A Strivacity application is a collection of policies that define how customers interact with your brand's protected resources: signing in, registering, and managing their accounts. This page covers the required and optional configuration options available when creating or editing an application.

📘

Strivacity supports three application types: simple, organization-only, and hybrid. Mandatory settings and most other configuration options apply across all types.

General tab

When creating a new application, some mandatory settings must be configured to save the application.

Mandatory settings

• Name: This is the name of the application as it appears in the Admin Console.
• Description: You can optionally add a description to provide context about the application's purpose.
• Policy tag: Tags can be used to organize and filter applications.
• Identity store: Each application must be linked to an identity store that holds its customer and administrative identities.

❗️

For organization-enabled applications, the identity store cannot be changed after the application is created.

Optional settings

These options let you tailor how your application works and integrates with other systems.

Group restriction (within identity stores)

Group restriction controls which groups within the identity store can access the application. Group data can also be passed to your brand portal in tokens and assertions.

Identifier and session management

Identifier and session management settings let you configure how customer account identifiers and login sessions behave across visits.

Remember account identifiers after the session ends

This setting controls whether and how a customer's account identifier is remembered across sessions.

Available options:

• Always remember identifiers: The customer's identifier is always remembered when logging back in from the same device or browser.
• User chooses to remember - checked by default: A "Remember me" checkbox appears for the customer. It's pre-checked by default.
• User chooses to remember - unchecked by default: Customers see the "Remember me" checkbox, and it is unchecked by default.
• Never remember identifiers: Identifiers are not remembered. Customers must always re-enter them.

Keep me logged in

This setting determines how Strivacity handles long-lived sessions. Customers can avoid re-entering their password on return visits if their session is still valid.

This is configured as a dropdown with four options:

• Always keep users logged in: The "Keep me logged in" checkbox is not shown to customers. Sessions are preserved automatically until timeout.
• User chooses - checked by default: Customers see the "Keep me logged in" checkbox, and it's checked by default.
• User chooses - unchecked by default: Customers see the "Keep me logged in" checkbox, and it's unchecked by default.
• Never keep users logged in: The "Keep me logged in" checkbox is not shown. Customers must always re-enter their password if the application requires re-authentication.

📘

If "Keep me logged in" is not available to the customer, sessions will expire when the access token or refresh token does.

Allow users to select "Keep me logged in" and "Remember my device" even if they choose not to remember identifiers

This setting controls whether the "Keep me logged in" and "Remember my device" checkboxes are shown to the customer, even when the identifier is not remembered.

When this option is enabled, these choices remain visible and functional during authentication steps regardless of the identifier memory settings. The actual behavior of "Remember my device" still depends on the Adaptive access configuration.

📘

If this setting is disabled and the identifier is not remembered, the customer won't see the “Keep me logged in” or “Remember this device” options.

Fastpath

Combined with device recognition, "Keep me logged in" can remove friction from the sign-in experience entirely for a single customer account in a browser. Fastpath skips account selection and simply forwards a user to the brand portal.

Fastpath is a result of the combination of these conditions:

• The customer has checked “Keep me logged in” at a previous sign-in.
• Only a single account is remembered in the browser’s session.
• The customer is signing in from a trusted device, which means:
  • They’ve opted in to “Remember my device” when completing an MFA step at a previous sign-in.
  • Their device is within the device recognition lifetime set in the Adaptive rules.
• The customer's session is within the inactivity timeout (and the session max age, if applied).

Customers can activate Fastpath if they select “Keep me logged in” when:

• Asked for their password,
• At the bottom of their registration form,
• While completing their invitation.

Inactivity timeout

Inactivity timeout defines how long a remembered session stays active before prompting the customer to re-enter their password.

If “Keep me logged in” is enabled and the customer returns within the inactivity window, they’re signed in automatically. The timeout resets, and a new access token or refresh token is generated every time the customer visits the brand portal.

Session max age

Session max age defines the absolute lifespan of a session. Once this maximum is reached, the customer must re-authenticate, even if their inactivity timeout hasn’t elapsed.

To enforce this, enable Let session expire.

Login session max age

This setting defines how long the login or registration flow stays active before the session expires. If the customer doesn’t complete the journey in time, they’ll see a “session expired” message.

Default session configuration

Strivacity applies the following session configuration values by default:

Consent management

You can assign consent statements to collect customer agreement for specific terms. For more, see Assigning a consent to an application.

Lifecycle event hooks

Lifecycle Event Hooks (LEH) provides a method to integrate your customer-facing applications with homegrown systems and third-party products.

Once created and tested, you can assign a hook to an application to activate it.

Policies tab

Policies control the customer experience and behavior of your application. You can assign existing policies from a drop-down list to assign them.

📘

A policy is a group of reusable common settings that can be assigned to an application. You can reuse the same policy by applying it to multiple applications.

Adaptive access policy

Defines the login workflow, access rules, and MFA requirements for the application.

Identity verification policy

Allows you to confirm the identity of your customers by applying document-centric and data-centric methods.

Self-service policy

Specifies what customers can do on their own, such as registering, recovering access, or managing their account.

Branding policy

Applies logos, colors, and other brand elements to customer-facing experience.

Notification policy

Defines notification content that customers receive.

Login providers tab

These settings define how customers authenticate with your application.

Local login

If enabled, customers can sign in using credentials stored in your Strivacity identity store.

You can disable local login to rely only on external identity providers. If disabled:

• The login screen won't show username or email fields.
• The "forgotten username" option won't be available.
• Customers won't see any remembered accounts.

External login

Enable customers to sign in using enterprise or social identity providers.

📘

Strivacity supports multiple social or enterprise login provider integrations.

Forward customers to an external provider

If only one external provider is configured, you can automatically redirect customers to the provider's login page, bypassing the Strivacity login screen entirely.

Clients tab

Learn more in our Application clients documentation.

A/B testing tab

Learn more in our A/B testing documentation.