Device session behavior and seamless SSO
Strivacity enables seamless SSO across applications and browser sessions through device-based authenticators.
Two customer-facing options influence how the authentication state is preserved:
- Keep me logged in
- Remember my device
Although these options may appear similar, they serve different purposes and follow different lifecycle rules.
Understanding how they interact is essential when configuring adaptive access policies, passwordless flows, and multi-application environments.
The Remember me option (shown on the identifier screen) controls whether a customer’s username or email is pre-filled on return visits. While it uses a similar mechanism, this page focuses only on authentication authenticators (password and MFA), not on identifier memory.
Primary authenticator
Every authentication flow has a primary authenticator. The primary authenticator determines where the Keep me logged in option appears and how device session state is created.
Rules:
- If a password exists in the flow, it is always the primary authenticator.
- The primary authenticator can display the Keep me logged in option.
- The primary authenticator is never stored as a remembered authenticator.
- In passwordless flows, MFA becomes the primary authenticator.
This means that in passwordless authentication, the MFA screen can include the Keep me logged in option.
Keep me logged in
When a customer selects Keep me logged in, a kept authenticator is stored in the device session.
A kept authenticator:
- Uses a sliding expiration
- Extends its validity each time it is reused
- May have an absolute maximum lifetime defined by policy
- Is deleted when the customer logs out
Kept authenticators enable:
- Seamless SSO across applications
- Session persistence across browser restarts
- Reduced authentication prompts during normal use
The Keep me logged in option is configured at the application level under Identifier and device session management.
Remember this device
When a customer selects Remember my device, a remembered authenticator is stored.
A remembered authenticator:
- Has a fixed expiration date
- Does not extend automatically
- Is not deleted on logout
- Is used for second-factor (MFA) recognition
Remembered authenticators allow MFA challenges to be skipped on recognized devices until the configured validity period expires.
Although remembered authenticators are not removed during logout, they can be invalidated by deleting the device session.
This can be done:
- From the Self-Service Portal (My Account → Device sessions), or
- Via the relevant device session management API endpoint.
The Remember this device option is configured in the Adaptive access policy, under Adaptive rules and Device recognition.
Combined behavior
In flows that include both a password and MFA, MFA authenticators may be stored as:
- Kept
- Remembered
- Both kept and remembered
If both are applied:
- The kept authenticator provides sliding session extension.
- The remembered authenticator enforces its fixed recognition period.
- If a valid kept authenticator exists, seamless SSO continues without requiring MFA re-entry, even if the remembered device duration has passed.
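The lifecycle rules above (sliding versus fixed expiration, what logout removes, and how a valid kept authenticator takes precedence over an expired remembered one) can be modelled in a few lines. The following is an added illustration, not Strivacity code; the policy durations (7-day inactivity window, 30-day absolute maximum, 14-day device recognition) and the class and function names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed policy values for illustration only. In practice they come from the
# application's Identifier and device session management settings and the
# adaptive access policy's device recognition settings.
KEPT_INACTIVITY = timedelta(days=7)       # sliding window, extended on each reuse
KEPT_ABSOLUTE_MAX = timedelta(days=30)    # optional absolute maximum lifetime
REMEMBERED_VALIDITY = timedelta(days=14)  # fixed device recognition period


@dataclass
class KeptAuthenticator:
    """Stored when the customer selects Keep me logged in."""
    created_at: datetime
    last_used_at: datetime

    def is_valid(self, now: datetime) -> bool:
        within_sliding = now < self.last_used_at + KEPT_INACTIVITY
        within_absolute = now < self.created_at + KEPT_ABSOLUTE_MAX
        return within_sliding and within_absolute

    def touch(self, now: datetime) -> None:
        # Reuse extends the sliding window; the absolute limit is unchanged.
        self.last_used_at = now


@dataclass
class RememberedAuthenticator:
    """Stored when the customer selects Remember my device."""
    expires_at: datetime

    def is_valid(self, now: datetime) -> bool:
        # Fixed expiration: never extended by use.
        return now < self.expires_at


@dataclass
class DeviceSession:
    kept: Optional[KeptAuthenticator] = None
    remembered: Optional[RememberedAuthenticator] = None

    def keep_me_logged_in(self, now: datetime) -> None:
        self.kept = KeptAuthenticator(created_at=now, last_used_at=now)

    def remember_device(self, now: datetime) -> None:
        self.remembered = RememberedAuthenticator(expires_at=now + REMEMBERED_VALIDITY)

    def logout(self) -> None:
        # Logout deletes the kept authenticator; the remembered one survives.
        self.kept = None

    def delete_session(self) -> None:
        # Deleting the device session (Self-Service Portal or API) removes both.
        self.kept = None
        self.remembered = None


def mfa_required(session: DeviceSession, now: datetime) -> bool:
    """Return True when the MFA step must be presented at time `now`."""
    if session.kept is not None and session.kept.is_valid(now):
        session.kept.touch(now)   # seamless SSO continues; sliding window extends
        return False
    if session.kept is not None:
        session.kept = None       # discard an expired kept authenticator
    if session.remembered is not None and session.remembered.is_valid(now):
        return False              # recognized device within its fixed period
    return True


T0 = datetime(2024, 1, 1)


def keep_only_scenario() -> List[bool]:
    """Reuse on days 5 and 10 keeps the window alive; day 18 exceeds it."""
    s = DeviceSession()
    s.keep_me_logged_in(T0)
    return [mfa_required(s, T0 + timedelta(days=d)) for d in (5, 10, 18)]


def absolute_max_scenario() -> List[bool]:
    """Reuse every 6 days stays inside the sliding window until the 30-day cap."""
    s = DeviceSession()
    s.keep_me_logged_in(T0)
    return [mfa_required(s, T0 + timedelta(days=d)) for d in (6, 12, 18, 24, 30)]


def remember_only_scenario() -> List[bool]:
    """Remembered survives logout but expires at its fixed date regardless of use."""
    s = DeviceSession()
    s.remember_device(T0)
    s.logout()
    return [mfa_required(s, T0 + timedelta(days=d)) for d in (2, 15)]


def combined_scenario() -> List[bool]:
    """Both stored: on day 16 the remembered period has passed but the kept one is valid."""
    s = DeviceSession()
    s.keep_me_logged_in(T0)
    s.remember_device(T0)
    results = [mfa_required(s, T0 + timedelta(days=d)) for d in (5, 10, 16)]
    s.logout()   # kept removed; remembered already expired
    results.append(mfa_required(s, T0 + timedelta(days=17)))
    return results
```

Each scenario function returns the sequence of "is MFA required?" answers for the dates it visits; the combined scenario is the case the last bullet above describes, where seamless SSO continues past the remembered device's fixed period because a valid kept authenticator still exists, and stops only once logout removes it.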
Passwordless authentication
In passwordless flows (Identifier → MFA):
- MFA acts as the primary authenticator.
- The MFA screen can display Keep me logged in.
- When selected, MFA is stored as a kept authenticator.
- Seamless SSO works across applications and browser sessions within policy limits.
Passwordless flows therefore support the same seamless SSO behavior as password-based flows.
IdP-based session behavior
When IdP session management is enabled at the application level, Strivacity maintains an identity provider session across applications in the same browser.
In this case:
- An implicit "keep me logged in" behavior applies within the IdP session.
- This applies regardless of whether the customer selected the Keep me logged in checkbox.
IdP session management therefore provides cross-application session continuity within the browser, independent of device-based authenticator settings.
Seamless SSO across applications
If a valid kept authenticator exists:
- Customers can move between applications associated with the same identity store.
- Browser restarts do not require re-authentication.
- MFA is not requested again until the configured inactivity or maximum session limit is reached.
Session behavior is governed by:
- Application inactivity timeout
- Adaptive access device recognition settings
- Absolute refresh limits, if configured
Advanced scenarios and journey steps
In advanced configurations involving:
- Multiple MFA steps
- Journey-based MFA overrides
- Custom adaptive access policies
Keep/remember decisions are evaluated per authenticator.
If multiple authentication steps present Keep me logged in options:
- Selections apply to the specific authenticator shown.
- Checkbox states do not automatically propagate between steps.
- Later steps may override earlier decisions depending on the configuration.
Careful testing is recommended when combining:
- Password and passwordless flows
- Multiple MFA steps
- Custom journeys
