CyberArk Identity has the ability to track client devices across endpoint requests so that it can enforce admin-defined authentication policies depending on whether the client device has invoked endpoints on a tenant while an
ASPXAUTH token is valid.
Configuration of such functionality starts on the Admin Portal. An admin specifies how long an
ASPXAUTH token is valid for once issued as described here.
The admin can then set up authentication policy rules that select authentication profiles to use while that ASPXAUTH token is valid. For example, you can create a rule specifying that a specific authentication profile be used if an
Identity Cookie is present:
On this screen, the Identity Cookie filter corresponds to the
CCSID cookie that CyberArk Identity issues and returns in the
/Security/AdvanceAuthentication response header along with other cookies. This cookie uniquely identifies the client device for a tenant.
CCSID can only be used/passed as a cookie for both client and server-based apps.
In the example screenshot above, the rule shown means that if CyberArk Identity has seen the client device before as identified by the CCSID, while the ASPXAUTH token is still valid, then use an authentication profile called MFA Privilege.
It's therefore important that the
CCSID cookie returned from
/Security/AdvanceAuthentication be retained by your client and submitted along with the
ASPXAUTH cookie in the header of subsequent API calls. CyberArk Identity will look for this cookie each time it evaluates the authentication policy rule. This also covers cross-session authentication scenarios, meaning that when the user logs out and logs back in again, the
CCSID cookie from the previous session should be passed to the authentication requests again so that CyberArk Identity can continue to use it during authentication policy evaluation.
The default duration for the
CSSID cookie is unlimited. Currently this can only be adjusted by contacting CyberArk Identity Cloud Ops requesting a different duration for your tenant. In the future, the Admin Portal will be enhanced to allow for adjustment by customers.
Note: if you're writing a browser-based client, the browser may retain this cookie for you.
Note: the Admin Portal uses the term Identity Cookie in both the Hours until Identity cookie expires field (described here) and on the Authentication Rule popup, as seen in the figures above. Despite using the same term, it's important to remember that in the first case the term refers to the ASPXAUTH cookie and in the second case it refers to the CCSID cookie.
Updated almost 2 years ago