Hosted Login sessions

A "session" refers to a continuous length of time during which a user's authentication is valid.

The Hosted Login session is a central, Akamai-hosted session that is primarily used to:

  • Provide a seamless login experience across user-facing applications (SSO)
  • Provide a secure profile management experience to your end users that is hosted by Akamai Identity Cloud

In addition, you can choose how much or how little your applications rely on the Hosted Login session for other purposes.

The Hosted Login session is not a replacement for your application’s user session, and it is not able to start or end application sessions. Your applications are expected to maintain their own user sessions and enrich them with identity and access tokens provided by Hosted Login.

The user session lifecycle

To understand the Hosted Login session, let’s see some examples of how the session changes throughout a user’s journey:

  • When an end user authenticates for the first time in Hosted Login, a Hosted Login session is created.
  • If the user visits another website and authenticates via SSO, their auth time is updated.
  • If the user completes 2FA in order to access a sensitive area, their auth time, ACR and AMR values are updated.
  • If the user logs into the same website from a different device, that device is bound to the existing session.
  • If the user logs out from the original device, that device is unbound from the session.
  • If the user or an administrator performs a global logout (i.e. “Log out of all devices”), or if the session expires, the session is deleted.
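
The following is an added example, not Akamai's code: a sketch of how an application that keeps its own session might check for the updated values before opening a sensitive area. It assumes they reach the application as the standard OpenID Connect claims `auth_time`, `acr` and `amr` in an ID token whose signature, issuer and audience have already been validated. The function names, the policy constants and the ACR strings are hypothetical placeholders.

```python
import time

# Constructed policy values. The ACR string is a placeholder: the page does
# not list the values Hosted Login issues.
REQUIRED_ACR = "urn:example:acr:2fa"
SECOND_FACTOR_AMR = {"otp", "sms", "mfa"}   # method names from RFC 8176
MAX_AUTH_AGE = 300                          # seconds allowed since auth_time
CLOCK_SKEW = 60                             # tolerated clock drift, seconds

def needs_step_up(claims, now=None, max_age=MAX_AUTH_AGE):
    """Return why re-authentication is required, or None if claims suffice."""
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return "missing auth_time"
    if auth_time > now + CLOCK_SKEW:
        return "auth_time in the future"
    if now - auth_time > max_age:
        return "authentication too old"
    if claims.get("acr") != REQUIRED_ACR:
        return "acr too weak"
    amr = claims.get("amr")
    methods = {m for m in amr if isinstance(m, str)} if isinstance(amr, list) else set()
    if not methods & SECOND_FACTOR_AMR:
        return "no second factor in amr"
    return None

def enrich_app_session(app_session, claims):
    """Copy identity context into the application's own session record."""
    for key in ("sub", "auth_time", "acr", "amr"):
        app_session[key] = claims.get(key)
    return app_session

# Constructed sample claims, as decoded from an already-validated ID token.
NOW = 1_700_000_000
PASSWORD_ONLY = {"sub": "constructed-uuid", "auth_time": NOW - 30,
                 "acr": "urn:example:acr:pwd", "amr": ["pwd"]}
AFTER_2FA = {"sub": "constructed-uuid", "auth_time": NOW - 30,
             "acr": REQUIRED_ACR, "amr": ["pwd", "otp"]}
STALE_2FA = dict(AFTER_2FA, auth_time=NOW - 3600)

if __name__ == "__main__":
    for name, c in [("password only", PASSWORD_ONLY), ("after 2FA", AFTER_2FA),
                    ("stale 2FA", STALE_2FA)]:
        print(name, "->", needs_step_up(c, now=NOW) or "allow")
```

The check fails closed: a token with a missing or malformed claim is treated the same as one that never completed 2FA.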

Important Concept

There can only be 1 Hosted Login session per user (uuid) at any given time. As a user logs in across various devices, those devices are bound to the same session. When a user logs out from a device, that device is unbound from the session, while other devices retain access to the session.

This architecture allows for a secure “Log me out everywhere” function because when the Hosted Login session is deleted, all device logins (“bindings”) are deleted with it.

Session management features

The Hosted Login session is enabled by default, so if you’ve implemented Hosted Login, you can do things like: