Session state management for authentication API adapters is no different than for
regular adapters. The same mechanisms, such as
TransactionalStateSupport, are used to store and retrieve session
attributes on behalf of a user.
It should not be necessary to store more state attributes just to support the authentication API. The same session attributes should cover both API and non-API requests.
You can also wrap an API-capable adapter in a PingFederate-managed authentication session. PingFederate-managed authentication sessions mean that many adapters no longer need to provide their own internal session tracking.