Connect2id

Native SSO

This guide explains how to configure a Connect2id server so that suites of native mobile and desktop apps can use the OpenID Connect extension for device SSO. It also describes how to register native clients and how to manage the resulting device sessions.

Configuration

  1. Enable device SSO for the Connect2id server.

    op.sso.device.enable=true
    

    The enabled support will be advertised in the OpenID provider metadata, using the standard native_sso_supported parameter.

  2. Choose suitable time settings for the device sessions or leave them at their default settings.

    Example device session time settings (all values are in minutes):

    # The lifetime of sessions is limited to 90 days
    op.sso.device.sessionMaxLifetime=129600
    # Users will not be asked to periodically re-authenticate
    op.sso.device.sessionAuthLifetime=0
    # After 10 days of inactivity (no token requests) device sessions are ended
    op.sso.device.sessionMaxIdleTime=14400
    
  3. Enable the default handler for back-channel SSO authorisations.

    op.deviceSSOHandler.enable=true
    

    The default handler supports a number of optional settings, for example scope values that require the user to re-authenticate and/or give explicit consent at the authorisation endpoint.

    op.deviceSSOHandler.enable=true
    op.deviceSSOHandler.scopeRequiringInteraction=email profile
    

Native app registration

To allow a mobile or desktop app to use native SSO, register it with a scope metadata parameter that includes the openid and device_sso values.

Example client registration request:

POST /clients HTTP/1.1
Host: demo.c2id.com
Content-Type: application/json

{
  "application_type"           : "native",
  "redirect_uris"              : [ "https://app.example.com/cb" ],
  "token_endpoint_auth_method" : "none",
  "code_challenge_method"      : "S256",
  "scope"                      : "openid device_sso email profile"
}

The client registration guide has helpful general tips about the registration of native apps as public OAuth 2.0 clients.
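As an added example that is not part of the Connect2id documentation, the following Python function checks a registration request before it is submitted: it verifies that the scope enables native SSO (openid and device_sso) and that the native-app hardening shown in the example request above is present (application_type native, no client secret, PKCE with S256). The rule set and the finding messages are this example's own; the sample metadata mirrors the guide's request.

```python
"""Added example (not Connect2id code): sanity-check a client registration
request for native SSO before sending it to the /clients endpoint."""
import json

# The guide states these two scope values are required for native SSO
REQUIRED_SCOPE_VALUES = {"openid", "device_sso"}


def check_native_sso_registration(metadata: dict) -> list[str]:
    """Return a list of findings; an empty list means the metadata passes.

    The scope rule comes from the guide. The remaining rules encode the
    public-client hardening shown in the guide's example request
    (assumed policy for this example, not a server-enforced requirement).
    """
    findings = []

    scope_values = set(metadata.get("scope", "").split())
    missing = REQUIRED_SCOPE_VALUES - scope_values
    if missing:
        findings.append(f"scope is missing {' '.join(sorted(missing))}")

    if metadata.get("application_type") != "native":
        findings.append("application_type should be 'native'")

    # A native app cannot protect a client secret, so it must be a public client
    if metadata.get("token_endpoint_auth_method") != "none":
        findings.append("use token_endpoint_auth_method 'none' for a native app")

    # Public clients rely on PKCE to bind the authorisation code to the app
    if metadata.get("code_challenge_method") != "S256":
        findings.append("use PKCE with code_challenge_method 'S256'")

    if not metadata.get("redirect_uris"):
        findings.append("redirect_uris must not be empty")

    return findings


# Constructed sample, copied from the guide's example registration request
SAMPLE_REQUEST = json.loads("""{
  "application_type"           : "native",
  "redirect_uris"              : [ "https://app.example.com/cb" ],
  "token_endpoint_auth_method" : "none",
  "code_challenge_method"      : "S256",
  "scope"                      : "openid device_sso email profile"
}""")


if __name__ == "__main__":
    print(check_native_sso_registration(SAMPLE_REQUEST))  # []
    weakened = {**SAMPLE_REQUEST, "scope": "openid email", "code_challenge_method": "plain"}
    for finding in check_native_sso_registration(weakened):
        print("finding:", finding)
```

Run the check in the tooling that prepares registration requests, so that an app missing device_sso (which would silently fall back to ordinary OpenID Connect flows) or one registered without PKCE is caught before it reaches the server.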

Managing the device sessions of users

The active sessions for a user can be obtained from the session store API of the Connect2id server. The sessions that are linked to devices have a ctx field with the value device.

Example request to list the sessions for a user with ID alice:

GET /session-store/rest/v2/sessions?subject=alice HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6

To end a device session use the DELETE method.

Example request to delete a session by its identifier:

DELETE /session-store/rest/v2/sessions HTTP/1.1
Host: c2id.com
Authorization: Bearer ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6
SID: WYqFXK7Q4HFnJv0hiT3Fgw.-oVkvSXgalUuMQDfEsh1lw
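As an added example that is not part of the Connect2id documentation, the following Python code shows the two operations above combined into one routine: pick out a user's device sessions from a session store listing (the sessions whose ctx field is device) and build a DELETE request with the SID header for each of them, which is what an operator would do to end every device session of a user whose phone was lost. The listing is a constructed sample; the sid and sub field names and the JSON array shape are assumptions of this example, since the guide does not show the response body. The send function is injectable so the logic can be run without a live server.

```python
"""Added example (not Connect2id code): list a user's device sessions and end
each one with a DELETE carrying the SID header, as described in the guide."""
import json
import urllib.request

SESSION_STORE = "https://c2id.com/session-store/rest/v2/sessions"
ACCESS_TOKEN = "ztucZS1ZyFKgh0tUEruUtiSTXhnexmd6"  # sample token from the guide

# Constructed sample listing for subject "alice". Only the ctx == "device"
# marker comes from the guide; "sid", "sub" and the array shape are assumed.
SAMPLE_LISTING = json.loads("""[
  {"sid": "WYqFXK7Q4HFnJv0hiT3Fgw.-oVkvSXgalUuMQDfEsh1lw", "sub": "alice", "ctx": "device"},
  {"sid": "BROWSER-SESSION-SID-PLACEHOLDER", "sub": "alice"},
  {"sid": "SECOND-DEVICE-SID-PLACEHOLDER", "sub": "alice", "ctx": "device"}
]""")


def device_session_ids(sessions: list[dict]) -> list[str]:
    """Identifiers of the sessions that are linked to a device (ctx == 'device')."""
    return [s["sid"] for s in sessions if s.get("ctx") == "device"]


def build_delete_request(sid: str) -> urllib.request.Request:
    """DELETE request that ends one session. The session ID travels in the SID
    header rather than the URL, so it does not end up in access logs or proxies'
    URL histories. urllib normalises header names (SID is stored as 'Sid');
    HTTP header names are case-insensitive, so the server sees the same header."""
    return urllib.request.Request(
        SESSION_STORE,
        method="DELETE",
        headers={"Authorization": f"Bearer {ACCESS_TOKEN}", "SID": sid},
    )


def end_device_sessions(sessions: list[dict], send=urllib.request.urlopen) -> list[str]:
    """End every device session in the listing; returns the SIDs that were sent.

    'send' defaults to urllib.request.urlopen; pass a recording callable to
    exercise the logic offline.
    """
    ended = []
    for sid in device_session_ids(sessions):
        send(build_delete_request(sid))
        ended.append(sid)
    return ended


if __name__ == "__main__":
    # Dry run: record the requests instead of sending them
    sent = []
    ended = end_device_sessions(SAMPLE_LISTING, send=sent.append)
    for req in sent:
        print(req.get_method(), req.full_url, "SID:", req.get_header("Sid"))
    print("ended", len(ended), "device session(s)")  # ended 2 device session(s)
```

In production the listing would come from the GET request shown above (filtered by subject) and the default send would deliver each DELETE; the browser session without a ctx of device is left untouched, so the user's web login survives while the device sessions are revoked.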