Web SSO eligibility checker
1. Overview
For an authorisation request to qualify for single sign-on (SSO) the Connect2id server checks for a present user session and, if the request or the client registration specifies it, for additional conditions, such as the authentication strength (acr_values) of the session or the time that has passed since the user was last challenged to authenticate (max_age). Only then is the request allowed to skip the user authentication step.
The Connect2id server, starting with v16.1, enables deployments to specify additional, custom checks of whether a particular request qualifies for web SSO. One such use case is to always require users to authenticate when logging into or authorising a critical client application.
Note that this is a feature of web-based SSO. To implement a similar check for native SSO, use the device SSO handler SPI.
2. Web SSO eligibility checker SPI
A plugin interface (SPI) enables deployments to specify additional checks of whether an OAuth 2.0 authorisation / OpenID authentication request is allowed to benefit from SSO.
Prior to calling the SPI the Connect2id server ensures the following SSO conditions are met for a request:
- A subject (end-user) session is present.
- The subject session authentication lifetime (auth_life), if specified for the session, has not expired.
- If the request is an OpenID authentication request with a maximum authentication age (max_age) or an ACR level (acr_values), the subject session satisfies them.
- If a particular user identity is required (via an id_token_hint), it matches the session subject.
- The request doesn't specify a prompt of login, select_account or create.
- A Connect2id server op.authz.alwaysPromptForAuth configuration doesn't trigger an authentication prompt.
If the request is eligible for SSO the isEligible check method returns true. Otherwise the method returns false, which causes the Connect2id server to prompt the end-user for authentication.
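The decision flow described above, as an added example that is not Connect2id server code: a small Python model of the built-in SSO preconditions (session present, auth_life, max_age, acr_values, id_token_hint, prompt, op.authz.alwaysPromptForAuth) followed by a pluggable custom check in the role of the SPI, here one that denies SSO for a configured set of critical client IDs as the overview suggests. The data classes, field names and the "session ACR must be one of the requested acr_values" rule are simplifying assumptions of this model; the real plugin is written in Java against the server SDK.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Set, Tuple

# Constructed model of a subject (end-user) session; field names are assumptions.
@dataclass
class SubjectSession:
    subject: str                     # identifier of the authenticated end-user
    auth_time: int                   # Unix time (s) of the last authentication
    acr: Optional[str] = None        # authentication context class reference
    auth_life: Optional[int] = None  # authentication lifetime in seconds, None = unlimited

# Constructed model of the relevant parts of an OAuth 2.0 / OpenID request.
@dataclass
class AuthzRequest:
    client_id: str
    max_age: Optional[int] = None
    acr_values: Set[str] = field(default_factory=set)
    id_token_hint_sub: Optional[str] = None  # subject carried by id_token_hint, if any
    prompt: Set[str] = field(default_factory=set)

# Prompt values that always force interaction and therefore rule out SSO.
PROMPTS_FORCING_INTERACTION = {"login", "select_account", "create"}

# Hypothetical stand-in for the SPI: returns True if the request may use SSO.
CustomChecker = Callable[[AuthzRequest, SubjectSession], bool]


def is_sso_eligible(request: AuthzRequest,
                    session: Optional[SubjectSession],
                    now: int,
                    always_prompt_for_auth: bool = False,
                    custom_checker: Optional[CustomChecker] = None) -> Tuple[bool, str]:
    """Evaluate the built-in preconditions in order, then the custom checker.

    Returns (eligible, reason); the reason is for logging / audit only.
    """
    if session is None:
        return False, "no subject session"
    age = now - session.auth_time
    if session.auth_life is not None and age > session.auth_life:
        return False, "session authentication lifetime (auth_life) expired"
    if request.max_age is not None and age > request.max_age:
        return False, "max_age exceeded"
    # Model simplification: the session ACR must be one of the requested values.
    if request.acr_values and session.acr not in request.acr_values:
        return False, "session ACR does not satisfy acr_values"
    if request.id_token_hint_sub is not None and request.id_token_hint_sub != session.subject:
        return False, "id_token_hint subject does not match session subject"
    if request.prompt & PROMPTS_FORCING_INTERACTION:
        return False, "prompt requires user interaction"
    if always_prompt_for_auth:
        return False, "op.authz.alwaysPromptForAuth is set"
    # Only now is the custom (SPI) check consulted, mirroring the server order.
    if custom_checker is not None and not custom_checker(request, session):
        return False, "custom checker declined SSO"
    return True, "eligible"


def make_critical_client_checker(critical_client_ids: Set[str]) -> CustomChecker:
    """Custom check: never allow SSO into the listed critical clients."""
    def check(request: AuthzRequest, session: SubjectSession) -> bool:
        return request.client_id not in critical_client_ids
    return check


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    session = SubjectSession("alice", auth_time=now - 600, acr="1", auth_life=3600)
    checker = make_critical_client_checker({"bank-admin"})
    for req in (AuthzRequest("web-app"),
                AuthzRequest("web-app", max_age=300),
                AuthzRequest("bank-admin")):
        print(req.client_id, is_sso_eligible(req, session, now, custom_checker=checker))
```

The ordering matters: the custom checker only runs once every built-in condition has passed, so a plugin can assume it is looking at a request that would otherwise have been granted SSO, and a false return is sufficient to force a fresh authentication.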
3. How to develop your own web SSO eligibility checker
First, read our general guide for developing, annotating and packaging an SPI-based plugin.
The plugin must implement the WebSSOEligibilityChecker SPI defined in the Connect2id server SDK:
Git repo: https://bitbucket.org/connect2id/server-sdk
If the Connect2id server detects an SPI implementation at startup it will log its loading under OP2140:
INFO MAIN [main][OP2140] Loaded web SSO eligibility checker: : class=com.nimbusds.openid.connect.provider.spi.impl.websso.checkers.ExtraChecker
Note, the Connect2id server can load at most one web SSO eligibility checker at startup.