Identity federation
Federated login
Connect2id server deployments can federate logins from third-party providers. Client applications receive a standard ID token and OpenID claims. The claims are typically sourced transparently from the upstream provider, or passed on as aggregated or distributed claims.
- Consumer login: Consumer web and mobile applications can utilise logins from Google, Facebook, X, and others. Once the user logs in with their preferred provider, the Connect2id server creates a local identity. For critical or high-value operations client applications can request a refreshed or stepped-up authentication, triggering a new federated login or additional verification.
- National eID gateways: Public and health sector applications can leverage verified identities from national eID schemes, bank apps, and other trusted providers. Client applications can use FAPI or another hardened profile to request user authentication and tokens from the Connect2id server. User attributes can be supplied in the regular OpenID claims format or in the special verified data format.
- B2B logins: Enterprises offering applications for contractors, suppliers and other business partners can streamline interactions by allowing users to sign in with identities provided by their workplace.
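The claims sourcing mentioned above (aggregated and distributed claims, OpenID Connect Core 1.0 section 5.6.2), as an added example that is not part of this page or of the Connect2id code base: a client-side resolver that verifies an aggregated claims JWT against the key registered for its issuer, fetches distributed claims with the access token the source supplies, and copies from each source only the claims it is named for. Everything in it is constructed: the provider URLs, the sample UserInfo response, the HS256 demo key (real claims providers sign with asymmetric keys published in a JWK set; HS256 is used only so the example runs on the standard library) and the fetch stub that stands in for the HTTPS call.

```python
"""Resolve aggregated and distributed claims in an OpenID Connect UserInfo
response or ID token (OpenID Connect Core 1.0, section 5.6.2).

Added example, not Connect2id code. HS256 is used for the aggregated
claims JWT only so the example runs offline on the standard library."""
import base64
import hashlib
import hmac
import json
from typing import Any, Callable, Dict


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: Dict[str, Any], key: bytes) -> str:
    """Sign a claims set as a compact JWS (only used to build the sample)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256_jwt(token: str, keys_by_issuer: Dict[str, bytes]) -> Dict[str, Any]:
    """Verify an aggregated claims JWT with the key registered for its issuer."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    payload = json.loads(b64url_decode(payload_b64))  # untrusted until the signature checks out
    key = keys_by_issuer.get(payload.get("iss"))
    if key is None:
        raise ValueError(f"unknown claims provider {payload.get('iss')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("aggregated claims JWT signature is invalid")
    return payload


def resolve_claims(userinfo: Dict[str, Any], keys_by_issuer: Dict[str, bytes],
                   fetch: Callable[[str, str], Dict[str, Any]]) -> Dict[str, Any]:
    """Return the flat claims set: inline claims plus the sourced ones."""
    resolved = {k: v for k, v in userinfo.items() if k not in ("_claim_names", "_claim_sources")}
    names = userinfo.get("_claim_names", {})
    sources = userinfo.get("_claim_sources", {})
    payloads: Dict[str, Dict[str, Any]] = {}  # source name -> claims obtained from it
    for claim, source_name in names.items():
        if source_name not in payloads:
            source = sources[source_name]
            if "JWT" in source:            # aggregated claims: signed by the claims provider
                payloads[source_name] = verify_hs256_jwt(source["JWT"], keys_by_issuer)
            elif "endpoint" in source:     # distributed claims: fetched with the supplied token
                payloads[source_name] = fetch(source["endpoint"], source.get("access_token", ""))
            else:
                raise ValueError(f"malformed claim source {source_name!r}")
        # Copy only the claims this source is named for, so a source cannot
        # override 'sub', 'name' or anything another party asserted.
        if claim not in payloads[source_name]:
            raise ValueError(f"source {source_name!r} did not return claim {claim!r}")
        resolved[claim] = payloads[source_name][claim]
    return resolved


# Constructed sample: one aggregated source (src1) and one distributed source (src2).
CLAIMS_PROVIDER_KEYS = {"https://claims.example.com": b"constructed-demo-key"}
AGGREGATED_JWT = make_hs256_jwt(
    {"iss": "https://claims.example.com", "sub": "248289761001",
     "address": {"locality": "Sofia", "country": "BG"}, "phone_number": "+359 2 000 0000"},
    CLAIMS_PROVIDER_KEYS["https://claims.example.com"])
SAMPLE_USERINFO = {
    "sub": "248289761001",
    "name": "Jane Doe",
    "_claim_names": {"address": "src1", "phone_number": "src1", "payment_info": "src2"},
    "_claim_sources": {
        "src1": {"JWT": AGGREGATED_JWT},
        "src2": {"endpoint": "https://bank.example.com/claim_source", "access_token": "ksj3n283dke"},
    },
}


def fake_fetch(endpoint: str, access_token: str) -> Dict[str, Any]:
    """Stand-in for the HTTPS call to the distributed claims endpoint."""
    if endpoint != "https://bank.example.com/claim_source" or access_token != "ksj3n283dke":
        raise PermissionError("claims endpoint rejected the request")
    # The source also returns a 'name' it was not named for; the resolver must ignore it.
    return {"payment_info": {"iban": "BG00DEMO00000000000000"}, "name": "Mallory"}


def demo() -> Dict[str, Any]:
    return resolve_claims(SAMPLE_USERINFO, CLAIMS_PROVIDER_KEYS, fake_fetch)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The two checks worth carrying into real code are the issuer lookup before signature verification (an aggregated JWT from a provider you have no key for is rejected, not merely unverified) and the per-claim copy, which keeps a claims source from asserting claims outside the set the OpenID provider delegated to it.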
Delegated consent
Connect2id servers, when acting as authentication or authorisation gateways, can delegate the definition of the consent screen to the underlying providers. This is done within the authorisation session API, by allowing the providers to supply the consent form in basic HTML or in another appropriate format.
Technology-agnostic federation
Deployments are able to federate logins from any third-party provider, supporting both standard and proprietary or legacy technologies:
- OpenID Connect
- SAML 2.0
- SAML 2.0 bearer assertion for OAuth 2.0 access token exchange – client applications that have authenticated a user with a SAML IdP can request the Connect2id server to exchange the SAML assertion for an access token.
- Any other login method that produces a user identifier and may optionally supply user attributes.
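The SAML 2.0 bearer assertion exchange listed above, as an added example that is not part of this page or of the Connect2id code base: the form-encoded grant a client posts to the token endpoint (RFC 7522, section 2.1) and the checks a token endpoint applies to the assertion before issuing a token (RFC 7522, section 3: trusted issuer, validity window, token endpoint in the audience, bearer subject confirmation). The assertion, the IdP and token endpoint URLs and the clock values are constructed. XML-Signature verification against the IdP's registered certificate, which a real server performs before any of these checks, needs an XML-DSig library and is deliberately not shown.

```python
"""SAML 2.0 bearer assertion grant (RFC 7522): what the client sends to the
token endpoint and the checks the token endpoint makes on the assertion.

Added example, not Connect2id code. The XML signature check that must come
first is outside the standard library and is not implemented here."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SAML2_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed sample: the assertion a SAML IdP might issue for this exchange (unsigned here).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_demo-assertion-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
          Recipient="https://c2id.example.com/token"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://c2id.example.com/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def build_token_request(assertion_xml: str, scope: str) -> str:
    """Client side: form-encoded body for POST /token. The assertion is base64url, no padding."""
    assertion = base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).rstrip(b"=").decode("ascii")
    return urlencode({"grant_type": SAML2_BEARER_GRANT, "assertion": assertion, "scope": scope})


def _saml_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_bearer_assertion(body: str, token_endpoint: str, trusted_issuers, now: datetime) -> str:
    """Server side: parse the grant, apply the RFC 7522 checks, return the asserted subject."""
    form = parse_qs(body, strict_parsing=True)
    if form.get("grant_type") != [SAML2_BEARER_GRANT]:
        raise ValueError("unsupported_grant_type")
    raw = form["assertion"][0]
    xml_bytes = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    root = ET.fromstring(xml_bytes)  # production code: parse with defusedxml or an equivalent hardened parser
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion":
        raise ValueError("invalid_grant: not a SAML 2.0 assertion")
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer not in trusted_issuers:
        raise ValueError(f"invalid_grant: untrusted issuer {issuer!r}")
    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        raise ValueError("invalid_grant: missing Conditions")
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if (not_before and now < _saml_time(not_before)) or (not_on_or_after and now >= _saml_time(not_on_or_after)):
        raise ValueError("invalid_grant: assertion outside its validity window")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if token_endpoint not in audiences:
        raise ValueError("invalid_grant: token endpoint is not an intended audience")
    confirmation = root.find("saml:Subject/saml:SubjectConfirmation", SAML_NS)
    if confirmation is None or confirmation.get("Method") != BEARER_METHOD:
        raise ValueError("invalid_grant: bearer subject confirmation required")
    data = confirmation.find("saml:SubjectConfirmationData", SAML_NS)
    if data is not None:
        if data.get("Recipient") not in (None, token_endpoint):
            raise ValueError("invalid_grant: Recipient does not match the token endpoint")
        if data.get("NotOnOrAfter") and now >= _saml_time(data.get("NotOnOrAfter")):
            raise ValueError("invalid_grant: subject confirmation expired")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not subject:
        raise ValueError("invalid_grant: missing subject")
    return subject


def demo(now_utc: str = "2024-05-01T12:01:00Z",
         token_endpoint: str = "https://c2id.example.com/token") -> str:
    """Run the client and server halves of the exchange at a given (constructed) clock time."""
    body = build_token_request(SAMPLE_ASSERTION, "openid profile")
    return validate_bearer_assertion(body, token_endpoint, {"https://idp.example.org"}, _saml_time(now_utc))


if __name__ == "__main__":
    print(demo())
```

The audience and Recipient checks are what stop an assertion issued for one relying party from being replayed against another, and the short NotOnOrAfter window bounds how long a leaked assertion stays usable; a server would additionally track assertion IDs within that window to reject duplicates.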
The STS endpoint of the Connect2id server can conveniently mint request_object and private_key_jwt JWTs for upstream OpenID providers.
OpenID Federation 1.0
This new OpenID protocol introduces a JWT-based architecture for establishing trust at Internet scale. Federated client applications can make OpenID authentication requests directly to the Connect2id server, without the need for prior registration. The client metadata and the OpenID provider metadata are managed by the federation trust anchor.
In the future, OpenID Federation will become a viable alternative to “monolithic” national eID gateways for public and other services.