OpenID Connect Single Sign-On (SSO)

One flexible login for all your users and applications

Providing Single Sign-On (SSO) to applications is a key aspect of the Connect2id server. The enterprise gains the benefits of a centralised login while being able to establish segmented login channels and experiences, depending on the type of user, device and application.

  • Highly-available login for web, mobile and desktop apps.

  • Handle on-premise, cloud-based and third-party SaaS applications.

  • Authentication flows tailored to the security and verification requirements for each class of users, whether employees, contractors, partners or customers / consumers.

ID token based integration

The ID token provides a unified object for signing users into applications (relying parties). It is compact, JSON-based and URL-safe, and can be protected by a range of cryptographic algorithms, such as HMAC, RSA and EC signatures. ID tokens are also easier to consume than SAML.

{
  "sub"       : "alice",
  "iss"       : "https://c2id.com",
  "aud"       : "app-123",
  "auth_time" : 1311280969,
  "acr"       : "https://loa.c2id.com/high",
  "iat"       : 1311280970,
  "exp"       : 1311281970
}
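How a relying party might check such a token before signing the user in, as an added example that is not Connect2id code: it assumes the HMAC option (HS256 with a shared client secret), and the function names, the secret and the signed sample token are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, secret):
    # Stand-in for the OpenID provider, used only to build the constructed sample.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def validate_id_token(token, secret, issuer, client_id, now, required_acr=None, max_age=None):
    """Return the claims of an acceptable HS256 ID token, else raise ValueError."""
    head, body, sig = token.split(".")  # wrong part count raises ValueError
    header = json.loads(b64url_decode(head))
    # Pin the algorithm: never let the token header choose "none" or another alg.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))  # parsed only after the MAC checks out
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token issued for another client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if required_acr is not None and claims.get("acr") != required_acr:
        raise ValueError("acr does not match the required level")
    if max_age is not None and now - claims.get("auth_time", 0) > max_age:
        raise ValueError("login too old")
    return claims

# Constructed sample: the claims shown above, signed with a made-up shared secret.
SECRET = b"constructed-demo-secret-not-a-real-key"
SAMPLE_CLAIMS = {"sub": "alice", "iss": "https://c2id.com", "aud": "app-123",
                 "auth_time": 1311280969, "acr": "https://loa.c2id.com/high",
                 "iat": 1311280970, "exp": 1311281970}
TOKEN = sign_hs256(SAMPLE_CLAIMS, SECRET)

if __name__ == "__main__":
    print(validate_id_token(TOKEN, SECRET, "https://c2id.com", "app-123", now=1311281000,
                            required_acr="https://loa.c2id.com/high")["sub"])
```

The `now` parameter is passed in so the sample's 2011 timestamps can be checked deterministically; a deployed relying party would pass the current time and normally rely on a maintained OpenID Connect library for these checks.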

Logout

Applications can subscribe to be notified of user logout via the standard OpenID Connect front-channel and back-channel mechanisms. Application-initiated logout at the Connect2id server is also supported.

Managing a sea of sessions

The built-in session store of the Connect2id server has been optimised over the years to handle millions of concurrent sessions with low latency. It presents a comprehensive web API to manage and monitor them.

  • Users can have multiple concurrent login sessions, across multiple devices.

  • Each user session can be established at a specific authentication level (LoA) to match the application's security requirements. For instance, a fintech or sysadmin application could require a session with strong two-factor authentication, while password-based authentication could be sufficient for less sensitive applications.

  • Selected session attributes can be fed automatically into the issued ID tokens.

  • The web API provides calls to check who is online and collect various metrics.