Skip to content
Connect2id

Web and device SSO

Classic web-based SSO for your users and applications

Classic web-based single sign-on (SSO) with OpenID Connect is a standard feature of the Connect2id server. Deployments receive the core benefits of SSO, such as improved UX and centralised access control, plus Connect2id specific features and enhancements:

  • Create tailored authentication and consent journeys on top of the login web API:

    • For each class of users, such as employees, contractors, business partners and consumers.

    • For each class of client application, such as web vs native, first-party or external, on-premise or cloud-based, or based on any other discriminator in the registered metadata for the client, including custom data.

  • Define additional SSO-eligibility checks on top of those provided by the Connect2id server. When necessary, SSO can be disabled entirely for selected clients.

  • The availability of SSO is critical for applications. Clustering is available for highly-available deployments within and across data centres, using classic or cloud-native load-balancing and data replication.

Device SSO for groups of native applications

Connect2id server 16.0 rolled out a new OpenID protocol to enable SSO for groups of related mobile and desktop applications on the same device. If you are vendor that provides a suit of native apps, users receive a smooth and seamless SSO experience across the installed apps, while keeping the authorisations and tokens separate, and supporting single logout. The device session token is kept in secure storage provided by the OS, such as the Keychain on iOS and macOS.

ID token based integration

Regardless of which flow was used to sign-in the user, the client application receives an ID token for the identity of the person. The token may include details about the authentication event, such as the level of assurance (LoA).

The ID token is compact and URL-safe, its payload JSON, and can be secured by a range of cryptographic algorithms, such as RSA, EC and EdDSA signatures, or HMAC.

{
  "sub"       : "alice",
  "iss"       : "https://c2id.com",
  "aud"       : "app-123",
  "auth_time" : 1311280969,
  "acr"       : "https://loa.c2id.com/high",
  "iat"       : 1311280970,
  "exp"       : 1311281970
}

Single logout

Client applications can subscribe to logout events, using a standard OpenID Connect front or back-channel notification mechanism. This ensures that users are automatically logged out of applications that previously used the Connect2id server for sign-in.

Client applications may be allowed to request user logout at the Connect2id server, at the standard logout endpoint. This action triggers logout notifications to all subscribed applications, as described above.

Session management and monitoring

The built-in session store of the Connect2id server has been optimised over the years to efficiently handle up to 2 billion concurrent sessions with low latency.

Key features of the session store and its web API:

  • A user can have multiple concurrent web and device sessions, with strict isolation between them.

  • Each session can be created with a specific authentication level (LoA) to align with the application’s security needs. For example, a banking application may require strong multi-factor authentication, while a federated social may be sufficient for common applications.

  • Selected session attributes can be automatically included in the issued ID tokens.

  • The session can be used as a simple and efficient source of OpenID claims for both UserInfo and ID tokens.

  • The web API provides calls to check who is online and to collect useful metrics.