The Connect2id server doesn’t deal with user credentials directly. Instead, it delegates the task of user authentication to an external service. Customers can use the available Connect2id µService for standard LDAP / MS-AD authentication, or plug their own to leverage existing infrastructure.
LDAP / Active Directory
Hardware tokens (OTP)
SQL / NoSQL database
Existing authentication factors can be upgraded and new ones added with zero disruption to sign-on service.
Never having to share passwords with the OpenID Connect server is also good for security, according to the key principles of "need to know" and minimising credential access. This reduces the potential vectors of attack and simplifies the job of security staff in charge of protecting the asset (the user credentials).
Strong two-factor authentication
Enterprises are free to combine multiple factors for stronger authentication, for example LDAP credentials with hardware generators of one-time passwords (OTP tokens).
Two-factor authentication can be invoked on demand by a client application, or for privileged users only.
The authentication strength and methods for a particular user session are advertised in the standard acr (Authentication Context Class Reference) and amr (Authentication Methods Reference) claims of identity tokens issued to client applications.
Applications that need to step up authentication for a particular user or session can do so by making an OpenID authentication request with the optional acr_values parameter set to the desired ACR strength. On success the Connect2id server will return an ID token with the updated acr claim.
Authentication step-up is useful in cases such as updating personal information and credentials, making a payment, or some other sensitive operation.
The Connect2id server allows authentication to expire independently from a user’s session (browser or device).
Just-in-time user provisioning
An important feature for consumer applications is the ability to issue an ID token for anonymous / unauthenticated users, or to allow users to create an account during the login flow. The Connect2id server can support both scenarios.
Enterprises are free to define a pseudo identifier for anonymous / unauthenticated users, as well as an ACR value to indicate that. If the application needs to authenticate the user at some point, it can make a step-up request to the Connect2id server.
- The interface for plugging in authentication factors allows the login process to be suspended until an account for the user is provisioned. This may involve sending a verification email, making a payment, or some other step. When the account is created the user may or may not be asked to authenticate. At the end if the sign up is successful the Connect2id server will return the usual OpenID authentication response to the application.