User authentication
Pluggable authentication
The Connect2id server provides a flexible web API to invoke one or several methods to authenticate the user and verify their presence. The API can integrate arbitrary authentication methods as well as logic to determine which method to invoke, based on criteria such as the requested access.
- Passkey (FIDO2 / WebAuthn)
- LDAP / Active Directory
- OTP
- X.509 certificate
- Biometrics
- Risk based
A handler for LDAP / Microsoft Active Directory authentication and attribute provisioning, commonly used in enterprises, is provided.
Credential security
Decoupling the authentication methods from the core Connect2id server, within strong and well-defined boundaries, enhances security. While recent advancements like passkeys are promising, passwords are likely to remain in use for the foreseeable future. As a “something you know” factor, passwords are perceived to carry less risk of loss compared to “something you have” factors, giving users a greater sense of control.
Communicating authentication level
The authentication strength and methods for a particular user authentication event or session can be communicated to client applications through the standard acr (Authentication Context Class Reference) and amr (Authentication Methods Reference) claims of ID tokens.
Authentication step-up
Applications can step up the authentication for a given user or session by making an OpenID authentication request with the optional acr_values parameter set to the desired ACR strength. On success the Connect2id server will return an ID token with the updated acr claim. This can be useful in cases involving the update of personal information and credentials, transactions, or some other sensitive operation.
The Connect2id server allows authentication to expire independently from the user’s browser or device session.
Just-in-time user provisioning
One useful feature for applications is the ability to issue an ID token for anonymous / unauthenticated users, or to allow users to create an account during login.
- Connect2id deployments are able to define a pseudo identifier for anonymous / unauthenticated users and a suitable ACR value to indicate that to client applications. If an application needs to authenticate the user at some point, it makes a step-up request to the Connect2id server.
- The sign-in can be paused until an account for the user is provisioned. This may involve the sending of a verification email or some other action. Once the account is created the user may re-authenticate. If the sign-up is successfully completed the Connect2id server returns a regular OpenID authentication response to the application.
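To show how a client application uses the acr and amr claims described above, decides whether a step-up is needed before a sensitive operation, builds the OpenID authentication request with acr_values, and checks the ID token that comes back, here is an added Python example. It is not part of this page and not Connect2id server code. The ACR URIs (including the one standing in for the anonymous-user ACR), the authorization endpoint, client_id and redirect_uri are constructed placeholders, and the ID token claims are constructed dictionaries standing in for payloads whose signature, issuer and audience have already been validated.

```python
# Relying-party side: act on the acr / amr claims of a validated ID token,
# decide on a step-up, build the request, and check the step-up response.
# Added illustration, not Connect2id code; all URIs and claims are constructed.

import secrets
from urllib.parse import urlencode

# Constructed ACR ladder for this example, weakest to strongest.
# A real deployment uses the ACR values agreed with its OpenID provider.
ACR_RANK = {
    "urn:example:acr:anonymous": 0,   # pseudo-identity, user not authenticated
    "urn:example:acr:password": 1,
    "urn:example:acr:mfa": 2,
}
ANONYMOUS_ACR = "urn:example:acr:anonymous"

# Constructed ID token payloads (assumed already signature/issuer/aud checked).
ANON_CLAIMS = {"iss": "https://op.example.com", "sub": "anon-7f3a",
               "acr": ANONYMOUS_ACR, "amr": []}
PWD_CLAIMS = {"iss": "https://op.example.com", "sub": "alice",
              "acr": "urn:example:acr:password", "amr": ["pwd"]}
MFA_CLAIMS = {"iss": "https://op.example.com", "sub": "alice",
              "acr": "urn:example:acr:mfa", "amr": ["pwd", "otp"], "nonce": "n-1"}


def acr_level(claims):
    """Rank the acr claim; a missing or unknown acr is treated as the weakest."""
    return ACR_RANK.get(claims.get("acr"), 0)


def is_anonymous(claims):
    """True for the pseudo-identifier ACR the provider uses for unauthenticated users."""
    return claims.get("acr") == ANONYMOUS_ACR


def needs_step_up(claims, required_acr):
    """True when the session's acr is below what the operation requires."""
    return acr_level(claims) < ACR_RANK[required_acr]


def authentication_methods(claims):
    """The amr claim as a list (RFC 8176 values such as 'pwd', 'otp', 'hwk')."""
    return list(claims.get("amr") or [])


def build_step_up_request(authz_endpoint, client_id, redirect_uri,
                          required_acr, state=None, nonce=None):
    """Authorization request asking the provider for the given ACR via acr_values.

    Returns (url, state, nonce); the caller stores state and nonce in the
    session so the response can be bound back to this request.
    """
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "acr_values": required_acr,   # the desired strength
        "state": state,
        "nonce": nonce,
    }
    return authz_endpoint + "?" + urlencode(params), state, nonce


def verify_step_up_response(new_claims, required_acr, expected_nonce, expected_sub=None):
    """Check the ID token returned after step-up.

    The nonce must match the request, the acr must now satisfy the requirement,
    and (unless the previous session was anonymous) the subject must be unchanged,
    so that a different user cannot be swapped in during the step-up.
    """
    if new_claims.get("nonce") != expected_nonce:
        return False
    if needs_step_up(new_claims, required_acr):
        return False
    if expected_sub is not None and new_claims.get("sub") != expected_sub:
        return False
    return True


if __name__ == "__main__":
    required = "urn:example:acr:mfa"
    if needs_step_up(PWD_CLAIMS, required):
        url, state, nonce = build_step_up_request(
            "https://op.example.com/authorize", "my-client",
            "https://rp.example.com/cb", required)
        print("redirect user to:", url)
    print("methods used:", authentication_methods(MFA_CLAIMS))
```

The subject check in verify_step_up_response is skipped for an anonymous session (pass expected_sub=None), because the pseudo identifier is expected to be replaced by the real subject once the user authenticates.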
Authentication method provision
The Connect2id server can act as an external authentication method (EAM) provider to Microsoft Entra. This enables authentication providers to expand their reach to large audiences and new applications.