User authentication

Pluggable authentication

The Connect2id server doesn't deal with user credentials directly. Instead, it delegates the task of user authentication via a web API to an external handler. An LDAP / Microsoft Active Directory authentication handler is available out of the box, or you can plug your own, leveraging existing infrastructure if necessary.

LDAP / Active Directory

LDAP / Active Directory

Hardware Token

Hardware tokens (OTP)

X.509 Certificate

X.509 certificates

SQL database

SQL / NoSQL database

Risk based authentication

Risk based

Biometric authentication


Authentication factors can be added and upgraded on the fly, with zero disruption to sign-on service.

Credential security

Never having to share passwords with the OpenID Connect server is good for security, according to the principles of "need to know" and minimising credential access. This reduces the potential vectors of attack and makes the job of IT security easier.

Two-factor authentication

Enterprises are free to combine multiple factors for stronger authentication, for example LDAP credentials with hardware generators of one-time passwords (OTP tokens).

Two-factor authentication can be invoked on demand by a client application, or for users who require that.

The authentication strength and methods for a particular user session are advertised in the standard acr (Authentication Context Class Reference) and amr (Authentication Methods Reference) claims of identity tokens issued to applications.

Step-up authentication

Applications that need to step up authentication for a particular user or session can do so by making an OpenID authentication request with the optional acr_values parameter set to the desired ACR strength. On success the Connect2id server will return an ID token with the updated acr claim.

Authentication step-up is useful in cases such as updating personal information and credentials, making a payment, or some other sensitive operation.

The Connect2id server allows authentication to expire independently from a user's session (browser or device).

Just-in-time user provisioning

An important feature for consumer applications is the ability to issue an ID token for anonymous / unauthenticated users, or to allow users to create an account during the login flow.

  • Enterprises are free to define a pseudo identifier for anonymous / unauthenticated users, as well as an ACR value to indicate that to applications. If an application needs to authenticate the user at some point, it can make a step-up request to the Connect2id server.

  • The web API for plugging authentication factors allows the sign-in to paused until an account for the user is provisioned. This may involve the sending of a verification email or SMS, or some other action. Once the account is created the user may or may not be asked to authenticate. At the end if the sign-up is successful the Connect2id server will return a regular OpenID authentication response to the application.