We have all used a website that lets you “Sign-in with Google” or “Sign-in with Facebook” instead of creating yet another username and password that you then have to remember. But have you ever wondered how this is implemented? Well, this is where OpenID Connect comes to the rescue.
OpenID Connect was developed to let website developers enable single sign-on from a variety of different “identity providers” through a common API. Let’s say you are a developer creating a new website called acmeproducts.com. Instead of asking the user to create an account, where he has to choose a username and password and enter his name, address and other personal information, you can use OpenID Connect to request that information from the user’s favorite identity provider (e.g. Google or Facebook), where the user has already provided it.
When the user clicks the “Sign-in with Google” or “Sign-in with Facebook” button, he is redirected to the appropriate service to log in. Once logged in, your site, acmeproducts.com, receives a token that contains information about the user and that lets you request additional information about the user from the identity provider. The advantage is that the user has one less username and password to remember: he just uses his Google or Facebook password, his account on acmeproducts.com is created automatically, and he can log in with the same Google or Facebook credential from then on. In a nutshell, acmeproducts.com uses Google or Facebook to achieve single sign-on for its users.
OmniDefend also supports OpenID Connect and can be configured for single sign-on to any website that supports selectable OpenID Connect identity providers. However, instead of a username and password, the user can now authenticate with a biometric, smart card, OTP, PIN or phone push notification, which makes the login and authentication process both simpler and more secure. To configure OmniDefend for single sign-on using OpenID Connect, you will need to do the following:
- Find out whether the application allows single sign-on through third-party identity providers that are OpenID Connect compatible
- Add an OpenID Connect application in OmniDefend and provide the application’s login and logout URLs
- Configure the application to redirect users to OmniDefend for OpenID Connect authentication. This involves giving the application the ClientId and ClientSecret generated in the previous step, along with the URL where you are running OmniDefend
The end result is a dialog like the one you see below, where your users authenticate with OmniDefend (biometric, smart card, OTP, etc.) and are then automatically signed into the application using strong, secure authentication.
Here is a great Medium article where you can read more about the OpenID Connect standard.