This feature is currently in closed beta. Contact us at hello@kenni.is for more information on joining the beta program.
Single Sign-On (SSO) allows users to authenticate once and gain access to multiple web applications within their team without needing to log in again. This streamlines the user experience and enhances security by reducing password fatigue and login redundancy.
Benefits of SSO
- Seamless Access: Users can log in once and access all authorized applications within their team without re-entering credentials.
- Improved Security: Reduces the risk of password-related security breaches since users only need to authenticate once per session.
- Configurable Session Lifetime: The shared session at Kenni has a configurable lifetime, allowing teams to balance security with usability.
How It Works
When a user logs into one of your web applications (e.g., Web App A), an authenticated session is established at Kenni. If the user then accesses another web application (e.g., Web App B), it can request authorization from Kenni without prompting the user to log in again, as long as the session is still valid.
Enforcing Re-Authentication with prompt=login
There are cases where an application may need to force the user to re-authenticate, regardless of an active session. This can be achieved by including prompt=login in the authorization request. When this parameter is set:
- Kenni will always prompt the user for credentials, even if a valid session exists.
- This is useful for high-security operations or when verifying a user's identity explicitly.
Enabling SSO for your team
Navigate to the Kenni developer portal, and click "Settings". Navigate to the "SSO Settings" tab.
Ensure that "Enable SSO" is checked.
Specify the session lifetime at Kenni for your entire team. This value is specified in seconds, so for a session lifetime of 15 days, use 1,296,000.
Configuring your application's post logout redirect URL
With SSO enabled, ending your application's local session is not enough on its own: as long as a valid session still exists at Kenni, a subsequent authorization request will complete without prompting the user to log in. In order to end the user's session at Kenni, your application must have a valid post_logout_redirect_uri specified. To add this, navigate to your application and click the settings tab. Fill out the "Post logout redirect URIs" field. Kenni will only redirect back to URIs listed here, and specifying an invalid URI in the RP-initiated logout request will result in an error. Multiple valid redirect URIs can be specified by separating them with a line break.
RP-Initiated Logout
Applications can initiate logout requests to ensure users are logged out across all applications sharing the session. This is done using RP-Initiated Logout, which involves redirecting the user to the end_session_endpoint provided in the discovery endpoint. To retrieve the discovery endpoint, navigate to any application within your team, and find it under "Other endpoints" in the "Overview" tab.
How to Implement RP-Initiated Logout
- Obtain the end_session_endpoint from your team's discovery endpoint.
- Redirect the user to the end_session_endpoint.
- Append the post_logout_redirect_uri as a query parameter. This redirect URL must be valid, and is configured within your application's settings tab. Please note that multiple valid redirect URLs can be specified per application.
- Append an id_token_hint, which is the logged-in user's id_token.
- The session at Kenni will now be cleared, and the user redirected back to the URL specified as the application's post logout redirect URL.
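As an added example (not Kenni's own code), the following Python builds the two requests described on this page: an authorization request that forces re-authentication with prompt=login, and an RP-initiated logout request using the end_session_endpoint from a discovery document. The discovery document, host names, client id and token are constructed placeholders; replace them with the values from your team's developer portal.

```python
import json
from urllib.parse import urlencode

# Constructed stand-in for the team's discovery document; the placeholder
# host is not a real Kenni endpoint. Only the fields used here are shown.
DISCOVERY_JSON = json.dumps({
    "authorization_endpoint": "https://idp.example.invalid/oidc/auth",
    "end_session_endpoint": "https://idp.example.invalid/oidc/logout",
})

# Post logout redirect URIs registered for this application in its settings
# tab. Kenni only redirects back to these, so the same exact-match check is
# made locally to fail with a clear error before the user is redirected.
REGISTERED_POST_LOGOUT_URIS = {"https://app-a.example.invalid/logged-out"}

def load_discovery(raw: str) -> dict:
    """Parse a discovery document and require the endpoints relied on here."""
    doc = json.loads(raw)
    for key in ("authorization_endpoint", "end_session_endpoint"):
        if key not in doc:
            raise ValueError(f"discovery document lacks {key}")
    return doc

def build_authorization_url(doc, client_id, redirect_uri, state, force_login=False):
    """Authorization request. force_login adds prompt=login so Kenni asks
    for credentials even when a valid shared SSO session exists."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid", "state": state}
    if force_login:
        params["prompt"] = "login"
    return f"{doc['authorization_endpoint']}?{urlencode(params)}"

def build_logout_url(doc, id_token, post_logout_redirect_uri):
    """RP-initiated logout: id_token_hint is the signed-in user's id_token and
    post_logout_redirect_uri must exactly match a registered value."""
    if not id_token:
        raise ValueError("id_token_hint is required to end the Kenni session")
    if post_logout_redirect_uri not in REGISTERED_POST_LOGOUT_URIS:
        raise ValueError("post_logout_redirect_uri is not registered")
    params = {"id_token_hint": id_token,
              "post_logout_redirect_uri": post_logout_redirect_uri}
    return f"{doc['end_session_endpoint']}?{urlencode(params)}"

if __name__ == "__main__":
    disc = load_discovery(DISCOVERY_JSON)
    print(build_authorization_url(disc, "app-a", "https://app-a.example.invalid/cb", "xyz", force_login=True))
    print(build_logout_url(disc, "eyJ.constructed.token", "https://app-a.example.invalid/logged-out"))
```

In a real application the state value must be unpredictable and checked on the callback, and the id_token passed as id_token_hint is the one received when the user signed in.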
Conclusion
SSO simplifies authentication across web applications within your team, while maintaining security and flexibility. By leveraging session sharing, enforcing re-authentication where necessary, and utilizing RP-Initiated Logout, you can provide a seamless and secure login experience for your users.