
Single Sign-On (beta)

💡 This feature is currently in closed beta. Contact us at hello@kenni.is for more information on joining the beta program.

Single Sign-On (SSO) allows users to authenticate once and gain access to multiple web applications within their team without needing to log in again. This streamlines the user experience and enhances security by reducing password fatigue and login redundancy.

Benefits of SSO

  • Seamless Access: Users can log in once and access all authorized applications within their team without re-entering credentials.
  • Improved Security: Reduces the risk of password-related security breaches since users only need to authenticate once per session.
  • Configurable Session Lifetime: The shared session at Kenni has a configurable lifetime, allowing teams to balance security with usability.

How It Works

When a user logs into one of your web applications (e.g., Web App A), an authenticated session is established at Kenni. If the user then accesses another web application (e.g., Web App B), it can request authorization from Kenni without prompting the user to log in again, as long as the session is still valid.

Enforcing Re-Authentication with prompt=login

There are cases where an application may need to force the user to re-authenticate, regardless of an active session. This can be achieved by including prompt=login in the authorization request. When this parameter is set:
  • Kenni will always prompt the user for credentials, even if a valid session exists.
  • This is useful for high-security operations or when verifying a user’s identity explicitly.

Enabling SSO for your team

Navigate to the Kenni developer portal, and click “Settings”. Navigate to the “SSO Settings” tab.
Ensure that “Enable SSO” is checked.
Specify the session lifetime at Kenni for your entire team. This value is specified in seconds, so for a session lifetime of 15 days, use 1.296.000.

Configuring your application’s post logout redirect URL

With SSO enabled, ending your application’s local session does not end the shared session at Kenni: a subsequent authorization request will complete without prompting the user to log in, as long as a valid session still exists at Kenni. In order to end the user’s session at Kenni, your application must have a valid post_logout_redirect_uri specified.
To add this, navigate to your application and click the settings tab. Fill out the “Post logout redirect URIs” field. Kenni will only redirect back to URIs listed here, and specifying an unlisted URI in the RP-initiated logout request will result in an error. Multiple valid redirect URIs can be specified by separating them with a line break.

RP-Initiated Logout

Applications can initiate logout requests to ensure users are logged out across all applications sharing the session. This is done using RP-Initiated Logout, which involves redirecting the user to the end_session_endpoint provided in the discovery endpoint. To retrieve the discovery endpoint, navigate to any application within your team, and find it under “Other endpoints” in the “Overview” tab.

How to Implement RP-Initiated Logout

  1. Obtain the end_session_endpoint from your team’s discovery endpoint.
  2. Redirect the user to the end_session_endpoint:
    1. Append the post_logout_redirect_uri as a query parameter. This redirect URL must be valid and is configured in your application’s settings tab. Note that multiple valid redirect URLs can be specified per application.
    2. Append an id_token_hint, which is the logged-in user’s id_token.
  3. Kenni will now clear the session and redirect the user back to the URL specified as the application’s post logout redirect URL.
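
The following is an added example, not Kenni’s own code, showing how an application builds the RP-initiated logout redirect from steps 1–3 above, and how it adds prompt=login to an authorization request when re-authentication must be enforced. The discovery document, endpoint URLs, client ID and redirect URIs are constructed placeholders, and the registered post-logout URI list stands in for the application’s settings tab.

```python
import json
from urllib.parse import urlencode

# Constructed sample discovery document (placeholder URLs, not real Kenni endpoints).
# In practice this is fetched from your team's discovery endpoint.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example/team",
    "authorization_endpoint": "https://idp.example/team/oidc/auth",
    "end_session_endpoint": "https://idp.example/team/oidc/logout",
})

# Stand-in for the "Post logout redirect URIs" registered in the application's settings tab.
REGISTERED_POST_LOGOUT_URIS = {"https://app-a.example/signed-out"}


def build_logout_url(discovery_json: str, id_token: str, post_logout_redirect_uri: str) -> str:
    """Return the URL the browser is redirected to in order to end the shared Kenni session.

    Rejects a redirect URI that is not registered for the application before the
    redirect is issued; Kenni itself would answer such a request with an error.
    """
    discovery = json.loads(discovery_json)
    if post_logout_redirect_uri not in REGISTERED_POST_LOGOUT_URIS:
        raise ValueError("post_logout_redirect_uri is not registered for this application")
    params = {
        "id_token_hint": id_token,  # the logged-in user's id_token
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    return f"{discovery['end_session_endpoint']}?{urlencode(params)}"


def build_login_url(discovery_json: str, client_id: str, redirect_uri: str,
                    state: str, force_reauth: bool = False) -> str:
    """Build an authorization request; with force_reauth=True, prompt=login is added so
    Kenni asks for credentials even when a valid shared session exists."""
    discovery = json.loads(discovery_json)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,  # per-request value the application checks on return
    }
    if force_reauth:
        params["prompt"] = "login"
    return f"{discovery['authorization_endpoint']}?{urlencode(params)}"
```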

Conclusion

SSO simplifies authentication across web applications within your team, while maintaining security and flexibility. By sharing the session, enforcing re-authentication where necessary, and using RP-Initiated Logout, you can provide a seamless and secure login experience for your users.