SSO and authentication methods
Adapting SSO to authentication methods
This article covers cases where you might want an SSO solution whose behavior depends on the authentication method.
Authentication Methods and their limitations
Some authentication methods may be considered more secure than others, and some may be considered too cumbersome to use often. In such situations it can be valuable to define different SSO behaviors depending on which authentication method is in play.
Improving experience and security
An important part of SSO is to provide a smooth user experience. This is often hard to do when that need conflicts with security requirements. In such situations it becomes important to find a reasonable compromise: require stricter (and possibly more cumbersome) authentication methods at longer intervals, while keeping a shorter interval for less involved methods.
Using SSO expiration times
The SSO session in Curity is valid until the configured expiration time occurs. This is a profile-wide setting, but it can be overridden for each authenticator.
| Setting level | SSO expiration | Effect |
|---|---|---|
| Profile | 3600 seconds | If not configured on an authenticator this applies |
| Username / Password Authenticator | 1 day | Require password every day |
| SMS Second factor | 30 days | Require second factor every month |
With the above configuration for SSO expiration we can achieve a more user-friendly login flow.
- Day 1: The user accesses the site for the first time and is prompted with both Username/Password and SMS.
- Day 2: The user returns to work using the same browser, so we now only request the Username/Password again.
- Day 31: The user now needs to re-authenticate using both factors.
This is a common setup for sites that the user accesses frequently.
SSO is governed by the expiration settings in Curity's configuration. These can be tuned in detail to accommodate numerous use cases.
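The Day 1 / Day 2 / Day 31 timeline above can be reproduced with a small model of per-authenticator SSO expiration with a profile-wide fallback. This is an added example, not Curity's implementation or configuration syntax; the authenticator names, the start date and the rule that a session counts as expired once its age reaches the configured time are assumptions.

```python
from datetime import datetime, timedelta

# Expiration values from the table above; the authenticator ids are hypothetical.
PROFILE_DEFAULT = timedelta(seconds=3600)
AUTHENTICATOR_TTL = {
    "username-password": timedelta(days=1),
    "sms": timedelta(days=30),
}

def sso_ttl(authenticator):
    """Per-authenticator override, falling back to the profile-wide value."""
    return AUTHENTICATOR_TTL.get(authenticator, PROFILE_DEFAULT)

def factors_to_prompt(required, last_auth, now):
    """Return the required authenticators whose SSO session is missing or expired."""
    prompts = []
    for name in required:
        stamp = last_auth.get(name)
        # Assumption: a session whose age has reached its expiration time is expired.
        if stamp is None or now - stamp >= sso_ttl(name):
            prompts.append(name)
    return prompts

def login(required, last_auth, now):
    """Prompt for expired factors and record a fresh authentication time for each."""
    prompts = factors_to_prompt(required, last_auth, now)
    for name in prompts:
        last_auth[name] = now
    return prompts

def simulate(days, required=("username-password", "sms")):
    """Replay one login per listed day (Day 1 = first visit) in a single browser."""
    start = datetime(2024, 1, 1, 9, 0)  # constructed start date
    last_auth = {}  # per-browser SSO state: authenticator -> last authentication time
    return {d: login(required, last_auth, start + timedelta(days=d - 1)) for d in days}

if __name__ == "__main__":
    for day, prompts in simulate([1, 2, 31]).items():
        print(f"Day {day}: prompt for {', '.join(prompts) or 'nothing (SSO still valid)'}")
```

An authenticator without its own entry falls back to the 3600-second profile value, so it is prompted again after an hour even while the password and SMS sessions are still valid.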
For more information, see the Curity Developer Portal on SSO.