OpenID Connect scenarios

Modified on Mon, 29 Mar 2021 at 11:55 AM

This document discusses and provides guide on how to configure your OpenID to achieve certain security server setup. This document only relevant to Server application which are using Omniscope Evo Enterprise/Team licences.

NOTE: This is only a guide, and is you should always consult with your company's IT policy when deciding on how setup your server. These are not recommendations of Visokio, but merely a guide on how you could setup your server to achieve certain security aspects.

The following scenarios assumes you have already setup the provider you want to authenticate with, and are looking for tips on how to configure the different OpenID Connect settings. For more information see here. The scenarios are based on what you should choose for OpenID Connect Login / Logout / Refresh behaviour.

If you need any guidance on how to setup please get in touch with us.

Scenario: Local sign-on, like Trello

You choose when to sign into Omniscope, and keep that sign on indefinitely (with invisible refresh and/or occasional provider user interface to reconfirm.

Behaviour	Value
Login	Implicit login for previous users
Logout	Local
Refresh	Keep

Scenario: Full/Enterprise SSO (Single-Sign On)

You never appear to need to sign into Omniscope, providing you have a provider session already (and subject to provider support), and cannot log out, other than going externally to the provider.

For enterprises using e.g. Windows account SSO (whether direct or OpenID, or via Enterprise SSO configuration at AuthO and Okta).

Behaviour	Value
Login	Implicit login, always
Logout	Local
Refresh	Keep

Scenario: High-security scenario

You require explicit re-authentication with provider, and always logout with provider

For enterprises using e.g. Windows account SSO (whether direct or OpenID, or via Enterprise SSO configuration at AuthO and Okta).

Behaviour	Value
Login	Explicit login with forced re-authentication
Logout	Provider
Refresh	Prompt

Advanced scenarios

These are some tips on different combinations you can setup based on the Login mode.

Login mode: Explicit login with forced re-authentication

Recommended logout mode	Notes
Provider	Most likely you would choose this with this login mode as you would want to make sure login/logout is always through provider. We also recommend have a short expiry set.

Recommended refresh Mode	Notes
Prompt	For highly secure app/environments. Before expiry you will be prompted to renew with explicit interactive interactive re-authentication with the provider.

Login mode: Explicit login

Recommended logout mode	Notes
Local	Omniscope session is distinct from provider session; we only do explicit login and logout of Omniscope, but leave the provider alone

Recommended refresh Mode	Notes
Prompt	Moderately secure apps/environments - requiring users to demonstrate they are alive before extending their session
Keep	Mostly suited for dashboards

Login mode: Implicit login for previous users

Recommended logout mode	Notes
Local	preserve silent SSO, except after the user explicitly logs out; still let it be easy to log back in explicitly
Provider	Where there are security reasons you would want an explicit global lout but also want the convenience of previous-user SSO.

Recommended refresh Mode	Notes
Prompt	You may want to choose this to prompt user to re-authenticate with provider.
Keep	Default for convenience you must explicitly log in once, and then retain or renew your session indefinitely until you explicitly log out

Login mode: Implicit login, always

Recommended logout mode	Notes
None	Where Omniscope is part of some wider ecosystem, but you only ever want to log out of it explicitly using an external account page, or can't log out e.g. Windows account SSO
Provider	Where you do want to present explicit global log out option within Omniscope. You want Omniscope to appear part of a wider group of applications.

Recommended refresh Mode	Notes
Keep	Full SSO