OpenID Connect scenarios

Modified on Mon, 29 Mar, 2021 at 11:55 AM

This document is a guide to configuring your OpenID Connect settings so that your server achieves a particular security posture. It is only relevant to Server installations using Omniscope Evo Enterprise/Team licences.


NOTE: This is only a guide; you should always consult your company's IT policy when deciding how to set up your server. These are not recommendations of Visokio, but merely a guide to how you could set up your server to achieve certain security properties.


The following scenarios assume you have already set up the provider you want to authenticate with, and are looking for tips on how to configure the different OpenID Connect settings. For more information see here. Each scenario is expressed as the values you should choose for the OpenID Connect Login / Logout / Refresh behaviour.


If you need any guidance on how to set this up, please get in touch with us.



Scenario: Local sign-on, like Trello


You choose when to sign into Omniscope, and keep that sign-on indefinitely (with invisible refresh and/or an occasional provider user interface to reconfirm).


Behaviour   Value
Login       Implicit login for previous users
Logout      Local
Refresh     Keep



Scenario: Full/Enterprise SSO (Single-Sign On)


You never appear to need to sign into Omniscope, provided you already have a provider session (and subject to provider support), and you cannot log out other than by going externally to the provider.


For enterprises using e.g. Windows account SSO (whether direct or via OpenID, or via Enterprise SSO configuration at Auth0 and Okta).


Behaviour   Value
Login       Implicit login, always
Logout      Local
Refresh     Keep



Scenario: High-security scenario


You require explicit re-authentication with the provider, and always log out with the provider.


For enterprises using e.g. Windows account SSO (whether direct or via OpenID, or via Enterprise SSO configuration at Auth0 and Okta).


Behaviour   Value
Login       Explicit login with forced re-authentication
Logout      Provider
Refresh     Prompt
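The three scenarios above differ in how the OpenID Connect requests are shaped. The following added example (not Omniscope's or Visokio's code; endpoint URLs are constructed placeholders) shows the standard OIDC parameters that each Login, Logout and Refresh value typically corresponds to: prompt=login with max_age=0 for forced re-authentication, prompt=none for silent login against an existing provider session, and the end_session_endpoint for provider logout.

```python
from urllib.parse import urlencode

# Constructed placeholder endpoints; a real deployment reads these from the
# provider's discovery document (.well-known/openid-configuration).
AUTHZ_ENDPOINT = "https://idp.example.com/authorize"
END_SESSION_ENDPOINT = "https://idp.example.com/logout"

# The three scenarios from the article, as (login, logout, refresh) settings.
SCENARIOS = {
    "local-sign-on": ("implicit-previous", "local", "keep"),
    "enterprise-sso": ("implicit-always", "local", "keep"),
    "high-security": ("explicit-forced", "provider", "prompt"),
}


def authorization_params(login_mode, previous_user=None):
    """OIDC authorization-request parameters that express each login mode."""
    params = {"response_type": "code", "scope": "openid profile email"}
    if login_mode == "explicit-forced":
        # prompt=login makes the provider re-authenticate even with a live session;
        # max_age=0 additionally requires a fresh auth_time (OIDC Core 3.1.2.1).
        params.update(prompt="login", max_age="0")
    elif login_mode == "implicit-always":
        # prompt=none: silent attempt; the provider answers error=login_required
        # instead of showing UI when it has no session, so the app can detect it.
        params["prompt"] = "none"
    elif login_mode == "implicit-previous":
        # Silent only after the user has logged in explicitly once; first visit is interactive.
        if previous_user is not None:
            params.update(prompt="none", login_hint=previous_user)
    elif login_mode != "explicit":
        raise ValueError(f"unknown login mode: {login_mode}")
    return params


def logout_url(logout_mode, id_token_hint, post_logout_redirect_uri):
    """RP-initiated logout URL for provider logout; None means only the local session is cleared."""
    if logout_mode != "provider":
        return None
    query = {"id_token_hint": id_token_hint, "post_logout_redirect_uri": post_logout_redirect_uri}
    return END_SESSION_ENDPOINT + "?" + urlencode(query)


def refresh_action(refresh_mode, seconds_to_expiry, renew_window=300):
    """As the session nears expiry: 'keep' renews silently, 'prompt' requires re-authentication."""
    if seconds_to_expiry > renew_window:
        return "none"
    return "silent-refresh" if refresh_mode == "keep" else "interactive-reauth"
```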



Advanced scenarios


These are some tips on the different combinations you can set up, organised by Login mode.




Login mode: Explicit login with forced re-authentication



Recommended logout mode   Notes
Provider                  Most likely you would choose this with this login mode, as you would want to make sure login/logout is always through the provider. We also recommend setting a short expiry.


Recommended refresh mode   Notes
Prompt                     For highly secure apps/environments. Before expiry you will be prompted to renew with explicit interactive re-authentication with the provider.


Login mode: Explicit login


Recommended logout mode   Notes
Local                     The Omniscope session is distinct from the provider session; we only do explicit login and logout of Omniscope, and leave the provider alone.


Recommended refresh mode   Notes
Prompt                     Moderately secure apps/environments, requiring users to demonstrate they are present before extending their session.
Keep                       Mostly suited for dashboards.



Login mode: Implicit login for previous users


Recommended logout mode   Notes
Local                     Preserves silent SSO, except after the user explicitly logs out; still makes it easy to log back in explicitly.
Provider                  Where there are security reasons you would want an explicit global logout, but also want the convenience of previous-user SSO.


Recommended refresh mode   Notes
Prompt                     You may want to choose this to prompt the user to re-authenticate with the provider.
Keep                       Default, for convenience: you must explicitly log in once, and then retain or renew your session indefinitely until you explicitly log out.



Login mode: Implicit login, always


Recommended logout mode   Notes
None                      Where Omniscope is part of some wider ecosystem, but you only ever want to log out of it explicitly using an external account page, or cannot log out at all (e.g. Windows account SSO).
Provider                  Where you do want to present an explicit global logout option within Omniscope, and want Omniscope to appear part of a wider group of applications.


Recommended refresh mode   Notes
Keep                       Full SSO.




