Enabling Single Sign-On, SSO, for a Criipto Verify domain will let your users get access to several of your systems with a minimum of effort. They will only be prompted for a login once per browsing session when you are using SSO. Subsequent authentication requests on the same domain (and for the same eID method) will be completed automatically by Criipto Verify, thereby reducing the UX friction.
The session information needed to maintain an SSO session is maintained in
Secure cookies, created with
SameSite=None. This means that the session can be established and maintained even if your users access your Criipto Verify domain in third-party context. Cookies and therefore also the SSO session is tied to a single Criipto Verify domain.
You enable and disable
SSO per DNS domain through the management dashboard for Criipto Verify. Go to the
Domains tab on dashboard.criipto.com and click on the domain you choose for SSO. The following options are available:
You can tweak this behavior on a per-authentication-request basis by specifying an additional query parameter in the request for authentication. There are 2 options:
If you send a
prompt=none and the user has no session, an error response will be sent back to your supplied callback URL with an
Note that if you are using WS-Federation, and have to use a library that supports only standard parameters, you can achieve the same effect via the
wfresh parameter. Specify
wfresh=-1 for a
Silent check and
wfresh=0 for a
If you are using SSO across multiple applications, you should also offer users a way to actively terminate the sessions with each application. Depending on the authentication protocol you use, you can initiate a Single Logout, SLO, flow by sending the users browser to one of the following URLs: