Authentication is a key functionality of idaas.nl. Users are authenticated at the requested authentication levels using authentication modules that can fulfil the authentication request.
We understand authentication in its broadest sense. Traditionally, users are authenticated by username and password. But this way of authentication is just one out of many optional authentication modules. The authentication tree is completely customizable.
What is unique is that idaas.nl allows the registration, activation and password forgotten modules to be treated as special forms of authentication. This is beneficial for clients connecting to idaas.nl, as it gives them control over the process. It also allows, for example, logging someone in automatically right after they register or activate their account.
By assigning authentication levels to authentication modules, clients ensure users securely access their services.
- Module concepts
- Authentication modules
- Authentication chain
- Account linking
Each module has the following options to configure.
The name of the module is presented to user when prompted to pick an authentication method.
Configure if a successful authentication should be remembered for this module. In either a (persistent) cookie or a session cookie.
How long to remember a successful authentication. For session cookies, the authentication result is forgotten as soon as the web browser is closed.
Specify one or more authentication levels for this module. After the authentication chain has been completed, the levels passed are stored in the acr claim. This claim is retrievable from the id_token and from the
A client may also request a required authentication level using the OpenID Connect acr_values query parameter. See documentation/openidconnect.
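Requesting a level with acr_values is only a request; the client must still check the acr claim it gets back before trusting the login. The following is an added example (not idaas.nl's own code) of a relying party that builds the request and validates the returned, already signature-verified id_token payload. It assumes idaas.nl writes several passed levels into acr as a space-separated string (or a list); the endpoint path, client id and level names are constructed values.

```python
import time
from urllib.parse import urlencode

# Constructed sample id_token payload (assumption: acr carries the levels
# passed in the chain, space-separated; the real encoding may differ).
SAMPLE_CLAIMS = {
    "iss": "https://example-tenant.idaas.nl",
    "aud": "my-client-id",
    "sub": "user-123",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1_900_000_000,
    "acr": "password totp",
}


def build_authorize_url(authorization_endpoint, client_id, redirect_uri,
                        state, nonce, required_levels):
    """Authorization request asking the IdP for the given levels."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "acr_values": " ".join(required_levels),  # a hint, not a guarantee
    }
    return f"{authorization_endpoint}?{urlencode(params)}"


def passed_levels(claims):
    """Levels recorded in acr, accepting either a list or a string."""
    acr = claims.get("acr", "")
    return set(acr) if isinstance(acr, list) else set(acr.split())


def verify_id_token_claims(claims, issuer, client_id, nonce,
                           required_levels, now=None):
    """Return a list of problems; empty means the login may be accepted.
    Assumes the JWT signature was already verified against the IdP keys."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud mismatch")
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    missing = set(required_levels) - passed_levels(claims)
    if missing:
        problems.append("missing levels: " + ", ".join(sorted(missing)))
    return problems
```

A login that came back with only the password level when TOTP was requested fails the last check, which is exactly the case a chain that lets users skip a second factor must be guarded against on the client side.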
A disabled module is never presented to an end-user.
Show only when needed
This option ensures a certain module is only presented when one explicitly requests this module, using the
The following authentication modules are currently supported by idaas.nl. This list is subject to change.
Log in with your username or email, and password. Users must exist in your tenant. Either because you have created them or because they have registered themselves using the registration module.
Time-based One-Time Password
Time-based One-Time Password (TOTP) is a well known authentication method for second-factor authentication (2FA). It is most used in combination with the Google Authenticator app.
You can safely configure the TOTP module as a second factor. By default, this module only has to be successfully passed by users who have configured TOTP for their user account.
OpenID Connect (remote provider)
Configure a remote OpenID Connect provider as an authentication module. This allows users to log in via your tenant, without registering first.
The activation module sends an email to the user with an activation link.
If this module is used as a first factor, it prompts for the user's username or email.
If this module is used as a second factor, it sends a mail to the user without prompting.
After sending the e-mail, the module shows a success message.
In most set-ups, a user has multiple ways to activate his account. For example, many services consider a login with a Facebook or Google account as a valid way to activate an account. Therefore, an account is activated based on the related activation authentication level. You can assign this authentication level to other authentication modules if needed.
The password forgotten module is a special module that allows resetting your password by sending a link. After resetting the password, the user is logged in.
This is another special module that allows users to register themselves. Usually, you would want to configure the activation module after the register module, but this is not a requirement. If you would like to let users into your web service immediately, you are free to do so.
Let users log in without a password via a magic link, sent to their email address.
If you create your own profile page, you might want to offer users the possibility to link a Facebook account to an existing account.
Log in via Google.
Log in via Twitter.
Log in via LinkedIn.
Log in via GitHub.
Authentication modules can be configured in a chain. The first module in the chain is always the start-module. After this module you can configure any number of modules. After each module you can configure again as many modules as you would like. This allows you to set up advanced multi-factor authentication scenarios.
A single person might want to make use of different authentication methods. He might register himself using a password first, but later want to connect his Facebook or Google account. This is done by account linking.