Applications
Application single sign-on (SSO) is the core feature of HelloID's Access Management module. Your Users log in just once, and can seamlessly access all their applications with one click (see Applications for users).
The application workflow is as follows:
If your application is popular, it may already be in HelloID's App catalog. The app catalog contains pre-filled templates to help you quickly set up SSO applications.
To get started, Add an application from the catalog.
For applications in the catalog which require significant customization, we also offer App setup guides.
If your application isn't in the catalog, you'll need to use a generic template instead:
If your application is a SAML or OIDC app, configure its mapping set (see Application mapping sets) to send the appropriate SSO claims when a user launches the application from HelloID. For applications which don't support a formal SSO protocol, and only support web login via username/password, you instead use Application credentials.
Simple access to applications is mediated by membership in Groups. More sophisticated access control, including two-factor authentication, is available through Application access rules.
Grant a group access to an application for each relevant group.
Optional:Add an application access rule
Users can now access and launch the application via the user dashboard (see Applications for users). You can organize this page using Application categories.
SAML applications
SAML applications follow the SAML V2.0 Standard.
To get started, Add an application from the catalog labeled SAML, or Add a generic SAML application.
OIDC applications
OIDC applications follow the OpenID Connect 1.0 standard.
PKCE is supported.
To get started, Add an application from the catalog labeled OpenID Connect, or Add a generic OIDC application.
OIDC refresh token flow
To reduce the frequency with which users must re-authenticate, enable the OpenID refresh token flow. This is the flow documented at: https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens.
To enable this flow, configure the following settings on the application's Configuration tab:
offline_access in Supported Scopes: enabled
Refresh Token Lifetime In Days: {the number of days the refresh token should remain valid}
After you configure these settings, the flow operates transparently in the background, without any further involvement by end users or HelloID administrators.
WS Federation applications
WS Federation applications follow the WS Federation 1.2 Standard.
To get started, Add an application from the catalog labeled WS Fed, or Add a generic WS Fed application.
Plugin applications
Plugin applications are applications which do not support an SSO protocol like SAML or OIDC. Instead, HelloID autofills a username and password in the application's login form using the Browser plugin. The autofilled information comes from the user's credential set (see Credential sets).
To get started, Add an application from the catalog labeled Plugin, or Add a generic Plugin application.
Tip
The difference between Form applications and Plugin applications is that form applications can only populate fields, whereas the plugin can additionally click a submit button.
Form applications
Form applications send an HTTP Post request to a target login page with the user's credential set (see Credential sets).
To get started, Add an application from the catalog labeled Form.
Tip
The difference between Form applications and Plugin applications is that form applications can only populate fields, whereas the plugin can additionally click a submit button.
Basic Auth applications
Basic Auth applications follow the HTTP Basic Authentication scheme.
To get started, Add an application from the catalog labeled Basic, or Add a generic Basic Auth application.