
Trusted.ID Service Overview — Single Sign-On (SSO) System

Trusted.ID Service is a Single Sign-On (SSO) system for centralized user authentication and access management for enterprise applications.

The system provides secure centralized authentication with support for SSO, OAuth 2.0, OpenID Connect, and two-factor authentication.


Use Cases for Trusted.ID Service

Trusted.ID Service is a system designed to organize centralized user login to corporate information resources using a single account.

Trusted.ID Service is aimed at companies that require:

  • A single sign-on entry point for internal and external services
  • Centralized access management for different categories of users (employees, contractors, clients)
  • Enhanced security with multi-factor authentication support
  • Strict control and audit of user actions
  • Secure integration of multiple applications with different authentication systems

Key Features of Trusted.ID Service

1. Authentication and Login

The system provides centralized authentication and supports multiple protocols and authentication methods.

Supported Protocols

  • OpenID Connect (OIDC) — user authentication and identity data transfer
  • OAuth 2.0 — authorization and resource access management

Authentication Methods

  • Basic methods: login and password, email
  • External Identity Providers: social networks, trusted corporate systems, and other services
  • Enhanced and passwordless methods: cryptographic authentication via mTLS (client certificates) and WebAuthn (biometrics, hardware keys), as well as TOTP/HOTP one-time passwords

Two-Factor Authentication (2FA / MFA)

Trusted.ID Service supports multi-factor authentication (MFA), where access is granted only after successful identity verification using several independent factors (knowledge, possession, biometrics).

2. Application and User Management

  • Application creation and configuration: web applications, native mobile applications
  • Widget customization: tailoring the external authentication widget to the company's brand
  • User management: registration, editing, blocking, password changes

3. Security and Audit

  • Access rights differentiation
  • Detailed logging of all events and actions

4. Mini-widget

A lightweight JavaScript component that provides quick access to authentication functions and user information. It is easily embedded into any website or interface and offers navigation to the profile, the organization dashboard, and applications.

Access Levels

The system provides a flexible role-based access model:

| Role | Permissions | Intended For |
|------|-------------|--------------|
| Manager | Management of applications and login methods for their organization/unit | Department heads, project managers |
| Application administrator | Management of specific applications and their users | Developers, application administrators |
| Member | Management of personal profile and permissions for personal data access | Regular users, employees |

Trusted.ID Service System Modules

1. Profile

The "Profile" module provides management of personal user data and access settings. It includes functions for editing personal information, privacy settings, managing application permissions, and viewing activity logs. The module also provides access to the public application catalog.

2. Organization Dashboard

The "Organization Dashboard" module provides management of applications, authentication methods, and access policies within the organization. It includes organization parameter settings, login method configuration, organization application management, and user activity monitoring.

3. Application Dashboard (ADM)

The "Application Dashboard" module is designed for the administration of individual applications. It contains functions for managing assigned applications and monitoring the activity of users who have access to these applications.


Concept and Operating Principles of Trusted.ID Service

General Interaction Scheme

[Figure: General interaction scheme of Trusted.ID Service with corporate systems]

Interaction Sequence:

  1. Access Request — the user accesses the information system (IS).
  2. Check in IS DB — the system checks for the user's existence.
  3. Redirect to Widget — the user is directed to Trusted.ID Service.
  4. Authentication — the user undergoes the login procedure.
  5. Check in Trusted.ID Service DB — validation of credentials.
  6. Profile Provision — return of user data.
  7. Mapping in IS — searching for the user based on data from Trusted.ID Service.
  8. Rights Check — authorization in the target system.
  9. Access Granted — successful login to the system.

📌 Integration Requirements: To connect an information system to Trusted.ID Service, a user database and an authorization module supporting OpenID Connect or OAuth 2.0 are required.

OpenID Connect Authorization Scheme

[Figure: OpenID Connect authorization scheme]

Key OIDC Stages:

  1. User accesses the IS.
  2. IS (client) generates code_verifier and code_challenge.
  3. IS redirects the user to /authorize in Trusted.ID Service.
  4. User is redirected to the Trusted.ID Service authorization widget.
  5. User enters login/password and provides consent for data transfer.
  6. User check is performed in the Trusted.ID Service DB.
  7. User is redirected back to the IS (client) with an Authorization code.
  8. IS sends a request to /token in Trusted.ID Service.
  9. code_challenge and code_verifier validation in Trusted.ID Service.
  10. Trusted.ID Service returns an ID token containing the user profile and an access token (optionally a refresh token) to the IS.
  11. The IS authenticates the user locally.
  12. User gains access to the IS.
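The PKCE steps of the scheme above (step 2 on the client side, step 9 on the Trusted.ID Service side), as an added example that is not code from Trusted.ID Service; the issuer URL, client_id and redirect URI are placeholders, and the S256 transform follows RFC 7636:

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

ISSUER = "https://id.example.com"            # placeholder for the Trusted.ID Service base URL
CLIENT_ID = "demo-is"                        # assumed client id registered for this IS
REDIRECT_URI = "https://is.example.com/callback"  # assumed Redirect_URI of the IS

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires for both PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def code_challenge_for(verifier: str) -> str:
    """S256 transform: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce_pair() -> tuple[str, str]:
    """Step 2: the IS generates code_verifier and code_challenge.
    32 random bytes encode to 43 unreserved characters, inside the allowed 43..128 range."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)

def build_authorize_url(challenge: str, state: str, nonce: str) -> str:
    """Step 3: the redirect to /authorize. Only the challenge leaves the IS; the verifier
    stays in the IS session next to state and nonce until the /token request (step 8)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"

def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Step 9, as the authorization server does it: recompute S256 over the verifier sent to
    /token and compare it with the challenge stored next to the authorization code. An
    authorization code alone cannot be redeemed; compare_digest avoids a timing side channel."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(code_challenge_for(presented_verifier), stored_challenge)

if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(challenge, b64url(secrets.token_bytes(16)), b64url(secrets.token_bytes(16))))
    print("verifier accepted:", verify_pkce(challenge, verifier))
```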

OAuth 2.0 Authorization Scheme

[Figure: OAuth 2.0 authorization scheme]

OAuth 2.0 Flow Features:

  1. User accesses the IS.
  2. IS redirects the user to /authorize in Trusted.ID Service.
  3. User is redirected to the Trusted.ID Service authorization widget.
  4. User enters login/password and provides consent for data transfer.
  5. User check is performed in the Trusted.ID Service DB.
  6. Trusted.ID Service redirects the user back to the IS's Redirect_URI with an authorization code.
  7. IS sends a request for a token using the Authorization code.
  8. Trusted.ID Service validates the request.
  9. Trusted.ID Service returns an ID token and an access token (optionally a refresh token).
  10. IS requests the user profile.
  11. Trusted.ID Service provides the user profile.
  12. IS validates responses and establishes a local user session.
  13. User gains access to the IS.
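The IS-side checks behind steps 6 and 12 of this scheme (accepting the redirect only with a matching state, and validating the ID token claims before a local session is created), as an added example that is not Trusted.ID Service code; the issuer URL, client id, session values and token payload are constructed placeholders, and the JWT signature check against the provider's published keys is a separate, required step not shown here:

```python
import secrets
import time
from typing import Optional

ISSUER = "https://id.example.com"   # placeholder for the Trusted.ID Service issuer
CLIENT_ID = "demo-is"               # assumed client id registered for this IS

class CallbackError(Exception):
    """Redirect or token response rejected: the IS must not establish a local session."""

def check_callback(session: dict, query: dict) -> str:
    """Step 6, IS side: accept the redirect only when `state` equals the value stored in the IS
    session at step 2, which binds the authorization code to the browser that started the flow."""
    if "error" in query:
        raise CallbackError(f"provider error: {query['error']}")
    expected = session.get("oauth_state", "")
    if not expected or not secrets.compare_digest(expected, query.get("state", "")):
        raise CallbackError("state mismatch")
    return query["code"]

def validate_id_token_claims(claims: dict, session: dict, now: Optional[float] = None) -> dict:
    """Step 12, IS side: claim checks on the decoded ID token (signature assumed verified).
    Returns only what the IS needs to map the user to its own record (step 7 above)."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER:
        raise CallbackError("unexpected issuer")
    if CLIENT_ID not in aud:
        raise CallbackError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise CallbackError("azp required when several audiences are present")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise CallbackError("token expired")
    if claims.get("nonce") != session.get("oidc_nonce"):
        raise CallbackError("nonce mismatch (token not issued for this login attempt)")
    if not claims.get("sub"):
        raise CallbackError("subject missing")
    return {"sub": claims["sub"], "email": claims.get("email")}

if __name__ == "__main__":
    # Constructed sample: session saved before the redirect, and a decoded ID token payload.
    session = {"oauth_state": "s-7f3a", "oidc_nonce": "n-91c2"}
    code = check_callback(session, {"state": "s-7f3a", "code": "AUTHCODE-sample"})
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42", "email": "u42@example.com",
              "exp": time.time() + 300, "iat": time.time(), "nonce": "n-91c2"}
    print(code, validate_id_token_claims(claims, session))
```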

Single Sign-On (SSO) Scheme

[Figure: How Single Sign-On works between multiple systems]

Typical Scenario:

  1. Access request to IS1.
  2. User authentication in Trusted.ID Service.
  3. Provision of the Trusted.ID Service user profile to IS1.
  4. Access request to IS2.
  5. Provision of the Trusted.ID Service user profile to IS2 without repeating the user authentication procedure.

See Also