Skip to main content
Skip table of contents

Technical Implementation Specifications


The following article lists the technical requirements that are either supported or not supported by the Cloud SSO, with regards to the respective OpenID Connect and SAML protocol specifications and RFCs.

OpenID Connect

SSO Initiations

(tick) RP-initiated Sign On
(error) IdP-initiated Sign On (Not defined by the OpenID Connect specification)

OAuth Flow Types

(tick) Authorization Code
(tick) Authorization Code with PKCE extension
(tick) Implicit
(tick) ROPC / Password (Public and Confidential)

(error) Hybrid Flow
(error) Client Credentials (SSO is only performed within user context, not for accessing an API, so no need for client credentials)
(error) Device Code

Grant Type Security Warning

Certain grant types, such as ROPC and Implicit, are less secure (by design). These modes can be considered "legacy". It is recommended that these modes not be enabled unless your connected apps / third parties specifically require them.

In the upcoming (currently in draft) OAuth 2.1 specification, ROPC and Implicit mode have been removed from the specification due to their weak security.

JWT Signing Algorithms

(tick) HS512 (Private shared symmetric key)
(tick) RS256
(tick) RS512

(error) Elliptic Curve (ECDSA)
(error) Probabilistic Signature Scheme (RSASSA-PSS)

Technical Note

When HS512 is selected, the JWKS endpoint does not advertise the signing key, as the key is intended for use as a private shared key between the first- and third-parties. The JWKS endpoint returns an empty string (Base64: "AA") for the key value in this mode.

OpenID Connect Endpoints

(tick) Discovery Endpoint (via well-known URL)
(tick) Authorization
(tick) Token Exchange
(tick) UserInfo
(tick) Token Introspection
(tick) Token Revocation
(tick) RP-initiated Logout (DRAFT status)

(error) Dynamic Registration
(error) Front-channel Logout
(error) Back-channel Logout

OAuth2 Scope Values

(tick) openid
(tick) profile

Technical Note

Due to the limited nature of the iMIS REST API, we are unable to support any iMIS API-related scopes. Our tokens are therefore only used to verify the identity of a user, not for that user to then access protected resources via an API using their token.

Auth Methods

(tick) Client Secret POST
(tick) Client Secret Basic

Subject Types

(tick) Public

Response Mode

(tick) Query

(error) Fragment
(error) Form Post

Response Types

(tick) Code (code)
(tick) Token (token)
(tick) ID Token (token id_token)

Technical Note

Not all combinations are supported in all scenarios. For example, you cannot request a token / id_token unless the Implicit Flow setting is enabled.

SAML 2.0

Overall SAML Featureset / Protocols

(tick) Authentication Request
(tick) Single Logout Protocol

(error) Assertion Query and Request Protocol
(error) Artifact Resolution Protocol
(error) Name Identifier Management Protocol
(error) Name Identifier Mapping Protocol

SSO Initiation

(tick) SP-initiated Login
(tick) IdP-initiated Login

Technical Note

IdP-initiated login presents a number of security challenges. It is supported by the Cloud SSO, but should only be used when SP-initiated login is not supported.

Additionally, there is currently no "landing page" feature in the Cloud Dashboard where users can browse for a list of applications they would like to sign into (much like an intranet site homepage). You will need to take your IdP-initiated sign-in link from the Cloud SSO admin console and place it somewhere on your own website.


(tick) HTTP POST
(tick) HTTP Redirect

(error) HTTP Artifact
(error) SAML SOAP
(error) POAS / Reverse SOAP
(error) SAML URI

NameID Formats

(tick) Unspecified (iMIS username or iMIS ID) (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified)
(tick) Email (Contact's primary e-mail address) (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
(tick) Persistent (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent)
(tick) Transient (urn:oasis:names:tc:SAML:2.0:nameid-format:transient)

(error) X.509 Subject Name
(error) Windows Domain Qualified Name
(error) Kerberos
(error) Entity

Attribute Formats

(tick) Basic
(tick) URI (If IQA column name is prefixed with urn:oid:)

(error) Unspecified

Condition Types

(tick) Not Before
(tick) Not On Or After
(tick) Audience Restriction

(error) One Time Use
(error) Proxy Restriction

Subject Confirmation Methods

(tick) Bearer

(error) Holder-of-Key
(error) Sender Vouches

AuthN Context Class Refs

At this time, because users are required to input their iMIS passwords at some point during authentication, and HTTPS is enforced, the only AuthN context class ref supported is Password Protected Transport.

Due to limitations with the iMIS REST API, we are unable to support iMIS installations where 2FA/MFA is enabled at this time.

(tick) Password Protected Transport (urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport)

(error) Authenticated Telephony
(error) Internet Protocol
(error) Internet Protocol Password
(error) Kerberos
(error) Mobile One Factor Contract
(error) Mobile One Factor Unregistered
(error) Mobile Two Factor Contract
(error) Mobile Two Factor Unregistered
(error) Nomad Telephony
(error) Password
(error) Personal Telephony
(error) PGP
(error) Previous Session
(error) Secure Remote Password
(error) Smartcard
(error) Smartcard PKI
(error) Software PKI
(error) SPKI
(error) Telephony
(error) Time Sync Token
(error) TLS Client
(error) Unspecified
(error) X.509
(error) Xml DSig

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.