Skip to main content

Authentication

This section outlines the preferred authentication protocols and methods for secure access and guides application owners in choosing the right one for their application.

Supported Protocols

The following protocols are supported by PwC Identity, listed by preference:

Authentication ProtocolDescription
SAML
Security Assertion Markup Language
A federated protocol used for Cross-Domain Single Sign-On (CDSSO).
WS-FederationMicrosoft protocol primarily used for .NET-based applications.
OAuth2OAuth2 is an open standard for authorization, allowing a third-party application to get limited access to a user's data on another service.
OIDC
OpenID Connect
A modern authentication standard built on OAuth 2.0.
Detailed grant flows & their support are listed in the ensuing summary table.

OAuth2 Grant Flows

Summary Table

Grant TypeUse CaseSecurity LevelStatus
Authorization CodeServer-side web appsHigh
ImplicitSPAs (deprecated)Low
Client CredentialsServer-to-server communicationHigh
Resource Owner PasswordTrusted clients (deprecated)Low
Device AuthorizationLimited-input devices (e.g., IoT)High
Refresh TokenToken renewalHigh
Authorization Code with PKCESPAs and mobile appsHigh

For detailed protocol specifications and endpoint configurations, refer to Section 4.0 of the Application Integration Guide.

Authentication Options

  • Certificate-Based Authentication: Standard method for internal users on PwC managed devices on PwC Network.
  • Password-Based Authentication: Standard method using username and password credentials.
  • Password Fallback MFA: One-Time Password (OTP) sent via SMS or email when primary authentication fails.
  • MFA (Entrust): Strong multi-factor authentication using Entrust tokens.
  • MFA with "Trust My Device": Allows device recognition for smoother user experience while maintaining security.

Details on each authentication level for internal and external users are available in Section 4.3 of the Application Integration Guide.

Session Lifetimes

PwC Identity does not have a maximum idle timeout or maximum session setting. Hence, to make sure that your application times out an inactive user and renews the authenticated session at a frequency mandated by the ISP requirements, you will need to:

  • Remove and revoke the application session cookies and cache.
  • Call the Entra ID logout URI.
  • Initiate a fresh authentication session.

Refer to Session Management of the Technical Integration Guide for more information.

Recommendations

  • Prefer OIDC with OAuth2 for new applications due to its enhanced security and flexibility.
  • Ensure callback URLs are absolute and comply with OAuth2 specifications &standards.
  • Ensure SAML & Ws-Fed requests are signed.
  • Ensure OAuth2 & OIDC tokens are validated.
  • Avoid using wildcards in redirect URIs.
  • Avoid using localhosts in redirect URIs.
  • Avoid using HTTP in redirect URIs and ensure always HTTPS URIs are used.
  • Choose authentication methods based on user type and risk profile.
  • Implement MFA for all sensitive or privileged access.
  • Use fallback mechanisms to ensure accessibility without compromising security.