Single sign-on configuration - AWS Wickr

This guide provides documentation for the AWS version of Wickr. If you're using the on-premises version of Wickr, see Enterprise Administration Guide.

Single sign-on configuration

In the SSO Configuration section of the AWS Management Console for Wickr, you can configure Wickr to use a single sign-on system to authenticate. SSO provides an added layer of security when paired with an appropriate multi-factor authentication (MFA) system. Wickr supports SSO providers who use OpenID Connect (OIDC) only. Providers who use Security Assertion Markup Language (SAML) are not supported.

View SSO details

Complete the following procedure to view the current single sign-on configuration for your Wickr network, if any. You can also view the network endpoint for your Wickr network.

  1. Open the AWS Management Console for Wickr at https://console.aws.amazon.com/wickr/.

  2. On the Networks page, choose the Admin link to navigate to the Wickr Admin Console for that network.

    You're redirected to the Wickr Admin Console for that specific network.
  3. In the navigation pane of the Wickr Admin Console, choose Network Settings, and then choose SSO Configuration.

    The Single Sign-on & LDAP Configuration page displays your Wickr network endpoint and current SSO configuration.

Configure SSO

For more information about configuring SSO, see the following guides in the Wickr Help Center:

Important

When you configure SSO, you specify a company ID for your Wickr network. Be sure to write down the company ID for your Wickr network. You must provide it to your end users when sending invitation emails. End users must specify the company ID when they register for your Wickr network.

Grace period for token refresh

Identity providers occasionally experience temporary or extended outages. During an outage, the refresh token for a user's client session fails to renew, and the user is logged out unexpectedly. To prevent this, you can set a grace period that allows your users to remain signed in even if their client refresh token fails during such an outage.

Here are the available options for the grace period:

  • No grace period (default): Users will be signed out immediately after a refresh token failure.

  • 30 minute grace period: Users can stay signed in for up to 30 minutes after a refresh token failure.

  • 60 minute grace period: Users can stay signed in for up to 60 minutes after a refresh token failure.
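The options above describe what a client does when the identity provider (IdP) is unreachable and a refresh fails. The following Python simulation is an added example, not Wickr's or AWS's code, that models that decision so the effect of each setting can be compared. It assumes a 15-minute access-token lifetime, a session check every 5 minutes, and that the grace window is counted from the first refresh failure of an outage; these are constructed modelling assumptions, not values taken from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Grace-period choices listed on the page, in minutes (constant name is hypothetical).
GRACE_PERIOD_MINUTES = {"none": 0, "30": 30, "60": 60}


@dataclass
class ClientSession:
    """Minimal model of a client session whose access token is renewed via an IdP refresh token."""
    access_token_expires_at: datetime
    # First refresh failure of the current outage; None while refresh is healthy.
    refresh_failed_at: Optional[datetime] = None


def check_session(session: ClientSession, now: datetime, idp_available: bool,
                  grace_minutes: int, token_lifetime: timedelta = timedelta(minutes=15)) -> bool:
    """Return True if the user may stay signed in at `now`, False if the client must sign out.

    1. A still-valid access token needs no refresh.
    2. Otherwise try to refresh; success renews the token and clears the outage marker.
    3. On failure, stay signed in only inside the configured grace window, measured from
       the first failure of the outage (modelling assumption, not specified by the page).
    """
    if now < session.access_token_expires_at:
        return True
    if idp_available:
        session.access_token_expires_at = now + token_lifetime
        session.refresh_failed_at = None
        return True
    if session.refresh_failed_at is None:
        session.refresh_failed_at = now
    if grace_minutes <= 0:
        return False  # "No grace period": signed out on the first refresh failure
    return now - session.refresh_failed_at <= timedelta(minutes=grace_minutes)


def simulate_outage(grace_minutes: int, outage_minutes: int) -> List[Tuple[int, bool]]:
    """Constructed timeline: login at t0, IdP down from t0+15 for `outage_minutes`,
    session checked every 5 minutes up to t0+75. Returns (minute, allowed) pairs,
    stopping at the first sign-out."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    session = ClientSession(access_token_expires_at=t0 + timedelta(minutes=15))
    outage_start, outage_end = 15, 15 + outage_minutes
    results = []
    for minute in range(0, 80, 5):
        now = t0 + timedelta(minutes=minute)
        idp_up = not (outage_start <= minute < outage_end)
        allowed = check_session(session, now, idp_up, grace_minutes)
        results.append((minute, allowed))
        if not allowed:
            break  # the client signs the user out; nothing further to check
    return results


def signed_out_at(grace_minutes: int, outage_minutes: int) -> Optional[int]:
    """Minute at which the simulated client signs the user out, or None if the
    IdP recovered before the grace window ran out."""
    for minute, allowed in simulate_outage(grace_minutes, outage_minutes):
        if not allowed:
            return minute
    return None


if __name__ == "__main__":
    for name, grace in GRACE_PERIOD_MINUTES.items():
        for outage in (20, 40, 60):
            print(f"grace={name:>4} outage={outage:>2} min -> signed out at {signed_out_at(grace, outage)}")
```

Running the block prints one line per combination. With no grace period the user is signed out at minute 15, the first failed refresh; with the 30-minute option a 20-minute outage is ridden out entirely while a 40- or 60-minute outage still ends in a sign-out at minute 50; the 60-minute option survives all three constructed outages. The trade-off the setting encodes is visible in the code: during the grace window the client keeps an access token it could not re-validate with the IdP, so a longer window means a longer period in which a revoked or disabled IdP identity can keep a live Wickr session.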