Dfns adds SSO support via OIDC to its wallet platform
We are excited to announce that the Dfns wallet platform now supports Single Sign-On (SSO) via OpenID Connect (OIDC). This addition strengthens our authentication stack by combining OIDC with our WebAuthn-based passkeys and key-based cryptographic signatures, giving clients new ways to unify user identity, security, and workflows across financial applications.
A bit about SSO, SAML, and OIDC
Single Sign-On (SSO) is the experience enterprises want. Users log in once through their internal identity system and gain seamless access to all approved applications, including their wallets. But SSO itself isn’t a protocol; it’s a pattern that relies on standards underneath. Historically, that standard was SAML, an XML-based protocol designed in the 2000s and still widely used across legacy enterprise software.
Today, OpenID Connect (OIDC) has become the modern alternative. Built on top of OAuth 2.0, it uses lightweight JSON tokens, integrates naturally with APIs and mobile devices, and enforces the same access policies that govern core systems like email or HR. For financial services this shift matters because OIDC allows wallet sessions to plug directly into corporate identity providers, ensuring that conditional MFA, risk-based access rules, and passwordless flows apply before any transaction request is ever made.
By embracing OIDC, Dfns enables enterprises to combine the convenience of SSO with the cryptographic guarantees of its secure wallet platform, unifying identity policy with transaction security.
Why OIDC and wallets matter in finance
Banks, fintechs, and payment platforms work in highly regulated spaces where proving who someone is matters as much as securing a transaction. Adding OIDC support in Dfns wallets lets organizations:
- Use their existing IdP (e.g., Azure AD, Okta, Ping, Google Workspace) to control wallet access.
- Onboard and offboard staff simply by linking wallet access to enterprise identities.
- Apply the same login rules, MFA, and audit policies they already use across applications directly to wallet operations.
This means wallets can fit neatly into existing SSO frameworks instead of creating separate identity systems. The benefits are clear:
- Seamless user flow: Employees, traders, or customers log in with their usual SSO account and move straight into wallet tasks. No duplicate accounts or extra logins.
- Built-in compliance: Every wallet login and transaction approval maps back to an enterprise identity, making KYC, AML, and audit processes simpler and more consistent.
- Fine-grained controls: Administrators can set rules at both the identity provider and wallet level, such as requiring multiple passkeys for large transfers or blocking use outside specific networks.
- Stronger security: Combining SSO, WebAuthn, and MPC signatures layers identity checks, device-based authentication, and distributed signing, which greatly reduces the chance of account takeover or insider abuse.
How OIDC works with WebAuthn and passkeys
Dfns has always taken a layered approach to authentication because no single control can adequately protect enterprise wallets against today’s mix of threats. Identity providers are excellent for managing user access, but they can be phished. Passkeys provide phishing-resistant cryptography, but they can’t enforce enterprise-wide login policies. Even hardware-bound signatures can be misused if the surrounding session isn’t governed by corporate identity rules. By stacking these mechanisms together, Dfns ensures that every authentication step compensates for the limitations of the others, creating a defense-in-depth model purpose-built for financial transactions.
- OIDC authentication: Users first authenticate via their organization’s identity provider. This ensures that enterprise access policies, from passwordless login to conditional MFA, are enforced before a wallet session is even created.
- WebAuthn passkeys: Once authenticated, users confirm wallet operations using passkeys bound to their device through WebAuthn. This guarantees phishing-resistant, cryptographic authentication tied to hardware (TPMs, Secure Enclaves, or platform authenticators).
- Private key signatures: Every transaction request still requires cryptographic validation through Dfns’ MPC- or HSM-based key management system. Even if an attacker gained access to an SSO session, they would not be able to move assets without device-bound signatures and policy approvals.
Below is a more detailed authentication and transaction flow within the Dfns platform when OIDC SSO is enabled:
- SSO login: The user opens a wallet app. Dfns redirects them to the company’s identity provider. The identity provider applies enterprise rules such as passwordless login, MFA, or conditional access, then returns a signed OIDC token to Dfns.
- Session established: Dfns verifies the token and creates a wallet session tied to the user’s enterprise identity. The user can now access the platform, but no signing has taken place yet.
- Transaction request: When the user requests an action such as a transfer, the Policy Engine checks both enterprise identity details (such as roles and groups) and wallet rules (such as requiring two approvals for large transfers).
- WebAuthn challenge: If extra confirmation is needed, Dfns sends a WebAuthn challenge. The user responds with a passkey signature from their registered device.
- MPC signature: Once identity and device are confirmed, the Dfns MPC network generates a distributed signature. No single node holds the private key, ensuring separation of control.
- Execution and logging: The transaction is broadcast to the blockchain. A cryptographic audit log records the OIDC login, WebAuthn confirmation, and MPC signature, giving regulators and auditors full visibility.
The result is federated identity without weakening transaction security: enterprises get the convenience of SSO, and every transaction is still secured by three independent security pillars: federated identity, hardware-rooted authentication, and distributed key management.
Building the next generation of financial applications
With OIDC support, the Dfns wallet platform can now be fully embedded into enterprise IAM ecosystems. This means banks and payment providers can roll out secure digital asset services while retaining the same user experience and security assurances they already apply to core banking applications.
For developers, it also means wallets become first-class citizens in enterprise workflows. You can build trading dashboards, payment portals, and custody platforms that respect both modern identity standards and financial-grade cryptographic controls.
Get started today: app.dfns.io/get-started