# Authentication

## LeZa as an Identity Provider

LeZa is itself an identity provider that implements the [OpenID Connect protocol](https://openid.net/connect/). It allows you to register users and keep their information safe. This information is easily accessible through our open [API](https://dac.do.si-dev.net/docs#tag/Users).

## External Identity Providers

LeZa seamlessly manages connections to other Identity Providers for your application and sits between your application and the Identity Provider that authenticates your users.

LeZa provides SSO or Social Sign-in which allows you to connect to Identity Providers like [Google](https://developers.google.com/identity/protocols/oauth2/openid-connect), [Facebook](https://developers.facebook.com/docs/facebook-login/), [Azure](https://azure.microsoft.com/en-gb/free/active-directory/search/?\&ef_id=Cj0KCQjwxJqHBhC4ARIsAChq4asFWpQANdKTLykoNI1KjJzqBic33TiaCQILKHNssxOGzoXkhmQ0v4kaAp7VEALw_wcB:G:s\&OCID=AID2200255_SEM_Cj0KCQjwxJqHBhC4ARIsAChq4asFWpQANdKTLykoNI1KjJzqBic33TiaCQILKHNssxOGzoXkhmQ0v4kaAp7VEALw_wcB:G:s\&gclid=Cj0KCQjwxJqHBhC4ARIsAChq4asFWpQANdKTLykoNI1KjJzqBic33TiaCQILKHNssxOGzoXkhmQ0v4kaAp7VEALw_wcB) and many more with zero fuss.

*An external identity provider is a service that creates and maintains identity information and then provides authentication services to your applications. Integrating with external identity providers can significantly reduce sign-in and registration friction, which allows your users to easily access applications without needing to create new passwords or remember usernames*.

## Authentication

LeZa allows you to control access to your application using both the OAuth 2.0 and OpenID Connect specifications.

[OpenID Connect](https://openid.net/connect/) (OIDC) is an authentication protocol that is an extension of [OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc6749). While OAuth 2.0 is only a framework for building authorization protocols and is mainly incomplete, OIDC is a full-fledged authentication and authorization protocol. OIDC also makes heavy use of the [JSON Web Token](https://jwt.io/) (JWT) set of standards. These standards define an identity token JSON format and ways to digitally sign and encrypt that data in a compact and web-friendly way.
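The checks a client application runs on a signed identity token before trusting it, as an added example that is not LeZa's own code. The issuer URL, client ID, shared secret and function names are constructed assumptions, and HS256 is used only to keep the example within the standard library; a production client would normally use a maintained JWT library and the provider's published signing keys.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not LeZa settings).
ISSUER, CLIENT_ID, SECRET = "https://idp.example", "demo-client", b"demo-shared-secret"

def b64u_enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(claims: dict, alg: str = "HS256") -> str:
    """Stand-in for the identity provider: build a compact signed token."""
    head, body = (b64u_enc(json.dumps(p).encode()) for p in ({"alg": alg, "typ": "JWT"}, claims))
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{head}.{body}.{b64u_enc(sig)}"

def validate_id_token(token: str, nonce: str, now=None, leeway: int = 60) -> dict:
    """Return the claims if every check passes, else raise ValueError."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64u_dec(head)), json.loads(b64u_dec(body))
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError
        signature = b64u_dec(sig)
    except Exception:
        raise ValueError("malformed token") from None
    # Pin the algorithm: the token header must never choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # may be a single string or a list
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise ValueError("expired")
    if claims.get("nonce") != nonce:  # binds the token to this login request
        raise ValueError("nonce mismatch")
    return claims

def verdict(token: str, nonce: str, now: float) -> str:
    """Summarise validation as 'ok:<sub>' or the rejection reason."""
    try:
        return "ok:" + validate_id_token(token, nonce, now)["sub"]
    except ValueError as err:
        return str(err)
```

The signature is checked before any claim is read, so a token whose payload was edited after issuance is rejected before its `iss`, `aud` or `exp` values are considered.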

### MFA (Multi-Factor Authentication)

LeZa enables [strong customer authentication](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32015L2366\&from=EN#d1e5540-35-1) by allowing users to configure MFA. Organisation admins are able to set MFA as a requirement for all users in the organisation. The following multi-factor authentication methods are provided:

* Using an authentication app like Google Authenticator
* Using one or more phone numbers
* Using your email address

***What is Strong Customer Authentication?** Strong Customer Authentication ([SCA](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32015L2366\&from=EN#d1e5540-35-1)) is a new European regulatory requirement to reduce fraud and make online services more secure. SCA requires authentication to use at least two of the following three elements:*

* ***Something the user knows** (e.g. password or PIN)*
* ***Something the user has** (e.g. hardware key or phone)*
* ***Something the user is** (e.g. fingerprint or facial recognition)*

### Defining Custom Authentication Settings per Organization

[Organization admins](/technology.md#organisations) have the flexibility to configure their own authentication policy requirements for the following items:

* Whether MFA is required for users (forced) and which methods to allow
* The token expiration time period for user registration and password reset
* Password length and strength requirements
* Permissible [SSO Identity Providers](/technology/authentication.md#external-identity-providers)
* Maximum password lifetime

