Security

SSOready platform

At 21RISK, we rely on SSOready to power authentication and directory sync across our platform. SSOready provides authentication-as-a-service with a focus on enterprise-ready SSO and SCIM support — without bundling session management or user databases.

Whenever authentication is required, users are redirected to SSOready. We currently support two types of authentication flows:

OTP-based email login

We strongly advise all enterprise customers using 21RISK to utilize SSO. In cases where SSO is not enabled—such as for non-enterprise customers or demo environments—we use a secure OTP (One-Time Password) email-based login flow.

This solution was built in-house to replace magic links and mitigate their known security concerns. Compared to magic links, OTP-based authentication offers better protection against MITM attacks and session hijacking.

Our OTP implementation includes the following safeguards:

  • OTP codes are valid for a single use only.
  • Each code is valid for 10 minutes.
  • Login must be completed using the same browser or device.
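A sketch of how the three safeguards above can be enforced on the server, added here as an illustration; it is not 21RISK's or SSOready's code. The `OtpStore` class, the cookie-style `binding` token used to tie the login to the requesting browser, and the `MAX_ATTEMPTS` cap are assumptions that do not come from this page.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 10 * 60  # from the page: each code is valid for 10 minutes
MAX_ATTEMPTS = 5           # assumption: an attempt cap is not listed on the page


def _digest(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()


class OtpStore:
    """In-memory stand-in for a server-side store (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # email -> [code_digest, binding_digest, expires_at, attempts]

    def issue(self, email: str):
        code = f"{secrets.randbelow(10**6):06d}"  # sent to the user by e-mail
        binding = secrets.token_urlsafe(32)       # set as a cookie on the requesting browser
        self._pending[email] = [_digest(code), _digest(binding),
                                self._clock() + OTP_TTL_SECONDS, 0]
        return code, binding

    def verify(self, email: str, code: str, binding: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False                          # never issued, or already consumed
        code_digest, binding_digest, expires_at, attempts = entry
        if self._clock() >= expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[email]              # expired, or guessed too often
            return False
        entry[3] += 1
        # Constant-time comparisons; '&' avoids short-circuiting between the two checks.
        ok = (hmac.compare_digest(code_digest, _digest(code))
              & hmac.compare_digest(binding_digest, _digest(binding)))
        if ok:
            del self._pending[email]              # single use: consume on success
        return ok
```

A code intercepted from the mailbox fails verification on its own here, because the verifier also requires the binding token held by the browser that started the login.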

Single Sign On (SSO) with SSOready

SSOready are industry experts in enterprise SSO integrations. Their platform supports both SAML and OIDC protocols and adheres to the OAuth 2.0 framework, abstracting away the differences between various identity providers (IdPs).

The SSO authentication flow is described here, and is summarized below:

To deliver the best experience, users are redirected based on their email domain to the correct SSO provider, if SSO is configured for that domain.

Directory Sync

To streamline the enterprise experience, we offer directory sync powered by SSOready.

This makes it possible to automatically provision and de-provision users based on their status in the customer’s identity provider. For example, when a user is unassigned from the 21RISK app in the IdP, they are automatically deactivated in our system — ensuring data security and access control.

Note

Directory sync is still a work in progress, but we expect the first features to land at the end of 2025.