Single sign-on

Single sign-on (SSO) lets a user authenticate once and then sign into every other application on your team without re-entering credentials. Kenni keeps a session at the IdP, and any subsequent authorization request that arrives while the session is alive completes silently.

SSO is a team-wide setting — when enabled, it applies to every application owned by the team.

SSO is a paid feature on a higher plan tier. Get in touch and we'll talk you through pricing and enable it for your team.

Plan and team setup

SSO is gated by your plan tier. If your team's plan supports it, configure SSO from Settings → Team settings in the developer portal:

  • Enable SSO — turns the feature on for the team.
  • Session TTL (seconds) — how long the IdP session stays valid before the user is asked to authenticate again. Minimum 60 seconds, maximum 30 days. Default 30 days.

The TTL counts from the last authentication, not the last activity. Each fresh login resets the clock.

How it behaves

With SSO enabled, an authorization request that arrives while a Kenni session is active skips the credential prompt entirely. The user lands directly on:

  • the consent screen, if consent is enabled and there are unconsented scopes,
  • the delegation picker, if prompt=delegation is on the request,
  • the delegation admin, if prompt=delegation_admin is on the request,
  • otherwise, your redirect_uri with a fresh authorization code.

Without SSO, every authorization request requires a fresh authentication, even if the user just signed in to a sibling application a minute ago.

There is only one Kenni session per browser. Signing in to one team-owned application is enough to skip the credential prompt on every other team-owned application that accepts the same session.

Ending the session

Closing the application or clearing its cookies does not end the Kenni session. To sign the user out everywhere on the team, your application must perform an RP-initiated logout by redirecting to the IdP's end_session_endpoint (available from the discovery document).

A typical logout flow:

  1. Application clears its own session.
  2. Application redirects to https://idp.kenni.is/<team-domain>/oidc/session/end?id_token_hint=<id-token>&post_logout_redirect_uri=<your-uri>.
  3. Kenni clears the IdP session and redirects back.

If you skip step 2, the user remains signed into Kenni and the next authorization request completes silently — usually not what the user expects after clicking "Sign out".
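Steps 1 and 2 of the logout flow as an added Python example (not Kenni's own code). It assumes the discovery document has already been fetched; a constructed subset is embedded inline so it runs offline, and the team domain, ID token and post-logout URI are placeholders.

```python
"""Added example: RP-initiated logout against the IdP's end_session_endpoint."""
from urllib.parse import urlencode, urlsplit

# Constructed subset of the discovery document (assumption: the real one is
# fetched from the issuer). The path mirrors the logout URL shown above.
DISCOVERY = {
    "issuer": "https://idp.kenni.is/example-team",
    "end_session_endpoint": "https://idp.kenni.is/example-team/oidc/session/end",
}

# Fixed application configuration (placeholder). Taking this value from a
# request parameter instead would turn the logout handler into an open redirect.
POST_LOGOUT_REDIRECT_URI = "https://app.example.test/logged-out"


def build_logout_url(discovery: dict, id_token: str, post_logout_redirect_uri: str) -> str:
    """Return the redirect target for step 2: end_session_endpoint plus
    id_token_hint and post_logout_redirect_uri."""
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        raise ValueError("discovery document has no end_session_endpoint")
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("end_session_endpoint must be https")
    if not id_token:
        raise ValueError("an ID token is required for id_token_hint")
    query = urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    })
    return f"{endpoint}?{query}"


def logout(session: dict, discovery: dict) -> str:
    """Step 1: drop the application's own session. Step 2: return the IdP
    logout URL the browser must be redirected to, so the Kenni session ends too."""
    id_token = session.get("id_token")
    session.clear()  # local session is gone even if building the URL fails
    return build_logout_url(discovery, id_token, POST_LOGOUT_REDIRECT_URI)


if __name__ == "__main__":
    # Constructed session holding a placeholder ID token.
    app_session = {"user": "alice", "id_token": "eyJ.placeholder.token"}
    print(logout(app_session, DISCOVERY))
```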

Test users and SSO

A test-user session never carries over via SSO to an application that doesn't have Test user access enabled. Kenni detects the mismatch and forces a fresh login on the receiving application, even if the test-user session is otherwise valid. This prevents test identities from leaking into production clients while keeping SSO useful inside development teams.

Next steps