Multipass

What is Multipass Login?

Multipass is yet another authentication method aimed at Single Sign-On, most prominently used by the Salesforce-owned cloud helpdesk system Desk.com and the ecommerce platform Shopify. Several other organizations also use Multipass Single Sign-On for their websites, though it is not widely adopted. It differs slightly from JSON Web Token or SAML based Single Sign-On in that it allows customers of a business to log into their Desk.com or Shopify based portal using their existing authentication credentials. Effectively, Desk.com and Shopify become service providers, whereas the business becomes the identity provider. Multipass works using an AES-encrypted JSON hash that contains certain attributes about the customer seeking authentication on Desk.com or Shopify. The service provider receives this token, creates an account and logs the customer in, without the customer having to register or log in during the same session.

What’s in a Multipass Token?

The Multipass token, basically a JSON hash, contains various attributes about the customer seeking authentication, such as name, email address, IP address, the timestamp for expiration of the token and so on. Of these, the email and the timestamp are mandatory, which means the token can’t be created without these two attributes, though other custom fields can also be added. All these values are AES encrypted to yield the final token.

How do Multipass and Single Sign-On Authentication work?

Multipass is designed to work in a Single Sign-On Authentication and Federation environment. The general flow is from a business website to another website, such as a Desk.com or Shopify based one, for authentication without a separate login. Whenever a customer logs into your website, you create a Multipass token on the fly and pass it on to the second website as and when the customer seeks access. Of course, if there is no access request, the token would expire anyway. So, when the customer seeks access to, say, a Shopify website from your website, your main website sends the customer to the callback URL with the already created Multipass token and that’s it: your customer is signed in.
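
Both sides of the exchange described above, as an added example that is not from the original page or from any vendor's code: the identity provider issues a token, and the service provider authenticates it, decrypts it and checks its freshness. It assumes the construction Shopify documents for its Multipass tokens (SHA-256 of the shared secret split into an AES-128-CBC key and an HMAC-SHA256 key, with a `created_at` timestamp); the class name, the 15-minute freshness window and the sample values are hypothetical.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'time'

# Hypothetical helper class; key split, cipher and MAC are assumed from Shopify's documented scheme.
class MultipassDemo
  MAX_AGE = 900 # seconds; constructed freshness window, not a vendor value

  def initialize(secret)
    material = OpenSSL::Digest::SHA256.digest(secret)
    @enc_key = material[0, 16]   # AES-128 encryption key
    @sig_key = material[16, 16]  # HMAC-SHA256 signing key
  end

  # Identity-provider side: JSON -> AES-128-CBC (random IV) -> HMAC -> URL-safe base64.
  def issue(email, now: Time.now.utc, extra: {})
    json = extra.merge('email' => email, 'created_at' => now.iso8601).to_json
    cipher = OpenSSL::Cipher.new('aes-128-cbc').encrypt
    cipher.key = @enc_key
    iv = cipher.random_iv
    ct = iv + cipher.update(json) + cipher.final
    Base64.urlsafe_encode64(ct + OpenSSL::HMAC.digest('SHA256', @sig_key, ct))
  end

  # Service-provider side: check the MAC first, then decrypt, then check freshness.
  def verify(token, now: Time.now.utc)
    raw = Base64.urlsafe_decode64(token)
    return nil if raw.bytesize < 64 # IV (16) + one cipher block (16) + MAC (32)
    ct, mac = raw[0...-32], raw[-32..]
    expected = OpenSSL::HMAC.digest('SHA256', @sig_key, ct)
    return nil unless OpenSSL.secure_compare(mac, expected) # constant-time compare
    decipher = OpenSSL::Cipher.new('aes-128-cbc').decrypt
    decipher.key = @enc_key
    decipher.iv = ct[0, 16]
    data = JSON.parse(decipher.update(ct[16..]) + decipher.final)
    age = now - Time.iso8601(data.fetch('created_at'))
    return nil unless data['email'] && age.between?(0, MAX_AGE)
    data
  rescue ArgumentError, JSON::ParserError, KeyError, OpenSSL::Cipher::CipherError
    nil
  end
end

# Constructed demo values: the secret and the customer are made up.
mp = MultipassDemo.new('constructed-shared-secret')
token = mp.issue('customer@example.com')
puts mp.verify(token).inspect
```

Verifying the MAC before decrypting means a modified token is rejected without ever reaching the CBC padding check, and the timestamp check bounds how long a captured token can be replayed.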

Is there a Multipass Single Sign-On Example?