SSO with YubiKey two-factor authentication

Many systems are moving away from independent logins to Single Sign-On solutions, where a single authentication unlocks access to multiple applications or services. With each additional system tied to a single authentication event, it becomes more and more crucial that the authentication is secure. Two-factor authentication adds the necessary security by pairing a physical token with other credentials, such as a username and password. The security and ease of use of the YubiKey make it an ideal solution for Single Sign-On authentication, allowing users to carry the key to their virtual office on their keychain.


Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (a producer of assertions) and a service provider (a consumer of assertions). Yubico partners with third-party online SAML identity services to offer several YubiKey-enabled SAML providers for our customers. We also encourage various free software projects to implement support for YubiKey in their SAML packages.


YubiKey Hardware
SAML server/implementation

Third party SAML providers

Enterprise-class SAML servers and services supporting the YubiKey include:

• OneLogin
• Clavid
• ForgeRock
• Svensk e-identitet


simpleSAMLphp is a simple PHP application for performing authentication that supports several federation protocols, including SAML.

• simpleSAMLphp
• Yubico’s SAML administration tool


Shibboleth is the leading SAML implementation used in higher education federations around the world. YubiKey authentication is possible with the Yubico JAAS module found in the Yubico Java client:

• Java Client

Multifactor authentication with Shibboleth is possible with the multifactor login handler contributed to the community by Yubico:

• Multifactor login handler

How to implement support for OpenID for your site

Join the global OpenID initiative and turn your online service, web mail, blog, etc. into a safe and easy place to visit. Download implementations to get started:


YubiKey Hardware
OpenID support

How to use YubiKey + OpenID as a user

1. Insert the YubiKey into your computer’s USB port.
2. Enter your OpenID URL into the OpenID URL prompt on any website that supports OpenID.
3. You will be redirected to the OpenID server you have chosen, where you will need to authenticate yourself using the YubiKey.
4. Next you are redirected back to the website, properly authenticated.


Yubico OpenID Server 

For demonstration purposes, Yubico provides an OpenID server that is easy to use if you have a YubiKey. Go to our OpenID server, log in, and follow the instructions there on how to use it.


The source code for our OpenID server is open source. It is based on JanRain’s example OpenID server.

• Google Code “yubico-openid-server” Project

Partners provide YubiKey enabled OpenID:


