🧑‍🧑‍🧒‍🧒 User Authentication and SSO

You want to provide your own SSO? In many cases this makes sense. Good news: we offer many ways to implement this easily.

Single Sign-On (SSO) and User Authentication

tchop provides flexible and secure ways to manage user authentication and access control. We strongly recommend using Single Sign-On (SSO) wherever possible, as it allows you to fully control user identities, roles, and permissions in one central system. This ensures a seamless user experience and reduces the risks of managing multiple logins.

Depending on your use case (whether it's an internal communications app for employees or an external community or membership model), we support all modern standards for SSO and user management.

Key options for user authentication and sync

1. Standard web authentication (OAuth2)

For simple and secure web authentication, tchop supports OAuth2, the most widely used standard for app and web integrations. OAuth2 makes it easy to connect to existing identity providers and ensures compatibility across platforms.

But OAuth2 has some downsides. For instance, it provides a way to delegate access, but it does not define roles, groups, or permissions. You'll need to handle the mapping of users and roles in your own backend or identity system, or use our platform for it.

OAuth2 is a great foundation, but for secure authentication we almost always recommend OpenID Connect (OIDC).

2. Enterprise SSO (OpenID Connect & SAML 2.0)

For organizations with enterprise-grade requirements, we offer SSO integration via OpenID Connect or SAML 2.0.

  • OpenID Connect (OIDC) is ideal if you already use modern identity platforms such as Azure AD, Okta, or Google Workspace.

  • SAML 2.0 ensures broad compatibility with traditional enterprise identity providers.

These standards allow you to manage authentication, roles, and group-based access directly in your own identity management system. We do offer integrations for all common ID providers in the market, so usually integration is fairly easy.

Our recommendation is to use OpenID Connect as this is the more modern, secure standard.
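As an added example (not tchop's code or API), the sketch below shows what the OAuth2 and OIDC sections above imply for an integrator: an OIDC ID token is only trusted after its signature, issuer, audience, expiry and nonce are checked, and identity-provider groups are then mapped to application roles with default-deny. The issuer, client ID, secret, `groups` claim name and role names are constructed assumptions; HS256 is used only to keep the example standard-library-only, whereas most identity providers sign ID tokens with RS256 and publish their keys via JWKS.

```python
import base64, hashlib, hmac, json, time

# All values are constructed for illustration (hypothetical issuer, client, groups, roles).
ISSUER = "https://idp.example.com"
CLIENT_ID = "example-client-id"
SECRET = b"constructed-demo-secret"  # HS256 demo key; real IdPs usually use RS256 + JWKS
GROUP_TO_ROLE = {"comms-editors": "editor", "comms-admins": "admin"}  # hypothetical mapping

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims, secret=SECRET):
    """Build a constructed HS256 ID token so the example runs offline."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def validate_id_token(token, nonce, now=None):
    """Return the claims only if alg, signature, iss, aud, exp and nonce all check out."""
    head, body, sig = token.split(".")
    if json.loads(_unb64(head)).get("alg") != "HS256":  # pin the algorithm, reject "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")  # token was issued for a different client
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    if claims.get("nonce") != nonce:  # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims

def roles_for(claims):
    """Default-deny mapping: groups that are not listed grant no role."""
    return {GROUP_TO_ROLE[g] for g in claims.get("groups", []) if g in GROUP_TO_ROLE}
```
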

3. API-based user sync

If you prefer direct backend integrations, our API lets you sync users programmatically. This option is useful when user data is managed in an external system, CRM, or database, and you want to automate the creation, update, or deletion of user accounts in tchop.

Unlike SSO, users still log in through tchop's authentication layer, not your own system.

This method has some upsides: you decide exactly when and how users are created, updated, or removed. No manual work is required once the integration is in place, and it works well for large user bases with frequent changes (e.g., thousands of users syncing daily).

It also doesn't require your organization to run an identity provider (e.g. Azure AD, Okta), and it is useful if your users don't all belong to the same company domain (e.g. external communities, B2C models).

The downsides: it requires some technical effort based on a somewhat modern API. Also, depending on how you schedule sync jobs, user data might not be fully real-time.

4. Webhook-based sync

For lightweight use cases, we also provide easy ways to sync user data via webhooks. Whenever user data changes in your system, a webhook can trigger automatic updates in tchop. This is the most flexible and low-effort way to keep user information consistent.

Here, too, users still log in through tchop's authentication layer, not your own system.

Good thing: this does not require any complex API client or deep integration; it works with almost any system that supports outgoing webhooks.

Downside again: there will be some delay in syncing user directories. It is OK for basic user sync (create/update/delete), but not ideal for complex workflows. It's harder to handle advanced attributes, large datasets, or bulk updates.

Mixed Models: Web SSO + Mobile Login

In some enterprise scenarios, clients prefer to use a hybrid approach for authentication.

  • SSO for the Web App: Users authenticate via their company's identity provider (SSO with OIDC or SAML 2.0) when accessing the web platform inside their own network (with additional access protection via IP whitelisting). This ensures centralized control over access and enforces corporate security policies.

  • Native Login for Mobile Apps: For security reasons, some organizations restrict SSO access on unmanaged or private mobile devices. In such cases, we enable users to log in with standard tchop credentials in the mobile apps, while still keeping the web app strictly under SSO.

This mixed setup provides the best of both worlds:

  • Full enterprise-grade compliance where required (web access).

  • Maximum flexibility and usability for mobile users, even on private devices.

We support these kinds of hybrid authentication models and can tailor them to your specific compliance or IT security requirements.

Recommended setup

For most clients, we recommend using SSO via OIDC or SAML 2.0 to:

  • Centralize identity and role management

  • Enforce strong authentication policies (e.g. MFA)

  • Reduce the risk of password-related issues

  • Ensure compliance with internal IT security standards

Tip: Our team can help you decide which integration method best fits your setup and guide you through the implementation.

Want to test your app for free?

Experience the power of tchop™ with a free, fully-branded app for iOS, Android and the web. Let's turn your audience into a community.

Request your free branded app
