My CONNECT account
"My CONNECT account" is the account management client of CONNECT. The "My CONNECT account" client is available at https://connect.telenordigital.com/gui/mypage.
A service using CONNECT may want to link to "My CONNECT account" from its clients, so that end users can manage their account information. This makes it possible to manage email addresses and phone numbers, change the password, and manage permissions.
The "My CONNECT account" client is a separate web client, which depends on single sign-on (SSO) functionality to integrate seamlessly with the clients linking to it. Note that an end user may occasionally need to log in explicitly. In addition, the end user will be required to re-authenticate when accessing sensitive functionality, e.g. changing email addresses or phone numbers. This is for security reasons: an SSO session alone must not be enough to change vital user data and thereby take over an account.
Changes made in "My CONNECT account" affect the end users' CONNECT account across all services using CONNECT as their login or payment solution.
- From within services: "My CONNECT account" or "Manage CONNECT account".
- From within CONNECT services: "My account".
- Do not use "Settings".
- "My CONNECT account" - Button
- "My CONNECT account" - Text link
- "Signed in as ..." - Text link
Integration - general
Integration with the My CONNECT account client can be controlled with the parameters in the table below.
The client must supply an email address and/or a phone number (preferably both) in a login_hint parameter when linking to the "My CONNECT account" client. The reason for this is to avoid accidentally using an existing session for another user. The "My CONNECT account" client supports the login_hint parameter, just like the authorization request for the authorization server.
Example - web link
The mypage_back_link parameter triggers the display of a backlink in the top left corner of MyPage (see screenshot below). If no mypage_back_link parameter is provided, then no backlink is displayed. The scheme and host must be given to us for whitelisting. You can add any path to the whitelisted URIs. If the URI is invalid or not whitelisted, the backlink is not displayed.
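The whitelisting rule above, as an added example that is not CONNECT's own code: a service-side helper that builds the link and checks the backlink's scheme and host against the registered entries before using it. How CONNECT itself performs the comparison is an assumption, and `service.example.com`, the helper names and the `login_hint` placeholder value are constructed.

```javascript
// Added example, not CONNECT's code. Whitelist entries, sample URIs and the
// login_hint placeholder are constructed for illustration.
const MYPAGE_URL = "https://connect.telenordigital.com/gui/mypage";

// Scheme + host pairs assumed to be registered with CONNECT for this service.
const WHITELISTED = new Set(["https://service.example.com"]);

// Reduce a URI to "scheme://host[:port]" using a real URL parser.
// Returns null when the URI is invalid (relative, empty, malformed).
function schemeAndHost(uri) {
  try {
    const u = new URL(uri);
    return `${u.protocol}//${u.host}`;
  } catch {
    return null;
  }
}

// True only when scheme and host match a whitelisted entry exactly; any path
// is accepted. String prefix checks would wrongly accept hosts such as
// "service.example.com.other.example".
function isBackLinkWhitelisted(uri, whitelist = WHITELISTED) {
  const key = schemeAndHost(uri);
  return key !== null && whitelist.has(key);
}

// Build the link to "My CONNECT account". login_hint is passed through as an
// opaque string; the backlink is checked first so a bad value fails loudly
// here instead of silently not being displayed.
function buildMyPageLink(loginHint, backLink) {
  if (!loginHint) throw new Error("login_hint is required");
  const url = new URL(MYPAGE_URL);
  url.searchParams.set("login_hint", loginHint);
  if (backLink !== undefined) {
    if (!isBackLinkWhitelisted(backLink)) {
      throw new Error(`backlink not whitelisted: ${backLink}`);
    }
    url.searchParams.set("mypage_back_link", backLink);
  }
  return url.toString();
}

console.log(buildMyPageLink("LOGIN_HINT_PLACEHOLDER",
  "https://service.example.com/account?tab=1"));
```

Because the backlink is set through `searchParams`, its own query string is percent-encoded and survives as a single parameter value.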
Integration for native clients
- Link to "My CONNECT account" in an external browser or a secure embedded browser like Chrome Custom Tabs or Safari View Controller. It has to be made clear to the user that "My CONNECT account" is not part of the service they are using. WebViews are therefore not allowed.
- If the client used the same browser (or another browser sharing cookies with it) to get the user authenticated with CONNECT, the user will be automatically logged into "My CONNECT account" if an active SSO session exists (*).
- If the client used a less secure embedded browser like a WebView (not recommended) to get the user authenticated with CONNECT, the user has to authenticate once more to get access to "My CONNECT account". Still, if a valid SSO session exists in the browser, e.g. from another client using CONNECT, the user will be automatically logged into "My CONNECT account" (*).
- If the client uses an external browser for the link to "My CONNECT account", a backlink may be used to make it easier for the user to get back to the client.
- If the client uses a secure embedded browser for the link to "My CONNECT account", there is no need for a backlink because such browsers already offer a way to get back to the client.
Variant 1 - linked via "Signed in as..."
Variant 2 - linked via "My CONNECT account"
Integration for web clients
- Link to "My CONNECT account" in a separate tab or window. The link may be opened in the same tab if a backlink is included.
- If an active SSO session exists, the user will be automatically logged into "My CONNECT account" (*).
Variant 1 - with direct links to sub pages within "My CONNECT account"
Variant 2 - linking to overview page
(*) For security reasons, SSO will not be sufficient to get access to the "change email" and "change phone" pages without re-authentication.