Using new-mode SSO requires that your application support HTTPS, so an SSL certificate is required. We recommend using Let's Encrypt to obtain all DV (domain-validated) certificates. These can be issued and renewed in an automated fashion. We can also obtain non-free certificates which can be used for applications that handle financial transactions.
See the main SSL certificates page for full instructions.