Barebones CMS

SSO: Sign in a user underwater without manually entering details
#1
Yesterday I managed to set up an SSO server and two clients, thanks to the amazing video tutorials available.
The server and client work well, and they offer lots of great options and configuration.


While that works as expected, I would like to set up the sign-in system so that users can get signed in from code, without having to enter any details manually. We're already using another authentication system, but we would like to use this one as an extra, for SSO purposes.

The idea: a user signs in, using our already existing authentication system (legacy). Under water, the user simultaneously gets logged into the SSO server.

I'm trying to set up the remote login option, where it shows an example of '$sso_client->RemoteLogin($userid, $fieldmap);'. This seems to be exactly what is needed in this situation. However, it does not seem to work as I expected it to. While I've read the documentation on it, I still don't fully get it. CanRemoteLogin always returns false, because it needs $this->request[SSO_COOKIE_NAME . "_sr_id"] and $this->request[SSO_COOKIE_NAME . "_sr_t"], but I'm just calling the URL directly, so the request doesn't have those parameters. I thought I could directly log in remotely through 'RemoteLogin', without any session/parameters, apart from the remote key and a Client instance. It seems I'm misunderstanding the idea of the remote login provider and the documentation.


Is remote login the proper solution for this problem?
#2
The Remote Login provider is for remote sign-in. It's similar to a SAML/Okta-style enterprise sign-in. The sign-in flow is as follows:

1. A special URL to an application contains the remote login info in the URL.
2. The application starts a new SSO server session and redirects to the SSO frontend.
3. The SSO frontend picks up the request and routes it to the Remote Login provider.
4. The Remote Login provider redirects to the URL specified by the Remote Login (could be behind a firewall).
5. The software at the URL the browser is redirected to uses the SSO client and has the user sign in (e.g. Active Directory or a legacy login system like yours).
6. Once the user signs in, the SSO client is used to push user information into the Remote Login session and then redirects the user back to the SSO server frontend.
7. The SSO server frontend finalizes the sign-in and redirects back to the application.
8. The user is signed into the application.

You generally can't push information into the SSO server without an activated session and you can't create activated sessions outside of the only allowed flows.

If you can create a page with special URLs to various applications and those applications use the SSO client, then your idea will work fine. The Remote Login provider can then redirect to your legacy login system, which has them sign in, and then use the SSO client Remote Login to push the legacy info into the SSO server and redirect back to the application.
Author of Barebones CMS
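As an added example (not code from the thread or from the Barebones project), this is what the page at the Remote Login URL in step 5 might look like. It assumes the client is loaded from "client/sso.php", that Init() takes the list of request variables to preserve, that the SSO field names in $fieldmap match what the SSO server is configured with, and that legacy_authenticate() is a hypothetical function of the existing login system; CanRemoteLogin() and RemoteLogin($userid, $fieldmap) are the calls named in the thread.

```php
<?php
// Added example: the page the Remote Login provider redirects the browser to.
// Assumptions: client loaded from client/sso.php; Init() takes the request
// variables to preserve; legacy_authenticate() is a hypothetical function of
// the legacy system that outputs its own form and returns the user record
// (or false while the user is not signed in yet).
require_once "client/sso.php";

$sso_client = new SSO_Client;
$sso_client->Init(array("sso_remote_id"));  // assumed signature

// The SSO server only accepts pushed user info inside a session it started,
// so this page must be reached through the provider's redirect.  Only then does
// the request carry the _sr_id / _sr_t tokens and CanRemoteLogin() return true.
// Hitting the URL directly (as in the question) fails here, which is correct.
if (!$sso_client->CanRemoteLogin())
{
	http_response_code(403);
	echo "This page must be reached through the SSO sign-in flow.";
	exit();
}

// Run the existing (legacy) authentication.  Nothing is pushed to the SSO
// server until the legacy system has actually verified the user.
$user = legacy_authenticate();  // hypothetical
if ($user === false)
{
	// Not signed in yet: the legacy login form was already output.
	exit();
}

// Map legacy record fields to the SSO server's field names (assumed names).
$fieldmap = array(
	"username"  => $user["login"],
	"email"     => $user["email"],
	"firstname" => $user["first_name"],
	"lastname"  => $user["last_name"]
);

// Push the user into the Remote Login session and send the browser back to the
// SSO server frontend, which finalizes the sign-in (steps 6 and 7 above).
$sso_client->RemoteLogin((string)$user["id"], $fieldmap);
```

The $userid passed to RemoteLogin() should be the stable identifier from the legacy system, so the SSO server keeps mapping the same person to the same account on every sign-in.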

