By: Ahsan Umair user 16 May 2017 at 11:19 a.m. CDT

Hi, we have implemented an SSO solution with Gluu Server having multiple client applications. As these client applications are related to each other, we only require the user to sign on once and then hop between different applications seamlessly. Can you please detail how we go about implementing this scenario? Can we take the access token issued to the first application and re-use it in other applications so the user doesn't have to log in again when he navigates between different apps? Please note our applications are implemented in different technologies, i.e. ASP.NET, C# and Java. We are using the oxd client to implement the SSO.

By Mohib Zico staff 16 May 2017 at 1:14 p.m. CDT

Whenever you log into any client, a session is issued. If you open a different client/app in a new tab, you don't need to re-authenticate again, as the session is shared already. So you have one login for all apps - achieved.

By Ahsan Umair user 16 May 2017 at 2:02 p.m. CDT

If the client app is on a different server and has its own session and authentication on top to make sure resources are protected and the user is logged in through Gluu SSO, how can this app check that a specific user has signed in through Gluu? Can we reuse a previously issued access token in a different application?

By Mohib Zico staff 16 May 2017 at 5:09 p.m. CDT

You don't need to reuse any access token. All your apps should be good with one login (in the same browser), no matter where your apps are sitting. Even if they are in different SSO protocols, just one access token is issued for them. Please feel free to test your scenario and if you face any issue anywhere, open a new ticket with a stack trace.

By Ahsan Umair user 16 May 2017 at 5:47 p.m. CDT

The issue is that our app needs to know which user has actually signed in through SSO. For this Gluu returns code and state parameters in the return URL, which we then use to get the user name and email from Gluu. This works if there is one application authenticating, as code and state are expired after first use (please correct me if I am wrong). All we need is for this to work with multiple apps to get user info from Gluu so we know which user actually logged in. The GetUserInfo method in the oxd library requires an access token, which we obtain from code and state. If we want to call GetUserInfo from a different app then an access token is required. That is why we ask if we can reuse the access token or not. If you have an alternate solution to this then let us know.

By Yuriy Zabrovarnyy staff 18 May 2017 at 2:03 a.m. CDT

Hi Ahsan, Access_token must be used for the client for which it is issued. As Zico already explained, session_state is created in the browser once you are authenticated and authorized. The overall workflow for your case would look as:
- client1 sends authorization request and user is successfully logged in (session_state is created)
- client1 gets token and user info via oxd commands
- client2 sends authorization request but since session_state is already there user does not have to login again (SSO) and gets own code
- client2 gets token and user info via oxd commands
In this way each client gets its own access_token but the user has to login only once. access_token must not be re-used across clients. Thanks, Yuriy

By Ahsan Umair user 18 May 2017 at 9:06 a.m. CDT

Hi, regarding point number 3 where client 2 sends the authorization request, does that mean we call the get_authorization_url endpoint through oxd and redirect the user to that URL, after which Gluu decides whether to show the login screen or pass the tokens back to the client app? Please confirm. Regards, Ahsan

By Yuriy Zabrovarnyy staff 18 May 2017 at 9:25 a.m. CDT

Ahsan, yes, exactly. Thanks, Yuriy

By Ahsan Umair user 06 Jun 2017 at 6:12 a.m. CDT

Hi Yuriy, in the case of the multiple-application session scenario discussed above, do we need to pass the prompt=login parameter in the get_authorization_url request, or do we need to omit it? Regards, Ahsan

By Yuriy Zabrovarnyy staff 06 Jun 2017 at 8:14 a.m. CDT

It depends on your requirements. If all your apps have an agreement and the given session is OK for them then you don't need prompt=login. In case the current session is not OK (for some reason) then you can send prompt=login to force re-authentication. Thanks, Yuriy
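
The four-step workflow Yuriy describes above (one browser session, a separate code and access_token per client) and the prompt=login behaviour from this last answer, walked through as an added Python example. This is a toy model written for this thread, not Gluu Server or oxd code: MockOpenIDProvider stands in for the OP, RelyingParty for what each app does through oxd, and the client ids, user record and endpoint method names are assumptions made for the example. It also shows the two things the staff say must not work, reusing client1's token from client2 and replaying a consumed code, being rejected.

```python
import secrets


class MockOpenIDProvider:
    """Toy OP (constructed for this example, not Gluu code): one browser session
    (session_state), one single-use code and one access_token per client."""

    def __init__(self, client_ids, users):
        self.clients = set(client_ids)
        self.users = users        # username -> {"password", "name", "email"}
        self.sessions = {}        # session_state -> username
        self.codes = {}           # code -> {"client_id", "sub"}; consumed on first use
        self.tokens = {}          # access_token -> {"client_id", "sub"}

    def authorize(self, client_id, state, session_cookie=None, prompt=None, credentials=None):
        """Authorization endpoint: a valid session cookie skips the login page unless
        prompt=login is sent; a fresh code is always issued to the requesting client."""
        if client_id not in self.clients:
            return {"error": "unauthorized_client"}
        session_state = session_cookie if session_cookie in self.sessions else None
        if session_state is None or prompt == "login":
            if credentials is None:
                return {"error": "login_required"}   # the OP would render its login page here
            username, password = credentials
            user = self.users.get(username)
            if user is None or user["password"] != password:
                return {"error": "access_denied"}
            session_state = secrets.token_urlsafe(16)
            self.sessions[session_state] = username
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "sub": self.sessions[session_state]}
        return {"code": code, "state": state, "session_state": session_state}

    def token(self, client_id, code):
        """Token endpoint: the code is removed on first use and bound to its client."""
        entry = self.codes.pop(code, None)
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = {"client_id": client_id, "sub": entry["sub"]}
        return {"access_token": access_token, "token_type": "bearer"}

    def userinfo(self, client_id, access_token):
        """UserInfo, modelling the thread's rule: a token is valid only for its own client."""
        entry = self.tokens.get(access_token)
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_token"}
        user = self.users[entry["sub"]]
        return {"sub": entry["sub"], "name": user["name"], "email": user["email"]}


class RelyingParty:
    """One client application; stands in for what each app does through oxd."""

    def __init__(self, client_id, op):
        self.client_id, self.op = client_id, op
        self.pending_states = set()
        self.access_token = None

    def authorization_request(self, prompt=None):
        state = secrets.token_urlsafe(8)          # anti-CSRF value, checked on callback
        self.pending_states.add(state)
        return {"client_id": self.client_id, "state": state, "prompt": prompt}

    def handle_callback(self, code, state):
        if state not in self.pending_states:
            return {"error": "unknown_state"}
        self.pending_states.discard(state)
        resp = self.op.token(self.client_id, code)
        if "error" in resp:
            return resp
        self.access_token = resp["access_token"]
        return self.op.userinfo(self.client_id, self.access_token)


def run_sso_scenario():
    """Walk the thread's four steps for client1 and client2 in one browser."""
    op = MockOpenIDProvider(["client1", "client2"], {   # constructed sample user
        "ahsan": {"password": "s3cret", "name": "Ahsan Umair", "email": "ahsan@example.com"}})
    browser = {}                                        # cookie jar holding session_state
    client1, client2 = RelyingParty("client1", op), RelyingParty("client2", op)

    # Step 1: client1 redirects to the OP; no session yet, so the login page is shown.
    req = client1.authorization_request()
    first = op.authorize(req["client_id"], req["state"], browser.get("session_state"))
    login_shown = first.get("error") == "login_required"
    first = op.authorize(req["client_id"], req["state"], credentials=("ahsan", "s3cret"))
    browser["session_state"] = first["session_state"]
    # Step 2: client1 exchanges its code and reads the user info.
    info1 = client1.handle_callback(first["code"], first["state"])

    # Step 3: client2 sends its own request; the cookie is present, so no login prompt.
    req = client2.authorization_request()
    second = op.authorize(req["client_id"], req["state"], browser.get("session_state"))
    login_skipped = "code" in second
    # Step 4: client2 exchanges its own code for its own token.
    info2 = client2.handle_callback(second["code"], second["state"])

    # What must not work: client1's token used by client2, and replaying a used code.
    cross_use = op.userinfo("client2", client1.access_token)
    code_replay = op.token("client1", first["code"])
    # prompt=login ignores the session shortcut and forces re-authentication.
    req = client2.authorization_request(prompt="login")
    forced = op.authorize(req["client_id"], req["state"], browser.get("session_state"), prompt=req["prompt"])

    return {"login_shown": login_shown, "login_skipped": login_skipped,
            "same_session": second["session_state"] == browser["session_state"],
            "info1": info1, "info2": info2,
            "distinct_tokens": client1.access_token != client2.access_token,
            "cross_use": cross_use, "code_replay": code_replay, "forced": forced}


if __name__ == "__main__":
    for key, value in run_sso_scenario().items():
        print(f"{key}: {value}")
```

Running the script prints one line per check; the user logs in once, both clients end up with their own token and the same user info, and the cross-client token use, the code replay and the prompt=login request all come back as errors. Binding tokens to the client in userinfo is how the example expresses the staff's rule; in a real deployment that check is the job of the OP and of oxd's per-client registration, and the application should simply never hand its token to another application.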

By Ahsan Umair user 06 Jun 2017 at 8:22 a.m. CDT

Hi Yuriy, thanks for your help, yes that makes sense. We will remove prompt=login from the code, as all applications in our case share the same session. Regards, Ahsan