IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

Using IdentityServer in a SSO portal #1485

Closed sthewissen closed 9 years ago

sthewissen commented 9 years ago

I'm trying to create the following situation:

User visits a centralized portal and logs in (using either a dedicated account or social media account). The social media account option always maps the user to a dedicated account, so in the end the dedicated account is leading. When the user is logged into the portal he sees an overview of the applications that have been made available for him. When he clicks on one of the links, the user is forwarded to the application and automatically logged in using the same credentials as the SSO portal.

The first part seems to be quite doable using IdentityServer by implementing an IUserService, defining clients and setting up the additional identity providers. However, the latter part of the solution is still a bit vague for me. We want to redirect the user to one of the applications that are connected to the portal which can be both .NET (incl. SharePoint) and non-.NET applications. The part that I do not understand is how these applications will have to log in the user. Do we send them a token of some sort when we forward the user to these applications which they will have to use to talk to some of the STS's web services? Or is there a better/different way to do this? I'm even wondering if the entire setup of how this should work is the way to go so I'd love to get some pointers on this.

leastprivilege commented 9 years ago

All applications must either support OpenID Connect or WS-Federation. Each application technically does its own authentication but inside the existing SSO session.

sthewissen commented 9 years ago

Ok, but is the flow I described realistic? Logging in to a portal first and then seamlessly opening other applications? And if so, how would you set that up?

brockallen commented 9 years ago

Yes it's realistic as long as the portal knows the URLs of the apps so it can send the user to each one. But that's sort of the job of a portal, right?
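Added example, not part of the thread or of IdentityServer's code: a sketch of what a non-.NET application does when the user arrives from a plain portal link, following the replies above (the link carries no token; the app starts its own OpenID Connect request and the existing SSO session answers it). The host names, client id, `session` dict and function names are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values for illustration; none of them appear in the thread.
AUTHORIZE_ENDPOINT = "https://sso.example.test/connect/authorize"
CLIENT_ID = "hr-app"
REDIRECT_URI = "https://hr.example.test/callback"


def begin_login(session, return_path):
    """Unauthenticated user arrived via a portal link: start the app's own OIDC request."""
    # Only local paths are accepted as return targets, so the login cannot be used as an open redirect.
    if not return_path.startswith("/") or return_path.startswith(("//", "/\\")):
        return_path = "/"
    state = secrets.token_urlsafe(32)  # binds the response to this browser session
    nonce = secrets.token_urlsafe(32)  # must later match the id_token's nonce claim
    session["oidc"] = {"state": state, "nonce": nonce, "return_path": return_path}
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def handle_callback(session, callback_url):
    """Validate the provider's redirect before the code is redeemed."""
    pending = session.pop("oidc", None)  # single use: a replayed callback finds nothing
    if pending is None:
        raise ValueError("no login in progress")
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:
        raise ValueError("provider error: " + params["error"][0])
    returned_state = params.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("missing code")
    # Not shown: redeem the code at the token endpoint and validate the id_token, including its nonce.
    return {"code": code, "expected_nonce": pending["nonce"], "return_path": pending["return_path"]}
```
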

sthewissen commented 9 years ago

I have this scenario partially implemented, but am still missing some control over what's happening in the background. I know I can alter the Views using ViewServices, but is there also some way to hook functionality up to a custom view? E.g. we want to perform some custom actions after a login, such as linking an external account (Facebook) to a dedicated account and logging that in instead. If we could simply call some IdentityServer methods from code in our own views, customization would seem easier.

brockallen commented 9 years ago

Check the user service docs for partial logins if you need to control the user's workflow as they log in to IdSvr. As far as I can tell this is unrelated to your portal question.