RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

SSO with forums #322

Closed mikeamcbrien closed 6 years ago

mikeamcbrien commented 9 years ago

So many communities would love a system that would allow SSO from their software, like forums, Invision Power, vBulletin and even WordPress.

Allowing a mechanism for Single Sign On from any of these systems could be a huge benefit to any of the communities involved and their real time communication needs.

An API that would also allow simple information, like # of users chatting, online, active, etc. for pulling to the website would also work great in tandem with this feature.


stefanffsx commented 9 years ago

+1 to register/sign-in with like a vBulletin forum, would be awesome.

rodrigok commented 9 years ago

Any ideas how to implement this?

AdrianoCahete commented 9 years ago

XenForo have a Steam SSO here: http://www.github.com/HowIChrgeLazer/Steam-Authentication-for-XenForo

andricicezar commented 9 years ago

+1 I would love this feature. I would like to use it with a CAS server, like this one: http://rubycas.github.io/

andricicezar commented 9 years ago

Check this, maybe it can help you: https://atmospherejs.com/admithub/shared-auth

engelgabriel commented 9 years ago

Guys, just so I can understand and see if we can make this into our v1.0 release.

Is the SSO part important? Or just the OAuth or SAML part?

I mean, is that important that the user is automatically logged in, or it is enough for now that he can just use the same username and password without the need to re-register?

We could use something like https://atmospherejs.com/natestrauser/accounts-saml

Or

We could create a generic oAuth package that can be configured to connect to Wordpress and alikes if they have something like https://wordpress.org/plugins/oauth2-provider/ installed.

andricicezar commented 9 years ago

I think it is more important that the user be automatically logged in, because it will be a seamless flow when you integrate more projects together.

On Tue, Aug 4, 2015, 2:50 AM Gabriel Engel notifications@github.com wrote:

> Guys, just so I can understand and see if we can make this into our v1.0 release.
>
> Is the SSO part important? Or just the OAuth or SAML part?
>
> I mean, is that important that the user is automatically logged in, or it is enough for now that he can just use the same username and password without the need to re-register?
>
> We could use something like https://atmospherejs.com/natestrauser/accounts-saml
>
> Or
>
> We could create a generic oAuth package that can be configured to connect to Wordpress and alikes if they have something like https://wordpress.org/plugins/oauth2-provider/ installed.


geekgonecrazy commented 9 years ago

May I suggest an adapter approach? This would allow developers to write authentication methods for their different platforms, and take a lot of the burden off of you guys.

We discussed this in chat. @graywolf336 mentioned this. But I find it a great idea, and want to make sure it's with the issue.

graywolf336 commented 9 years ago

Yes, I think the adapter approach would be one of the best ways to go about this. It wouldn't be a seamless flow as others have mentioned in here but it would make it so only one login is required across several platforms (at least in my regards). There are a vast amount of solutions out there which can be hooked into via an adapter to try and meet the needs of them all, which is where the adapters would come into play. I use Xenforo and would be nice to use that as the system which my team uses to log in with.

engelgabriel commented 9 years ago

Support for Okta SSO through SAML v2

engelgabriel commented 9 years ago

https://github.com/nate-strauser/meteor-accounts-saml

engelgabriel commented 9 years ago

https://meteorhacks.com/extending-meteor-accounts

engelgabriel commented 9 years ago

We can test here: https://www.okta.com/get-okta-free/

engelgabriel commented 9 years ago

Go to https://www.okta.com/solutions/identity-layer-for-developers.html there is a sign up for a developer account

jjshoe commented 8 years ago

Def. want this without requiring a third party sso/oauth solution. I want to tie into my existing web app.

mchilson commented 8 years ago

Same here...Would like to integrate with my existing custom community site using the user's preexisting account.

engelgabriel commented 8 years ago

@mchilson can't you use SAML or oAuth?

mchilson commented 8 years ago

Yes of course, but like most that have posted here a seamless, fully integrated solution is much better for my users/subscribers and they come first. Nothing scares an unsophisticated user off more than having to jump through hoops. Maybe have a "simple integrated mode" where the username can be passed and a session created? I know this is not how the app is structured but it would be VERY helpful to most integrators. With that said, I really like rocket.chat and hope to be able to use it sometime in the future if this type of integration is ever implemented.

IQ2022 commented 8 years ago

Does this also support forums like https://www.discourse.org/ https://nodebb.org/ http://flarum.org/

jjshoe commented 8 years ago

I too would love to see more than the adapter approach. The ability to have a user log into a website once is crucial.

engelgabriel commented 8 years ago

Related to https://github.com/RocketChat/Rocket.Chat/issues/1369

engelgabriel commented 8 years ago

Related to https://github.com/RocketChat/Rocket.Chat/issues/1924

jjshoe commented 8 years ago

FWIW - Hipchat does NOT have this feature to this day. Despite there being 2,700+ votes for it. Atlassian hasn't even acknowledged it publicly. Lots of people are forced into slack as a result.

It would be easy to slide rocket chat in as an option for all the hipchat people looking for a ship to jump on.

https://help.hipchat.com/forums/138883-suggestions/suggestions/2908263-single-sign-on-via-google-apps-crowd-active-dire

anthony-o commented 8 years ago

I would also need such a feature: ability to connect to an existing SSO (here I would like a CAS support or any protocol that CAS can handle - oAuth, SAML... :))

engelgabriel commented 8 years ago

CAS has just been added to the develop branch.

https://github.com/RocketChat/Rocket.Chat/pull/2183

konsumate commented 8 years ago

Just a quick update: CAS 1.0 is fully integrated by now. First steps towards CAS 2.0 were taken.

auryn-macmillan commented 8 years ago

What's the latest on this? I'd really love to hook up my Discourse instance as an SSO provider for my rocket.chat instance.

The functionality is already built in to Discourse: https://meta.discourse.org/t/using-discourse-as-a-sso-provider/32974
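The signed handshake that the Discourse SSO provider feature linked above relies on, seen from the consuming application's side. This is an added example, not code from the thread or from Rocket.Chat; the secret, URLs, function names and the simulated forum reply are assumptions for illustration.

```javascript
// Added example: consumer side of a Discourse-style signed SSO handshake.
// The secret, URLs and function names are assumptions for illustration.
const { createHmac, timingSafeEqual, randomBytes } = require('crypto');

const sign = (secret, payload) =>
  createHmac('sha256', secret).update(payload).digest('hex');

// Step 1: build the redirect that sends the browser to the forum.
function buildSsoRedirect(forumUrl, returnUrl, secret) {
  const nonce = randomBytes(16).toString('hex'); // keep in the user's session
  const raw = new URLSearchParams({ nonce, return_sso_url: returnUrl }).toString();
  const payload = Buffer.from(raw).toString('base64');
  const query = new URLSearchParams({ sso: payload, sig: sign(secret, payload) });
  return { nonce, url: `${forumUrl}/session/sso_provider?${query}` };
}

// Step 2: validate what the forum sends back before creating a chat session.
function verifySsoResponse(sso, sig, secret, expectedNonce) {
  const expected = Buffer.from(sign(secret, sso), 'hex');
  const given = Buffer.from(String(sig), 'hex');
  // Constant-time compare; length check first because timingSafeEqual throws.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const fields = new URLSearchParams(Buffer.from(sso, 'base64').toString('utf8'));
  // The nonce binds the response to this login attempt and blocks replay.
  if (!expectedNonce || fields.get('nonce') !== expectedNonce) {
    throw new Error('nonce mismatch');
  }
  return {
    externalId: fields.get('external_id'),
    username: fields.get('username'),
    email: fields.get('email'),
  };
}

// Constructed stand-in for the forum's reply, used only to exercise the check.
function simulateForumReply(secret, nonce, user) {
  const raw = new URLSearchParams({ nonce, ...user }).toString();
  const sso = Buffer.from(raw).toString('base64');
  return { sso, sig: sign(secret, sso) };
}
```

The identity fields are trusted only after both the HMAC and the nonce check pass; a username passed without a signature gives the chat server nothing to verify.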

balsig99 commented 8 years ago

Here is an integration of ROCKET CHAT AND IPB [Invision Power Board] FORUM board by @wohali. Please contribute to the source code :) https://github.com/wohali/ips4-oauth2-server

spinza commented 8 years ago

Would also like to see discourse integration. Using discourse as the SSO provider.

JSzaszvari commented 8 years ago

You can probably do it through the SAML provider already.

These are all plugins that the community should be coming up with, it's not an efficient use of a developer's time to integrate this stuff that maybe 5 people would use. They need to be focusing on the core product, not integration with all these small tools that a few people use.

On Wednesday, September 7, 2016, spin notifications@github.com wrote:

> Would also like to see discourse integration. Using discourse as the SSO provider.


spinza commented 8 years ago

Yeah but it's also good to gather interested people. Happy to get started on doing discourse one.

spinza commented 7 years ago

Is there any guidance on auth development for this?

wohali commented 7 years ago

@spinza In short if the forum software you have supports acting as an OAuth provider, you've already got what you need - it's just a matter of configuring the OAuth provider in your forum software and the OAuth consumer in Rocket.chat.

Otherwise you're looking at adding that functionality to the forum software, as I did with my IPS addon.

spinza commented 7 years ago

Thanks, it doesn't have oauth. It's Discourse.

So either I can add OAuth to it (or host an OAuth module separately that talks to Discourse), or I can add a specific module for its SSO here. I am a noob with js. So I'm hoping there is a "template" or good example for adding another auth option to Rocket.Chat.

Sentinelrv commented 7 years ago

The Peercoin community is switching its forum from SMF to Discourse. We also use rocket.chat. Providing a single sign in option for both the forum and chat would be a great way to strengthen our community experience. The forum and chat would then be seamlessly integrated.

Has anyone made any progress on this?

konsumate commented 7 years ago

@Sentinelrv Try using established standards like LDAP, or CAS based on LDAP/Database/x or OAuth based on a different backend to which all your applications in need of authentication (maybe authorization too) are able to connect.

spinza commented 7 years ago

I've set up an oauth2 provider that effectively uses the discourse as backend for login. So login at chat.example.com gets redirected to oauth.example.com which redirects to discourse.example.com. Of course any other oauth2 compatible sites can use it too.

This was based off some example django oauth provider and adding discourse sign on and pydiscourse.

For reference I use the following:

engelgabriel commented 7 years ago

@Sentinelrv did you achieve what you want with oAuth?

evaletolab commented 7 years ago

:+1: for SSO solution, it's a great feature that will allow a better user experience.

As an example, Disqus allows this feature and it really gives a better user experience :rocket: https://help.disqus.com/customer/portal/articles/236206-integrating-single-sign-on We use it in our platform karibou.ch. Here is a screenshot before the karibou.ch login: [image]. And here, right after the karibou.ch login: [image].

If there is a way to implement it? In our case we are the owner of the platform!

Cheers, Olivier

madguy02 commented 6 years ago

@geekgonecrazy How do I try out the adapters, for SSO purposes to any personal applications?

geekgonecrazy commented 6 years ago

@madguy02 Rocket.Chat has all found in the Administration section

graywolf336 commented 6 years ago

As we allow Rocket.Chat being both an oAuth client and server, should we consider this sufficient to close this issue? If another specific login source, as we have plenty right now, then we will accept pull requests. :)

geekgonecrazy commented 6 years ago

I think we should break this up into specific issues if there are any. SSO for forums is generic. I mean some forums support oauth, others like saml or cas. Others have their own.

graywolf336 commented 6 years ago

Agreed. If there's a particular forum system which doesn't support oAuth or SAML or CAS and needs its own, then please open an issue so that contributors can find it easily and help. :)