flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

Add Link/Button to Initiate IDP Login via the Craft CP Login Page #4

Closed dsmrt closed 5 years ago

dsmrt commented 6 years ago

Currently, the only way to log in via the IDP is through a frontend template, i.e., /login. Ideally, users will utilize this plugin for frontend and backend authentication, so the goal here is to simply add a link or button to the CP login page so there is a way to initiate login from there. Considerations must be made for the RelayState so the user is correctly redirected to the page they were attempting to go to in the first place after authentication.
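An added example, not part of the original post and not code from saml-sp or Craft CMS, of one way to carry the originally requested CP page through RelayState without letting the returned value choose an arbitrary redirect target. The function names, the `$session` array standing in for the server-side session, and the `/admin/dashboard` default are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not part of saml-sp or Craft CMS.
const DEFAULT_RETURN = '/admin/dashboard'; // assumed post-login landing page

/** True only for same-site absolute paths such as "/admin/users/new". */
function isLocalPath(string $path): bool
{
    // Rejects "//host", "/\host", absolute URLs and control characters.
    return preg_match('#^/(?![/\\\\])[^\x00-\x1f\\\\]*\z#', $path) === 1;
}

/** Before redirecting to the IdP: remember the target, return an opaque RelayState. */
function issueRelayState(array &$session, string $requestedPath): string
{
    // 32 hex characters, well under SAML's 80-byte RelayState limit.
    $token = bin2hex(random_bytes(16));
    $session['relay'][$token] = isLocalPath($requestedPath) ? $requestedPath : DEFAULT_RETURN;
    return $token;
}

/** After the SAML response has been validated: map RelayState to a redirect path. */
function consumeRelayState(array &$session, ?string $relayState): string
{
    if (!is_string($relayState) || !isset($session['relay'][$relayState])) {
        return DEFAULT_RETURN; // missing, unknown or already used value
    }
    $path = $session['relay'][$relayState];
    unset($session['relay'][$relayState]); // single use
    return $path;
}

// Constructed demo input; $session stands in for the user's server-side session.
$session = [];
$token = issueRelayState($session, '/admin/users/new');
echo consumeRelayState($session, $token), PHP_EOL;                   // requested page
echo consumeRelayState($session, $token), PHP_EOL;                   // replay: default
echo consumeRelayState($session, 'https://other.example/'), PHP_EOL; // unknown: default
$offsite = issueRelayState($session, '//other.example/admin');
echo consumeRelayState($session, $offsite), PHP_EOL;                 // off-site: default
```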

jeffsikes commented 6 years ago

Some of the backend administration areas require you to re-enter your password in order to continue - how would that be handled via SSO? Example: Clicking the Save button on the Add New User form.


nateiler commented 6 years ago

Ah yes. This is considered an 'Elevated Session'. The SAML protocol might break this as checking the IDP would likely result in a redirect.

Thinking...

dsmrt commented 6 years ago

I believe this sort of Craft customization is in the works. Looks like the AuthManager.js manages that modal and is referenced here: https://github.com/craftcms/cms/issues/1471#issuecomment-407034303. I've commented there as well and showed my update that we are working on for the /admin/login page.

Here is my screenshot for the login page.

nateiler commented 6 years ago

Thinking it might be possible to create a new elevated session manager class and override the Craft.elevatedSessionManager found at /src/web/assets/cp/src/js/ElevatedSessionManager.js:156.

Probably also have to consider something for login timeout.

m8i commented 6 years ago

I see that you've got this mostly completed. How do I make a friendly name for this? In your screenshot, it shows "Via OKTA," but mine shows an ugly URL. :)

dsmrt commented 6 years ago

I added labels to the providers on the edit view. You can name them whatever you want. I suggest in the documentation to use environment if you are managing more than one but you can name it however you choose.

Let me know if there is anything else!

dsmrt commented 5 years ago

Closing this due to limitations with our options here.

mihow commented 4 years ago

Did this get partially implemented? I see the "login via" button on the Craft CMS login screen.


dsmrt commented 4 years ago

@mihow Yes it did. That will initiate login.