Implementation On Websites \ Single Sign-On

Learn how to deploy Single Sign-On to automatically sign in your users as they browse between multiple independent websites in your ecosystem, so that they no longer need to re-enter their credentials when they switch from one of your websites to another.

Start by adding the SSO JavaScript

The SSO JavaScript maintains the SSO sessions for authenticated users and redirects these users to the callback_uri when they switch from one of your websites to another.

Now edit the websites on which you want to enable Single Sign-On and place the following asynchronous JavaScript snippet anywhere in the HTML document.

	<script type="text/javascript">
		/* Replace #sso_session_token# by the generated SSO token (See below) */
		var sso_session_token = '#sso_session_token#';
		/* Replace #callback_uri# by the URL to your callback script (See below) */
		var callback_uri = '#callback_uri#';
		/* Initiates the OneAll asynchronous queue */
		var _oneall = window._oneall || [];

		/* ===== This part is for users that are logged in */
		if (typeof sso_session_token === 'string' && sso_session_token.length > 0)
		{
			/* Attaches the SSO session token to the user */
			_oneall.push(['single_sign_on', 'do_register_sso_session', sso_session_token]);
		}
		/* ===== This part is for users that are NOT logged in */
		else
		{
			/* Sets the SSO callback uri */
			_oneall.push(['single_sign_on', 'set_callback_uri', callback_uri]);
			/* Redirects the user to the callback_uri if he is logged in on another of your websites */
			_oneall.push(['single_sign_on', 'do_check_for_sso_session']);
		}

		/* Loads the OneAll library asynchronously; replace #site_subdomain# by your OneAll site subdomain */
		(function () {
			var oa = document.createElement('script');
			oa.type = 'text/javascript';
			oa.async = true;
			oa.src = 'https://#site_subdomain#.api.oneall.com/socialize/library.js';
			var s = document.getElementsByTagName('script')[0];
			s.parentNode.insertBefore(oa, s);
		})();
	</script>

Setup the user authentication

Single Sign-On can be implemented for users who log in with Social Login as well as for legacy users who sign in with a username/password combination. In both cases you should store the identity_token and the sso_session_token in the user's session data, as you will need both values later on (the sso_session_token to render the JavaScript snippet, the identity_token to destroy the SSO session at logout).

Login with a Social Network

When a user authenticates with a social network, our Social Login service sends back a unique connection_token to your_callback_uri.

  1. Use this connection_token to retrieve the user's details,
  2. Use the identity_token included in the user's details to start a new SSO session,
  3. Dynamically insert the generated sso_session_token in the JavaScript added in the previous step.

Login with a Username/Password

SSO sessions can also be set up for legacy users from your database. When a user logs in with a username/password:

  1. Push the user's profile data from your database to the cloud storage,
  2. Use the obtained identity_token to start a new SSO session,
  3. Dynamically insert the generated sso_session_token in the JavaScript added in the previous step.
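Both login flows end with the same two steps: keep the tokens in the server-side session and inject the sso_session_token into the JavaScript snippet. The following PHP is an added example (not OneAll's own code) of doing that without introducing a script-injection hole: the token is written into the page with json_encode and the JSON_HEX_* flags, so a value containing quotes, ampersands or `</script>` can never break out of the string literal. The callback URI and the session keys `identity_token` / `sso_session_token` are assumptions; the OneAll queue commands are the ones from the snippet above.

```php
<?php
// Added example, not OneAll's code: store the SSO tokens in the PHP session and
// render the SSO snippet with the token safely escaped for a <script> context.

function store_sso_tokens(string $identity_token, string $sso_session_token): void
{
    // Keep both tokens server-side only; identity_token is needed again at logout.
    $_SESSION['identity_token'] = $identity_token;
    $_SESSION['sso_session_token'] = $sso_session_token;
}

function js_string(string $value): string
{
    // json_encode yields a quoted JS string literal; the HEX flags turn <, >, &, ' and "
    // into \uXXXX escapes so the result is inert inside an HTML <script> element.
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function render_sso_snippet(string $callback_uri): string
{
    // An empty token means "not logged in here", which selects the check-for-session branch.
    $token = $_SESSION['sso_session_token'] ?? '';

    return "<script type=\"text/javascript\">\n"
        . 'var sso_session_token = ' . js_string($token) . ";\n"
        . 'var callback_uri = ' . js_string($callback_uri) . ";\n"
        . "var _oneall = window._oneall || [];\n"
        . "if (sso_session_token.length > 0) {\n"
        . "\t_oneall.push(['single_sign_on', 'do_register_sso_session', sso_session_token]);\n"
        . "} else {\n"
        . "\t_oneall.push(['single_sign_on', 'set_callback_uri', callback_uri]);\n"
        . "\t_oneall.push(['single_sign_on', 'do_check_for_sso_session']);\n"
        . "}\n"
        . "</script>\n";
}

// Usage, right after the SSO session has been started for the logged-in user
// ($identity_token and $sso_session_token come from steps 1 and 2 above):
//   session_start();
//   store_sso_tokens($identity_token, $sso_session_token);
//   echo render_sso_snippet('https://www.example.com/sso-callback.php');  // hypothetical URL
```

Never interpolate the token with plain string concatenation or htmlspecialchars alone: htmlspecialchars is an HTML escaper, and inside a script element the relevant context is JavaScript, which json_encode handles.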

Setup the user logout

Whenever a user logs out, you should destroy the SSO session using the identity_token obtained when the user logged in. Otherwise the SSO session outlives the local one and the user is silently logged back in on the next website they visit.

Implement the automatic login

When a user switches from one of your websites to another, the SSO Service automatically redirects the user to your_callback_uri if they are not yet logged in on that website but have an active SSO session. SSO sends the POST value connection_token to the callback script, and this token can then be used to retrieve the user's profile data.

After having retrieved the user's profile data, the callback script can either log in the user with an existing account or use the data to create a new account. If you have already implemented Social Login then you can reuse the existing callback script; otherwise start from scratch using our example below.


	<?php
	// Your OneAll Site Settings
	$site_subdomain = 'REPLACE WITH YOUR SITE SUBDOMAIN';
	$site_public_key = 'REPLACE WITH YOUR SITE PUBLIC KEY';
	$site_private_key = 'REPLACE WITH YOUR SITE PRIVATE KEY';

	// Check if we have received a connection_token
	if ( ! empty ($_POST['connection_token']))
	{
		// Get connection_token
		$token = $_POST['connection_token'];

		// Retrieve the user's profile data from the OneAll connections API
		$resource_uri = 'https://' . $site_subdomain . '.api.oneall.com/connections/' . $token . '.json';

		// Setup connection
		$curl = curl_init();
		curl_setopt($curl, CURLOPT_URL, $resource_uri);
		curl_setopt($curl, CURLOPT_HEADER, 0);
		curl_setopt($curl, CURLOPT_USERPWD, $site_public_key . ":" . $site_private_key);
		curl_setopt($curl, CURLOPT_TIMEOUT, 15);
		curl_setopt($curl, CURLOPT_VERBOSE, 0);
		curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
		curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1);
		curl_setopt($curl, CURLOPT_FAILONERROR, 0);

		// Send request
		$result_json = curl_exec($curl);

		// Error
		if ($result_json === false)
		{
			// Debug output only: do not expose transport details to end users in production
			echo 'Curl error: ' . curl_error($curl) . '<br />';
			echo 'Curl info: <pre>' . print_r(curl_getinfo($curl), true) . '</pre>';
			curl_close($curl);
		}
		// Success
		else
		{
			// Close connection
			curl_close($curl);

			// Decode
			$json = json_decode($result_json);

			// Extract data
			$data = $json->response->result->data;

			// Check for service
			switch ($data->plugin->key)
			{
				// Single Sign On
				case 'single_sign_on':
					// Operation successful
					if ($data->plugin->data->status == 'success')
					{
						// The user_token uniquely identifies the user
						$user_token = $data->user->user_token;
						// The identity contains the user's profile data
						$identity = $data->user->identity;
						// At this point you must use the identity data to either login the user
						// with an existing account or to create a new account.
						// ....
					}
					break;
			}
		}
	}
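The callback above stops at "either login the user with an existing account or create a new account". The PHP below is an added example (not OneAll's code) of that last step, plus the input check a reviewer would ask for first: connection_token is attacker-controlled POST data that the script concatenates straight into the resource URI, so it is validated against the expected UUID shape before use. The `users` table (columns id, user_token, email, display_name), the PDO handle `$pdo`, and the identity field paths `emails[].value` / `displayName` are assumptions for the example.

```php
<?php
// Added example, not OneAll's code: map the retrieved profile to a local account
// and open the local session. Schema, $pdo and identity field paths are assumed.

function is_valid_connection_token(string $token): bool
{
    // Accept only a UUID-shaped token (assumed format) so that a crafted value
    // cannot alter the path of the request built from it.
    return (bool) preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $token);
}

function primary_email(object $identity): ?string
{
    // The identity may carry several addresses; use the first non-empty one.
    foreach ($identity->emails ?? [] as $email) {
        if (!empty($email->value)) {
            return $email->value;
        }
    }
    return null;
}

function login_or_register(PDO $pdo, object $user, string $identity_token): int
{
    // user_token is the stable identifier returned by the service; look the account up by it,
    // never by email alone, since email ownership is not what was verified here.
    $stmt = $pdo->prepare('SELECT id FROM users WHERE user_token = ?');
    $stmt->execute([$user->user_token]);
    $id = $stmt->fetchColumn();

    if ($id === false) {
        // No local account yet: create one from the profile data.
        $stmt = $pdo->prepare('INSERT INTO users (user_token, email, display_name) VALUES (?, ?, ?)');
        $stmt->execute([
            $user->user_token,
            primary_email($user->identity),
            $user->identity->displayName ?? null,
        ]);
        $id = (int) $pdo->lastInsertId();
    }

    // Prevent session fixation: never keep the pre-login session id after authentication.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $id;
    // Needed later to destroy the SSO session at logout.
    $_SESSION['identity_token'] = $identity_token;

    return (int) $id;
}

// Usage in the callback: guard the request before building $resource_uri ...
//   if (!empty($_POST['connection_token']) && is_valid_connection_token($_POST['connection_token'])) { ... }
// ... and replace the "// ...." part of the success branch with
//   session_start();
//   login_or_register($pdo, $data->user, $identity->identity_token);   // field path assumed
```

Only the status == 'success' branch should ever log anyone in; any other status, a JSON decode failure, or a missing user_token must fall through to "not authenticated" rather than to account creation with partial data.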

Test Single Sign-On

To be able to make your first test, you need to set up Single Sign-On on at least two different websites.

Once this has been done, start by logging out from both websites. Now log in on the first website. If you have correctly set up the user authentication, your system should generate a new sso_session_token and register the SSO session for you.

You should now be able to switch to the second website, where you should automatically be redirected to your_callback_uri and logged in.
