Implementation On Websites \ Single Sign-On
Learn how to deploy Single Sign-On in order to automatically sign in your users as they browse between multiple and independent websites in your ecosystem. Take away the need for your users to re-enter their authentication credentials when they switch from one of your websites to another.
Start by adding the SSO JavaScript
The SSO JavaScript maintains the SSO sessions for authenticated users and redirects these users to the callback_uri when they switch from one of your websites to another.
Now edit the websites on which you want to enable Single Sign-On and place the following asynchronous JavaScript snippet anywhere in the HTML document.
<script type="text/javascript">
  /* Replace #sso_session_token# by the generated SSO token (See below) */
  var sso_session_token = '#sso_session_token#';

  /* Replace #callback_uri# by the URL to your callback script (See below) */
  var callback_uri = '#callback_uri#';

  /* Initiates the OneAll asynchronous queue */
  var _oneall = window._oneall || [];

  /* ===== This part is for users that are logged in */
  if (typeof sso_session_token === 'string' && sso_session_token.length > 0)
  {
    /* Attaches the SSO session token to the user */
    _oneall.push(['single_sign_on', 'do_register_sso_session', sso_session_token]);
  }
  /* ===== This part is for users that are NOT logged in */
  else
  {
    /* Sets the SSO callback uri */
    _oneall.push(['single_sign_on', 'set_callback_uri', callback_uri]);

    /* Redirects the user to the callback_uri if he is logged in on another of your websites */
    _oneall.push(['single_sign_on', 'do_check_for_sso_session']);
  }
</script>
Set up the user authentication
Single Sign-On can be implemented for users that log in with Social Login as well as for legacy users that sign in with a username/password combination. In both cases you should store the identity_token and sso_session_token in the user's session data, as you will need these values later on.
Login with a Social Network
When a user authenticates with a social network, our Social Login service sends back a unique connection_token to your_callback_uri.
- Use this connection_token to retrieve the user's details,
- Use the identity_token included in the user's details to start a new SSO session,
- Dynamically insert the generated sso_session_token in the JavaScript added in the previous step.
Login with a Username/Password
SSO sessions can also be setup for legacy users from your database. When a user logs in with his username/password:
- Push the user's profile data from your database to the cloud storage,
- Use the obtained identity_token to start a new SSO session,
- Dynamically insert the generated sso_session_token in the JavaScript added in the previous step.
Set up the user logout
Whenever a user logs out you should destroy the SSO session using the identity_token obtained when the user logged in.
Implement the automatic login
When a user switches from one of your websites to another, the SSO Service will automatically redirect the user to your_callback_uri if he is not yet logged in and has an active SSO session. SSO will send the POST value connection_token to the callback script and this token can then be used to retrieve the user's profile data.
After having retrieved the user's profile data, the callback script can either log in the user with an existing account or use the data to create a new account. If you have already implemented Social Login then you can use the existing callback script, otherwise start from scratch using our example below.
<?php
// Your OneAll Site Settings
$site_subdomain = 'REPLACE WITH YOUR SITE SUBDOMAIN';
$site_public_key = 'REPLACE WITH YOUR SITE PUBLIC KEY';
$site_private_key = 'REPLACE WITH YOUR SITE PRIVATE KEY';

// Check if we have received a connection_token
if ( ! empty ($_POST['connection_token']))
{
    // Get connection_token
    $token = $_POST['connection_token'];

    // Retrieve the user's profile data (the token is user-supplied, so it is
    // URL-encoded before being placed in the request path)
    $resource_uri = 'https://' . $site_subdomain . '.api.oneall.com/connections/' . rawurlencode($token) . '.json';

    // Setup connection
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $resource_uri);
    curl_setopt($curl, CURLOPT_HEADER, 0);
    curl_setopt($curl, CURLOPT_USERPWD, $site_public_key . ":" . $site_private_key);
    curl_setopt($curl, CURLOPT_TIMEOUT, 15);
    curl_setopt($curl, CURLOPT_VERBOSE, 0);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1);
    curl_setopt($curl, CURLOPT_FAILONERROR, 0);

    // Send request
    $result_json = curl_exec($curl);

    // Error
    if ($result_json === false)
    {
        echo 'Curl error: ' . curl_error($curl) . '<br />';
        // curl_getinfo() returns an array, so it is rendered with print_r()
        echo 'Curl info: ' . print_r(curl_getinfo($curl), true) . '<br />';
        curl_close($curl);
    }
    // Success
    else
    {
        // Close connection
        curl_close($curl);

        // Decode
        $json = json_decode($result_json);

        // Extract data (guarded, as a malformed or error response has no data node)
        $data = isset($json->response->result->data) ? $json->response->result->data : null;

        // Check for service
        if ($data !== null && isset($data->plugin->key))
        {
            switch ($data->plugin->key)
            {
                // Single Sign On
                case 'single_sign_on':
                    // Operation successful
                    if ($data->plugin->data->status == 'success')
                    {
                        // The user_token uniquely identifies the user
                        $user_token = $data->user->user_token;

                        // The identity contains the user's profile data
                        $identity = $data->user->identity;

                        // At this point you must use the identity data to either login the user
                        // with an existing account or to create a new account.
                        // ....
                    }
                    break;
            }
        }
    }
}
?>
Test Single Sign-On
To be able to make your first test, you need to set up Single Sign-On on at least two different websites.
Once this has been done, start by logging out from both websites. Now log in on the first website. If you have correctly set up the user authentication then your system should generate a new sso_session_token and register the SSO session for you.
You should now be able to switch to the second website, where you should automatically be redirected to your_callback_uri and logged in.