Note: This tutorial goes through an SSO setup process. It is intended for developers and administrators configuring external websites who want users who are signed in at one site to arrive at another site already signed in, without having to click a "sign in" link at all. All such sites must already support the normal OpenID Connect login process.
...
The endpoint should be in the same domain as the site and other authorisation callbacks.
The endpoint should:
TODO Should the site always invalidate any previous user sessions, if such exist? TODO
Read the added query parameters from the call:
- sso-token: the single-use SSO token.
- sso-validity: token validity time in minutes from the time of the request, after which the token is invalidated if still unused.
Store the received information and set cookies on the site's own domain. The cookies should contain enough information for the site to use the token and its validity later.
Optionally return a small logo image file in the response, since this request came from an `<img src="callback-url" />` element.
...
Click “Add”. Select “OpenID Connect” as the mechanism.
Select the OpenID Connect client of the site.
Configure other details if needed.
Save the new Target.
Step 4: Use SSO token when un-signed-in user arrives
When a new user arrives at the site and the site detects, via the browser cookies it previously set, that an SSO token is available for use, it should redirect the user to the authorisation URL with these extra parameters:
- sso_token={user's SSO token}: the user's SSO token.
- prompt=none: no interactive UI is shown to the user; sign-in fails if the token is invalid and the user is redirected to the site's failure URI.
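As an added example (not code from the original tutorial), here is framework-neutral Python for the two pieces of site-side logic described above: the callback endpoint that reads sso-token and sso-validity and produces the cookies, and the later check that builds the authorisation redirect carrying sso_token and prompt=none. The cookie names, the Unix-timestamp expiry cookie, and the authorisation URL in the test are assumptions; returning the logo image body is left to the web framework.

```python
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

COOKIE_TOKEN = "sso_token"      # assumed cookie name, not from the tutorial
COOKIE_EXPIRES = "sso_expires"  # assumed cookie name, holds a Unix timestamp


def handle_sso_callback(query_string, now):
    """Callback endpoint: parse sso-token / sso-validity and build the cookies
    to set on the site's own domain. None if the parameters are unusable."""
    params = parse_qs(query_string)
    token = params.get("sso-token", [""])[0]
    try:
        minutes = int(params.get("sso-validity", [""])[0])
    except ValueError:
        return None
    if not token or minutes <= 0:
        return None
    expires = now + timedelta(minutes=minutes)
    cookies = SimpleCookie()
    cookies[COOKIE_TOKEN] = token
    cookies[COOKIE_EXPIRES] = str(int(expires.timestamp()))
    for morsel in cookies.values():
        # Cookie lifetime matches the token's validity window; it is single-use.
        morsel["max-age"] = minutes * 60
        morsel["path"] = "/"
        morsel["httponly"] = True   # not readable by page scripts
        morsel["secure"] = True     # only sent over HTTPS
        morsel["samesite"] = "Lax"
    return cookies


def build_sso_redirect(cookie_header, authorize_url, now):
    """Un-signed-in user arrives (now is tz-aware): return the authorisation URL
    with sso_token and prompt=none if a still-valid token cookie exists, else None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_TOKEN not in jar or COOKIE_EXPIRES not in jar:
        return None
    try:
        expires = datetime.fromtimestamp(int(jar[COOKIE_EXPIRES].value), tz=timezone.utc)
    except ValueError:
        return None
    if now >= expires:
        return None  # expired: prompt=none would only bounce to the failure URI
    parts = urlsplit(authorize_url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    query["sso_token"] = jar[COOKIE_TOKEN].value
    query["prompt"] = "none"
    return urlunsplit(parts._replace(query=urlencode(query)))
```

When build_sso_redirect returns None the site should fall back to its normal sign-in link rather than attempting a prompt=none request that is known to fail.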