Single Sign On (SSO)
Single Sign On (SSO) lets users log in to several applications and/or websites with a single account. OAuth 2 (Open Authorization) is an authorization framework for delegated access: a user authenticates with one party (the authenticator) and the application they are signing in to receives a short-lived authorization code and tokens rather than the user's password. This is the mechanism SSO integrations are built on, and Core dna implements OAuth 2.
Signing Into Your Website
You can sign in to your website using your local user account. When configured, you can also sign in through an external authenticator using OAuth 2.
Currently we support the following external authenticators:
- Microsoft (including Azure AD)
To enable these, some configuration is needed in Accounts → OAuth → Configuration. Refer to the external authenticator's documentation for registering the application on their side and obtaining a client ID and secret. Treat the client secret like a password: enter it only in that configuration screen and keep it out of site content and source control.
User Experience
A typical user experience involving SSO with external authenticator would look like:
- A user wants to access restricted content. They are prompted by a login page.
- The user chooses to log in with their company account (hosted in Azure AD) by clicking ‘Sign in with Microsoft’.
- The user is redirected to Microsoft’s Azure login page. If they already have an active Microsoft session they are redirected straight back to the original site. Otherwise they must authenticate with their Azure AD credentials, usually a username and password and possibly an MFA prompt.
- Once authenticated, the user is redirected back to the original site, now signed in.
Workflow Integrations
With the use of Forms & Hooks modules, you can implement powerful & customised workflows for SSO.
Some basic examples include:
- Set up a Hook so that when a user signs in for the first time, a welcome email is sent to them automatically.
- Set up a Form through which users can request a change to their access, entering some information about the access they need. A Hook can then read this data and pass it to an external API; the API's response determines whether their access is changed (e.g. group assignment or user type).
Using Core dna to Sign In
Your Core dna website has a built-in ability to act as an OAuth 2 authenticator, meaning your users can sign in to other websites/applications (where supported) using their local account.
To set this up, an OAuth client needs to be created in Accounts → OAuth → Clients → Add Client:
- Name – Name of the application or website.
- Is Confidential Client? – Can the client secret be stored securely? For mobile apps or browser-only (JavaScript) websites it cannot, so set this to No. A public client authenticates without a secret, so it should be limited to grant types that do not depend on one.
- Redirect URL – At least one is required. After authorisation, users are sent back here carrying the authorization code. Register the exact URL(s) the application uses; a loosely matched redirect URL is what lets an attacker have a user's authorization code delivered to a site they control.
- Grant Types – Which OAuth 2 grant types the client is allowed to use.
- Scopes – Which scopes the client may request. Grant only the scopes the application actually needs.
When the form is saved, a client ID and secret are generated. Record the secret immediately: it will not be visible again after a short time. Configure both in the application/website that will sign users in.
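The following is an added example of the client side of the flow described above, both the redirect sequence a user goes through (login page, redirect to the authenticator, redirect back) and what the application registered as an OAuth client must do with the client ID, secret and redirect URL. It is not Core dna's own code: the authorize and token endpoint URLs are assumptions (the page does not list them), and the PKCE extension (RFC 7636) used for the public-client case assumes the authenticator accepts it, which the page does not state. The example builds and checks the messages without sending them, so it runs offline.

```python
"""OAuth 2 authorization-code client (added example, not Core dna's code).

Endpoint URLs below are assumptions; the page does not list them.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint URLs on the site acting as authenticator (not from the page).
AUTHORIZE_ENDPOINT = "https://sso.example.com/oauth/authorize"
TOKEN_ENDPOINT = "https://sso.example.com/oauth/token"


def pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


class OAuthClient:
    def __init__(self, client_id, client_secret, redirect_uri, scopes, confidential):
        self.client_id = client_id
        # A public client (confidential=False) has no secret it could keep.
        self.client_secret = client_secret if confidential else None
        self.redirect_uri = redirect_uri
        self.scopes = scopes
        self.confidential = confidential

    def authorization_request(self):
        """Step 1: the URL the browser is sent to when the user clicks 'Sign in'.

        Returns (url, session). 'session' is what the client must remember
        server-side for this login: the state and, for public clients, the
        PKCE verifier.
        """
        state = secrets.token_urlsafe(32)
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": " ".join(self.scopes),
            "state": state,  # binds this request to the callback (CSRF defence)
        }
        session = {"state": state}
        if not self.confidential:
            verifier, challenge = pkce_pair()
            params["code_challenge"] = challenge
            params["code_challenge_method"] = "S256"
            session["code_verifier"] = verifier
        return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", session

    def handle_callback(self, callback_url, session):
        """Step 2: validate the redirect back from the authenticator, return the code."""
        got = urlparse(callback_url)
        registered = urlparse(self.redirect_uri)
        # Only accept the callback on the exact redirect URL that was registered.
        if (got.scheme, got.netloc, got.path) != (registered.scheme, registered.netloc, registered.path):
            raise ValueError("callback arrived on an unregistered redirect URL")
        query = parse_qs(got.query)
        if "error" in query:
            raise ValueError(f"authorization refused: {query['error'][0]}")
        state = query.get("state", [""])[0]
        if not hmac.compare_digest(state, session["state"]):
            raise ValueError("state mismatch: callback was not started by this session")
        code = query.get("code", [None])[0]
        if not code:
            raise ValueError("callback carries no authorization code")
        return code

    def token_request(self, code, session):
        """Step 3: the back-channel POST that swaps the code for tokens.

        Returns (headers, body) for a POST to TOKEN_ENDPOINT; the caller sends it.
        """
        body = {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": self.redirect_uri,  # must repeat the step-1 value
            "client_id": self.client_id,
        }
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        if self.confidential:
            # Confidential client: authenticate with HTTP Basic (RFC 6749 s2.3.1).
            creds = f"{self.client_id}:{self.client_secret}".encode("ascii")
            headers["Authorization"] = "Basic " + base64.b64encode(creds).decode("ascii")
        else:
            # Public client: no secret, so prove possession of the PKCE verifier.
            body["code_verifier"] = session["code_verifier"]
        return headers, urlencode(body)


def demo(confidential=True):
    """Walk the whole flow with a constructed callback URL (sample data, not real)."""
    client = OAuthClient("client-123", "s3cret", "https://app.example.net/cb",
                         ["profile"], confidential)
    url, session = client.authorization_request()
    # Constructed callback: the authenticator redirects back with code and state.
    callback = f"https://app.example.net/cb?code=AUTHCODE&state={session['state']}"
    code = client.handle_callback(callback, session)
    headers, body = client.token_request(code, session)
    return url, headers, body
```

The two checks in `handle_callback` are the ones that matter in practice: the redirect must land on the registered URL, and the `state` returned must equal the one this session generated, otherwise an attacker can complete the flow with a code they obtained elsewhere. The confidential/public switch mirrors the "Is Confidential Client?" setting: a confidential client proves its identity with the secret at the token endpoint, while a public client has no secret and instead binds the code to the PKCE verifier it generated in step 1.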