Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Can Vanilla (Open or Managed) act as a SSO authority for my disparate Web sites?

edited April 2015 in Vanilla 2.0 - 2.8

Hi, I am considering Vanilla for use in our environment. I have read through all the forum posts I can find that are related, and all seem to point to jsconnect as the answer to the above question, however this does not seem to meet our needs.

I fully comprehend how to use one of my existing sites as an authority for Vanilla to work with. However, I'm considering using Vanilla as a replacement for several sites, such that Vanilla is the authority for authentication.

Consider:

site1.domain.com <- existing site
site2.domain.com <- existing site
discussions.domain.com <- Vanilla

I would like to take site1 and site2, remove their current, heterogenous authentication systems, and instead have users at site1 and site2 register/sign-in with Vanilla. (It should be assumed that Vanilla will be allowing social logins etc.) On subsequent visits to either site1 or site2, have users authenticate with Vanilla. Please note I am looking for authentication only, authorization will be handled by site1 and site2 respectively.

Thanks in advance!

Best Answer

  • hgtonighthgtonight ∞ · New Moderator
    Answer ✓

    @mynameismonkey said:
    That works for logged-in users. For non-logged-in, I would what, call the log-in module and AJAX it in to site1? At which point I'm crossing domains, so that might be its own issue.

    I would:

    1. Link to your standard vanilla entry page with a redirect parameter (/entry/signin?Target={CURRENT_URL})
    2. Add your other domains as trusted domains in /conf/config.php ($Configuration['Garden']['TrustedDomains'] = array('domain1', 'domain2');)

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

    mynameismonkeyShadowdare

Answers

  • hgtonighthgtonight ∞ · New Moderator

    I don't believe their are out of the box solutions here. It can be done, and even would not be that difficult.

    Generally SSO works by checking for an existing session cookie and processing it, or directing to "authority" to create a new session cookie and then return to where you were.

    Is this what you are looking for?

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

    mynameismonkeyShadowdare
  • edited April 2015

    I guess I'm looking for any pointers to any existing API/authentication reference docs I can use to start building out the remote sites' requests to Vanilla. All searches for SSO or similar return me to jsConnect for the managed product.

    Site1 and Site2 are CakePHP apps, in case that's helpful.

  • hgtonighthgtonight ∞ · New Moderator

    If you request /profile.json client side, you will get the currently authenticated Vanilla user's info. If the Vanilla cookie is invalid, you will receive a User not found error. You can store the pertinent authentication details on your other site and authorize as needed.

    Does this make sense?

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

    mynameismonkey
  • That works for logged-in users. For non-logged-in, I would what, call the log-in module and AJAX it in to site1? At which point I'm crossing domains, so that might be its own issue.

    I might be hitting a square peg into a round hole here, maybe I should just source a third-party SSO and have everything including Vanilla use that...

  • if you have another other authority, you could always use jsConnect to verify.

    grep is your friend.

  • hgtonighthgtonight ∞ · New Moderator
    Answer ✓

    @mynameismonkey said:
    That works for logged-in users. For non-logged-in, I would what, call the log-in module and AJAX it in to site1? At which point I'm crossing domains, so that might be its own issue.

    I would:

    1. Link to your standard vanilla entry page with a redirect parameter (/entry/signin?Target={CURRENT_URL})
    2. Add your other domains as trusted domains in /conf/config.php ($Configuration['Garden']['TrustedDomains'] = array('domain1', 'domain2');)

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

    mynameismonkeyShadowdare
  • Great stuff, great pointers, thank you!

Sign In or Register to comment.