This object is in archive! 

Does UR support single sign-on (SSO)?

Archived Jonathan A. 12 years ago

We're considering UR for our corporate intranet, but we wouldn't want associates creating separate accounts just to use UR. Do you offer any sort of single sign-on support? Thanks.

Best Answer
photo

We have SSO in our roadmap. We just didn't decide what to choose as a basis for development, but we are looking towards SAML or LDAP. So as soon as we get more feedback from community we'll provide more solid plans here, but it will be done by 1.1 major release.

Update: Single Sign On is live in 1.1 release. More information in documentation:

Replies (20)

photo
1

If it helps, we use a Vordel gateway, which supports SAML, Remote_User, Kerberos, and OAuth, though the first three are preferable.

photo
1

We have SSO in our roadmap. We just didn't decide what to choose as a basis for development, but we are looking towards SAML or LDAP. So as soon as we get more feedback from community we'll provide more solid plans here, but it will be done by 1.1 major release.

Update: Single Sign On is live in 1.1 release. More information in documentation:

photo
1

For now, we only offer 3rd-party logins as alternative to traditional login/password approach, implemented in Login Plus module (Google Account, Facebook, Twitter; via oAuth). However, as Stas mentioned, we have SSO in our roadmap.

photo
1

Currently we didn't decide what method of SSO to use, so based on the feedback we'll make final decision.

As for OAuth. Our Login Plus uses this method to athorize in Facebok, Twitter and Google, so it can be easily extended to use custom server to accept authentication.

photo
1

when will you be releasing 1.1?

photo
1

Kavisha,

There is no exact date, but we plan to release it by the end of February with Online Chat, Single Sign On and API, but the price will rise for Corporate package. All users will receive updates for free.

As of now we are preparing 1.0.1 that will be available to community within next 2 days with extras to contributors.

photo
1

Calvin wrote:

[p]I see status has changed to In Progress - which SSO method are you guys implementing?[/p]

Yes, we are wroking on it currently and there will be 1 or 2 ways:

- Cookie/JS method;

- LDAP (preferably) - decided to move on with that method as it's most popular;

photo
1

Janx Kep wrote:

(We would want to integrated SSO with our current home grown app. So Cookie's should work great.)

Any estimate on when this will be ready?

We've already completed it, and it will be released in 1.1 in about 5-10 days. Will update here when it's live

photo
2

Is it possible with your SSO solution to have the user's icon on my site also be their icon in UseResponse? This is important to my organization as we want to keep the user identity consistent across all parts of our site. Thanks very much for your help!

photo
1

Yes, it's possible and will require code modifications in the following way:

  1. useresponse-sso.class.php - you'll have to change the template for script src ($_jsTemplate) to have a placeholder for image url for user icon
  2. Your code where you populate $options for UseresponseSso::setup($options) with user information, with new array key equal to placeholder in $_jsTemplate and image url as it's value
  3. UseResponse's loginplus module, Events.php - code needs to be added there to get the URL of user's icon and to set it for newly created UseResponse user.

photo
1

Awesome! Thank you for the super quick response, Paul!

photo
1

I'm trying to implement the custom profile pic feature that Corinne asked about above. I have followed your instructions Paul. I changed the _jsTemplate to this:


<script type="text/javascript" src="#domain#/sso/#source#/#secret#/#fullname#/#email#/#user_id#/#profile_pic_url#/#redirect#">'


I then updated the code in my site that calls UseresponseSso::setup($options) to pass in the custom pic url. I can tell that this is working because I can see the encoded value in the new script src. However, it seems that the modified format of the script src is breaking UserResponse's ability to parse the values out of the request and create the sso_user cookie, which Event::_integrationReadCookie depends on to register the acct. It works fine without the profile_pic_url modification, but with the addition, the sso_user cookie doesn't get created at all.

photo
1

Paul, you have to adjust _integrationReadCookie as well. Do you have any problems with that?

photo
1

Paul Yakubets wrote:

Paul, you have to adjust _integrationReadCookie as well. Do you have any problems with that?
Yes, I understand. Theoretically I should be able to add a line like this in _integrationReadCookie:


$user['photo'] = $ssoData['profile_pic_url'];


But 'photo' isn't a key in $ssoData. I can see $ssoData is derived from the sso_user cookie. I can't find where sso_user cookie is being set. It seems it must be created by zendguarded code, which understandably isn't aware of the new format I've defined in _jsTemplate.

photo
1

Paul. It's set in javascriptAction() of IntegrationController, loginplus module.

photo
1

I see. Modifying _jsTemplate requires a corresponding update to APP/modules/loginplus/routes.ini . Once I updated the endpoint config to support the new parameter and deleted zend_cache, the sso_user cookie was created correctly. Worth mentioning the 'photo' column in the db is only 37b wide, so we had to be creative about fitting the photo url in there.


Finally we had to update APP/modules/system/helpers/Photo.php to override the default avatar URL retrieval, which uses System_Model_User::getAvatarSrc. That function assumes a local basedir and doesn't appear to be modifiable.

photo
1

We got v1.1 and I see SSO working. But all the screens still have the UseResponse branding. How can we get rid of it? We paid extra money to get rid of it. This will confuse our customers. Please, clarify how to resolve it.

photo
1

Irena Balin wrote:

We got v1.1 and I see SSO working. But all the screens still have the UseResponse branding. How can we get rid of it? We paid extra money to get rid of it. This will confuse our customers. Please, clarify how to resolve it.
Could you please point out with image where do you see branding to be shown with the image attached, as I don't see out logos in your community anywhere?

photo
1

Stas Kuzma wrote:

Irena Balin wrote:

We got v1.1 and I see SSO working. But all the screens still have the UseResponse branding. How can we get rid of it? We paid extra money to get rid of it. This will confuse our customers. Please, clarify how to resolve it.
Could you please point out with image where do you see branding to be shown with the image attached, as I don't see out logos in your community anywhere?
please, see file attached with the screenshot. I'm getting this after clicking the "FB login" option in my registration form. As you can see, the UR branding is on top of it.

photo
1

Irena,

You need to setup your own applications in FB, Twitter and Google as by default system uses our applications. See instructions in Admin Manual -> Login Plus Configuration

Replies have been locked on this page!