Embedded SSO

edited February 2014 in Questions

Hello,
I am trying to implement the embedded SSO. After users log into my website, they can access a discussion page where I have vanilla embedded into an iframe. JSConnect is set to use my website as authentication method.
I use the following code to include the forum within my page:

    var vanilla_forum_url = '<?php echo VANILLA_FORUMS_URL; ?>'; // Required: the full http url & path to your vanilla forum
    var vanilla_sso = '<?php echo user_sso(); ?>';

    (function() {
        var vanilla = document.createElement('script');
        vanilla.type = 'text/javascript';
        var timestamp = new Date().getTime();
        vanilla.src = vanilla_forum_url + '/js/embed.js';
        (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(vanilla);
    })();

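    function user_sso() {
        $sso_string = '';
        // Only build an SSO string for a logged-in user; guests get an empty string.
        if (is_user_logged_in_profile()) {
            // require_once so a second call does not redeclare the library's functions.
            require_once get_template_directory() . '/jsconnect.php';
            $user = array();
            $user['email'] = $_SESSION['email'];
            $user['name'] = $_SESSION['fname'] . ' ' . $_SESSION['lname'];
            $user['uniqueid'] = $_SESSION['uniqueid'];
            // Sign the user data with the jsConnect client ID and secret.
            $sso_string = JsSSOString($user, CLIENTID, SECRET);
        }
        return $sso_string;
    }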

The JsSSOString is part of the PHP library suggested by Vanilla.

This is my result:

var vanilla_sso = 'eyJlbWFpbCI6ImdpdXNlcHBlbUBzbGFsb20uY29tIiwibmFtZSI6IiAiLCJ1bmlxdWVpZCI6IjEwODQ5OTUiLCJjbGllbnRfaWQiOiI3MzE4ODQ1OTkifQ== b4b3ac8334b48736bb74580b4222578be60e9d54 1392776246 hmacsha1';

When the iframe appears the user is not completely logged in but one more click is required to do so, such as Sign in with third party.

Is it possible, with the above solution, to fully authenticate users in vanilla so they can interact with the forum without requiring any extra steps?

If not possible with the above method, is there any way to fully authenticate users against vanilla through an iframe?

The environment in question is my staging environment, you may not find any settings on production.

Thanks

Comments

  • edited February 2014

    Hi Chris,

    Embedded seamless SSO is one of the gnarliest places to run into trouble, so thanks for coming to the table with a clear explanation and examples.

    The expected result is indeed that the user would be logged in seamlessly with no further action required.

    Can you link me to the page where the embedding is happening?

    Could I also get a test login account to your system? It doesn't need any special privileges on your end, just basic login. You can use support@vanillaforums.com as the email and/or send the password there.

    In general, a good first step when any SSO problem comes up is to clear your cookies or try a Private Browsing window or a different browser. We sometimes find repeated SSO attempts on different accounts can mess things up sufficiently that you can have issues signing in. This is only a concern for the administrator while doing the initial testing. I don't necessarily think this is the issue here, just covering all our bases.

  • edited February 2014

    Hi Lincoln,
    thank you so much for your response.
    You can access the embedded forum here: https://www-staging.teapartypatriots.org/discussions/
    If you need credentials feel free to click on register and create an account.
    This is also the vanilla forum url that we are using: https://forums-staging.teapartypatriots.org.
    We are using https to embed the forum. You may notice that the first time you try to hit the forum you will get a security issue; we are in the process of registering the SSL certificate, just accept to continue and it will work.

    For debug purpose, after logging in, the discussions page contains a hidden field: . You can use that field to double the user unique id.

    Let me know if you need any other info from me.


  • Hi Lincoln,
    do you have any updates on this?

    Thank you so much.

  • Laura (Support, Staff)

    Hey Chris!

    I alerted Lincoln to your response and have him tasked to take a look as soon as he can. We'll get back to you as soon as we've rooted out the issue.

    Thanks!
    -Laura

  • Laura, Lincoln,
    do you have any updates?

    Thanks

  • Laura (Support, Staff)

    Hey Chris,

    As Lincoln said, Embedded seamless SSO is a complex issue. He will update you as soon as he has some relevant information, but know that in the meantime, we are working on it.

    -Laura

  • Adding more details. After a user registers on my website and he tries to access my discussion page with vanilla embedded, the following workflow happens:

    When I click on the right link with the user name, Vanilla asks me to set the user password:

    Is it possible to avoid the setting password step using seamless sso integration?

    Digging into the support forum I also found this post: http://vanillaforums.com/discussion/3756/sso-integration/p1
    Is my problem related to that in some way?

    Thank you

  • I also tried to use the vanilla forum wordpress plugin but we achieve the same result.

  • Hi Chris,

    The registration method should be set to "Connect" when using SSO so I set that & another setting to force a connection if an account with the same email address already exists. Now the "Sign in with Tea Party Patriots" message is a simple link that passes you thru seamlessly. That's still not "just logged in" tho.

    I'm checking with another developer to confirm the expected behavior because I don't see anything wrong with your setup.

  • Hi Lincoln,
    thank you for your response. This is a really critical feature for our official release that is coming up pretty soon.
    Please let me know as soon as possible.

  • We created a new jsconnect connection to slalom.us.to. The website is a standard wordpress instance using the wordpress vanilla forum plugin correctly set up with client id and secret. Unfortunately also in this case we are not able to automatically log in new users in the forum using the sso embedded integration provided by the wordpress plugin.
    The link "Sign in using slalom digital" appears and once the user clicks the link it gets prompted to set a new password.

  • Can you please provide an update on this?

  • Laura (Support, Staff)

    Hey Chris,

    I am chasing this up with the developers now, I will get back to you as soon as I can.

  • Hi Chris. I'm viewing the source of your forum parent frame at https://www-staging.teapartypatriots.org/discussions/. Here are a few things I see.

    1. I've turned on debug and see that you have a mismatch in your client IDs. You need to match your client IDs and secrets on both the parent site and the forum.

    2. I notice that you are using regular http:// urls for your jsconnect settings. If you are going to be https then you should go ahead and set those to either https:// or // if you want to support both.

    3. I've left debug on so that you can see any other issues with embedded sso when you visit the forum. There is a trace at the bottom of the page. Right now I'm unsure of whether the certificate errors will cause issues with the browser taking cookies or not, but once you've sorted out the basic client id/secret issues then we can have a look again.
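
The client ID and secret mismatch described in the reply above can be checked on the parent site before the string ever reaches the forum. The following is an added example, not part of the original thread or of the jsConnect library: `check_sso_string()` is a hypothetical helper, the 1200-second window is an arbitrary choice, and it assumes the layout shown in the question (`<base64 JSON> <signature> <timestamp> hmacsha1`) with the signature being HMAC-SHA1 over `<base64 JSON> <timestamp>`.

```php
<?php
// Added diagnostic, not jsConnect code. Assumption: the signature is
// hash_hmac('sha1', "<payload> <timestamp>", <secret>) as hex.
// Returns a list of problems; an empty list means the string looks consistent.
function check_sso_string(string $sso, string $forumClientId, string $secret,
                          int $maxAge = 1200, ?int $now = null): array
{
    $problems = [];
    $parts = explode(' ', trim($sso));
    if (count($parts) !== 4) {
        return ['malformed: expected 4 space-separated parts'];
    }
    [$payload, $signature, $timestamp, $method] = $parts;
    if ($method !== 'hmacsha1') {
        return ["unsupported hash method: $method"];
    }
    // Constant-time comparison of the recomputed and supplied signatures.
    $expected = hash_hmac('sha1', "$payload $timestamp", $secret);
    if (!hash_equals($expected, $signature)) {
        $problems[] = 'signature mismatch: check that site and forum share one secret';
    }
    $user = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($user)) {
        return array_merge($problems, ['payload is not base64-encoded JSON']);
    }
    if ((string) ($user['client_id'] ?? '') !== $forumClientId) {
        $problems[] = 'client_id mismatch: payload does not carry the forum client ID';
    }
    foreach (['uniqueid', 'name', 'email'] as $field) {
        // ' ' is what fname . ' ' . lname yields when both session values are empty.
        if (trim((string) ($user[$field] ?? '')) === '') {
            $problems[] = "field '$field' is missing or blank";
        }
    }
    $now = $now ?? time();
    if (!ctype_digit($timestamp) || abs($now - (int) $timestamp) > $maxAge) {
        $problems[] = 'timestamp is invalid or outside the allowed window';
    }
    return $problems;
}

// Constructed sample: placeholder client IDs and secret, blank display name.
$secret = 'example-secret';
$payload = base64_encode(json_encode([
    'email' => 'user@example.com', 'name' => ' ',
    'uniqueid' => '1001', 'client_id' => 'site-client-id']));
$ts = time();
$sso = "$payload " . hash_hmac('sha1', "$payload $ts", $secret) . " $ts hmacsha1";
print_r(check_sso_string($sso, 'forum-client-id', $secret));
```

Run it with the client ID and secret copied from the forum's jsConnect settings rather than from the site's own configuration, so a disagreement between the two shows up as a reported problem.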

  • Hey Todd,
    we are now using the production environment. We ran into several issues and the sso integration is not really stable yet.

  • Chris can you be more specific?

  • Hi Todd,
    thank you for turning on the debug mode, it is really useful. We found a lot of conflicts that we couldn't anticipate.
    With regard to the environment, we are now using: https://www.teapartypatriots.org.

    Thank you

  • Great. Just send us a message when you want us to turn it off.

  • Thank you for the update

This discussion has been closed.