Is there a built-in way to expose Single Sign On via Silhouette?


Gary Malouf

Sep 15, 2016, 11:12:56 PM
to Silhouette
I have the following use-case that I'm trying to make happen:

  • Existing Play 2.4.x application that uses Silhouette to allow either credential or LinkedIn login
  • Client wants to add a forum to their overall site - we are looking at http://www.telescopeapp.org/
  • Ideally, users would get redirected to the site supported by our Play app to sign in, then get redirected back to telescope-based forum

Is there a way to expose Single Sign On endpoints with Silhouette to make something like this work?

Christian Kaps

Sep 16, 2016, 11:43:15 AM
to Silhouette
Silhouette has a CAS provider which supports Single Sign On. I've not used or configured the provider. So I really cannot help here.

Best regards,
Christian

Gary Malouf

Sep 16, 2016, 11:45:39 AM
to Silhouette
My understanding was that providers allowed someone to login to your current application.  I'm looking for how to expose endpoints so that another site can reference ours for authentication (i.e. our app is the authenticator and the other site communicates with ours for authentication).

Christian Kaps

Sep 16, 2016, 12:02:08 PM
to Silhouette
Yes, the CAS provider authenticates against a CAS service, and your other apps can also authenticate against this CAS service. What you would like to implement in your Play app, the CAS service provides. So the CAS service would be an additional app in your architecture.

Gary Malouf

Sep 16, 2016, 12:03:41 PM
to Silhouette
I want to clarify to be explicit.  We have an existing play framework application that lets users login via LinkedIn.  It has a fancy sign-in page etc.  The client wants an implementation of a forum (I don't know of any on Play) that would authenticate with our current sign-in, then allow you to do things within the forum.  I'm trying to find a way to make our Play app a single sign on server, otherwise the sign on needs to be ported to another application first.

Christian Kaps

Sep 16, 2016, 12:12:25 PM
to Silhouette
Does the forum have its own login page, so that a user who has signed in to the forum first also has access to the Play app? Or does the login only work via the Play app, after which the user can access the forum?

Gary Malouf

Sep 16, 2016, 12:14:48 PM
to Christian Kaps, Silhouette
The intention is that when the user goes to login to the forum, they are redirected to the login page on the Play app, authenticate, then are redirected back to the forum.  (That's at least what is being asked for.)


Christian Kaps

Sep 16, 2016, 12:27:22 PM
to Silhouette, kaps.ch...@gmail.com
I would use the JWT authenticator for this case. As an example: the user signs in to the Play app. Now you could create a JWT authenticator. If the forum is hosted on a different domain, then you can append the token to the redirect URL and save it in a cookie in the forum app. If it's hosted on the same domain or a subdomain, then you can set the cookie directly in your Play app. In the forum app you can then validate the token against your Play app. It's the same as implemented in the Angular seed template.

Does this make sense to you?

On Friday, September 16, 2016 at 18:14:48 UTC+2, Gary Malouf wrote:
The intention is that when the user goes to login to the forum, they are redirected to the login page on the Play app, authenticate, then are redirected back to the forum.  (That's at least what is being asked for.)

Gary Malouf

Sep 16, 2016, 12:32:14 PM
to Christian Kaps, Silhouette
The only piece I'm unclear on is the 'validate the token against your play app' part.  I would need to expose a route such that the forum can validate the token each time right?  (Roughly the equivalent of how we protect our routes)

Christian Kaps

Sep 16, 2016, 12:38:59 PM
to Silhouette, kaps.ch...@gmail.com
Correct! You can use either a SecuredAction or a UserAwareAction. If you use a SecuredAction, then you must create error handlers which return an appropriate result (JSON object or HTTP status code). If you use the UserAwareAction, then you do not need the error handlers, because you can create the appropriate result directly in the action.


On Friday, September 16, 2016 at 18:32:14 UTC+2, Gary Malouf wrote:
The only piece I'm unclear on is the 'validate the token against your play app' part.  I would need to expose a route such that the forum can validate the token each time right?  (Roughly the equivalent of how we protect our routes)

Gary Malouf

Sep 16, 2016, 12:49:04 PM
to Silhouette, kaps.ch...@gmail.com
Sounds like UserAwareAction is the way to go (I usually only use this on pages where a user may/may not be logged in and they could still render).

Karim Heraud

Sep 20, 2016, 6:35:54 AM
to Silhouette
Where is the documentation for the CAS provider located? I can't find anything about it here...

Best regards

Karim

Christian Kaps

Sep 20, 2016, 8:13:14 AM
to Silhouette
Hi,

There is currently no documentation. What is unclear to you?

Best regards,
Christian

Karim Heraud

Sep 23, 2016, 6:39:26 AM
to Silhouette
I do understand that the CasProvider is a SocialProvider, so I can use it like any other SocialProvider in the seed examples.

I am struggling with two things:

1) How should the central service provider answer the auth request?

I am building my own SSO service on top of an existing website. I won't use the jasig implementation.
I understand that CasProvider has 4 kinds of protocol/validator : Cas1, Cas2, Cas3 and SAML.

I can't find exactly what the protocol diagrams for these validators are. (PS: I do understand that this is not specifically related to Silhouette :)).

2) How can I inject a custom CasProfileParser?

It seems that CasProfileParser is wired directly into the CasProvider and not injected via DI.
I plan to add extra information passed by the central server. Would the right way be to create a custom CasProvider?

Best regards,

Karim

Christian Kaps

Sep 23, 2016, 7:14:43 AM
to Silhouette
Hi,

1) Am I right that you will use the CAS provider with your own SSO implementation? I'm not sure that this would work! I think the CAS protocol is really special, and the client library which the CAS provider uses is implemented to speak this special CAS protocol to the CAS provider app.

2) You should create a custom provider as described in the [docs](http://silhouette.mohiva.com/docs/providers#social-profile-builders-and-parsers).

Best regards,
Christian

Karim Heraud

Sep 26, 2016, 4:13:19 AM
to Silhouette
Thanks a lot Christian,

I decided to go with the CAS 3.0 protocol described here : https://github.com/apereo/cas/tree/master/docs/cas-server-documentation/protocol
I skipped all the proxy stuff as I don't need it.

For the custom social profile it works well with the doc you pointed me at.
Last but not least question: is there a built-in mechanism in Silhouette which allows me to modify the request before sending it to my CAS provider? I would like to use a public/private key instead of clear nonces, and nonces are directly extracted from the request by the provider. I could force the implicit request to be a new one I change myself, but I would like to be sure there is nothing built into Silhouette made for that.

Best regards

Karim
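For readers following Karim's choice of the CAS 3.0 protocol (and his first question, how the central server should answer), here is the service-ticket exchange written out as an added Python example, covering both the client side that a CAS provider performs and the server side Karim is building himself. It is not code from Silhouette, from this thread or from Apereo CAS; the server base URL, the attribute names and the ticket lifetime are assumptions of the example. The client redirects the browser to `/login?service=...`, the server sends it back to the service with a `ticket=ST-...` parameter, and the client then calls `/p3/serviceValidate?service=...&ticket=...` and parses the `cas:serviceResponse` XML, which carries `cas:user` and `cas:attributes` on success or a `cas:authenticationFailure` with a code on failure. The server-side store enforces the three properties a service ticket needs: it is bound to the `service` it was issued for, it is single-use, and it expires quickly.

```python
"""Added example: the CAS 3.0 service-ticket exchange, client and server side.
Not Silhouette or Apereo code; URLs, attributes and lifetimes are constructed for the demo."""
import secrets
import time
from typing import Optional
from urllib.parse import urlencode
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_SERVER = "https://sso.example.org/cas"   # assumption: base URL of Karim's own SSO server
TICKET_TTL_SECONDS = 10                       # assumption: service tickets live 10 seconds


# ---- client side: what a CAS provider (Silhouette's CasProvider or any other) does ----
def login_url(service: str) -> str:
    """Step 1: send the browser to the CAS login page, naming the service to return to."""
    return f"{CAS_SERVER}/login?{urlencode({'service': service})}"


def validate_url(service: str, ticket: str) -> str:
    """Step 3: back-channel call to the CAS 3.0 validation endpoint (/p3/serviceValidate)."""
    return f"{CAS_SERVER}/p3/serviceValidate?{urlencode({'service': service, 'ticket': ticket})}"


def parse_service_response(xml_text: str) -> dict:
    """Parse a cas:serviceResponse: user + attributes on success, code + message on failure.
    Attributes are kept as lists because CAS allows the same attribute name to repeat."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        attrs = {}
        attr_el = ok.find("cas:attributes", CAS_NS)
        if attr_el is not None:
            for child in attr_el:
                attrs.setdefault(child.tag.split("}")[-1], []).append((child.text or "").strip())
        return {"success": True, "user": ok.findtext("cas:user", namespaces=CAS_NS), "attributes": attrs}
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return {"success": False, "code": fail.get("code"), "message": (fail.text or "").strip()}
    raise ValueError("not a CAS serviceResponse")


# ---- server side: the part Karim is building on top of his existing website ----
def _success_xml(user: str, attributes: dict) -> str:
    attr_xml = "".join(f"<cas:{k}>{escape(v)}</cas:{k}>" for k, v in attributes.items())
    return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
            f"<cas:authenticationSuccess><cas:user>{escape(user)}</cas:user>"
            f"<cas:attributes>{attr_xml}</cas:attributes>"
            "</cas:authenticationSuccess></cas:serviceResponse>")


def _failure_xml(code: str, message: str) -> str:
    return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
            f"<cas:authenticationFailure code='{code}'>{escape(message)}</cas:authenticationFailure>"
            "</cas:serviceResponse>")


class TicketStore:
    """Service tickets: bound to one service, single-use, short-lived."""

    def __init__(self) -> None:
        self._tickets = {}

    def issue(self, user: str, service: str, attributes: Optional[dict] = None,
              now: Optional[float] = None) -> str:
        """Step 2: after the user authenticates, mint a ticket and redirect to service?ticket=..."""
        now = time.time() if now is None else now
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (user, service, dict(attributes or {}), now + TICKET_TTL_SECONDS)
        return ticket

    def validate(self, ticket: str, service: str, now: Optional[float] = None) -> str:
        """Answer /p3/serviceValidate. The ticket is consumed on first use, success or not."""
        now = time.time() if now is None else now
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return _failure_xml("INVALID_TICKET", f"Ticket {ticket} not recognized")
        user, bound_service, attributes, expires = entry
        if now > expires:
            return _failure_xml("INVALID_TICKET", f"Ticket {ticket} has expired")
        if bound_service != service:
            return _failure_xml("INVALID_SERVICE", "Ticket was issued for a different service")
        return _success_xml(user, attributes)


if __name__ == "__main__":
    store = TicketStore()
    svc = "https://play.example.org/authenticate/cas"
    ticket = store.issue("karim", svc, {"email": "karim@example.org"})
    print(login_url(svc))
    print(validate_url(svc, ticket))
    print(parse_service_response(store.validate(ticket, svc)))
```

The consume-before-check order in `validate` is deliberate: a ticket that fails validation for any reason is gone, so an attacker who captures one from a browser history or log cannot retry it against another service or after a clock skew. Extra profile data Karim wants to pass from the central server goes into `cas:attributes`, which is exactly what a custom profile parser on the Silhouette side would read.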

Christian Kaps

Sep 26, 2016, 2:50:14 PM
to Silhouette
No, there is no builtin mechanism. 

Karim Heraud

Sep 27, 2016, 6:03:36 AM
to Silhouette
Excellent! Thanks a lot again for all the hard work and support!