
Any plans to have SSO?

Open ti0rafa opened this issue 8 years ago • 24 comments

Are there any plans for a "Single Sign On" option?

I'm trying to manage openKB users on my main app, and wanted to avoid different users.

ti0rafa avatar Mar 16 '17 23:03 ti0rafa

It's been mentioned but no work has commenced. If you can set it up and submit a PR I would definitely merge it.

mrvautin avatar Mar 16 '17 23:03 mrvautin

What kind of SSO do you need?

More specifically protocol and provider.

Passport would probably be the best option since it has support for 300+ authenticators - http://passportjs.org/docs

TBK avatar Mar 21 '17 00:03 TBK

I would think the option for: Facebook, Google, Twitter and Github would be more than enough to cover everyone. What are your thoughts?

mrvautin avatar Mar 21 '17 00:03 mrvautin

Throw LDAP into the mix and you also got local/corp deployments covered.

TBK avatar Mar 21 '17 00:03 TBK

Passportjs seems like a good option, if it can be integrated.

The provider: (in my case) will be my main app, it's a small ERP I help develop for a friend that needed a custom solution. So their users are managed locally.

The protocol: OAuth 2.0 probably is the way to go.

I was looking forward to an experience similar to what disqus or zendesk have for their SSO implementations. A very basic description of the process I hope I can achieve goes like this:

  1. You configure the login/auth URL in openKB (config file, mongo document, etc)
  2. When a user enters openKB and hits login they get redirected to whatever URL you previously configured
  3. The login/auth URL does whatever it needs to authenticate the user
  4. The login/auth URL grants a message to the user (JWT, Hash Signature, etc)
  5. The user gets redirected back to openKB with the grant message
  6. openKB validates the grant message and determines if it's valid or not

I believe that experience can be achieved using passport if it can be integrated. And passport can help with the social logins for projects that need them.

ti0rafa avatar Mar 21 '17 17:03 ti0rafa

So to satisfy everybody's needs as well as #72, the following packages should suffice?

 "passport": "^0.3.2",
 "passport-oauth": "^1.0.0",
 "passport-ldapauth": "^1.0.0",
 "passport-facebook": "^2.1.1",
 "passport-twitter": "^1.0.4",
 "passport-google-oauth": "^1.0.0"

TBK avatar Mar 21 '17 20:03 TBK

I have made a design concept for the user login: [image: web 1920 1 2x]

I got the Facebook and Twitter login buttons from https://dribbble.com/shots/1358062-Social-Login-Buttons, the Google and GitHub I made based on the Twitter login button design.

I am not sure if a corp/org SSO login button is needed or what it should look like.

TBK avatar Mar 21 '17 22:03 TBK

Looks good!

mrvautin avatar Mar 23 '17 01:03 mrvautin

I am not sure how the Settings design should look and the same goes for what happens after the user clicks the "Login with ....." button.

Could be:

  • New window opens
  • Login modal
  • Loads new site view

TBK avatar Mar 23 '17 08:03 TBK

I think it would be more economical to use the font-awesome icons for the login services (fa-facebook, fa-github, fa-google and fa-twitter). Looks good regardless!

unixben avatar Mar 26 '17 08:03 unixben

Definitely +1 for LDAP SSO! It'd be fantastic to be able to deploy in a corp environment without having to remember another password :)

plygrnd avatar Apr 04 '17 08:04 plygrnd

I've already built LDAP into ezyFAQ but haven't had the chance to add it to openKB as yet.

mrvautin avatar Apr 04 '17 08:04 mrvautin

Fair enough. Any chance you could build in Kerberos too? If not I'll send you a PR.

On Tue, 4 Apr 2017, 09:21 Mark Moffat, [email protected] wrote:

I've already built LDAP into ezyFAQ https://www.ezyfaq.com but haven't had the chance to add it to openKB as yet.


-- Regards, Daniel Urson

plygrnd avatar Apr 04 '17 09:04 plygrnd

passport-kerberos

I have not had the time to add passport support as of yet, might be able to do it next week.

TBK avatar Apr 04 '17 10:04 TBK

Hey there, any update on the plans for this?

thenaturalist avatar May 23 '17 09:05 thenaturalist

👍

SalahAdDin avatar Jun 28 '17 16:06 SalahAdDin

Hello, I've added Google login using Passport.

You need to manually configure auth tokens from "config/config.json".

If anyone is interested in modifying the Admin > Settings page to load clientID, clientSecret and callbackURL, that will be great.

Feel free to add the rest of the providers with Passport and using Google as a template.

skydiver avatar Jul 28 '17 03:07 skydiver

I can't seem to find passport for AD integration? Is the "strategy" for AD deprecated?

xiddic avatar Jul 28 '17 16:07 xiddic

For AD integration we're using passport with openkb and ADFS 4 using the openid connect functionality made available in 4. Although as of right now we're only using it to give view access and don't have modifications to give any rights.

JDCain avatar Jul 29 '17 00:07 JDCain

@JDCain The only thing halting me from deploying openkb is AD integration. Do you have a working build? At the moment my nodejs dev level is too low to implement ADFS and passport into openkb.

xiddic avatar Oct 18 '17 06:10 xiddic

@TBK @skydiver Excellent, awesome.

SalahAdDin avatar Oct 18 '17 10:10 SalahAdDin

+1

gonzalodiaz avatar Feb 09 '18 15:02 gonzalodiaz

:+1:

SalahAdDin avatar Feb 09 '18 21:02 SalahAdDin

Hey folks, super interested in this passport integration. Is there a plan to merge these? Thanks!

joeyjmorales avatar Jun 20 '19 16:06 joeyjmorales