Docs and/or Samples for setting up Single Sign-On (SSO) #131

Closed
pdevito3 opened this issue May 22, 2022 · 8 comments
Labels
question Further information is requested

Comments

@pdevito3
Contributor

Hey guys, any chance you could add docs and/or a sample repo on setting up SSO on a Duende auth server?

I'm pretty much finding no good resources on how one would go about this other than purchasing this 3rd party solution.

@leastprivilege
Member

I am not following.

SSO comes for free when multiple applications share the same OIDC provider in the same browser.

What's the problem you are running into?

@leastprivilege leastprivilege added the question Further information is requested label May 22, 2022
@pdevito3
Contributor Author

So as I'm setting up my auth server, I'd like to be able to integrate an SSO option for logging in. From what it sounds like, each SSO offering would be a new OIDC provider and go through the same external flow as say a social login?

From a UX perspective I'm most familiar with Auth0's and a couple other SaaS SSO flows where you just enter your email and it can handle the login from there. Now under the hood, maybe that's just JS on the page that will try to resolve the external provider the same way you would a social login?

Continuing to look into this myself, but having some guidance on this would be nice regardless given the big value add this delivers for our apps.

@brockallen
Member

@pdevito3
Contributor Author

pdevito3 commented May 22, 2022

hmm, yeah to a degree, but I still have the root need of supporting SSO as the 'best' option when appropriate.

Edit: and to be clear on what I mean when I say SSO, the use case I'm thinking would be I have a piece of software that a company wants to use. When they log into that software, they want to use their @company email addresses to get into the system, but they don't need a password because they are logging in from an authenticated company device.

@josephdecock
Member

I think there's some confusion about terms going on here, maybe I can help clarify. From the point of view of an identity provider like IdentityServer, Single Sign On means multiple applications using IdentityServer so that the end user only needs to sign in once to use those applications. When you bring up integration with SSO options for logging in, I think what you are actually talking about is - from the point of view of an identity provider - Federating with an External Provider.

Our 2nd quickstart in the docs has a section on adding external identity providers to identity server which you may find helpful. In that quickstart, you'll see that we add a social login and an OIDC provider. There's some default UI which will include login buttons for each external provider that is registered. You could also provide your own UI that will send users to the correct external provider based on whatever criteria you like - see those docs on home realm discovery linked above.

It sounds like what you're looking for is to make the process as automatic as possible, so you may want to consider using the acr_values parameter when your application initiates the oidc handshake. That will give a hint to identity server as to which external provider should be used, and then your login page on identity server can redirect to the appropriate external provider automatically.
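
As an added example (not part of the original thread and not Duende's code), the routing decision described above can be sketched in C#: an `idp:` entry in `acr_values` is honored only when it names a registered external scheme, and otherwise an email-domain lookup decides. The class, scheme and domain names are hypothetical; the `idp:` prefix is IdentityServer's documented convention for this hint.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration; class, scheme and domain names are hypothetical.
public static class HomeRealmDiscovery
{
    // acr_values is a space-separated list; IdentityServer's convention for
    // an external-provider hint is an entry of the form "idp:<scheme>".
    public static string? ParseIdpHint(string? acrValues) =>
        (acrValues ?? "")
            .Split(' ', StringSplitOptions.RemoveEmptyEntries)
            .Where(v => v.StartsWith("idp:", StringComparison.Ordinal))
            .Select(v => v.Substring(4))
            .FirstOrDefault(v => v.Length > 0);

    // Returns the external scheme to challenge, or null to show the normal login page.
    public static string? Resolve(string? acrValues, string? email,
        ISet<string> registeredSchemes, IReadOnlyDictionary<string, string> domainToScheme)
    {
        // 1. Client-supplied hint: honored only if it names a registered scheme.
        var hint = ParseIdpHint(acrValues);
        if (hint != null && registeredSchemes.Contains(hint)) return hint;

        // 2. Email-first flow: map the domain after the last '@' to a scheme.
        var at = email?.LastIndexOf('@') ?? -1;
        if (at > 0 && at < email!.Length - 1)
        {
            var domain = email[(at + 1)..].Trim().ToLowerInvariant();
            if (domainToScheme.TryGetValue(domain, out var scheme)
                && registeredSchemes.Contains(scheme)) return scheme;
        }
        return null;
    }

    public static void Main()
    {
        // Constructed sample configuration.
        var schemes = new HashSet<string> { "contoso-oidc", "Google" };
        var domains = new Dictionary<string, string> { ["contoso.example"] = "contoso-oidc" };

        Console.WriteLine(Resolve("idp:contoso-oidc", null, schemes, domains) ?? "(login page)");
        Console.WriteLine(Resolve("idp:unknown", "amy@Contoso.example", schemes, domains) ?? "(login page)");
        Console.WriteLine(Resolve(null, "bob@other.example", schemes, domains) ?? "(login page)");
    }
}
```

The email typed on the login page only selects which provider to redirect to; the user's identity is still established by the external provider's response.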

@pdevito3
Contributor Author

Thanks, Joe.

Yeah I think I just didn't really realize that what I normally see as SSO is the same as any other OIDC setup, it just has some extra work under the hood with HRD and such like y'all mentioned to facilitate that UX I've had with it. That was definitely the missing piece.

I am pretty comfortable setting up an OIDC provider, I've just never done it for this adjusted HRD workflow. Could be a nice thing to add into a sample/with a new sample too fwiw to get some more exposure to what I would think is a fairly common need.

@pdevito3
Contributor Author

hmm, closed since you answered the question, but I guess you might want to expand docs on this, so I'll leave it open for y'all to close when you think it makes sense.

thanks regardless

@pdevito3 pdevito3 reopened this May 23, 2022
@brockallen
Member

Got it: DuendeSoftware/Samples#55

Thanks.
