Single Sign On For All The Things™

I’ve been tasked with figuring out how to solve a particular pain point for our company: Our customers have a bunch of disparate systems that they need to log into. Our store, a WordPress install (several, actually), a helpdesk / ticketing system, and, of course, a variety of desktop applications I’ve written in Xojo.

I know very little about Single Sign On (SSO), and wanted to just ask if anyone in the community has experience getting something like this set up? Is there really an SSO solution out there that will let my user log into, say, the store that will also automatically grant them access to Xojo desktop applications? It seems that most SSO solutions revolve around web-based systems only - that getting SSO to work across both web based destinations as well as desktop software is… unusual.

Anyone have any insight?

@Kimball_Larsen many of our customers use Okta - which has a documented REST API (https://developer.okta.com/docs/reference/api-overview/) that would cover your desktop / web unification for SSO. I haven’t used it personally in my projects, but more of an idea as they are well respected. They use OAuth2 so that should be easy to implement in Xojo.

HTH,
Mike

I’ve done some work with SSO, but not enough to call myself an expert. That said, if you need the ability to sign in from within a Xojo app without requiring a web browser, I think the way you approach this is to implement a user account system yourself that supports being an SSO provider. OAuth2 requires the use of a browser. So acting as an SSO consumer will either need a browser or HTMLViewer. Being an SSO provider means you can implement your own logins in Xojo while allowing other SSO consumers such as WordPress to use your logins.

As for automatic login across systems… no. That’s more-or-less impossible.

In a Windows environment, a request to Active Directory comes to mind.
The AD can also control what the user can use.
I guess changing open source web systems will be a pain.
Single Sign On is a risk - if someone trusts a phishing mail, he opens all doors.

I’ve run across Okta in my initial research. Looks nice, but quite spendy.

All my Xojo apps currently have a home-grown authentication system that bumps up against our registration servers both for initial login and continued access. I could move some or all of the client-side stuff into an HTMLViewer, but it sounds like SSO does not really buy us much except for guaranteeing that everyone’s credentials will be the same across our whole customer surface area.


I’m currently in the research phase of this project, and I’ve been concerned about the risk from the moment it was suggested we do it. I’m in a mixed environment, so I can’t rely on AD. Thanks for the insight!

Yep.

If you have Microsoft Internet Information Services (IIS), you could add a Web API controller in an MS VS project to provide access via a REST service. This Web API controller can ask the AD.

All our backend is Linux. Customer machines are a mix of Win/Mac. I’m currently looking at KeyCloak, which is open source and on the surface appears to provide most of what we are looking for. Planning to knock up a new server today and take it for a test drive.


@Kimball_Larsen how did your testing go with KeyCloak? This is also of interest to us here so thank you for your info!

Mike

You found KeyCloak before I could suggest it.

If you need to look at a subscription option, we use OneLogin at OWC.

You might want to look at embedded logins. This article may be helpful, although for mobile devices “only external user agents (such as the browser) should be used by native applications for authentication flows.”
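Putting the two earlier points together (OAuth2 needs a browser, and a native app should hand authentication to the system browser rather than an embedded view), here is an added illustration, not code from this thread or from any of the products named in it, of the authorization-code flow with PKCE as a desktop app would drive it: generate a verifier/challenge pair and a state value, open the system browser on the authorize URL, accept the loopback redirect, check the state, and exchange the code together with the verifier. It is written in Python rather than Xojo for brevity; the issuer, client_id and loopback port are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders: point these at your own IdP (e.g. a Keycloak realm).
ISSUER = "https://sso.example.invalid"
CLIENT_ID = "desktop-app"
REDIRECT_URI = "http://127.0.0.1:8765/callback"  # loopback redirect per RFC 8252

def b64url(data: bytes) -> str:
    # base64url without padding, as PKCE (RFC 7636) requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def code_challenge(verifier: str) -> str:
    # S256 transform; the IdP recomputes this from the verifier sent at token time
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce() -> tuple:
    # (code_verifier, code_challenge); the verifier never leaves the app
    verifier = b64url(secrets.token_bytes(32))  # 43 chars of fresh entropy
    return verifier, code_challenge(verifier)

def build_authorize_url(state: str, challenge: str) -> str:
    # URL to hand to the system browser rather than an embedded web view
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,  # binds the callback to this login attempt
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"

def parse_callback(url: str, expected_state: str) -> str:
    # Validate the loopback callback and return the one-time authorization code
    qs = parse_qs(urlparse(url).query)
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this attempt")
    return qs["code"][0]

def token_request_body(code: str, verifier: str) -> dict:
    # Body for the back-channel POST to the token endpoint; a public client has no secret
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": verifier}
```

The desktop app only ever sees the one-time code and its own verifier; the user's password is typed into the IdP's page in the real browser, which is what keeps this shape out of the embedded-login problem the linked article warns about.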

how did your testing go with KeyCloak?

I got as far as getting a test KeyCloak instance set up and running, then the project stalled a bit, as we have about a bazillion questions about how to go about integrating with all our existing systems. I have been back and forth on the KeyCloak forums with some of the folks there, but with Black Friday looming, we decided to back-burner this project for a bit. Still not sure what direction we’ll go.

We have thousands of customers spread across 4 or 5 major disparate systems, and we’d like to integrate single sign on for all of them… but they live on different domains and some are desktop apps. Something like KeyCloak won’t really provide a “sign in once and you are auto-logged into all the things” for our specific situation. All we’ll really get is a guarantee that the user’s credentials are the same across all the systems. Couple that with the fact that we’ll have to have ALL our users update their password and/or create a new KeyCloak account, then find a way to reliably link up accounts from the different systems (including ones where Bob Smith used bob@smith.com for one system and bobby@smithsville.com for another) and pretty soon the can of worms becomes more difficult to deal with than having a bunch of different logins for all the things.

So, yeah. Project stalled for now. :-/
