I've got multiple web apps running across multiple domains. I want to implement Single Sign-On, so that a user signs in once to access all apps.
How should I implement this? All apps use NodeJS backend.
General pointers in the right direction are welcome.
Click on the save button to configure Nodejs. Click on metadata and copy the IDP Entity ID, SAML Login URL, SAML Logout URL and X509 Certificate. Add the IDP and SP configurations in the saml-config.json file given in the saml-config folder.
As your apps are running on different domains, there is no way to share cookies between those apps running on the client machine to validate the user. So somehow the information needs to be shared on the server end.
Simplest solution that comes to my mind is:
Have a shared session for all servers.
Have a specific authentication domain and redirect users there whenever authentication is needed. Authenticate user there and set a session cookie or token whatever you want.
Whenever any app of yours needs authentication, redirect to the authentication domain. The authentication cookie will be served to the authentication domain as well as the referrer domain. On seeing that you are already validated, the authentication server can redirect you to the original app with a proper sessionID, which will be set as a cookie for that domain.
If not authenticated, user will be asked to authenticate on authentication server and then the redirection will happen.
With little changes, you can achieve this using tokens and without need of shared sessions.
Validate the states properly before implementing it. More states in your mechanism means more chances of bugs and possible attacks.
Consider moving your apps to the same sub-domain. If the authentication mechanism is the same then everyone knows that all apps belong to the same company. It will also be easier for people to remember various sub-domains on the same domain rather than remembering all the different domains.
The most used project is http://passportjs.org/; it is pretty much the only one I use and has great connectors to on-premise solutions like ADFS and third-party ones like Google and Facebook.