Bug w/ External "SSO" Provider having Multiple Clients #1526

Open
b-earendil opened this issue Dec 26, 2024 · 2 comments

Comments

@b-earendil

Which version of Duende IdentityServer are you using?
v7.0.0

Which version of .NET are you using?
v8.0.204

Describe the bug

  • We have a Duende Identity Server License

  • We have two Web Clients.

  • Each has its own IdentityServer project based off of "QuickStart 2 - Interactive Applications with AspNet Core".

  • We have a third IdentityServer project which is meant to serve as an external "SSO" Identity Provider.

  • After using the External SSO Provider to login to one of our Web Clients, attempting to do the same with the other Web Client logs the user out of the SSO External Provider, as well as the first Web Client.

To Reproduce

  1. Clone: https://github.com/b-earendil/duende-external-provider
  2. Launch each of the following projects:
  • 1_IdentityServer
  • 1_WebClient
  • 2_IdentityServer
  • 2_WebClient
  • SSO_Identity_Server
  3. Login with 1_WebClient using "External Account > Custom-SSO"
  • Credentials: uname - bob, pw - bob
  • Note: Observe that the user is successfully logged in to 1_WebClient
  4. Login with 2_WebClient using "External Account > Custom-SSO"
  • Credentials: uname - bob, pw - bob
  • Note: Upon clicking Custom-SSO the user is not automatically logged in to WebClient2. Instead, they are prompted to re-enter the SSO login credentials.
  • Note: Upon re-entering the SSO-login credentials, the user will be logged out of 1_WebClient and logged into 2_WebClient.

Expected behavior

  1. Clone: https://github.com/b-earendil/duende-external-provider
  2. Launch each of the following projects:
  • 1_IdentityServer
  • 1_WebClient
  • 2_IdentityServer
  • 2_WebClient
  • SSO_Identity_Server
  3. Login with 1_WebClient using "External Account > Custom-SSO"
  • Credentials: uname - bob, pw - bob
  • Note: Observe that the user is successfully logged in to 1_WebClient
  4. Login with 2_WebClient using "External Account > Custom-SSO"
  • Credentials: uname - bob, pw - bob
  • Note: Upon clicking Custom-SSO the user should be automatically logged into 2_WebClient, without being prompted again for their SSO login credentials, and they should remain logged in to 1_WebClient as well.

Additional context

Our intention is to build a custom SSO solution which will work with a number of pre-existing web applications--each with their own existing 'Auth' project. Within the SSO_Identity_Server UserStore, each user has an associated claim for each web application for which they have access. Each claim contains the UserId of the user within one specific web application's IdentityServer.

Example: Within the SSO_Identity_Server UserStore, the user Bob has claims

  • new Claim("Client1_UserId", "2") // Bob is UserId 2 in 1_IdentityServer
  • new Claim("Client2_UserId", "12") // Bob is UserId 12 in 2_IdentityServer

When a user attempts to access 1_WebClient, they must login with 1_IdentityServer. We provide a "Custom-SSO" button on this login screen that allows them to login via the external-provider SSO_Identity_Server instead. Behind the scenes, 1_IdentityServer will act as a Client to SSO_Identity_Server.. displaying the SSO_Identity_Server login page to the user. After entering their SSO_Identity_Server credentials, the user is logged in with the external-provider and 1_IdentityServer receives the claim information from SSO_Identity_Server indicating which user from its internal user store should be logged in. Finally, this user should be logged in.

If the user then attempts to access 2_WebClient, we would expect the Custom-SSO button to

  • automatically log the user in without prompting for re-entry of SSO credentials
  • leave the logged-in state of 1_WebClient untouched
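The mapping step described in the issue (the per-application IdentityServer receives a claim from SSO_Identity_Server naming which of its own users to sign in), written out as an added example. This is not code from the linked repository or from Duende; it follows the shape of the Quickstart external-login callback and assumes a Razor PageModel, the quickstart's `TestUserStore` registered as `_users`, and that the Challenge page stored `scheme` and `returnUrl` in the authentication properties as the quickstart does. The claim type `Client1_UserId` is the one named in the issue; everything else is an assumption.

```csharp
// Added example, not part of the issue's repository. External-login callback for
// 1_IdentityServer: resolve the local user from the SSO-issued mapping claim only.
using System.Security.Claims;
using Duende.IdentityServer;
using Duende.IdentityServer.Test;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace IdentityServerHost.Pages.ExternalLogin;

public class Callback : PageModel
{
    // Claim issued by SSO_Identity_Server that carries this application's own user id
    // (from the issue text). 2_IdentityServer would use "Client2_UserId" instead.
    private const string LocalUserIdClaim = "Client1_UserId";

    private readonly TestUserStore _users; // assumption: quickstart in-memory store

    public Callback(TestUserStore users) => _users = users;

    public async Task<IActionResult> OnGet()
    {
        // 1. Read the temporary external cookie written by the OIDC handler after the
        //    round trip to SSO_Identity_Server.
        var result = await HttpContext.AuthenticateAsync(
            IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (!result.Succeeded || result.Principal is null)
            return Unauthorized(); // nothing to complete

        // 2. Resolve the local user strictly from the mapping claim. Do not fall back
        //    to matching on email or name: the SSO store, not the app, decides which
        //    local account (if any) the SSO user is entitled to.
        var localId = result.Principal.FindFirst(LocalUserIdClaim)?.Value;
        if (string.IsNullOrEmpty(localId))
            return Forbid(); // valid SSO user, but no access to this application

        var user = _users.FindBySubjectId(localId);
        if (user is null || !user.IsActive)
            return Forbid();

        // 3. Issue the local IdentityServer session, recording the external provider
        //    so the session (and later sign-out logic) knows where it came from.
        var provider = result.Properties?.Items["scheme"] ?? "Custom-SSO";
        var isuser = new IdentityServerUser(user.SubjectId)
        {
            DisplayName = user.Username,
            IdentityProvider = provider,
        };

        var props = new AuthenticationProperties();
        // Keep the external id_token so a later local sign-out can be propagated
        // to SSO_Identity_Server with an id_token_hint.
        var idToken = result.Properties?.GetTokenValue("id_token");
        if (idToken is not null)
        {
            props.StoreTokens(new[]
            {
                new AuthenticationToken { Name = "id_token", Value = idToken },
            });
        }

        await HttpContext.SignInAsync(isuser, props);

        // 4. Remove the temporary external cookie now that the local session exists.
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);

        // 5. Return to the authorize request that started the flow.
        var returnUrl = result.Properties?.Items["returnUrl"] ?? "~/";
        return Redirect(returnUrl);
    }
}
```

Two checks worth making when wiring this up. First, the `Client1_UserId` claim only reaches the callback if SSO_Identity_Server includes it in an identity resource the client requests (in the id_token, or via the userinfo endpoint with `GetClaimsFromUserInfoEndpoint` enabled on the OIDC handler), so a missing claim usually means a scope or resource configuration gap rather than a mapping bug. Second, browsers scope cookies by host name and not by port, so when several IdentityServer instances run on the same host during development, each instance's session and external cookies need distinct names; otherwise one instance's sign-in overwrites another's.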
@RolandGuijt

Can you please elaborate on why you need this complicated setup?
Why isn't it possible in your case to just set up one IdentityServer instance for both clients (looking at the example code)? There should be no need for three instances in this example.

@TedCorrales

Hi,
I'm Ben's coworker & responding on his behalf since he's in meetings all day today and we're working together on this project.

In our actual use case, we have multiple pre-existing web applications each with their own authentication solution and their own storage solution for account / profile information. Each is also managed and maintained by separate groups within our organization. In order to create a better end-user experience we want to create SSO functionality for clients who have access to more than one of our web applications.

We came up with the design above as a solution to implement SSO without having to remove or dramatically rewrite each application's auth/storage solutions. The idea being that each application would just need to add our SSO server as an "external provider" and then write a small amount of code to log in the correct user from their own system.

If there is a better way to do what we're describing I am all ears but removing all the existing auth systems to create a new unified one is unfortunately not an option at the moment.
