Open Closed

Transitioning to an SSO platform #6339


User avatar
0
auxo-devsu created
  • ABP Framework version: v7.0.0
  • UI Type: MVC
  • Database System: EF Core (SQL Server, Oracle, MySQL, PostgreSQL, etc..)
  • Tiered (for MVC) or Auth Server Separated (for Angular): Auth Server separated (modular approach)
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

Hi,

We are running a multi-tenanted solution using ABP Commercial, and we are considering replacing the Auth Server module with a third-party Identity Management Platform such as Auth0.

I read something about the use of external logins on the Auth Server, but I would like to have an actual single sign-on solution and let a single identity potentially have access to multiple tenants, as that's something very common in our industry.

Could you please give me some instructions on what things I should do and consider to make this happen?

Thanks!


7 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    I read something about the use of external logins on the Auth Server

    I think it should be working. have you give it a try?

  • User Avatar
    0
    auxo-devsu created

    I read something about the use of external logins on the Auth Server

    I think it should be working. have you give it a try?

    Thanks for looking into my ticket but, as I said, I would like to have an actual single sign-on solution and let a single identity potentially have access to multiple tenants, as that's something very common in our industry.

    Could you please give me some instructions on what things I should do and consider to make this happen?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can try to replace AddOpenIdConnect with auth0 in the MVC project. It's simple.

    let a single identity potentially have access to multiple tenants, as that's something very common in our industry.

    You can change the current to access the data in other tenants.

    https://docs.abp.io/en/abp/latest/Multi-Tenancy#change-the-current-tenant

  • User Avatar
    0
    auxo-devsu created

    Thanks @maliming!

    Would you have any examples of how to replace AddOpenIdConnect? If I manage to replace that with Auth0, do I still have to keep the ABP's Identity Server alive?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    The ABP's identity module will exist in the API project.

    https://auth0.com/blog/exploring-auth0-aspnet-core-authentication-sdk/

       Auth0
    Web     API
         
    
  • User Avatar
    0
    auxo-devsu created

    Thanks for the link! I had seen that bit already.

    Authenticating with Auth0 will be fine, I'm sure. Still, I'm looking for guidance on how to use a 3rd party but also continue to leverage ABP's authorisation bits like permissions, roles, current tenant identification and all that.

    Could you please help me with that? What are the things that will break into ABPs authorisation system when I decide to not use the out-of-the-box auth server? What are the things to be replaced/re-written/extended?

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    You can use the external login and disable the local login.

    https://docs.abp.io/en/commercial/latest/modules/account#install-a-new-external-login https://docs.abp.io/en/commercial/latest/modules/account#local-login

    For SSO, you can configure the shared cookie domain:

    https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-8.0

    for example:

    context.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies", options =>
    {
        options.Cookie.Name = ....;
        options.Cookie.Domain = ....;
    
        .....
    })
    
Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11