Dear ABP Team,
What I want to achieve is a lot of different "business" ABP applications (with the same configuration as below) for different purposes, and one "landing" ABP application, which takes care of the authentication and authorization of all those applications, so if a user logs in on the landing page, they can navigate to any of the other applications with a valid user session, BUT can also start (and finish) their job on any of the "business" applications by being redirected to the "landing" app, logging in and being redirected back automatically. I don't want to use an external provider (like Azure AD) to manage my identity records; I want it to be handled by the "landing" app. Could you please provide me an example of how to do that SSO setup with ABP?
- ABP Framework version: v8.3.2
- UI Type: Angular
- Database System: EF Core + SQL Server
- Tiered (for MVC) or Auth Server Separated (for Angular): Layered application, separate Authentication Server
16 Answer(s)
-
0
Hello,
Can you please refer to this document: https://medium.com/@kirti.kulkarni/how-to-implement-single-sign-on-with-abp-commercial-application-b4952c3da1c0 It will help you to understand.
Thank you.
-
0
Thank you for your reply. I've checked that document, and it is for SSO with Microsoft Identity Platform. As I mentioned, I don't want to use an external provider for identity management. Could you please provide me an example where my own ABP "landing" application is the identity provider? Thank you!
-
0
Check this once: https://abp.io/support/questions/8278/SSO-login-like-external-provider See if it is helpful for you.
-
0
Unfortunately it is not. What I want is an example/document/howto about implementing both the openiddict server and client side with my own ABP applications. I don't want to use external providers at all.
-
0
hi balazs.koczab
You can use openiddict as the authserver. The default template is already built.
Then add AddOpenIdConnect(oidc) in your backend and public MVC website. Once you sign in at the public MVC website, the backend website will sign in automatically.
If you want to share the oidc cookies between backend and public, you can see: https://abp.io/community/articles/how-to-share-the-cookies-between-subdomains-jfrzggc2
-
0
hi maliming
Thank you for your response. Unfortunately it is still not working.
My setup: I've created a "SignInApp" and a "TestMesApp" to try it out. Modified the ...HttpApi.Host project's ...HttpApiHostModule.cs file's ConfigureAuthentication for both of the applications:
In the dbmigrator project of SignInApp, I've added all the applications to the OpenIddict config like this:
I've also extended the OpenIddictDataSeederContributor of SignInApp:
The authserver URL of TestMesApp is set to the authserver URL of SignInApp in the appsettings.json and environment.ts.
Actual results: Scenario 1: I can sign in to SignInApp, but TestMesApp is still not authenticated. After that, if I click the login button of TestMesApp, the page refreshes, but nothing happens.
Scenario 2: If I delete the AspNetCore.Identity.Application cookie from the browser (for some reason it is not deleted when I log out from SignInApp), I can click the login button of TestMesApp, which now redirects to the SignInApp's Authserver's login page. I can enter my credentials, it redirects back to the homepage, but it is still not logged in. Now if I refresh the SignInApp it is still not logged in, but if I click the login button, it logs in without asking for credentials.
Am I doing something wrong? Are any of the above steps unnecessary?
-
0
hi
Can you upload your test project to Github private repos and invite https://github.com/maliming as a contributor?
I will check your code.
Thanks.
-
0
hi
I've just added you. I put all the things in one single commit which is an addition to the default abp app. I've also updated the version to 9. Thanks!
-
0
ok, I will check your code.
-
0
hi
There are two AuthServer projects. For SSO, you can only have one AuthServer.
One AuthServer (OpenIddict) acts as the authentication/authorization server.
Two or more websites use this server to log in with OpenIdConnect. If website A is signed in with the AuthServer, websites B and C will automatically be signed in.
account.abp.io is the authserver of the abp.io platform. www.abp.io, docs.abp.io and commercial.abp.io will be using OpenIdConnect to sign in with account.abp.io. We will share the OpenIdConnect cookies, so if you have signed in at www.abp.io, you will have a signed-in state on the other websites.
If I misunderstand your project, you can share full steps to reproduce the problem with your project.
Thanks.
-
0
Hi
The Authserver project of the TestMesApp is not used at all. I've just deleted it to have a clearer picture.
What I want to achieve is a lot of different "business" ABP applications (TestMesApp is an example of that) for different purposes, and one "landing" ABP application, which takes care of the authentication and authorization of all those applications (which is SignInApp),
so if a user logs in on SignInApp, they can navigate to any of the other applications (TestMesApp) with a valid user session,
BUT can also start (and finish) their job on any of the "business" applications (TestMesApp) by being redirected to SignInApp's authserver,
logging in and being redirected back automatically.
I don't want to use an external provider (like Azure AD) to manage my identity records; I want it to be handled by SignInApp.
-
0
hi
I already know your case.
But your TestMesApp.HttpApi.Host is an API project. An API generally won't use OpenIdConnect for authentication. You can create a new app (layered, tiered, public website) project.
- The AuthServer is the authentication/authorization center.
- The HttpApi.Host is the API website that uses JWT for authentication/authorization.
- The WEB and WEB public websites are MVC apps that use OpenIdConnect for SSO.
You can see: once I have signed in to the web, the web public will be signed in automatically. The video: https://we.tl/t-IToZ847OBB
If you have sub-domains for these websites, you can configure them to share cookies in the same domain: https://abp.io/community/articles/how-to-share-the-cookies-between-subdomains-jfrzggc2
If you will use different domains for these websites, the web public website needs to click the login and will redirect to the authserver, then be signed in automatically, because the authserver has the signed-in state.
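The layout described above (one AuthServer, MVC websites signing in through OpenIdConnect) can be wired up in a business app's Web module as follows. This is an added example, not code from the thread or the ABP template; the AuthServer:* configuration keys, the "TestMesApp_Web" client id and the "TestMesApp" API scope are assumed, and the OpenIddict client registration on SignInApp's side has to match them.

```csharp
// Added example: ConfigureAuthentication for a "business" MVC Web module
// (e.g. TestMesApp.Web) that delegates login to SignInApp's single AuthServer.
// All names/settings below are assumptions, not values from the thread.
using System;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Volo.Abp;
using Volo.Abp.Modularity;

public class TestMesAppWebModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        var configuration = context.Services.GetConfiguration();

        context.Services.AddAuthentication(options =>
            {
                // The local session is a cookie; anything unauthenticated is
                // challenged by redirecting to the shared AuthServer ("oidc").
                options.DefaultScheme = "Cookies";
                options.DefaultChallengeScheme = "oidc";
            })
            .AddCookie("Cookies", options =>
            {
                options.ExpireTimeSpan = TimeSpan.FromDays(365);
            })
            .AddOpenIdConnect("oidc", options =>
            {
                // Authority = SignInApp's AuthServer, e.g. https://signin.example.test (assumed)
                options.Authority = configuration["AuthServer:Authority"];
                options.RequireHttpsMetadata = configuration.GetValue<bool>("AuthServer:RequireHttpsMetadata");
                options.ClientId = configuration["AuthServer:ClientId"];         // e.g. "TestMesApp_Web"
                options.ClientSecret = configuration["AuthServer:ClientSecret"]; // confidential MVC client

                // Authorization code flow with PKCE: no tokens travel in the front channel.
                options.ResponseType = OpenIdConnectResponseType.Code;
                options.UsePkce = true;
                options.SaveTokens = true;                   // keep tokens for calling HttpApi.Host
                options.GetClaimsFromUserInfoEndpoint = true;

                // Scopes must be granted to this client in SignInApp's OpenIddict seeder.
                options.Scope.Add("roles");
                options.Scope.Add("email");
                options.Scope.Add("TestMesApp");
            });
    }
}
```

Because the AuthServer keeps its own authentication cookie, the second website's challenge round-trips to the AuthServer and completes without a credential prompt; that AuthServer cookie is the actual SSO state, not the per-website "Cookies" session.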
-
0
Hi,
Could you please share the source code of that TestSSO project with me?
-
0
-
0
So if my understanding is correct, if I already have a lot of different ABP applications in different repositories without ".Web" projects (all the applications have an angular UI, a ".Http.Api.Host" API project and an "Authserver"), it is NOT possible with ABP framework to implement a landing page and make all the applications authorize through that page (SSO), right? What I want to achieve is to authenticate once on a landing page, and from that point, all the different angular applications become logged in automatically.
-
0
all the applications have an angular UI, a ".Http.Api.Host" API project and an "Authserver"
hi
Your application is an API project/website, which means there is no page. It is authenticated by a JWT token. The SSO will use cookies for authentication, but angular will use a JWT token.
If your angular app uses Authorization Code Flow to get tokens, then you can do: https://abp.io/docs/latest/framework/ui/angular/authorization#authorization-code-flow
You have a lot of angular and API websites, but there is only one authserver project. If one of your angular apps => login => redirect to authserver => signed in => redirect to angular localhost:4200?code=xyz => angular gets the token.
The other angular apps do not need to sign in again on the authserver website. They will get a token automatically.
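The flow above requires every Angular app to be registered as a client of the single authserver (SignInApp's) for the authorization code flow. The following is an added example of such a registration, not the thread's or ABP's own seeder code: it assumes a DbMigrator data seed contributor in SignInApp, OpenIddict 5.x constant names, and sample values ("TestMesApp_App", scope "TestMesApp", http://localhost:4200) that are placeholders for the real apps.

```csharp
// Added example: seed contributor in SignInApp's DbMigrator registering each
// Angular "business" app as a public OpenIddict client. Client ids, scopes and
// URLs are assumed sample values; constant names follow OpenIddict 5.x.
using System;
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using Volo.Abp.Data;
using Volo.Abp.DependencyInjection;
using static OpenIddict.Abstractions.OpenIddictConstants;

public class BusinessAppClientSeedContributor : IDataSeedContributor, ITransientDependency
{
    private readonly IOpenIddictApplicationManager _applicationManager;

    public BusinessAppClientSeedContributor(IOpenIddictApplicationManager applicationManager)
    {
        _applicationManager = applicationManager;
    }

    public async Task SeedAsync(DataSeedContext context)
    {
        // One call per Angular app; all of them use SignInApp's authserver as issuer.
        await CreateAngularClientAsync("TestMesApp_App", "TestMesApp", "http://localhost:4200");
    }

    private async Task CreateAngularClientAsync(string clientId, string apiScope, string rootUrl)
    {
        if (await _applicationManager.FindByClientIdAsync(clientId) != null)
        {
            return; // the migrator seeds on every run, so stay idempotent
        }
        var descriptor = new OpenIddictApplicationDescriptor
        {
            ClientId = clientId,
            DisplayName = clientId,
            ClientType = ClientTypes.Public,               // SPA: no secret, PKCE required below
            ConsentType = ConsentTypes.Implicit,
            RedirectUris = { new Uri(rootUrl) },           // OpenIddict matches redirect URIs exactly
            PostLogoutRedirectUris = { new Uri(rootUrl) },
            Permissions =
            {
                Permissions.Endpoints.Authorization, Permissions.Endpoints.Token, Permissions.Endpoints.Logout,
                Permissions.GrantTypes.AuthorizationCode, Permissions.GrantTypes.RefreshToken,
                Permissions.ResponseTypes.Code,
                Permissions.Scopes.Profile, Permissions.Scopes.Email, Permissions.Scopes.Roles,
                Permissions.Prefixes.Scope + apiScope      // this app's own HttpApi.Host scope
            },
            Requirements = { Requirements.Features.ProofKeyForCodeExchange }
        };
        await _applicationManager.CreateAsync(descriptor);
    }
}
```

Each Angular app's environment.ts then points its issuer at SignInApp's authserver with its own clientId and redirectUri; the authserver's existing cookie is what lets the second app obtain a code without a new credential prompt.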