# WS-Fed SSO

## Overview

Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. The service authenticates the end user for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session.

## Prerequisite

The client must provide the following information so that Gooru can configure SSO access:

| Name | Sample Value |
| --- | --- |
| Issuer / login URL | https://signin.client.url/login |
| ThumbPrint | 2F2275E98D56E0F078E34F8C20E0E633FFA5DD4B |

Gooru will configure SSO access and share the client id and secret.

## WS-Fed Login

To use WS-Fed SSO, the client application should initiate the SSO request by calling a GET endpoint like the following (this is a sample endpoint and may change):

https://gooru.org/api/nucleus-auth-idp/v2/wsfed/login

Gooru will then redirect the user to the issuer / login URL based on the client id passed in the request. If the user is not already logged in at the client's application, the login page will be displayed. Otherwise, the further WS-Fed request should be invoked.

The client's IDP server should make a POST request with the WS-Fed request body to an endpoint like the following (this is a sample endpoint and may change):

https://gooru.org/api/nucleus-auth-idp/v2/wsfed/login

As part of the WS-Fed request, the client should send the following claims:

| Claim | Description |
| --- | --- |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Username in client's system |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Email address |
| http://gooru.org/tenant/clientid | Gooru tenant id assigned to partner |
| http://identityserver.thinktecture.com/claims/profileclaims/accountguid | Unique user id of the user in client system |
| http://identityserver.thinktecture.com/claims/profileclaims/firstname | First name of the user |
| http://identityserver.thinktecture.com/claims/profileclaims/lastname | Last name of the user |
| http://schemas.microsoft.com/ws/2008/06/identity/claims/role | Role of the user. Teacher / Student |

Based on the claims received, the user details are verified in Gooru and the user is authenticated. Upon successful authentication, the user will be redirected to the Gooru homepage.
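
A receiving-side check of the claim set listed above, added here as an example (it is not Gooru's code). It assumes the WS-Fed token is a SAML 2.0 assertion whose signature has already been verified against the configured thumbprint, and that the assertion's `Issuer` carries the configured issuer URL; `check_claims` and `sample_assertion` are hypothetical names.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"  # assumption: SAML 2.0 token
XS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
TT = "http://identityserver.thinktecture.com/claims/profileclaims/"
TENANT = "http://gooru.org/tenant/clientid"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
REQUIRED = [XS + "name", XS + "emailaddress", TENANT, TT + "accountguid",
            TT + "firstname", TT + "lastname", ROLE]
ALLOWED_ROLES = {"Teacher", "Student"}  # assumption: exact, case-sensitive match


def check_claims(assertion_xml, expected_issuer, expected_client_id):
    """Return (claims, problems); the signature must already be verified."""
    if "<!DOCTYPE" in assertion_xml or "<!ENTITY" in assertion_xml:
        return {}, ["DTD or entity declarations are not accepted"]
    root = ET.fromstring(assertion_xml)
    claims, problems = {}, []
    issuer = (root.findtext(NS + "Issuer") or "").strip()
    if issuer != expected_issuer:
        problems.append("issuer mismatch: %r" % issuer)
    for attr in root.iter(NS + "Attribute"):
        values = [(v.text or "").strip() for v in attr.findall(NS + "AttributeValue")]
        claims.setdefault(attr.get("Name"), []).extend(values)
    for name in REQUIRED:  # every claim in the table, exactly once, non-empty
        if len(claims.get(name, [])) != 1 or not claims[name][0]:
            problems.append("need exactly one non-empty value: " + name)
    tenant = claims.get(TENANT)
    if tenant is not None and tenant != [expected_client_id]:
        problems.append("tenant client id does not match this integration")
    if not set(claims.get(ROLE, [])) <= ALLOWED_ROLES:
        problems.append("role is not Teacher or Student")
    return claims, problems


def sample_assertion(role="Teacher", client_id="constructed-client-id"):
    """Constructed sample input; every value here is made up."""
    values = ["jdoe", "jdoe@example.org", client_id, "constructed-guid-0001",
              "Jane", "Doe", role]
    attrs = "".join(
        '<Attribute Name="%s"><AttributeValue>%s</AttributeValue></Attribute>' % kv
        for kv in zip(REQUIRED, values))
    return ('<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
            "<Issuer>https://signin.client.url/login</Issuer>"
            "<AttributeStatement>%s</AttributeStatement></Assertion>" % attrs)
```

An empty `problems` list means the claim set is complete and consistent with the configured issuer and tenant; any entry should fail the login rather than fall back to defaults.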