Overview

Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. The service authenticates the end user for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session.

Prerequisite

Below information should be provided by the client so that Gooru will configure SSO access

Name	Sample Value
Issuer / login URL	https://signin.client.url/login
ThumbPrint	2F2275E98D56E0F078E34F8C20E0E633FFA5DD4B

Gooru will configure SSO access and share client id and secret.

WS-Fed Login

In order to use WS-Fed SSO, client application should initiate SSO request by calling GET endpoint as like (this is sample endpoint, it may change):
https://gooru.org/api/nucleus-auth-idp/v2/wsfed/login

Gooru will then redirect the to the issuer / login URL based on the client id passed in the request. If user is not already logged in at clients application, login page will be displayed. Otherwise further WS-Fed request should be invoked

Client's IDP server should make POST request with WS-Fed request body at endpoint as like (this is sample endpoint, it may change):
https://gooru.org/api/nucleus-auth-idp/v2/wsfed/login

As part of the WS-Fed request client should send below claims:

Claim	Description
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Username in client's system
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress	Email address
http://gooru.org/tenant/clientid	Gooru tenant id assigned to partner
http://identityserver.thinktecture.com/claims/profileclaims/accountguid	Unique user id of the user in client system
http://identityserver.thinktecture.com/claims/profileclaims/firstname	First name of the user
http://identityserver.thinktecture.com/claims/profileclaims/lastname	Last name of the user
http://schemas.microsoft.com/ws/2008/06/identity/claims/role	Role of the user. Teacher / Student

Based on the claims received, the user details are verified in Gooru and user is authenticated. Upon successful authentication, they will be redirected to Gooru homepage.