Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. The service authenticates the end user for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session.
The client should provide the information below so that Gooru can configure SSO access:

| Parameter | Example value |
|---|---|
| Issuer / login URL | https://signin.client.url/login |
Gooru will configure SSO access and share the client id and secret.
To use WS-Fed SSO, the client application initiates the SSO request by calling a GET endpoint like the following (sample endpoint; it may change):
Gooru then redirects the user to the issuer / login URL that corresponds to the client id passed in the request. If the user is not already logged in at the client's application, the login page is displayed; otherwise the WS-Fed request described next should be invoked.
The client's IdP server should then make a POST request with the WS-Fed request body to an endpoint like the following (sample endpoint; it may change):
As part of the WS-Fed request, the client should send the following claims:

| Claim | Value |
|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Username in the client's system |
| http://gooru.org/tenant/clientid | Gooru tenant id assigned to the partner |
| http://identityserver.thinktecture.com/claims/profileclaims/accountguid | Unique user id of the user in the client's system |
| http://identityserver.thinktecture.com/claims/profileclaims/firstname | First name of the user |
| http://identityserver.thinktecture.com/claims/profileclaims/lastname | Last name of the user |
| http://schemas.microsoft.com/ws/2008/06/identity/claims/role | Role of the user: Teacher / Student |
Based on the claims received, Gooru verifies the user details and authenticates the user. Upon successful authentication, the user is redirected to the Gooru homepage.
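As an added example (not Gooru's code), the following shows how a relying party could pull these claims out of the SAML 1.1 assertion carried in the WS-Fed `wresult` and check the claim set listed above. The token builder is a constructed stand-in for the client's IdP, the token signature is assumed to have been verified before the claims are read, and the cross-check of the tenant id against the client id from the initial GET is an assumed policy, not one the page states.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
TRUST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
PROFILE = "http://identityserver.thinktecture.com/claims/profileclaims"
TENANT_URI = "http://gooru.org/tenant/clientid"
ROLE_URI = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
# The claim URIs the page lists, mapped to the user field each one fills.
REQUIRED_CLAIMS = {
    f"{CLAIMS}/name": "username",
    TENANT_URI: "tenant_id",
    f"{PROFILE}/accountguid": "account_guid",
    f"{PROFILE}/firstname": "first_name",
    f"{PROFILE}/lastname": "last_name",
    ROLE_URI: "role",
}
ALLOWED_ROLES = {"Teacher", "Student"}


def build_sample_wresult(claims):
    """Constructed, unsigned wresult for exercising the parser; not a real IdP token.
    SAML 1.1 splits each claim URI into AttributeNamespace and AttributeName."""
    attrs = ""
    for uri, value in claims.items():
        ns, name = uri.rsplit("/", 1)
        attrs += (f'<saml:Attribute AttributeName="{name}" AttributeNamespace="{ns}">'
                  f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>")
    return (f'<t:RequestSecurityTokenResponse xmlns:t="{TRUST}"><t:RequestedSecurityToken>'
            f'<saml:Assertion xmlns:saml="{SAML1}"><saml:AttributeStatement>{attrs}'
            "</saml:AttributeStatement></saml:Assertion></t:RequestedSecurityToken>"
            "</t:RequestSecurityTokenResponse>")


def extract_claims(wresult):
    """Return {claim URI: value} from the assertion's AttributeStatement.
    Assumes the token signature was already verified; unsigned claims must not be trusted."""
    claims = {}
    for attr in ET.fromstring(wresult).iter(f"{{{SAML1}}}Attribute"):
        uri = attr.get("AttributeNamespace", "").rstrip("/") + "/" + attr.get("AttributeName", "")
        value = attr.find(f"{{{SAML1}}}AttributeValue")
        claims[uri] = (value.text or "").strip() if value is not None else ""
    return claims


def validate_claims(claims, expected_tenant):
    """All listed claims present, role is Teacher/Student, tenant id matches the request's client id (assumed check)."""
    errors = [f"missing claim: {field}" for uri, field in REQUIRED_CLAIMS.items() if not claims.get(uri)]
    if claims.get(ROLE_URI) and claims[ROLE_URI] not in ALLOWED_ROLES:
        errors.append(f"unsupported role: {claims[ROLE_URI]}")
    if claims.get(TENANT_URI) and claims[TENANT_URI] != expected_tenant:
        errors.append("tenant id does not match the client id in the request")
    return errors
```

An empty list from `validate_claims` means the claim set is complete and consistent; anything else should end the login attempt rather than fall through to account lookup.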