Building Custom Single Sign-On Flows
What is Single Sign-On?
Single Sign-On (SSO) is a way for you to make use of an existing system to allow access to your video site.
The idea is that whenever an unknown user visits your account, they are sent to your system for authentication and sent back to us with a valid login token that allows them to freely browse your site. If the user does not have access to your authentication system (such as Active Directory) they will not have access to the TwentyThree account or video section either.
SSO Integration Options
TwentyThree offers the following options for integrating Single Sign-On:
- SAML: The Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties. It is widely supported by different platforms and services, notably Active Directory through Federation Services (ADFS). You can read a step-by-step guide to setting it up in our help center.
- OpenID Connect: Similar to SAML, OpenID Connect (OIDC) is a standard mechanism for single sign-on and is supported out of the box on TwentyThree.
- Custom: Implement your own solution for authenticating users.
Custom SSO Integration
TwentyThree supports custom integration with any external system through our API.
The first step is to set up an application with privileged credentials and authorise these through OAuth – instructions can be found here. The next step is to set up a page on your own site that handles user authentication. Your page should do the following:
- Authenticate the user against your system.
- Retrieve an access token from /session/get-token.
- Redirect the user to /session/redeem-token with the given token.
For step 1, the traditional solution is to authenticate users against a known user database or internal identity provider. However, you are free to grant users access based on whatever logic you implement. This might include requiring an e-mail signup or having the user pay for access.
In your video site backend, go to Settings → Access, enable "Single sign-on or Paywall" and enter the URL for the page you created above.
Once set up, any user trying to access your video site will be redirected to the URL you entered along with the query string return_url=<path>, where <path> is the relative URL they were trying to visit. You can use this URL in step #2 to redirect the user back to the exact page they were trying to visit.
Example
The video section's access is set to Single sign-on or Paywall and the Remote login URL is set to http://mynormalsite.com/sso-login.php.
- The user attempts to access
http://videosite.twentythree.com/cool-video
- They are redirected to
http://mynormalsite.com/sso-login.php?return_url=/cool-video
- The page requests a token from the API and redirects the user to
http://videosite.twentythree.com/api/session/redeem-token?session_token=abcdef123456
- The user is granted access and redirected to
http://videosite.twentythree.com/cool-video
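The logic of the sso-login page in the walk-through above, written out as an added Python example (not TwentyThree's own code). It assumes the authentication check and the /session/get-token call are supplied as callables, and the `return_url` parameter name on redeem-token is an assumption; the value check on return_url is the part a practitioner should not skip, because the login page would otherwise work as an open redirect.

```python
from urllib.parse import urlencode, urlsplit

# Constructed values for the example; yours come from your TwentyThree account.
VIDEO_SITE = "http://videosite.twentythree.com"
API_BASE = VIDEO_SITE + "/api"


def safe_return_path(return_url):
    """Accept only a relative path from ?return_url=... and fall back to the
    site root for anything else, so the SSO page cannot be abused as an open
    redirect (return_url=//evil.example or return_url=http://evil.example)."""
    if not return_url:
        return "/"
    parts = urlsplit(return_url)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return "/"
    # Browsers treat a backslash like a slash; reject it rather than guess.
    if return_url.startswith("//") or "\\" in return_url:
        return "/"
    return return_url


def sso_login(request_params, authenticate, get_token):
    """Handler logic for the remote login page (step 1 to 3 of the flow).

    authenticate(request_params) -> e-mail of the verified user, or None.
    get_token(email) -> session token from /session/get-token, obtained with
    your privileged OAuth credentials (injected here so the example runs offline).
    Returns the absolute URL to send the browser to, or None when the user
    could not be authenticated (render your own error page in that case)."""
    email = authenticate(request_params)
    if email is None:
        return None
    token = get_token(email)
    query = {
        "session_token": token,
        # Parameter name assumed; check the API docs for how redeem-token
        # accepts the path the visitor originally requested.
        "return_url": safe_return_path(request_params.get("return_url")),
    }
    return API_BASE + "/session/redeem-token?" + urlencode(query)
```

The returned URL is the value for the HTTP Location header of the redirect; a None result means the visitor was not authenticated and no token was issued.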
Visitor or Administrator Access
By default, single sign-on only authenticates users to access the frontend of the video site. There is an option found in Settings → Access that allows you to enable SSO for back-end login as well.
This feature works by comparing the email provided in the call to /session/get-token with e-mails of the existing users. If a match is found, the user is logged in as that specific user in the backend rather than as an anonymous visitor.
Warning: Make sure that you do not use any shared e-mails and that the single sign-on page has been thoroughly tested, as this feature can grant full administrator rights to users logged in through SSO!