I have a web app, let's call it "Verification Station", and a dozen web apps called "Drink Shops".
Users will be asked to log in to Verification Station to access the Drink Shops.
Drink Shops will be added quite frequently (about 1-2 shops per month).
I want to implement SSO using Auth0 so that a user only has to log in once and is able to use all of those shops.
My opinion is to build Verification Station as the Identity Provider, with user information held entirely in Auth0, and the Drink Shops as Service Providers using SAML.
Note that Drink Shops will not be configured in Auth0.
Can we implement the above case using Auth0?
I've searched around but am still not sure how to make it work.
Any suggestion will be appreciated.
After searching around, I ended up building a system that has:
- Auth0 as Identity Provider
- "Verification Station" webapp as the verification endpoint, with functions for connecting to the Auth0 Management API to manage user and "Drink Shop" info. "Verification Station" uses Auth0's SDK to perform SSO.
- "Drink Shop" webapps that implement SSO by using either Auth0's SDK or the OneLogin SAML Toolkit.
I've created a demo; it works, but there are many struggles in my head. I will list them below.
Problems I'm facing:
Is there any limit on the number of elements in "Allowed Logout URLs" and "Allowed Callback URLs"?
As I understand it, each Service Provider's login/logout link needs to be defined in these fields to be able to perform SSO/SLO with Auth0.
What is the proper way to confirm whether SSO/SLO works correctly or not?
Since Service Providers will be added quite frequently, we need a confirmation method to make sure everything works before publicly releasing it, like a tool or something.
Currently in the demo, I confirm the SSO flow by running the apps locally: log in to one with credentials, then click login in another to see if it is logged in automatically. But I hope there are more efficient ways to check the implementation.
Any suggestion will be highly appreciated.
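One piece of the "tool or something" asked for above can be done without clicking through every shop: a pre-release check that compares the Service Providers you expect to be live against the callback and logout allow-lists of the Auth0 application behind Verification Station, and flags allow-list entries a defender would not want there (plain `http://`, wildcards, entries no registered shop claims). This is an added example, not code from the original post or from Auth0. The field names `callbacks` and `allowed_logout_urls` are the ones the Auth0 Management API uses on a client object, but the JSON here is a constructed sample rather than a real API response, and the Drink Shop registry is hypothetical.

```python
"""Pre-release check of a Drink Shop's SSO/SLO wiring in Auth0.

Added example (not from the original post). Compares the expected Service
Providers against the URL allow-lists of the Auth0 application used by
Verification Station. The JSON below is a constructed sample shaped like
the `callbacks` / `allowed_logout_urls` fields of an Auth0 client object;
the shop registry is hypothetical.
"""
import json
from urllib.parse import urlparse

# Constructed sample of the relevant fields of an Auth0 client object
# (in practice fetched via the Management API before a release).
AUTH0_CLIENT_JSON = """
{
  "name": "Verification Station",
  "callbacks": [
    "https://shop-a.example.com/callback",
    "https://shop-b.example.com/callback",
    "http://shop-c.example.com/callback"
  ],
  "allowed_logout_urls": [
    "https://shop-a.example.com/logout",
    "https://shop-c.example.com/logout",
    "https://*.example.com/logout"
  ]
}
"""

# Hypothetical registry of Drink Shops that should be reachable via SSO.
DRINK_SHOPS = {
    "shop-a": {"callback": "https://shop-a.example.com/callback",
               "logout": "https://shop-a.example.com/logout"},
    "shop-b": {"callback": "https://shop-b.example.com/callback",
               "logout": "https://shop-b.example.com/logout"},
    "shop-c": {"callback": "https://shop-c.example.com/callback",
               "logout": "https://shop-c.example.com/logout"},
}


def url_findings(url):
    """Return the reasons an allow-list entry is weak (empty list if fine)."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("not https")
    if "*" in url:
        problems.append("contains wildcard")
    if not parsed.netloc:
        problems.append("no host")
    return problems


def check_sso_config(client_json, shops):
    """Compare the registered shops against the Auth0 client allow-lists.

    Returns a dict with:
      missing_callback: shop ids whose callback URL is not allow-listed
      missing_logout:   shop ids whose logout URL is not allow-listed
      unsafe_entries:   {url: [problems]} for weak allow-list entries
      unknown_entries:  allow-listed URLs that no registered shop claims
    """
    client = json.loads(client_json)
    callbacks = set(client.get("callbacks", []))
    logouts = set(client.get("allowed_logout_urls", []))

    missing_callback = sorted(
        sid for sid, s in shops.items() if s["callback"] not in callbacks)
    missing_logout = sorted(
        sid for sid, s in shops.items() if s["logout"] not in logouts)

    unsafe = {}
    for url in sorted(callbacks | logouts):
        problems = url_findings(url)
        if problems:
            unsafe[url] = problems

    claimed = ({s["callback"] for s in shops.values()}
               | {s["logout"] for s in shops.values()})
    unknown = sorted((callbacks | logouts) - claimed)

    return {
        "missing_callback": missing_callback,
        "missing_logout": missing_logout,
        "unsafe_entries": unsafe,
        "unknown_entries": unknown,
    }


if __name__ == "__main__":
    report = check_sso_config(AUTH0_CLIENT_JSON, DRINK_SHOPS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows shop-c's callback missing (only an `http://` version is listed, which is also flagged as unsafe), shop-b's logout URL missing, and a wildcard logout entry that no shop claims. Wiring this into the release pipeline for each new shop gives a deterministic check before the manual login-in-one, logged-in-in-another test; it does not replace an end-to-end SAML test, but it catches the configuration mistakes that make that test fail.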