The new ignorant kid on the block wants to implement SSO across three websites

I’m researching this for a customer. They have 2 WordPress sites and 1 site built on C# .NET. They have users that could have accounts in any of the 3 sites. They want to implement SSO so that 1) if a person registers on any site, they’re registered for all three, and 2) if anyone logs in to any site, they’re logged in to all three.

I’m just getting familiar with authorization and authentication and have a trial Auth0 account to experiment with. I see there is an Auth0 WordPress plugin which should make things easier to get going, and I did get one of their sample ASP.NET apps working inasmuch as I can log in and log out, so I should be able to figure out the .NET side of things. But how do I associate all the users with all three sites?

Any suggestions, directions or resources are greatly appreciated.

Hey @stevex64, accomplishing SSO across multiple applications is easy with Auth0 (as long as you use the same Auth0 tenant for all these three applications). After reading your use case, this is my recommendation:

This can be accomplished just by using the same database/databases for all your three applications/websites. This means having the same connection enabled: create a Database Connection on your Auth0 dashboard and enable that connection for all your three applications. You can enable/disable database connections via Connections → Database → click on the database name → Applications tab or alternatively via Applications → click on the application name → Connections tab.

By default, if you are using Universal Login, this is automatic and you shouldn’t need to do anything. This means that when using Universal Login, if a user logs in to any of your three applications, that person will be able to SSO to any of the other two applications.

I will leave a couple of resources here for your convenience:

Let me know if all this makes sense and good luck with your integration!

1 Like

Thanks @Ale for helping with this one!

This is EXACTLY the kind of response I needed, thank you!

Hi,
I’m looking to do this as well.
Can this work with the free tier feature plan?

Thanks

Yes, @mohammadz, it can work with Free plan too.

Thanks for the info @Ale

1 Like

We are here for you Mohammad!

Now I have to think about a different scenario. They want it so if a user is not registered at all three sites, they can only log in to the ones they are registered at. Say they’re registered at site #1 and site #2. They can use SSO and be signed into both sites from either site. But since they’re not registered at site #3, they would have to go through the registration process if they want access to that site.

Auth0 will only keep one user. If you do the registration three times, that would imply three different users so you cannot do SSO between the apps.

I believe you only need to keep one user and use the management API to update a property in the user metadata to mark which user went through the registration process of each application. If the user registered in the three apps, the user metadata will contain that info.

When the user is authenticated, you can include the metadata in the JWT so the application can check if the user went through the registration of that app or not.

2 Likes
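
Added example, not part of the thread and not Auth0's own code: a sketch of the three steps described in the reply above (mark the registration through the Management API, emit it as a claim at login, check it in each site). It keeps the flags in `app_metadata`, which users cannot edit themselves, and the claim name, the `registered_clients` key and the client IDs are hypothetical.

```javascript
// Hypothetical names: CLAIM and the "registered_clients" metadata key.
const CLAIM = "https://example.com/registered"; // namespaced custom claim

// Step 1: body for PATCH /api/v2/users/{id} once a user completes one site's
// registration. Metadata is merged at the first level only, so the array is
// replaced as a whole and the full list must be sent each time.
function registrationPatch(user, clientId) {
  const current = (user.app_metadata && user.app_metadata.registered_clients) || [];
  const next = Array.from(new Set([...current, clientId]));
  return { app_metadata: { registered_clients: next } };
}

// Step 2: post-login Action logic. It emits a single boolean for the
// application being logged in to, so a token issued for one site does not
// disclose which other sites the user has registered at.
function addRegistrationClaim(event, api) {
  const meta = event.user.app_metadata || {};
  const list = Array.isArray(meta.registered_clients) ? meta.registered_clients : [];
  api.idToken.setCustomClaim(CLAIM, list.includes(event.client.client_id));
}
// In an Auth0 Action this would be wired up as:
//   exports.onExecutePostLogin = async (event, api) => addRegistrationClaim(event, api);

// Step 3: in each site, called only with claims from an ID token whose
// signature, issuer, audience and expiry the OIDC library has already checked.
function mustRegister(verifiedClaims) {
  return verifiedClaims[CLAIM] !== true; // missing or malformed claim fails closed
}

// Local stand-in for a login, using a mock of the Action's api object.
function simulateLogin(user, clientId) {
  const claims = { sub: user.user_id };
  const api = { idToken: { setCustomClaim: (k, v) => { claims[k] = v; } } };
  addRegistrationClaim({ user, client: { client_id: clientId } }, api);
  return claims;
}

// Constructed sample user, registered at site 1 only.
const sampleUser = {
  user_id: "auth0|constructed-user",
  app_metadata: { registered_clients: ["site1-client-id"] },
};
console.log(mustRegister(simulateLogin(sampleUser, "site1-client-id")));
console.log(mustRegister(simulateLogin(sampleUser, "site3-client-id")));
```

The SSO session still lets the user reach site 3 without typing a password again; the claim only tells site 3 to send them through its registration step before granting access.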

Thanks for sharing that @cibrax!
