A question about SSO hooking

4 posts in this topic

Posted

When a site implements a custom SSO class to authenticate against some external resource, what happens when a user changes his or her password? Does it simply change the IPB stored hash or does it make a call to the SSO class to 'alert' it to the password change?


Posted

There are many ways you can go about implementing SSO, especially since you typically write the PHP code to handle the process yourself.

That said, typically you would

  • Write an SSO hook to handle recognizing if the user is logged in to the front end, and automatically logging them into the forum if so
  • Write a login module to handle authenticating against the front end
    • The login module can redirect change password and email requests to the front end



When a user goes to change their password, they'll have to do it on the front end. In this type of setup, you never even need to store a valid password in IPB, because all authentication (SSO and actual logins) occurs by checking the front end.


Posted

So with a custom SSO class, is it required for me to handle session state, or can one simply overload the password check/change functions? It would be nice if the example code located here was a bit more complete, but then again I'm pretty clueless at the moment seeing how I've been researching IPB for only a matter of an hour or so :)


Posted


> So with a custom SSO class, is it required for me to handle session state, or can one simply overload the password check/change functions? It would be nice if the example code located here was a bit more complete, but then again I'm pretty clueless at the moment seeing how I've been researching IPB for only a matter of an hour or so :smile:




Typically, when we write an SSO plugin, we overload the create guest session and update guest session methods. When these methods are reached it means that IP.Board does not recognize the user presently as logged in. Within the overloaded code, we would call out to the front end to validate if the user is logged in there, and then log the user into the forums if so. On the next page load, no callout is done since the user is recognized locally (as a result of logging the user in during the previous step). This helps save resources as the forums do not need to make a callout to the front end on every single page load (only for guests).

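The guest-session flow described in the last reply, sketched as an added example that is not code from this thread or from IP.Board. The class, its method names, the token format and the front-end validator are all hypothetical; the validator is injected as a callable so the sketch runs offline against constructed data.

```php
<?php
// Added illustration. GuestSessionSso and its methods are hypothetical names,
// not IP.Board's API; the front-end validator is an assumption.
final class GuestSessionSso
{
    /** @var callable takes a front-end token, returns ['id' => int] or null */
    private $validateWithFrontEnd;
    /** @var array<string,int> forum session id => member id (local login state) */
    private array $localSessions = [];
    public int $callouts = 0;

    public function __construct(callable $validateWithFrontEnd)
    {
        $this->validateWithFrontEnd = $validateWithFrontEnd;
    }

    /** Runs on every page load; returns the member id, or 0 for a guest. */
    public function handleRequest(string $forumSessionId, ?string $frontEndToken): int
    {
        // Already recognised locally: no callout to the front end.
        if (isset($this->localSessions[$forumSessionId])) {
            return $this->localSessions[$forumSessionId];
        }
        return $this->createGuestSession($forumSessionId, $frontEndToken);
    }

    /** Reached only when the forum sees a guest; asks the front end who this is. */
    private function createGuestSession(string $forumSessionId, ?string $token): int
    {
        // Drop missing or malformed tokens before spending a callout on them.
        if ($token === null || !preg_match('/\A[A-Za-z0-9_-]{16,128}\z/', $token)) {
            return 0;
        }
        $this->callouts++;
        try {
            $user = ($this->validateWithFrontEnd)($token);
        } catch (Throwable $e) {
            return 0; // front end unreachable: stay a guest (fail closed)
        }
        if (!is_array($user) || !is_int($user['id'] ?? null) || $user['id'] <= 0) {
            return 0; // never trust a partial or odd response
        }
        $this->localSessions[$forumSessionId] = $user['id']; // log in locally
        return $user['id'];
    }
}

// Constructed sample data standing in for the front end's session store.
$frontEnd = ['tok_abcdefghijklmnop' => ['id' => 42]];
$sso = new GuestSessionSso(fn (string $t) => $frontEnd[$t] ?? null);
var_dump($sso->handleRequest('s1', 'tok_abcdefghijklmnop')); // guest: one callout
var_dump($sso->handleRequest('s1', null), $sso->callouts);   // local: no new callout
```

Because no callout happens once the local session exists, a front-end logout or password change is not seen by the forum until that local session ends.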
