Forumbee Single Sign-On

What is Single Sign-On?

In basic terms, Single Sign-On (SSO) allows users of your web site to log into your Forumbee community automatically, without needing to sign up and create another account.

Implementation of SSO on your web site requires technical development skills. This article is intended to give the information needed for a developer to implement SSO to Forumbee from your web site.

SSO Settings for Your Community

To utilize the SSO API, SSO must be enabled for your account. To enable SSO, navigate to the Admin area > Settings > SSO, check Enable SSO then click Save.

Secret key

You will use this secret key later when you construct your URL to generate a SHA-1 hex digest. You should keep this key private and never publish it.

2014 FORUMBEE Single Sign-On (April 2014)
Handling direct community login/logout

Remote login URL

When you implement SSO you manage the login process for users into the community from your remote application. However, it is possible for a user to access your community directly, such as through a bookmark or link, when they have not signed in through your remote application. When a non-logged-in user accesses your community directly, they will be prompted to log in.

To transfer control of the login to your remote application, specify a remote login URL. When prompted to log in or sign up, the user will be redirected to the URL you specify. This should be a URL in your remote system that allows the user to log in or sign up and then passes them back to your community via SSO.

Note: After specifying a remote login URL you will no longer be able to log in to your community directly. You may either use your remote application SSO implementation or you can log in through the Forumbee.com home page. Go to http://forumbee.com, click Login and enter your credentials. After you have logged in, click your name in the upper right and select your community from the menu.

Remote log out URL

When the user clicks log out in the community they will be sent to the URL you specify. Typically this would be a URL that also logs the user out of your remote system. The user key is passed on the Remote log out URL as a convenience for you to track the user.
SSO Implementation Instructions

From your remote application construct a unique URL login link for the user that includes a base64-encoded JSON object containing user fields as shown below and a message digest ensuring the validity of the data. Use this URL to redirect the user to the community or to present a navigation link to the user.

SSO login URL structure:

http://yoursubdomain.forumbee.com/sso/1/login?digest={ }&data={ }

During your implementation, use the Forumbee SSO test tool described below for documentation and testing.

SSO Parameters

| Parameter | Description | Required | Char length |
|-----------|-------------|----------|-------------|
| key | Unique user identifier from the remote system. Matched users will be updated with changes in the Forumbee system. | Yes | 1-128 |
| email | User email (must be unique) | Yes | 7-128 |
| name | Display name for the user | Yes | 2-128 |
| avatar | URL to the avatar picture for the user | No | 0-256 |
| role | Access role type: 0=normal (default), 1=moderator, 2=admin (See User Roles section below for details on roles) | No | |
| forums | Comma separated list of forum links to grant access. Admins have access to all forums. This is only needed when using restricted forums. Unrestricted forums are accessible by all users. The forum link is the final portion of the forum URL, in this example "discussions": http://test.forumbee.com/community/discussions | No | 0-256 |
| redirect | An optional URL to send the user to after successful login. If this redirect is not specified the user will be directed to the community home. | No | 0-256 |
Steps to create the login URL token

1. Construct a JSON object containing your Forumbee site sub-domain, URI (/sso/1/login), date in milliseconds since 1970 UTC and the SSO parameters from above.

   {"domain":"subdomain","uri":"/sso/1/login","date":"1373854115780","email":"hank@forumbee.org","name":"hank Manning","role":"2","key":"100"}

2. Base64 encode the previous step.

3. Compute a SHA-1 hex digest by combining your secret key for this account and the base64 from the previous step.

4. Convert the digest from step 3 and the base64 data from step 2 into URL Encoded parameters.

5. Construct the final URL with the digest and data from step 4 as query parameters.

URL structure:

http://yoursubdomain.forumbee.com/sso/1/login?digest={ }&data={ }

If you are using domain aliasing, replace yoursubdomain.forumbee.com with your domain alias. Example:

http://community.mycompany.com/sso/1/login?digest={ }&data={ }
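The five steps above as an added Python example (not Forumbee's own code), with the field limits from the SSO Parameters table enforced before anything is signed. The secret-key-then-base64 concatenation order in step 3, the compact JSON encoding, and the names build_sso_url, host and now_ms are assumptions; compare the output with the Steps shown by the SSO Developer Tool.

```python
import base64
import hashlib
import json
import time
from urllib.parse import urlencode

# (min, max) character lengths from the SSO Parameters table.
LIMITS = {
    "key": (1, 128), "email": (7, 128), "name": (2, 128),
    "avatar": (0, 256), "forums": (0, 256), "redirect": (0, 256),
}
REQUIRED = ("key", "email", "name")
ROLES = {"0", "1", "2"}  # 0=normal (default), 1=moderator, 2=admin


def build_sso_url(host, subdomain, secret_key, user, now_ms=None):
    """Build the SSO login URL for `user`, a dict of SSO parameters."""
    for field in REQUIRED:
        if field not in user:
            raise ValueError(f"missing required field: {field}")
    for field, value in user.items():
        if field == "role":
            # Reject anything but the three documented roles, so a bad
            # value can never be signed into a login link.
            if str(value) not in ROLES:
                raise ValueError("role must be 0, 1 or 2")
        elif field in LIMITS:
            lo, hi = LIMITS[field]
            if not lo <= len(str(value)) <= hi:
                raise ValueError(f"{field} length outside {lo}-{hi}")
        else:
            raise ValueError(f"unknown SSO parameter: {field}")

    # Step 1: JSON object with domain, uri, date (ms since 1970 UTC) and parameters.
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    payload = {"domain": subdomain, "uri": "/sso/1/login", "date": str(now_ms)}
    payload.update({k: str(v) for k, v in user.items()})
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    # Step 2: base64 encode the JSON.
    data = base64.b64encode(raw).decode("ascii")
    # Step 3: SHA-1 hex digest of secret key + base64 (order is an assumption).
    digest = hashlib.sha1((secret_key + data).encode("utf-8")).hexdigest()
    # Steps 4-5: URL-encode both values and append them as query parameters.
    return f"http://{host}/sso/1/login?" + urlencode({"digest": digest, "data": data})
```

Call it only from server-side code, so the secret key never reaches the browser, and pass your domain alias as host if you use one.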
Using the SSO Developer Tool

During your implementation, use the Forumbee SSO Developer Tool for documentation and testing. Navigate to the Admin area > Settings > SSO, and click SSO Developer Tool.

SSO Developer Tool:
1. Enter test data in the fields and click Submit.

2. This returns a set of Steps and a Result link. Under Steps, each step in the process is documented and output is shown. Under Result is the actual SSO login URL. Copy and paste this SSO link into a different browser to try it out. If you paste it in the current browser you are using, you will be logged out of your current session and logged in as the SSO user.
User account creation and updates

When a user clicks through on your SSO link, Forumbee will look for the user in the system based on their key or email. If the user is not found, a new user is created with the details you provide. If the user is found, the system will update their email, name, avatar, and role, if changed.

User roles

One of the following roles can be assigned to a user with the SSO role parameter.

Normal: This is the member role and is the default if no role is specified. Permissions:
- Access all unrestricted forums.
- Access restricted forums when granted access via SSO link.
- Add topics (if allowed in forum settings).
- Post replies to topics.

Moderator: Permissions include all member capabilities plus:
- Monitor activity stream.
- Receive moderator report email.
- Edit/remove postings.
- View and invite members.
- Suspend or block members.

Admin: Permissions include all moderator capabilities plus:
- Access all forums.
- Change community settings.
- Add/remove forums.
- Add/remove moderators.
- Add/remove administrators.