FusionAuth

    SSO Redirect scheme

      felix

      I'm trying to use the SSO feature of Canny (User feedback tool) with FA and I'm new to this kind of setup. I was wondering if their SSO Redirect approach is something that can be done using FA natively or if I still need to create pages in my web app to handle the login redirects.

      My gut feeling steers me towards an Application with JWT populate, but I've never done anything like that. More info about the Canny SSO Redirect is at https://help.canny.io/en/articles/1961021-setting-up-single-sign-on-sso-redirect. Any help would be appreciated.

      BTW, another tool I looked at uses the same setup (SSO Redirect), so I guess this is a thing...

        dan

        @felix Hmmm.

        So I read the docs and this is what it looks like to me:

        • User visits Canny but encounters a configured login redirect and is sent to FusionAuth.
        • FusionAuth authenticates the user and sends the authorization code to your app.
        • Your app exchanges the authorization code for a token.
        • You send that token to Canny.

        Now, FusionAuth can help you generate the token in the proper format with the following claims:

            avatarURL: user.avatarURL, // optional, but preferred
            email: user.email,
            id: user.id,
            name: user.name,
        

        As you allude to, I'd use the JWT populate lambda (https://fusionauth.io/docs/v1/tech/lambdas/jwt-populate/) to do that. It can craft a token to contain all the needed claims.

        And FusionAuth can take care of signing the JWT correctly; you'd just need to import the secret key (what they call the 'private key') to Key Master (or use the keys API: https://fusionauth.io/docs/v1/tech/apis/keys/ ) and configure your FusionAuth application config to sign the access token with the correct key, so that when your app exchanges the authorization code for a token, it is all set to be sent to Canny.

        Does that make sense?

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io
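
        An added sketch of the approach in the answer above (example code, not FusionAuth's or Canny's own): a JWT populate lambda that sets the four claims, a local stand-in for the signing step, and the checks your app can run on the token before forwarding it. Assumptions: the shared secret is used with HS256, the FusionAuth user fields are `fullName`, `firstName`, `lastName` and `imageUrl`, and the helpers `signHS256`, `verifyForCanny` and `buildToken` are hypothetical names; the sample user and secret are constructed.

```javascript
const crypto = require('crypto');

// FusionAuth JWT populate lambda: adds the claims Canny expects to the token.
// Assumption: fullName / firstName / lastName / imageUrl are the user fields
// holding the display name and avatar.
function populate(jwt, user, registration) {
  jwt.email = user.email;
  jwt.id = user.id;
  jwt.name = user.fullName || [user.firstName, user.lastName].filter(Boolean).join(' ');
  if (user.imageUrl) jwt.avatarURL = user.imageUrl; // optional claim
}

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (input, secret) => crypto.createHmac('sha256', secret).update(input).digest();

// Local stand-in for FusionAuth signing with the imported key (HS256 assumed).
function signHS256(claims, secret) {
  const input = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(claims));
  return input + '.' + b64url(hmac(input, secret));
}

// Checks before forwarding: pinned algorithm, valid signature, required claims.
function verifyForCanny(token, secret) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = hmac(h + '.' + p, secret);
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  for (const k of ['email', 'id', 'name']) {
    if (typeof claims[k] !== 'string' || claims[k] === '') throw new Error('missing claim: ' + k);
  }
  return claims;
}

// Constructed sample data, for illustration only.
const SECRET = 'constructed-example-secret';
const sampleUser = { id: '00000000-0000-0000-0000-000000000001', email: 'user@example.com',
  firstName: 'Sample', lastName: 'User', imageUrl: 'https://example.com/avatar.png' };

function buildToken(user, secret) {
  const jwt = { sub: user.id }; // stand-in for the base claims FusionAuth sets
  populate(jwt, user, {});
  return signHS256(jwt, secret);
}
```

        Only the `populate` function would be pasted into FusionAuth; the rest runs locally in Node to confirm the token shape before wiring it up.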

          felix

          @dan, thanks for the directions.

          It looks like you have a way to make the SSO redirect work for their widget, but not for the portal version of their solution. The portal works with a "redirect" URL parameter that the authenticating party receives and needs to send back after authentication.

          I don't think FA supports arbitrary URL parameter forwarding, so this is pretty much a no go directly out of the box.

          I'll have a look at the widget, maybe that's a better solution for us anyway.
