April 18th, 2015

Single Sign-on (SSO) Integration with LuxSci

Do you have a web site or App that you control where users of that site/App are also users of LuxSci?  LuxSci’s single sign-on service enables your site or app to send these users to any page of their LuxSci interface without their having to separately log in to LuxSci.

Single sign-on integrates your site or app with LuxSci so that users need only log in once (to your site or app) and can then move seamlessly between them.  This is great for speed and usability, and users do not need to remember yet another password.

How does LuxSci Single Sign-On Work?

SSO works through LuxSci’s API.

Get started:

  1. You must have an account with LuxSci (even a trial account)
  2. Request API access from support
  3. Create an API Instance and enable Single Sign-On for it (and lock it down with security restrictions, such as limiting it to the IP address of your web server)

Authenticate your users:

  1. Your site or app must authenticate your users.  This can be done any way that you like; e.g. with usernames and passwords or authentication tokens specific to your system.

Provide “Links to LuxSci” (best practice implementation):

  1. Where desired, make links so your users can go to LuxSci pages of your choice.  This can be any page: e.g. their email INBOX, a specific Workspace, an Address Book, a Calendar, the Help, Spam filtering configuration, etc.  It's up to you.
  2. This link takes them to a server-side function in your site
  3. That function:
    1. Checks that the user is still active and logged in
    2. Determines what URL on LuxSci the user wants to go to
    3. Determines what the user’s current IP address is
    4. Uses the LuxSci API to make an “automatic login” link for this user, from this IP address, to that URL.
    5. Your site then redirects the user to that link

The user is transferred to LuxSci:

  1. That login link automatically logs the user into LuxSci
  2. The link then takes the user to the desired page on LuxSci
  3. The user will remain logged into LuxSci until s/he logs out or his/her session expires.

The result — the user logs in to your site, does whatever he/she needs to, sees a link to something on LuxSci, clicks on it, and is taken seamlessly to that page.  The user can then do other things on LuxSci as well.

How is this Secure?

Security is a strong factor with single sign-on solutions.  LuxSci has done a lot to ensure security from its end.  It is up to you to ensure that you use the system in a secure way.

What LuxSci has done:

  1. Customer API accesses cannot generate single sign-on links unless this is explicitly enabled by the account administrator.
  2. Your API can only generate links for users in your managed accounts
  3. You can exclude users (e.g. your admins) from being eligible for the single sign-on process
  4. Each single sign-on link is only valid for the user in question, is only valid for 15 minutes, and can only be used from the user IP address specified when you requested the link.
  5. All single sign-on link requests and subsequent logins are logged.
  6. You can lock down your API so that it can only be used from specific IP addresses
  7. The API itself has many other security features.

What you should do as a developer:

  1. Ensure that your application only generates single sign-on links for people that have actually authenticated to your system.
  2. Do not deploy your code and API credentials to the public.  E.g. if you embed the API code directly in an App, then your API credentials could be compromised and used to allow attackers to login as users in your account (and only your account). This would be like coding everyone’s usernames and passwords in your App — you would never do that, right?
  3. If you are using this with a deployed App, have the App make authenticated calls to some web site that you own, so that the web site (and not the App) can verify user authentication and perform API calls in an insulated and secure way.
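As an added example that is not LuxSci's own code: a Python server-side handler implementing the five steps of the "Links to LuxSci" flow above together with the developer guidance in this section. The LuxSci API is replaced by a stand-in class (FakeLuxSciApi), and the luxsci.example URLs and target keys are constructed placeholders, since the real endpoints are documented only behind the account login.

```python
import time
from dataclasses import dataclass

# Constructed placeholders: real LuxSci page URLs are documented behind the
# account login, so link names map to stand-in destinations here.
ALLOWED_TARGETS = {
    "inbox": "https://luxsci.example/webmail/inbox",
    "calendar": "https://luxsci.example/calendar",
}
LINK_TTL_SECONDS = 15 * 60  # a link is valid for 15 minutes


@dataclass
class Session:
    username: str   # your site's own user, who is also a LuxSci user
    active: bool    # still logged in to your site?
    client_ip: str  # the IP address the link will be bound to


class FakeLuxSciApi:
    """Stand-in for the real API: issues and checks user/IP/time-bound links."""

    def __init__(self):
        self.links = {}
        self.log = []  # every link request and login attempt is logged

    def make_login_link(self, username, client_ip, destination, now):
        token = f"tok{len(self.links) + 1}"
        self.links[token] = (username, client_ip, destination, now + LINK_TTL_SECONDS)
        self.log.append(("request", username, client_ip))
        return f"https://luxsci.example/sso/{token}"

    def consume(self, link, client_ip, now):
        # Simulates the automatic login: returns the destination, or None if rejected
        entry = self.links.get(link.rsplit("/", 1)[1])
        if entry is None or client_ip != entry[1] or now > entry[3]:
            self.log.append(("login-rejected", client_ip))
            return None
        self.log.append(("login", entry[0], client_ip))
        return entry[2]


def sso_redirect(api, session, target_key, excluded_users=(), now=None):
    """Server-side function behind each 'link to LuxSci'; returns the URL to redirect to."""
    now = time.time() if now is None else now
    if session is None or not session.active:      # step 1: still logged in?
        raise PermissionError("user is not authenticated")
    if session.username in excluded_users:          # e.g. keep admins out of SSO
        raise PermissionError("user is excluded from single sign-on")
    destination = ALLOWED_TARGETS.get(target_key)   # step 2: which LuxSci page?
    if destination is None:                          # unknown target: refuse, never trust raw URLs
        raise ValueError(f"unknown target: {target_key}")
    # steps 3-5: bind the link to the caller's IP and call the API here, server-side,
    # so the API credentials never ship inside the App or the browser
    return api.make_login_link(session.username, session.client_ip, destination, now)
```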

Read: About LuxSci’s API (you must login to your LuxSci account to read this documentation).

Try out LuxSci’s API.
