Configuring Single Sign-On (SSO) on a Neuron®

From Build 2024-03-21 you can now configure a Neuron® to support Single Sign-On (SSO). This means that users logged in to the Neuron® can use services on other servers that are accessible via reverse proxies on the Neuron®, and that these services can authorize requests based on that first login on the main Neuron®.

To create SSO services using a Neuron® as the main gateway, hosting multiple services behind it via reverse proxies, you need to do the following:

  1. For each remote service, create a session-enabled Reverse Proxy. By enabling proxy sessions, the reverse proxy node will check for a current user login in the session, and forward a JWT token in an Authorization: Bearer HTTP header to the underlying service.

  2. On the main Neuron®, implement either Quick Login using session mode, which places the user login object in the QuickLoginUser session variable, or a traditional form login, which places the user login object in the User session variable.

  3. On the remote web servers, read the JWT token from the Authorization: Bearer header. Make sure to validate the JWT token, so that malicious actors cannot inject calls to your web server with fake JWT tokens, pretending to be a user they are not.

  4. All links within the remote web service should be relative, not absolute, to avoid problems when navigating the links as seen from the client, which sees the service via the reverse proxy.
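The following is an added example of step 3 on the remote web server side; it is not code from the Neuron® project, and the page does not state which signing algorithm or claims the Neuron® uses. It assumes an HS256 shared secret and an issuer value (both constructed placeholders) agreed between the Neuron® and the remote service; with the Agent API mentioned later on this page, the validation can be delegated to the Neuron® instead. The point it demonstrates is the set of checks a remote service must not skip: a fixed expected algorithm (the `alg` value in the token header is never trusted), a constant-time signature comparison, issuer and expiry. Helper names such as `validate_token` and `bearer_token_from_headers` are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders: in practice the secret is provisioned out of band,
# and the issuer is whatever the Neuron puts in the "iss" claim of its tokens.
SHARED_SECRET = b"constructed-shared-secret"
EXPECTED_ISSUER = "https://example-neuron.invalid"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments are unpadded; restore padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 issuer standing in for the Neuron's signer (assumption),
    used here only so the example can produce a token to validate offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def bearer_token_from_headers(headers: dict) -> Optional[str]:
    """Extract the token the reverse proxy forwards as 'Authorization: Bearer <jwt>'."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
    return None


def validate_token(token: str, key: bytes, expected_issuer: str,
                   now: Optional[float] = None) -> Optional[dict]:
    """Return the verified claims, or None if the request must be rejected."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm we agreed with the issuer; accepting whatever the token
    # declares (including "none") would let an attacker bypass the signature.
    if header.get("alg") != "HS256":
        return None
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if claims.get("iss") != expected_issuer:
        return None
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now >= exp:
        return None
    return claims


def authenticated_user(headers: dict, now: Optional[float] = None) -> Optional[str]:
    """What a request handler behind the proxy would call: user id or None."""
    token = bearer_token_from_headers(headers)
    if token is None:
        return None
    claims = validate_token(token, SHARED_SECRET, EXPECTED_ISSUER, now)
    return claims.get("sub") if claims else None


if __name__ == "__main__":
    # Constructed request as the reverse proxy would forward it.
    tok = issue_token({"iss": EXPECTED_ISSUER, "sub": "alice", "exp": time.time() + 300}, SHARED_SECRET)
    print(authenticated_user({"Authorization": "Bearer " + tok}))
```

A request without the header, with an expired token, with a token signed under another key, or with a payload edited after signing all yield `None`, and the handler should then treat the caller as anonymous rather than fall back to any identity named in the token.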

From Build 2024-03-22, further resources are available to simplify SSO on the Neuron®:

  1. If a Quick-Login has been performed, you can seamlessly transition it into an Agent API Quick Login on the Neuron®, provided the identity of the user corresponds to an account on the Neuron® itself.

  2. You can now use the Agent API to validate and parse JWT tokens issued by the Neuron®. Use this service if you implement a remote web service accessible via a reverse proxy on the Neuron® to validate and parse unrecognized JWT tokens.

  3. You can now also initiate a Quick-Login using the Quick-Login REST API directly. For information on how to process Quick-Login URIs, see the tagsign URI scheme.

You can try the SSO capability of the Neuron® here on the Lab-Neuron, by simply logging in to the Community service, and then navigating to the page https://lab.tagroot.io/labproxy/DisplayBearerToken.md. The /labproxy resource is a reverse proxy back to the lab.tagroot.io Neuron® itself, but this time the forwarded requests have the additional SSO information attached in the HTTP header of the requests. The /DisplayBearerToken.md page simply displays the contents it finds (if it finds any) in the Authorization: Bearer header. You can compare this request with the output of simply navigating to the same page, but without the proxy: https://lab.tagroot.io/DisplayBearerToken.md.

Note: If you have a normal form-based login in the session, that login takes precedence over an existing Quick-Login when forwarding login information in a JWT token to remote services via the reverse proxy.

This article is being written.

#new, #features, #neuron, #architecture, #network