Implementing CDSSO via OAuth2.0 in FR Identity Cloud

Hello All,

We are implementing Cross Domain SSO via OAuth2.0 in ForgeRock Identity Cloud but are not able to find the documentation for the same.

The link below indicates that it is possible, but the steps are not mentioned anywhere:
https://backstage.forgerock.com/docs/idcloud/latest/am-authentication/about-sso.html

It will be really helpful if we can get any help. Thanks in advance.

Regards,
Neha Pundir

Hi @npundi01,

Are you referring to social authentication, perhaps? Is this blog answering the question: https://community.forgerock.com/t/getting-started-with-forgerock-identity-cloud-journeys-part-5-social-authentication?

Regards
Patrick

Hello @patrick_diligent,

Thank you for your reply.

But I am not looking for Social Authentication but for Cross Domain Single-Sign-On, i.e. Single sign-on :: ForgeRock Identity Cloud Docs

The requirement is:
We have Application1 and Application2 integrated with FR Identity Cloud via OAuth2.0. So when a user logs in to Application1 and wants to access Application2, the user should be able to access the application without being prompted for “username & password” again. This is SSO across different domains [CDSSO].

Please do let me know if you have any knowledge on the same.

Regards,
Neha Pundir

Hi Neha,

To support CDSSO, FR Identity Cloud must be fronted with an edge component, as explained here: Single sign-on :: ForgeRock Identity Cloud Docs. IG also provides CDSSO: Authentication :: ForgeRock Identity Gateway

So likely:

  • App1, once the user is authenticated, goes through the authorisation flow to obtain an Access Token (with scope=“app1” for example).
  • App2 does not need to authenticate the user again if the CDSSO session is still valid; it initiates an authorisation flow to obtain an access token with scope=“app2”.

Is it the scenario you’re looking for?

Regards
Patrick


Hi @patrick_diligent,

Yes, the scenario mentioned is correct.

Also, this doc provides the flow diagram, but there are no steps on how to achieve it. How will the 2 applications be connected in the FR Identity Cloud console?

https://backstage.forgerock.com/docs/idcloud/latest/am-authentication/about-sso.html

I am looking for the steps which I can implement to achieve CDSSO between 2 different applications.

Regards,
Neha Pundir

Hi @npundi01

It’s difficult to point you to a particular solution, as it depends on many factors, such as:

  • Is it for Mobile or Web apps?
  • Are you planning to implement your own Login frontend, or use the login hosted page?
  • Using an embedded or centralised login scheme?
  • What is your domain architecture?
  • And what do you really mean by CDSSO?

CDSSO in the context of IG or web agents is when the web agent/IG is on a different domain than the authentication platform (ForgeRock Identity Cloud); however, this may not be necessary, as you can set up the tenant with a custom domain - to match the organisation domain.

When it comes to OAuth2, in the web application case, for an authenticated user, the user agent will hold a cookie for the authentication server domain. So as long as all apps use the same authentication server, then any app can initiate an authorise flow without re-authenticating the user.

For an OAuth2 resource server what matters is the access token, so even if it’s on a different domain, it does not really matter - the session in this scenario is only used for the authorise flow against the authentication provider - not for resource server usage.

Regards
Patrick
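The flow Patrick describes above, as an added example that is not from this thread or from ForgeRock: two web apps on different domains (constructed hostnames app1.example.com and app2.example.org) redirect to the same authorisation server, each asking for its own scope, so the browser presents the same session cookie on every authorise request and the second app gets a code without a login prompt. The resource-server side checks only the access token. The authorise URL (auth.example.com, path assumed), the client registrations, the HS256 demo key and `mint_demo_token` are all constructed stand-ins for the tenant's real endpoints and signing key; a real resource server validates against the server's JWKS or introspection endpoint rather than a shared secret.

```python
"""Two OAuth2 web apps sharing one authorisation server (added example, assumptions noted)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder for the shared authorisation server (the Identity Cloud tenant
# in the thread). Both apps must target the same host: that is the host whose session
# cookie the user agent carries, which is what lets App2 skip the login prompt.
AUTHORIZE_ENDPOINT = "https://auth.example.com/am/oauth2/authorize"

# Constructed client registrations, one per application, each with its own scope.
APPS = {
    "app1": {"client_id": "app1-client", "redirect_uri": "https://app1.example.com/callback", "scope": "openid app1"},
    "app2": {"client_id": "app2-client", "redirect_uri": "https://app2.example.org/callback", "scope": "openid app2"},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a code_verifier."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_authorize(app: str) -> dict:
    """Build one app's authorise redirect and return what the app must remember.

    The browser follows this URL; if it still holds a valid session cookie for the
    authorisation server's host, a code is issued without re-authenticating the user.
    """
    cfg = APPS[app]
    verifier = b64url(secrets.token_bytes(32))   # PKCE code_verifier, kept server-side
    state = b64url(secrets.token_bytes(16))      # binds the callback to this request (CSRF)
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],
        "scope": cfg["scope"],
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return {"url": f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", "state": state, "verifier": verifier}


def authorize_params(url: str) -> dict:
    """Query parameters of an authorise URL as a flat dict (helper for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_callback(pending: dict, callback_url: str) -> str:
    """Extract the authorisation code, refusing a callback whose state does not match."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, pending["state"]):
        raise ValueError("state mismatch: callback is not bound to this app's request")
    if "code" not in qs:
        raise ValueError("callback carries no authorisation code")
    return qs["code"][0]


# Constructed demo key standing in for the authorisation server's signing key.
DEMO_KEY = b"demo-signing-key-not-for-production"


def mint_demo_token(scope: str, ttl: int = 300, now: Optional[float] = None) -> str:
    """Constructed stand-in for the token endpoint: an HS256 JWT carrying a scope claim."""
    now = time.time() if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"scope": scope, "exp": int(now) + ttl}).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_access_token(token: str, required_scope: str, now: Optional[float] = None) -> bool:
    """Resource-server check: signature, expiry and scope. No session cookie is involved."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(sig), expected):
            return False
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return False
    if claims.get("exp", 0) <= now:
        return False
    return required_scope in claims.get("scope", "").split()
```

The session cookie never appears in this code: it lives in the browser for the authorisation server's host, which is why the two apps' own domains do not matter for the authorise step, and why the resource server, which sees only the bearer token, does not care about domains at all.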

Also are you familiar with this material:

And possibly integrating ForgeRock SDKs with Forgerock Identity Cloud:

Regards
Patrick
