KNF:SSOnotification/en: difference between revisions

From Kennisnet Developers Documentation
Regel 38: Regel 38:
 
* [[KNF:SSO_notificatie_middels_JavaScript/en|To implement SSO notification with an '''AJAX call''']]
 
* [[KNF:SSO_notificatie_middels_JavaScript/en|To implement SSO notification with an '''AJAX call''']]
 
* [[KNF:SSO_notificatie_middels_een_iframe/en|To implement SSO notification with an '''iframe''']]
 
* [[KNF:SSO_notificatie_middels_een_iframe/en|To implement SSO notification with an '''iframe''']]
  +
  +
When an Identity Provider places an SSO notification cookie via an AJAX call or an iframe by Entree Federation, this is considered to be a third party cookie. Third party cookies are placed by domains (in this case Entree Federation) other than the domain of the website you are visiting (the Identity Provider). Some organizations use third party cookies to track users when they visit different websites. Since this type of third party cookies (also called tracking cookies) can infringe the privacy of users, their use is increasingly discouraged by browsers and often blocked.
  +
  +
This may prevent the SSO notification cookie from being placed. In such a case, the user can still log in via Entree Federation, but will have to select his or her school on the WAYF screen of Entree Federation. Since browsers have indicated to block third party cookies completely in the long term, placing an SSO notification is best done by means of a redirect.
   
 
== Implementation using a redirect ==
 
== Implementation using a redirect ==
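Review bot: the added paragraph claims that "browsers have indicated to block third party cookies completely in the long term" without naming the browsers or pointing at their announcements; add a reference so readers can judge the timeline themselves. It would also help to state explicitly that the two retained bullet links above (AJAX call and iframe) are the third-party-cookie methods this text discourages, so they read as legacy options rather than as equal alternatives to the "Implementation using a redirect" section that follows, and to say that the cookie counts as third-party because it is set on the Entree Federation domain from a page on the Identity Provider's domain.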

Revision of 14 Sep 2020 15:12

Entree Federation: SSOnotification


If a school has its own connection with the Entree Federation (for example an ELE or an ADFS), it is possible to skip the Entree login screen. This is done with a cookie, which is set after the user has logged in on his or her own environment (for example an intranet page or the homepage of the ELE).

The cookie contains only information about the school; on the basis of that information the correct school is preselected in the Entree login screen.

To see the advantage of SSOnotification, compare the two scenarios below.

Example without SSOnotification:

To simulate this scenario, follow these steps:

  1. The student/teacher logs in on the ELE/Active Directory.
  2. The student/teacher clicks on a link to learning material.
    • Click on 'Naar dienst' ('To service').
  3. You are taken to the WAYF (Where Are You From) screen. No information is available about the school the user is coming from.
    • Select 'Inloggen via je school' ('Login by school').
    • Then select 'Referentie Klant Organisatie' ('Reference customer organisation').
    • Click on 'verder' ('next').
  4. This step is unique to our Reference ELE, because it allows dummy data to be entered. Normally the user attributes are sent through the back channel.
    • Enter the dummy data.
    • Click on 'Naar dienst' ('To service').
  5. The user is now logged in, and the user attributes that were used during the login process are shown.

Example with SSOnotification:

To simulate this scenario, follow these steps:

  1. The student/teacher logs in on the ELE/Active Directory.
  2. The student/teacher clicks on a link to learning material.
    • Click on 'Naar dienst' ('To service').
      In this scenario the WAYF (Where Are You From) screen is not shown. The system reads the cookie that is used for SSOnotification and automatically selects the correct school.
  3. This step is unique to our Reference ELE, because it allows dummy data to be entered. Normally the user attributes are sent through the back channel.
    • Enter the dummy data.
    • Click on 'Naar dienst' ('To service').
  4. The user is now logged in, and the user attributes that were used during the login process are shown.

Implementation

When an Identity Provider places an SSO notification cookie via an AJAX call or an iframe served by Entree Federation, the cookie is a third-party cookie: it is set by a domain (in this case Entree Federation) other than the domain of the website the user is visiting (the Identity Provider). Some organizations use third-party cookies to track users across different websites. Because this kind of third-party cookie (also called a tracking cookie) can infringe users' privacy, browsers increasingly discourage and often block their use.

This may prevent the SSO notification cookie from being placed. In that case the user can still log in via Entree Federation, but has to select his or her school on the WAYF screen of Entree Federation. Since browsers have announced that they will block third-party cookies completely in the long term, an SSO notification is best placed by means of a redirect.

Implementation using a redirect

The following URL has to be invoked:
https://ssonot.aselect.entree.kennisnet.nl/openaselect/profiles/entree?id=<identifier of the coupling>&url=<url encoded url>&redirectUri=<url encoded url>

For example: https://ssonot.aselect.entree.kennisnet.nl/openaselect/profiles/entree?id=http://authenticate.example.org&url=http%3A%2F%2Fwww.example.org&redirectUri=http%3A%2F%2Fwww.example.org

This URL has to be whitelisted by Kennisnet; you need to provide it to Kennisnet.
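As an added example (not code from the Kennisnet documentation or the Entree Federation software), the following Python shows how an Identity Provider could build the redirect URL described above with the `url` and `redirectUri` parameters URL-encoded, and how it can check a notification URL against the list of return URLs it has registered with Kennisnet before sending a browser there. The endpoint and the example values come from the page; the function names and the allow-list `REGISTERED_RETURN_URLS` are assumptions made for this example.

```python
from urllib.parse import quote, urlsplit, parse_qs

# Endpoint as documented on the page.
SSO_NOTIFICATION_ENDPOINT = (
    "https://ssonot.aselect.entree.kennisnet.nl/openaselect/profiles/entree"
)

# Constructed allow-list: the return URLs this IdP has had whitelisted by
# Kennisnet. The value is the page's example, not a real registration.
# Matching is exact on purpose: a prefix match ("starts with our domain")
# is the classic way an IdP turns into an open redirector.
REGISTERED_RETURN_URLS = frozenset({
    "http://www.example.org",
})

REQUIRED_PARAMS = ("id", "url", "redirectUri")


def build_sso_notification_url(coupling_id: str, url: str, redirect_uri: str) -> str:
    """Build the redirect target that places the SSO notification cookie.

    `id` is passed through unchanged (the page's example leaves it
    unencoded); `url` and `redirectUri` are URL-encoded as the page requires.
    Refuses return URLs that are not on the registered allow-list so the
    IdP never redirects a user to an unknown destination.
    """
    for candidate in (url, redirect_uri):
        if candidate not in REGISTERED_RETURN_URLS:
            raise ValueError(f"return URL not whitelisted: {candidate}")
    return (
        f"{SSO_NOTIFICATION_ENDPOINT}"
        f"?id={coupling_id}"
        f"&url={quote(url, safe='')}"
        f"&redirectUri={quote(redirect_uri, safe='')}"
    )


def parse_sso_notification_url(full_url: str) -> dict:
    """Split a notification URL back into its three (decoded) parameters.

    Handy for checking what an integration actually emits, e.g. from a
    proxy log, before the URL is submitted to Kennisnet for whitelisting.
    Raises ValueError when a required parameter is missing.
    """
    parts = urlsplit(full_url)
    params = parse_qs(parts.query, keep_blank_values=True, strict_parsing=True)
    missing = set(REQUIRED_PARAMS) - set(params)
    if missing:
        raise ValueError(f"missing parameters: {sorted(missing)}")
    return {name: params[name][0] for name in REQUIRED_PARAMS}


def is_whitelisted(full_url: str) -> bool:
    """True only if both return URLs in the notification URL are registered."""
    try:
        parsed = parse_sso_notification_url(full_url)
    except ValueError:
        return False
    return all(parsed[name] in REGISTERED_RETURN_URLS for name in ("url", "redirectUri"))


if __name__ == "__main__":
    # Reproduces the example URL from the documentation.
    link = build_sso_notification_url(
        "http://authenticate.example.org",
        "http://www.example.org",
        "http://www.example.org",
    )
    print(link)
    print("whitelisted:", is_whitelisted(link))
```

The allow-list check is the IdP-side counterpart of the whitelisting Kennisnet performs: if the return URL ever comes from a request parameter or a configurable setting, validating it against the registered values before issuing the redirect keeps the login flow from being misused to send users elsewhere.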