Skip to content

Only login once for all applications

Currently users need to login once for every application.

From our chat discussion:

Varac hmm - I installed latest master on my test server (from scratch), logged into nextcloud as admin via sso (works, yeah!). Then I wanted to login to wp, but sso asked me again for my creds shouldn't the 2. login be obsolete (given we have SSO ?) in between there was a time span of ~1h, how log is the session by default ?

Mark Hm. let me check the docs. I guess this behaviour can be configured. But is this something we want in the case there are access policies configured for applications in the future? Like application A needs at least 2 factors and application B needs at least 3 facors or none at all?

Maarten de Waard I'd assume each application needs all factors

Varac @mark But from the basic concept, you should only need to login once, (single-sing-on) right ? Or is my case the current expected behaviour ?

Lets discuss this when we need it - right now all apps only require the same, only factor

Maarten de Waard I guess you could interpret "single sign-on" as "there's only one place where you sign on", but I see your point and I agree

 Mark I think varac is right and here is why i think it should be supported: https://open.greenhost.net/openappstack/single-sign-on/blob/master/login_provider/app.py#L75

 Varac good that we talk about it because we shouln't stress the term SSO too much publicly (and also not in our report) because this missing behaviour is what SSO is about imo. I mean, central authentication is already great

 Maarten de Waard it's not missing behaviour if the problem is just the session length

 Varac But did it work at all ? Or did nobody tried it yet ?

 Maarten de Waard hmm. I remember it worked in the past, but right now it doesn't seem to 

Maarten de Waard yeah it definitely doesn't work ATM though but it's not a missing feature, it's a bug in an implemented feature

 Varac Ok - that's good to know - hope it's not hard to add.

 Mark If it is not supported by hydra we can still add a session to the login provider. so it is not a big deal in any case

 Mark I haven't found any configuration options in the docs. I assume it's either an error in the implementation of the login provider (i really doubt that though) or a misconception on how OpenID Connect works in that respect. To clarify this i asked people in the public discord chat room of ory. I think I'll have an answer soon.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information