About Single Sign-On
Eduplaces provides a Single sign-on (SSO) service that allows users to log in to all connected applications with a single set of credentials. This means that users can log in to Eduplaces and then access Apps without having to log in again.
Our SSO service is based on the industry standard OpenID Connect protocol. It's a simple identity layer on top of the OAuth 2.0 protocol. This allows us to use the same protocol for both Authentication and Authorization and bundle them together in a single flow. For more information on the difference between Authentication and Authorization, head over to our Authorization section.
For your application, Single sign-on is a form of Authentication just like logging in with a username and password. You might be familiar with this concept from other services like Google or Facebook. You could add a "Login with Eduplaces" button to your application and let users log in with their Eduplaces account. The process is very similar to logging in with a username and password, but instead of asking the user for their credentials, you redirect them to Eduplaces where they can log in and get redirected back to your application with an ID token.
Most of the time, users will access your application through the Eduplaces platform by clicking on a Tile. We will open your application in a new tab but cannot include any ID or access tokens in that request for security reasons. After we have redirected the user to your application, you will have to start an authentication flow to obtain an access token, just as you would if the user had clicked on a "Login with Eduplaces" button. In the OpenID Connect protocol, this is described as Initiating Login from a Third Party. We explain this process in detail on our Initiated Login page.
How to log in?
In short, the process of logging in users with Eduplaces is as follows:
- You start an authentication flow by redirecting the user to our authorization server.
- The user grants your application access to their data on our platform.
- You receive an access token that you can use to make API requests on behalf of the user at the end of the authentication flow.
- In addition to the access token, you will also receive an ID token that contains information about the user.
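The flow above, written out as an added example (not Eduplaces' own code): it builds the authorization request for the Authorization Code Flow with PKCE, stores the PKCE verifier, `state` and `nonce` in the user's session, and turns the callback into the parameters for the token request. The authorization endpoint, client ID and redirect URI are placeholders; take the real values from your Eduplaces configuration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders (assumptions): use the values from your Eduplaces client configuration.
AUTHORIZE_URL = "https://authorization-server.example.invalid/authorize"
CLIENT_ID = "your-client-id"
REDIRECT_URI = "https://your-app.example.invalid/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def start_login(session: dict) -> str:
    """Step 1: store per-login secrets in the session and build the redirect URL."""
    verifier, challenge = pkce_pair()
    session["pkce_verifier"] = verifier
    session["state"] = b64url(secrets.token_bytes(16))  # CSRF protection for the callback
    session["nonce"] = b64url(secrets.token_bytes(16))  # later checked against the ID token
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Steps 2-3: validate the callback and build the body of the token request."""
    query = parse_qs(urlparse(callback_url).query)
    expected_state = session.pop("state", None)
    received_state = query.get("state", [""])[0]
    if not expected_state or not secrets.compare_digest(received_state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    return {  # POST this to the token endpoint to receive the access and ID tokens
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("pkce_verifier"),
    }
```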
The ID token is the key to Single sign-on. It is a JSON Web Token (JWT) that contains information about the user and is signed by Eduplaces. Part of the information is the user's unique ID, which you can use to identify the user in your application. The ID token can also contain information about the user's school, which you can use to personalize your application for the user. Head over to our Scopes section for more information on additional claims.
If a user logs in to your application with Eduplaces for the first time, you can create a new user account in your database and associate it with the user's ID you received in the ID token. The next time the user logs in to your application with Eduplaces, you can use the ID token to identify the user and log them in automatically.
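As an added example (not Eduplaces' own code), the two steps described above: checking the standard claims of the ID token and mapping its `sub` to a local account, creating one on the first login. It assumes your JWT library has already verified the token's signature against the Eduplaces keys and handed back the claims; the issuer and client ID are placeholders.

```python
import time

# Placeholders (assumptions): use the issuer and client ID from your Eduplaces configuration.
ISSUER = "https://issuer.example.invalid"
CLIENT_ID = "your-client-id"


def validate_id_token_claims(claims: dict, expected_nonce: str, now=None, leeway: int = 60) -> dict:
    """Check the OpenID Connect claims of an ID token whose signature was already verified.

    Rejects tokens from another issuer, for another client, expired, or replayed
    (nonce does not match the one stored in the session when the login started)."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token was not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp must name this client when aud lists several clients")
    if now > float(claims["exp"]) + leeway:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token does not belong to this login attempt")
    if not claims.get("sub"):
        raise ValueError("missing sub claim")
    return claims


class UserStore:
    """In-memory stand-in (assumption) for your user table, keyed by the Eduplaces user ID."""

    def __init__(self):
        self.by_sub = {}

    def find_or_create(self, claims: dict) -> tuple[dict, bool]:
        """Return (user, created): existing account for this sub, or a new one on first login."""
        user = self.by_sub.get(claims["sub"])
        if user is not None:
            return user, False
        user = {"id": len(self.by_sub) + 1, "eduplaces_sub": claims["sub"]}
        self.by_sub[claims["sub"]] = user
        return user, True
```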
Our Step-by-Step Guide
Authenticating users via Single sign-on isn't as hard as it might sound. We will guide you through the process with actual code examples in our Authenticate Users Guide.
Which Flow should I use?
As you learned in our Authorization section, we support several of the flows defined by the OAuth 2.0 protocol. But not all of them are suitable for Single sign-on. Use one of the following flows to authenticate users with Eduplaces:
- Authorization Code Flow with PKCE
- Authorization Code Flow (deprecated by OAuth 2.1)
What about Registration?
Users should not be required to register for your application before they can log in with Eduplaces via Single sign-on. Instead of asking the user to create a new account, you should create a new user account in your database the first time the user logs in with Eduplaces. You should be able to get all the information you need from the ID token. If that is not the case, you can always ask the user to provide additional information after they have logged in with Eduplaces.
What about Logout?
Logging out users is a bit more complicated than logging them in. In general, you should not attempt to log out users from Eduplaces when they log out from your application. Users should be able to use another App from their Eduplaces dashboard without having to log in again. As Single sign-on does not replace your own session management, just use your existing logout mechanism to log out users from your application.
But what if a user logs out from Eduplaces? In this case the user should also be logged out from your application. This is crucial for security reasons! Imagine a user logs in to your application with Eduplaces and then just closes your tab without logging out. The user continues to use other Apps, then logs out from Eduplaces and leaves their computer unattended. Another person could now open your application in a new tab and the former user would still be logged in. As shared computers in schools are quite common and students can have access to computers also used by teachers, this is a serious security issue.
There are two extensions to the OpenID Connect protocol that allow you to log out users from your application when they log out from Eduplaces. We will explain both of them in detail in our Logout section with additional information on how to implement them.