Single Sign-On with Meteor Accounts?

My app uses the Meteor Accounts package. I’m planning to use a third-party help desk that supports Single Sign-On (SSO). I’d like my users to be able to login to the support desk via SSO so that they don’t have to have a separate username/password to get to the help desk.

I’ve done a lot of searching for articles and YouTube videos, but I still have a question.

The articles (example) all mention an identity provider, and they seem to reference it as a third party app.

Can my app be its own identity provider?

Are there any constraints from the Helpdesk Software side? If it supports oAuth you could acutally use your Meteor server as OAuth provider (see the oauth and oauth2 core packages).

Thanks for this great info, @jkuester. Yes, the Helpdesk Software does support oAuth. Would the oauth2 package handle everything I need to log in via single sign-on to another service, or would I need to install something else in my Meteor app, in addition?

I think you will still have to implement the oauth2 Workflow but the package brings most functionality Out of the box. The package is not covered by the docs but it has some internal documentation. Maybe you give it a try and If you get stuck you can just post here.

1 Like

Here are the setup options on the help desk side:

There doesn’t seem to be a lot of documentation yet about single sign-on in general. And the docs that are there have a lot of unfamiliar terminology, that isn’t defined within the document – e.g. am I an oauth2 server, an oauth2 client, and so on. (Pinging @stolinski :grinning: )

@jkuester, could you possibly post some sample code for setting up oauth2 in Meteor, to login to a service like this help desk?

The Looks like your Help desk is an oauth provider which means it acts as an oauth server and allows clients (like your app) to register.

That would require to create an accounts-yourhelpdesk login service but would also shift the authentication away from your app. If you want your app to be the source for authentication you would have to make the helpdesk the client actually.

1 Like

Hmmmm… can I be my own Identity Provider? This is from the docs for the help desk:

What is Single Sign-on (SSO)?

In other words, Single Sign-On (SSO) is a system that lets users securely authenticate multiple cloud applications by logging in only once in a managed authentication system. This managed authentication system is also referred to as Identity Provider (IdP), and the cloud applications that rely on the data provided by Identity Provider are called Service Providers (SP).

Freshworks can ask identity providers to verify your identity. If they can, we take their word for it. With SSO, you don’t have to think and remember different passwords for different applications. Users can now use the existing login information managed by Identity Providers (IdP) like ADFS, OneLogin, Okta, Azure AD, and G-Suite.

Could I be my own Identity Provider using something like panva/node-oidc-provider ?

Of course you can. I did the same with the node-oauth2-server package, which I also wrapped in a session at the Meteor Impact 2020 Conference.

However this is one implementation example and you are totally fine with node-oidc-provider or even using the core Meteor oauth2 package.

Great! I will look at your session from the conference.

@jkuester I watched your great Meteor Impact 2020 Conference video and learned a lot. Naturally I have a few questions and will be studying the sample code to skill up!

Since we run a multi-tenant system where the optional SSO provider can be different for each user, we rolled our own SSO solution that as a last step creates and stores a session hash and then sends this value the client as a javascript snippet that stores it to localstorage to be picked up by the meteor accounts package in a resume login event.

This works fine - the only real hack is that the TTL for sessions is global so we backdate these to be able to get session hashes that expire after 24h instead of the 30 days that we use for user/pwd logins

1 Like