Merge pull request #2915 from jerriep/rework-sso-docs

Rework SSO documentation

Author: mpaktiti

articles/sso/index.md

@@ -9,16 +9,42 @@ SSO (Single Sign On) occurs when a user logs in to one Client and is then signed
 
 Google's implementation of login for their products, such as Gmail, YouTube, Google Analytics, and so on, is an example of SSO. Any user that is logged in to one of Google's products are automatically logged in to their other products as well.
 
-## How SSO Works
-
-SSO works by means of a *central service*. In the case of Google, this central service is [Google Accounts](https://accounts.google.com). When a user first logs in, Google Accounts creates a cookie, which persists with the user as they navigate to other Google-owned services. The process flow is as follows:
+Single Sign On usually makes use of a *Central Service* which orchestrates the single sign on between multiple clients. In the example of Google, this central service is [Google Accounts](https://accounts.google.com). When a user first logs in, Google Accounts creates a cookie, which persists with the user as they navigate to other Google-owned services. The process flow is as follows:
 
 1. The user accesses the first Google product.
 2. The user receives a Google Accounts-generated cookie.
 3. The user navigates to another Google product.
 4. The user is redirected again to Google Accounts.
 5. Google Accounts sees that the user already has an authentication-related cookie, so it redirects the user to the requested product.
 
+## An overview of how SSO works with Auth0
+
+In the case of SSO with Auth0, the *Central Service* is the Auth0 Authorization Server. 
+
+Let's look at how the SSO flow looks when using Auth0 and a user visits your application for the first time:
+
+1. Your application will redirect the user to the Auth0 Hosted Lock page where they can log in. 
+2. Auth0 will check to see whether there is an existing SSO cookie.
+3. Because this is the first time the user visits this Hosted Lock page, and no SSO cookie is present, they may be presented with username and password fields and also possibly some Social Identity Providers such as LinkedIn, GitHub, etc. (The exact layout of the Lock screen will depend on the [Identity Providers](/identityproviders) you have configured.
+
+    ![](/media/articles/sso/single-sign-on/lock-no-sso-cookie.png)
+
+4. Once the user has logged in, Auth0 will set an SSO cookie
+5. Auth0 will also redirect back to your web application and will return an `id_token` containing the identity of the user.
+
+Now let's look at flow when the user returns to your website for a subsequent visit:
+
+1. Your application will redirect the user to the Auth0 Hosted Lock page where they can sign in. 
+2. Auth0 will check to see whether there is an existing SSO cookie.
+3. This time Auth0 finds an SSO cookie and instead of displaying the normal Lock screen with the username and password fields, it will display a Lock screen which indicates that we know you the user is, as they have already logged in before. They can simply confirm that they want to log in with that same account.
+
+    ![](/media/articles/sso/single-sign-on/lock-sso-cookie.png)
+
+4. Auth0 will update the SSO cookie if required
+5. Auth0 will also redirect back to your web application and will return an `id_token` containing the identity of the user.
+
+If an SSO cookie is present you can also sign the user in silently, i.e. without even displaying Lock so they can enter their credentials. This is covered in more detail in the next section.
+
 ## How to Implement SSO with Auth0
 
 ::: panel-info Enabling Identity Providers
@@ -33,9 +59,13 @@ Near the bottom of the *Settings* page, toggle **Use Auth0 instead of the IdP to
 
 ![](/media/articles/sso/single-sign-on/sso-flag.png)
 
-You can set the Client's SSO flag using the [Auth0 Management API](/api/management/v2#!/Clients/patch_clients_by_id).
+Alternatively you can also set the Client's SSO flag using the [Auth0 Management API](/api/management/v2#!/Clients/patch_clients_by_id).
+
+Once you have set the SSO flag for your Client in the Auth0 Dashboard, you must add logic to your application to check the user's SSO status. Checking the user's SSO status can only be done via JavaScript by making use of the [`getSSOData`](/libraries/auth0js#sso) function in the [auth0.js library](/libraries/auth0js).  
+
+The result of this function will indicate whether an SSO cookie is present, and if so it will return the SSO data of the user which can then subsequently be used to log the user in silently without even displaying Lock.
 
-Once you have set the SSO flag in Auth0, you must add logic to your Client to check the user's SSO status. This logic can be implemented either client-side (using JavaScript) or server-side:
+For more detailed information on how to implement this, please refer to the following documents:
 
 * [Client-Side SSO (Single Page Apps)](/sso/single-page-apps-sso)
 * [Server-Side SSO (Regular Web Apps)](/sso/regular-web-apps-sso)

articles/sso/regular-web-apps-sso.md

@@ -4,30 +4,40 @@ description: Server-side SSO with regular web applications.
 
 # Server-side SSO (Regular Web Apps)
 
-Let's say we have three applications
+To log a user in silently (i.e. without displaying the Lock screen) the following conditions need to be met:
 
-* App 1: app1.com (single page app)
-* App 2: app2.com (single page app)
-* App 3: app3.com (regular web app)
+1. The Client needs to be configured to **Use Auth0 instead of the IdP to do Single Sign On** in the [Clients section of the Auth0 Management Dashboard](${manage_url}/#/clients)
+2. An SSO cookie must exist for the tenant's domain. In other words the user must have signed in previously, and the SSO cookie which was saved is still valid.
+3. When calling the Auth0 authentication endpoint, the connection name is passed along for which the user must be signed in. This connection name is the same as the one specified in the SSO cookie. You can pass the connection name along either as a parameter when calling the `signin` function of the [**auth0.js** Library](https://auth0.com/docs/libraries/auth0js), or by passing the `connection` query string parameter when calling the `/authorize` endpoint of the [Authentication API](/api/authentication)
 
-> You can see an example of a Regular Web App configured to use SSO in [this github repository](https://github.com/auth0/auth0-sso-sample/tree/master/app3.com)
+## The SSO scenario
+
+In our SSO scenario, let's say we have 3 applications
+
+* App 1: app1.com (Single Page App)
+* App 2: app2.com (Single Page App)
+* App 3: app3.com (Regular Web app)
+
+If a user logs in to any of these applications, and then subsequently navigates from this application to any of the other applications, we would want the user to be logged in automatically. 
+
+In this document we will be looking specifically how to achieve this in a Regular Web Application
 
 ## Case 1: The user is already logged in and clicks on a link that redirects to a specific URL app3.com
 
-The user logs in on app1.com and clicks on a link that should take them to a particular URL on app3.com. In this case, you can create an endpoint on the target application (app3) that will redirect to the URL the user wanted to go after SSO. For example:
+The user logs in on one of the Single Page Applications and click on a link that should take them to a particular URL on app3.com. In this case, you can create an endpoint on the target application (app3) that will redirect to the URL the user wanted to go after SSO. For example:
 
-```
-https://app3.com/sso?targetUrl=/foo/bar
+```text
+https://app3.com/sso?targetUrl=/foo/bar&connection=<connection name>
 ```
 
-This endpoint would check if the user is already logged in to this app. If they are, then redirect to the target URL. If the user is not logged in to the application, then redirect to Auth0 for SSO:
+This endpoint would check if the user is already logged in to this app. If they are, then redirect to the target URL. If the user is not logged in to the application, then redirect to Auth0 for SSO, passing along the name of the connection to use:
 
-```
+```text
 handle("/sso")
   if (user is already logged in)
     redirect to targetUrl
   else
-    redirect to "https://YOURS.auth0.com/authorize?client_id=…&redirect_uri=http://urlTo/callback&response_type=code&state=' + targetUrl
+    redirect to "https://${account.namespace}/authorize?client_id=…&connection=<connection name>&redirect_uri=http://urlTo/callback&response_type=code&state=' + targetUrl
 ```
 
 Here is an example in node.js:
@@ -43,7 +53,8 @@ app.get('/sso', function(req,res, next) {
   } else {
     console.log("Authenticating with Auth0 for SSO");
     passport.authenticate('auth0', {
-      state: req.query.targetUrl
+      state: req.query.targetUrl,
+      connection: req.query.connection
     })(req, res, next);
   }
 });
@@ -77,7 +88,7 @@ app.get('/callback',
 The user is logged in on app1.com and opens a new tab and goes to app3.com. You would expect the user to be automatically signed in. To do that, you need to redirect the user to the following URL in a filter or a middleware:
 
 ```
-https://YOURS.auth0.com/authorize?client_id=…&response_type=code&redirect_uri=http://urlTo/callback
+https://${account.namespace}/authorize?client_id=…&response_type=code&redirect_uri=http://urlTo/callback
 ```
 
 Here is an example in node.js:
@@ -99,5 +110,5 @@ If the user was already logged in before, then Auth0 will automatically redirect
 The user has never logged in to any app. In this case, the filter or middleware mentioned in the previous point checks if the user is authenticated or not, and in the case they're not, redirects the user to the following URL:
 
 ```
-https://YOURS.auth0.com/authorize?client_id=…&response_type=code&redirect_uri=http://urlTo/callback
+https://${account.namespace}/authorize?client_id=…&response_type=code&redirect_uri=http://urlTo/callback
 ```

articles/sso/single-page-apps-sso.md

@@ -4,26 +4,95 @@ description: Client-side SSO with single page applications.
 
 # Client-side SSO (Single Page Apps)
 
-Let's say you have three applications:
+To log a user in silently (i.e. without displaying the Lock screen) the following conditions need to be met:
 
-* App 1: app1.com (single page app)
-* App 2: app2.com (single page app)
-* App 3: app3.com (regular web app)
+1. The Client needs to be configured to **Use Auth0 instead of the IdP to do Single Sign On** in the [Clients section of the Auth0 Management Dashboard](${manage_url}/#/clients)
+2. An SSO cookie must exist for the tenant's domain. In other words the user must have signed in previously, and the SSO cookie which was saved is still valid.
+3. When calling the Auth0 authentication endpoint, the connection name is passed along for which the user must be signed in. This connection name is the same as the one specified in the SSO cookie. You can pass the connection name along either as a parameter when calling the `signin` function of the [**auth0.js** Library](/libraries/auth0js), or by passing the `connection` query string parameter when calling the `/authorize` endpoint of the [Authentication API](/api/authentication)
 
-> You can see an example of a SPA configured to use SSO in [this github repository](https://github.com/auth0/auth0-sso-sample/tree/master/app1.com)
+## The SSO scenario
 
-The user logs in on app1.com and tries to access app2.com. Since app2.com is a Single Page App you need to have some code like the following to do SSO. This code should be on every SPA you have (In this case App1 and App2).:
+In our SSO scenario, let's say we have 3 applications
+
+* App 1: app1.com (Single Page App)
+* App 2: app2.com (Single Page App)
+* App 3: app3.com (Regular Web app)
+
+If a user logs in to any of these applications, and then subsequently navigates from this application to any of the other applications, we would want the user to be logged in automatically. 
+
+In this document we will be looking specifically how to achieve this in a Single Page (JavaScript) Application
+
+## Obtaining the SSO cookie information  
+
+If a users logs in to any of the applications and then subsequently tries to log in to any of the other applications, you can check to see whether an SSO session is active for that user by making use of the `getSSOData` function in the [auth0.js library](/libraries/auth0js#sso).
+
+```js
+auth0.getSSOData(function (err, ssoData) {
+  if (err) return console.log(err.message);
+  expect(ssoData.sso).to.exist;
+});
+```
+
+This function will return an `ssoData` object which will indicate whether an active SSO session exist. The `ssoData` object will contain the fields as per the following example:
+
+```json
+{
+  sso: true,
+  sessionClients: [
+    "jGMow0KO3WDJELW8XIxolqb1XIitjkYL"
+  ],
+  lastUsedClientID: "jGMow0KO3WDJELW8XIxolqb1XIitjkYL",
+  lastUsedUsername: "[email protected]",
+  lastUsedConnection: {
+    name: "Username-Password-Authentication",
+    strategy: "auth0"
+  }
+}
+```
+
+## Passing the Connection Name when logging the user in
+
+You can then use this information to call the `signin` function to log the user in. When you call the `signin` function you pass along the name of the connection used in the active SSO session as the `connection` parameter. Auth0 will determine that an SSO cookie is saved for that connection, and will log the user directly without displaying the Lock user interface. 
+
+
+```js
+auth0.getSSOData(function (err, ssoData) {
+  if (!err && ssoData.sso) {
+    auth0.signin({
+      connection: ssoData.lastUsedConnection.name,
+      scope: 'openid name picture',
+      params: {
+        state: getQueryParameter('targetUrl')
+      }
+    });
+  } else {
+    // Display regular login option, e.g. a Login button which will invoke Lock
+  }
+});
+```
+
+## Full SSO Sample Code
+
+Below is an expanded code sample of how you can implement this in a SPA application using jQuery to either show or hide the Login button or user information depending on whether a user is logged in or not. 
+
+The full code sample for both the SPA applications as well as the normal web application can be found in [this github repository](https://github.com/auth0/auth0-sso-sample/tree/master/app1.com)
 
 ```html
 <script type="text/javascript">
   // hide the page in case there is an SSO session (to avoid flickering)
   document.body.style.display = 'none';
 
   // instantiate Lock
-  var lock = new Auth0Lock(''${account.clientId}', ''${account.namespace}');
+  var lock = new Auth0Lock('${account.clientId}', '${account.namespace}', {
+    auth: {
+      params: {
+        scope: 'openid name picture'
+      }
+    }
+  });
   var auth0 = new Auth0({
-    domain: ''${account.namespace}',
-    clientID: ''${account.clientId}',
+    domain: '${account.namespace}',
+    clientID: '${account.clientId}',
     callbackOnLocationHash: true
   });
 
@@ -76,37 +145,28 @@ The user logs in on app1.com and tries to access app2.com. Since app2.com is a S
   // Showing Login
   $('.btn-login').click(function (e) {
     e.preventDefault();
-    lock.show({
-      auth: {
-        params: {
-          scope: 'openid name picture'
-        }
-      }
-    });
+    lock.show();
   });
 
 </script>
 
 <!-- Regular login -->
 <body>
-  <button onclick="lock.show()">Login</button>
+  <button class="btn-login">Login</button>
 </body>
 ```
 
-If the single sign on happens against app3.com (a regular web app), then you have to redirect to `app3.com/sso?targetUrl=/foo/bar`. Read more about this on [Single Sign On with Regular Web Apps](/sso/regular-web-apps-sso).
-
 ## Single Logout
 
-If the user logged out from app1.com, then we want to clean up the token on app2.com (and app3.com). Read more about [Single Log Out](/logout).
+If the user logged out from app1.com, then we want to clean up the token on app2.com (and app3.com). Read more about [Single Log Out](/logout). 
 
-To do that, you have to check every X amount of time whether the SSO session is still alive in Auth0. If it is not, then remove the token from storage for the app.
+To do that, you have to check every X amount of time whether the SSO session is still alive in Auth0. If it is not, then remove the token from Local Storage for the application. This will ensure that the user's local session is cleared.
 
 ```js
 setInterval(function() {
   // if the token is not in local storage, there is nothing to check (i.e. the user is already logged out)
   if (!localStorage.getItem('userToken')) return;
 
-
   auth0.getSSOData(function (err, data) {
     // if there is still a session, do nothing
     if (err || (data && data.sso)) return;

config/sidebar.yml

@@ -145,12 +145,11 @@ articles:
       - title: "Overview"
         url: "/sso"
 
-      - title: "Server-side (Regular Web Apps)"
-        url: "/sso/regular-web-apps-sso"
-
       - title: "Client-side (Single Page Apps)"
         url: "/sso/single-page-apps-sso"
 
+      - title: "Server-side (Regular Web Apps)"
+        url: "/sso/regular-web-apps-sso"
 
   - title: "User Profile"
     url: "/user-profile"