Single Sign On (SSO)

Note: Single-sign on is available with Service Pack F or later (20.2.64.8730).

With single sign-on, a user logs in with a single username and password and can navigate through multiple applications without ever needing to log back in. To configure single sign-on with iMIS and your third-party applications, you will first need to set up your application in iMIS, then add the client application redirect (Single Sign On content item) to a page.

Understanding Single Sign On: FAQ

Can users log into the third-party system first, or do they need to login to iMIS first?

Because iMIS is the membership application, you must log into iMIS first. SSO will not work if you log in to the third-party application first.

You can configure iMIS so that after a member is logged in, they are redirected to the page with the SSO content item and have the content item redirect the user to the non-iMIS site.

Is it possible for a user to log into a third-party application using the iMIS log-in page and then be redirected back to the third-party system once iMIS logs them in?

Not at this time.

If a user is first signed into iMIS and then goes to a third-party website, how is iMIS going to verify their previous authentication?

Authentication is done with an OAuth2 refresh_token that is specific to the user. The client application presents the refresh token to the /token endpoint to obtain bearer access tokens; it does not need the end user's credentials for this as long as the refresh token is valid. When the refresh token expires, the end user must log back into iMIS and click their redirect link into the client application again.

How is Single Sign On implemented?

Single Sign On uses OAuth2 tokens. Once configured, iMIS passes a refresh token to the client application. The client application uses that refresh token, together with its own client credentials (Client ID and Client secret), to obtain access tokens on behalf of the user logged into iMIS. The client application manages the local login itself; it can keep the refresh token in a cookie or in an authorization middleware of its choosing. Because the refresh token is a bearer credential that stays valid for its whole configured lifetime, treat it like a password: keep it server-side where possible, and if it must be sent to the browser, place it only in an HttpOnly, Secure cookie, never in a URL or in client-side script.

How does Single Sign On work?

Single Sign On in iMIS works as follows:

  1. A GET is made to the content record containing the Single Sign On content item.
  2. The content item redirects the browser to the configured Login redirect URL with a POST containing a refresh_token.
  3. The redirected page then POSTs to the /token endpoint with the following parameters:
     grant_type=refresh_token
     refresh_token=[token received in step 2]
     client_id=[Client ID configured for the client application]
     client_secret=[Client secret configured for the client application]
  4. The response from the token request contains the access_token.
  5. The returned access_token can then be used by subsequent calls, passed as a bearer token in the Authorization header (Authorization: Bearer <access_token>).

Is there a sample SSO redirect page?

Yes. A sample page is provided that shows the type of code needed for an SSO implementation.

Warning! The sample page is not intended to be repurposed or used in a production environment. It is provided for demonstration purposes only.
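The flow listed above, and the kind of redirect page the sample illustrates, as an added example written for this page: it is not the iMIS sample page and not code from Advanced Solutions International. It uses only the Python standard library. Assumptions not stated by the page: the form field iMIS POSTs to the Login redirect URL is named refresh_token, the token endpoint is the iMIS base URL plus /token and answers with JSON containing access_token, and a rejected exchange returns HTTP 400. The client ID, secret and URL are placeholders, and fake_imis_token_endpoint is a constructed stand-in for /token so the example runs offline.

```python
"""SSO redirect handler for an iMIS client application (added example, stdlib only)."""
import json
import secrets
import urllib.parse
import urllib.request
from urllib.error import HTTPError

CLIENT_ID = "ThirdPartyPortal"                # Client ID from RiSE > Maintenance > Client applications (placeholder)
CLIENT_SECRET = "example-secret-change-me"     # placeholder; load from a secret store, never from client-side code
TOKEN_URL = "https://imis.example.org/token"   # hypothetical iMIS base URL + /token


def _http_post(url, data, headers):
    """Default transport: a real form POST. Returns (status, body bytes)."""
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def exchange_refresh_token(refresh_token, post=_http_post, token_url=TOKEN_URL,
                           client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Steps 3-4 of the flow: trade the refresh token for an access token.

    Credentials travel in the POST body over TLS, not in a query string
    (query strings end up in logs). Returns the parsed token response, or
    None if iMIS rejects the request (expired token, wrong secret, unknown client).
    """
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    status, raw = post(token_url, body, {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        return None
    tokens = json.loads(raw)
    return tokens if "access_token" in tokens else None


def handle_sso_redirect(form_body, session_store, post=_http_post):
    """Handle the POST the Single Sign On content item sends to the Login redirect URL.

    Returns (Set-Cookie value, access_token) on success, or (None, None) when the
    user has to log in to iMIS again. The refresh token stays server-side in
    session_store; the browser only gets an opaque random session id in an
    HttpOnly cookie, so script injection in the client app cannot read the
    long-lived iMIS credential.
    """
    fields = urllib.parse.parse_qs(form_body)
    refresh_token = fields.get("refresh_token", [""])[0]
    if not refresh_token:
        return None, None
    tokens = exchange_refresh_token(refresh_token, post=post)
    if tokens is None:
        return None, None
    session_id = secrets.token_urlsafe(32)
    session_store[session_id] = {
        "refresh_token": refresh_token,          # reused to mint new access tokens until it expires
        "access_token": tokens["access_token"],
    }
    cookie = f"sso_session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return cookie, tokens["access_token"]


def bearer_headers(access_token):
    """Step 5: header for subsequent iMIS API calls."""
    return {"Authorization": f"Bearer {access_token}"}


# Constructed stand-in for the iMIS /token endpoint so the example runs offline.
VALID_REFRESH_TOKEN = "rt-constructed-123"


def fake_imis_token_endpoint(url, data, headers):
    """Accepts one known client and one valid refresh token; rejects everything else."""
    form = urllib.parse.parse_qs(data.decode())
    ok = (url == TOKEN_URL
          and form.get("grant_type") == ["refresh_token"]
          and form.get("client_id") == [CLIENT_ID]
          and form.get("client_secret") == [CLIENT_SECRET]
          and form.get("refresh_token") == [VALID_REFRESH_TOKEN])
    if not ok:
        return 400, json.dumps({"error": "invalid_grant"}).encode()
    return 200, json.dumps({"access_token": "at-constructed-456",
                            "token_type": "bearer", "expires_in": 3600}).encode()


if __name__ == "__main__":
    sessions = {}
    cookie, token = handle_sso_redirect("refresh_token=" + VALID_REFRESH_TOKEN,
                                        sessions, post=fake_imis_token_endpoint)
    print(cookie, bearer_headers(token))
```

In a real deployment handle_sso_redirect sits behind the HTTPS route configured as the Login redirect URL, with the default _http_post transport; when the stored refresh token stops exchanging (a 400 from /token), clear the session and send the user back to iMIS, which is the "log back into iMIS and click the redirect link" path the FAQ describes.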

Does anything need to be completed on the third-party side?

Yes. In addition to the iMIS setup, coding is required on the third-party side: a local login that uses the Client ID and Client secret, and a strategy for exchanging the refresh tokens iMIS sends for access tokens. Once that is in place, the non-iMIS site can make API calls with the access token to obtain and display iMIS information. The third-party client application must therefore support OAuth2.

What contact details are inherited from iMIS after the user clicks on the redirect link to the third-party application?

The user is only authenticated; no contact details are passed to the third-party application. If you want contact details to be inherited, a custom bridge must be built, for example by using the access token to call the iMIS API for the logged-in contact.

Configuring Single Sign On

To configure single sign-on with iMIS and your third-party applications, do the following:

  1. From the Staff site, go to RiSE > Maintenance > Client applications.
  2. Select Add client application.
  3. Enter the Client ID. This can be any name you choose. The name should reference the third-party application you are creating a link to. This name cannot be edited after the client application is saved.
  4. Enter the Client secret. The Client secret is the credential the application presents to iMIS when it requests an access token, so keep it confidential: store it in the application's secret store, not in client-side code, and never share it publicly.
  5. In the Refresh token lifetime (minutes) field, enter the lifetime of newly generated refresh tokens, that is, how long a token remains valid for requesting access tokens from iMIS after it is granted. When the refresh token expires, the user must return to iMIS and go through the login flow again. A shorter lifetime limits how long a stolen refresh token can be used.
  6. Enter the Login redirect URL. This is the link to the third-party application where the user will be taken. iMIS POSTs the refresh token to this URL, so it must be an HTTPS endpoint on the third-party application that is prepared to receive the token and exchange it for an access token.
  7. Click Save.

Next, add the Single Sign-On content item to a content record:

  1. From a content record, select Add content.
  2. Open the Contact folder, then select the Single Sign-On content item.
  3. Give the content item a Name.
  4. Select the Client application.
  5. Click OK, then click Save & Publish.
  6. Continue the process for each necessary client application.

The content record that the content item is added to does not need to be a publicly accessible content record, but it cannot be deleted. It is recommended to keep the content record in a secure folder.

You can add the redirect link to any location in your iMIS website. When the link is clicked, the contact will remain logged in with their same iMIS credentials.