SmartCloud for Social Business supports two approaches for SSO: a Security Assertion Markup Language (SAML) approach and an Open Authorization (OAuth) approach. Regardless of the specific approach, it is the responsibility of the partner application to provide single sign-on capabilities.
SmartCloud for Social Business currently supports both OAuth 1.0a and 2.0. OAuth 1.0a is the default version. Note that OAuth 2.0 is not backwards compatible with previous versions of OAuth. For more information about OAuth, see Open Authorization.
The SmartCloud for Social Business team can work with partners to set up a SAML partnership.
Login using SmartCloud for Social Business (LuLL) is a delegated authentication mechanism. The partner application delegates or outsources the user authentication to SmartCloud for Social Business. After the user is authenticated, it is up to the partner site to manage the user's session. The LuLL approach involves two steps.
Step 1: Perform the OAuth dance
Perform the OAuth dance every time the user visits the partner site. The OAuth dance forces the user to log in to SmartCloud for Social Business if the user has never logged in.
Step 2: Call identity API
Make an API call to get the user's identity information.
This call returns the information below, which is the same information that the SAML payload provides.
- Subscriberid is the identifier that uniquely identifies the user.
- The rest of the fields are mutable, so partner applications should make decisions based on the subscriberid field only.
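The following sketch shows partner-side account resolution keyed on subscriberid only. It is an added example, not code from SmartCloud for Social Business; the `email` and `name` fields, the `AccountStore` class and all sample values are assumptions made for illustration.

```python
# Added example: only "subscriberid" is named on this page; the other
# field names and all sample payloads below are constructed assumptions.
class AccountStore:
    """Partner-side account table keyed on the immutable subscriberid."""

    def __init__(self):
        self._by_subscriber = {}  # subscriberid -> local account record

    def resolve(self, identity):
        """Map an identity payload to a local account, creating it on first login."""
        sid = str(identity.get("subscriberid") or "").strip()
        # Reject payloads without a usable identifier instead of falling
        # back to a mutable field such as email.
        if not sid:
            raise ValueError("identity payload has no subscriberid")
        account = self._by_subscriber.get(sid)
        if account is None:
            account = {"local_id": len(self._by_subscriber) + 1, "subscriberid": sid}
            self._by_subscriber[sid] = account
        # Mutable fields are display data only: refresh them on every login,
        # never use them to select the account.
        account["email"] = identity.get("email")
        account["name"] = identity.get("name")
        return account


def demo():
    store = AccountStore()
    alice = store.resolve({"subscriberid": "1001", "email": "alice@example.com", "name": "Alice"})
    bob = store.resolve({"subscriberid": "1002", "email": "bob@example.com", "name": "Bob"})
    # Alice changes her email and name; she must still land on her own account.
    alice_again = store.resolve(
        {"subscriberid": "1001", "email": "a.smith@example.com", "name": "Alice Smith"})
    # A different subscriber later presents Alice's old email address.
    # An email-keyed lookup would have attached this login to Alice's account.
    newcomer = store.resolve(
        {"subscriberid": "1003", "email": "alice@example.com", "name": "Other"})
    return alice["local_id"], bob["local_id"], alice_again["local_id"], newcomer["local_id"]


if __name__ == "__main__":
    print(demo())
```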
Comparison of the two approaches
The OAuth/LuLL approach provides a way to easily perform SSO without managing multiple secrets (one for SAML and another for OAuth). Also there is less operational overhead.
An advantage of the SAML-based approach is that it does not force the partner applications to perform the OAuth dance each time a user visits the partner website, even though the OAuth access token might be valid for the user.