Single Sign-On
In order to allow seamless connection to an existing authentication system, Coral utilizes the industry standard JWT Token to connect. To learn more about how to create a JWT token, see this introduction.
- Visit:
https://{ CORAL_DOMAIN_NAME }}/admin/configure/auth
- Scroll to the
Login with Single Sign On
section - Enable the Single Sign On Authentication Integration
- Enable
Allow Registration
- Copy the string in the
Secret
box - Click Save
NOTE: Replace the value of
{{ CORAL_DOMAIN_NAME }}
with the location of your running instance of Coral.
You will then have to generate a JWT with the following claims:
jti
(optional) - A unique ID for this particular JWT token. We recommend using a UUID for this value. This claim controls the logout functionality on the embed stream. To disable the “Sign Out” links in the embed, remove this claim, and disable “Login with email authentication” on the Comment Stream. You can then calllogout()
on the embed, or expire the token when the SSO user should be signed out of Coral.exp
(optional) - When the given SSO token should expire. This is specified as a unix time stamp in seconds. Once the token has expired, a new token should be generated and passed into Coral. Without this parameter you will need to calllogout()
on the embed itself.iat
(optional) - When the given SSO token was issued. This is required to utilize the automatic user detail update system. If this time is newer than the time we received the last update, the contents of the token will be used to update the user. Any claims not present on the jwt will be ignored on update, and will not overwrite existing values.user.id
(required) - the unique ID of the user from your authentication system. This is required to connect the user in your system to allow a seamless connection to Coral. This should not contain personally identifiable information (such as email address) because this unique identifier is exposed in our API.user.email
(required) - the unique email address of the user from your authentication system. This is required to facilitate notification email's about status changes on a user account such as bans or suspensions.user.username
(required) - the username that should be used when being presented inside Coral to moderators and other users. There are no username validations or restrictions enforced by Coral when you're using SSO.user.badges
(optional) - array of strings to be displayed as badges and custom flair badges beside username inside Coral, visible to other users and moderators. Badges are configured by passing through strings and can be used to indicate a user's subscription status.- Custom flair badges are configured by passing through names that link to the desired flair badge image.
- To use custom flair badges, they must also be enabled in the admin, and each custom flair badge name, image URL must be added in the admin as well. If you include the badges claim, but you are not passing a badge value, then use an empty array instead of null.
user.role
(optional) - one of "COMMENTER", "STAFF", "MODERATOR", "ADMIN". Will create/update Coral user with this permission level. When users have both an assigned role greather than COMMENTER and a badge, both will be displayed.user.url
(optional) - url for user account management, where a user will be able to perform account management tasks such as changing password or deleting data. If provided, user will be able to access this URL by clicking on the "account" tab from the stream.
An example of the claims for this token would be:
{
"jti": "151c19fc-ad15-4f80-a49c-09f137789fbb",
"exp": 1572172094,
"iat": 1562172094,
"user": {
"id": "628bdc61-6616-4add-bfec-dd79156715d4",
"email": "bob@example.com",
"username": "bob",
"badges": ["subscriber", "https://www.example/com/image.jpg"]
}
}
With the claims provided, you can sign them with the Secret
obtained from the
Coral administration panel in the previous steps with a HS256
algorithm. This
token can be provided in the above mentioned embed code by adding it to the
createStreamEmbed
function:
Coral.createStreamEmbed({
// Don't forget to include the parameters from the
// "Embed On Your Site" section.
accessToken: "{{ SSO_TOKEN }}",
});
Or by calling the login/logout
method on the embed object:
var embed = Coral.createStreamEmbed({
// Don't forget to include the parameters from the
// "Embed On Your Site" section.
});
// Login the current embed with the generated SSO token.
embed.login("{{ SSO_TOKEN }}");
// Logout the user.
embed.logout();
External Integrations
You can integrate directly with the Coral GraphQL API in order to facilitate account updates for your users when using Coral SSO. The relevant mutations are as follows:
updateUserUsername
lets you update a given user with a new username using an admin token.updateUserEmail
lets you update a given user with a new email address using an admin token.deleteUser
lets you delete a given account using an admin token. Note that even with an admin token, you may not delete yourself via this method, and instead must use therequestAccountDeletion
mutation instead. This differs from therequestAccountDeletion
as it does the operation immediately instead of scheduling it asrequestAccountDeletion
does.requestUserCommentsDownload
lets you retrieve a given account's comments download. This mutation will provide you with aarchiveURL
that can be used to download a ZIP file containing the user's comment export.
If you're unsure on how to call GraphQL API's, refer to the section here on Making your first GraphQL request.
Login Prompts
In order to handle login prompts (e.g. a user clicks on the sign in button) you can listen to the loginPrompt
event.
var embed = Coral.createStreamEmbed({
// Don't forget to include the parameters from the
// "Embed On Your Site" section.
events: function (events) {
events.on("loginPrompt", function () {
// Redirect user to a login page.
location.href = "http://example.com/login";
});
},
});
Troubleshooting JWT Validation Errors
In addition to the uniqueness constraints on User id
and email
values, each user.id
/user.email
combination must also be unique inside Coral. This is true for both Single Sign On users created by JWT tokens, as well as users that register/login using Coral’s built in “Login with email authentication”. You cannot share authentication strategies for a single user; thus, if a user logs in with SSO, they cannot also login with email and vice versa. When you attempt to authenticate a JWT token with an email address that already exists in Coral with a different user.id
than was passed on the token Coral will throw a Duplicate User error.
Any JWT validation errors thrown can be found in Coral's server logs.