Have you tried to configure your test tenant in SOD to use single sign-on / configure identity provider?

Our new federated login system (SuperId) has been used for all new tenants in SOD since March 2018.

Read more about SuperID concepts here

Earlier today we migrated a lot of old partnersites in SOD to SuperId, and this means you may now try to configure single sign on by following the description here: https://community.superoffice.com/en/technical/documentation/prepare/crm-online/superid/configureIDPforSuperID/

Do note, the article is written for the production environment (online.superoffice.com), and you'll need to use the following url to register your identity provider for the SOD environment: https://id-sod.superoffice.com/identityprovider/register

The login dialog for SOD has information about the change and we would like to get your input if you experience any issues logging in now.

Also - if you have any questions, please post them here so more may benefit from the answer as well.

RE: Have you tried to configure your test tenant in SOD to use single sign-on?

Important: We are in the process of moving all our CRM Online customers to SuperID and more than half of our customers are already there.
We are aware that some of you may experience problems with authentication inside iframes (web panels). 
You can read a little more about it here: https://community.superoffice.com/en/developer/create-apps/concepts/authentication/oidc/#iframe-idp-auth

By: Margrethe Romnes 21 Feb 2020

RE: Have you tried to configure your test tenant in SOD to use single sign-on / configure identity provider?

Hi, this sounds like something we need more information about. We've got several applications that run inside webpanels in SuperOffice, both for users on SuperID and not. We haven't experienced any particular issues like the ones mentioned in the link above.

Can we then assume that our stuff is OK? Or are there some upcoming changes that will affect us? I'm not understanding quite when this becomes an issue we need to deal with.

By: Frode Lillerud 21 Feb 2020

RE: Have you tried to configure your test tenant in SOD to use single sign-on / configure identity provider?

Hi,

I agree, more information is needed.

Last week I updated one of our apps to use openid connect (no popup) and it runs inside an iframe.
I’ve looked at the code here https://github.com/SuperOffice/SuperOffice.DevNet.Online/tree/master/Source/SuperOffice.DevNet.Online.Login to get ideas of how to implement OIDC support in our existing code base.
It works perfectly in our tenants both in SOD, Stage and production (we don't use an external idP), but for some customers in production it doesn't work when they use an idP like Office365 or Google.
I had to rollback the release and go back to the old authentication.

We get the error mentioned in the link:

SuperOffice.Exceptions.SoSessionException: Authentication failed! ---> System.NullReferenceException: Object reference not set to an instance of an object.
at SuperOffice.SoContext.Authenticate(SecurityToken[] tokens)

Is there any way we can find out if a customer/tenant has an external idP set for their domain?
I suspect it would be better not to open a popup window if it’s not necessary, i.e. when the customer is using SuperID passwords.

By: Gunnar Stensby 21 Feb 2020

RE: Have you tried to configure your test tenant in SOD to use single sign-on / configure identity provider?

Three conditions have to be present at the same time for this problem to occur:

  • your app runs in an iframe (web panel)
  • your app uses OpenID Connect (OIDC) for authentication
  • the customer running the app has chosen identity provider as their authentication method


Any scenario that combines these 3 will trigger the issue. Two common triggers are:

  • you run in iframe, customer has IdP and then you switch to OIDC in your app
  • you run in iframe and use OIDC, then the 1st customer switches to IdP

You cannot check if the customer running your app has an IdP or not, so you have to assume that they do - or will have in the future.

By: Bergfrid Skaara Dias 21 Feb 2020

RE: Have you tried to configure your test tenant in SOD to use single sign-on / configure identity provider?

Thank you Bergfrid, then this sounds like an issue we are going to have with the new application we're currently writing. 

Our older applications do not use OIDC, but the old way of authenticating. We've decided to get the new application up and running with OIDC before we convert the older apps over to OIDC as well. Sounds like that was a lucky call for us.

When you say "...has chosen identity provider as their authentication method", does that mean only Office365/Google authentication? Or does it also include normal SuperOffice authentication with SuperID?

By: Frode Lillerud 21 Feb 2020

RE: Have you tried to configure your test tenant in SOD to use single sign-on / configure identity provider?

We recommend that you handle this proactively and do the authentication in a pop-up dialog. We are exploring other options.

What do you mean by opening a pop-up dialog? When the app is loaded inside an iframe we can't simply open up a dialog/tab since the browser will usually block that...

Only way I can see we can 'solve' this is by not authenticating immediately when opening an app in an iframe but instead provide a link to authenticate, this link should then open in a separate tab (not in the iframe), but specifying target _blank in an iframe won't work. Making this change would also hurt the user experience of using an app that is loaded inside a webpanel... (For all users, not just external IDP users since we can't detect if the user is using IDP or not before doing the authentication process)

By: David Hollegien 21 Feb 2020
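
Added example (not part of the thread and not SuperOffice code): one way to structure the pop-up sign-in discussed above for an app in a web panel, with the parent accepting the result only from its own origin, from the window it opened, and with a matching `state`. The app origin, `callback.html`, the `oidc-callback` message type, the client id and the use of `response_type=code` are assumptions, and the flow assumes the pop-up keeps its `window.opener` reference after the redirects.

```javascript
const AUTHORIZE_URL = 'https://sod.superoffice.com/login/common/oauth/authorize'; // URL from the thread
const APP_ORIGIN = 'https://app.example.com'; // assumption: origin of the app and its callback page
const CLIENT_ID = 'YOUR_CLIENT_ID';           // placeholder

// Build the authorize request; `state` ties the response to this login attempt.
function buildAuthorizeUrl(state) {
  const url = new URL(AUTHORIZE_URL);
  url.search = new URLSearchParams({
    client_id: CLIENT_ID,
    redirect_uri: APP_ORIGIN + '/callback.html', // hypothetical callback page
    response_type: 'code',
    scope: 'openid',
    state,
  }).toString();
  return url.toString();
}

// Accept a message only from our own origin, from the window we opened,
// and only if it echoes the state we generated. Anything else returns null.
function acceptAuthMessage(event, expected) {
  if (event.origin !== APP_ORIGIN) return null;
  if (event.source !== expected.popup) return null;
  const data = event.data;
  if (!data || data.type !== 'oidc-callback' || typeof data.code !== 'string') return null;
  if (data.state !== expected.state) return null;
  return { code: data.code };
}

// Call from a click handler: window.open() without a user gesture is blocked.
function startPopupLogin(onCode) {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  const popup = window.open(buildAuthorizeUrl(state), 'so-login', 'width=500,height=650');
  if (!popup) return false; // blocked: leave the sign-in button visible
  const listener = (event) => {
    const result = acceptAuthMessage(event, { popup, state });
    if (!result) return; // ignore unrelated or forged messages
    window.removeEventListener('message', listener);
    popup.close();
    onCode(result.code); // hand the code to the app's backend for the token exchange
  };
  window.addEventListener('message', listener);
  return true;
}

// callback.html, loaded in the pop-up after the redirect back, would run:
//   const p = new URLSearchParams(location.search);
//   window.opener.postMessage({ type: 'oidc-callback',
//     code: p.get('code'), state: p.get('state') }, 'https://app.example.com');
```
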

RE: Have you tried to configure your test tenant in SOD to use single sign-on / configure identity provider?

Frode, it means that the customer has gone through the steps described in the New login experience article, specifically the Enable and use Federated login services of SuperId instructions.

By: Bergfrid Skaara Dias 21 Feb 2020

RE: Have you tried to configure your test tenant in SOD to use single sign-on / configure identity provider?

Any updates on this?

I'm working on our new app, which will redirect the application to https://sod.superoffice.com/login/common/oauth/authorize if it detects that it isn't authenticated, and I'm getting this in Chrome-console:

Access to XMLHttpRequest at 'https://sod.superoffice.com/login/common/oauth/authorize?client_id=2f5f0248d(snipped)' (redirected from 'https://localhost:44330/api/user') from origin 'https://localhost:44330' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Is this a symptom of the issue we're discussing?

By: Frode Lillerud 14 Apr 2020

RE: Have you tried to configure your test tenant in SOD to use single sign-on / configure identity provider?

Our issue was solved by changing from a JavaScript based call, to a plain HTML based one instead.

However, I'm still interested in the status of the original topic. Do we still need to figure out a way to use popup when authenticating? Has anyone done this in a published app?

By: Frode Lillerud 8 May 2020