Single Sign-On for the Registration UI

Important. The content on this page deals with single sign-on (SSO) using the JavaScript SDK. Due to changes in web browser technology, including the fact that most browsers prohibit the use of third-party cookies, SSO using the JavaScript SDK is no longer available to new Identity Cloud customers. (However, we will continue to support existing customers who use this methodology.) If single sign-on is important to you, we recommend that you use Hosted Login for your login and registration needs. See our Getting Started Guide to learn more about how single sign-on is implemented in Hosted Login.

This article discusses how to implement the Single Sign-On (SSO) solution for a family of websites using the Registration UI.

Enable Required JavaScript Settings

SSO is configured in the JavaScript settings that you implement for Registration. The following settings must be enabled on all sites within your SSO network:


  janrain.settings.capture.federate = true;
  // The federateServer URL will be provided by Janrain.
  janrain.settings.capture.federateServer = 'https://example.janrainsso.com';
  janrain.settings.capture.federateXdReceiver = 'https://mysite.com/xd_receiver.html';
  janrain.settings.capture.federateLogoutUri = 'https://mysite.com/logout.html';
        

Set Up XD Receiver URLs

Each site needs to host a static XD receiver (cross-domain receiver) page. The page is never visible to the end user. The XD receiver page for each site must reside on the same domain as the main site, or SSO will not work in some browsers.

The following content must also be added to the federateXdReceiver page:


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
 <head>
 <title>Cross-Domain Receiver Page</title>
 </head>
 <body>
 <script type="text/javascript">
 /*
  Cloudfront direct might be a little faster:
  https://d1lqe9temigv1p.cloudfront.net/js/lib/xdcomm.js
  but janraincapture.com will be easier for IT to whitelist:
  https://ssl-static.janraincapture.com/js/lib/xdcomm.js
 */
 var xdcommJs = (("https:" == document.location.protocol) ? "https://ssl-static.janraincapture.com/js/lib/xdcomm.js" : "http://cdn.janraincapture.com/js/lib/xdcomm.js");
 document.write(unescape("%3Cscript src='" + xdcommJs + "' type='text/javascript'%3E%3C/script%3E"));
 </script>
 </body>
</html>
        

Set Up Logout URLs

Each site needs to host a static SSO logout page. The page is never visible to the end user. The SSO logout page for each site must reside on the same domain as the main site, or SSO will not work in some browsers.
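
The same-domain requirement for the XD receiver and logout pages can be checked before deployment. The following is an added example, not code from Janrain or the Identity Cloud SDK: checkFederateSettings and the sample values are hypothetical, "same domain" is read strictly as an identical hostname, and the HTTPS warning is an extra check the page does not require.

```javascript
// Added example: pre-deployment check of one site's SSO settings.
// checkFederateSettings is a hypothetical helper, not part of the Janrain SDK.
const REQUIRED_URLS = ['federateServer', 'federateXdReceiver', 'federateLogoutUri'];
// Pages that must live on the same domain as the main site.
const SAME_DOMAIN = ['federateXdReceiver', 'federateLogoutUri'];

function checkFederateSettings(capture, siteUrl) {
  const findings = [];
  const siteHost = new URL(siteUrl).hostname; // URL lowercases the hostname

  if (capture.federate !== true) {
    findings.push({ level: 'error', setting: 'federate',
                    msg: 'must be true on every site in the SSO network' });
  }
  for (const name of REQUIRED_URLS) {
    let url;
    try {
      url = new URL(capture[name]);
    } catch (e) {
      findings.push({ level: 'error', setting: name, msg: 'missing or not an absolute URL' });
      continue;
    }
    // Assumption: "same domain" is interpreted as an identical hostname.
    if (SAME_DOMAIN.includes(name) && url.hostname !== siteHost) {
      findings.push({ level: 'error', setting: name,
                      msg: `host ${url.hostname} differs from site host ${siteHost}` });
    }
    // Extra hardening check (not stated on the page): flag cleartext URLs.
    if (url.protocol !== 'https:') {
      findings.push({ level: 'warning', setting: name, msg: 'not served over HTTPS' });
    }
  }
  return findings;
}

// Constructed sample: the logout page was left on a different host.
const sample = {
  federate: true,
  federateServer: 'https://example.janrainsso.com',
  federateXdReceiver: 'https://mysite.com/xd_receiver.html',
  federateLogoutUri: 'https://static.mysite-cdn.example/logout.html',
};
console.log(checkFederateSettings(sample, 'https://mysite.com/'));
```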

Enable Optional JavaScript Settings

There are several optional settings that may be enabled as well. The following example shows how to configure segments to create groups of sites between which to enable SSO.


  janrain.settings.capture.federateSegment = 'segment_1';
  janrain.settings.capture.federateSupportedSegments = ["segment_2","segment_3"];
        

Handle SSO Logins

Once a user has logged in to one of your sites, the Identity Cloud will automatically log that user in to any other SSO-enabled site that he or she visits. Both the onCaptureLoginSuccess and the onCaptureFederateLogin events will fire with the ssoImplicitLogin property set to true, which identifies the login event as an SSO login. This gives you the option to treat logins via SSO differently.