These docs are for AuthRocket 1.

SSO - Single Sign-On with AuthRocket

AuthRocket makes it easy to implement single sign-on across multiple apps or multiple components that all need to act like a single app.

It’s really straightforward: configure each app (or app component) to talk to the same Realm. That’s basically it.

AuthRocket supports multiple API keys on your account. For auditing and security purposes, we recommend using separate API keys for each app or app component.

AuthRocket also includes additional features to help you build a more flexible, more powerful SSO setup.

SSO for Logins and Signups via LoginRocket

With very little effort, LoginRocket can be configured to handle logins and signups in an intelligent manner for your SSO-enabled app.

The most basic setup lets each app share the same Realm, but otherwise treats each app independently. Each app will have its own login and signup page, and those pages can have app-specific titles, colors, and other visual elements.

To do this, simply configure one Connected App for each of your apps. Connected Apps each have their own login and signup handler URLs, making it easy to match those URLs to each app.

Seamless SSO

Seamless SSO lets you set up an even more powerful SSO experience. It adds two key features:

  • Extended login state tracking
  • Flexible redirects upon login

Both features can be used independently or together.

Login state tracking

By default, every time a user is sent to a LoginRocket login page, they have to log in again. LoginRocket won’t silently log a user back in, even if they still have an unexpired session. Extended login state tracking changes that.

With login state tracking, LoginRocket will remember the user’s login. Each time the user arrives at the login page, LoginRocket will first check for an unexpired and not-logged-out session. If found, the user will be automatically logged back into the app without having to log in again.

This feature can be toggled on and off for each Realm under Settings -> LoginRocket -> Seamless SSO.

Tracked logins work on a single domain / single Connected App, since a cookie is used to remember the session data.

Flexible redirects

As discussed above, every Connected App within LoginRocket has a Login Handler URL, which is where the user is redirected upon a successful login. For separate apps that all want to use the same set of users (the same Realm), simply add two or more Connected Apps, each with its own Login Handler.

But what if you want to conditionally send the user to different pages? Or what if you want to send them to entirely different apps? What if you want to remember logins (as above) and seamlessly transfer users between apps?

Each Connected App also accepts a configured list of allowed URIs that can be redirected to. Then, when sending a user to the login page, include a target redirect URI that matches (or is more specific than) one of the URIs on the list. When the login is complete (or an existing login session is found), the user will be automatically redirected there instead.

In the absence of a valid redirect alternative, the user will go to the Login Handler instead, ensuring no dead ends.

Let’s see exactly how it works.

  1. A user visits your app and needs to log in.

  2. Your app redirects them to LoginRocket, with a redirect URI.

  3. LoginRocket checks for an existing session. If not found, the user is prompted to log in. Once logged in, or with the existing session, the user is redirected back to your app.

For multiple apps, modifying the redirect_uri parameter will ensure the user ends up in the right place, and only one Connected App needs to be configured.
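One strict reading of "matches (or is more specific than)" for the allowed URI list, together with the Login Handler fallback, as an added example. This is not AuthRocket's code, and LoginRocket's actual matching rules may differ. All URLs and the names `ALLOWED_URIS`, `LOGIN_HANDLER`, `is_allowed` and `resolve_redirect` are constructed for illustration; the comparison is by exact origin and whole path segments rather than by string prefix.

```python
from urllib.parse import urlsplit

# Constructed sample configuration (assumption, not taken from AuthRocket).
LOGIN_HANDLER = "https://app.example.com/login"
ALLOWED_URIS = ["https://app.example.com/reports", "https://billing.example.com/"]

_DEFAULT_PORTS = {"https": 443, "http": 80}

def _origin_and_path(uri):
    """Return ((scheme, host, port), path_segments), or None if the URI is unusable."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in _DEFAULT_PORTS or not parts.hostname:
        return None  # relative, scheme-relative (//host) or non-HTTP(S) target
    if parts.username or parts.password or "\\" in uri:
        return None  # userinfo and backslash tricks hide the real host
    segments = [s for s in parts.path.split("/") if s]
    if "." in segments or ".." in segments:
        return None  # dot segments could climb out of the allowed path
    origin = (parts.scheme, parts.hostname.lower(), port or _DEFAULT_PORTS[parts.scheme])
    return origin, segments

def is_allowed(target, allowed_uris=ALLOWED_URIS):
    """True if target equals, or is more specific than, an allowed URI."""
    parsed = _origin_and_path(target)
    if parsed is None:
        return False
    origin, segments = parsed
    for entry in allowed_uris:
        allowed = _origin_and_path(entry)
        # Same origin, and the allowed path is a whole-segment prefix of the target path.
        if allowed and allowed[0] == origin and segments[:len(allowed[1])] == allowed[1]:
            return True
    return False

def resolve_redirect(target, allowed_uris=ALLOWED_URIS, login_handler=LOGIN_HANDLER):
    """Pick the post-login destination; fall back to the Login Handler (no dead ends)."""
    if target and is_allowed(target, allowed_uris):
        return target
    return login_handler
```

A plain `startswith` check against the same list would accept `https://app.example.com.evil.test/reports` and `https://app.example.com/reports-old`; comparing parsed origins and path segments rejects both.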

To learn more, see LoginRocket redirect handling.

As you can see, each of these features provides you with a lot of flexibility to connect apps together and to build a flexible, frictionless login experience for your users. Combined, they’re even more powerful and let you build a world-class login experience.
