
Simplified single sign-on model for different cloud CRM configurations

As the number of clients and the number of different software configurations of our cloud-based CRM system grew, it became necessary to provide single sign-on from the landing site (the main site) into every configuration available to a given employee.

By configuration, we mean a separate copy of the CRM system, hosted on its own subdomain (for example, conf1.acme.com) and backed by its own database (MySQL). Every configuration has a user table with the same or nearly the same structure: the "login" and "password" fields are always of the same type. Several organizations may exist within one configuration: certain types of documents are linked to, and available only in, a specific organization. The same user can be a member of several different organizations in the same configuration.

The landing site (acme.com) has a login / password entry form.

In order not to involve third-party services, we decided to develop an in-house single sign-on solution for all configurations. It is assumed that the MySQL account used by the main site's database has read access to the user tables of the configuration databases. In addition, for the password reset form, that account must be given write access to the password field and the password reset hash in the configuration user tables.

The list of configurations is kept in the configuration table of the main site's database.

During authorization, the following happens:

1. The user enters the username and password on the site and clicks the "Login" button. For each entry in the configuration table, queries are sent to match the login and password against that configuration's user table and to check that the user belongs to one of the configuration's organizations.

2. A list of available configurations and organizations is built and returned. If no matches are found, the message "invalid login / password" is displayed.

3. By clicking on the desired configuration and organization, the user enters the system.

One advantage of this approach is a certain degree of secrecy: a user with the same login can have different passwords in different configurations. When the user enters the login with one of those passwords, the configurations that use a different password are not shown. This is useful when, for example, one customer must not be shown that another customer exists. Unfortunately, the same point is also a shortcoming: the user has to remember many different passwords, and the point of a single login is lost.
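The lookup in steps 1-2 and the per-configuration password behaviour described above, as an added example that is not code from the original post: in-memory SQLite stands in for the main-site and configuration MySQL databases. The table and column names, the salted-and-hashed password storage and the sample user "ivanov" are assumptions of this example, not details from the post.

```python
import hashlib
import hmac
import os
import sqlite3

def hash_password(password):
    # Assumed storage format: hex(salt) + "$" + hex(PBKDF2-HMAC-SHA256 digest)
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()

def verify_password(password, stored):
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison

def build_demo():
    """Constructed data: main-site DB with the configuration table, plus one DB per configuration."""
    main = sqlite3.connect(":memory:")
    main.execute("CREATE TABLE configuration (name TEXT, subdomain TEXT)")
    main.executemany("INSERT INTO configuration VALUES (?, ?)",
                     [("conf1", "conf1.acme.com"), ("conf2", "conf2.acme.com")])
    configs = {}
    # The same login 'ivanov' exists in both configurations, with a different password in each.
    for name, password, orgs in [("conf1", "s3cret", ["Org A", "Org B"]), ("conf2", "other", ["Org C"])]:
        db = sqlite3.connect(":memory:")
        db.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, login TEXT, password TEXT)")
        db.execute("CREATE TABLE organization (id INTEGER PRIMARY KEY, name TEXT)")
        db.execute("CREATE TABLE org_member (user_id INTEGER, org_id INTEGER)")
        db.execute("INSERT INTO user VALUES (1, 'ivanov', ?)", (hash_password(password),))
        for org_id, org in enumerate(orgs, 1):
            db.execute("INSERT INTO organization VALUES (?, ?)", (org_id, org))
            db.execute("INSERT INTO org_member VALUES (1, ?)", (org_id,))
        configs[name] = db
    return main, configs

def available_configurations(main, configs, login, password):
    """Steps 1-2: walk the configuration table, match login/password per configuration, collect organizations."""
    result = []
    for name, subdomain in main.execute("SELECT name, subdomain FROM configuration"):
        db = configs[name]
        row = db.execute("SELECT id, password FROM user WHERE login = ?", (login,)).fetchone()
        if row is None or not verify_password(password, row[1]):
            continue  # no match: this configuration stays invisible to the user
        orgs = [o for (o,) in db.execute(
            "SELECT o.name FROM organization o JOIN org_member m ON m.org_id = o.id "
            "WHERE m.user_id = ? ORDER BY o.id", (row[0],))]
        if orgs:
            result.append({"configuration": name, "subdomain": subdomain, "organizations": orgs})
    return result  # empty list -> the site shows "invalid login / password"
```

Entering "ivanov" with the conf1 password returns only conf1 and its two organizations; the conf2 password returns only conf2, which is exactly the secrecy (and the many-passwords drawback) described above.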

To add a new CRM configuration to this model, it is enough to add the corresponding row to the configuration table and grant the rights described above in the configuration database.

To remove one, just delete the corresponding row from the configuration table.

This model also makes it possible to switch quickly from the current configuration to any other available configuration, for example from configuration 2 to configuration 1, or between organizations of the same configuration. For the switching script to work, you must either grant the configuration's MySQL account read access to the configuration table, or access that table through the MySQL account of the main site.

Source: https://habr.com/ru/post/276291/

