Topic: Single Sign On
Hey, I have a question about setting up single sign-on for our app. First, I'll explain the current setup.
- Currently, a user must have an account on our database (email and password) that they enter to log into our app.
- The user will also have to authenticate our app to use Wialon on their behalf (New Authorization Way). This only needs to be done once ever.
- I store that token in the database and associate it with an account in the database. The token never expires.
- When a user logs into our app with their email and password, they will also be logged into the Wialon API with that token.
What we want to do is allow the user to click on our app inside Wialon and automatically be authenticated when the new tab opens (like how Eco Driving doesn't make you log in). We don't want to have to use a query string because we're storing sensitive customer information in our database and had to pass a compliance test before being allowed access to it. Passing a session ID and a username, linking a Wialon username to an account in our database, and then checking for a valid session with the session ID isn't an option because of this. I would think it would be secure to send a POST request to our API with that information over HTTPS, though, and have our API authenticate the user that way.
So my question is:
Is this possible, and if so, how would I go about doing it?