Redirecting to an external login page, if login is successful go back

Hello guys,

I want to create a flow that does this thing:

  1. Click a button from the UI
  2. The button redirects to a website that asks you to log in. This is the site:

Sign in to Universitatea Politehnica București

  3. If authentication is successful, go back to the Node-RED UI.

I want to know if this is possible and, if yes, how do I launch that page.
Thank you

For now I have used this template to launch my site:

[{"id":"71bd6044.791278","type":"ui_template","z":"27e6a447.75ae8c","group":"d8596899.c56458","name":"","order":0,"width":0,"height":0,"format":"<div>\n    <a href=\"http://google.com\"><span>Google</span></a>\n</div>","storeOutMessages":true,"fwdInMessages":true,"templateScope":"local","x":580,"y":300,"wires":[[]]},{"id":"d8596899.c56458","type":"ui_group","z":"","name":"Default","tab":"ae47cffa.963c78","disp":true,"width":"6","collapse":false},{"id":"ae47cffa.963c78","type":"ui_tab","z":"","name":"Home","icon":"dashboard"}]

If your university is using LDAP for login you can use one of the LDAP nodes:
node-red-node-ldap

I am not sure how to know/verify if my university is using LDAP, but I am inclined to say no... since there is two-factor authentication.

Please correct me if I am wrong.

OK, you are wrong :slight_smile: Maybe.

This is a standard approach for external authentication. There will be an authentication service wrapped around the LDAP directory. That is likely to use something like the OAuth standards. You will need to speak to your Uni's IT department or use their reference documentation (if that exists). They will almost certainly want some assurances from you about how you will be using it.

I have two questions:

  1. The approach that I thought of (launch the page, and if login is successful come back) can't be implemented?
    I am asking this since I don't know if my university will give me the information needed.
  2. What exactly do I need to ask from my uni? I'm a bit confused. The LDAP server, so my credentials can be validated?

Yes, but typically the callback page has to be defined to the authentication service. What happens is that, as you attempt to access a controlled page, you are redirected to the authentication service which recognises that you are not authenticated and directs you to the login page. You complete the login and the authentication service knows where to redirect you to because of its configuration.

Initially, you need to ask them whether they permit the use of their directory for "Single Sign-On".

If they say yes, they will probably want you to fill in some paperwork or might want to talk to you directly. You will need to explain why you want to use that service and how.

You said yes, but afterwards it looks like an explanation for why it won't work :smile:
I know that I need to do the work, but can you please give me some directions related to Node-RED (nodes, logic), because I really have no idea how to do that or where to start?

I can't give more detail because that depends on the system that is being used for authentication. I can only give generic info.

You might want to do a search for using Google Authentication for Node-RED though as that is a typical authentication service you might use and it uses OAuth and a callback method as described. Really any of the OAuth based services work the same way.

Bottom line though is that unless the IT department lets you do it, you won't be able to. If they do allow it, they should have the details you need. Once you have that, then you can come back and we can help more specifically.

What you're trying to accomplish is called single sign-on: before you are authorized to access a service (Node-RED in your case) you need to authenticate against a directory service. You want to "federate access" between Node-RED and whatever the identity provider of your university is.

This could be achieved through different approaches, in the JavaScript world called "strategies". All modern systems use modern protocols (OAuth / OpenID Connect) to authenticate and authorize this kind of access.

All the redirections you mention in your post, from Node-RED to your university, then back to your Node-RED instance, are called authentication flows (nothing to do with Node-RED flows :wink: ).
If your university is using 2FA, there must be some sort of directory that matches users and their phone numbers. This directory (OpenLDAP, Active Directory, or any other...) is the source of trust you want to use.

So, what should you do? I would get familiar with all these topics and concepts before contacting your university IT and asking for permission to use their identity provider to be federated with your app.

Hello again guys, after doing some investigation and getting more familiar with all this stuff I came to a conclusion.
My university is using an SSO OpenID Connect identity provider and I need to ask them for the Client ID and Client Secret so I can use their endpoint, as you said.

Now, I searched for nodes that use OpenID and I found node-red-contrib-openid.
Is this what I need to achieve my goal (have a login button on my dashboard that launches my university SSO)?
Did I understand things the right way?