Passive authentication

Hi All,

Hoping someone can help with this question. In version 11, do we have the ability to force federation at application load? In other words if I register with an in house SSO OAUTH process and create a username, will Telligent recognize me as a federated user and log me into the community? OR Do I have to click log in a second time when I reach the community?

We are building a new community and want the first time registration and log in process to be seamless.

Thanks

Lisa



title change
[edited by: lallison at 9:54 PM (GMT 0) on Wed, Sep 16 2020]
  • An offline source has told me this is possible.

  • Hi Lisa, I wanted to round out your question with some thoughts on my experience implementing Passive Authentication

    To recap the conditions where Passive Authentication can be beneficial

    • Your company has a publicly available Verint Community, and by "public", specifically content in open groups that can be viewed without authenticating
    • Your company has a "Global ID" system in place, where multiple web applications share the same login and that login gets you access to these multiple applications. Sometimes the user is aware of this, sometimes it doesn't matter. It's similar to the concept of Apple ID where user's are conscious that their Apple ID can get them access to most things Apple

    For the user experience of Passive Authentication

    1. The user visits your home page or another public page
    2. When the page loads, some scripting checks for a Global ID session (usually with a lightweight API endpoint) to see if the user has an existing session on your identity management system
      1. If there is a session, there is a quick flicker of redirects, but when the page loads fully, you're automatically logged in. It's "Passive" because you didn't ask to log in, but as a Community Manager, you're providing this convenience to your customer
      2. If there is a not a session, you do nothing and the user continues to browse anonymously

    or

    1. The user is on another company page, e.g. www.NameOfYourCompany.com and has logged in through your Global ID
    2. When the user clicks on a Community link that is on that website, naturally the user would expect to be logged in there as well
    3. Once the user lands on community, then the steps 1 and 2 a in the previous flow apply and the user will be logged in automatically to the community. There is a common misconception here to think that the main website is "passing" something to the community, which it's not. It just happens that the user is logged in with a Global ID, and both the www site and community are configured to check for it. 

    For many years, the benefit here was the ability to authenticate your users as a convenience. A similar use case for this endpoint is to meet a security requirement, where even when a user is logged in, you check the session on every page load and every 30-60s if the page is left idle, so if your Global ID session expires, you can force Vering logout as well, keeping the user's browser experience secure.

    This sounds amazing, why doesn't everyone use this

    One reason is the performance consideration. If the reality is that your community traffic is 90% public and 10% authenticated, then checking your Global ID's session endpoint every page for every user on every application (not just Verint!) can hurt performance with all that traffic. One way to mitigate this is to check on the user's first access, then set a cookie for a reasonable amount of time - say, 15-20m - then try again. During this time, the user may actively try to authenticate, so the same means will be achieved and the user will establish a Global ID session by actively logging into the community. Then if they go to the company's main site, e.g. www.SomeWebsite.com that uses the same Global ID, they will be automatically logged in there.

    What are reasons why you wouldn't use Passive Authentication

    1. If you have a closed or gated community, you're forcing the user to log in every time, so the user has to choose to authenticate
    2. If your main Identity Management System is not mature enough to manage this traffic, or is using a homegrown system that doesn't allow for easy integration with other web applications

    As you can see from the amount of content here to describe it, it's not a trivial exercise, but it also can be done with just a little work

    • A widget, plugin or automation rule in verint to check your auth system for an existing session
    • Your authentication system must have a cookie or API that the community can check to see if this session exists

    Hope this helps!