Authentication Architecture Overview
VIDEO TRANSCRIPT | Recorded: 2022-01-27 | Verify against current system state
Abstract¶
Comprehensive overview of the AANP authentication architecture. eBusiness (Aptify web authentication) is the foundation: it issues the login cookies and tracks login state, and a user who is not logged into eBusiness is not logged in anywhere. SAML integrations connect to CraftCMS and the Higher Logic community. Identity Server provides OAuth2 for SurveyMonkey Apply, Conference Compass, and the mobile app. Legacy SSO tokens support older applications, and all of them require that an eBusiness login already be completed. Custom authentication integrations exist for vendors with non-standard requirements.
Key Procedures¶
- Understand eBusiness as authentication foundation
- Configure SAML service providers for CraftCMS and Higher Logic
- Use Identity Server for OAuth-based authentication
- Generate legacy SSO tokens for older app integrations
- Implement custom authentication for special vendor requirements
- Cross-authenticate between Identity Server and eBusiness
Notable Statements¶
- 0:00:14 "One of the first things we do is we talk about e-business. And e-business is where all of our applications start out"
- 0:00:53 "If you're not logged into e-business, you're not logged in anywhere"
- 0:01:09 "We have two SAML integrations at the moment. We have AMP.org, which is our Craft CMS. And we have community.amp.org, which is... higher logic"
- 0:01:37 "Aptify now provides this in Aptify 6.1 free"
- 0:02:43 "We didn't have an OAuth2 server, so this is... I set this up just for SurveyMonkey"
- 0:02:54 "We're using it for our new mobile app and it's going to be the main authentication point for our new AANP templates"
- 0:07:02 "Identity server lasts a really long time so if you're logged into identity server you're logged in for 30 days"
- 0:07:16 "eBusiness is finicky... a lot of times you're not" (logged in for 30 days)
- 0:07:25 "Once eBusiness restarts then you're no longer authenticated"
- 0:09:34 "All of these require that you already have a legacy login completed"
- 0:09:47 "We usually try to put those in one solution called redirects"
- 0:10:54 "I would personally like to see identity server at the front being the primary... but I don't think we'll be there for a while"
Systems & Configurations¶
Systems Mentioned¶
- eBusiness (Aptify web authentication)
- Identity Server (OAuth2 provider)
- SAML SSO (via Aptify plugin using ComponentSpace SAML)
- CraftCMS (SAML service provider)
- Higher Logic (SAML service provider)
- SurveyMonkey Apply (OAuth consumer)
- Conference Compass (OAuth consumer)
- 6Connect (custom auth - virtual conference)
- Site Affinity (legacy CMS)
Specific Configurations¶
| Item | Value/Setting | Timestamp | Notes |
|---|---|---|---|
| Identity Server session | 30 days | 0:07:07 | Long-lived session |
| eBusiness session | 30 days (intended) | 0:07:16 | Resets on app restart |
| SAML endpoints | /sso/login, /sso/logout | 0:01:55 | Aptify plugin |
| Valid domains | .amp.org, .ampqa.com, .ampuat.com | 0:08:34 | Allowlist for post-login return URLs |
| AANP Auth module | DLL in IIS | 0:04:19 | Web group restriction |
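The return-URL allowlist in the table above is the kind of check an SSO redirect endpoint has to get right, since an open redirect after login hands the session to an attacker-chosen site. The block below is an added example, not code from Aptify, Identity Server or the AANP auth module: it models the three allowed domains from the notes and shows the checks a suffix-based allowlist needs so it cannot be bypassed by lookalike hosts (amp.org.evil.com, notamp.org), userinfo tricks (www.amp.org@evil.com) or scheme-relative and javascript: URLs. The function names, the HTTPS-only rule, acceptance of the apex domains and of site-relative paths, and the default landing URL are assumptions for the example.

```python
"""Return-URL allowlist check for an SSO redirect endpoint.

Added example; not the Aptify/AANP implementation. The allowed domains
come from the architecture notes; HTTPS-only, apex-domain acceptance,
site-relative paths and DEFAULT_RETURN are assumptions for illustration.
All URLs used in tests are constructed.
"""
from urllib.parse import urlsplit

ALLOWED_DOMAINS = ("amp.org", "ampqa.com", "ampuat.com")  # from the notes
ALLOWED_SCHEMES = ("https",)                               # assumption
DEFAULT_RETURN = "https://www.amp.org/"                    # assumption


def host_allowed(host: str, allowed=ALLOWED_DOMAINS) -> bool:
    """True if host is an allowed apex domain or a subdomain of one.

    Matching on a label boundary ('.' + domain) rather than
    str.endswith(domain) keeps 'notamp.org' and 'evilamp.org' out.
    """
    host = host.lower().rstrip(".")  # trailing-dot FQDN still matches
    return any(host == d or host.endswith("." + d) for d in allowed)


def safe_return_url(candidate: str, default: str = DEFAULT_RETURN) -> str:
    """Return candidate if it is a safe post-login redirect, else default."""
    if not candidate:
        return default
    # Browsers treat '\' like '/' in some positions; reject it outright.
    if "\\" in candidate:
        return default
    try:
        parts = urlsplit(candidate.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return default

    # Site-relative path: stays on the current host. '//host' is
    # scheme-relative and must not be treated as relative.
    if not parts.scheme and not parts.netloc:
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return default

    # 'https://www.amp.org@evil.com/' parses with hostname evil.com and
    # username www.amp.org; userinfo in a return URL is never legitimate.
    if parts.username is not None or parts.password is not None:
        return default

    host = parts.hostname
    if not host or not host_allowed(host):
        return default
    return candidate
```

The check is applied at the SSO login endpoint before issuing the redirect; when the candidate fails, the user lands on the default page instead of being sent off-site, which is safer than surfacing the rejected URL in an error message.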
Credentials/Access Mentioned¶
- IIS modules access for AANP authentication
- Aptify 6.1 includes free SAML provider
Vendor Contacts Mentioned¶
- Ray and BHW (built legacy SSO tokens)
- Site Affinity removal discussion with Matt
Errors & Troubleshooting¶
- Issue: Logged into Identity Server but not eBusiness
- Cause: an eBusiness restart clears eBusiness sessions, while the Identity Server session persists for its full 30 days
- Resolution: re-establish the eBusiness session by requesting an eBusiness login through Identity Server, passing the Identity Server token (the cross-authentication step)
- Timestamp: 0:07:28
Transcript Gaps & Quality Notes¶
- Architecture overview recording (15 minutes)
- Diagram referenced but not captured
- Discussion of Site Affinity removal obstacles
- Catalog/cart functionality as biggest blocker
- Development info section contains diagram