Implementing Membee's Member Single Sign-On Service

Overview

The purpose of this document is to walk you through the easy implementation of Membee's free Member Single Sign-On service. The service enhances the member's experience by making it easy for them to log in once to your site and access all the secured features found there, regardless of the provider/vendor or platform used to provide these features. This document will cover:

  • The Prerequisites - The requirements your third party application/website developer must meet to implement this powerful feature.
  • The Need - This describes how, without Member Single Sign-On, your members will have to use multiple username and password combinations to move through your site and you will also need to maintain multiple login databases.
  • The Solution - See how Membee's Member Single Sign-On makes it easy to use one mechanism to control member access to all features of your site.
  • Implementation Steps - The process to a simpler and more rewarding experience for your members.
  • Steps in Membee - How to activate support for the member single sign-on feature for an individual or group of members.
  • Technical Appendix - Developed in conjunction with numerous web developers, everything your third party application developer needs to integrate Membee's Member Single Sign-On into the applications and/or sites they provide for you.

 

The Prerequisites

Your third party developer needs to have experience in working with authentication protocols.  MSSO does not set-up or replace security on your site - if you are currently unable to secure content (such as making a page only accessible to people with a valid username and password)  then you will need to ensure that your developer has the skills and/or experience necessary to implement security on your site and this will need to be in place before you will be able to implement MSSO.  In order to implement MSSO, you should inquire with your developer about the following:

  • Your third party application developer must be experienced in or have the skills in the use of the standard authentication protocols, either the OAuth (LinkedIn, Yahoo, Twitter), OAuth2 (Facebook) or the OpenID2 (Google) authentication protocols as Membee's methodology is similar in approach.
  • Your third party developer's application must be able to pass information via the query string or form post.
  • Your third party developer's application must be able to accept information via the form post method.
  • Your site management tool has the capability to track site users
  • The site can restrict access to content based on someone being defined as a site user
  • The site can restrict access to content based on someone being defined as a site user and that site user having one or more specified access roles. For example, if the tool does not have a data structure to store site users and their access roles, there is nothing for Membee to integrate with. Square is a popular site management tool that has no concept of a site user, so you can never restrict access to content to only registered site users.
  • Your developer understands and has the coding capability to do the integration - generally speaking this integration would be roughly 3/4 of a page of code (PHP), but some site management tools don't allow this customization

We also suggest that you provide a link to this document to your developer before you begin your project so that they can review the document and confirm for you that they can implement this service on your site and/or application. The Technical Appendix below has evolved based on the feedback from previous web developers who have used the Member Single Sign On service and should provide all of the details needed to launch this service.

The Need: Eliminate Multiple Member Logins on Your Site

Associations commonly use third party developed web applications to provide a unique or specialized member/customer benefit. Since these applications are often developed independently of the implementation of Membee, these applications often provide an independent login mechanism to allow or deny access by the member to the application.

This often requires the member to use several different login IDs and passwords to access various portions of the association's web site. See the example in Figure 1.

 

 

 TwoLoginDatabases_02.jpg

Figure 1: In this example you are maintaining two separate login databases. The member must sign in again (possibly with a different username and password) to move between Membee web content and third party application content.

Multiple login scenarios detract from the member's experience on your website and create a barrier to usage of your association site, simply as a result of the lack of integration between the third party applications and the source member information managed by Membee. Administrative workload also increases as a result of having to develop, communicate, and maintain multiple usernames and passwords for each member.

 

The Solution

Membee provides a login page that addresses this issue and provides the following general capabilities (See Figure 2):

  • Each member has one ID and password for use on the association's site, regardless of the application or site feature being accessed.
  • You can dramatically increase member participation in secured applications and/or content by implementing Membee's Social Login feature to permit members to use one of their social network identities (username and password) for access
  • Only one login is required to access any "members-only" application or module on the association's site.
  • A single login form provided as part of this service handles the user/member login for all applications, site sections, and modules you wish to secure.
  • Only third party applications or programs approved by your association and Membee can access member login capability.
  • Use Membee's Programs & Access Roles feature to define a subset of members within Membee who may be the only members permitted to access a specific section, page or feature in your third party application or site. For example, a content page that is only visible to the members of your Board of Directors committee managed in Membee.
  • All login IDs and passwords are maintained in Membee functionality which further reduces administrative workload on association staff members.
    • All activation or deactivation of a member login in Membee applies to all Membee member functionality and any third party application and/or protected content secured with Membee's Member Single Sign-On service.
  • The Membee Member Single Sign On service is platform independent meaning the service can be used on sites in both the Windows and Linux platforms.
  • Membee uses an "embed" methodology for deploying much of its capabilities and this approach minimizes the technical skills required by your third party developer to utilize the Member Single Sign On service. 

In addition, Membee's login page provides the following benefits to the association's other third party web application developers:

  • Determine if a member is already logged in - perhaps the member used a Membee feature (member profile, member event price, etc.) earlier in their session on your site before wishing to access the third party application, or vice versa.
  • Provide the member with a single, familiar login form to login and generate a new valid session available to all authorized online applications, Membee features and/or protected content. 
  • Integrated Forgot Password method so that your member can still login as easily as possible to all applications on your site.
  • Integrated Change Passwords method so that if your member changes their password in one place, the new password works everywhere on your site to enhance the member's experience.
  • Integrated Single Sign Out that forwards the member to a common sign out page.

OneLoginDatabases_02.jpg

Figure 2. Members at your site have one username and password, and move easily between your website, Membee features, and the third party application and/or protected website content.

 

 

 

Terms & Conditions

While rare, a change to Membee or the code that supports your login page may cause the third party application's interaction with the Membee Integrated Single Sign On to stop working and such a change may happen without notice. Should this occur, you are responsible for the cost of modifying your third party application to make it compatible with the revisions.

 

Implementation Steps

Getting up and going is easy by simply following these steps:

  1. Create the program and any associated roles (if needed) within that program within Membee
    1. You can name the new program anything you like - in our example here, we called ours "Integrated Login"
    2. For the detailed steps for creating a new program in Membee, please refer to this article - http://membee.zendesk.com/entries/20730812-programs-and-roles
    3. Your newly created program will contain all of the information your third party developer needs to implement Membee's Member Single Sign On service on your site or application
  2. Share this document with your third party developer(s)
    1. The Technical Appendix contains everything they need and will allow them to get a handle on the changes they need to make to integrate the single login capability into their application. We have even provided sample code to make this process easier for them.
  3. Add the login capabilities to your application/site - see Technical Appendix
  4. Test the third party application using the new page in the application by using a person's username and password stored in Membee and try to access your third party application or site.

 

Steps in Membee

The Member Single Sign On service is a feature that you will provide to your members and staff. Normally, Membee access for a person is set using two program permissions (shown in the Access Information panel in their person record in Membee):

  1. A member typically has the "Member Service Center" program, which allows them to log in to Member Profile Update, E-Billing, the Event Calendar, and members-only pages in our Content Management System.
  2. A fellow staff member typically has the "Association Staff" program to allow them access to Membee and the Content Management System.

If you want someone to be able to access your third party web application, you will need to add the "Integrated Login" program. For details on how to do this for an individual or for a group in a batch, please refer to this article:

http://membee.zendesk.com/entries/20730812-Programs-Access-Roles

 

Technical Appendix

1. Technical Overview

The Membee Login Widget can be easily embedded within your application and provides the following benefits:

  • It provides easy login integration to your application or site for our mutual client customers and their membership base.
  • It provides all users with the ability to log in via multiple social networks. The client can then easily manage member authentication and authorization from within Membee.

Here is the basic login workflow for a member using your application or site:

  1. The member will access the embedded login functionality within your application.
  2. They will then be presented with a screen that allows them to login via username/password or a number of social network logins.
  3. Based on the member’s choice, the login widget will process the login.
  4. The login widget will then redirect the process to the destination URL (DestURL).
    1. If the attempt to login failed, the page should present the member with information to that effect and instructions on what to do next.
    2. If the attempt was successful, your Login Process Page should:
      1. Get the user ID and roles via the ExchangeTokenForID service.
      2. If the ExchangeTokenForID service completes without error, authenticate the user. If the service does not complete, the user should not be authenticated on your site. Failure to implement this step could enable your secured content to be viewable by non-members.

The diagram below illustrates the process using "WordPress" as the third party application or site.

 Authentication_Roles.jpg

 

2. Terms

The following terms are used by the service as parameters in its various capabilities:

| Name | Example | Description |
| --- | --- | --- |
| ClientID | 501 | Each Membee client organization will have a unique ID. |
| AppID | 350 | This is the App ID provided by Membee, which uniquely identifies your application and allows it to be used by more than one Membee client organization. It is static for all clients. |
| APIKey | eaf93280-1da7-4af6-96ab-d60b6c704f5e | Secret key used for service integration. This will be the same for all implementations of your application within Membee. |
| DestURL | | This is the page that the Membee Login Widget will redirect to after an attempted login. This page must be able to process the values returned from Membee and then present the appropriate page for the process. It can contain querystring parameters used by your site. For example, you could pass in the page the member originally requested. On successful login with Membee, this page should authenticate the user against your site and forward them on to the desired content. If the login is not successful, then the user should be redirected back to the Membee Login Widget to give them the ability to try their login again. |
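When DestURL carries the page the member originally requested, the processing page should check that value before forwarding to it. The following is an added example, not Membee's code; it assumes the site keeps its own allowlist in the same semicolon-separated form as the Trusted Domains setting and matches hosts exactly, and the names `parse_trusted_domains` and `safe_forward_target` are chosen for this example.

```python
from urllib.parse import urlsplit


def parse_trusted_domains(setting):
    """Split a 'domain1.com;domain2.com' style list into a normalised set."""
    return {d.strip().lower().rstrip(".") for d in setting.split(";") if d.strip()}


def safe_forward_target(requested, trusted, default="/"):
    """Return `requested` only if it is a local path or an https URL on a trusted host."""
    # Backslashes and control characters are treated inconsistently by browsers: reject.
    if not requested or any(c in requested for c in "\\\r\n\t"):
        return default
    try:
        parts = urlsplit(requested)
    except ValueError:
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a single-slash absolute path.
        # ('//host/path' is scheme-relative and would leave the site.)
        if requested.startswith("/") and not requested.startswith("//"):
            return requested
        return default
    host = (parts.hostname or "").lower().rstrip(".")
    # Absolute URL: https only, exact host match, no userinfo ('user@host') component.
    if parts.scheme == "https" and host in trusted and parts.username is None:
        return requested
    return default


if __name__ == "__main__":
    trusted = parse_trusted_domains("domain1.com;domain2.com")  # constructed allowlist
    for candidate in ("/members/board?x=1", "//other.example/x",
                      "https://domain1.com.other.example/", "https://domain2.com/page"):
        print(candidate, "->", safe_forward_target(candidate, trusted))
```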

 

3. Embedding the Login Widget

The login widget allows you to place access to member login capability on any page using the following methods:

  1. IFrame Implementation - recommended
  2. Fly-out Modal method - an optional method which presents the login functionality in a modal that appears after a link click event

Parameters

| Name | Required | Description |
| --- | --- | --- |
| ClientID | Y | See Terms. |
| AppID | Y | See Terms. |
| DestURL | Y | This is where the system will pass the results of the login process to. The URL will be checked against valid domains stored within Membee. |

 

Getting the Snippets You Need

Membee generates the few lines of code you need to deploy the Member Single Sign On service. Here are the steps within Membee to generate the code needed:

  1. Login to Membee
  2. Choose Admin
  3. Choose Programs & Access Roles
  4. Click on "Add" and fill in the following information
    1. Name: Give the program a name.  This is the name that will be used to assign the user rights to the members in Membee. 
    2. Description: Write a quick description that describes what this program is for.  
    3. Trusted Domains: Enter the domain(s) for the site the login is being implemented on. Each domain name should be separated by a semicolon (for example, domain1.com;domain2.com;...)
  5. Click on Save.  This will generate the Secret, App ID and code for the Login Flyout, Login IFrame and Reset Login Widget that you will need below.
  6. Copy the required snippets from the Widget panel 

Here is an example of a defined program and its associated roles in Membee's Programs & Access Roles page:

IntegratedLoginProgram_RoleConfig.png

Implementation of the Create/Reset Login Feature (Required)

This feature provides the functional capability for the member to either initially create, or in the future, revise their login preferences (perhaps they wish to use a different social network identity or change their password). This feature is mandatory in your use of Membee's Member Single Sign On service because without it, the member is unable to either create a username and password or associate their access with one of their social network identities.

To deploy this feature you:

  1. Create a page in your application or site
  2. Embed the Create/Reset Login Widget snippet on your page

IFrame Implementation for the Login Feature

This allows you to present the member with a standard login page regardless of "what" they are trying to access. The member would see the login options upon navigation to this page. They would not have to click a link in order to open the login modal. This would be beneficial for when the member often enters an invalid username and password combination. 

To deploy this feature you:

  1. Create a page in your application or site
  2. Embed the Login IFrame Widget snippet on your page

Fly-out Modal Implementation for the Login Feature

If you are using script-driven modals in your site or application then the fly-out modal for accessing Membee's login may be a nice feature to add (See the Fly-out Example below).

In terms of capability, it is exactly the same login functionality as presented if you employ the IFrame implementation. The only slight difference is that if the member is returned to the login functionality again by your application after a failed login attempt, the member would be required to click the link to trigger the fly-out again so they can try their login again.

 

FlyOutLoginModal.png

To deploy this feature you:

  1. Embed the Login Flyout Widget snippet on your page

Values Sent To Processing Page 

The following are sent to your processing page when login is attempted.

| Name | Description |
| --- | --- |
| Token | Used to call the ExchangeTokenForID service. It is only valid for 5 minutes. It is only included on successful logins. |
| Error | Text returned in the event of an unsuccessful login or error in the system. |
| Error_description | More descriptive error. |

 

4. Logout From Your Application and Membee

Process the logout of the member on your site. Then redirect the member to https://memberservices.membee.com/feeds/Login/Logout.aspx to have them logged out of the Membee component. On successful logout, the member will be returned to the desturl.

| Name | Required | Description |
| --- | --- | --- |
| ClientID | Y | See Terms. |
| AppID | Y | See Terms. |
| ReturnURL | Y | This is where the service will pass the results of the login process to. The URL will be checked against valid domains stored within Membee. |

5. Check Login

This page is available to see if the member has already been authenticated against the Membee Login services. Simply passing in the identified parameters will allow the system to check the member and then return information that identifies what step your system should follow next.  This page can be found at https://memberservices.membee.com/feeds/login/LoginCheck.aspx.

Parameters

| Name | Required | Description |
| --- | --- | --- |
| ClientID | Y | See Terms. |
| AppID | Y | See Terms. |
| DestURL | Y | This is where the service will pass the results of the login process to. The URL will be checked against valid domains stored within Membee. |

If the member has been previously authenticated, a token will be passed to the DestURL.

6. Services

ExchangeTokenForID

This service exchanges the token for the user's ID within Membee. This ID can then be used to request other information via our other services.  This step is also your only way to ensure that the token received on your login processing page is valid.  Failure to do this step could enable your secured content to be viewable by non members.

Syntax:

ExchangeTokenForIDSyntax.png

Parameters

| Name | Required | Description |
| --- | --- | --- |
| APIKey | Y | See Terms. |
| AppID | Y | See Terms. |
| ClientID | Y | See Terms. |
| Token | Y | This value is passed to your login processing page from the Membee Login Widget upon successful login. It is valid for 5 minutes. |

 

7. Output - ProfileSummary (JSON Object)

The following values are returned in the JSON object (see the sample below):

| Name | Description |
| --- | --- |
| UserID | User's ID used to interact with other services within Membee. This ID will be used in all other service calls to request information on behalf of this user. |
| FirstName | User's first name. |
| LastName | User's last name. |
| ConID | Legacy ID for use in older integrations. |
| Email | User's email address. |
| Roles | A list of roles that the user has been granted for this application. |
| JoinDate | The date the member joined. |

 Sample:

{"ConID":11111,
"Email":"testuser@test.com",
"FirstName":"Test",
"JoinDate":"\/Date(1366905036003-0400)\/",
"LastName":"User",
"Roles":["Role1","Role2"],
"UserID":11111}
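The login processing page from the workflow in section 1, together with the ExchangeTokenForID step and the ProfileSummary output, as an added Python example (not Membee's sample code). The ExchangeTokenForID request syntax is not reproduced in the text, so the call is passed in as `exchange_token`, a hypothetical wrapper that returns the ProfileSummary JSON text; `process_login_callback`, `parse_join_date` and `required_role` are likewise names chosen for this example.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed reply, copied from the ProfileSummary sample above.
SAMPLE_REPLY = (r'{"ConID":11111,"Email":"testuser@test.com","FirstName":"Test",'
                r'"JoinDate":"\/Date(1366905036003-0400)\/","LastName":"User",'
                r'"Roles":["Role1","Role2"],"UserID":11111}')

# JoinDate format in the sample: /Date(<milliseconds since epoch><+/-HHMM>)/
_DATE = re.compile(r"^/Date\((-?\d+)([+-]\d{4})?\)/$")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_join_date(value):
    """Convert '/Date(1366905036003-0400)/' to a timezone-aware datetime."""
    m = _DATE.match(value)
    if not m:
        raise ValueError("unrecognised date format")
    offset = m.group(2) or "+0000"
    delta = timedelta(hours=int(offset[1:3]), minutes=int(offset[3:5]))
    tz = timezone(-delta if offset[0] == "-" else delta)
    return (_EPOCH + timedelta(milliseconds=int(m.group(1)))).astimezone(tz)


def process_login_callback(params, exchange_token, required_role=None):
    """Return (authenticated, user_or_reason) for values posted to the DestURL page.

    exchange_token(token) is a hypothetical wrapper around the server-side
    ExchangeTokenForID call and returns the ProfileSummary JSON text.
    """
    if params.get("Error") or not params.get("Token"):
        return False, params.get("Error_description") or params.get("Error") or "no token"
    try:
        profile = json.loads(exchange_token(params["Token"]))
        roles = profile.get("Roles") or []
        if not isinstance(roles, list):
            raise ValueError("Roles is not a list")
        user = {"user_id": int(profile["UserID"]), "email": profile["Email"],
                "roles": roles, "joined": parse_join_date(profile["JoinDate"])}
    except Exception:
        # Service error, expired token (5 minute lifetime) or malformed reply:
        # fail closed and do not create a local session.
        return False, "token exchange failed"
    if required_role is not None and required_role not in user["roles"]:
        return False, "missing role"
    return True, user


if __name__ == "__main__":
    # Token and error values below are constructed for the demonstration.
    print(process_login_callback({"Token": "constructed-token"}, lambda t: SAMPLE_REPLY, "Role1"))
    print(process_login_callback({"Error": "constructed-error"}, lambda t: SAMPLE_REPLY))
```

The local session is created only when the first element of the result is true; every other path, including an exception from the service call, leaves the visitor unauthenticated.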
