Good evening!
We have several partners/applications that will be using IS4 in the future. We are going to start out by routing them to IS4 login page and then route them back to application in question. One of our applications is multi-tenant. Can you provide some insight into how we might style/brand IS4 login UI based off Partner and/or Application? This is a request from our product dept. I have been attempting to use the Header in the REST call, but I'm not having much luck.
v/r
Sarah Clements
OpenID Connect is designed so that you go to the client (application) which may already have a cookie and then to the IdP if cookie is not present. Does that work?
From: Sarah Clements notifications@github.com
Sent: Sunday, November 12, 2017 7:00 PM
To: IdentityServer/IdentityServer4
Cc: Subscribed
Subject: [IdentityServer/IdentityServer4] Branding of IS4 (#1741)
Good evening!
We have several partners/applications that will be using IS4 in the future. We are going to start out by routing them to IS4 login page and then route them back to application in question. One of our applications is multi-tenant. Can you provide some insight into how we might style/brand IS4 login UI based off Partner and/or Application? This is a request from our product dept. I have been attempting to use the Header in the REST call, but I'm not having much luck.
v/r
Sarah Clements
Can you provide some insight into how we might style/brand IS4 login UI based off Partner and/or Application
While this is possible (as you have client id in the AuthorizeRequest available to you in the login page), I discourage it. You should change your thinking that users are logging into your company's authentication system, not a specific app's login system. You don't log in to Google Calendar, you're logging into Google... from which you can access your calendar, drive, videos, email, etc.
We don’t disagree technically, however our partners' “customers” who are logging in do not know of our company. We are more of a third party to them. Some are afraid it would cause confusion. Each partner is able to brand their space accordingly based off vanity URL. We would like to provide an option if there is one. It would have to be more granular than Client Id.
On Nov 12, 2017, at 9:54 PM, Brock Allen notifications@github.com wrote:
Can you provide some insight into how we might style/brand IS4 login UI based off Partner and/or Application
While this is possible (as you have client id in the AuthorizeRequest available to you in the login page), I discourage it. You should change your thinking that users are logging into your company's authentication system, not a specific app's login system. You don't log in to Google Calendar, you're logging into Google... from which you can access your calendar, drive, videos, email, etc.
I agree with Brock. But the client has complete control of the redirect URL and can add any hints it wants to send to the IdP.
It would have to be more granular than Client Id.
You can send custom parameters to the authorize endpoint - and can access them in the account controller via the IIdentityServerInteractionService.
Or also pass a tenant param in acr_values, as that sounds like it might match your scenario (if your partner is a tenant).
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
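One way to consume the tenant hint discussed in this thread, as an added example that is not from the thread or the IdentityServer4 project: it reads `Tenant` (populated from `acr_values=tenant:<name>`) or a custom parameter through `IIdentityServerInteractionService` and maps it to a stylesheet from a fixed table. `LoginBrandingResolver`, the `partner` parameter, the tenant names and the CSS paths are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using IdentityServer4.Services;

// Hypothetical helper: maps the tenant hint on an authorize request to a login theme.
public sealed class LoginBrandingResolver
{
    // Constructed sample data: tenant name -> stylesheet hosted by the IdP itself.
    private static readonly IReadOnlyDictionary<string, string> Themes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["contoso"]  = "/css/themes/contoso.css",
            ["fabrikam"] = "/css/themes/fabrikam.css",
        };

    private const string DefaultTheme = "/css/themes/default.css";

    private readonly IIdentityServerInteractionService _interaction;

    public LoginBrandingResolver(IIdentityServerInteractionService interaction)
        => _interaction = interaction;

    // Call from the Login action, e.g.:
    //   ViewData["Theme"] = await resolver.ResolveAsync(returnUrl);
    public async Task<string> ResolveAsync(string returnUrl)
    {
        // Null when returnUrl is not a valid authorize request for this server.
        var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
        if (context == null) return DefaultTheme;

        // Tenant is filled from acr_values=tenant:<name>; "partner" is a
        // hypothetical custom query parameter used as a fallback.
        var hint = context.Tenant ?? context.Parameters["partner"];

        // The hint arrives in the query string, so anyone can set it: use it only
        // as a key into the fixed table, never as a path, URL or markup fragment.
        return hint != null && Themes.TryGetValue(hint, out var theme)
            ? theme
            : DefaultTheme;
    }
}
```

Because the hint is caller-supplied, it should drive presentation only; access decisions still belong to the client registration and the authenticated user's claims.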