What is SSO?
Single-sign-on, or SSO, is a collection of protocols that enables you or your users to utilize FastComments without having to register for a new account.
In the event that you disallow anonymous comments, FastComments requires an account to comment. We make the sign-up process incredibly simple; all a user needs to do is include their email while commenting. Even yet, we recognize that certain websites would like to avoid that added friction. This is where SSO comes in.
Where can I buy it?
SSO and support are currently available to all FastComment account types. The maximum SSO user count will change based on your plan, though.
There is no code to write if our WordPress plugin is being used. Simply click SSO Settings, followed by Enable, on the plugin’s Admin page.
This will direct you to a simple process where you can click one button to generate your API key, transfer it to your WordPress installation, and enable SSO. For your convenience, we’ve combined this into a single button click.
Keep in mind that you must complete the setup procedure if you are installing the plugin for the first time before you can access the admin page with the SSO Settings button.
FastComments uses HMAC-SHA256 encryption for custom integration with SSO. The broad architecture, examples, and specific steps will be covered first. However, there are instructions for switching from Commento and Disqus at the end of this post.
The flow looks like this:
FastComments SSO eliminates the need for new API endpoint creation. Simply use your secret key to encrypt the user’s data before sending the encrypted payload to the comment widget.
They offer fully working code samples in a variety of programming languages and environments, such as NodeJS, Java/Spring, and pure PHP. The native crypto packages in these run-times are sufficient to implement FastComments SSO.
You can find the code example repository here:
Acquire Your API Secret Key
You can get your API Secret from the FastComments dashboard. By heading to My Account, selecting the API/SSO tile, and then selecting “Get API Secret Key,” you can find the key.
Widget Parameters for Comments
When utilizing FastComments to pass your customer id, you already have the configuration object that the comment widget requires (called tenantId).
Pass a new “sso” object with the required parameters to enable SSO. The values ought to be created on the server.
- userDataJSONBase64: The user’s data is encoded in Base64 after being converted to JSON format.
- Hash: The HMAC-SHA256 hash produced from userDataJSONBase64 + UNIX TIME.
- timestamp: The time right now in unix. Must not be more than three hours in the past or future.
- The comment widget may display the URL loginURL to log the user in.
- The comment widget may display the URL logoutURL to log the user out.
- The comment widget will call the specified function when the login button is clicked if loginCallback is specified in place of the login URL.
- When specified, the comment widget will call the logoutCallback method when the logout URL is not available.
The following schema is present in the User object:
- id (string, necessary) (1k characters max)
- Email is a mandatory string (1k characters max). Note: It must be distinct.
- (String, Required) username (1k characters max). The username cannot be an email address. not required to be original.
- (String, optional) avatar (3k characters max)
- optedInNotifications (boolean, optional)
- displayLabel (string, optional, 100 characters max). Their name will appear with this label next to it.
- websiteUrl (string, optional, 2000 characters max). This will be linked to the user’s name.
Set the value of optedInNotifications to true or false to allow or disable notifications, respectively. The user’s notification settings will be updated the first time they load a page with this value in the SSO payload. They will be notified when they are replied to, or mentioned. Mentions are sent right away, while reply notifications are batched every hour.
Special Labels & VIP Users
Using the optional “displayLabel” property, you can show a unique label next to the user’s name.
Users who are not signed in
Simply leave out any data for userDataJSONBase64, verificationHash, or timestamp to represent an unauthenticated user. Offer a login URL.
Examples of User Data Serialization and Hashing in Direct Form
More information and examples in java, js, and (php) are in the fastcomments code examples repository.
Changing over from Disqus SSO
Disqus employs SHA1 for encryption while FastComments SSO uses SHA256, which is one of the greatest distinctions between the two services. This indicates that moving away from Disqus is simple: simply switch from SHA1 to SHA256 and update the property names supplied to the UI.
Changing over from Commento SSO
Commento takes a very different approach to SSO; they need you to provide an endpoint that they can utilize to carry out user authentication. FastComments works the other way around; all you have to do is hash and encrypt the user’s data before passing it on.
FastComments is aware that any integration process may be challenging and painful. They offer direct support that can work with your developers to set up the integration.