To initialize the OSDK client we are required to sign in, which is completely understandable. However, in certain scenarios we already know the user’s email, so displaying the sign-in page to the user is redundant and unnecessary.
Is there any way to bypass the sign-in page? I think with the client we should be able to initiate a headless login by passing the email param directly to the client auth signIn method. Something like client.auth.signIn({ email: "user.email@example.com" });
When calling client.auth.signIn({ email: "user.email@example.com" }), how would you expect the user to authenticate with just their email address? Would you want this to trigger a login flow with a single sign-on (SSO) provider using that email address?
If you’ve set up authentication in Foundry to integrate with such a provider and the user has an active Foundry session, then they’ll be immediately redirected to the consent screen for the application if not previously authorized, or back to the application’s redirect URL silently, without any interactive action, if previously authorized. Additionally, if a valid OAuth refresh token is present from a previous session, the token may be refreshed without any redirects.
For the consent screen there is an ability to enable organization-level consent, but care should be taken, as it means that the application can obtain a token on behalf of your users without consent in the OAuth flow.
Not sure I am following on the authentication point you made. Is it possible to authenticate the user in the background if the external application has its own authentication as well, which is the same as the authentication for Foundry?
For example if the user logs into an external application via SSO, could that simultaneously authenticate them into Foundry?
In order to bypass the Palantir sign-in page, one option is to set a default authentication provider for that particular host in Control Panel. This would cause any user trying to access that host to be immediately routed to the single sign-on page instead of being asked to put in their email address.
Note that this is feasible only if you have only one authentication provider configured for a host. If there are multiple that need to be used, setting a default may block access for certain users if they get routed to the wrong authentication provider.
Thanks for your response. Yes, the idea with client.auth.signIn({ email: "user.email@example.com" }); would be to initiate the SSO without the need for the user to do so.
For our particular use case, we are integrating a Foundry Client into only one part of our application. The user logs in with our identity manager, and when navigating to the part of the app that uses the Foundry Client we already know the email. So asking for it again with a full screen/redirect is redundant.
Right now, when the screen to enter the email pops up, the SSO is triggered, which is great, but if we know the email then we don’t need the screen to capture the email again. Is this possible with the client.auth instance?
If it doesn’t, can you help explain what’s missing from it? Additionally, if you have an existing example of another external integration with your SSO elsewhere in your application that behaves as you’d like it to, are you able to share the equivalent code or docs to help illustrate?
Bumping on the question @cmckenna asked. I also need to add Foundry into a single piece of an existing application where the user has already SSO’d in, and I don’t want them to need to do it again.