Implementing Membee's Member Single Sign-On Service (MSSO)

Modified on Tue, 28 Mar 2023 at 11:10 AM

Table of Contents


Overview


The Prerequisites


How It Works


Testing MSSO Before Proceeding With Membee


Implementing MSSO



Overview

The purpose of this document is to walk you through the easy implementation of Membee's free Member Single Sign-On service. The service enhances the member's experience by making it easy for them to log in once to your site and access all the secured features found there, regardless of the provider/vendor or platform used to provide these features. This document will cover:


  • The Prerequisites - The requirements by your third-party application/website developer necessary to implement this powerful feature.

  • The Need - This describes how without the "Member Single Sign-On", your members will have to use multiple username and password combinations to move through your site and you will also need to maintain multiple login databases. 

  • The Solution - See how Membee's Member Single Sign-On makes it easy to use one mechanism to control member access to all features of your site.

  • Implementation Steps - The process to a simpler and more rewarding experience for your members.

  • Steps in Membee - How to activate support for the member single sign-on feature for an individual or group of members.

  • Technical Appendix - Developed in conjunction with numerous web developers, everything your third-party application developer needs to integrate Membee's Member Single Sign-On into the applications and/or sites they provide for you.



The Prerequisites

Your third-party developer needs to have experience in working with authentication protocols.  MSSO does not set up or replace security on your site - if you are currently unable to secure content (such as making a page only accessible to people with a valid username and password), then you will need to ensure that your developer has the skills and/or experience necessary to implement security on your site and this will need to be in place before you will be able to implement MSSO. In order to implement MSSO, you should inquire with your developer about the following:

  • Your third-party application developer must be experienced in or have the skills in the use of the standard authentication protocols, either the OAuth (LinkedIn, Yahoo, Twitter), OAuth2 (Facebook), or the OpenID2 (Google) authentication protocols as Membee's methodology is similar in approach.
  • Your third-party developer's application must be able to pass information via the query string or form post.

  • Your third-party developer's application must be able to accept information via the form post method.

  • Your site management tool has the capability to track site users

  • The site can restrict access to content based on someone being defined as a site user

  • The site can restrict access to content based on someone being defined as a site user and that site user having a specified access role(s). For example, if their tool does not have this data structure to store site users and their access roles, there is nothing for Membee to integrate with. Square is a popular site management tool that has no concept of a site user, so you can never restrict access to content to only registered site users.

  • Your developer understands and has the coding capability to do the integration - generally speaking, this integration would be roughly 3/4s of a page of code (PHP) but some site management tools don't allow this customization


We also suggest that you provide a link to this document to your developer before you begin your project so that they can review the document and confirm for you that they can implement this service on your site and/or application. The Technical Appendix below has evolved based on the feedback from previous web developers who have used the Member Single Sign-On service and should provide all of the details needed to launch this service.



How It Works


How Membee's Features Use MSSO


The Need: Eliminate Multiple Member Logins on Your Site


The Solution


How Membee's Features Use MSSO

The Member Single Sign-On service is a feature that you will provide to your members and staff. Normally, access for a person is set using two program permissions (shown in the Access Information panel in the person record in Membee):

  1. A member typically has the "Member Service Center" program which allows them to log in to Member Profile Update, E-Billing, the Event Calendar, and Member's only page in our Content Management System.

  2. The "Integrated Login" program (that utilizes MSSO) to secure login and content on your website

If you're using Membee's Single Sign-On feature to restrict content to members only, you can set Membee's widgets to use the same login page. This means that if the member logs in through the Profile, for example, they'll be logged into the members-only sections. Here are links to the instructions on how to set this up for each widget:



The Need: Eliminate Multiple Member Logins on Your Site

Associations commonly use third-party-developed web applications to provide a unique or specialized member/customer benefit. Since these applications are often developed independently of the implementation of Membee, these applications often provide an independent login mechanism to allow or deny access by the member to the application.


This often requires the member to utilize several different login IDs and passwords to access various portions of the association's website. See the example below.



In this example, you are maintaining two separate login databases. The member must sign in again (possibly with a different username and password) to move between Membee web content and third-party application content.


Multiple login scenarios detract from the member's experience on your website and create a barrier to the usage of your association site, simply as a result of the lack of integration between the third-party applications and the source member information managed by Membee. Administrative workload also increases as a result of having to develop, communicate, and maintain multiple usernames and passwords for each member.


 


The Solution



Members at your site have one username and password and move easily between your website, Membee features, and the third-party application and/or protected website content.


Membee provides a login page that addresses this issue and provides the following general capabilities:


  • Each member has one ID and password for use on the association's site, regardless of the application or site feature being accessed.

  • You can dramatically increase member participation in secured applications and/or content by implementing Membee's Social Login feature to permit members to use one of their social network identities (username and password) for access
  • Only one login is required to access any "members-only" application or module on the association's site.

  • A single login form provided as part of this service handles the user/member login for all applications, site sections, and modules you wish to secure.

  • Only third-party applications or programs approved by your association and Membee can access member login capability.

  • Use Membee's Programs & Access Roles feature to define a subset of members within Membee who may be the only members permitted to access a specific section, page, or feature in your third-party application or site. For example, a content page that is only visible to the members of your Board of Directors committee managed in Membee.
  • All login IDs and passwords are maintained in Membee functionality which further reduces the administrative workload on association staff members.
    • All activation or deactivation of a member login in Membee applies to all Membee member functionality and any third-party application and/or protected content secured with Membee's Member Single Sign-On service.

  • The Membee Member Single Sign-On service is platform-independent meaning the service can be used on sites in both the Windows and Linux platforms.

  • Membee uses an "embed" methodology for deploying much of its capabilities and this approach minimizes the technical skills required by your third-party developer to utilize the Member Single Sign-On service. 


In addition, Membee's login page provides the following benefit to the association's other third party web application developers:

  • To determine if a member is already logged in; perhaps the member utilized a Membee feature (member profile, member event price, etc.) earlier in their session on your site before wishing to access the third-party application, or vice versa.

  • Provide the member with a single, familiar login form to log in and generate a new valid session available to all authorized online applications, Membee features, and/or protected content.
     
  • Integrated Forgot Password method so that your member can still log in as easily as possible to all applications on your site.

  • Integrated Change Passwords method so that if your member changes their password in one place, the new password works everywhere on your site to enhance the member's experience.

  • Integrated Single Sign Out that forwards the member to a common sign-out page.



Testing MSSO Before Proceeding With Membee

Secured login can be an integral part of your membership and is often a mission-critical member feature. Because of its importance, ensuring it works before committing the substantial resources of an implementation coordinator can put you in a good spot.


Before you proceed, you will be able to fully test the MSSO setup with your third-party developer. We will provide the test accounts and complete the peer-review process to confirm you can proceed with confidence.


Prototyping & Testing


Peer Review of Your Integration


Prototyping & Testing

You do not need a personal copy of Membee to develop and test your implementation of Membee. We will supply functioning member credentials for you to use to develop and test your integration. To access these credentials, please complete the steps below.

  1. Send an email to support@membee.com and include the following details
    1. The subject of the email: MSSO Prototyping & Testing
    2. Your first and last name
    3. The name of the client organization you are working with
    4. The domain you will be testing on

  2. We will then send you back the login credentials and setup information you will need to complete your testing. Specifically, we will be sending you login credentials for two members. Both sets of credentials will allow you to test member access to members-only content, and one set of credentials will contain a member access role. This will allow you to test access to content where both a valid member login and the specified member access role are required for access. For example, a member who is also a Board member being able to access content intended only for members of the Board of Directors.


Once you provide the information required as listed above, we will send you back the active member logins to use for development and testing.



Peer Review of Your Integration

Very often, the ability of a member to access content and/or features is a primary member benefit. The purpose of the peer review is to ensure that the implementation of Membee's Member Single Sign-On (MSSO) capability will provide the necessary "members only" access control before the organization invests the substantial effort in a formal implementation of Membee.


To ensure that MSSO will handle the organization's needs, we will schedule a quick online meeting so you can demonstrate the following:


A) Basic Access to Members Only Content


Demonstrate how Sally (one of the member test logins you will receive) can log in to access a secured content page


B) Access To Content That Requires An Access Role


Demonstrate how Joe (the second member test login you will receive) can access a different page that requires not only his valid login but also the member access role passed to your site via MSSO


C) Deny Access to Content That Requires An Access Role When the Role is Not Present


Demonstrate that Sally cannot access the page that Joe has access to.


D) Basic Password Change 


During the online meeting, we will change Sally's password in Membee. We will ask you to clear the browser cache and attempt to log in as her again.


D.1) Login should fail


We will then share with you her new password.


D.2) Login should succeed


E) Membership Cancellation


During the online meeting, we will deactivate Joe's login in Membee to simulate the cancellation of his membership. We will ask you to clear the browser cache and attempt to log in as him again.


E.1) Login should fail


Success within all five of these tests is required in order for the Membee implementation to proceed.


 


Implementing MSSO

If you are a client and possess a subscription to Membee, you and your third-party web developer can proceed to implement the MSSO. 


Terms & Conditions


Implementation Steps


Technical Appendix


 


Terms & Conditions

While rare, a change to Membee or the code that supports your login page may cause the third-party application's interaction with the Membee Integrated Single Sign-On to stop working and such a change may happen without notice. Should this occur, you are responsible for the cost of modifying your third-party application to make it compatible with the revisions.


Implementation Steps

Getting up and going is easy. You'll need to set up the program in Membee first, before your third-party developer(s) start dipping their toes.


There are steps you will need to do and steps that your third-party developer will need to do:


  1. You Need To Do The Following:
    In Membee, create the new program and any associated roles (if needed) within that program: http://membee.zendesk.com/entries/20730812-programs-and-roles
    • You can name the new program anything you like - in our example, we called ours "Integrated Login"
    • Your newly created program will contain all of the information your third-party developer needs to implement Membee's Member Single Sign-On service on your site or application


  2. For Your Third-Party Developer:
    Share this document with your third party developer(s)
    • More specifically, you can share this link with them to direct them to the Implementation Process: Implementing MSSO
    • The Technical Appendix contains everything they need and will allow them to get a handle on the changes they need to make to integrate the single login capability into their application.
    • For further background information, please direct them to start at Overview

  3. For Your Third-Party Developer:
    Add the login capabilities to your application/site - see Technical Appendix

  4. For Your Third-Party Developer:
    Test the third-party application using the new page in the application by using a person's username and password stored in your database and try to access your third-party application/website.

  5. For You or Your Third-Party Developer: If you're using Membee's Single Sign-On feature to restrict content to members only, you can set Membee's widgets to use the same login page. This means that if the member logs in through the Profile, for example, they'll be logged into the members-only sections. Here are links to the instructions on how to set this up for each widget:

 

Technical Appendix


1. Technical Overview


2. Terms/Definitions


3. Embedding the Login Widget


4. Logout From Your Application and Membee


5. Check Login


6. Services


7. Output - ProfileSummary (JSON Object)


 


1. Technical Overview

The Membee Login Widget can be easily embedded within your application and provides the following benefits:

  • This provides easy login integration to your application or site for our mutual client customers and their membership base.
  • It provides all users with the ability to log in via multiple Social Networks. The client can then easily manage member authentication and authorization from within Membee.


Here is the basic login workflow for a member using your application or site:

  1. The member will access the embedded login functionality within your application.
  2. They will then be presented with a screen that allows them to login via username/password or a number of social network logins.
  3. Based on the member’s choice, the login widget will process the login.
  4. The login widget will then redirect the process to the destination URL (DestURL).
    1. Get the user ID and roles via the ExchangeTokenForID service.
    2. If the ExchangeTokenForID service completes without error, authenticate the user. If the service does not complete, the user should not be authenticated on your site. Failure to implement this step could enable your secured content to be viewable by non-members.
    3. If the attempt to login failed, the page should present the member with information to that respect and instructions on what to do next.
    4. If the attempt was successful, your Login Process Page should 


The diagram below illustrates the process using "WordPress" as the third party application or site.


 


2. Terms/Definitions

The following terms are used by the service as parameters in its various capabilities:



| Name | Example | Description |
| --- | --- | --- |
| ClientID | 501 | Each Membee client organization will have a unique ID. |
| AppID | 350 | This will be the App ID provided by Membee, which uniquely identifies your application, allowing your application to be used by more than one Membee client organization. It will be static for all clients. |
| APIKey | eaf93280-1da7-4af6-96ab-d60b6c704f5e | Secret key used for service integration. This will be the same for all implementations of your application within Membee. |
| DestURL | | This is the page that the Membee Login Widget will redirect to after an attempted login. This page must be able to process the values returned from Membee and then present the appropriate page for the process. It can contain query string parameters used by your site. For example, you could pass in the page the member originally requested. On successful login with Membee, this page should authenticate the user against your site and forward them on to the desired content. If the login is not successful, then the user should be redirected back to the Membee Login Widget so they can try their login again. |



 


3. Embedding the Login Widget

The login widget allows you to place access to member login capability on any page using the following methods:

  1. IFrame Implementation - recommended
  2. Fly-out Modal method - an optional method that presents the login functionality in a modal that appears after a link click event


Parameters



| Name | Required | Description |
| --- | --- | --- |
| ClientID | Y | See Terms. |
| AppID | Y | See Terms. |
| DestURL | Y | This is where the system will pass the results of the login process to. The URL will be checked against valid domains stored within Membee. |


 


Getting the Snippets You Need

Membee generates the few lines of code you need to deploy the Member Single Sign-On service. Here are the steps within Membee to generate the code needed:

  1. Login to Membee
  2. Choose Admin
  3. Choose Programs & Access Roles
  4. Click on "Add" and fill in the following information
    1. Name: Give the program a name.  This is the name that will be used to assign the user rights to the members in Membee.
    2. Description: Write a quick description that describes what this program is for.
    3. Trusted Domains: Enter the domain(s) for the site the login is being implemented on. Each domain name should be separated by a semicolon (for example, domain1.com;domain2.com;...)
  5. Click on Save.  This will generate the Secret, App ID and code for the Login Flyout, Login IFrame and Reset Login Widget that you will need below.
  6. Copy the required snippets from the Widget panel 


Here is an example of a defined program and its associated roles in Membee's Programs & Access Roles page:


 

Implementation of the Create/Reset Login Feature (Required)


This feature provides the functional capability for the member to either initially create, or in the future, revise their login preferences (perhaps they wish to use a different social network identity or change their password). 


This feature is mandatory in your utilization of Membee's Member Single Sign On service because, without it, the member is unable to either create a username and password or associate their access with one of their social network identities.


To deploy this feature you:

  1. Create a page in your application or site
  2. Embed the Create/Reset Login Widget snippet on your page


Important Note: when you view the page with the embedded widget directly, it will display the note "Information required for this process is missing. The widget is in preview mode only" - this is normal. When a member needs to create or reset their login, they will always be sent a unique link in an email that will direct them to this page to continue with their login setup. This protects your member's login and prevents anyone from changing their password.


IFrame Implementation for the Login Feature


This allows you to present the member with a standard login page regardless of "what" they are trying to access. The member would see the login options upon navigation to this page. They would not have to click a link in order to open the login modal. This would be beneficial for when the member often enters an invalid username and password combination.


To deploy this feature you:

  1. Create a page in your application or site
  2. Embed the Login IFrame Widget snippet on your page


Fly-out Modal Implementation for the Login Feature


If you are using script-driven modals in your site or application then the fly-out modal for accessing Membee's login may be a nice feature to add (See the Fly-out Example below).


In terms of capability, it is exactly the same login functionality as presented if you employ the IFrame implementation. The only slight difference is that if the member is returned to the login functionality again by your application after a failed login attempt, the member would be required to click the link to trigger the fly-out again so they can try their login again.


To deploy this feature you:

  1. Embed the Login Flyout Widget snippet on your page


Values Sent To Processing Page 


The following are sent to your processing page when login is attempted.



| Name | Description |
| --- | --- |
| Token | Used to call the ExchangeTokenForID service. It is only valid for 5 minutes. It is only included on successful logins. |



 


4. Logout From Your Application and Membee

Process the logout of the member on your site. Then redirect the member to https://memberservices.membee.com/feeds/Login/Logout.aspx to have them logged out of the Membee component. On successful logout, the member will be returned to the desturl.



| Name | Required | Description |
| --- | --- | --- |
| ClientID | Y | See Terms. |
| AppID | Y | See Terms. |
| ReturnURL | Y | This is where the service will pass the results of the login process to. The URL will be checked against valid domains stored within Membee. |



 


5. Check Login

This page is available to see if the member has already been authenticated against the Membee Login services. Simply passing in the identified parameters will allow the system to check the member and then return information that identifies what step your system should follow next.  This page can be found at https://memberservices.membee.com/feeds/login/LoginCheck.aspx.


Parameters



| Name | Required | Description |
| --- | --- | --- |
| ClientID | Y | See Terms. |
| AppID | Y | See Terms. |
| DestURL | Y | This is where the service will pass the results of the login process to. The URL will be checked against valid domains stored within Membee. |



If the member has been previously authenticated, a token will be passed to the DestURL.


6. Services

ExchangeTokenForID


This service exchanges the token for the user's ID within Membee. This ID can then be used to request other information via our other services. This step is also your only way to ensure that the token received on your login processing page is valid.  Failure to do this step could enable your secured content to be viewable by non-members.


Syntax:

https://memberservices.membee.com/Feeds/Profile/ExchangeTokenForID/?APIKEY=value&ClientID=value&AppID=value&Token=value


Parameters



| Name | Required | Description |
| --- | --- | --- |
| APIKey | Y | See Terms. |
| AppID | Y | See Terms. |
| ClientID | Y | See Terms. |
| Token | Y | This value is passed to your login processing page from the Membee Login Widget upon successful login. It is valid for 5 minutes. |



 


7. Output - ProfileSummary (JSON Object)

The following values are returned via the JSON object (See the sample below):



| Name | Description |
| --- | --- |
| UserID | User's ID used to interact with other services within Membee. This ID will be used in all other service calls to request information on behalf of this user. |
| FirstName | User's first name. |
| LastName | User's last name. |
| ConID | Legacy ID for use in older integrations. |
| Email | User's email address. |
| Roles | A list of roles that the user has been granted for this application. |
| JoinDate | The date the member joined. |



Sample:

    {"ConID":11111,
     "Email":"testuser@test.com",
     "FirstName":"Test",
     "JoinDate":"\/Date(1366905036003-0400)\/",
     "LastName":"User",
     "Roles":["Role1","Role2"],
     "UserID":11111}
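
The DestURL processing step from sections 1, 6 and 7, as an added example (not Membee's code and not part of the original document): it exchanges the Token through ExchangeTokenForID, fails closed on any error, and enforces an access role before a session is created. The function names, the LoginRejected exception, the injectable fetch parameter and the rule that a response without a UserID counts as a failed exchange are assumptions; the embedded response is the sample from section 7.

```python
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

EXCHANGE_URL = "https://memberservices.membee.com/Feeds/Profile/ExchangeTokenForID/"
# Date format seen in the page's sample: /Date(<ms since epoch, UTC><+/-HHMM>)/
DATE_RE = re.compile(r"^/Date\((-?\d+)([+-]\d{4})?\)/$")
# Constructed test input: the ProfileSummary sample from section 7 on one line.
SAMPLE_RESPONSE = (r'{"ConID":11111,"Email":"testuser@test.com","FirstName":"Test",'
                   r'"JoinDate":"\/Date(1366905036003-0400)\/","LastName":"User",'
                   r'"Roles":["Role1","Role2"],"UserID":11111}')


class LoginRejected(Exception):
    """Raised whenever the visitor must NOT be given a session on this site."""


def build_exchange_url(api_key, client_id, app_id, token):
    # The APIKey is a secret: build and call this URL server-side only, and
    # keep it out of access logs, error pages and anything sent to the browser.
    query = urllib.parse.urlencode(
        {"APIKEY": api_key, "ClientID": client_id, "AppID": app_id, "Token": token})
    return EXCHANGE_URL + "?" + query


def http_get(url, timeout=10):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_join_date(value):
    """Convert '/Date(1366905036003-0400)/' to an aware datetime, or None."""
    match = DATE_RE.match(value) if isinstance(value, str) else None
    if not match:
        return None
    millis, offset = match.groups()
    tz = timezone.utc
    if offset:
        delta = timedelta(hours=int(offset[1:3]), minutes=int(offset[3:5]))
        tz = timezone(-delta if offset[0] == "-" else delta)
    utc = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=int(millis))
    return utc.astimezone(tz)


def authenticate_from_token(token, *, api_key, client_id, app_id,
                            required_role=None, fetch=http_get):
    """Return a dict describing the member, or raise LoginRejected (fail closed)."""
    if not token:  # the widget only sends Token on a successful login
        raise LoginRejected("no token received")
    try:
        profile = json.loads(fetch(build_exchange_url(api_key, client_id, app_id, token)))
    except Exception as exc:  # network error, timeout, HTTP error, non-JSON body
        raise LoginRejected("token exchange did not complete") from exc
    # Assumption: a usable ProfileSummary is a JSON object carrying a UserID.
    if not isinstance(profile, dict) or profile.get("UserID") in (None, "", 0):
        raise LoginRejected("response carries no UserID")
    roles = profile.get("Roles")
    roles = [r for r in roles if isinstance(r, str)] if isinstance(roles, list) else []
    if required_role is not None and required_role not in roles:
        raise LoginRejected("member lacks role " + required_role)
    return {"user_id": profile["UserID"], "email": profile.get("Email"),
            "roles": roles, "join_date": parse_join_date(profile.get("JoinDate"))}


if __name__ == "__main__":
    # Offline demo: the fetch function is replaced by one returning the sample.
    member = authenticate_from_token("constructed-token", api_key="placeholder-key",
                                     client_id=501, app_id=350, required_role="Role1",
                                     fetch=lambda url: SAMPLE_RESPONSE)
    print(member)
```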