ScoutID in English

Single Sign On

Button logo with ScoutID
When you see this symbol, you know that the service supports logging in with ScoutID.

In order to offer more and better web services without increasing the amount of login information you need to keep track of, we have introduced the ScoutID service. With ScoutID, a member of the Scouts only needs to keep track of one login to access most of our websites and e-services.

Initially, ScoutID is only available to members of a “direktansluten scoutkår”, but our ambition is that interested collaborating organizations should also be connected and able to use the same login solution.

For Scout group (kår) and Service Providers

The system offers login both for Scouterna’s central services (Scout group sites, web courses, etc.) and for external services. What is required is that your service supports the SAML2 protocol or JWT tokens, which are easily added with plugins and libraries for most common frameworks and content management systems.

Examples:

We can configure ScoutID so that all members of Scouterna can log in to your service, or so that only those who meet certain criteria are given access. You also have the option of doing your own filtering based on data about the logged-in user:

  • Membership in Scout groups, department, and patrol
  • Roles in organization, district, Scout group, department, and patrol
  • Age
  • Name and email address
  • Member number (unique ID)

Interested?

If you have a project that addresses all or some of the Scouts’ members and want to offer a simple login, contact us at scoutid@scouterna.se and we will see how we proceed!

Generic JWT

Can be used with JavaScript frameworks such as React and Vue.

Conditions

  • Your project is online¹ and connected via https.
  • Your project has a backend that can verify JWT tokens signed with an asymmetric RS256 key.

How our JWT setup works

The JWT solution is built on top of the SAML2 solution, so:

  • Your project makes an ajax request and asks whether the user is logged in at ScoutID.
  • If the user is not logged in, the answer contains a URL where you can send the user to log in (a SAML2 login is made there).
  • After the user logs in at ScoutID, the user lands in your project again (on a URL configured in ScoutID).
  • Your project resends the ajax request and asks whether the user is logged in at ScoutID.
  • You receive a JWT token as response, with a validity period of 15 minutes. After these 15 minutes you have to renew / request a new one, which you receive if the user is still logged in at ScoutID.
  • This JWT token can then be sent to your backend. In the backend you verify that the token is valid. If it has expired, it is recommended that you answer with error code 498, and that the frontend then automatically retrieves a new token and resends the request to your backend.
  • Since the token contains the information about memberships and more (see above), your backend does not need to keep track of sessions.

Code Example

// Ask ScoutID for a JWT for this app. credentials: 'include' sends the ScoutID session
// cookie along, so the service can tell whether the user is logged in.
const login = async () => {
  const response = await fetch("https://scoutid.se/jwt/jwt.php?app_id=" + location.hostname, {credentials: 'include'});
  if (!response.ok) throw response;
  const result = await response.json();
  // Not logged in (or another error): the answer carries no token, but a login URL instead.
  if (!result || !result.ok || !result.token) {
    throw result;
  }
  return result.token;
};

login().then(console.log)
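The flow above leaves the renewal step to the frontend: when the backend answers 498, fetch a new token and resend the request. The wrapper below is an added example, not code from the ScoutID page. It caches the token, reads the unverified exp claim only to schedule refreshes, retries exactly once on 498, and takes the login function and the fetch implementation as parameters so it can run offline against a stand-in backend (in a browser you would pass the login() above and window.fetch). The tokens produced by fakeToken are constructed, unsigned test data.

```javascript
// Added example, not from the ScoutID page: a frontend wrapper around backend calls that
// caches the ScoutID token, refreshes it when the backend answers 498 and retries once.
// login is expected to behave like the page's login(); fetchImpl is injected so the example
// runs offline. Tokens built by fakeToken are constructed test data (unsigned).
const toBase64Url = (s) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Read exp (seconds) from the payload without verifying it: the frontend only uses it to
// decide when to ask for a new token, never to decide whether to trust the token.
function tokenExpiryMs(token) {
  const seg = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = seg + "=".repeat((4 - (seg.length % 4)) % 4);
  const { exp } = JSON.parse(atob(padded));
  return typeof exp === "number" ? exp * 1000 : 0;
}

// Returns getToken({force}) which reuses a cached token until it is within 30 s of expiry.
function makeTokenSource(login, now = () => Date.now()) {
  let cached = null;
  return async ({ force = false } = {}) => {
    if (!force && cached && tokenExpiryMs(cached) > now() + 30000) return cached;
    cached = await login();
    return cached;
  };
}

// Send the request with the token; on 498 (expired) fetch a new token and retry exactly once.
async function callBackend(url, getToken, fetchImpl, options = {}) {
  const send = async (token) =>
    fetchImpl(url, { ...options, headers: { ...(options.headers || {}), Authorization: `Bearer ${token}` } });
  let response = await send(await getToken());
  if (response.status === 498) {
    response = await send(await getToken({ force: true }));
  }
  return response;
}

// Constructed, unsigned token with the given exp; a real backend would reject it.
function fakeToken(exp) {
  return `${toBase64Url(JSON.stringify({ alg: "RS256", typ: "JWT" }))}.${toBase64Url(JSON.stringify({ exp }))}.sig`;
}

// Stand-in backend: rejects the first request as expired (498), accepts the rest.
async function demo() {
  const now = 1700000000000; // fixed clock (constructed) so the run is reproducible
  let logins = 0;
  const login = async () => { logins += 1; return fakeToken(Math.floor(now / 1000) + 15 * 60); };
  const getToken = makeTokenSource(login, () => now);
  let calls = 0;
  const fetchImpl = async () => {
    calls += 1;
    return calls === 1 ? { ok: false, status: 498 } : { ok: true, status: 200 };
  };
  const first = await callBackend("https://backend.example.test/api/me", getToken, fetchImpl);
  const second = await callBackend("https://backend.example.test/api/me", getToken, fetchImpl);
  // first: 200 after one refresh; second: 200 with the cached token, no new login
  return { first: first.status, second: second.status, logins, calls };
}

demo().then((r) => console.log(r));
```

The retry is deliberately limited to one attempt: if the second request also comes back 498, the user is no longer logged in at ScoutID and the frontend should send them to the login URL rather than loop.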


Our current public RS256-key

-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----

Help

Contact scoutid@scouterna.se to request help from us.

Generic SAML2

Conditions

  • Your project is online¹ and connected via https.
  • You can add and configure a library/plugin that supports SAML2 login against an external SAML2 Identity Provider.

What information do ScoutID need from you

To set up your project as a Service Provider in the ScoutID configuration, we need to register 3 values:

  • Name, a name so we can easily find your project in the list.
  • Entity-id, the identifier your library sends to ScoutID to identify your project. It depends on the library you are using, but the most common is the domain “myproject.com” or the URL “https://myproject.com/”. If you try to log in with ScoutID before we have added your Entity-id to the whitelist, the error message includes the Entity-id your project tried to use.
  • ACS, a URL for the Assertion Consumer Service.
  • SLS, a URL for the Single Logout Service; it may be the same URL as the ACS.

We can also add extra filtering options, but if your library can also do filtering, it is recommended that you keep the filter configuration in your project, so that you have full control over it.

What your project needs from ScoutID

  • In SAML terms, ScoutID is an IdP (Identity Provider), so you need to add us as an IdP in your project.
  • You also need to add us as a trusted IdP, by adding our certificate to your project.
  • You need to tell your project where to find us; our SSO (Single Sign On) URL is: https://scoutid.se/simplesaml/saml2/idp/SSOService.php
  • Some libraries, instead of the SSO URL, require you to add “metadata”; our metadata is located here: https://scoutid.se/simplesaml/saml2/idp/metadata.php
  • Some libraries support SLS (Single Logout Service); our SLS URL is: https://scoutid.se/simplesaml/saml2/idp/SingleLogoutService.php
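The two lists above describe two XML documents: the SP metadata your library hands to ScoutID (Entity-id, ACS, SLS) and the IdP metadata you fetch from ScoutID (entityID, SSO URL, SLS URL, signing certificate). The code below is an added example, not ScoutID's or any library's code, showing where each value lives in those documents: buildSpMetadata() produces the SP side, and parseIdpMetadata() extracts the IdP side the way an SP library does when it is pointed at the metadata URL. The embedded IdP metadata is constructed for the example (example host, placeholder certificate bytes); it reuses only the endpoint path layout of the ScoutID URLs listed above. The parser is regex-based and meant to show structure; a real SP library uses a full XML parser and validates the metadata signature.

```javascript
// Added example, not ScoutID's or any library's code: SP metadata generation and IdP metadata
// extraction. SAMPLE_IDP_METADATA is constructed (example host, fake certificate bytes).
const MD = "urn:oasis:names:tc:SAML:2.0:metadata";
const REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect";
const POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

const xmlEscape = (s) => s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/"/g, "&quot;");

// SP metadata carrying the three values ScoutID registers: Entity-id, ACS and SLS.
function buildSpMetadata({ entityId, acsUrl, slsUrl }) {
  return [
    `<md:EntityDescriptor xmlns:md="${MD}" entityID="${xmlEscape(entityId)}">`,
    `  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">`,
    `    <md:SingleLogoutService Binding="${REDIRECT}" Location="${xmlEscape(slsUrl)}"/>`,
    `    <md:AssertionConsumerService Binding="${POST}" Location="${xmlEscape(acsUrl)}" index="0" isDefault="true"/>`,
    `  </md:SPSSODescriptor>`,
    `</md:EntityDescriptor>`,
  ].join("\n");
}

// Wrap the base64 body from metadata as a PEM certificate, the form most SP libraries expect.
function toPem(base64) {
  const body = base64.replace(/\s+/g, "").match(/.{1,64}/g).join("\n");
  return `-----BEGIN CERTIFICATE-----\n${body}\n-----END CERTIFICATE-----`;
}

// Pull the IdP entityID, SSO URL, SLS URL and signing certificate out of IdP metadata.
// Regex extraction is enough to show the structure; it only looks at the elements it needs.
function parseIdpMetadata(xml) {
  const attr = (tag, name) => {
    const m = xml.match(new RegExp(`<(?:\\w+:)?${tag}\\b[^>]*\\b${name}="([^"]*)"`));
    return m ? m[1] : null;
  };
  const cert = (xml.match(/<(?:\w+:)?X509Certificate>([\s\S]*?)<\//) || [])[1];
  return {
    entityId: attr("EntityDescriptor", "entityID"),
    ssoUrl: attr("SingleSignOnService", "Location"),
    slsUrl: attr("SingleLogoutService", "Location"),
    certificatePem: cert ? toPem(cert) : null,
  };
}

// Constructed IdP metadata: example host, placeholder certificate bytes (not a real certificate).
const SAMPLE_IDP_METADATA = `<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="${MD}" entityID="https://idp.example.test/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>MIIBconstructedPlaceholderNotARealCertificate0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="${REDIRECT}" Location="https://idp.example.test/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:SingleSignOnService Binding="${REDIRECT}" Location="https://idp.example.test/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>`;

console.log(parseIdpMetadata(SAMPLE_IDP_METADATA));
console.log(buildSpMetadata({
  entityId: "https://myproject.com/",
  acsUrl: "https://myproject.com/saml/acs",
  slsUrl: "https://myproject.com/saml/sls",
}));
```

The certificate extracted from the IdP metadata is what makes ScoutID a trusted IdP in your project: your library uses it to check the signature on every assertion delivered to the ACS, so it should be taken from the metadata URL over https and pinned in your configuration rather than accepted from the assertion itself.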

Help

Contact scoutid@scouterna.se to request help from us.