Single Sign-on

By default, users can comment as guests or sign up for a HYVOR account. However, if you already have an authentication system in place, you can use Single Sign-on (SSO) to let users comment with their existing accounts - no separate HYVOR account is needed.

HYVOR accounts and SSO accounts are different
We create a separate user account for each SSO user, which has no relation to HYVOR accounts. It is also important to note that each SSO account is associated with your website ID. If you have multiple websites, you have to implement SSO for each website separately.

Data Privacy and GDPR Compliance

When using Single Sign-on, you will be sharing user data with us, which may include the user's name, email, and other metadata. This data will be handled according to our Privacy Policy. The email will only be used to send notifications to the user when someone replies to or mentions them. Other data will be shown publicly with the user's comment and profile.

GDPR requires you to allow users to edit and delete their data. Editing is handled automatically. For example, if a user edits their name on your website, their SSO profile is updated automatically the next time they log in to the comments system. Deleting needs to be implemented using our Console API. When a user deletes their account on your system, call the /sso/delete-user endpoint to delete their account.

Setting up SSO

There are three ways to set up SSO:

  • Stateless SSO: Recommended for most users. You need access to the user's data and ability to configure your backend to generate an HMAC signature. See Stateless SSO.
  • OpenID Connect: If your organization uses an authentication provider that supports OpenID Connect, you can use it to authenticate users. See OpenID Connect below. This is simpler to set up but there is one caveat compared to Stateless SSO: the end user needs to click the "Login" button in the comments when authenticating for the first time.
  • Keyless Stateless SSO: This option should ONLY BE USED if you do not have access to your backend. For example, if your website is built using a website builder like Webflow. See Keyless Stateless SSO.
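The Stateless SSO option above relies on your backend producing an HMAC signature over the user's data, so that the comments widget can trust a payload only your server could have produced. The following is an added example of that pattern, not code from HYVOR Talk: it assumes a base64-encoded JSON payload carrying a timestamp, an HMAC-SHA256 over that payload, and the field names `userData` and `hash`; the exact format HYVOR Talk expects is documented on the Stateless SSO page. The `verify_user` side is included to show what the receiving end checks and why a forged or stale payload is rejected.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder: the real secret comes from the HYVOR Talk console
# and must never be shipped to the browser.
SSO_SECRET = "example-secret-from-console"


def sign_user(user: dict, secret: str = SSO_SECRET, now: Optional[int] = None) -> dict:
    """Build a signed SSO payload for one user (runs on your backend).

    Assumed format: base64(JSON with a timestamp), signed with HMAC-SHA256.
    The timestamp lets the verifier reject replayed, old payloads.
    """
    payload = dict(user)
    payload["timestamp"] = int(time.time()) if now is None else now
    encoded = base64.b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    signature = hmac.new(secret.encode(), encoded.encode(), hashlib.sha256).hexdigest()
    return {"userData": encoded, "hash": signature}


def verify_user(
    token: dict,
    secret: str = SSO_SECRET,
    max_age: int = 300,
    now: Optional[int] = None,
) -> Optional[dict]:
    """Re-compute the HMAC and reject forged or stale payloads.

    This is what the receiving side does; returns the user data on success,
    None on any failure. Because the HMAC is checked first, the base64/JSON
    is only decoded for data that provably came from the secret holder.
    """
    encoded = token.get("userData", "")
    expected = hmac.new(secret.encode(), encoded.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak how much of the
    # hash matched through timing differences.
    if not hmac.compare_digest(expected, token.get("hash", "")):
        return None
    payload = json.loads(base64.b64decode(encoded))
    current = int(time.time()) if now is None else now
    if abs(current - int(payload.get("timestamp", 0))) > max_age:
        return None
    return payload


if __name__ == "__main__":
    # Constructed sample user, as your backend would load it from its session.
    sample = {"id": "42", "name": "Ada", "email": "ada@example.com"}
    token = sign_user(sample)
    print(token)
    print(verify_user(token))
```

Your page template embeds the `userData` and `hash` values for the logged-in user; the secret itself stays on the server, which is why the widget can trust the signature while the browser cannot forge one.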

Tutorials

Here are some platform-specific tutorials from our blog to set up SSO (stateless) with HYVOR Talk:

OpenID Connect (OIDC)

OIDC Tested Providers

We have tested our OpenID Connect implementation with the following providers (follow the links for detailed instructions on our blog):

  • Auth0
  • Okta
  • FusionAuth
  • Amazon Cognito User Pools
  • Azure Active Directory
  • Subrite.no

Some providers may have slightly different OpenID Connect implementations. If you run into any problems, feel free to contact us. Azure Active Directory B2C is not supported due to lack of support for the user info endpoint.

OIDC Setup Guide

  1. Create a new application in your authentication provider.
  2. Add the following URL as an allowed redirect URL:
    https://talk.hyvor.com/embed/oidc
  3. Turn on SSO at Console → Settings → SSO. Choose OpenID Connect as the SSO type.
  4. Set the Issuer URL to the full URL of your OpenID Connect provider. For example, https://login.identityprovider.com.
  5. Copy the Client ID and Client Secret from the application you created in step 1 and paste them in the respective fields.
  6. Finally, click Save to save the settings.

Once it is set up, the login button in the comments section should take users to your authentication provider's login page instead of HYVOR login. Make sure to test it by logging in.
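Before saving the Issuer URL in step 4, it is worth checking what the provider actually advertises, since the guide requires the full issuer URL and the note above explains that a provider without a user info endpoint (Azure Active Directory B2C) will not work. The following is an added example, not HYVOR Talk's own code: it validates an OpenID Connect discovery document offline. The document is a constructed sample shaped like what an issuer serves at `{issuer}/.well-known/openid-configuration`; the `fetch_discovery` helper is the only part that would touch the network and is shown for completeness.

```python
import json
from typing import List
from urllib.parse import urlparse
from urllib.request import urlopen

# From the setup guide: the redirect URL you register with the provider.
REDIRECT_URL = "https://talk.hyvor.com/embed/oidc"

# Constructed sample discovery document (only the fields this check reads).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.identityprovider.com",
    "authorization_endpoint": "https://login.identityprovider.com/authorize",
    "token_endpoint": "https://login.identityprovider.com/oauth/token",
    "userinfo_endpoint": "https://login.identityprovider.com/userinfo",
    "jwks_uri": "https://login.identityprovider.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
})


def discovery_url(issuer: str) -> str:
    """Location of the discovery document for a given issuer URL."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer: str) -> str:
    """Download the discovery document (network; not used by the checks)."""
    with urlopen(discovery_url(issuer), timeout=10) as resp:
        return resp.read().decode()


def check_discovery(issuer: str, document: str) -> List[str]:
    """Return a list of problems; an empty list means the provider looks usable
    for the setup described on this page."""
    problems: List[str] = []
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append("issuer must be a full https:// URL")
    try:
        doc = json.loads(document)
    except json.JSONDecodeError:
        return problems + ["discovery document is not valid JSON"]
    # OIDC Discovery requires the 'issuer' value in the document to match the
    # URL the document was fetched from; a mismatch usually means the wrong
    # Issuer URL was configured (e.g. a tenant path was left off).
    if doc.get("issuer", "").rstrip("/") != issuer.rstrip("/"):
        problems.append("issuer in document does not match configured Issuer URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append("missing " + key)
    # The page notes that providers without a user info endpoint are not
    # supported, so treat its absence as a hard failure.
    if "userinfo_endpoint" not in doc:
        problems.append("no userinfo_endpoint: provider not supported")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems


if __name__ == "__main__":
    issuer = "https://login.identityprovider.com"
    print(discovery_url(issuer))
    print(check_discovery(issuer, SAMPLE_DISCOVERY) or "looks usable")
```

Run it against your own provider by replacing the sample with `fetch_discovery(issuer)`; an empty result means the Issuer URL, endpoints and user info support are in place, and the remaining step is to confirm that the redirect URL above is registered in the provider's application settings.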