GoPilot - Your copilot for Ghost (Members Single Sign on just added)

Hi all :wave:. I’m Mark. You might have read my forum posts here and there on various topics. I like deep diving into technical issues and hacking around to hopefully end up with something I enjoy using and also help people with similar issues.

I’ve been a Ghost user for a while and I like it a lot. I’m amazed at the product itself, the staff who built and support it, and the whole Ghost community around it. I read forums every day, see some people helping each other, or some people providing valuable services that are very usable to others.

I’ve been looking into adding some extra functionality to Ghost around SSO and Portal that I myself needed, and I noticed a lot of people have similar issues such as third-party Single Sign On (SSO), more customization for Portal, and Portal and email component translations. So I started building a service that will work well with Ghost core product, which I called GoPilot. So far I have some sort of an MVP with SSO (Google, Microsoft and GitHub - one or more can be used) for staff users (and now your members) and member portal customization (including translation to different languages). In the future I see GoPilot as an assistant to your Ghost administration, solving common problems people experience.

If this sounds interesting to any of you, I’d love you to try and provide feedback, let me know if it’s a bit useful to you. It’s not a paid service yet, as at the moment I see it as a work in progress.
If you have any questions, send them over here or through GoPilot website. I am also attaching a few screenshots to quickly show what GoPilot is all about.

At the end, I’d like to thank all Ghost staff and community for making Ghost such a great product.

Cheers,
Mark

[Screenshot: SSO]

[Screenshot: PORTAL]

1 Like

Hi, I don’t understand the problem you want to solve.
Thanks!

Hey @pascalandy ,

Thank you for the question.

This service is for anyone who is self-hosting to do:

  • SSO for staff: Allow staff members to log in to Ghost admin directly without a challenge from Ghost when they log in using one of the Identity providers. One less password to manage. Plus, if they are already logged into Google, etc., they enter Ghost admin directly
  • Portal customization: Update the default member portal with any text, plus add header if wanted (just to start, more to come). This also means use any language (Russian as an example above)

Possible future functionality to be added, that I can think of:

  • SSO for members
  • Bulk actions on posts and pages
  • Forms and data collection from users (either natively or on the service)

Please let me know if you have any more questions.

Thanks,
Mark

1 Like

A huge thank you to forum user @mhalzahrani for trying GoPilot, finding a few issues with the Portal Customization and working with me diligently to resolve them. If anyone had any issue before, please give it a try one more time. Portal customization is ready to be used to change any text on the Member Portal and translate to any language.

There may be a few more places where text can be customized, such as welcome greeting and the email sent notification, so I’ll get working on those next.

Anyone who has questions, please ask here or send me a message directly.

Cheers,
Mark

You’re welcome!
It is a huge time saver. For anyone who wants a portal translation solution, they should try GoPilot.

Keep up the good work!
Mohammad

a very interesting idea…I looked at your docs…for the SSO, do I understand correctly that a user clicking on the login would be taken to your website (GoPilot) to login and then be brought back to mine?

thanks

Yes.

Let me clarify a bit how GoPilot SSO works, a bit long and technical but you can skip to the summary at the end :slightly_smiling_face:

Setup:
You configure your Identity Providers, be it Google, Microsoft/Azure, GitHub (more to come…) within GoPilot by providing the OAuth parameters (usually an API Key and secret you acquire from your ID Provider account). You can choose to have one or more Identity Providers configured for each of your Ghost sites.
On your Ghost installation, you configure GoPilot SSO adapter, a minimal setup consisting of:

  • A zip file that you deploy under your ‘content’ folder
  • Update your config.production.json (or whatever config file you are using) to add a few lines to tell your Ghost to use GoPilot SSO, its location and the Client ID/Secret we provide

Flow
The flow is industry standard OAuth2 flow which I’m sure you are familiar with if you already used any Social login provider.

  • You provide your users a link for ‘Login’. This could be a navigational item, could be a link on your page (using the theme), it could be a button on any page (similar to how member portal button shows up).

  • User clicks this button, then is taken to GoPilot Login window which contains ONLY the Identity Providers you chose. The user clicks on one of them (let’s say Google) and is redirected to Google. What happens next depends on two things:

    • User is already logged into Google (by Gmail, drive, etc.) in another tab/window. No need for logging into Google again. Otherwise, user is asked by Google to login.
    • First time only, user is presented with a consent screen asking for their permission to allow providing their name and email address (no password, no other sensitive information. We only ask for minimum info). Again, this is standard practice in the industry and we ask for minimum scope.
  • If the user is already logged into Google and already provided consent first time, the user does not even see Google window, is seamlessly transferred to the next step.

  • Once this is completed, user is taken back to GoPilot (user does not see this), then redirected to your Ghost site. Once user reaches your Ghost site, Ghost knows your user’s email address and then does a query against user database to match the email. If there is a match (which means the user with this email is your user), user is taken to your Ghost console directly without asking any password. If the person that is redirected to your site is not your user, then is not allowed and shown the Ghost login window

Summary
GoPilot SSO allows your users to log in to your site with Social Login. It uses the industry standard OAuth2 protocol which is widely used and very secure. It does not require passing sensitive data such as passwords. Your users are taken to the Social provider of their choice and log in there (if the user is already logged in to the social provider, they are taken to the next step directly). After this, the user is taken to your Ghost console through GoPilot without being asked for their password. Ghost logs in the user automatically.

Please let me know if you have any questions. I will be very glad to help you with the setup if you’d like to give it a try.

1 Like
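The callback step of the flow described in the post above, as an added example that is not GoPilot's or Ghost's code: it ties the response to the browser that started the login via the OAuth2 `state` value, requires a provider-verified email, and only then matches the email against known staff, falling back to the normal login form otherwise. The function names, the `sso.example` endpoint, the `email_verified` check and the sample user list are assumptions.

```javascript
// Added example, not GoPilot or Ghost code. All names and URLs are assumptions.
const crypto = require('node:crypto');

// Constructed sample data standing in for the site's staff user table.
const STAFF = [{ id: 1, email: 'editor@example.com' }];

// Step 1: start the flow. A random state value is kept in the user's session
// and sent along, so the callback can be tied to this browser.
function beginLogin(session, clientId, redirectUri) {
  session.oauthState = crypto.randomBytes(32).toString('hex');
  const url = new URL('https://sso.example/authorize'); // placeholder endpoint
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', 'openid email profile');
  url.searchParams.set('state', session.oauthState);
  return url.toString();
}

// Constant-time string comparison that never throws on length mismatch.
function safeEqual(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Step 2: the callback. `claims` is what the provider asserted about the user
// after the code exchange (the exchange itself needs the network and is omitted).
function handleCallback(session, returnedState, claims, users = STAFF) {
  const expected = session.oauthState;
  delete session.oauthState; // a state value is accepted once only
  if (!expected || !returnedState || !safeEqual(expected, returnedState)) {
    return { action: 'login-form', reason: 'state-mismatch' };
  }
  if (!claims || claims.email_verified !== true || typeof claims.email !== 'string') {
    return { action: 'login-form', reason: 'email-not-verified' };
  }
  const email = claims.email.trim().toLowerCase();
  const user = users.find((u) => u.email.toLowerCase() === email);
  return user
    ? { action: 'admin-session', userId: user.id }
    : { action: 'login-form', reason: 'unknown-user' };
}
```

An unknown or unverified email never produces an error page here; every failure path returns the ordinary login form, which matches the fallback behaviour described in the thread.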

Thanks, this clarifies a lot.

You say: “If the person that is redirected to your site is not your user, then is not allowed and shown the Ghost login window”

What if, from the outset, the user wants to keep using the regular Ghost magic link login? Is it just a matter of setting various links as follows:

  1. Ghost usual login
  2. GoPilot SSO 1
  3. GoPilot SSO 2…
    etc.

1 Like

Great question!

GoPilot SSO does not replace existing login process, only adds to it.

You can provide Social login link anywhere as you wish and also keep the existing login links. If user fails login through GoPilot for any reason (such as user is not known to your site), then user is taken to the site same as before, as an anonymous user.

As a response to @josephkman and an update to others,

I have just added Members Single Sign on feature, so in addition to your staff users, your members can now login to your self-hosted Ghost site via third party social login providers with SSO.

2 Likes

This is major, thanks

1 Like

Hello everyone.

My post doesn’t have to do anything with the GoPilot and it relates to its author, Mark.

He helped me several times when I had Qs about Ghost (and not only), he understood that I am not a specialist at all and he was patient explaining in details things that were not exactly where his passion is. Look here How to create a form on Ghost CMS? for example. Or even here https://forum.ghost.org/t/help-needed-to-move-site-to-another-server/25001

I want you to know that even if you have any Qs or problems with Mark’s products (we are all people), you’ll be supported and helped to the end. No doubt.

And once again: thank you, Mark.

2 Likes

Are there any setup instructions for people self hosting ghost in docker?

I have not created a documentation for specifically Docker installation. Although this is a good idea. Thanks for that!

In the meantime, I read through the docker installation document quickly.

Since docker image is self contained, there are two things that need to be done:

  1. It needs to be configured to read the content folder (which will hold the adapters directory) from outside
    It is explained in the document:

Mount your existing content. In this example we also use the Alpine base image.

$ docker run -d --name some-ghost -p 3001:2368 -v /path/to/ghost/blog:/var/lib/ghost/content ghost:alpine

That ‘/path/to/ghost/blog’ is the directory on the server where you will keep the whole content folder, including themes, adapters, etc. What can be done is to map that folder into a different folder in the container first (let’s say /backup), then:

  • exec a shell into Docker image
  • cp -R /var/lib/ghost/content /backup

    Now you have the original ‘content’ folder outside of Docker container.
    Once you have that you can extract GoPilot SSO into that folder and then use Docker command as explained in the document, by mapping ‘/var/lib/ghost/content’ to the updated directory on the server.

  2. Update config.json file
    For this you have two options:

  • Run Ghost Docker container with environment variables that will map to config options as explained here. This depends on whether Ghost will accept the variable to be consumed into configuration (part of core code).
    For example, one of the environment variables would be: adapters__sso__active=gopilot-sso
  • If that option does not work because Ghost will not accept ‘adapters’ as an acceptable environment-variable-driven configuration, the second option would be to map the config.json (any flavor of it - development, production, etc.) to outside. For that the Docker option would be:
    -v /path/to/ghost/blog/config.json:/var/lib/ghost/config.json

Source directory can be anywhere on the server, depending on your setup. Once you map the config.json file to outside world, you can follow the same steps described on GoPilot docs.

I’m currently working on Post management features of GoPilot, namely detailed email tracking and bulk operations. Hopefully will release that very soon and then I can do a Ghost Docker install and come up with Docker specific instructions.

Feel free to reach out to me directly if you want me to look at your installation and help out.