Can we work together for adding this crucial feature, seeing that Ghost Team don’t really care about it?
I’m not a dev but I know some guys that could work on that or I can search for contract devs too.
I don’t know why SSO is not implemented but I hope that’s OK if we try to add something 100% necessary for us 
The closest thing I found was this service. It’s not free and I was playing around with it ages ago to see how it works. Might be worth giving it a go.
Has there been any progress on SSO in the last year?
I see some clues in the code has anyone implimented this?
One year on, just wondering if anyone had done any work on this?
I have SSO implemented. Free for small sites, cheap for big ones.
I fully appreciate your efforts and work but I think that some of us talk about ‘Single Sign On’ and not ‘Social Sign On?’
I have sign on with Google. Does that count? Apple and Microsoft coming soon.
It seems that we are talking about two different things.
Single Sign On refers to have a single login for two or more apps like blog, forum and something else.
I insist, I totally appreciate your work! But Single Sign On (technically, SSO) It’s not about Social Media. It’s a feature that Ghost lacks from the beginning, for being honest.
@matenauta I implement SSO professionally and using a single Google account to access many services is absolutely is considered Single Sign On.
You’ll have to be more specific about what you want. Are you referring to using a Ghost login with other services? I wouldn’t recommend that. Users don’t have passwords or MFA, just login via email.
The other popular options are Oauth2 like Cathy implemented, SAML 2 and OpenID Connect.
Hello, thanks for your reply Mark! I suspect that passwords are not more secure than using e-mail links for login into our websites.
An integration between Ghost and FOSS services like Authentik, Authelia or Keycloak are way better for me, than using OpenID propietary solutions and forcing users to use and give their data to FB, Apple or Google (!)
There is a drastic difference between free and open-source and it seems that nobody around here are aware of that?
It depends. If the user has email provider with MFA and has MFA emailed, the email link could be more secure. If the password was strong, but the email system allowed weak passwords did not require a second factor, then a direct password would be more secure.
Those would usually integrate using integrate using one of the open protocols I mentioned: SAML, OAuth or OpenID Connect.
I’m not sure who or what you are directing that comment to. The dominant SSO solutoins all use the open protocols I mentioned. “Login with Google” is based on OAuth, while “Login with Apple” uses OAuth and OpenID Connect (OIDC).
If you are interested Authentik, Authelia and Keycloak for SSO, then it would be helpful to research which protocols they support that you recommend Ghost adopt. It would be easiest to start by supporting one of SAML, OAuth or OpenID Connect and not all three at once.
I’m a maintainer of the node-saml project,the most popular SAML library for Node.js, with about a half a million downloads per month. SAML is somewhat complex. It would be a signfiicant feature to implement and provide ongoing support for. I understand why Ghost hasn’t rushed into adopting it. But also know it’s a “must have” for a lot of enterprise customers so I imagine there’s demand for it from a certain segment of prospective customers as well.
Because nobody really knows what they mean when they say “SSO for Ghost”
Staff users? or members? As an SSO consumer? or SSO provider? OAuth? or SAML? Additional auth method? Or primary service?
Looks like you’ve discovered the reason it’s not implemented!
I get a lot of emails, and I read a lot of forum posts. Absolutely agreed, there’s not one thing being requested! Here are some common themes/user stories related to sign-ins that I’ve seen multiple times in the last year or so:
User Stories
I want to be able to secure my blog, so I want to require MFA for staff users.
My organization doesn’t allow us to require/use any external accounts, so I need everyone (often this is both staff AND members) to authenticate against our organization-wide identity provider. (Could be Google or Microsoft or something else.)
My potential new members mostly reach my site on mobile, following links from social media. Magic link doesn’t get them back to the article they were reading, in the in-app browser they were using. My members get upset when they have to authenticate every time they follow a link to my site (because their in-app browser never gets a cookie).
I’m offering some paid benefit for my Ghost site members, and I need a way to check that they’re actually members before letting them have the access they’re requesting.
TL;DR:
I see Ghost Pro offers a beta version of Google / OAuth 2.0 SSO to their Business customers.
Can we consider this as a sign of having this feature built-in soon?
Do you think that a single login within Ghost Blog and Forum isn’t neccessary to give the best user experience?
We can have different point of views. I usually like to talk online about facts and discuss ideas.
This is called a straw man argument - if you aren’t going to communicate constructively then I won’t engage with you further.
Nop, it’s a very simple question. We are talking about Single Login and that’s a beautiful example of the possible application.
A strawman is literally what you are trying when refuse to give a clear and simple answer.
John’s not the only one not understanding which type of single login you’re asking for. Which kind ARE you asking for? I don’t personally understand what you mean by “single login within Ghost Blog and Forum”, given that Ghost blogs don’t have a forum by default…
Or are you talking just about logins to ghost.org?
Single Login Integration with FOSS software and not propietary one. It’s always about fundamentals and the real motivation behind the teams.
I would like to add to Cathy’s wonderful answer, particularly points 1 and 2 from an enterprise SSO perspective.
Teams are usually appreciative of auto-provisioning but don’t mind having to go through the extra steps of manually granting access especially if expectations are well documented.
I’m not very familiar with the Ghost’s members feature, but it will essentially a copy of the staff implementation.
(If the entire ghost blog needs to be accessible to employees only, it might be easier to add SSO at the proxy level for the entire Ghost instance (or for some paths) instead of implementing SSO for members in Ghost. )
