The closest thing I found was this service. It’s not free and I was playing around with it ages ago to see how it works. Might be worth giving it a go.
It seems that we are talking about two different things.
Single Sign On refers to have a single login for two or more apps like blog, forum and something else.
I insist, I totally appreciate your work! But Single Sign On (technically, SSO) It’s not about Social Media. It’s a feature that Ghost lacks from the beginning, for being honest.
@matenauta I implement SSO professionally and using a single Google account to access many services is absolutely is considered Single Sign On.
You’ll have to be more specific about what you want. Are you referring to using a Ghost login with other services? I wouldn’t recommend that. Users don’t have passwords or MFA, just login via email.
The other popular options are Oauth2 like Cathy implemented, SAML 2 and OpenID Connect.
Hello, thanks for your reply Mark! I suspect that passwords are not more secure than using e-mail links for login into our websites.
An integration between Ghost and FOSS services like Authentik, Authelia or Keycloak are way better for me, than using OpenID propietary solutions and forcing users to use and give their data to FB, Apple or Google (!)
There is a drastic difference between free and open-source and it seems that nobody around here are aware of that?
It depends. If the user has email provider with MFA and has MFA emailed, the email link could be more secure. If the password was strong, but the email system allowed weak passwords did not require a second factor, then a direct password would be more secure.
Those would usually integrate using integrate using one of the open protocols I mentioned: SAML, OAuth or OpenID Connect.
I’m not sure who or what you are directing that comment to. The dominant SSO solutoins all use the open protocols I mentioned. “Login with Google” is based on OAuth, while “Login with Apple” uses OAuth and OpenID Connect (OIDC).
If you are interested Authentik, Authelia and Keycloak for SSO, then it would be helpful to research which protocols they support that you recommend Ghost adopt. It would be easiest to start by supporting one of SAML, OAuth or OpenID Connect and not all three at once.
I’m a maintainer of the node-saml project,the most popular SAML library for Node.js, with about a half a million downloads per month. SAML is somewhat complex. It would be a signfiicant feature to implement and provide ongoing support for. I understand why Ghost hasn’t rushed into adopting it. But also know it’s a “must have” for a lot of enterprise customers so I imagine there’s demand for it from a certain segment of prospective customers as well.
I get a lot of emails, and I read a lot of forum posts. Absolutely agreed, there’s not one thing being requested! Here are some common themes/user stories related to sign-ins that I’ve seen multiple times in the last year or so:
User Stories
I want to be able to secure my blog, so I want to require MFA for staff users.
My organization doesn’t allow us to require/use any external accounts, so I need everyone (often this is both staff AND members) to authenticate against our organization-wide identity provider. (Could be Google or Microsoft or something else.)
My potential new members mostly reach my site on mobile, following links from social media. Magic link doesn’t get them back to the article they were reading, in the in-app browser they were using. My members get upset when they have to authenticate every time they follow a link to my site (because their in-app browser never gets a cookie).
I’m offering some paid benefit for my Ghost site members, and I need a way to check that they’re actually members before letting them have the access they’re requesting.
TL;DR:
MFA for staff accounts
Use something else as source of truth for Ghost:
a) Use something else as source of truth for staff accounts.
b) Use something else as source of truth for member accounts
Use something else as source of truth for member accounts, don’t leave the browser.
John’s not the only one not understanding which type of single login you’re asking for. Which kind ARE you asking for? I don’t personally understand what you mean by “single login within Ghost Blog and Forum”, given that Ghost blogs don’t have a forum by default…
Or are you talking just about logins to ghost.org?
I would like to add to Cathy’s wonderful answer, particularly points 1 and 2 from an enterprise SSO perspective.
1. SSO for staff users
1.A. Basic SSO
IT manages a single application in Okta, Entra, etc. to control who can login to Ghost as a staff user.
When users try to log into Ghost as staff, they are taken to the company login page if they are not already logged in, and redirected back to Ghost as a logged in user.
To grant access to a new user:
IT would have to grant access to the new user in Okta, Entra, etc.
Ghost admin would have to grant access to the Ghost blog.
1.B. SSO with user auto-provisioning (nice to have)
When IT assigns a user with to an application in Okta, Entra, etc. Ghost automatically creates a user in Ghost.
When IT assigns a different role to a user, role assignments within Ghost must be auto-update.
Within Ghost users cannot perform the following actions for themselves or other users:
Change user email.
Change user role.
To grant access to a new user:
IT would have to grant access to the new user in Okta, Entra, etc.
Teams are usually appreciative of auto-provisioning but don’t mind having to go through the extra steps of manually granting access especially if expectations are well documented.
2. SSO for members (nice to have)
In this case, IT would maintain an additional application registration in Okta, Entra, etc. to control who can access Ghost as a member.
I’m not very familiar with the Ghost’s members feature, but it will essentially a copy of the staff implementation.
(If the entire ghost blog needs to be accessible to employees only, it might be easier to add SSO at the proxy level for the entire Ghost instance (or for some paths) instead of implementing SSO for members in Ghost. )
Other notes
When users try to log into a Ghost instance, they are prompted to login at their company login page if they are not already logged in there, and redirected back to Ghost as an authenticated user.
When SSO is enabled on a Ghost instance other forms of login (passwords) must be prevented. This allows IT to manage access in one places (who has access to which applications, who requires MFA for which applications, etc.).
IT Teams do not usually mind having to setup an app registration within Okta, Entra, etc. Setting up OIDC in particular is very straightforward. So, there is no need to publish the app on the app catalog. (Publishing the app would requires a single domain for all Ghost instances and might make sense for managed ghost plans.)