Kratos or Hydra required for SSO?

[sietsevanderbom]

I've gone through the docs but it is not clear to me whether Kraton is sufficient when you want to login once for multiple domains, or that you'd need Hydra for this. Any suggestions?

[sietsevanderbom]

Ah found it: ory/kratos#662
So not yet possible with just Kratos. Need Hydra currently.

[vinckr]

I changed the title a bit since it seems you are looking for SSO for multiple domains, correct?
In that case you can build that with Hydra & Kratos, check out this document.

[bitbay]

As far i understand ory's architecture, SSO for different domains is limited by kratos using cookies heavily for authentication - sending tokens explicitly between domains instead implicit cookies was the answer to this by OAuth2 (ie. ory's hydra).
I wasn't able to setup even the kratos-selfservice-ui-node and kratos being on two different domains because cookies where not sent between them.
If You use "subdomains" like

• kratos.mydomain.com
• auth.mydomain.com - UI for login, register, etc.
• clientA.mydomain.com
• clientB.mydomain.com

and set kratos session/csrf cookies for the domain mydomain.com, You probably can get away with just kratos - although having an IAP like ory/oathkeeper for checks and redirections will be handy.

The general flow could be:

1. user navigates to clientA.mydomain.com
2. clientA
   2.1. checks with kratos if the user has a session or not (using received cookies) calling kratos/sessions/whoami
   2.2. if it has, the user is authenticated
   2.3. if the user isn't authenticated, redirect to auth.mydomain.com/login?followup=clientA.mydomain.com
3. auth.mydomain.com
   3.1. starts a (browser) login flow with kratos
   3.2. once finished, redirects back to &followup=