Can my users embed my sign in form on their own site?

We provide an online lesson journal SaaS to private schools. The schools are our customers but their students and teachers are our users. This is a multi-tenant Rails app.

I recently had a request from a school asking if they could embed our sign in form on their own site. They say directing their students away from their site and towards our sign in page to view lessons is confusing. I tend to agree.

Is it possible to use an iframe to embed our Devise-based sign in form on their site which, on submission, would sign in the student and show their dashboard on our site?

I’ve done some reading on CORS but it seems that most solutions involve opening up the resource sharing to everyone (usually denoted by '*') but that sounds a bit risky.

How would I go about this?

I believe if you go the <iframe> route you won’t need to worry about CORS, but by default the login response would just render into the <iframe> tag, which doesn’t sound like the behavior you want.

If you submit the login in the <iframe>, you can then use JavaScript in the response to set the session cookie, then redirect via window.top.location.href to the URL of your dashboard.

If you want to go the CORS route, you won’t need to do an <iframe>…while most responses give you the generic Access-Control-Allow-Origin: '*' solution, you can be as specific as you want in the header. So you could set it to something like Access-Control-Allow-Origin: http://example.com to only allow the response on the example.com domain. In Rails, you should be able to ensure the user login request is associated with a tenant that has set example.com as an associated domain and then set the header in the controller. (I know that’s kinda vague, but just trying to give you a broad overview not knowing your exact implementation).

There’s some good info on CORS here: Cross-Domain Requests with CORS

Good luck!

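One way to implement the per-tenant origin check sketched in the answer above, as an added example that is not from the original thread or from Devise/Rails: the tenant ids, the TENANT_ORIGINS table and the helper names are assumptions, and the logic is plain Ruby so it runs without Rails (in a controller you would merge the returned hash into response.headers before rendering the sign-in response).

```ruby
require "uri"

# Constructed tenant data standing in for a database lookup (assumption: each
# tenant stores the exact origins of the sites allowed to embed the sign-in form).
TENANT_ORIGINS = {
  "school-a" => ["https://www.school-a.example", "https://school-a.example"],
  "school-b" => ["https://portal.school-b.example:8443"]
}.freeze

# Normalise an origin to scheme://host[:port] so comparisons are exact.
# Returns nil for anything that is not a plain origin (paths, userinfo, garbage).
def normalize_origin(origin)
  uri = URI.parse(origin.to_s)
  return nil unless %w[http https].include?(uri.scheme) && uri.host
  return nil if uri.path != "" || uri.query || uri.fragment || uri.userinfo
  port = uri.port == uri.default_port ? "" : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host.downcase}#{port}"
rescue URI::InvalidURIError
  nil
end

# Decide which CORS headers a sign-in response may carry for this tenant and
# request Origin. Returns {} when the origin is not on the tenant's list, so the
# browser withholds the cross-site response from the page. Browsers only honour
# credentialed requests (the session cookie) when the origin is echoed back
# exactly; "*" is never valid together with Allow-Credentials, which is why a
# wildcard is not an option here. A host that merely contains an allowed name
# (e.g. www.school-a.example.other.test) does not match, because the comparison
# is on the whole normalised origin, not a substring.
def cors_headers_for(tenant_id, request_origin)
  allowed = TENANT_ORIGINS.fetch(tenant_id, []).map { |o| normalize_origin(o) }
  origin  = normalize_origin(request_origin)
  return {} unless origin && allowed.include?(origin)
  {
    "Access-Control-Allow-Origin"      => origin,
    "Access-Control-Allow-Credentials" => "true",
    "Vary"                             => "Origin" # caches must not reuse across origins
  }
end

if __FILE__ == $PROGRAM_NAME
  p cors_headers_for("school-a", "https://www.school-a.example")
  p cors_headers_for("school-a", "https://www.school-a.example.other.test")
  p cors_headers_for("school-b", "http://portal.school-b.example:8443")
end
```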