Every growing company eventually ends up with "The Tool Sprawl."
- Utilization: "Log into the HR portal for leave."
- Finance: "Log into the Payroll system (different password)."
- Engineering: "Log into the Jenkins dashboard."
Employees are frustrated, and IT is overwhelmed with password resets.
The solution is Single Sign-On (SSO), usually via an expensive enterprise vendor. Today, we will build our own using Rugi Auth.
We will simulate a fragmented corporate environment and unify it.
The Components
- The "Legacy" System: A PHP-based employee directory (simulated).
- The "Modern" System: A Node.js Analytics Dashboard.
- The Identity Provider (IdP): Rugi Auth hosted on auth.internal.corp.
Step 1: Setting up the Identity Provider
We deploy Rugi Auth internally. We create two Apps in the dashboard:
- Legacy Directory (Client ID: legacy-app)
- Analytics Dash (Client ID: analytics-app)
We either enable LDAP or simply use Rugi Auth's own database to store employee credentials centrally.
Step 2: The "Portal" (The Launchpad)
We build a simple static HTML page or a lightweight React app that serves as the "Dock" for employees.
<!-- portal.html -->
<h1>Welcome, Employee</h1>
<div id="user-info">Loading...</div>
<div class="apps">
  <a href="http://hr.internal.corp/login?sso=true">Go to HR Directory</a>
  <a href="http://analytics.internal.corp/login?sso=true">Go to Analytics</a>
</div>
<script>
// Check if we have a valid Rugi Auth session.
// credentials: 'include' sends the Rugi Auth session cookie on this cross-origin request;
// auth.internal.corp must list the portal's origin in its CORS policy for that to work.
async function checkSession() {
  const response = await fetch('http://auth.internal.corp/me', { credentials: 'include' });
  if (response.ok) {
    const user = await response.json(); // /me returns the user profile as JSON
    document.getElementById('user-info').innerText = `Hello ${user.email}`;
  } else {
    window.location.href = 'http://auth.internal.corp/login';
  }
}
checkSession();
</script>
Step 3: Integrating the "Modern" Node.js App
This is easy. The Analytics app uses standard JWT validation.
Login Flow:
The user clicks "Login with SSO". We redirect them to Rugi Auth.
http://auth.internal.corp/login?client_id=analytics-app&redirect_uri=...
Callback:
Rugi Auth validates the user (who is already logged in from the Portal!) and immediately redirects back with a code/token.
Token Validation:
The Node app validates the token against Rugi Auth's public keys (JWKS).
// Standard JWT verification using jwks-rsa (together with jsonwebtoken)
const jwt = require('jsonwebtoken');
const jwksClient = require('jwks-rsa');
const client = jwksClient({ jwksUri: 'http://auth.internal.corp/.well-known/jwks.json' });
// Resolve the signing key named by the token header's "kid"
const getKey = (header, cb) => client.getSigningKey(header.kid, (err, key) => cb(err, err ? null : key.getPublicKey()));
// Verify signature, audience (this app's client_id) and expiry; done(err, claims) gets the trusted payload.
// Algorithms are pinned to RS256 here; adjust if Rugi Auth publishes keys for a different alg.
const verifyToken = (token, done) =>
  jwt.verify(token, getKey, { audience: 'analytics-app', algorithms: ['RS256'] }, done);
Step 4: Integrating the "Legacy" PHP App
This is often the scary part.
How do you teach a ten-year-old PHP script to understand modern auth?
You don't need to rewrite the app; you just need a Bridge Script.
The PHP Logic (login.php):
<?php
session_start(); // the legacy app reads its login state from $_SESSION
// 1. Capture the token sent from the redirect.
//    A token in the query string also lands in web-server logs and Referer headers,
//    so keep it short-lived and never write the URL to application logs.
$token = isset($_GET['access_token']) ? $_GET['access_token'] : '';
if ($token === '') {
    die("SSO Failed");
}
// 2. Verify it (Simpler method: call the introspection endpoint)
// In a real high-traffic app, you'd verify the signature locally in PHP.
// For internal tools, asking Rugi Auth "Is this valid?" is fine.
$ch = curl_init('http://auth.internal.corp/me');
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Authorization: Bearer ' . $token]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the body instead of echoing it
$response = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
$user = ($response !== false && $status === 200) ? json_decode($response) : null;
if ($user !== null && !empty($user->id)) {
    // SUCCESS!
    // Set the LEGACY session variable that the old app expects
    session_regenerate_id(true); // fresh session id at login, so a pre-login id is never reused
    $_SESSION['user_id'] = $user->id;
    $_SESSION['is_logged_in'] = true;
    header('Location: /dashboard.php');
    exit;
} else {
    die("SSO Failed");
}
By adding this one login.php file, you have effectively "modernized" the authentication of a legacy artifact without touching its spaghetti core code.
Step 5: The Employee Experience
- Morning: Employee logs into the Portal. (Enters password once).
- Mid-day: Opens Analytics. The app detects no session, redirects to Rugi Auth. Rugi Auth sees the cookie from the morning, and immediately redirects back with a token. Zero typing.
- Afternoon: Opens Legacy HR. Same thing.
Summary
In an enterprise environment, "Full Stack" often means gluing together different generations of technology.
Rugi Auth serves as the Universal Adapter.
- It speaks JWT/OIDC for your modern React/Node apps.
- It provides simple REST endpoints that even a bash script or PHP 5 app can consume to verify identity.
This centralization creates a single point of control.
When an employee leaves, you disable them in Rugi Auth, and they are instantly locked out of the Portal, the Analytics, AND the Legacy HR system.