In order to use a custom CNAME and avoid browser warnings related to 3rd party cookies, Gigya can act as a client proxy for your site, thus eliminating browser security warnings. In order to do so, Gigya uses an SSL certificate issued to your subdomain to encrypt your user's information transmitted during social login. A general overview of the process can be found in our 3rd Party Cookies documentation. The following is a more detailed explanation.
Why an SSL Certificate?
There are a number of reasons:
- Using a CNAME (and certificate) instead of socialize.gigya.com allows you to preserve the site branding and user experience that you've invested so much time and effort in.
- Because without one, every time your user is redirected from login.yoursite.com to Gigya's servers, their browser will warn them with a security message. Using an SSL certificate verifies that the redirect to Gigya's servers is a trusted process, thus eliminating this security popup for your site visitors experience.
- Using an SSL certificate also ensures that data transmitted to and from the browser is encrypted, reinforcing trust between you and your visitors and helping to prevent Man-in-the-middle attacks.
A Few Notes About Certificates
- Gigya can obtain a certificate on your behalf as part of your subscription. When we do, we use Comodo.
- For the best user experience possible, we require a SAN certificate.
- For security reasons, Gigya will not install wildcard SSL certificates.
- Gigya does offer Multi-Domain certificates under certain circumstances.
What Is A Multi-Domain Certificate
A multi-domain certificate is an SSL certificate that can be used for multiple (pre-defined) domains, i.e., myfirstsite.com and mysecondsite.net and subdomain.mythirdsite.mobi. Multi-Domain certificates differ from wildcard certificates in that a wildcard certificate can be used for all sub-domains of a single FQDN without defining what those URLs may be beforehand (e.g., *.mysite.com ), whereas a multi-domain certificate can be used for multiple FQDNs (up to 100 unique URLs per certificate). Gigya does not support wildcard certificates due to security issues that can arise from not pre-defining the authorized URLs.
A multi-domain certificate would be best used if your company has multiple TLDs, i.e., .net, .com, .co.uk, etc.
When provisioning an SSL certificate for a site, make sure the trusted domain is unique for this site. Provisioning will fail if any of the trusted domains are already associated with another site.
Before You Set Up Your Certificate
For this solution to work effectively, every site connected to the API Key needs to use a Domain Prefix with an SSL Certificate connected to it. Whenever a new site or subdomain is added to the API key's list of Trusted Site URLs on the Site Settings page of the Gigya Console, this certificate must be re-generated and domain ownership re-verified for all listed subdomains.
- Ensure that all domains and subdomains needed for the API key are listed correctly in the Trusted Site URLs section of the Site Settings page in the Gigya Console.
- Determine the Prefix (alias) that will be used for all the Trusted URLs of your site (e.g., login.yoursite.com or social.yoursite.com) as the CNAME.
- Contact Gigya Support or your Implementation Consultant to receive the Site ID of whichever API key you are setting up the SSL Certificate for and to make sure that they have the correct Prefix that you previously defined above.
Create a CNAME alias in your DNS records for each of the listed sites using the pre-defined Prefix and point them to
<siteID>.gigya-api.com. (Where siteID is the ID you received in Step 3, above).
Obtaining and Installing the Certificate
There are several steps required in order to obtain an SSL certificate.
Gigya will purchase and host your certificate, once you have given the necessary data to your Implementation Consultant you will only need to verify the emails that are sent to each of the Official email addresses associated with each of the trusted domains. Once verification is complete for all domains, your SSL certificate will be automatically installed for the listed domains.
Domain verification is performed by the Certificate Authority to ensure that you own the domain listed in the certificate. Gigya only supports verification via email, which requires the official contact emails listed in Whois for the domains to validate a verification email.
Gigya only supports domain verification by email via pointing your new CNAME to
<siteID>.gigya-api.com(Where siteID is received from Gigya Support during Step 3 of section Before You Set Up Your Certificate.
- The CA signs your certificate with their intermediate certificate(s), and sends the intermediate certificate(s) and your certificate for installation.
This recommended best practice that Gigya supports, is illustrated below.
Once the Certificate has been requested, the domain verification process takes place. If you correctly pointed your new CNAME to
<siteID>.gigya-api.com (you can receive your siteID from your Implementation Consultant) you will be asked to verify domain ownership of all listed sites via email. Once domain ownership has been verified (Gigya only supports domain verification via email to the domain's registered contact addresses), the Certificate Authority will sign your SSL certificate and provide the certificate bundle.
Gigya now has everything we need to install the certificate and your SSL should be active within one business day.
Detailed flow chart
The Custom Endpoint
Gigya will create a custom proxy endpoint dedicated to your CNAME in the form
<siteID>.gigya-api.com. You can receive the Site ID when you contact your Gigya Support or your Implementation Consultant to discuss the Prefix you will be using as an alias so that you can update the CNAME in your DNS record correctly.
As always, please contact your Gigya Support or your Implementation Consultant with any questions you may have.
If it is necessary for you to purchase your own certificate(s), contact Gigya Support for more information.