Does Vnext 55'S Tapatalk Integration Support Logging In With Sso Integration — a configuration and setup topic from the APG vNext support community.
Key Configuration Points
- IIS App Pool: .NET 4.0 Integrated Pipeline mode is required.
- Connection String: Verify SQL Server name, database, and credentials in
web.config. - File Permissions: App pool identity needs read/write on the
upfilesfolder. - URL Rewriting: Install IIS URL Rewrite 2.0 module for clean SEO-friendly URLs.
- Full-Text Search: Enable SQL Server Full-Text Indexing for forum search.
More Help
APG vNext 5.5 Tapatalk Integration - SSO Support
APG vNext 5.5's Tapatalk integration does support SSO (Single Sign-On) for communities that have APG vNext's SSO configured. When Tapatalk users log in via the mobile app, they can authenticate through the same SSO provider as web users - eliminating the need for separate credentials for the mobile app.
SSO + Tapatalk Configuration
<!-- web.config -->
<add key="APG.Tapatalk.Enabled" value="true" />
<add key="APG.Tapatalk.SSOEnabled" value="true" />
<add key="APG.Tapatalk.SSOProvider" value="FormsAuth" />
<!-- SSOProvider options: FormsAuth | LDAP | OAuth2 | SAML -->
How Tapatalk SSO Works
- User opens the forum in Tapatalk and taps "Log In"
- Tapatalk sends an auth request to APG vNext's Tapatalk API endpoint
- APG vNext delegates authentication to the configured SSO provider
- If the SSO provider approves, APG vNext returns a Tapatalk session token
- The user is logged in across both the web interface and Tapatalk
Limitations
- SAML-based SSO requires Tapatalk app version 6.0+ to function correctly
- If SSO uses a browser-based redirect (OAuth2 authorization code flow), Tapatalk displays a web view for the SSO login page
Tapatalk SSO Token Expiry and Refresh
When Tapatalk SSO is enabled, the session token issued to the Tapatalk app has a configurable expiry time. By default, tokens expire after 30 days of inactivity. When a token expires, the member is prompted to log in again in the Tapatalk app. Configure token lifetime based on your community's security requirements versus member convenience trade-off:
<add key="APG.Tapatalk.SessionTokenExpireDays" value="30" />
<!-- Shorten for high-security corporate forums (e.g., 7 days) -->
<!-- Extend for consumer community forums (e.g., 90 days) -->
<add key="APG.Tapatalk.SlidingExpiration" value="true" />
<!-- Sliding: reset timer on each app interaction -->
Handling SSO Provider Downtime in Tapatalk
If the external SSO provider (LDAP, OAuth2, SAML) is temporarily unavailable, Tapatalk users attempting to log in during the outage will receive an authentication error. Configure APG vNext to show a meaningful error message in this scenario rather than a generic failure. For internal corporate forums where SSO provider downtime coincides with Windows infrastructure issues, also configure APG vNext to fall back to local form authentication for emergency admin access so the admin panel remains accessible even if the primary SSO provider is down.
Tapatalk SSO Logging and Audit Trail
All Tapatalk SSO authentication attempts (successful and failed) are logged in the APG vNext audit log with the member username, IP address, device identifier from the Tapatalk app, and timestamp. Review this log periodically to identify unusual patterns: multiple failed login attempts from a single IP could indicate a brute-force attack on the Tapatalk API endpoint, or a misconfigured SSO provider rejecting valid users. The Tapatalk API endpoint should be included in your IIS rate limiting rules to prevent brute-force attacks.
Tapatalk Integration Verification Checklist
After configuring APG vNext 5.5 Tapatalk integration with SSO, run through this verification checklist before announcing Tapatalk availability to your members. First, install the Tapatalk app on at least one iOS device and one Android device. Open the app, search for your forum by domain or name, and verify it appears in the search results. Tap your forum listing and verify the category structure and thread list loads correctly. Tap a thread and verify posts display correctly, including any custom HTML or BBCode formatting. Tap the post reply button and verify the editor opens and a test reply can be submitted. Log out within the Tapatalk app and log back in using an account with SSO enabled to verify the SSO flow completes successfully. Finally, verify that a push notification arrives on the test device after a reply is posted to a watched thread.
SSO Configuration Considerations for Different Forum Types
The optimal Tapatalk SSO configuration differs significantly between forum types. Public consumer communities benefit from social login SSO (Google, Facebook, Apple) so members can use existing social accounts without creating a forum-specific password. Corporate intranet forums require Active Directory or Azure AD SSO so staff authenticate with their corporate credentials. Academic forums typically use institution-provided OAuth2 or SAML providers. For each forum type, the Tapatalk SSO configuration should mirror the web-based SSO configuration so that the mobile and web authentication experience is as consistent as possible — members should not need to understand or manage different credentials for the same forum depending on whether they access it via browser or via Tapatalk.
Related Resources
Looking for more help? Browse the support forum or check the Knowledge Base.