Presentation: SSO Integration Guide V1.3

User Manual:

Page Count: 13

MANAGE QUALIFICATION IN A SINGLE SYSTEM
IM|S INTELLIGENT MEDIA SYSTEMS AG
As of 10.03.2016
CRME® 3.0
SSO Integration Guide
netTrainment 3.0
Authentication Workflow
(Diagram: Application Context)
1. The user clicks on a link to be redirected to CRME.
2. A request is sent to CRME to check whether the user already exists.
3. If the user exists, a session token (the AuthorizationToken) is generated and returned.
4. If not, a new user has to be created first.
5. The server redirects the user to CRME using the token and the Public Key.
6. The user is silently logged in as a CRME user.
Security Overview
Public Key: identifies the External Provider and is used in the redirects, so it is visible to the user's browser.
Private Key: used only for server-to-server communication with the API. It is a bearer secret and must never appear in a redirect URL, a page or a script delivered to the browser.
IP Security: each Private API Key is associated with a set of IP addresses, and its use is allowed only from those IP addresses.
Only HTTPS is allowed (no plain HTTP).
(Diagram: CRME Server, External Provider Server and User's Browser; the Public Key is the only key on the browser-facing path.)
Authenticating and Authorizing
To authenticate requests to CRME, send the Private Key as the Bearer token in the Authorization header of each request.
Example authentication header:
Authorization: Bearer mF_9.B5f-4.1JqM
The Private Key may only be used for these server-to-server API requests, never in the browser redirects.
API Interface
/api/v1/auth
GET: checks for an existing user by identifier
POST: creates a new user
PUT: updates an existing user
Usage Examples:
GET: {url}/api/v1/auth/9nU2W01dJK
PUT: {url}/api/v1/auth
{ "Identifier": "9nU2W01dJK", "FirstName": "John", "LastName": "Doe", "Email": "john@doe.org", ... }
(Note: the per-method slides below use /api/v1/auth/{id} for both POST and PUT, and the SSO Workflow slide describes user creation with PUT although the method list above assigns creation to POST. Verify the verb and path against the live API before relying on either.)
API Errors
If a request fails, the response has status 400 Bad Request and a JSON body describing the error. For example, after a failed request you might receive:
{ "error" : "invalid_request", "error_description" : "One or more parameters are missing: client_secret" }
Body data: a JSON object with the following properties:
error: (string) An error code.
error_description: (string) A more detailed description of the error, intended for the developer of your app.
User Model
Name                Datatype   Required  Description/Restrictions
Identifier          String     X         Unique identifier of the user account in the external provider. Max 256 chars
UserName            String     X         Max 256 chars
Email               String     X         Max 256 chars
IsNonUniqueEmail    Bool       X         true / false (default is false)
FirstName           String     X         Max 100 chars
LastName            String     X         Max 100 chars
CountryCode         String     X         Two-letter ISO country code, e.g. GB
LanguageCode        String     X         Region ISO code, e.g. en-GB
ActivationCode      String               Max 200 chars
AuthorizationToken  String               Max 256 chars (provided by CRME)
Expiration          Timestamp            Unix timestamp, e.g. 1448046245 (provided by CRME)
A JSON object with these properties is used for the API requests.
All required fields are marked with an X in the table above.
All string values are Unicode.
GET /api/{version}/auth
Method/Request: GET /api/v1/auth/{id}
Summary: Get an existing user by identifier
Parameters:
  Identifier (in URL, required): Unique identifier of the user
Response:
  200  Successful, returns a User Model object with the authorization token and expiration timestamp
  400  Invalid data
  404  User not found
POST /api/{version}/auth/{id}
Method/Request: POST /api/v1/auth/{id}
Summary: Create a new user with identifier {id}
Parameters:
  Identifier (in URL, required): Unique identifier of the user
  User (in Body, required): The User Model to be created
Response:
  200  Successful, returns a User Model object
  400  Invalid data
PUT /api/{version}/auth/{id}
Method/Request: PUT /api/v1/auth/{id}
Summary: Update an existing user with identifier {id}
Parameters:
  Identifier (in URL, required): Unique identifier of the user
  User (in Body, required): The User Model with the updated properties
Response:
  200  Successful, returns a User Model object
  400  Invalid data
SSO Workflow
The External Provider requests to sign a user in to CRME with the GET request.
If the requested user does not exist, a new user is created first (this slide and the usage example on the API Interface slide use PUT for that; the method list and the per-method slides document creation as POST /api/v1/auth/{id} and PUT as update, so confirm the verb against the live API).
If the request is successful, the response delivers a User Model with the AuthorizationToken and Expiration timestamp for this user.
The user can then be redirected to CRME using the Public Key and the AuthorizationToken. The Private Key is used only for these server-to-server requests and never reaches the browser.
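The look-up-then-create exchange described above, written out as an added Python example. This is not IM|S code and is not part of the guide. It keeps the Private Key on the server as the Bearer token, treats a 404 as "create the user", parses the documented 400 error body, and fetches the token with a follow-up GET if the create response does not carry one. The base URL https://crme.example, the FakeCrme stand-in, its token values and the Email check are constructed so the code runs offline; https_transport is the drop-in for a real CRME instance.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import quote, urlsplit

# transport(method, url, headers, body) -> (status, response body); injectable so the demo runs offline
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


class CrmeApiError(Exception):
    """A failed request: the documented 400 body {error, error_description}."""
    def __init__(self, status: int, error: str, description: str) -> None:
        super().__init__(f"{status} {error}: {description}")
        self.status, self.error, self.description = status, error, description


class CrmeSsoClient:
    """Steps 2-4 of the Authentication Workflow, server to server only."""
    def __init__(self, base_url: str, private_key: str, transport: Transport) -> None:
        if urlsplit(base_url).scheme != "https":
            raise ValueError("CRME only allows HTTPS")
        self.base_url = base_url.rstrip("/")
        self.private_key = private_key  # bearer secret: stays on this server, never in a redirect
        self.transport = transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        headers = {"Authorization": "Bearer " + self.private_key, "Accept": "application/json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode("utf-8")
        status, raw = self.transport(method, self.base_url + path, headers, data)
        payload = json.loads(raw.decode("utf-8")) if raw else {}
        if status == 400:
            raise CrmeApiError(status, payload.get("error", ""), payload.get("error_description", ""))
        return status, payload

    def get_user(self, identifier: str) -> Optional[dict]:
        """GET /api/v1/auth/{id}: User Model with AuthorizationToken and Expiration, or None on 404."""
        status, payload = self._call("GET", "/api/v1/auth/" + quote(identifier, safe=""))
        if status == 404:
            return None
        if status != 200:
            raise CrmeApiError(status, "unexpected_status", "response not documented by the guide")
        return payload

    def create_user(self, user: dict) -> dict:
        # POST as on the API Interface slide; the SSO Workflow slide says PUT, so confirm the verb.
        status, payload = self._call("POST", "/api/v1/auth/" + quote(user["Identifier"], safe=""), user)
        if status != 200:
            raise CrmeApiError(status, "unexpected_status", "response not documented by the guide")
        return payload

    def sign_in(self, user: dict) -> dict:
        """Look the user up, create on 404, and always hand back a model that carries the token."""
        model = self.get_user(user["Identifier"])
        if model is None:
            model = self.create_user(user)
            if "AuthorizationToken" not in model:  # the create slide only promises a User Model
                model = self.get_user(user["Identifier"]) or model
        return model


def https_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport; 4xx/5xx are returned rather than raised so _call can read the error body."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class FakeCrme:
    """Constructed stand-in for CRME (not the real service) so the example runs offline."""
    def __init__(self, private_key: str) -> None:
        self.private_key, self.users, self.issued = private_key, {}, 0

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
        def bad_request(description: str) -> Tuple[int, bytes]:
            return 400, json.dumps({"error": "invalid_request", "error_description": description}).encode()
        if headers.get("Authorization") != "Bearer " + self.private_key:
            return bad_request("One or more parameters are missing: client_secret")
        ident = url.rsplit("/", 1)[1]
        if method == "GET":
            if ident not in self.users:
                return 404, b""
            self.issued += 1  # constructed: every GET hands out a fresh token
            self.users[ident].update(AuthorizationToken=f"tok-{self.issued}", Expiration=1448046245)
            return 200, json.dumps(self.users[ident]).encode()
        if method == "POST":
            user = json.loads(body or b"{}")
            if not user.get("Email"):
                return bad_request("One or more parameters are missing: Email")
            self.users[ident] = dict(user)  # constructed: the create response carries no token
            return 200, json.dumps(self.users[ident]).encode()
        return bad_request(f"unsupported method {method}")
```

To use it against a real instance, pass https_transport instead of FakeCrme; the client refuses a non-HTTPS base URL up front, and a 400 from a wrong key or IP surfaces as a CrmeApiError carrying the error code and description from the response body.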
Redirection to CRME via [GET]
After the AuthorizationToken has been delivered to the External Provider, it is used to sign the user in to CRME via GET:
Redirection URL:
https://crme.com/api/oauth2/Authenticate?PublicKey={PublicKey}&Token={AuthorizationToken}&ReturnUrl={URL}
The request requires:
PublicKey, which identifies the External Provider
AuthorizationToken of the specific user
ReturnUrl to the target website (URL-encode it, since it is passed as a query parameter)
This works only while the AuthorizationToken has not expired.
If the token has expired, the user is redirected back to the External Authentication Provider and a failed status result is returned. Store the AuthorizationToken together with its Expiration so that you can refresh it when necessary.
To refresh an AuthorizationToken, make another GET /api/v1/auth/{id} request; the new token and expiration are returned within the User Model.
With GET the token is part of the URL and therefore ends up in browser history and web server logs; the POST variant on the next slide keeps it in the request body instead.
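How a provider would apply the expiry rule above, as an added Python example (not IM|S code and not part of the guide): it checks the stored Expiration against the current time with a safety margin, refreshes the token through a GET callback when needed, and builds the redirection URL with proper query encoding. PROVIDER_HOST, REFRESH_MARGIN, the refresh callback and the sample timestamps are assumptions for the demo; only the Authenticate URL and the three parameter names come from the guide. Restricting ReturnUrl to the provider's own HTTPS host is this example's choice, not a documented CRME requirement.

```python
from typing import Callable, Dict, Tuple
from urllib.parse import urlencode, urlsplit

AUTHENTICATE_URL = "https://crme.com/api/oauth2/Authenticate"  # from the guide
PROVIDER_HOST = "portal.example"  # assumption: the External Provider's own site
REFRESH_MARGIN = 60  # assumption: treat a token as expired this many seconds early


def token_is_usable(expiration: int, now: int, margin: int = REFRESH_MARGIN) -> bool:
    """True while the stored Expiration (Unix timestamp) is still comfortably in the future."""
    return now + margin < expiration


def build_redirect_url(public_key: str, token: str, return_url: str) -> str:
    """GET redirection: PublicKey identifies the provider, Token the user, ReturnUrl the target."""
    parts = urlsplit(return_url)
    if parts.scheme != "https" or parts.hostname != PROVIDER_HOST:
        # example policy: only send users back to our own HTTPS site
        raise ValueError("ReturnUrl must point back to the provider's own HTTPS site")
    query = urlencode({"PublicKey": public_key, "Token": token, "ReturnUrl": return_url})
    return AUTHENTICATE_URL + "?" + query


def redirect_for(stored: Dict[str, object], now: int, refresh: Callable[[str], dict],
                 public_key: str, return_url: str) -> Tuple[str, dict]:
    """Reuse the stored token while valid; otherwise refresh it with another GET via the callback.

    Returns the redirection URL and the (possibly refreshed) record to persist.
    """
    if not token_is_usable(int(stored["Expiration"]), now):
        fresh = refresh(str(stored["Identifier"]))  # GET /api/v1/auth/{id} -> new token + Expiration
        stored = dict(stored, AuthorizationToken=fresh["AuthorizationToken"],
                      Expiration=fresh["Expiration"])
    return build_redirect_url(public_key, str(stored["AuthorizationToken"]), return_url), stored
```

The refresh callback is where the server-to-server client from the previous slide plugs in; redirect_for never touches the Private Key, so it can live in the request handler that renders the redirect.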
Redirection to CRME via [POST]
After the AuthorizationToken has been delivered to the External Provider, it is used to sign the user in to CRME via POST:
Redirection URL: https://crme.com/api/oauth2/Authenticate
The request requires:
PublicKey, which identifies the External Provider
AuthorizationToken of the specific user
ReturnUrl to the target website
This works only while the AuthorizationToken has not expired.
Sample script to submit a redirection request via POST (the values are rendered into the page by the External Provider server; only the Public Key and the user's token belong here, never the Private Key):
// Builds a hidden form with the given fields and submits it, so the
// AuthorizationToken travels in the POST body instead of the URL.
function jspost(path, params, method) {
  method = method || "post";
  var form = document.createElement("form");
  form.setAttribute("method", method);
  form.setAttribute("action", path);
  for (var key in params) {
    if (params.hasOwnProperty(key)) {
      var hiddenField = document.createElement("input");
      hiddenField.setAttribute("type", "hidden");
      hiddenField.setAttribute("name", key);
      hiddenField.setAttribute("value", params[key]);
      form.appendChild(hiddenField);
    }
  }
  document.body.appendChild(form);
  form.submit();
}

// Example call with the three required fields:
jspost("https://crme.com/api/oauth2/Authenticate", {
  PublicKey: "{PublicKey}",
  Token: "{AuthorizationToken}",
  ReturnUrl: "{URL}"
});
