Simple One-Way SSO
Simple One-Way SSO is a quick and easy way to create an authentication request into the Acquia DAM. The authentication request consists of fields used to identify the user attempting to authenticate along with a time-sensitive signature.
A signature value is required to authenticate that the login request was produced by a trusted server.
The signature is generated by concatenating the values of all the user fields, sorted alphabetically by key name, appending a shared secret key (issued by Acquia DAM) to the end of that string, and taking the MD5 hash of the result.
Example
If your request contains these parameters:
timestamp=Sun, 20 Jul 1969 20:17:39 GMT&guid=123456&email=neil.armstrong@nasa.gov&username=moonWalker1969&first_name=Neil&last_name=Armstrong&title=Commander&company=NASA&street_address=300 E Street SW&city=Washington&state=DC&zip=20546&country=USA&phone=+12023580001&department=Spaceflight&roles=Astronaut, Apollo, Apollo 11&registration_code=National Hero&redirection_url=/portals&user_metadata_key=User Metadata Value
And your shared secret is super-secure-shared-secret
Build string of all form values sorted alphabetically by key: WashingtonNASAUSASpaceflightneil.armstrong@nasa.govNeil123456Armstrong+12023580001/portalsNational HeroAstronaut, Apollo, Apollo 11DC300 E Street SWSun, 20 Jul 1969 20:17:39 GMTCommanderUser Metadata ValuemoonWalker196920546
Append the shared secret: WashingtonNASAUSASpaceflightneil.armstrong@nasa.govNeil123456Armstrong+12023580001/portalsNational HeroAstronaut, Apollo, Apollo 11DC300 E Street SWSun, 20 Jul 1969 20:17:39 GMTCommanderUser Metadata ValuemoonWalker196920546super-secure-shared-secret
Calculate the MD5 hash of the concatenated string. This is the signature submitted with the request: b509c14e00e3b3134c985ae6fc4da298
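The following Python is an added illustration of the signing steps above, not code from Acquia; the sample parameters and secret are the ones from the worked example, and the server-side verify() function (including the constant-time comparison) is the editor's suggestion for what a receiving end should do, not something the page specifies. Note that the sort is a plain byte-wise sort of the key names, which is why user_metadata_key precedes username in the concatenated string.

```python
import hashlib
import hmac

# Constructed sample: the request parameters from the worked example above.
SAMPLE_PARAMS = {
    "timestamp": "Sun, 20 Jul 1969 20:17:39 GMT",
    "guid": "123456",
    "email": "neil.armstrong@nasa.gov",
    "username": "moonWalker1969",
    "first_name": "Neil",
    "last_name": "Armstrong",
    "title": "Commander",
    "company": "NASA",
    "street_address": "300 E Street SW",
    "city": "Washington",
    "state": "DC",
    "zip": "20546",
    "country": "USA",
    "phone": "+12023580001",
    "department": "Spaceflight",
    "roles": "Astronaut, Apollo, Apollo 11",
    "registration_code": "National Hero",
    "redirection_url": "/portals",
    "user_metadata_key": "User Metadata Value",
}
SAMPLE_SECRET = "super-secure-shared-secret"  # the example secret from the page


def canonical_string(params):
    """Concatenate the values of every field except 'signature', ordered by a
    plain (byte-wise) sort of the key names. Because '_' sorts before 'n',
    'user_metadata_key' comes before 'username', matching the example string."""
    return "".join(params[key] for key in sorted(params) if key != "signature")


def sign(params, secret):
    """Signature = MD5(canonical values + shared secret), as the page specifies."""
    data = (canonical_string(params) + secret).encode("utf-8")
    return hashlib.md5(data).hexdigest()


def build_request(params, secret):
    """Return the form fields to POST to /auth/simple, with the signature added.
    The secret itself never leaves the server that builds the request."""
    signed = dict(params)
    signed["signature"] = sign(params, secret)
    return signed


def verify(params, secret):
    """Editor's suggested receiving-side check (not part of the Acquia spec):
    recompute the signature over the received fields and compare it in constant
    time, so a mismatch is rejected without leaking where the digests differ."""
    presented = params.get("signature", "")
    return hmac.compare_digest(presented, sign(params, secret))


if __name__ == "__main__":
    request = build_request(SAMPLE_PARAMS, SAMPLE_SECRET)
    print(canonical_string(SAMPLE_PARAMS))
    print("signature:", request["signature"])
    print("verifies:", verify(request, SAMPLE_SECRET))
```

Because the timestamp is one of the signed fields, an attacker who can see a request cannot simply edit the timestamp to extend its life; any change to a field, or use of a different secret, produces a different digest and verify() rejects it.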
Timestamp format
The timestamp value is required to be part of the request to prevent “replay” forgeries.
Acquia DAM will reject any request whose timestamp is more than 30 minutes ahead of or behind the current time.
The timestamp must be formatted according to the RFC-2822 date format.
Formatting examples
Java
import java.text.SimpleDateFormat;
import java.util.*; // Date, Locale, TimeZone

SimpleDateFormat df = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss z", Locale.US);
df.setTimeZone(TimeZone.getTimeZone("GMT")); // always emit GMT so the zone token is "GMT"
String value = df.format(new Date());        // e.g. "Sun, 20 Jul 1969 20:17:39 GMT"
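As an added example (not from the page or from Acquia), the same RFC 2822 formatting done in Python with the standard library, together with the freshness check a receiving side would apply to enforce the 30-minute window described above. The window-check function is an assumption about how a verifier would implement the rule, not Acquia's own code.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# The page states a 30-minute tolerance in either direction.
WINDOW = timedelta(minutes=30)


def make_timestamp(now=None):
    """RFC 2822 timestamp in GMT, e.g. 'Sun, 20 Jul 1969 20:17:39 GMT'.
    usegmt=True emits the literal 'GMT' zone token rather than '+0000'."""
    now = now or datetime.now(timezone.utc)
    return format_datetime(now.astimezone(timezone.utc), usegmt=True)


def timestamp_is_fresh(value, now=None, window=WINDOW):
    """Return True only if value parses as an RFC 2822 date and lies within
    +/- window of now. Unparseable or missing values are rejected, never
    treated as 'now'."""
    try:
        stamp = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return False
    if stamp.tzinfo is None:
        # A '-0000' zone yields a naive datetime; interpret it as UTC.
        stamp = stamp.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return abs(now - stamp) <= window


if __name__ == "__main__":
    # Constructed sample: the moment used in the page's worked example.
    landing = datetime(1969, 7, 20, 20, 17, 39, tzinfo=timezone.utc)
    print(make_timestamp(landing))
    print(timestamp_is_fresh(make_timestamp(landing), now=landing + timedelta(minutes=29)))
    print(timestamp_is_fresh(make_timestamp(landing), now=landing + timedelta(minutes=31)))
```

Keep the signing server's clock synchronised (NTP); a clock skew larger than the window causes every request to be rejected as stale.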
All communications are transmitted over a secure HTTP connection (HTTPS, i.e. TLS, formerly SSL). Because that protection applies only to the transmission itself and not to the form values, a signature scheme is specified to ensure that the form field values were not modified after your server generated the markup.
Authenticating with Simple One-Way SSO [/auth/simple]
Note
For ease of use, HTTP GET requests are supported but contain query parameters that are not encrypted via SSL and are therefore vulnerable to replay attacks. Acquia DAM recommends using HTTP POST requests for Simple One-Way SSO requests.
guid: 123456 - Unique identifier value for the user. This value determines user uniqueness in the Collective. If a unique identifier is not available for the user, the user’s email address may be a suitable substitute. Best practice is not to expose internal user identifiers directly, but to salt and hash them before sending them to the Collective.
roles: Astronaut, Apollo, Apollo 11 (optional) - A comma-delimited list of values that match any existing role names within the Collective that will update the user's roles to exactly match what was supplied. If a value for roles is not supplied, then newly created users will be given roles based on the registration_code (existing users in the Collective will simply not have their roles changed).
registration_code: National Hero (optional) - Collective registration code name (used during just-in-time user creation only)
redirection_url: /portals (optional) - Relative URL to redirect to after authentication
user_metadata_key: User Metadata Value (optional) - Optionally, one or more additional parameters can be supplied within the request that match any existing User Metadata field keys within the Collective. If a parameter name is matched, the provided value will be set for the user’s metadata value.
Location: /dam/dashboard (or value of redirection_url parameter, if supplied)
HTTP GET [GET /auth/simple{?timestamp,signature,guid,email,username,first_name,last_name,title,company,street_address,city,state,zip,country,phone,department,roles,registration_code,redirection_url,user_metadata_key}]
Parameters
timestamp: Sun, 20 Jul 1969 20:17:39 GMT - Timestamp of the request in RFC-2822 format.
guid: 123456 - Unique identifier value for the user. This value determines user uniqueness in the Collective. If a unique identifier is not available for the user, the user’s email address may be a suitable substitute. Best practice is not to expose internal user identifiers directly, but to salt and hash them before sending them to the Collective.
roles: Astronaut, Apollo, Apollo 11 (optional) - A comma-delimited list of values that match any existing role names within the Collective that will update the user's roles to exactly match what was supplied. If a value for roles is not supplied, then newly created users will be given roles based on the registration_code (existing users in the Collective will simply not have their roles changed).
registration_code: National Hero (optional) - Collective registration code name (used during just-in-time user creation only)
redirection_url: /portals (optional) - Relative URL to redirect to after authentication
user_metadata_key: User Metadata Value (optional) - Optionally, one or more additional parameters can be supplied within the request that match any existing User Metadata field keys within the Collective. If a parameter name is matched, the provided value will be set for the user’s metadata value.
Response 302
Headers
Location: /dam/dashboard (or value of redirection_url parameter, if supplied)