Simple One-Way SSO is a quick and easy way to create an authentication request into the Acquia DAM. The authentication request consists of fields used to identify the user attempting to authenticate along with a time-sensitive signature.

Implementation examples

Here are the implementation examples in several different languages. See https://github.com/Widen/widen-sso-examples.

How to calculate a valid signature

A signature value is required to authenticate that the login request was produced by a trusted server.

The signature is generated by taking the MD5 hash value of all the user fields, sorted alphabetically by key name, and appending a shared secret key (issued by Acquia DAM) at the end of the string.

Example

If your request contains these parameters:
 timestamp=Sun, 20 Jul 1969 20:17:39 GMT&guid=123456&[email protected]&username=moonWalker1969&first_name=Neil&last_name=Armstrong&title=Commander&company=NASA&street_address=300 E Street SW&city=Washington&state=DC&zip=20546&country=USA&phone=+12023580001&department=Spaceflight&roles=Astronaut, Apollo, Apollo 11&registration_code=National Hero&redirection_url=/portals&user_metadata_key=User Metadata Value 

And your shared secret is super-secure-shared-secret

1. Build string of all form values sorted alphabetically by key: WashingtonNASAUSASpaceflightneil.armstrong@nasa.govNeil123456Armstrong+12023580001/portalsNational HeroAstronaut, Apollo, Apollo 11DC300 E Street SWSun, 20 Jul 1969 20:17:39 GMTCommanderUser Metadata ValuemoonWalker196920546
2. Append the shared secret: WashingtonNASAUSASpaceflightneil.armstrong@nasa.govNeil123456Armstrong+12023580001/portalsNational HeroAstronaut, Apollo, Apollo 11DC300 E Street SWSun, 20 Jul 1969 20:17:39 GMTCommanderUser Metadata ValuemoonWalker196920546super-secure-shared-secret

Simple One-Way SSO is a quick and easy way to create an authentication request into the Acquia DAM. The authentication request consists of fields used to identify the user attempting to authenticate along with a time-sensitive signature.

Implementation examples

Here are the implementation examples in several different languages. See https://github.com/Widen/widen-sso-examples.

How to calculate a valid signature

A signature value is required to authenticate that the login request was produced by a trusted server.

The signature is generated by taking the MD5 hash value of all the user fields, sorted alphabetically by key name, and appending a shared secret key (issued by Acquia DAM) at the end of the string.

Example

If your request contains these parameters:
 timestamp=Sun, 20 Jul 1969 20:17:39 GMT&guid=123456&[email protected]&username=moonWalker1969&first_name=Neil&last_name=Armstrong&title=Commander&company=NASA&street_address=300 E Street SW&city=Washington&state=DC&zip=20546&country=USA&phone=+12023580001&department=Spaceflight&roles=Astronaut, Apollo, Apollo 11&registration_code=National Hero&redirection_url=/portals&user_metadata_key=User Metadata Value 

And your shared secret is super-secure-shared-secret

1. Build string of all form values sorted alphabetically by key: WashingtonNASAUSASpaceflightneil.armstrong@nasa.govNeil123456Armstrong+12023580001/portalsNational HeroAstronaut, Apollo, Apollo 11DC300 E Street SWSun, 20 Jul 1969 20:17:39 GMTCommanderUser Metadata ValuemoonWalker196920546
2. Append the shared secret: WashingtonNASAUSASpaceflightneil.armstrong@nasa.govNeil123456Armstrong+12023580001/portalsNational HeroAstronaut, Apollo, Apollo 11DC300 E Street SWSun, 20 Jul 1969 20:17:39 GMTCommanderUser Metadata ValuemoonWalker196920546super-secure-shared-secret
3. Calculate the MD5 hash of the concatenated string. This is the signature submitted with the request: b509c14e00e3b3134c985ae6fc4da298

Timestamp format

The timestamp value is required to be part of the request to prevent “replay” forgeries.

Acquia DAM will reject any request that was generated 30 minutes ahead or behind the current time.

The timestamp must be formatted according to the RFC-2822 date format.

Formatting examples

Java

SimpleDateFormat df = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss z", Locale.US);
df.setTimeZone(TimeZone.getTimeZone("GMT"));
String value = df.format(new Date());

.NET

http://msdn.microsoft.com/enus/library/az4se3k1.aspx#RFC1123 (RFC-2822 is a subset of RFC-1123.)

PHP

gmdate("D, d M Y H:i:s \G\M\T")

http://php.net/manual/en/function/gmdate.php

Data security

All communications will be transmitted over a secure HTTP connection (TLS, aka SSL). Because the transmission is secured at the network layer, a signature value scheme is specified to ensure that form field values were not modified after your server generated the markup.

Authenticating with Simple One-Way SSO [/auth/simple]

HTTP POST [POST]

Parameters

• timestamp: Sun, 20 Jul 1969, 20:17:39 GMT - Timestamp of the request in RFC-2822 format.
• signature: b509c14e00e3b3134c985ae6fc4da298 - See how to calculate a valid signature.
• guid: 123456 - Unique identifier value for the user. This value determines user uniqueness in the Collective. If a unique identifier is not available for the user, the user’s email address may be a suitable substitute. Best practices says to not directly expose internal user identifiers, but instead salt and hash them before sending them to the Collective.
• email: [email protected]
• username: moonWalker1969 (optional)
• first_name: Neil (optional)
• last_name: Armstrong (optional)
• title: Commander (optional)
• company: NASA (optional)
• street_address: 300 E Street SW (optional)
• city: Washington (optional)
• state: DC (optional)
• zip: 20546 (optional)
• country: USA (optional)
• phone: +12023580001 (optional)
• department: Spaceflight (optional)
• roles: Astronaut, Apollo, Apollo 11 (optional) - A comma-delimited list of values that match any existing role names within the Collective that will update the user's roles to exactly match what was supplied. If a value for roles is not supplied, then newly created users will be given roles based on the registration_code (existing users in the Collective will simply not have their roles changed).
• registration_code: National Hero (optional) - Collective registration code name (used during just-in-time user creation only)
• redirection_url: /portals (optional) - Relative URL to redirect to after authentication
• user_metadata_key: User Metadata Value (optional) - Optionally, one or more additional parameters can be supplied within the request that match any existing User Metadata field keys within the Collective. If a parameter name is matched, the provided value will be set for the user’s metadata value.

Request (application/x-www-form-urlencoded)

timestamp=Fri%2C%207%20Aug%202015%2C%2017%3A06%3A08%20GMT
&signature=61d76586828232022304c863f0c48b82
&guid=123456
&email=postmaster%40usa.gov
&username=postmaster
&first_name=First
&last_name=Last
&title=Developer
&company=Acquia
&street_address=6911%20Mangrove%20Ln
&city=Madison
&state=WI
&zip=53714
&country=USA
&phone=6085555555
&department=Software
&roles=US%20Region%2C%20France%20Region
&registration_code=Simple%20One-Way%20SSO%20Auto-Approve
&redirection_url=%2Fportals
&user_metadata_key=User%20Metadata%20Value

Response 302

Headers

Location: /dam/dashboard (or value of redirection_url parameter, if supplied)

HTTP GET [GET /auth/simple{?timestamp,signature,guid,email,username,first_name,last_name,title,company,street_address,city,state,zip,country,phone,department,roles,registration_code,redirection_url,user_metadata_key}]

Parameters

• timestamp: Sun, 20 Jul 1969, 20:17:39 GMT - Timestamp of the request in RFC-2822 format.
• signature: b509c14e00e3b3134c985ae6fc4da298 - See how to calculate a valid signature.
• guid: 123456 - Unique identifier value for the user. This value determines user uniqueness in the Collective. If a unique identifier is not available for the user, the user’s email address may be a suitable substitute. Best practices says to not directly expose internal user identifiers, but instead salt and hash them before sending them to the Collective.
• email: [email protected]
• username: moonWalker1969 (optional)
• first_name: Neil (optional)
• last_name: Armstrong (optional)
• title: Commander (optional)
• company: NASA (optional)
• street_address: 300 E Street SW (optional)
• city: Washington (optional)
• state: DC (optional)
• zip: 20546 (optional)
• country: USA (optional)
• phone: +12023580001 (optional)
• department: Spaceflight (optional)
• roles: Astronaut, Apollo, Apollo 11 (optional) - A comma-delimited list of values that match any existing role names within the Collective that will update the user's roles to exactly match what was supplied. If a value for roles is not supplied, then newly created users will be given roles based on the registration_code (existing users in the Collective will simply not have their roles changed).
• registration_code: National Hero (optional) - Collective registration code name (used during just-in-time user creation only)
• redirection_url: /portals (optional) - Relative URL to redirect to after authentication
• user_metadata_key: User Metadata Value (optional) - Optionally, one or more additional parameters can be supplied within the request that match any existing User Metadata field keys within the Collective. If a parameter name is matched, the provided value will be set for the user’s metadata value.

Response 302

Headers

Location: /dam/dashboard (or value of redirection_url parameter, if supplied)