---
title: "Simple One-Way SSO"
date: "2026-05-13T07:23:48+00:00"
summary:
image:
type: "page"
url: "/acquia-dam/simple-one-way-sso"
id: "34b5963e-daf8-4095-a2bd-3ec2116ddf38"
---

Simple One-Way SSO is a quick and easy way to create an authentication request into the Acquia DAM. The authentication request consists of fields used to identify the user attempting to authenticate along with a time-sensitive signature.

Implementation examples
-----------------------

Implementation examples in several languages are available at [https://github.com/Widen/widen-sso-examples](https://github.com/Widen/widen-sso-examples).

How to calculate a valid signature
----------------------------------

A signature value is required to authenticate that the login request was produced by a trusted server.

The signature is the MD5 hash of a single string: the values of all the user fields, concatenated in alphabetical order of their key names, with the shared secret key (issued by Acquia DAM) appended at the end.

### Example

If your request contains these parameters:

    timestamp=Sun, 20 Jul 1969 20:17:39 GMT&guid=123456&email=neil.armstrong@nasa.gov&username=moonWalker1969&first_name=Neil&last_name=Armstrong&title=Commander&company=NASA&street_address=300 E Street SW&city=Washington&state=DC&zip=20546&country=USA&phone=+12023580001&department=Spaceflight&roles=Astronaut, Apollo, Apollo 11&registration_code=National Hero&redirection_url=/portals&user_metadata_key=User Metadata Value

And your shared secret is `super-secure-shared-secret`:

1.  Build a string of all form values sorted alphabetically by key: `WashingtonNASAUSASpaceflightneil.armstrong@nasa.govNeil123456Armstrong+12023580001/portalsNational HeroAstronaut, Apollo, Apollo 11DC300 E Street SWSun, 20 Jul 1969 20:17:39 GMTCommanderUser Metadata ValuemoonWalker196920546`
2.  Append the shared secret: `WashingtonNASAUSASpaceflightneil.armstrong@nasa.govNeil123456Armstrong+12023580001/portalsNational HeroAstronaut, Apollo, Apollo 11DC300 E Street SWSun, 20 Jul 1969 20:17:39 GMTCommanderUser Metadata ValuemoonWalker196920546super-secure-shared-secret`
3.  Calculate the MD5 hash of the concatenated string. This is the signature submitted with the request: `b509c14e00e3b3134c985ae6fc4da298`

Timestamp format
----------------

The timestamp value is required to be part of the request to prevent “replay” forgeries.

Acquia DAM will reject any request whose timestamp is more than 30 minutes ahead of or behind the current time.

The timestamp must be formatted according to the [RFC-2822](https://tools.ietf.org/html/rfc2822#page-14) date format.
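The signature steps and the timestamp rule described above, combined in one Python example that is added here and is not Acquia's code or taken from the linked repository. The function names, the UTF-8 encoding, and the receiver-side logic in `verify` are assumptions; the sort, concatenate, append-secret, MD5 steps and the 30-minute window come from this page.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

MAX_SKEW = timedelta(minutes=30)  # acceptance window stated on this page


def canonical_string(fields):
    """Values of every field except the signature, ordered by key name."""
    return "".join(fields[k] for k in sorted(fields) if k != "signature")


def sign(fields, secret):
    """MD5 hex digest of the sorted values with the shared secret appended."""
    data = canonical_string(fields) + secret
    return hashlib.md5(data.encode("utf-8")).hexdigest()  # UTF-8 is assumed


def build_request(user_fields, secret, now):
    """Sender side: add an RFC 2822 GMT timestamp, then sign all fields."""
    fields = dict(user_fields)
    fields["timestamp"] = format_datetime(now.astimezone(timezone.utc), usegmt=True)
    fields["signature"] = sign(fields, secret)
    return fields


def verify(fields, secret, now):
    """Receiver side (assumed logic): check the signature, then freshness."""
    claimed = fields.get("signature", "").encode("utf-8")
    if not hmac.compare_digest(sign(fields, secret).encode("utf-8"), claimed):
        return "bad-signature"
    try:
        sent = parsedate_to_datetime(fields["timestamp"])
    except (KeyError, TypeError, ValueError):
        return "bad-timestamp"
    if sent.tzinfo is None:  # no usable zone, cannot compare safely
        return "bad-timestamp"
    if abs(now - sent) > MAX_SKEW:
        return "expired"
    return "ok"


# Constructed sample run: a subset of the page's example fields.
SECRET = "super-secure-shared-secret"
USER = {"guid": "123456", "email": "neil.armstrong@nasa.gov", "roles": "Astronaut"}
SENT_AT = datetime(1969, 7, 20, 20, 17, 39, tzinfo=timezone.utc)
REQUEST = build_request(USER, SECRET, SENT_AT)
print(REQUEST["timestamp"], verify(REQUEST, SECRET, SENT_AT + timedelta(minutes=5)))
```

Because the timestamp is one of the signed fields, changing it to fit the window invalidates the signature, which is what ties the replay check to the integrity check.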

### Formatting examples

#### Java

    SimpleDateFormat df = new SimpleDateFormat("EEE, dd MMM yyyy HH:mm:ss z", Locale.US);
    df.setTimeZone(TimeZone.getTimeZone("GMT"));
    String value = df.format(new Date());

#### .NET

[http://msdn.microsoft.com/enus/library/az4se3k1.aspx#RFC1123](http://msdn.microsoft.com/enus/library/az4se3k1.aspx#RFC1123) (RFC-2822 is a subset of RFC-1123.)

#### PHP

    gmdate("D, d M Y H:i:s \G\M\T")

[http://php.net/manual/en/function/gmdate.php](http://php.net/manual/en/function/gmdate.php)

Data security
-------------

All communications are transmitted over a secure HTTP connection (TLS, aka SSL). Because TLS secures only the transmission at the network layer, a signature scheme is also specified to ensure that form field values were not modified after your server generated the markup.

Authenticating with Simple One-Way SSO \[/auth/simple\]
-------------------------------------------------------

Note

For ease of use, HTTP GET requests are supported but contain query parameters that are not encrypted via SSL and are therefore vulnerable to replay attacks. Acquia DAM recommends using HTTP POST requests for Simple One-Way SSO requests.

### HTTP POST [\[POST\]](https://example.widencollective.com/auth/simple)

#### Parameters

*   timestamp: `Sun, 20 Jul 1969 20:17:39 GMT` - Timestamp of the request in [RFC-2822](https://tools.ietf.org/html/rfc2822#page-14) format.
*   signature: `b509c14e00e3b3134c985ae6fc4da298` - See [how to calculate a valid signature](#calculate-signature).
*   guid: `123456` - Unique identifier value for the user. This value determines user uniqueness in the Collective. If a unique identifier is not available for the user, the user’s email address may be a suitable substitute. Best practice is to not directly expose internal user identifiers, but instead to salt and hash them before sending them to the Collective.
*   email: `neil.armstrong@nasa.gov`
*   username: `moonWalker1969` (optional)
*   first\_name: `Neil` (optional)
*   last\_name: `Armstrong` (optional)
*   title: `Commander` (optional)
*   company: `NASA` (optional)
*   street\_address: `300 E Street SW` (optional)
*   city: `Washington` (optional)
*   state: `DC` (optional)
*   zip: `20546` (optional)
*   country: `USA` (optional)
*   phone: `+12023580001` (optional)
*   department: `Spaceflight` (optional)
*   roles: `Astronaut, Apollo, Apollo 11` (optional) - A comma-delimited list of values that match any existing role names within the Collective that will update the user's roles to exactly match what was supplied. If a value for roles is not supplied, then newly created users will be given roles based on the registration\_code (existing users in the Collective will simply not have their roles changed).
*   registration\_code: `National Hero` (optional) - Collective registration code name (used during just-in-time user creation only)
*   redirection\_url: `/portals` (optional) - Relative URL to redirect to after authentication
*   user\_metadata\_key: `User Metadata Value` (optional) - Optionally, one or more additional parameters can be supplied within the request that match any existing User Metadata field keys within the Collective. If a parameter name is matched, the provided value will be set for the user’s metadata value.

#### Request (application/x-www-form-urlencoded)

    timestamp=Fri%2C%207%20Aug%202015%2C%2017%3A06%3A08%20GMT
    &signature=61d76586828232022304c863f0c48b82
    &guid=123456
    &email=postmaster%40usa.gov
    &username=postmaster
    &first_name=First
    &last_name=Last
    &title=Developer
    &company=Acquia
    &street_address=6911%20Mangrove%20Ln
    &city=Madison
    &state=WI
    &zip=53714
    &country=USA
    &phone=6085555555
    &department=Software
    &roles=US%20Region%2C%20France%20Region
    &registration_code=Simple%20One-Way%20SSO%20Auto-Approve
    &redirection_url=%2Fportals
    &user_metadata_key=User%20Metadata%20Value

#### Response 302

##### Headers

    Location: /dam/dashboard (or value of redirection_url parameter, if supplied)

### HTTP GET \[GET /auth/simple{?timestamp,signature,guid,email,username,first\_name,last\_name,title,company,street\_address,city,state,zip,country,phone,department,roles,registration\_code,redirection\_url,user\_metadata\_key}\]

#### Parameters

*   timestamp: `Sun, 20 Jul 1969 20:17:39 GMT` - Timestamp of the request in [RFC-2822](https://tools.ietf.org/html/rfc2822#page-14) format.
*   signature: `b509c14e00e3b3134c985ae6fc4da298` - See [how to calculate a valid signature](#calculate-signature).
*   guid: `123456` - Unique identifier value for the user. This value determines user uniqueness in the Collective. If a unique identifier is not available for the user, the user’s email address may be a suitable substitute. Best practice is to not directly expose internal user identifiers, but instead to salt and hash them before sending them to the Collective.
*   email: `neil.armstrong@nasa.gov`
*   username: `moonWalker1969` (optional)
*   first\_name: `Neil` (optional)
*   last\_name: `Armstrong` (optional)
*   title: `Commander` (optional)
*   company: `NASA` (optional)
*   street\_address: `300 E Street SW` (optional)
*   city: `Washington` (optional)
*   state: `DC` (optional)
*   zip: `20546` (optional)
*   country: `USA` (optional)
*   phone: `+12023580001` (optional)
*   department: `Spaceflight` (optional)
*   roles: `Astronaut, Apollo, Apollo 11` (optional) - A comma-delimited list of values that match any existing role names within the Collective that will update the user's roles to exactly match what was supplied. If a value for roles is not supplied, then newly created users will be given roles based on the registration\_code (existing users in the Collective will simply not have their roles changed).
*   registration\_code: `National Hero` (optional) - Collective registration code name (used during just-in-time user creation only)
*   redirection\_url: `/portals` (optional) - Relative URL to redirect to after authentication
*   user\_metadata\_key: `User Metadata Value` (optional) - Optionally, one or more additional parameters can be supplied within the request that match any existing User Metadata field keys within the Collective. If a parameter name is matched, the provided value will be set for the user’s metadata value.

#### Response 302

##### Headers

    Location: /dam/dashboard (or value of redirection_url parameter, if supplied)