Moovapps SSO
This is a custom SSO solution. The aim is to provide user transparent SSO. We based this SSO on :
- Directory synchronization. Client and provider must have a fully synchronized directory (except for the password). User logins have to be known by client and provider.
- A secret shared between client and provider
SSO protocol
The client must handle 2 query parameters SSOLogin and SSOToken.
When a query to the client provides these 2 parameters the client must check the SSOToken validity. To do this, the client computes the valid SSOToken and compares it to the SSOToken parameter. If the given SSOToken matches the computed one, the user must be automatically logged in client-side.
SSORedirectUrl parameter
When a user tries to get access to a secured page client-side without being authenticated, the following behavior must be enforced :
- The client must redirect the user to the provider’s login page with the SSORedirectUrl parameter
- If the user is logged in on the provider, the provider must redirect it to SSORedirectUrl
- Else
- The provider must prompt for login
- After being logged in provider-side, the provider must redirect it to SSORedirectUrl
When redirecting, the provider must decorate the SSORedirectUrl with SSOLogin and SSOToken.
SSOToken computing
The secret must be known by both the client and by provider.
SSOToken = MD5hex(login+:secret+date)
- login => the user’s login
- secret => the configured secret
- date => the current date formatted as ddMMyyyy
- + => is String concatenation
Moovapps Workplace as SSO provider
Workplace version 2.3 (and above) is capable to act as a provider for the described protocol. Please check the documentation for more details about the configuration.
SSO Client
To be client of this protocol the following must be implemented :
- directory synchronization
- SSOLogin and SSOToken handling
- SSOToken matching
- secret storing
- anonymous access to a secured page resulting in redirection with SSORedirectUrl