Moovapps SSO

This is a custom SSO solution. The aim is to provide user transparent SSO. We based this SSO on :

Directory synchronization. Client and provider must have a fully synchronized directory (except for the password). User logins have to be known by client and provider.
A secret shared between client and provider

SSO protocol

The client must handle 2 query parameters SSOLogin and SSOToken.

When a query to the client provides these 2 parameters the client must check the SSOToken validity. To do this, the client computes the valid SSOToken and compares it to the SSOToken parameter. If the given SSOToken matches the computed one, the user must be automatically logged in client-side.

SSORedirectUrl parameter

When a user tries to get access to a secured page client-side without being authenticated, the following behavior must be enforced :

The client must redirect the user to the provider’s login page with the SSORedirectUrl parameter
If the user is logged in on the provider, the provider must redirect it to SSORedirectUrl
Else
The provider must prompt for login
After being logged in provider-side, the provider must redirect it to SSORedirectUrl

When redirecting, the provider must decorate the SSORedirectUrl with SSOLogin and SSOToken.

SSOToken computing

The secret must be known by both the client and by provider.

SSOToken = MD5hex(login+:secret+date)

login => the user’s login
secret => the configured secret
date => the current date formatted as ddMMyyyy
+ => is String concatenation

Moovapps Workplace as SSO provider

Workplace version 2.3 (and above) is capable to act as a provider for the described protocol. Please check the documentation for more details about the configuration.

SSO Client

To be client of this protocol the following must be implemented :

directory synchronization
SSOLogin and SSOToken handling
SSOToken matching
secret storing
anonymous access to a secured page resulting in redirection with SSORedirectUrl