Single Sign-On

Single Sign-On is very simple to understand – you pass a user’s identity through the embed code, and we provision their access and identity on-the-fly, based on the information we receive. “That sounds so insecure!” you say?  Rest assured, we have a mechanism to prevent anyone from tampering with your information, and it’s actually quite simple.

What will I need?

  • A user base with basic profile information
  • A unique identifier for each user
  • The ability to perform an md5 hash (UTF-8)
  • The ability to determine the current time (in milliseconds, also known as epoch)

Ok I have those together, now what?

Identify the user

You will take all of the information we require about a user and build a query string (a query string is a series of letters, numbers, and symbols, beginning with a question mark, attached to the end of a website URL). A sample query string is below:

&avatarFull=http://c.api.userplane.com/sandbox/avatar-icon.jpg
&avatarIcon=http://c.api.userplane.com/sandbox/avatar-icon.jpg
&avatarThumb=http://c.api.userplane.com/sandbox/avatar-icon.jpg
&displayName=Winston
&email=user@email.com
&line1=25
&line2=Male
&line3=Santa Monica
&line4=CA
&ts=1305906667528
&userId=1

* ts is the “current time in milliseconds”; for a detailed explanation of each property, click here.
** This is on multiple lines to make it easier to read, but it should NOT have returns in it when you send us your information.

Building this string based on the information for the user who is currently logged in is the key. You only ever need to identify the user who is already connected.

Secure the information so it can’t be tampered with.

Here’s the component to pay particular attention to: you will append your API key to the string you generated above and hash the result (the sample below is written in pseudocode, so please adjust for your programming language):

mySsoToken = md5.hash( stringFromAbove & "&apiKey=YOUR API KEY" )

Please note that the string must be UTF-8 encoded before it is hashed. Once you have done this and appended the result as the token parameter, your string should look something like this:

&avatarFull=http://c.api.userplane.com/sandbox/avatar-icon.jpg
&avatarIcon=http://c.api.userplane.com/sandbox/avatar-icon.jpg
&avatarThumb=http://c.api.userplane.com/sandbox/avatar-icon.jpg
&displayName=Winston
&email=user@email.com
&line1=25
&line2=Male
&line3=Santa Monica
&line4=CA
&ts=1305906667528
&userId=1
&token=7E5D5F3B7647A325368F7188F5DEA30F

In particular, notice this: &token=7E5D5F3B7647A325368F7188F5DEA30F

This is how we prevent your SSO token from being manipulated. Because the token is hashed using your API key, which you should NEVER expose to anyone (keep it secret, keep it safe!), we have a way to identify and ensure that you did, indeed, provide us with this information. Since the embed code is delivered to the browser, compute the token on your server so the API key never appears in the page.

Add this token to your embed code

Rather than providing a session key like you would with our integrated SSO approach, now you just provide the SSO token as a part of your embed code:

up.init({
  siteId: "39A55B392D75FB122278D491E0A6A2DA",
  token: "&avatarFull=http://c.api.userplane.com/sandbox/avatar-icon.jpg&avatarIcon=http://c.api.userplane.com/sandbox/avatar-icon.jpg&avatarThumb=http://c.api.userplane.com/sandbox/avatar-icon.jpg&displayName=Winston&email=user@email.com&line1=25&line2=Male&line3=Santa Monica&line4=CA&ts=1305906667528&userId=1&token=7E5D5F3B7647A325368F7188F5DEA30F",
  lang: "en-US",
  settings: {}
});

* For more information about the embed code refer to our embed code reference
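The identify and secure steps above, as an added server-side Python example (not code from this page or from the service): it builds the single-line string, hashes it with the API key over UTF-8, and shows that changing any field invalidates the token. The key value, the function names, the sorted field order and the receiver-side check are assumptions made for illustration.

```python
import hashlib
import hmac
import time

API_KEY = "EXAMPLE-API-KEY"  # constructed placeholder; the real key never leaves the server

SAMPLE_PROFILE = {  # constructed from the sample values on this page
    "avatarFull": "http://c.api.userplane.com/sandbox/avatar-icon.jpg",
    "avatarIcon": "http://c.api.userplane.com/sandbox/avatar-icon.jpg",
    "avatarThumb": "http://c.api.userplane.com/sandbox/avatar-icon.jpg",
    "displayName": "Winston", "email": "user@email.com",
    "line1": "25", "line2": "Male", "line3": "Santa Monica", "line4": "CA",
    "userId": "1",
}


def _digest(payload, api_key):
    # md5.hash(stringFromAbove & "&apiKey=...") over UTF-8 bytes, upper-case hex
    data = (payload + "&apiKey=" + api_key).encode("utf-8")
    return hashlib.md5(data).hexdigest().upper()


def build_sso_token(profile, api_key, now_ms=None):
    """Return the single-line string for the embed code's token field."""
    fields = dict(profile)
    fields["ts"] = int(time.time() * 1000) if now_ms is None else now_ms
    # Raw values, no line breaks; sorted names give the same order as the sample.
    payload = "".join(f"&{name}={fields[name]}" for name in sorted(fields))
    return payload + "&token=" + _digest(payload, api_key)


def verify_sso_token(token_string, api_key):
    """Assumed receiver-side check: recompute the hash with the shared key."""
    payload, sep, claimed = token_string.rpartition("&token=")
    if not sep:
        return False
    expected = _digest(payload, api_key)
    return hmac.compare_digest(expected.encode("utf-8"), claimed.upper().encode("utf-8"))


if __name__ == "__main__":
    signed = build_sso_token(SAMPLE_PROFILE, API_KEY, now_ms=1305906667528)
    print(signed)
    print("untouched:", verify_sso_token(signed, API_KEY))
    forged = signed.replace("userId=1", "userId=2")
    print("userId changed:", verify_sso_token(forged, API_KEY))
```

The string returned by build_sso_token is what goes into the token field of the embed code; only that string, never the API key, is rendered into the page.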

Grab a cool beverage!

Really, that’s all. If somehow you got to this point, and while enjoying your beverage realized it’s not working quite right, then give us a shout.  We would be glad to help you out.

Contact Support