Single Sign-On (SSO) with pre shared key
The Single Sign On (SSO) feature enables automatic login from an existing web page. It can be used, for instance, from an existing intranet page that sends the user to the LiquidFiles appliance via a specially crafted link, which logs them in automatically.
It works by sending a link like the following:
The signature is created by running a command similar to:
sha256(email + timestamp + sso_secret_key)
| Parameter | Description |
|---|---|
| email | The email (or shortname if you're logging in with LDAP) |
| timestamp | The current UTC (GMT) time in the format YYYYMMDDHHMM. So if the clock is 3:20 AM 21st of September 2011 in San Francisco (UTC-8h +1h for daylight savings), the timestamp would be 201109211020 which is 11:20 Sep 21, 2011 in UTC. |
| sso_secret_key | The SSO secret key needs to be secret between the LiquidFiles appliance and the system generating the login key. Anyone who knows the SSO secret key can login as anyone. It is configured in Admin → Settings |
| name | Optional parameter which is used when creating users with the SSO login |
| group | Optional parameter which is used when creating users with the SSO login. If specified the user will be assigned to the specified group. If not set the user will be automatically assigned to their group based on the standard matching for any user. Please test by going to Admin → Groups on your LiquidFiles system and entering usernames/email in the user test to validate that users will be assigned to the group you intend them to. |
So in the example above, the email is firstname.lastname@example.org, the timestamp is 201109211011 and the secret key is cRkhmn6egNLz5Bbv2uY1CB. This leads to the signature being: f59f2e8c728cd13563f02371248850e1e9be2ed0b120e79241d43c8e4855ffa0.
The SSO login system also has a ±1 minute grace period, so if it's 1:12, it will also check 1:11 and 1:13, just in case one of the clocks is a few seconds off.
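The following is an added example, not LiquidFiles code, showing both halves of the scheme described above: the sending side computes `sha256(email + timestamp + sso_secret_key)`, and the receiving side recomputes it for the current minute plus the ±1 minute grace window and compares in constant time. It assumes plain string concatenation, UTF-8 encoding and a lowercase hex digest (consistent with the 64-hex-character signature on the page); the sample values are the page's worked example, and the function names are this example's own.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Sample values taken from the page's worked example (constructed test data).
EXAMPLE_EMAIL = "firstname.lastname@example.org"
EXAMPLE_TIMESTAMP = "201109211011"
EXAMPLE_SECRET = "cRkhmn6egNLz5Bbv2uY1CB"

TIMESTAMP_FORMAT = "%Y%m%d%H%M"  # YYYYMMDDHHMM, always in UTC


def utc_timestamp(now=None):
    """Current UTC time as YYYYMMDDHHMM, the format the SSO link expects."""
    now = now or datetime.now(timezone.utc)
    return now.astimezone(timezone.utc).strftime(TIMESTAMP_FORMAT)


def parse_timestamp(value):
    """Parse a YYYYMMDDHHMM string as a UTC datetime (raises ValueError if malformed)."""
    return datetime.strptime(value, TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)


def sso_signature(email, timestamp, secret_key):
    """sha256(email + timestamp + sso_secret_key) as lowercase hex.

    Assumption: plain concatenation of the three strings, UTF-8 encoded,
    hex-encoded digest. The secret must only be known to the appliance and
    the system generating the link.
    """
    material = (email + timestamp + secret_key).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def candidate_timestamps(now, grace_minutes=1):
    """Minute strings the receiver is willing to accept: now, plus/minus the grace period."""
    base = now.astimezone(timezone.utc).replace(second=0, microsecond=0)
    return [
        (base + timedelta(minutes=delta)).strftime(TIMESTAMP_FORMAT)
        for delta in range(-grace_minutes, grace_minutes + 1)
    ]


def verify_sso(email, timestamp, signature, secret_key, now=None, grace_minutes=1):
    """Receiver-side check.

    1. The presented timestamp must be one of the minutes within the grace
       window of our own clock (so an old link cannot be replayed later).
    2. The signature must match the recomputed value; hmac.compare_digest
       avoids leaking which prefix of the digest matched via timing.
    """
    now = now or datetime.now(timezone.utc)
    if timestamp not in candidate_timestamps(now, grace_minutes):
        return False
    expected = sso_signature(email, timestamp, secret_key)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    sig = sso_signature(EXAMPLE_EMAIL, EXAMPLE_TIMESTAMP, EXAMPLE_SECRET)
    print("signature:", sig)
    # Pretend the appliance clock reads 10:12 UTC: 10:11 is inside the grace window.
    clock = parse_timestamp("201109211012")
    print("accepted:", verify_sso(EXAMPLE_EMAIL, EXAMPLE_TIMESTAMP, sig, EXAMPLE_SECRET, now=clock))
```

Generate the timestamp with `utc_timestamp()` on the sending side so the clock is always read in UTC; a link signed with local time will fall outside the grace window and be rejected.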
The SSO login will try to match the user in the following order:
- Check if the user already exists on the system.
- Check if the user exists in LDAP (if configured) and create the user as an LDAP authenticated user if the user exists. The email parameter is matched against the LDAP search attribute, same as on a normal login. Name is grabbed from LDAP if none is provided.
- Create the user as a locally authenticated user (without password) with the optional name from the name parameter