For companies that require a single sign on solution, but do not have support for a federated identity solution (SAML, OpenID Connect), Image Relay will provide an alternative form of oneway single sign on (SSO), for our clients.
This simple-one way form of SSO depends on the ability of the customer’s software to generate an HTML form on their server, which will be used to POST data via HTTP to Image Relay. The details are outlined below.
- Customer software collects user information and builds an HTML form containing hidden fields.
- A specific set of values, including a secret key (obtained from Image Relay) are concatenated, and the MD5 hash of that string is calculated to form a signature. The signature is added as an additional hidden field on the form.
- The form is submitted via POST to Image Relay
- Image Relay validates the request, recreating the signature and making sure the values match, and the timestamp on the request is within predefined parameters. Assuming the request passes validation, the user is logged in to the portal.
The following fields are accepted via the request. Mandatory fields are denoted with an *
A signature is required to confirm that the login request was produced by a trusted customer. The value is generated by taking at the MD5 hash of all the values included in the SSO login form, sorted alphabetically by form field name, and appending a shared secret key (obtained from Image Relay) to the end of the string.
For example, given the following values:
email: firstname.lastname@example.org: 2015-08-28T12:55:24-04:00
And a shared secret of: 3A69E251E1F24CE0907AE7F498AD0C28
The string to MD5 hash would be: email@example.comJohnjohn_doeDoe2015-08-28T12:55:24-04:003A69E251E1F24C E0907AE7F498AD0C28
The following is the MD5 hash signature of that string: dae3670ceba08cd100feede8caa23dda
Based on the example above, a sample form would look like this:
<input type=”hidden” name=”signature” value=”dae3670ceba08cd100feede8caa23dda” />
<input type=”hidden” name=”imagerelay_username” value=”john_doe” />
<input type=”hidden” name=”first_name” value=”John” />
<input type=”hidden” name=”last_name” value=”Doe” />
<input type=”hidden” name=”email” value=”firstname.lastname@example.org” />
<input type=”hidden” name=”timestamp” value=” 2015-08-28T12:55:24-04:00” />
All communication will be transmitted over HTTPS (SSL). A signature value is used to ensure that form field values are not tampered with after your server generates the form. The shared secret is used to confirm the resource is coming from a trusted source.
User Creation (optional)
If the user specified in imagerelay_username does not exist. Customers will have the option of enabling Just-In-Time user creation for submitted requests. In this case, if the request is valid, and we are unable to find a user matching the imagerelay_username specified in the form, we will attempt to create a new user with that username, and assign them to a pre-configured default Permission Group and notify the configured New User email address that a new user has been automatically added via SSO.