KNF:Single Sign On query/en

From Kennisnet Developers Documentation
Current version as of 10 Jan 2020, 15:16

Kennisnet Federation: Single Sign On query


Introduction

The Single Sign On query can be used on websites that allow both anonymous and authenticated users, where the latter have access to extended functionality or content.

To authenticate, the user presses the "Log in" button on the website, which starts the authentication process. If the user already has a valid Single Sign On session with Entree, pressing "Log in" logs the user in immediately, without any further interaction (e.g. entering a username and password). Requiring the user to press "Log in" is therefore unnecessary and not user friendly.

To avoid this, the website should have a detection mechanism that automatically recognises users with a valid SSO session. This can be achieved with the Single Sign On query. This method is preferred over SAML passive authentication; when the SSO query is used, SAML passive authentication is not needed.

Implementation

The SSO query for Entree is based on the SSO query profile in OpenAselect. It is a simple query/response protocol: both the query and its response are sent as HTTP redirects through the user's browser. The query is sent to a predefined URL; the response is sent to the URL specified in the query, provided that URL is whitelisted (see below). Because the response travels through the browser, its value is under the user's control: treat it as a hint about whether to start the login flow, not as proof of authentication. The actual authentication still takes place in the normal login process.

The process has three possible outcomes:

  1. The user has no SSO session and, as far as can be determined, is not logged in anywhere.
  2. The user has a valid SSO session with Entree. The user can probably be authenticated without any interaction.
  3. The user has no SSO session with Entree, but an SSO notification is detected. This means the user is already authenticated at another remote identity provider (such as an LMS). The user can probably be authenticated without any interaction.

Example PHP implementation

SSO query

<?php
        $query_url = 'https://ssoquery.aselect-s.entree.kennisnet.nl/openaselect/sso/ssoquery';
        // Replace 'domeinnaam' (domain name) with your own, whitelisted, response URL.
        $response_url = 'https://domeinnaam/ssoresult.php';

        // The response URL travels as a query parameter, so it must be URL-encoded.
        $url = $query_url . '?response_url=' . urlencode($response_url);

        // header()'s second argument is the 'replace' flag; the HTTP status code is the third.
        header('Location: ' . $url, true, 302);
        exit;
?>

SSO query result

<?php
        // 'result' is set by Entree on the redirect back to this response URL.
        $result = array_key_exists('result', $_GET) ? $_GET['result'] : false;

        $resultValue = ($result === false ? '*none*' : $result);
?>
<html>
        <head>
                <title>SSO query result</title>
        </head>
        <body>
                <!-- The value comes from the query string: escape it to avoid reflected XSS. -->
                <p>SSO query result is <?php print htmlspecialchars($resultValue, ENT_QUOTES, 'UTF-8'); ?>.</p>
        </body>
</html>

Whitelist

To prevent arbitrary parties from querying a user's status, the query can only be used by authorised parties. Authorisation is enforced by a server-side verification of the response URL: Entree keeps a list of all authorised response URLs, and the response is only sent to a URL on that list. The match is on the registered URL itself, so a response URL on a different host or path is refused; this also prevents the query endpoint from being used as an open redirector.
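As an added illustration of the query/response exchange and of the whitelist check (this is not code from the page or from Kennisnet), the following Python simulates both sides: the relying party builds the query redirect and interprets the result, and a stand-in for Entree verifies the response URL against an exact-match whitelist before redirecting back. The result values `none`, `session` and `notification`, the whitelist contents, the hostname `example-school.nl` and the user-state dictionary are assumptions made for the simulation; the actual result values are defined in Entree's technical documentation.

```python
"""Simulated Entree SSO query exchange: relying party (RP) and an Entree stand-in.

Added illustration, not Kennisnet code. Result values, whitelist contents and
hostnames are constructed assumptions for the simulation.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

QUERY_URL = "https://ssoquery.aselect-s.entree.kennisnet.nl/openaselect/sso/ssoquery"

# Constructed whitelist as the Entree side would hold it: exact response URLs only.
WHITELIST = {"https://example-school.nl/ssoresult.php"}

# Hypothetical result values (assumption); the real ones come from Entree's documentation.
RESULT_NONE = "none"                  # outcome 1: no SSO session detected
RESULT_SESSION = "session"            # outcome 2: valid SSO session with Entree
RESULT_NOTIFICATION = "notification"  # outcome 3: SSO notification from a remote IdP


def build_query(response_url):
    """RP side: build the redirect target for the SSO query (response_url URL-encoded)."""
    return QUERY_URL + "?" + urlencode({"response_url": response_url})


def entree_answer(query_url, user_state):
    """Entree stand-in: verify response_url, then redirect back with a result.

    Returns the redirect target, or None when response_url is not whitelisted.
    The whitelist check is an exact match on purpose: a prefix check such as
    startswith("https://example-school.nl") would also accept
    https://example-school.nl.attacker.example/... and turn the query endpoint
    into an open redirector.
    """
    params = parse_qs(urlsplit(query_url).query)
    response_url = params.get("response_url", [None])[0]
    if response_url is None or response_url not in WHITELIST:
        return None
    if user_state.get("entree_session"):
        result = RESULT_SESSION
    elif user_state.get("remote_idp_notification"):
        result = RESULT_NOTIFICATION
    else:
        result = RESULT_NONE
    separator = "&" if "?" in response_url else "?"
    return response_url + separator + urlencode({"result": result})


def should_query(session):
    """RP side: only send the query once per anonymous session.

    Without this marker an anonymous user would be bounced to Entree and back on
    every page load (a redirect loop), because the query itself logs nobody in.
    """
    return not session.get("user") and not session.get("sso_queried")


def handle_result(redirect_url, session):
    """RP side: interpret the result and decide whether to start the login flow.

    The value arrives via the browser, so it is only a hint: a forged 'session'
    merely starts the normal (SAML) login, which still performs the real check.
    Unknown or missing values are treated as 'no session'.
    """
    params = parse_qs(urlsplit(redirect_url).query)
    result = params.get("result", [None])[0]
    session["sso_queried"] = True
    if result in (RESULT_SESSION, RESULT_NOTIFICATION):
        return "start_login"
    return "stay_anonymous"


if __name__ == "__main__":
    session = {}
    if should_query(session):
        query = build_query("https://example-school.nl/ssoresult.php")
        print("RP  -> browser -> Entree:", query)
        back = entree_answer(query, {"entree_session": True})  # constructed user state
        print("Entree -> browser -> RP:", back)
        print("RP decision:", handle_result(back, session))
    # A non-whitelisted response URL is refused by the Entree side:
    print(entree_answer(build_query("https://example-school.nl.attacker.example/ssoresult.php"), {}))
```

In a real deployment the RP never sees the Entree side; it only emits the first redirect and receives the second. The `sso_queried` marker is the part most often forgotten: the query decides nothing by itself, so a page that sends it unconditionally for anonymous users loops.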

Be sure to contact our service desk (entree@kennisnet.nl) when you plan to implement the SSO query, so that your response URL can be added to the whitelist.

External links

Technical documentation: https://docs.google.com/document/d/15Ng2VfA-rJf1GXTxO45niwwgNAA0LszLsTg-cPsvoBQ/edit?pli=1#