KNF:Single Sign On query/en: verschil tussen versies
Naar navigatie springen
Naar zoeken springen
| (20 tussenliggende versies door 2 gebruikers niet weergegeven) | |||
| Regel 1: | Regel 1: | ||
{{PageTitleCustom|title=Single Sign On query|name=Kennisnet Federation|image=true|imageurl=KNF:Hoofdpagina/en}} |
{{PageTitleCustom|title=Single Sign On query|name=Kennisnet Federation|image=true|imageurl=KNF:Hoofdpagina/en}} |
||
| + | ==Introduction== |
||
| − | The main reason to perform an SSO query is the following scenario: |
||
| + | The Single Sign On query can be used on websites that allows both anonymous and authenticated users. The latter will have access to extended functionality or content. |
||
| + | To authenticate, the user needs to press the “Log in” button on the website, which starts the authentication process. However if the user already has a valid Single Sign On session with Entree, pressing the “Log in” button immediately logs on the user, without any further interaction (eg. entering a username and password). The requirement to press “Log in” is therefore unnecessary and not user friendly. |
||
| − | A user enters a website that has functionality for both anonymous and authenticated users. |
||
| − | *For anonymous users, only limited functionality and information is available |
||
| − | *When the user wants access to other functionality and information, he needs to be authenticated |
||
| − | To |
+ | To prevent this scenario the website should have a detection mechanism in place which automatically recognizes users with a valid SSO session. This can be achieved with the Single Sign On query. This method is preferred over the 'SAML passive authentication' When using the SSO query, SAML passive authentication is not needed. |
| + | |||
| − | ==External links== |
||
| + | '''Note:'''<br/> |
||
| − | [https://docs.google.com/document/d/15Ng2VfA-rJf1GXTxO45niwwgNAA0LszLsTg-cPsvoBQ/edit?pli=1# Technical documentation] |
||
| + | To prevent abuse of this functionality, the domain should be included in the whitelist of Entree Federatie. Please contact [https://support.kennisnet.org/ Kennisnet] if you want to use SSO query. |
||
| + | |||
| + | The SSO query is a simple query/response implementation. Both the query and its response are sent using HTTP redirects. The query is sent to a predefined URL, the response is sent to the whitelisted URL that was specified in the query. |
||
| + | |||
| + | The process has three possible outcomes: |
||
| + | ;false |
||
| + | :The user does not have an SSO session and is not logged in anywhere by the Entree Federation. It is therefore unknown whether or not the user can log in via Entree Federation. |
||
| + | ;true |
||
| + | :The user has a valid SSO session with Entree. The user can be authenticated without any interaction |
||
| + | ;remote |
||
| + | :The user does not have an SSO session, but an SSO notification cookie has been found. The user is already logged in to their own Identity Provider and will most likely be able to log in without user interaction. |
||
| + | |||
| + | |||
| + | ==Implementation== |
||
| + | The query consists of an HTTP GET request with two parameters: |
||
| + | * response_url: this parameter must be URL encoded / UTF-8 in the URL |
||
| + | * format: this optional parameter can be used to receive the answer in json format |
||
| + | <br> |
||
| + | The following urls can be used: |
||
| + | |||
| + | {| class="wikitable" |
||
| + | | Staging environment: |
||
| + | |- |
||
| + | |https://ssoquery.aselect-s.entree.kennisnet.nl/openaselect/sso/ssoquery?response_url=<URL> |
||
| + | |} |
||
| + | |||
| + | {| class="wikitable" |
||
| + | | Production environment: |
||
| + | |- |
||
| + | |https://ssoquery.aselect.entree.kennisnet.nl/openaselect/sso/ssoquery?response_url=<URL> |
||
| + | |} |
||
| + | |||
| + | ===Example=== |
||
| + | ;The Service Provider sends the request: |
||
| + | :https://ssoquery.aselect.entree.kennisnet.nl/openaselect/sso/ssoquery?response_url=https%3A%2F%2Ftestapplicatie.kennisnet.nl |
||
| + | |||
| + | ;Entree Federation redirects to the specified response URL: |
||
| + | :https://testapplicatie.kennisnet.nl?result=true |
||
| + | |||
| + | |||
| + | ===Example implementation=== |
||
| + | <syntaxhighlight lang="html"> |
||
| + | <html> |
||
| + | <script> |
||
| + | var ssoQuery= 'https://ssoquery.aselect-s.entree.kennisnet.nl/openaselect/sso/ssoquery?response_url=https://domainname&format=json'; |
||
| + | |||
| + | function isLoggedIn() { |
||
| + | var xhr = new XMLHttpRequest(); |
||
| + | xhr.open("GET", ssoQuery, true); |
||
| + | xhr.withCredentials = true; |
||
| + | xhr.onreadystatechange = function () { |
||
| + | if (xhr.readyState === 4) { |
||
| + | if (xhr.status === 200 && JSON.parse(xhr.responseText)['result'] === 'true') { |
||
| + | <!-- the user already has an ongoing SSO session via Entree Federation and can be logged in directly --> |
||
| + | window.location.href = ''; <!-- redirect to the page where your application sends the authentication request to Entree Federation --> |
||
| + | } else { |
||
| + | <!-- the user does not have an ongoing SSO session via Entree Federation and user interaction is required --> |
||
| + | window.location.href = ''; <!-- redirect the user to the login page of your application --> |
||
| + | } |
||
| + | } |
||
| + | }; |
||
| + | xhr.ontimeout = function () { |
||
| + | <!-- in case of a timeout from the SSO query service, redirect the user to the login page of your application --> |
||
| + | window.location.href = ''; <!-- redirect the user to the login page of your application --> |
||
| + | }; |
||
| + | xhr.send(); |
||
| + | } |
||
| + | isLoggedIn(); |
||
| + | </script> |
||
| + | </html> |
||
| + | </syntaxhighlight> |
||
| + | |||
| + | |||
| + | [[Categorie:Entree Federatie]] |
||
Versie van 20 apr 2020 10:39
Kennisnet Federation: Single Sign On query
 Nederlands
|
 English
|
Introduction
The Single Sign On query can be used on websites that allows both anonymous and authenticated users. The latter will have access to extended functionality or content.
To authenticate, the user needs to press the “Log in” button on the website, which starts the authentication process. However if the user already has a valid Single Sign On session with Entree, pressing the “Log in” button immediately logs on the user, without any further interaction (eg. entering a username and password). The requirement to press “Log in” is therefore unnecessary and not user friendly.
To prevent this scenario the website should have a detection mechanism in place which automatically recognizes users with a valid SSO session. This can be achieved with the Single Sign On query. This method is preferred over the 'SAML passive authentication' When using the SSO query, SAML passive authentication is not needed.
Note:
To prevent abuse of this functionality, the domain should be included in the whitelist of Entree Federatie. Please contact Kennisnet if you want to use SSO query.
The SSO query is a simple query/response implementation. Both the query and its response are sent using HTTP redirects. The query is sent to a predefined URL, the response is sent to the whitelisted URL that was specified in the query.
The process has three possible outcomes:
- false
- The user does not have an SSO session and is not logged in anywhere by the Entree Federation. It is therefore unknown whether or not the user can log in via Entree Federation.
- true
- The user has a valid SSO session with Entree. The user can be authenticated without any interaction
- remote
- The user does not have an SSO session, but an SSO notification cookie has been found. The user is already logged in to their own Identity Provider and will most likely be able to log in without user interaction.
Implementation
The query consists of an HTTP GET request with two parameters:
- response_url: this parameter must be URL encoded / UTF-8 in the URL
- format: this optional parameter can be used to receive the answer in json format
The following urls can be used:
| Staging environment: |
| https://ssoquery.aselect-s.entree.kennisnet.nl/openaselect/sso/ssoquery?response_url=<URL> |
| Production environment: |
| https://ssoquery.aselect.entree.kennisnet.nl/openaselect/sso/ssoquery?response_url=<URL> |
Example
- The Service Provider sends the request
- https://ssoquery.aselect.entree.kennisnet.nl/openaselect/sso/ssoquery?response_url=https%3A%2F%2Ftestapplicatie.kennisnet.nl
- Entree Federation redirects to the specified response URL
- https://testapplicatie.kennisnet.nl?result=true
Example implementation
<html>
<script>
var ssoQuery= 'https://ssoquery.aselect-s.entree.kennisnet.nl/openaselect/sso/ssoquery?response_url=https://domainname&format=json';
function isLoggedIn() {
var xhr = new XMLHttpRequest();
xhr.open("GET", ssoQuery, true);
xhr.withCredentials = true;
xhr.onreadystatechange = function () {
if (xhr.readyState === 4) {
if (xhr.status === 200 && JSON.parse(xhr.responseText)['result'] === 'true') {
<!-- the user already has an ongoing SSO session via Entree Federation and can be logged in directly -->
window.location.href = ''; <!-- redirect to the page where your application sends the authentication request to Entree Federation -->
} else {
<!-- the user does not have an ongoing SSO session via Entree Federation and user interaction is required -->
window.location.href = ''; <!-- redirect the user to the login page of your application -->
}
}
};
xhr.ontimeout = function () {
<!-- in case of a timeout from the SSO query service, redirect the user to the login page of your application -->
window.location.href = ''; <!-- redirect the user to the login page of your application -->
};
xhr.send();
}
isLoggedIn();
</script>
</html>