SSO Process
- To authenticate a user with SSO, a request is made to https://<unimarket tenant url>/sso.
- The following URL parameters should be passed: ?unimarket_sso_token=<token>
- If the Tenant the user is attempting to log in to has SSO enabled, Unimarket makes a Web Service call to the configured Delegated Authentication Authority, asking it to validate the token or username and password.
- The Web Service call (authentication-request) passes the token and requestIp to the Delegated Authentication Authority (requestIp is the IP address from which the login request originated). The Delegated Authentication Authority must implement this Web Service and be accessible by Unimarket servers.
- The implementation of the Web Service validates the passed information and returns the appropriate response (authentication-response).
- If the response indicates successful authentication, the login process continues, a new session is generated, and the user proceeds to the application.
Token Based
1/2. A user logs in to the customer's intranet or internal portal. The user then requests the web page from which they will initiate the login to Unimarket. While this web page is being sent to the user's browser, a request is made to the customer's 'Token Generator' to generate a unique token associated with the logged-in user. This token is then used to create a login link on the web page. The required parameters for this link are described above, and the resulting URL would look something like http://<customer>.unimarket.com/sso?unimarket_sso_token=<generated token>.
3. The user clicks on the login link described above and sends the generated token to Unimarket.
4. Unimarket's 'Authentication Manager' receives the SSO request and determines whether the given customer is configured to use SSO. If the customer has been configured to use SSO, the 'Authentication Manager' sends an authentication-request Web Service message to the customer's 'Delegated Authentication Authority' via the configured integration URL.
5. The customer's 'Delegated Authentication Authority' receives the token (generated in step 1) and verifies that it is valid and which user it is associated with. An authentication-response Web Service message is generated and returned to Unimarket. If the token was valid, this response contains the username of the user to be granted access to Unimarket. If the token is not valid, this response contains information about why it is not valid.
6. Unimarket evaluates the authentication-response and determines if the user is granted access to Unimarket.
Tip on token generation
To improve security and reduce the risk of a token being reused, customers typically give tokens a limited lifespan during which they are valid.
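A sketch of the customer-side token handling from steps 1/2 and 5 with the limited lifespan described in this tip, plus single-use enforcement. This is an added example, not Unimarket code: the TokenStore class, the 60-second lifespan, the in-memory store and the result dict (a stand-in for authentication-response, whose real format is defined in the Unimarket web service documentation) are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 60  # assumed lifespan; the page does not specify one


class TokenStore:
    """In-memory stand-in for the customer's 'Token Generator' and the
    token check done by the 'Delegated Authentication Authority'."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._pending = {}   # sha256(token) -> (username, expiry timestamp)
        self.audit = []      # (request_ip, outcome) records for later review

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked store does not expose usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def generate(self, username):
        """Steps 1/2: create an unguessable token tied to the logged-in user."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (username, self._clock() + self._ttl)
        return token

    def validate(self, token, request_ip):
        """Step 5: return the username for a valid token, or a failure reason.
        The dict is a hypothetical stand-in for authentication-response."""
        # pop() makes the token single-use: a replayed token is unknown.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            result = {"success": False, "reason": "unknown or already used token"}
        elif self._clock() > entry[1]:
            result = {"success": False, "reason": "token expired"}
        else:
            result = {"success": True, "username": entry[0]}
        self.audit.append((request_ip, result))
        return result


if __name__ == "__main__":
    store = TokenStore()
    token = store.generate("jsmith")               # constructed username
    print(store.validate(token, "203.0.113.10"))   # first use succeeds
    print(store.validate(token, "203.0.113.10"))   # replay is rejected
```

In a multi-server deployment the pending-token map would need to live in a shared store so that the single-use check holds across instances.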
Technical Information
Technical documentation and examples relating to the full list of Unimarket webservice interfaces can be found below: