Multipass SSO

Setting up Multipass SSO


A Multipass is simply a hash of keys and values, provided as an AES-encrypted JSON hash.

The keys are:

Name     Value                                         Params (example)
name     The name of the user                          {cid}
ssoId    The user's login id (username or email)       {cid}@domain.com
email    The user's email address, e.g. [email protected]   {cid}@domain.com
expires  Token expiry date                             ISO-8601 format, e.g. "yyyy-MM-dd'T'HH:mm:ss.SSSZ"

Once your JSON hash is constructed, encrypt it with AES, deriving the key from your site key as the password and your API key as the salt. The IV must be 16 bytes of zeros.


Building the Multipass

1) Pick an expiration date for the hash, like 5 minutes from now: 2011-05-04T12:34:56.789-0700

2) Start with a JSON hash of data:
 {"ssoId":"john.ideascale.com","email":"[email protected]","name":"John Doe","avatar":"http://myimg.com/my.jpg","expires":"2011-05-04T12:34:56.789-0700"}

3) Encrypt the JSON with AES and Base64-encode the resulting ciphertext.

4) Since these Base64 strings are being passed around the web, IdeaScale prefers a URL-safe variant. However, if your Base64 string is properly escaped for URLs, it'll still work. Here's how the Base64 can be converted to the URL-safe variant:

  • Remove any newlines. Matching Regex: (\n+)

  • Remove trailing = characters. Matching Regex: (=+)$

  • Convert any + characters to -. Matching Regex: (\+)

  • Convert any / characters to _. Matching Regex: (/)

Additional Parameters

  • Custom Fields: It is possible to populate member custom fields using the multipass token. The custom fields are passed as label-value pairs in a dictionary/hash named "attributes", whose keys are the custom field labels and whose values are the custom field values. Here is an example JSON: {"email":"[email protected]","name":"John Doe","attributes":{"location":"Berkeley","department":"IT"}, "expires":"2011-05-04T12:34:56.789-0700"}

  1. If authentication is successful, the user will be created, logged in and redirected to the IdeaScale community URL: https://company.ideascale.com.

  2. If authentication fails, they will be redirected to the login page.

HTTP Request Example:
POST /a/community/auth HTTP/1.1
Host: company.ideascale.com
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded

multipass=dHXSsQNl7sty-aGTckmEamrS4shK5thUPnOl2HCyJSlZ90b9oiAymW2QmDYhE0jBWis6pLavvOsurmQ8NUoWxYtXuxzJtY4glTPJFT0yX20tLuQyIHGcJmKlzZ0CwuGAwbwmTQbBjB_6lRmOg5ZlszyU_RO2gCYwKlbeySx3bv98MRnavKJsMF593bPEHStCy497DTpsPapuJhSgwC6cvsKgzBChmpkvgfVMNfMSEEG1f4a8JKm5_kGGoJOMqNe

  • Groups/Departments/Subscription Lists: IdeaScale has a feature called "Community Role" which allows a member group to be defined and used for restricting access to private campaigns, or for using member groups in features like polling, assessment or idea comparison. If an enterprise maintains the groups in its directory server or user database, it is possible to pass that information to IdeaScale using the multipass token and keep the groups in full sync. For this to work, the multipass token can contain the names of the groups the user is a member of. This data is an array named "groups"; its entries are group names that map one-to-one to community roles in IdeaScale. Please note, once a community role is managed using the multipass token (SSO), it can no longer be managed by an administrator in the IdeaScale settings page. Here is an example JSON for a member who belongs to the groups "Group1" and "Group2": {"email":"[email protected]","name":"John Doe","groups":["Group1","Group2"], "expires":"2011-05-04T12:34:56.789-0700"}

IdeaScale Enterprise license holders have access to a feature called "Community Roles". A "Community Role" allows a member group to be defined and used for restricting access to private campaigns, or for using member groups in features like Polling, Assessment or Idea comparison.

If the community role does not exist, it will be created; if one already exists with the same name, it will be converted to an SSO Managed Community Role.

Groups/Departments/Subscription Lists are available for Enterprise license holders only.

Multi-Pass Code Samples

Our repository of IdeaScale-compatible Multipass/SSO implementations is on GitHub. The repository provides examples in several popular languages.


What DES encryption mode should I use?
Please use the ECB mode.

The API I use requires me to set the padding mode. Which padding mode should I use?
Please use the PAD_PKCS5 mode.

Is there a way I can test my configuration?
Yes. The following URL can be used to test your setup.

http://[yourcommunity_url]/a/jsp/useradmin/cookie-test.jsp

Sample DES Encryption Code

Java

 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;

 // DES in ECB mode with PKCS5 padding, as the FAQ above specifies.
 // The pass phrase must be exactly 8 bytes (a DES key); Cipher.init rejects other lengths.
 public static String encriptDES(String passPhrase, String value) throws Exception
 {
  SecretKey key = new SecretKeySpec(passPhrase.getBytes(StandardCharsets.UTF_8), "DES");
  // Create the cipher
  Cipher ecipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
  ecipher.init(Cipher.ENCRYPT_MODE, key);
  // Encode the string into bytes using UTF-8
  byte[] utf8 = value.getBytes(StandardCharsets.UTF_8);
  // Encrypt
  byte[] enc = ecipher.doFinal(utf8);
  // Encode bytes to Base64 to get a string (java.util.Base64 replaces the removed sun.misc.BASE64Encoder)
  return Base64.getEncoder().encodeToString(enc);
 }

 public static String decriptDES(String passPhrase, String value) throws Exception
 {
  SecretKey key = new SecretKeySpec(passPhrase.getBytes(StandardCharsets.UTF_8), "DES");
  // Create the cipher (same mode and padding as the encrypting side)
  Cipher dcipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
  dcipher.init(Cipher.DECRYPT_MODE, key);
  // Decode the Base64 string back to ciphertext bytes
  byte[] dec = Base64.getDecoder().decode(value);
  // Decrypt; a wrong key or corrupted input surfaces here as BadPaddingException / IllegalBlockSizeException
  byte[] utf8 = dcipher.doFinal(dec);
  // Decode using UTF-8
  return new String(utf8, StandardCharsets.UTF_8);
 }



Last Updated: November 12, 2024