Geodi User Token API - SSO for trusted clients


An ILoginProvider implementation, or an alternative way to use existing ILoginProvider implementations. It is a secure, server-based method that can be preferred if you already have a logged-in user.

GEODI includes an OAuth2 client. If the system to be integrated for SSO supports login with OAuth2, simple definitions can be made, and a common login interface and common session usage can be provided via GEODI.

GetAutoLoginLink
Definition

Allows the application to redirect its user to a GEODI interface without requiring a login screen.

Links obtained via this service do not require a login page. The user specified by the trusted application is considered to be logged in to the system.

Only applications defined under Settings/ClientToken can make use of this service. The application is validated by making a request to the ValidateURL in the definition.

If a .NET SOAP API that takes the same parameters and returns the same object as output is implemented, the [ScriptMethod(ResponseFormat = ResponseFormat.Json)] attribute should be added to the method.

Request

[GEODIURL]/TokenHandler?op=GetAutoLoginLink&ClientID=[ClientID]&ClientValidator=[ClientValidator]&LoginUser=[LoginUser]&UserSession=[Token]

  • ClientID: This is the client ID defined under Settings/ClientToken. Desired complexity can be defined.
  • ClientValidator: The key to be defined by the requesting application. It is recommended to have encrypted data with time information. It is expected to be validated by requesting the ValidateURL in Settings/ClientToken and receiving "OK".
  • LoginUser: The user who is logged in to the requesting application.
    • For the LDAP user: only the user name, LDAP:Domain\UserName or LDAP:UserName can be passed.  If the domain is not passed, GEODI uses the registered LDAP domain address of the user of its application.
    • For Geodi User, GEODI:UserName must be passed.
  • UserSession: The Token information. It can be obtained using the information given on the Generating a GEODI Token page. It should have access to the GetAutoLoginLink service.
  • IPFilter (Optional): The IP filter within which the obtained link will work.
  • TimeOutMinute (Optional): Indicates how long it is possible to log into GEODI with the link obtained. The default value is 120 minutes.
Workflow
Example GEODI settings file

A UTF-8 encoded definition such as the following should be saved in a jSettings file and placed in the Settings/ClientToken folder, where the GEODI application can reach it.

{

ClientID:"MyClientID",
ValidateURL: "http(s)://yourhost/....?validator={ClientValidator}",
GEODIRequestHeader:"GEODI_Request"

}

ClientValidator is passed in the request headers, even if {ClientValidator} is used in the ValidateURL content.

If a GEODIRequestHeader definition is made, this information is added to the ValidateURL request as a header. It can be used to verify that the calling application is GEODI.
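
The ClientValidator recommendation above (data carrying time information, accepted only when ValidateURL answers "OK") can be met as follows; this is an added example, not GEODI code. It authenticates a timestamp and nonce with HMAC-SHA256 instead of encrypting them, and the function names, the 60-second window, the "REJECTED" body and the single-use rule (which assumes GEODI calls ValidateURL once per request) are assumptions.

```python
import base64
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)   # constructed key; a real deployment loads a stored secret
MAX_AGE_SECONDS = 60      # assumed validity window, not a GEODI setting
_seen = {}                # nonce -> expiry time, used to reject replays


def _mac(signed: bytes) -> bytes:
    digest = hmac.new(SECRET, signed, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=")


def make_client_validator(now=None) -> str:
    """Requesting application: build '<unix time>.<nonce>.<mac>'."""
    ts = int(time.time() if now is None else now)
    nonce = base64.urlsafe_b64encode(os.urandom(16)).rstrip(b"=")
    signed = b"%d.%s" % (ts, nonce)
    return (signed + b"." + _mac(signed)).decode()


def validate_client_validator(value: str, now=None) -> str:
    """ValidateURL handler: return the response body, 'OK' only on success."""
    now = time.time() if now is None else now
    try:
        signed, sep, mac = value.encode("ascii").rpartition(b".")
    except UnicodeEncodeError:
        return "REJECTED"
    # Check the MAC first so only values this application issued are parsed.
    if not sep or not hmac.compare_digest(_mac(signed), mac):
        return "REJECTED"
    ts, _, nonce = signed.partition(b".")
    if abs(now - int(ts)) > MAX_AGE_SECONDS:
        return "REJECTED"          # stale, or timestamp too far ahead
    for old in [n for n, exp in _seen.items() if exp < now]:
        del _seen[old]             # forget nonces that can no longer validate
    if nonce in _seen:
        return "REJECTED"          # already used once
    _seen[nonce] = int(ts) + MAX_AGE_SECONDS
    return "OK"
```

The requesting application sends the output of make_client_validator() as ClientValidator, and its ValidateURL endpoint returns the result of validate_client_validator() as the response body.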


HttpMethod: GET, POST
Expected Errors

401 Unauthorized access / Access denied

403 Forbidden

511 Network Authentication Required

452 ClientValidator could not be verified

453 LoginUser required

454 Invalid Client Id or empty ValidateUrl

455 LDAP domain not found  (This error can only be received when trying to find the LDAP domain when username is passed as LDAP: username)

500 Other errors, Web Request errors

Expected Result

Returns the URL containing the Token information.

Example applications
GetAutoLoginToken
Definition

Same as GetAutoLoginLink. Returns only the Token, not URL+Token.