Board Web SSO allows a user who has already authenticated on a web application to link into the Board web application without having to retype the username and password.
For example, consider a web site (or portal) which contains the company's web mail and CRM systems. Access to these applications requires the user to authenticate. Suppose there is also a Board web application which requires the user to authenticate before access is granted to the Board analyses. With Board Web SSO, users who have already authenticated on the CRM or web mail systems can access the Board Web pages without having to authenticate again. The authentication task can therefore be delegated to a single centralized system, making the Board Web application fully integrated with the other existing Web services and applications.
Note that if the user attempts to access the Board Web application directly, without going through the main login page, the Board Web Server will detect the unauthenticated user and prompt for the username and password.
If your users are logged in to a Windows domain and your Board Web Server is in the same Windows domain (or a trusted domain), then it is possible to enable "Windows Authentication" on the Board Web Server, which will automatically recognise the user's network login ID (see also Windows Authentication for Board Web Server).
The Board Web SSO mechanism is based on the use of cookies.
The user logs on to the main Web application.
This Web application authenticates the user and invokes a webservice of Board Web Server, passing the login data of the user.
If the Board authentication is successful, the webservice returns an encrypted cookie ready to be sent back to the browser.
The cookie contains the username and password, both encrypted with a private key. The method for creating the cookie is described later.
When the user accesses a Board Web Server page, the Board Web Server verifies the existence of the cookie and examines its contents.
If the content of the cookie is a valid Board username/password, then the Board Web Server authenticates the user: the SSO was successful.
If the username/password contained in the cookie are not valid (the user doesn't exist or the password is incorrect), then the log-on window will open, requiring the user to type a valid username/password for Board.
To implement SSO, the main Web application which carries out authentication needs to call a webservice of Board Web Server.
The following code sample shows how to make this webservice call using ASP.NET:
// Namespaces required: System, System.Net, System.Web, System.Xml
protected void login_Click(object sender, EventArgs e)
{
    // (in Visual Studio the call can be made using the function "Add ServiceReference")
    WebClient w = new WebClient();
    // 1. prepares the request
    w.Headers.Add("Content-Type", "text/xml");
    w.Headers.Add("SOAPAction", "http://schemas.board.com/IBoardAuthenticationService/GetAuthenticationCookie");
    string xmlRequest = "<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'>"
        + "<s:Body><GetAuthenticationCookie xmlns='http://schemas.board.com/'>"
        + "<username>" + HttpUtility.UrlEncode(username.Text) + "</username>"
        + "<password>" + HttpUtility.UrlEncode(pwd.Text) + "</password>"
        + "</GetAuthenticationCookie></s:Body></s:Envelope>";
    // 2. sends the authentication request to the Board webservice
    string xmlResult = w.UploadString("http://www.mydomain.com:84/authentication", "POST", xmlRequest);
    // 3. reads the response (xml)
    XmlDocument xdoc = new XmlDocument();
    xdoc.InnerXml = xmlResult;
    string authenticationCookie = xdoc.ChildNodes[0].ChildNodes[0].ChildNodes[0].ChildNodes[0].InnerText;
    if (string.IsNullOrEmpty(authenticationCookie) || authenticationCookie.StartsWith("ERROR"))
    {
        // 4a. authentication failed.
        Result.InnerText = authenticationCookie;
    }
    else
    {
        // authentication was successful.
        // Split on the first '=' only, so that an '=' inside the value is not cut off.
        string[] buff = authenticationCookie.Split(new char[] { '=' }, 2);
        string cookieName = buff[0];
        string cookieValue = buff[1];
        // 4b. the cookie is ready to be sent to the user's browser
        Response.Cookies.Add(new HttpCookie(cookieName, cookieValue));
    }
}
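The response handling from steps 3 and 4 can be isolated in a helper that rejects malformed or unexpected replies before any cookie is issued. This is an added example, not code from Board: the class name BoardSsoResponse, the method ToCookie and the choice to set HttpOnly are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Web;
using System.Xml;

// Added example, not Board's own code. BoardSsoResponse is a hypothetical helper.
public static class BoardSsoResponse
{
    // Returns the cookie to send to the browser, or null (with 'error' set)
    // when the webservice reported a failure or the reply is malformed.
    public static HttpCookie ToCookie(string soapXml, out string error)
    {
        error = null;
        if (string.IsNullOrEmpty(soapXml)) { error = "Empty response"; return null; }

        XmlReaderSettings settings = new XmlReaderSettings();
        settings.DtdProcessing = DtdProcessing.Prohibit; // reject any DOCTYPE
        settings.XmlResolver = null;                     // never fetch external entities
        XmlDocument doc = new XmlDocument();
        doc.XmlResolver = null;
        try
        {
            using (XmlReader reader = XmlReader.Create(new StringReader(soapXml), settings))
                doc.Load(reader);
        }
        catch (XmlException ex) { error = "Malformed response: " + ex.Message; return null; }

        // Same node the page's sample reads (Envelope / Body / first child / first child),
        // selected by structure so an XML declaration or whitespace cannot shift the index.
        XmlNode result = doc.SelectSingleNode(
            "/*[local-name()='Envelope']/*[local-name()='Body']/*[1]/*[1]");
        string text = result == null ? "" : result.InnerText.Trim();
        if (text.Length == 0 || text.StartsWith("ERROR", StringComparison.Ordinal))
        {
            error = text.Length == 0 ? "Empty response" : text;
            return null;
        }

        // Split on the first '=' only: the encrypted value may itself contain '='.
        int eq = text.IndexOf('=');
        if (eq <= 0 || eq == text.Length - 1) { error = "Unexpected cookie format"; return null; }

        HttpCookie cookie = new HttpCookie(text.Substring(0, eq), text.Substring(eq + 1));
        cookie.HttpOnly = true; // assumption: no client-side script needs to read the cookie
        return cookie;
    }
}
```

In login_Click the caller would pass xmlResult to ToCookie, add the returned cookie to Response.Cookies when it is not null, and otherwise show the error text.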
To close the Board session (i.e. perform a log-out), it is sufficient to delete the cookie from the browser. This is generally done by setting a past expiry date.
HttpCookie expiredCookie = new HttpCookie("EncCredentials");
expiredCookie.Expires = DateTime.Now.AddDays(-1d);
Response.Cookies.Add(expiredCookie);
Usually the authentication cookie is encrypted with a randomly generated key. However, if the Board Web Server is used in a cluster of servers with other Board Web Servers for load balancing, then all instances of Board Web Server must share the encryption key. In this case (and only in this case), it is necessary to specify the key in the Board Web Server configuration program, as shown in the following picture.