Log In  |  Sign Up  |  Help

Single Sign-On (SSO)

Overview

The authentication solution offered by DudaMobile provides a true Single Sign-On user experience. The user will begin by logging in to the DudaWhite Partners Site. Once the login is successful, the user will be able to access the DudaMobile editor without any additional authentication. The Single Sign-On will be achieved using HMAC-SHA1 encryption based on the private key shared between the Partners Site and DudaMobile. Here is the process:

  • The user logs into the Partner's website and clicks on a link to access the mobile editor.
  • The Partner opens a new browser window/tab (or embeds an IFrame into an existing page), passing the set of predefined parameters (see below) in the URL, including the HMAC-SHA1 based signature.
  • DudaMobile reads the parameters, validates the HMAC-SHA1 signature, identifies the user and allows the user to work with the tool in the scope of a browser session.
  • Upon successful login, the user lands up on the page defined within the URL.

HMAC-SHA1 authentication details

The security of the authentication solution will be based on the following elements shared by the Partner and DudaMobile:

  1. A secret key shared and maintained only between the Partner and DudaMobile.
  2. Set of URL request parameters passed as part of the request redirecting the user to DudaMobile.
  3. HMAC-SHA1 signature encryption logic.

Secret Key

  • The secret key will be generated and shared securely between the Partner and DudaMobile. The key can be found inside of your DudaMobile account under the API section.
  • The security key will be of 128-bit length represented by 32 chars HEX string, i.e. 1a6db9c4f4cc5c870ff813290f961507 or 249ef41fcf9dbc935399296929594b43
  • DudaMobile reads the parameters, validates the HMAC-SHA1 signature, identifies the user and allows the user to work with the tool in the scope of a browser session.
  • Upon successful login, the user lands up on the page defined within the URL.

Request parameters

When the user is redirected to the DM tool, the URL request must contain the following parameters:

Parameter Name Parameter Type Description
dm_sig_site (String) Site name – the unique site identifier used during site creation
dm_sig_user (String) Account name (usually E-Mail) of the sub-user account you are trying to SSO into. This was used during account creation.
dm_sig_partner_key (6 chars HEX String) i.e. 6d00f Partner identifier key. This is a unique and secret key to the partner and can be found inside of the dashboard API section.
dm_sig_timestamp (Number) i.e. 1291050919 equivalent to (2010-11-29 17:15:19Z) Time at which the signature was generated. The time will be in UNIX time format, i.e. number of seconds elapsed since Universal Time (UTC) of January 1, 1970 (epoch). Used to validate that the signature has not been expired. Make sure you are generating this at time of SSO attempt.
dm_sig (String) The HEX string representing the signature value of HMAC-SHA1 encryption. See below of how to generate this value.

Signature validation/generation

In order to verify that the request came from the trusted party, the signature generation (your side) and validation (our side) should share the same algorithm logic. To generate/validate the signature:

  1. Make a list of all parameters that start with “dm_sig_” sorted in reverse alphabetical order.
  2. Create name/value pair strings for each entry in the list, removing the “dm_sig_”. For example, “dm_sig_site” becomes “site=examplesite_name”
  3. Concatenate all name/value pairs together, to form a string like “…timestamp=1378904651site=examplesite_name…”
  4. Prepend secret key to the beginning of the string.
  5. HMACSHA1 the entire string using the secret key. The result should be sent as the dm_sig parameter.

Example:

Given the following parameters, we will construct our SSO attempt:

  • Time Stamp = 1378904651 (should normally be generated at time of SSO request)
  • Account Name = example@email.com
  • Site Name = examplesite_name
  • Secret Key = 5eebe8de321dce05cb6b39fb2d5d9a9d
  • Partner Key = fA4dSQ

The generated signature should match:

4d5a67c25bad09b5da11ef858eb58096d1bcee55

Using all of this information, we can construct our URL that will permit SSO:

http://{editorurl.partnersite.com}/home/site/examplesite_name?dm_sig_partner_key=fA4dSQ&dm_sig_timestamp=1378904651&dm_sig_user=example@email.com&dm_sig_site=examplesite_name&dm_sig=4d5a67c25bad09b5da11ef858eb58096d1bcee55

SSO implementation, in PHP

<?php
//Set editor custom domain
$editor_url = '{Your Custom Editor Domain}';
//Set SSO Parameters
$dm_sig_site = '{Site Name you want to Login to}';
$dm_sig_user = '{Account Name you are logging in}';
$dm_sig_partner_key = '{Secret Partner Key}';
$dm_sig_timestamp = date_timestamp_get(date_create());
$secret_key = '{Secret SSO Key}';
//Concatenate sso strings so it can be encrypted
$dm_sig_string = $secret_key.'user='.$dm_sig_user.'timestamp='.$dm_sig_timestamp.'site='.$dm_sig_site.'partner_key='.$dm_sig_partner_key;
//Encrypt values
$dm_sig = hash_hmac('sha1', $dm_sig_string, $secret_key);
//Create SSO link
$sso_link = 'http://'.$editor_url.'/home/site/'.$dm_sig_site.'?dm_sig_partner_key='.$dm_sig_partner_key.'&dm_sig_timestamp='.$dm_sig_timestamp.'&dm_sig_user='.$dm_sig_user.'&dm_sig_site='.$dm_sig_site.'&dm_sig='.$dm_sig;
//Print SSO link
echo $sso_link;
?>