Single Sign On - New in WebCOBRA

What is Single Sign On?

Single Sign On (SSO) is the ability for users to sign on to a set of systems only once. In WebCOBRA’s case, your website is the signing authority – users sign on to your website once, and only once.

  1. User visits www.benefitsbyyou.com
  2. User signs in using the username/password provided by you
  3. User clicks on “Manage COBRA”
  4. User is at the homescreen of WebCOBRA without having to:
    • Remember yet another username or password
    • Log In

Why Would You Use Single Sign On?

When users use SSO to visit WebCOBRA, they might not see a difference between your website and WebCOBRA. WebCOBRA becomes an extension of your product offering.

How Does Single Sign On Work?

Your programmers will need to program their website to create links that your users will click on. We provide technical documentation and sample code for them to use.

When Can I Have it?

Now – it’s enabled for Enterprise Customers and is included as a part of your WebCOBRA subscription!

Technical Area – You’ve Been Warned

What Encryption do you use for SSO?

We use the SHA hash and the Hash Message Authentication Code to sign each SSO request. We utilize the HMAC-SHA1 algorithm. More information about HMAC is located at http://en.wikipedia.org/wiki/HMAC. The original RFC for HMAC-SHA1 is located at http://www.faqs.org/rfcs/rfc2104.html

Is this like anything else out there?

The signing is a lot like what Amazon uses to sign their S3 and SDB requests. OAuth (open authentication) uses HMAC-SHA1 and is very similar to what we’re doing.

What do you use for a Secret Key?

We randomly generate a secret key for you that is salted and uses SHA encryption. A secret key could look like “2H9k2vgh5U4g3DzJz5Sgyydtehs%3d”. We encrypt your secret key using AES encryption – it’s safe.

What Programming Language can I use for SSO?

You can use any language that implements HMAC-SHA1. For example, VB.NET and C# (at MSDN) and Ruby (hmac gem); PHP, Perl, and Java examples were relatively easy to find using a search engine.

Can you integrate into my existing Central Authentication Server for a traditional SSO?

There are so many kinds of CAS servers; we chose to ask you to implement our signing system.

Do you have existing documentation?

Yes, we provide sample code, including technical definitions of the URL, response codes, and what variables to use; check the IT Resources of WebCOBRA to download the PDF.

What does a sample URL look like?

https://jwo.webcobra.com/exec/sso.aspx?user=59&logincode=jwo&expires=2009-02-10t15:28:22&signature=DmDLnXVX9QdkEUXMP1g%2b%2fsginZE%3d (This was generated with an old secret key and won’t work anymore; it also expired at 3:28 PM CST on 2/10/2009)

Where do I start?

Log in to WebCOBRA, go to the IT Resources, and click on Single Sign On. Click enable, and copy your secret key to somewhere safe. Copy the sample URL, test it out (it will auto-log you in), and try to create the signature using your secret key in code.
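As an added illustration (not WebCOBRA's sample code), here is how a link in the format of the sample URL above can be signed with HMAC-SHA1 and then checked on the receiving side. The string that gets signed, the use of the secret key as raw text, the placeholder host and the demo key are assumptions; the real definitions are in the PDF under IT Resources.

```python
import base64
import hashlib
import hmac
from datetime import datetime
from urllib.parse import parse_qs, quote, urlsplit

BASE = "https://sso.example.invalid/exec/sso.aspx"  # placeholder host (constructed)
TS_FORMAT = "%Y-%m-%dt%H:%M:%S"  # lowercase "t", as in the page's sample URL


def string_to_sign(user, logincode, expires):
    # ASSUMPTION: the real canonical string is defined in the vendor PDF.
    return f"user={user}&logincode={logincode}&expires={expires}"


def sign(secret, user, logincode, expires):
    # ASSUMPTION: the secret key is used as-is, as UTF-8 text.
    msg = string_to_sign(user, logincode, expires).encode()
    mac = hmac.new(secret.encode(), msg, hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_url(secret, user, logincode, expires_at):
    expires = expires_at.strftime(TS_FORMAT)
    sig = sign(secret, user, logincode, expires)
    # Base64 may contain "+", "/" and "="; percent-encode them (the sample URL
    # shows %2b, %2f, %3d) or "+" is read back as a space and the check fails.
    return (f"{BASE}?user={user}&logincode={logincode}"
            f"&expires={expires}&signature={quote(sig, safe='')}")


def verify(secret, url, now):
    query = parse_qs(urlsplit(url).query)
    try:
        user, logincode = query["user"][0], query["logincode"][0]
        expires, sig = query["expires"][0], query["signature"][0]
        expires_at = datetime.strptime(expires, TS_FORMAT)
    except (KeyError, ValueError):
        return False  # missing parameter or malformed timestamp
    expected = sign(secret, user, logincode, expires)
    # Constant-time compare; only trust "expires" once the signature matches.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    return now <= expires_at
```

Because the expiry is part of the signed string, changing `expires` (or `user`) in the link invalidates the signature, so an expired link cannot be revived by editing the URL.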
