Single Sign-On - Remote Authentication

 

The Single Sign-On capability allows users arriving at the Apteriks portal to be pre-authenticated in your own environment. They log in to the Apteriks helpdesk transparently, without entering their username and password.

 

Pre-requisites

  • Log in to Apteriks as an administrator. From here visit the Helpdesk Administration page >> Single Sign-On page. Enable the SSO functionality and obtain the secret SSO authentication key.
  • Select a server or a web page within your own environment. Ideally, this server is part of your corporate domain and can therefore retrieve the identity of visiting corporate users. For example, it can be a page on a Microsoft SharePoint server.

 

How it works

  1. A user wants to remotely (transparently) log in to Apteriks helpdesk.
  2. The user visits the server that you set up earlier (see pre-requisites above).
  3. Your server obtains the user identity in one way or another. The preferred option is automatic retrieval from the corporate directory. A less convenient option is a form asking for a username and a password.
  4. Your server computes the HMAC-MD5 hash on the key identity parameters: Email, Name, Time and the secret SSO key that Apteriks provides to you.
  5. The user is redirected to the Apteriks portal along with the computed hash.
  6. The Apteriks portal performs the identical hash calculation using the stored secret SSO key. Matching results mean that the user identity has already been validated by you. Apteriks grants the user access to the Helpdesk functionality without asking for login details.

 

Details

In order to compute the HMAC-MD5 hash, obtain the following parameters.

 

Parameter | Status | Description
email | Mandatory | A valid email of the user. This email will be used to deliver the ticket update notifications.
name | Mandatory | User name to display. Typically a combination of a first name and a surname.
time | Mandatory | The UTC timestamp in the format of "seconds since epoch". This timestamp must be within 30 minutes of the actual UTC time; otherwise the login is rejected.
phone | Optional | User phone. This parameter is not used to generate the hash value. It can be included in the query string as an optional parameter.

 

The mandatory parameters from the above list are concatenated into a single string (Email+Name+Time+SsoKey) and an HMAC-MD5 hash is computed on it.

Once the hash value is computed, the user is redirected to the Apteriks helpdesk portal using the following URL:

https://www.apteriks.com/Helpdesk/[YourHelpdeskName]/Login/Sso
+ "?email=" + user_email
+ "&name=" + user_name
+ "&phone=" + user_phone
+ "&time=" + epoch_time
+ "&hash=" + hash_value

The successfully authenticated user remains authenticated for the duration of 5 days.
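
The hash computation and redirect URL described above, together with the matching check from step 6, as an added example that is not Apteriks' own code. It assumes the SSO key is also used as the HMAC key, the digest is hex-encoded, and the fields are concatenated without separators; the function names are hypothetical.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://www.apteriks.com/Helpdesk/{helpdesk}/Login/Sso"
MAX_SKEW = 30 * 60  # page: timestamp must be within 30 minutes of UTC now


def sso_hash(email, name, ts, sso_key):
    # Message is Email+Name+Time+SsoKey, as the page describes.
    # Assumption: the SSO key is also the HMAC key and the digest is hex.
    msg = f"{email}{name}{ts}{sso_key}".encode("utf-8")
    return hmac.new(sso_key.encode("utf-8"), msg, hashlib.md5).hexdigest()


def build_sso_url(helpdesk, email, name, sso_key, phone=None, now=None):
    ts = int(time.time() if now is None else now)
    params = {"email": email, "name": name}
    if phone:
        params["phone"] = phone  # optional, not covered by the hash
    params["time"] = str(ts)
    params["hash"] = sso_hash(email, name, ts, sso_key)
    # urlencode percent-encodes values so '+', '&' or spaces in a name
    # cannot split or alter the query string.
    return BASE.format(helpdesk=helpdesk) + "?" + urlencode(params)


def verify_sso_url(url, sso_key, now=None):
    # Receiving-side check, mirroring step 6 of "How it works".
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        ts = int(q["time"])
        expected = sso_hash(q["email"], q["name"], ts, sso_key)
        supplied = q["hash"]
    except (KeyError, ValueError):
        return False  # missing or malformed parameter
    current = time.time() if now is None else now
    if abs(current - ts) > MAX_SKEW:
        return False  # stale or future-dated link
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```

Run the URL-building side on the server from the pre-requisites so the SSO key is never sent to the browser.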

 

Sample authentication

Please refer to the JavaScript-only sample authentication page.

Download SSO Authenticator