Authentication Token requirements for SSO with HI application
The token consists of 4 parts separated by a "|" (pipe) character.
A token built in this format must be encrypted before it is sent, so that it cannot be read or forged in transit.
Chosen Encryption Algorithm details:
- Algorithm – AES
- Mode – ECB
- Padding – PKCS5Padding
- Secret Key – HSpnzzfCLqrBn8Lk (this is the secret key shared between the encrypting and the decrypting applications)
- Encrypted token is Base64 URL Safe encoded
    import javax.crypto.Cipher;
    import javax.crypto.spec.SecretKeySpec;
    import org.apache.commons.codec.binary.Base64; // Apache Commons Codec

    public static String encryptToken(String strToEncrypt) throws Exception {
        // Shared secret (16 bytes, so AES-128); must match the decrypting application
        String key = "HSpnzzfCLqrBn8Lk";
        String algorithm = "AES"; String mode = "ECB"; String padding = "PKCS5Padding";
        Cipher cipher = Cipher.getInstance(algorithm + "/" + mode + "/" + padding);
        SecretKeySpec secretKey = new SecretKeySpec(key.getBytes("UTF-8"), algorithm);
        cipher.init(Cipher.ENCRYPT_MODE, secretKey); // ENCRYPT_MODE == 1
        // URL-safe Base64 without '=' padding
        return Base64.encodeBase64URLSafeString(cipher.doFinal(strToEncrypt.getBytes("UTF-8")));
    }
Token Samples for Testing
Below are a few tokens and their encrypted forms (produced with the shared secret key), so that you can test your token generation and encryption logic. If these tokens, when encrypted by your Ruby code, match the provided encrypted values, they will be decoded successfully on the reporting application (Helical Insight) side.
Additional Information about the SSO Token
- username – loggedInUsername (mandatory parameter in the token)
- tenant – at present:
  - if a tenant is not provided in the token, the user is created in the organization named in the properties file (the default value)
  - if a tenant is provided, a tenant with that name is created in the DB, ROLE_USER is mapped to it by default, the user is created in that tenant (organization), and ROLE_USER is assigned to that user
- expiry date and time – optional parameter in the token; if provided, the token is valid only up to that date and time
- timezone – if no zone is provided in the token, IST is assumed by default
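The following Ruby implementation is an added example, not code from the specification or from Helical Insight. It builds the pipe-separated token and applies exactly the transformation the page specifies (AES/ECB/PKCS5Padding with the shared key, then URL-safe Base64 without padding), and includes the matching decrypt step so you can round-trip a token locally before comparing against the provided samples. The page does not fix the order of the four fields, so the order username|tenant|expiry|zone used here is an assumption; the helper names are this example's own.

```ruby
require 'openssl'
require 'base64'

# Shared secret from the specification: 16 bytes, so AES-128.
SHARED_KEY = 'HSpnzzfCLqrBn8Lk'.freeze

# Assumed field order (username|tenant|expiry|zone); the page names the fields
# but does not state their order, so this is an assumption of the example.
# Username is the only mandatory field.
def build_token(username:, tenant: '', expires_at: '', zone: '')
  raise ArgumentError, 'username is mandatory' if username.nil? || username.empty?
  [username, tenant, expires_at, zone].join('|')
end

# AES/ECB/PKCS5Padding as in the Java Cipher transformation on the page.
# OpenSSL pads with PKCS#7 by default, which is identical to PKCS5 for AES.
def encrypt_token(plain, key = SHARED_KEY)
  cipher = OpenSSL::Cipher.new('aes-128-ecb')
  cipher.encrypt
  cipher.key = key
  ciphertext = cipher.update(plain) + cipher.final
  # Java's encodeBase64URLSafeString omits '=' padding; do the same here.
  Base64.urlsafe_encode64(ciphertext, padding: false)
end

# Receiver side, as the reporting application would decrypt the token.
def decrypt_token(encoded, key = SHARED_KEY)
  cipher = OpenSSL::Cipher.new('aes-128-ecb')
  cipher.decrypt
  cipher.key = key
  cipher.update(Base64.urlsafe_decode64(encoded)) + cipher.final
end

# ECB property check: two tokens that share their first 16 plaintext bytes
# share their first ciphertext block, so an observer can see that relation
# without the key. Returned so it can be asserted in a test.
def first_block_equal?(encoded_a, encoded_b)
  a = Base64.urlsafe_decode64(encoded_a)
  b = Base64.urlsafe_decode64(encoded_b)
  a.byteslice(0, 16) == b.byteslice(0, 16)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not from the specification's sample list.
  token = build_token(username: 'alice', tenant: 'acme',
                      expires_at: '2030-01-01 12:00:00', zone: 'IST')
  encrypted = encrypt_token(token)
  puts "token:     #{token}"
  puts "encrypted: #{encrypted}"
  puts "roundtrip: #{decrypt_token(encrypted) == token}"
end
```

Because ECB is deterministic and carries no integrity check, identical tokens always encrypt to identical strings and the receiving side cannot tell a modified ciphertext from a genuine one by decryption alone; `first_block_equal?` makes the first property visible. On the receiving side that makes the expiry field and strict parsing of the decrypted text the only guards, so validate both rather than trusting any token that merely decrypts.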
Application URL -> http://localhost:8085/hi-ee/