Forum Discussion

awitt
Guide
10 years ago

LithiumSSOClient Help

I'm following the instructions given at http://community.lithium.com/t5/Community-API/bd-p/developers-rest-api?page=authentication.

 

All I want to do is get an SSO Auth Token, authenticate, and then get a session key so that I can use my API user to then subscribe to certain events, namely UserCreate.  When a user is created, I wish to automatically send out a welcome email - pretty simple use case.

 

However, I'm having some trouble understanding everything in the documentation.  I've copied over the example LithiumSSOLogin class and am trying to change that for my purposes.  So, I know I need to get the SSO Key from our community manager and replace the example one in the code.  I've also replaced the SSO_CLIENT_DOMAIN and COMMUNITY_URL with our own.

 

However, I do not understand what the SSO_CLIENT_ID and SSO_SERVER_ID are supposed to be - are these the names of the computers/servers making and receiving the requests?  Also, is the CALLER_PUBLIC_IP supposed to be the IP address of the computer from which I'm making these REST calls?  And then lastly, I'm not sure I understand what the ssoid parameter is when making the LithiumSSOClient.getLithiumCookieValue() call.  The API user already exists within our community and has been granted appropriate privileges for making REST calls; that user ID is what I'm passing in for the login parameter.

 

If anyone can help me through this, I'd appreciate it.  Seems like it should be pretty easy and feels like I'm pretty close.

 

// The posted class is shown here completed so that it compiles: the imports of
// LithiumSSOClient, SSOException and Key come from the Lithium-supplied SSO client
// jar (package names omitted here; use the ones in your jar).
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LithiumSSOLogin {

	private static Key SSO_KEY;
	private static String SSO_CLIENT_ID;
	private static String SSO_CLIENT_DOMAIN;
	private static String SSO_SERVER_ID;
	private static String COMMUNITY_URL;
	private static String CALLER_PUBLIC_IP = "xxx.xxx.xx.xxx";

	private static final void init() {
		// Example placeholders: replace with your own key, ids, domain and URL.
		SSO_KEY = new Key("sso_key");
		SSO_CLIENT_ID = "apac_client_001";
		SSO_CLIENT_DOMAIN = ".stage.lithium.com";
		SSO_SERVER_ID = "apac_server_001";
		COMMUNITY_URL = "http://community.stage.company.com";
		CALLER_PUBLIC_IP = "xxx.xxx.xx.xxx";
	}

	// This java class assumes that Lithium SSO (Cookie-based) is configured in
	// Lithium community.

	public static void main(String[] args) {

		init();
		debug("start");

		// STEP 1: Got SSO Token from SSO Client
		String ssoid = "communityapi_sso_ssoid_new";// "hgu_sso_ssoid_new";
		String login = "communityapi";
		String ssoAuthTokenString = null;

		try {

			LithiumSSOClient ssoClient = LithiumSSOClient.getInstance(
					SSO_KEY.getRaw(), SSO_CLIENT_ID, SSO_CLIENT_DOMAIN,
					SSO_SERVER_ID);

			ssoAuthTokenString = ssoClient.getLithiumCookieValue(ssoid, login,
					"", "", "", "", CALLER_PUBLIC_IP);
			debug("ssoAuthTokenString: " + ssoAuthTokenString);
		} catch (SSOException e) {
			debug(e);
			return;
		}

		// STEP 2: Call SSO authentication URL to get SSO session key
		// (the token and, below, the session key travel in the query string,
		// so COMMUNITY_URL should be https in anything but a test setup)
		String restURL = COMMUNITY_URL
				+ "/restapi/vc/authentication/sessions/login?sso.authentication_token="
				+ ssoAuthTokenString;
		String s = httpGet(restURL);
		String restSessionKey = extractSessionKeyFromXML(s);
		if (restSessionKey == null) {
			debug("no session key in login response: " + s);
			return;
		}

		// STEP 3: Call REST with a session key
		String vcURL = COMMUNITY_URL + "/restapi/vc?restapi.session_key="
				+ restSessionKey;

		httpGet(vcURL);
		debug("done");
	}

	// Minimal HTTP GET used by the steps above; returns the body, or "" on error.
	private static String httpGet(String urlString) {
		try {
			HttpURLConnection conn = (HttpURLConnection) new URL(urlString).openConnection();
			conn.setRequestMethod("GET");
			try (InputStream in = conn.getInputStream()) {
				return new String(in.readAllBytes(), StandardCharsets.UTF_8);
			}
		} catch (IOException e) {
			debug(e);
			return "";
		}
	}

	// Pulls the session key out of the login response; assumes the REST v1 XML
	// shape <response status="success"><value type="string">KEY</value></response>.
	private static String extractSessionKeyFromXML(String xml) {
		Matcher m = Pattern.compile("<value type=\"string\">([^<]+)</value>").matcher(xml);
		return m.find() ? m.group(1) : null;
	}

	private static void debug(Object msg) {
		System.err.println(msg);
	}
}

 

  • DougS
    Khoros Oracle

    Hi awitt,

     

    Based on the example you gave, here is some information I hope explains what the values you are asking above mean:

     

    SSO_CLIENT_ID is used to generate a unique cookie name, mainly to prevent clashes when a customer has more than 1 Lithium community.  It should be unique per community and "phase" (stage/prod).  Customers will often use <community id>.<phase> (ex. lithium.stage or lithium.prod) for their client id.

     

    SSO_SERVER_ID is mainly used to generate a unique id that is used to prevent clashes with other LithiumSsoClient instances and to handle some security-related operations like preventing replay attacks.  You can set this to null actually and it will generate a unique one for you.  It's mainly there for backwards-compatibility at this point.

     

    CALLER_PUBLIC_IP is supposed to be the IP address the request to the community will be coming from.  It's used in an additional security checking process to make sure the request is coming from the right IP.

     

    Finally, the ssoId parameter is the unique identifier for the user you are signing in.  Lithium looks at the ssoId passed in the token and looks for a user with that ssoId.  If it finds one, it creates a session for that user.  If it does not find one, but is able to decrypt the SSO token, it creates a new user for that ssoId and creates a session for that user.  If it can't decrypt the SSO token, authentication fails.

     

    I hope that helps.  Please let me know if you have any follow-up questions.

     

    -Doug
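Added example, not code from the page, from Lithium, or from the LithiumSSOClient library: a small Python model of the checks Doug's answer attributes to the community (cookie name derived from the client id, a per-token nonce for replay detection, the CALLER_PUBLIC_IP comparison, and the lookup-or-create behaviour keyed on ssoId), driven by the same three-step flow as the original post. It assumes a shared HMAC key in place of the real SSO key and a JSON payload in place of Lithium's token format; the names make_token, Community, cookie_name and all sample values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret standing in for the community's SSO key (assumption:
# a symmetric key that authenticates tokens; the real key and token format are Lithium's).
SSO_KEY = b"constructed-example-sso-key"
TAG_LEN = hashlib.sha256().digest_size


def cookie_name(client_id):
    """Cookie name derived from the client id, so two communities on one host
    (e.g. acme.stage and acme.prod) never overwrite each other's cookie."""
    return "LithiumSSO_" + client_id.replace(".", "_")


def make_token(key, ssoid, login, server_id, caller_ip, issued_at=None):
    """Client side (what getLithiumCookieValue() stands for here): bind the user
    id, login, caller IP and a fresh nonce together under an HMAC tag."""
    payload = {
        "ssoid": ssoid,
        "login": login,
        "server_id": server_id,          # which client instance minted it
        "ip": caller_ip,                 # CALLER_PUBLIC_IP
        "nonce": secrets.token_hex(8),   # one-time value for replay detection
        "iat": int(time.time()) if issued_at is None else issued_at,
    }
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


class Community:
    """Server side: the checks the answer above attributes to the community."""

    def __init__(self, key, ttl_seconds=300):
        self.key = key
        self.ttl = ttl_seconds
        self.users = {}          # ssoid -> user record
        self.sessions = {}       # session key -> ssoid
        self.seen = set()        # (server_id, nonce) pairs already accepted

    def login(self, token, request_ip, now=None):
        """Return (session_key, "ok") on success, or (None, reason)."""
        now = int(time.time()) if now is None else now
        try:
            raw = base64.urlsafe_b64decode(token)
        except (ValueError, TypeError):
            return None, "bad token"
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if len(tag) != TAG_LEN or not hmac.compare_digest(expected, tag):
            return None, "bad token"          # cannot verify: authentication fails
        p = json.loads(body)
        if p["ip"] != request_ip:
            return None, "ip mismatch"        # the CALLER_PUBLIC_IP check
        if now - p["iat"] > self.ttl:
            return None, "expired"
        nonce_key = (p["server_id"], p["nonce"])
        if nonce_key in self.seen:
            return None, "replay"             # same token presented twice
        self.seen.add(nonce_key)
        user = self.users.get(p["ssoid"])
        if user is None:                      # unknown ssoid but valid token: create the user
            user = {"ssoid": p["ssoid"], "login": p["login"]}
            self.users[p["ssoid"]] = user
        session_key = secrets.token_hex(16)   # what STEP 2 in the post hands back
        self.sessions[session_key] = p["ssoid"]
        return session_key, "ok"


if __name__ == "__main__":
    community = Community(SSO_KEY)
    tok = make_token(SSO_KEY, "communityapi_sso_ssoid_new", "communityapi",
                     "apac_server_001", "203.0.113.10")
    print(cookie_name("acme.stage"), community.login(tok, "203.0.113.10"))
    print(community.login(tok, "203.0.113.10"))   # second use of the same token: replay
```

Run as a script it accepts the first login (creating the user for the new ssoid) and rejects the second presentation of the same token; the (server_id, nonce) pair is what makes a null SSO_SERVER_ID workable in the real client, since any unique generated id serves the same purpose.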

    • awitt
      Guide

      Thanks, @DougS! Those were exactly the explanations I was looking for. Was that info in the online docs somewhere? I did try searching for it, and hadn't found it, but it seems like perhaps it should have.