Token Based Single Sign On

Configure token based SSO with LCvista

The Single Sign On capability in LCvista allows professionals to log in using your organization's Single Sign On provider (for example Okta, Azure AD or Centrify) via SAML 2.0. This saves them the time and effort of maintaining separate usernames and passwords. You can also set up an SSO mechanism that authenticates users from your own web application using a locally hosted script. This suits professionals who already have an account in your web application, or whose information you store in an internal directory such as Active Directory.

How SSO/Remote Authentication works using a Token

  • A user logs into your web application, which performs the authentication.
  • When the authenticated user clicks a link to LCvista, your web application computes a SHA1-based hash (HMAC-SHA1 in the sample code on this page) over the user's login details (timestamp, email, site slug) together with the secret key that LCvista shares with you.
  • You redirect the user to LCvista with the resulting hash and the login details in the URL, of the form:

    ['your lcvista URL'] + '/sso/oauth/?timestamp={}&email={}&slug={}&hash={}&next={}'.format(
        n, email, slug, hash_key, '%2F'
    )

  • LCvista computes the same hash over the received login details using the secret key and checks whether the result matches the hash that was sent.
  • If they match, LCvista knows that you have already validated the user and grants access to your portal.

Enable Remote Authentication in LCvista

  • Log in to LCvista as an administrator with access to the Organization menu.
  • Select Settings within the Organizations menu.
  • Within the OAuth SSO Secret Key section, select the Secret Key button.
  • Generate the secret key to be used by your web application.

Important: Keep the key confidential. Anyone who obtains this key can use it to access your support portal.

Parameters in the Redirect URL

Parameter        Properties
timestamp        The UTC time at which the user attempts to log in remotely, in seconds since the epoch. The value must fall within the past 30 seconds; otherwise the hash is rejected and the user is denied login.
email            A valid email address. If no user with this email exists in LCvista, an error message is displayed.
slug             The organization slug of your company's LCvista site.
hash_key         A SHA1-based hash of the timestamp, email, site slug and secret key, computed with the shared secret key.
next (optional)  By default a user who logs into LCvista is taken to the dashboard. Pass a URL-encoded path here (the sample uses %2F, i.e. "/") to send the user to another landing page instead.


Sample Python Code to Generate the URL

import hmac
import hashlib
import datetime
from urllib.parse import urlencode
from collections import OrderedDict

# Current UTC time in seconds since the epoch; LCvista accepts it for 30 seconds.
n = int(datetime.datetime.now(datetime.timezone.utc).timestamp())

email = 'admin@lcvista.com'   # the user's email address in LCvista
slug = 'rainier'              # your organization's site slug

# The OAuth SSO Secret Key generated under Organization > Settings.
# (LCvista's own sample read it from its internal model with
#  Organization.objects.get().oauth_secret_key; your script should load it
#  from your own secret store instead.)
token = 'YOUR_OAUTH_SECRET_KEY'  # placeholder, replace with the generated key

# The URL-encoded parameters, including the secret, form the HMAC key and the
# message is empty. Keep the parameter order exactly as shown.
hmac_key = urlencode(OrderedDict((
    ('timestamp', n),
    ('email', email),
    ('slug', slug),
    ('token', token),
))).encode()

hash_key = hmac.new(hmac_key, b'', hashlib.sha1).hexdigest()

# next=%2F ("/" URL-encoded) sends the user to the dashboard after login.
url = '/sso/oauth/?timestamp={}&email={}&slug={}&hash={}&next={}'.format(
    n, email, slug, hash_key, '%2F'
)

print(url)
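The sample above only shows the sending side. The following added example (not LCvista's code) puts both halves of the flow described under "How SSO/Remote Authentication works using a Token" side by side: a builder that produces the redirect URL, and an illustrative verifier of the kind the receiving side runs, which enforces the 30-second timestamp window from the parameter table and compares hashes in constant time. It assumes the hash construction is exactly the one in the sample (URL-encoded parameters as the HMAC-SHA1 key, empty message); the verifier's logic, the base URL and the secret are assumptions, not LCvista's implementation.

```python
import hmac
import hashlib
import time
from collections import OrderedDict
from urllib.parse import urlencode, urlparse, parse_qs

# Acceptance window stated in the parameter table on this page.
MAX_AGE_SECONDS = 30


def compute_hash(timestamp, email, slug, secret):
    """Hash construction taken from the page's sample: the URL-encoded
    parameters (including the secret) are the HMAC key, the message is empty."""
    key = urlencode(OrderedDict((
        ('timestamp', timestamp),
        ('email', email),
        ('slug', slug),
        ('token', secret),
    ))).encode()
    return hmac.new(key, b'', hashlib.sha1).hexdigest()


def build_sso_url(base_url, email, slug, secret, next_path='/', now=None):
    """Sending side: build the redirect URL. `now` can be fixed for testing."""
    ts = int(time.time() if now is None else now)
    query = urlencode(OrderedDict((
        ('timestamp', ts),
        ('email', email),
        ('slug', slug),
        ('hash', compute_hash(ts, email, slug, secret)),
        ('next', next_path),          # urlencode turns "/" into %2F
    )))
    return '{}/sso/oauth/?{}'.format(base_url, query)


def verify_sso_url(url, secret, now=None, max_age=MAX_AGE_SECONDS):
    """Receiving side (assumed behaviour, not LCvista's code): recompute the
    hash from the received parameters and reject stale or tampered requests.
    Returns (ok, reason)."""
    params = parse_qs(urlparse(url).query)
    try:
        ts = int(params['timestamp'][0])
        email = params['email'][0]
        slug = params['slug'][0]
        presented = params['hash'][0]
    except (KeyError, ValueError):
        return False, 'missing or malformed parameter'

    current = int(time.time() if now is None else now)
    # Reject timestamps from the future or older than the window (replay).
    if not 0 <= current - ts <= max_age:
        return False, 'timestamp outside the allowed window'

    expected = compute_hash(ts, email, slug, secret)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected, presented):
        return False, 'hash mismatch'
    return True, 'ok'


if __name__ == '__main__':
    # Constructed values: placeholder base URL and secret, the page's sample user.
    secret = 'CONSTRUCTED-SECRET-KEY'
    url = build_sso_url('https://your-lcvista-url', 'admin@lcvista.com',
                        'rainier', secret)
    print(url)
    print(verify_sso_url(url, secret))
```

Both sides must URL-decode the parameters before hashing (parse_qs does this for the verifier), and the order of the fields inside `compute_hash` must match on both sides, otherwise a valid login is rejected as a hash mismatch.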