Spring naar het einde van metadata
Ga nar het begin van metadata

Je bekijkt een oude versie van deze pagina. Bekijk de huidige versie.

Vergelijk met huidige Toon pagina geschiedenis

Versie 1 Volgende »

By default PKIsigning uses OpenIDconnect or OAuth2.0 SSO integrations. Only if this type of integration is not possible, a fallback can be implemented using information below.

Custom SSO is a five-step process:

  1. Integrating party redirects user to PKIsigning IDP using a preconfigured parameter.

  2. PKIsigning IDP redirects the user back to a preconfigured url of integrating party to verify login-status of user

  3. User is redirected back to PKIsigning IDP

  4. PKIsigning IDP uses a backchannel API call to acquire user details

  5. User is logged in

This guide will explain what is necessary for an integrating party to fulfull steps 2 and 4. At the end also the changes for the redirect-url of step 1 is explained.

Verifying the login status of the user

To verify the loginstatus of the user, the PKIsigning IDP redirect the user back to a predefined url of the integrating party (e.g. https://…/getToken).

Please specify to us an url that only an authenticated user can access. We will append a query-parameter named returnUrl to that url with an encoded url.

The response of this page should be a form with method post containing a single hidden field “jwt”. The value is a token PKIsigning IDP can use in the next step to acquire user info. The page should post itself to the presented returnurl.

If the user is not logged in, a login page could be shown or a 403 error page.

By posting the form, the user is automatically redirected to the PKIsigning IDP again, which takes care of step 3 as mentioned above.

<html>
<head></head>
<body>
  <form method="post" id="jwtSubmitForm" action="https://devidentity.pkisigning.io">
    <input type="hidden" name="jwt" value="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvdGVzdC5waW5rd2ViLm5sIiwic3ViIjoiaW5pdGlhdGVHZXRVc2VySW5mb1JlcXVlc3QiLCJpYXQiOjE2MDY4MzcxNzYsImV4cCI6MTYwNjgzNzIwNiwiaGFuZHNoYWtlVG9rZW4iOiIwYmJlMTcyNDc4M2FmYjM5ZjE5NjcxZmE4MWNiOTg4NyJ9.0k3xUmzAYCcVT4HSYCaEj3gaVjeGqTeeiM4EhnhCbCo" />
  </form>
  <script type="text/javascript">
    document.getElementById('jwtSubmitForm').submit();
  </script>
</body>
</html>

Acquiring user information

The PKIsigning IDP will do a backchannel API call to acquire user information. This is done to a second url (e.g. https://…/getUserInfo), using the token as acquired in step 2 as bearer authentication method. The response of the third party should be like following snippet:

{
  "Id":"internal unique id of integrating party indicating the user parmanently",
  "Email":"emailaddress of the user",
  "Mobilephone":"mobile number of user in international format",
  "Surname":"Surname of user",
  "Firstname":"First name of the user",
  "Infix":"infix/prefix of lastname"
}

This backchannel call will be done immediately after the callback of step 3, so the used token doesn’t need to have a very long validity period.

Changing the redirecturl

Depending on the environment used, the user is directed to a specified PKIsigning IDP.

http://identity.pkisigning.io/connect/authorize?…

Please add an extra parameter named acr_values to this url.

http://identity.pkisigning.io/connect/authorize?…&acr_values=idp:SSO_ID

The specified SSO_ID will be given to you by the PKIsigning development team.

  • Geen labels