The Single Sign On capability in Niche Video Media lets users arriving at your media channel log in with their Twitter/Facebook/Google credentials. This saves them the time and effort of creating a separate account for your media channel. You can also set up an SSO mechanism that validates users trying to log into your Niche Video Media channel using a script hosted on your own site. These could be users who already have an account in your web application, or whose information you keep in an internal system such as Active Directory or a database.
Here is how SSO/ Remote Authentication works:
- A user (agent/customer) wants to log in to your media channel remotely.
- You redirect the user to a remote login page you set up.
- The user enters his login credentials and you validate him.
- You compute an HMAC-MD5 hash (a keyed hash, not encryption) of his login details (name, email and timestamp) using the secret key Niche Video Media shares with you.
- You send Niche Video Media the hash and the user's login details this way:
['Niche Video Media_domain_name']+"login/sso?name="+current_user.username+"&email="+current_user.email+"&timestamp="+utctime+"&hash="+gen_hash_from_params_hash(utctime)
- Niche Video Media computes the same HMAC-MD5 hash of his login details using the secret key and checks whether the resulting hash matches the hash you sent.
- If they match, Niche Video Media knows that the user has been validated by you already and grants access to your channel.
Quick guide on enabling remote authentication in your Niche Video Media channel:
- Log in to your media channel as admin.
- Go to Console -> General Settings -> Security Model.
- Enable "My Site Defines Users" by clicking on the radio button.
- You will be given a Secret key that you will share with Niche Video Media. This key must be kept confidential: anyone who gets hold of it can use it to access your private media channel.
- Set up your Remote Login and Remote Logout pages and provide their URLs here.
Remote Login URL: This is the URL of the page to which Niche Video Media will redirect the users requesting remote Login to your media channel.
Remote Logout URL: Niche Video Media redirects the users who log out from your media channel to this page.
Parameters in the Redirect URL
The redirect URL which you send Niche Video Media after user validation should consist of the following parameters with their corresponding properties.
| Parameter | Properties |
| --- | --- |
| Name | The name of the user logging in, whether new or old, will be set on the user with the corresponding email address sent. |
| Email | A valid email address needs to be passed. If no user exists with this email in Niche Video Media, an account is created for him on the fly. |
| Timestamp | The UTC timestamp of when the user attempts to log in remotely, in seconds since epoch. This value has to be within the past 30 minutes; otherwise the hash is rejected and the user is denied login. |
| Hash value | An HMAC-MD5 hash of Name, Email and Timestamp computed using the shared secret key. |
| redirect_to (optional) | Usually, once a user logs in to your media channel, he is taken to the home page. You can customize this according to the roles of your users. For example, once you verify the user and find that he is an Admin, he could be redirected to media.yourcompany.com/Admin/home. If he is your customer, he could be taken to his recent tickets view. This is done by appending &redirect_to="the URL the user needs to access" to the authentication string you send back to Niche Video Media that contains the hash and login values. |
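The workflow above and the parameter table are easiest to see together in code. The following is an added example, not Niche Video Media's sample code or the GitHub samples referred to below: it builds the login/sso redirect URL on the remote login page side and mirrors the check the channel performs (30-minute timestamp window, then hash comparison). The secret, the channel domain and the assumption that Name, Email and Timestamp are concatenated in that order with no separator are placeholders/assumptions, not values taken from the product.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values. The real secret is the one shown under
# Console -> General Settings -> Security Model; the domain is your channel's.
SHARED_SECRET = "replace-with-the-shared-secret"
CHANNEL_BASE = "https://media.yourcompany.example/"
HASH_VALIDITY_SECONDS = 30 * 60   # a timestamp older than this is rejected


def gen_hash(name: str, email: str, timestamp: int, secret: str = SHARED_SECRET) -> str:
    """HMAC-MD5 over Name + Email + Timestamp, keyed with the shared secret.

    Assumption (not stated on the page): the three fields are concatenated
    in that order with no separator, and the digest is sent as lowercase hex.
    """
    message = f"{name}{email}{timestamp}".encode("utf-8")
    return hmac.new(secret.encode("utf-8"), message, hashlib.md5).hexdigest()


def build_sso_redirect(name, email, timestamp=None, redirect_to=None, secret=SHARED_SECRET):
    """URL your remote login page redirects the user to after validating him."""
    if timestamp is None:
        timestamp = int(time.time())          # UTC seconds since epoch
    params = {
        "name": name,
        "email": email,
        "timestamp": str(timestamp),
        "hash": gen_hash(name, email, timestamp, secret),
    }
    if redirect_to:
        params["redirect_to"] = redirect_to   # optional post-login destination
    return CHANNEL_BASE + "login/sso?" + urlencode(params)


def parse_sso_url(url: str) -> dict:
    """Pull the single-valued query parameters back out of a login/sso URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def verify_sso_params(params: dict, now=None, secret=SHARED_SECRET):
    """Mirror of the check the channel performs. Returns (accepted, reason)."""
    if now is None:
        now = int(time.time())
    try:
        name, email = params["name"], params["email"]
        presented = params["hash"]
        timestamp = int(params["timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed parameter"

    # Reject before doing any hash work: the timestamp must lie in the past
    # and be no older than the 30-minute validity window.
    age = now - timestamp
    if age < 0 or age > HASH_VALIDITY_SECONDS:
        return False, "timestamp outside the 30-minute window"

    expected = gen_hash(name, email, timestamp, secret)
    # Constant-time comparison so a wrong hash is not distinguishable byte by byte.
    if not hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8")):
        return False, "hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    url = build_sso_redirect("Jane Doe", "jane@example.com", redirect_to="/Admin/home")
    print(url)
    print(verify_sso_params(parse_sso_url(url)))
```

Two design points worth noting on the verifying side: the timestamp window is checked before the hash, so an expired URL is rejected even if its hash is valid, which is what makes replaying an old link fail; and the hash is compared with `hmac.compare_digest` rather than `==`.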
Creating the Remote Login Page
The next step is to set up a remote login page that authenticates to Niche Video Media using the shared secret key. It does this by passing back to Niche Video Media an HMAC-MD5 hash computed over the user's email address, name and timestamp. Sample code for the login page is available from the GitHub repository links:
Locked out of Niche Video Media?
If you have set up remote authentication and are locked out of Niche Video Media for some reason, you can use the following link to log in normally.
http://yourcompany.Nichevid.com/login/normal
- User information must now be hashed with HMAC-MD5. This improvement over the plain MD5 hash used before reduces the exposure of the hashed credentials.
- The timestamp of when the user logs in must be included in the hashed data, so an HMAC-MD5 hash of Name + Email + Timestamp computed with the secret key is sent for validation. This hash is valid for 30 minutes, which prevents an existing hash from being reused to log in to your account.