...

The signing procedure is described in the Web API Authorization section.

This is the recommended solution because it never sends any passwords or ticket secrets over the wire, and once a signed request has been used it is no longer valid, i.e. each signed URL can only be used once and is only valid for 10 minutes from creation/signing (based on the timestamp parameter in combination with the Meridix server time in UTC).

Note
If you need to link a user from e.g. a portal site, the rendered link must be signed a maximum of 10 minutes before it is clicked; otherwise the Meridix authentication will respond with a 403 Forbidden HTTP response since the signature has expired.

Basic - Not recommended (insecure)

The easiest way to log in a user from an external system is to make a request against https://[meridixurl]/SSO?u=[username]&p=[password]
where [meridixurl] is the URL to your Meridix installation, [username] is the username/email of the user you want to log in and [password] is the Meridix password of the user.

This solution is not the recommended method since it sends the credentials in clear text. It should not be used with public installations (available outside e.g. your intranet) and should not be used without SSL (https).

Note
This feature is not recommended, is disabled by default, and must be manually enabled in the Meridix Studio Platform to work. [system-property: ui.sso_basic_insecure_enabled]

...

If the SSO request was valid, the HTTP status code 302 Found is returned with the Meridix authentication cookies set. The response also contains a Location header causing browsers to redirect to the logged-in user's start page.
http://en.wikipedia.org/wiki/HTTP_302 

...

The HTTP status code 403 Forbidden will be returned with an additional status message describing why the request was denied. An example of a reason is Nonce already consumed, which is returned if the nonce/token used for the signature has already been consumed during the timestamp's allowed interval.
In addition to the standard response status message, a response header with the key API.403_reason is added with the same response.
http://en.wikipedia.org/wiki/HTTP_403 

...

The HTTP status code 400 Bad request will be returned if the request was in an invalid format, for example if the request has missing query strings. A status description message is also added describing the reason for the 400 code.
In addition to the standard response status message, a response header with the key API.400_reason is added with the same response.
http://en.wikipedia.org/wiki/HTTP_400
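
The single-use and 10-minute rules and the 302/403/400 outcomes described above, as a server-side model added here for illustration (not Meridix code). The parameter names `nonce` and `signature`, the HMAC-SHA256 stand-in signature and every reason string other than Nonce already consumed are assumptions; the real signing procedure is the one in the Web API Authorization section.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

MAX_AGE_SECONDS = 10 * 60  # validity window stated on this page
REQUIRED = ("timestamp", "nonce", "signature")  # assumed parameter names


class SsoValidator:
    """Model of a verifier for single-use, time-limited signed URLs."""

    def __init__(self, secret):
        self._secret = secret
        self._seen = {}  # nonce -> timestamp of the request that consumed it

    def sign(self, timestamp, nonce):
        # Assumed stand-in signature (HMAC-SHA256), not the Meridix procedure.
        msg = f"{timestamp}:{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def validate(self, url, now=None):
        """Return (status_code, reason) for a signed SSO URL."""
        now = int(time.time()) if now is None else now  # server time, UTC
        query = parse_qs(urlsplit(url).query)
        missing = [k for k in REQUIRED if k not in query]
        if missing:
            return 400, "Missing query string: " + ", ".join(missing)
        try:
            ts = int(query["timestamp"][0])
        except ValueError:
            return 400, "Invalid timestamp"
        nonce, sig = query["nonce"][0], query["signature"][0]
        # Verify the signature first, in constant time, so unsigned input
        # can never reach or fill the nonce store.
        if not hmac.compare_digest(self.sign(ts, nonce).encode(), sig.encode()):
            return 403, "Invalid signature"
        if abs(now - ts) > MAX_AGE_SECONDS:
            return 403, "Timestamp outside allowed interval"
        # Drop nonces whose timestamp can no longer pass the check above.
        self._seen = {n: t for n, t in self._seen.items()
                      if abs(now - t) <= MAX_AGE_SECONDS}
        if nonce in self._seen:
            return 403, "Nonce already consumed"
        self._seen[nonce] = ts
        return 302, "Found"
```

The nonce store only has to remember values for as long as their timestamp is still acceptable, which is what keeps single-use enforcement bounded in memory.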

 


Additional options

You also have the ability to set the user interface language when logging in a user by using the query string key langage={language_code}, where language_code is set to either sv-SE for Swedish or en-US for English. If not supplied, the system uses English.

At the time of writing, only English and Swedish are supported, but more languages will be supported in upcoming releases.

...