SSO - Single sign on
Meridix Studio supports single sign on (SSO) from external systems. There are two ways to allow an external system to automatically log in users into Meridix Studio without the users needing to manually input their credentials.
Signed - Recommended
The recommended method to log in users is to make a signed request (the same signing mechanism as for the Web API) to the URL https://[meridixurl]/SSO?u=[username]. Before sending it, sign the request with a ticket (token/secret) issued by Meridix Studio, which results in a signed URL such as:
https://companyname.meridix.se/SSO?auth_nonce=acd80a19&auth_timestamp=20121127113000&auth_token=3dsafdsa324c9bd4b8887b66baa8b566c28&u=user@user.com&auth_signature=81987e7899140e0c07e8dc26553fa7d2
The signing procedure is described in the Web API Authorization section.
This is the recommended solution because it never sends any passwords or ticket secrets over the wire, and once a signed request has been used it is no longer valid: each signed URL can be used only once and is valid for only 10 minutes from creation/signing (judged by the auth_timestamp parameter against the Meridix server's clock in UTC, so the signing system must keep accurate UTC time or its requests will be rejected). Note that within that window the signed URL is itself a credential for the named user, so generate it only for the user about to be logged in, send it over https and keep it out of logs.
Basic - Not recommended (insecure)
The easiest way to log in a user from an external system is to make a request against https://[meridixurl]/SSO?u=[username]&p=[password]
Where [meridixurl] is the URL to your Meridix installation, [username] is the username/email of the user you want to log in and [password] is the Meridix password of the user.
This solution is not the recommended method since it sends the credentials in clear text, and because the password is carried in the query string it can also end up in browser history, proxy logs and web server logs. It should not be used with public installations (available outside e.g. your intranet) and should never be used without SSL (https).
Responses
The SSO interface will return one of the following status codes depending on the result of the authentication operation.
Response: 302 - Found
If the SSO request was valid, the HTTP status code 302 Found is returned with the Meridix authentication cookies set. The response also contains a Location header that causes browsers to redirect to the logged-in user's start page.
http://en.wikipedia.org/wiki/HTTP_302
Response: 403 - Forbidden
The HTTP status code 403 Forbidden will be returned with an additional status message describing why the request was denied. An example of a reason is Nonce already consumed, which is returned if the nonce used for the signature has already been consumed within the timestamp's allowed interval.
In addition to the standard response status message, a response header with the key API.403_reason is added carrying the same text.
http://en.wikipedia.org/wiki/HTTP_403
Response: 400 - Bad request
The HTTP status code 400 Bad request will be returned if the request is in an invalid format, for example if required query string parameters are missing. A status description message is also added describing the reason for the 400 code.
In addition to the standard response status message, a response header with the key API.400_reason is added carrying the same text.
http://en.wikipedia.org/wiki/HTTP_400
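The following is an added example that models both the signed SSO flow and the responses described above; it is not code from Meridix and does not reproduce the actual Meridix signing scheme, which is defined in the Web API Authorization section. The exact canonicalisation (query string without auth_signature, keys sorted) and the HMAC-SHA256 signature are assumptions made for illustration, as are the ticket values, the session cookie name and the query key language for the UI language. What it does show is the security behaviour the page promises: the secret never leaves the signing system, a tampered URL fails the signature check, a replayed URL is rejected with Nonce already consumed, a URL older than 10 minutes is rejected, and a request with missing parameters gets a 400 with an API.400_reason header.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed ticket for the example; a real ticket (token/secret) is issued by Meridix Studio.
TOKEN = "3dsafdsa324c9bd4b8887b66baa8b566c28"
SECRET = "example-ticket-secret"
VALIDITY_SECONDS = 10 * 60   # lifetime of a signed URL, per the page
CLOCK_SKEW_SECONDS = 60      # assumed tolerance for a caller clock slightly ahead of the server
TIMESTAMP_FORMAT = "%Y%m%d%H%M%S"


def canonical_string(params):
    """ASSUMPTION: the string to sign is the query string without auth_signature, keys sorted."""
    return urlencode(sorted((k, v) for k, v in params.items() if k != "auth_signature"))


def sign(params, secret):
    """ASSUMPTION: HMAC-SHA256 of the canonical string keyed with the ticket secret.
    Only the token and the resulting signature travel in the URL; the secret never does."""
    return hmac.new(secret.encode(), canonical_string(params).encode(), hashlib.sha256).hexdigest()


def build_sso_url(base_url, username, token, secret, now=None, language=None):
    """Build a one-time signed URL of the form https://[meridixurl]/SSO?auth_nonce=...&auth_signature=..."""
    now = now or datetime.now(timezone.utc)
    params = {
        "auth_nonce": secrets.token_hex(4),               # fresh per request; the server rejects reuse
        "auth_timestamp": now.strftime(TIMESTAMP_FORMAT),  # UTC, compared against the server clock
        "auth_token": token,
        "u": username,
    }
    if language:                                          # assumed key for the UI language, e.g. sv-SE or en-US
        params["language"] = language
    params["auth_signature"] = sign(params, secret)
    return f"{base_url}/SSO?{urlencode(params)}"


class SsoEndpoint:
    """Model of the server side; handle() returns (status, headers) as the page describes the responses."""

    def __init__(self, tickets, clock=None):
        self.tickets = tickets                      # token -> secret
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.consumed = {}                          # (token, nonce) -> timestamp it was signed with

    def handle(self, url):
        q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        for key in ("auth_nonce", "auth_timestamp", "auth_token", "u", "auth_signature"):
            if key not in q:
                return 400, {"API.400_reason": f"Missing query string: {key}"}
        try:
            ts = datetime.strptime(q["auth_timestamp"], TIMESTAMP_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            return 400, {"API.400_reason": "Malformed auth_timestamp"}
        secret = self.tickets.get(q["auth_token"])
        if secret is None:
            return 403, {"API.403_reason": "Unknown token"}
        age = (self.clock() - ts).total_seconds()
        if age > VALIDITY_SECONDS or age < -CLOCK_SKEW_SECONDS:
            return 403, {"API.403_reason": "Timestamp outside allowed interval"}
        # Check the signature before touching nonce state so unauthenticated requests cannot fill the store.
        if not hmac.compare_digest(sign(q, secret), q["auth_signature"]):
            return 403, {"API.403_reason": "Invalid signature"}
        self._expire_nonces()
        key = (q["auth_token"], q["auth_nonce"])
        if key in self.consumed:
            return 403, {"API.403_reason": "Nonce already consumed"}
        self.consumed[key] = ts
        # Assumed cookie name; the real response sets the Meridix authentication cookies.
        return 302, {"Location": "/", "Set-Cookie": f"meridix_auth=session-for-{q['u']}; Secure; HttpOnly"}

    def _expire_nonces(self):
        # A nonce only needs remembering while its timestamp could still pass the interval check.
        now = self.clock()
        limit = VALIDITY_SECONDS + CLOCK_SKEW_SECONDS
        self.consumed = {k: t for k, t in self.consumed.items() if (now - t).total_seconds() <= limit}


def demo():
    """Walk through the page's scenarios with a fixed clock and return the outcome of each."""
    t0 = datetime(2012, 11, 27, 11, 30, 0, tzinfo=timezone.utc)
    url = build_sso_url("https://companyname.meridix.se", "user@user.com", TOKEN, SECRET, now=t0, language="en-US")
    server = SsoEndpoint({TOKEN: SECRET}, clock=lambda: t0)
    first, _ = server.handle(url)
    replay = server.handle(url)[1].get("API.403_reason")
    tampered = server.handle(url.replace("u=user%40user.com", "u=admin%40user.com"))[1].get("API.403_reason")
    late = SsoEndpoint({TOKEN: SECRET}, clock=lambda: datetime(2012, 11, 27, 11, 41, 0, tzinfo=timezone.utc))
    expired = late.handle(url)[1].get("API.403_reason")
    missing, _ = SsoEndpoint({TOKEN: SECRET}).handle("https://companyname.meridix.se/SSO?u=user%40user.com")
    return {"first": first, "replay": replay, "tampered": tampered, "expired": expired, "missing": missing}


if __name__ == "__main__":
    print(demo())
```

The verifier deliberately checks the signature before consulting the nonce store: otherwise anyone able to guess a nonce could mark it as consumed without holding the secret. Consumed nonces are forgotten once their timestamp can no longer pass the interval check, so the store stays bounded by the request rate over roughly eleven minutes.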
Additional options
You also have the ability to set the user interface language when logging in a user by adding the query string key language={language_code}, where language_code is either sv-SE for Swedish or en-US for English.
At the time of writing, only English and Swedish are supported; more languages will be supported in upcoming releases.
Webpage: www.meridix.se
Email: support@meridix.se
Tel: +46 (0) 21 38 30 32