Standard SSO Integration (OAuth2)
A step-by-step integration mechanism into Kryterion SSO implementation using OAuth2 standard.
The integration Document provides a high-level overview of the Webassessor Single-Sign-On Integration offered by Kryterion, Inc to its clients. It is intended to capture the integration points and boundaries of the SSO implementation done by Webassessor and facilitate client integration with the Kryterion SSO solution.
References
[OAuth]: The OAuth 2.0 specification. http://tools.ietf.org/html/rfc6749
Prerequisites
The SSO follows the OAuth2 spec. In order for a client to be able to effectively integrate with Webassessor for SSO, either the client should have an in-house OAuth server or should be able to use a third-party, OAuth-validating server like Okta, Salesforce etc. Assuming there is a functioning OAuth server (typically consisting of a validating service, a token service and a profile service), the following diagram explains the communication during a typical OAuth2 SSO call between Webassessor and a potential client.
Client should be created in the Webassessor system as an entity and region. Brand should also be created since it is part of the communication during SSO calls.
Integration Points and Flows
Implementation Steps
Step 1: Client Provides OAuth 2.0 Server Details
Before the integration can be setup, we need certain values to be in our Webassessor system to be able to communicate with the client OAuth server. The first table below lists the information (per the standard OAuth spec) needed before we attempt to integrate.
The client will provide OAuth 2.0 server details (URL & login information) for Kryterion to register Webassessor as an application authorized to access the client’s User Profile information. In addition, Webassessor will require the following information to be stored in our database before an active SSO integration:
Authorization URI | URL address of OAuth 2.0 server that will provide authorization code |
Token Exchange URI | URL address of OAuth 2.0 server that will provide access token |
WebService URI | Client WebService address (or specification) |
Client Id | Identification of the application (Webassessor) as a “subscriber” to the client |
Client Secret | (Optional) The client secret |
Only after the above information is shared by the client and properly saved in Webassessor database can the SSO integration be tested.
Step 2: Client’s First Communication with Kryterion SSO
The client’s first communication with Kryterion SSO will be through this URL:
https://www.webassessor.com/form/ssoLogin.do?method=process&provider=PROVIDER&brand=BRAND
In the above URL, “PROVIDER” and “BRAND” values will be available to the client once the client is created in Webassessor system as an entity.
PARAMETER | SUPPLIED BY | DESCRIPTION |
provider | Webassessor | A unique name saved in the Webassessor database to identify the client |
brand | Webassessor | The client’s brand name created in Webassessor |
Only after the above information is shared by the client and properly saved in Webassessor database can the SSO integration be tested.
Step 3: Kryterion Access to Client’s Web Services/API Calls
Once the above request reaches Webassessor, the application prepares an authentication URL and executes an HTTP redirect to the client’s OAuth 2.0 server for authentication. The client will authorize Webassessor to access its web services or make API calls through the Authorization URI, which will accept the following parameters:
PARAMETER | SUPPLIED BY | DESCRIPTION |
scope | client | The scope of the access request (member permissions needed, data to be used to create user info for automatic creation / prepopulation of user profile) |
redirect_uri | Webassessor | The Webassessor call back URI |
state | Webassessor | Concatenated string “PROVIDER_NAME>-<BRAND>” |
response_type | client | The value is always “code” (indicating a request for an authorization code as defined in OAuth 2.0 specification) |
client_id | Webassessor | The registered client id of the application / API key |
Webassessor will access the URI in this manner:
AUTHORIZATION_URI?scope=SCOPE&redirect_uri=REDIRECT_URI&state=STATE&response_type=code&client_id=CLIENT_ID_OR_API_KEY
Step 4: Webassessor Call Back URL Parameters
After the URI is authenticated against the client’s OAuth 2.0 server, the Webassessor callback URL (REDIRECT_URI) is called back with the following parameters:
PARAMETER | SUPPLIED BY | DESCRIPTION |
state | Webassessor | This is the same ‘state’ parameter passed by the application in AUTHORIZATION_URI (see Step 3) |
code | client | Authorization code generated by client OAuth 2.0 server |
REDIRECT_URI?code=CODE&state=STATE
Step 5: OAuth 2.0 Server Parameters
Once the control reaches the Webassessor callback URL, the “code” received from the client is sent to OAuth 2.0 server (Token Exchange URI) together with the parameters below:
PARAMETER | SUPPLIED BY | DESCRIPTION |
code | client | The authorization code retrieved from previous step |
client_id | client | The registered client id of the application / API key |
client_secret | client | Issued to the application during registration |
response_uri | Webassessor |
|
grant_type | client | The value is always “authorization_code” (indicating request for access token as defined in OAuth 2.0 specification) |
Submission is via HTTP “POST” method as these parameters must not be transmitted through the request URI.
POST /TOKEN_EXCHANGE_URI HTTP/1.1Host: CLIENT_SERVERContent-Type: application/x-www-form-urlencoded
code=CODE&client_id=CLIENT_ID&client_secret=CLIENT_SECRET&redirect_uri=REDIRECT_URI&grant_type=authorization_code
In exchange, client authorization server must respond with an “access_token” written in JSON format. For example:
{
“access_token”:”ACCESS_TOKEN”,
“expires_in”:3600
}
Step 6: Retrieving the User Profile
Webassessor may now use the token to call (RESTful web service call) the Web Service provided by the client to retrieve the User Profile. Webassessor will be customized to call the client’s Web Service.
PARAMETER | SUPPLIED BY | DESCRIPTION |
ACCESS_TOKEN_PARAMETER | client | Access token retrieved from OAuth 2.0 server |
*Note that ACCESS_TOKEN_PARAMETER itself may vary per client.
Once the client Web Service receives the token sent by Webassessor, Web Service may opt to do the following:
Send the User Profile object back to Webassessor.
Call the Kryterion demographic Web Services to create the User (with all required attributes) in Webassessor. After the User creation is complete, the User profile object (with minimum information like “email” to help identify a User in Webassessor) is sent back by the client Web Service to Webassessor.
User Profile After Retrieval
Once SSO is authenticated and received from Clients, user profile data will be searched to match an existing User profile in Webassessor. Once the match is found (matching “email” in Webassessor), the User will be automatically logged into Webassessor and redirected to the home page where he/she will have options like registering for or launching an exam.
User Profile Attributes
At a minimum, Webassessor expects the following attributes to match and identify a User profile:
ATTRIBUTE NAME | DESCRIPTION | MANDATORY |
Webassessor Login OR Webassessor database User ID | When APIs are used to create a new user in Webassessor, both the login and the database ID are sent in the response. Clients can use either one for SSO, as agreed by both parties. | Yes |
Please Note: Identifying a user with a unique email address that also acts as a link between the two systems, is not ideal because email addresses may change. A User ID is a more secure and lasting way to identify a user.
Access to certain features is restricted based on role type in an effort to reduce item exposure and promote process integrity. Please see the member role description page for information on permissions.