Secure Tokens

This page describes the process for signing request tokens as part of Single Sign-On (SSO)

Overview

LearningBuilder digitally signs SSO tokens using SHA-256 to secure the data exchange during single sign-on.

This process requires that a secret key has been shared between LearningBuilder and the 3rd party system in advance.

This key must be stored in LearningBuilder’s TokenSecretKey AppConfig setting and should be different for live and test environments.

Generating a token

The identity provider will provide three pieces of data during the SSO process: a unique identifier, a time stamp, and a token.

Field 

Description 

Unique Id

The Unique Id of the member for whom information is being exchanged.  Typically this is a license or credential number. Max 200 characters.

It is possible for a LearningBuilder member account to have more than one Unique Id if they have multiple Roles or Credentials. This value can be any of the Unique Ids associated with the member.

Timestamp

 

The Unix Epoch GMT timestamp at the time the token is created (which can be used to verify that the token was generated recently). To confirm that your code is creating a proper timestamp, the GMT timestamp for 29Nov2007 15:20 Eastern/13:20 Arizona is 1196367600

See http://www.epochconverter.com/

Token

 

A 64-byte signature that results from concatenating Unique Id, Timestamp, and the pre-shared secret key:

HASH("SHA256", UniqueId + Timestamp + SharedSecretKey)

Validating a token

LearningBuilder validates that token using its own copy of the shared secret key to compute its own hash value using the same approach:

HASH("SHA256", UniqueId + Timestamp + SharedSecretKey)

If the tokens match, and Timestamp is within a pre-negotiated period of time, then a user session is generated for the Member that matches Unique Id.

Data Flow

The data flow for authenticating with a private key token.