Secure Tokens
This page describes how request tokens are signed and validated as part of Single Sign-On (SSO).
Overview
LearningBuilder secures the SSO data exchange with a SHA-256 token: the member's Unique Id and a timestamp are hashed together with a shared secret key, so the receiving side can confirm that the request came from a party holding that secret and was generated recently. This is a shared-secret (symmetric) scheme, not a public-key signature.
This process requires that a secret key has been shared between LearningBuilder and the third-party system in advance. The key must be stored in LearningBuilder's TokenSecretKey AppConfig setting and should be different for the live and test environments, so that a test-environment secret can never mint a valid live token.
Generating a token
The identity provider will provide three pieces of data during the SSO process: a unique identifier, a time stamp, and a token.
| Field | Description |
| --- | --- |
| Unique Id | The Unique Id of the member for whom information is being exchanged. Typically this is a license or credential number. Max 200 characters. A LearningBuilder member account can have more than one Unique Id if the member holds multiple Roles or Credentials; any of the Unique Ids associated with the member may be used here. |
| Timestamp | The Unix epoch timestamp, in GMT, at the time the token is created. LearningBuilder uses it to verify that the token was generated recently, so it must be GMT rather than local time. To confirm that your code is producing a correct timestamp: 29 Nov 2007 15:20 Eastern (13:20 Arizona), which is 20:20 GMT, is 1196367600. |
| Token | The SHA-256 hash of the string formed by concatenating UniqueId + Timestamp + SharedSecretKey, i.e. HASH("SHA256", UniqueId + Timestamp + SharedSecretKey). The 32-byte digest is written out as 64 hexadecimal characters. |
Validating a token
LearningBuilder validates the token by using its own copy of the shared secret key to compute the same hash over the Unique Id and Timestamp it received:
HASH("SHA256", UniqueId + Timestamp + SharedSecretKey)
If the computed value matches the Token that was sent, and Timestamp is within a pre-negotiated period of the current time, a user session is created for the Member that matches the Unique Id. A token whose hash matches but whose timestamp is outside that window is rejected, which limits how long a captured token can be replayed.
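The complete exchange in Python, as an added example that is not LearningBuilder's own code: the identity-provider side builds the three fields, and the relying-party side recomputes the hash, compares it in constant time, and enforces the freshness window. The page does not specify the byte encoding of the concatenated string, the case of the hex digest, the length of the "pre-negotiated period", or any function names, so UTF-8, lowercase hex, a 300-second window, and the names below are assumptions to confirm against the real implementation. It also reproduces the 1196367600 timestamp check from the table above.

```python
"""Generate and validate LearningBuilder-style SSO tokens (added example, not vendor code)."""
import hashlib
import hmac
import time
from calendar import timegm
from typing import Optional

MAX_UNIQUE_ID_LENGTH = 200          # from the field table above
DEFAULT_MAX_AGE_SECONDS = 300       # assumed stand-in for the "pre-negotiated period"


def epoch_seconds(year: int, month: int, day: int,
                  hour: int = 0, minute: int = 0, second: int = 0) -> int:
    """Unix epoch timestamp for a moment given in GMT/UTC (not local time)."""
    return timegm((year, month, day, hour, minute, second))


def generate_token(unique_id: str, timestamp: int, shared_secret: str) -> str:
    """SHA-256 of UniqueId + Timestamp + SharedSecretKey, rendered as 64 hex characters.

    Assumptions (not stated on the page): no delimiter between fields,
    UTF-8 encoding, lowercase hexadecimal output.
    """
    if len(unique_id) > MAX_UNIQUE_ID_LENGTH:
        raise ValueError("Unique Id exceeds the 200-character maximum")
    message = f"{unique_id}{int(timestamp)}{shared_secret}".encode("utf-8")
    return hashlib.sha256(message).hexdigest()


def build_sso_request(unique_id: str, shared_secret: str,
                      now: Optional[int] = None) -> dict:
    """Identity-provider side: the three values sent during SSO."""
    timestamp = int(time.time()) if now is None else int(now)
    return {
        "UniqueId": unique_id,
        "Timestamp": str(timestamp),
        "Token": generate_token(unique_id, timestamp, shared_secret),
    }


def validate_token(unique_id: str, timestamp, token: str, shared_secret: str,
                   now: Optional[int] = None,
                   max_age_seconds: int = DEFAULT_MAX_AGE_SECONDS) -> bool:
    """Relying-party side: recompute the hash, compare in constant time, check freshness.

    Returns False (never raises) on malformed input so a caller can treat any
    failure uniformly as "no session".
    """
    if len(unique_id) > MAX_UNIQUE_ID_LENGTH:
        return False
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False                      # a non-numeric timestamp can never be fresh
    expected = generate_token(unique_id, ts, shared_secret)
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of a guessed token were correct. Hex case is
    # normalised because the page does not fix it.
    received = token.strip().lower().encode("utf-8")
    if not hmac.compare_digest(expected.encode("ascii"), received):
        return False
    current = int(time.time()) if now is None else int(now)
    # Reject stale tokens and tokens dated in the future beyond the allowed skew.
    return abs(current - ts) <= max_age_seconds


if __name__ == "__main__":
    # Constructed demo values; the secret is not a real TokenSecretKey.
    secret = "example-test-environment-secret"
    request = build_sso_request("LIC-12345", secret, now=epoch_seconds(2007, 11, 29, 20, 20))
    print(request)
    print("valid:", validate_token(request["UniqueId"], request["Timestamp"],
                                   request["Token"], secret,
                                   now=int(request["Timestamp"]) + 60))
```

Two points in the validator matter in practice. The comparison uses `hmac.compare_digest` rather than `==`, so the time taken to reject a bad token does not depend on how much of it was correct. And the freshness check is applied after the hash check, with an absolute window, so a token generated by a client whose clock runs slightly ahead is still accepted while one replayed an hour later is not. Anyone holding TokenSecretKey can mint a valid token for any Unique Id, so the secret should be high-entropy, kept out of source control, and rotated if it is ever exposed.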
Data Flow
The data flow for authenticating with a shared-secret token (diagram not reproduced on this page).