Development Guides

Authentication Third Party Website

Software vendors and advisory firms often have their own website and would like to access Orion reporting or functionality directly from it.

One example is a Client Portal that you are developing or already run. You want the end investor to log into your portal, then seamlessly authenticate into the Orion API as that client to pull reports or perform actions on behalf of the client.

This requires you to have and store 2 things:
1.) Orion Service Level Credentials – These credentials can be created by Orion Tech Support, and they are specific to an Advisory Firm, so each Advisory Firm will need its own set of service credentials. The only thing these credentials can do is “Impersonate” a user; they cannot be used to do anything else against the API.

2.) Orion Household ID – This is the unique integer ID Orion uses to identify households. The API uses this value to return an API token that impersonates the specified Household.

Once you have those 2 values, that is all that is required. The next step is to code the impersonation.

How to Impersonate a Household

1.) First, authenticate as you normally would, using the Service Level Credentials and Basic Authentication. Pass the Service UserId:Password in the Basic Authorization Header to the token endpoint.

Code:

[GET]
 
/Security/Token
 
[HEADER]
 
Authorization: Basic {uid:pwd} – base64 encoded
 
[RESPONSE]
 
Auth_token - note: this auth token created using service credentials can only be used to Impersonate

2.) Second, use the token returned by the Service Credentials to Impersonate. This requires passing the string “Impersonate” in the authorization header (instead of “Basic”), and adding 2 Custom Headers, “Entity” and “EntityId”.

Code:

[GET]
 
/Security/Token
 
[HEADERS]
 
Authorization: Impersonate {service_token}
Entity: 5
EntityId: {HouseholdId}

[RESPONSE]
 
Auth_token

The impersonated token can now be used in all API calls. You will be logged in as the specified Household, so all data returned is limited to what this household is allowed to see. The “Entity: 5” tells the API you are impersonating a Household, so that value is constant and will not change.
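
The two steps above as a server-side sketch, added here as an illustration and not taken from Orion's own code. It looks up the Household ID from the portal's stored record for the logged-in user and accepts only a positive integer for the EntityId header. Assumptions: `send` is a hypothetical transport that performs the request and returns the token string from the response; `fake_send`, the user names and the token values are constructed so the example runs offline.

```python
import base64

TOKEN_PATH = "/Security/Token"   # endpoint from the guide
ENTITY_HOUSEHOLD = "5"           # constant from the guide: 5 = Household


def service_token_request(user_id, password):
    """Step 1: Basic authentication with the firm's service-level credentials."""
    raw = f"{user_id}:{password}".encode("utf-8")
    auth = "Basic " + base64.b64encode(raw).decode("ascii")
    return {"method": "GET", "path": TOKEN_PATH, "headers": {"Authorization": auth}}


def impersonate_request(service_token, household_id):
    """Step 2: exchange the service token for a household-scoped token."""
    # Only a positive integer may reach the EntityId header; this also keeps
    # CR/LF and other header-injection characters out of the request.
    if isinstance(household_id, bool) or not isinstance(household_id, int) or household_id <= 0:
        raise ValueError("household_id must be a positive integer")
    if not service_token or "\r" in service_token or "\n" in service_token:
        raise ValueError("service token is empty or contains a line break")
    return {"method": "GET", "path": TOKEN_PATH,
            "headers": {"Authorization": "Impersonate " + service_token,
                        "Entity": ENTITY_HOUSEHOLD,
                        "EntityId": str(household_id)}}


def household_token(send, service_creds, portal_user, household_by_user):
    """Run both steps for a portal user who has already logged in."""
    # The Household ID comes from the portal's stored record for this user,
    # never from a value the browser supplies.
    household_id = household_by_user[portal_user]
    service_token = send(service_token_request(*service_creds))
    return send(impersonate_request(service_token, household_id))


def fake_send(request):
    """Constructed stand-in for the API (assumption: returns the token string)."""
    scheme = request["headers"]["Authorization"].split(" ", 1)[0]
    if scheme == "Basic":
        return "svc-token-constructed"
    return "hh-token-for-" + request["headers"]["EntityId"]


if __name__ == "__main__":
    users = {"alice": 1234}  # constructed portal-user -> Household ID mapping
    print(household_token(fake_send, ("svc-user", "svc-pass"), "alice", users))
```
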