Purpose: Orion provides an out-of-the-box method for single sign-on (SSO) from Orion Connect into a customer's or partner's own custom application. The solution adds an "App" to the Orion Connect App dock that launches an SSO into the partner platform. This guide provides instructions for using this solution.
Simple Use Case: An advisory firm has its own proprietary proposal and digital onboarding platform, which it wants users to be able to launch from Orion Connect so that they need only a single login.
Scope and Outputs: This solution hands an Orion session token to a URL on the partner site and lets the partner site identify the Orion user; the partner platform still performs its own access check and account linking (see Process Steps). It does not use SAML or another federation protocol (see Process Tips). The end result is an App in the Orion Connect App dock that launches the partner platform without a second login.
Process Overview:
- Construct an SSO URL that will receive the Orion token.
- Provide Orion with a name for the App, an App icon, and the SSO URL.
- Orion launches the App and passes the token to the partner platform, which uses it to identify the user.
Process Steps:
This solution passes the Orion Connect token to a URL within the customer's or partner's site, allowing the site to identify the user, validate the user's access rights, and then log the user into the site.
- Create a web page (the SSO URL) that performs the SSO process, accepting the Orion API token from the query string or from the POST body. This page must be served over HTTPS. A token in the query string is written to web-server logs and can leak through the Referer header, so prefer the POST body where possible and never log the token.
- On receipt of the token, call Orion's GET v1/Authorization/User endpoint, passing the token in the Authorization header (see below).
- The response from this endpoint provides user details such as the Orion user ID, the username, the user's first and last name, and the database the user belongs to.
- This call therefore validates that the token is active (if it is not, Orion returns 401 Unauthorized) and establishes who the user is; your platform can then decide whether that user should have access and link the unique Orion user ID to the corresponding user in your platform. Treat the token as untrusted input until Orion has answered.
- On a first visit, prompt the user for their username and password for your platform, log them in, and store the mapping from the Orion user ID to that account.
- On subsequent visits, if the checks succeed and the Orion user ID is already mapped to a valid user in your platform, authenticate that user without prompting for a username and password.
GET v1/Authorization/User?forMobileApp=false
[Header]
Authorization: Session
Returns:
{
  "entity": "sample string 1",
  "entityId": 1,
  "userName": "sample string 2",
  "loginUserId": "sample string 3",
  "databaseCount": 4,
  "userId": 5,
  "userDetailId": 6,
  "alClientId": 7,
  "alClientName": "sample string 8",
  "userGuid": "bef21604-88d1-4d4a-ac8a-423006f03ef8",
  "firstName": "sample string 10",
  "lastName": "sample string 11",
  "email": "sample string 12"
}
* userDetailId is unique per user/firm.
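The SSO landing page described in the steps above, as an added example (not Orion's code and not part of the original guide). It takes the token from the request, validates it by calling GET v1/Authorization/User, rejects a 401, applies an entitlement check, and then either auto-logs-in a mapped user or asks for local credentials so the mapping can be created. The API base URL, the parameter name `token`, the `Session <token>` header value format, and the rule that licenses access by `alClientId` are all assumptions; the offline stand-in for Orion is constructed here so the flow can be run without network access.

```python
"""Handler for the SSO URL described above: receive the Orion token, hand it
back to Orion for validation, then map the Orion user to a local account."""
import email.message
import io
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed base URL; use the API host Orion gives you for your environment.
ORION_API_BASE = "https://api.orionadvisor.com/api"
USER_ENDPOINT = f"{ORION_API_BASE}/v1/Authorization/User?forMobileApp=false"


class TokenRejected(Exception):
    """Orion answered 401: the token is expired, revoked, or not an Orion token."""


def fetch_orion_user(token: str, urlopen=urllib.request.urlopen) -> dict:
    """Validate the untrusted token by asking Orion who it belongs to.

    The guide shows the header as 'Authorization: Session'; the value format
    'Session <token>' is an assumption. urlopen is injectable for offline tests.
    """
    req = urllib.request.Request(
        USER_ENDPOINT,
        headers={"Authorization": f"Session {token}", "Accept": "application/json"},
    )
    try:
        with urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise TokenRejected("Orion rejected the token") from err
        raise  # any other status is an outage, not a verdict on the user


@dataclass(frozen=True)
class SsoDecision:
    action: str            # "login", "link" (prompt for local credentials) or "deny"
    orion_user_id: int
    local_user: Optional[str] = None
    reason: str = ""


def decide_sso(orion_user: dict,
               lookup_local_user: Callable[[int], Optional[str]],
               allowed_firm_ids: set) -> SsoDecision:
    """Apply the guide's checks to Orion's answer: entitlement, then mapping.

    allowed_firm_ids holds alClientId values licensed for this platform (an
    assumed entitlement rule; substitute whatever your contract defines).
    lookup_local_user maps an Orion userId to a local username, or None.
    """
    orion_user_id = int(orion_user["userId"])
    if int(orion_user.get("alClientId", -1)) not in allowed_firm_ids:
        return SsoDecision("deny", orion_user_id, reason="firm not licensed")
    local = lookup_local_user(orion_user_id)
    if local is None:
        # First visit: authenticate locally, then persist userId -> local account.
        return SsoDecision("link", orion_user_id, reason="no mapping yet")
    return SsoDecision("login", orion_user_id, local_user=local)


def extract_token(query: dict, body: dict) -> Optional[str]:
    """Take the token from the POST body first, then the query string.

    The parameter name 'token' is an assumption. A query-string token lands in
    web-server logs and can leak via Referer, so prefer the body when offered.
    """
    token = body.get("token") or query.get("token")
    if not isinstance(token, str) or not token.strip() or len(token) > 4096:
        return None
    return token.strip()


def handle_sso_request(query: dict, body: dict,
                       lookup_local_user: Callable[[int], Optional[str]],
                       allowed_firm_ids: set,
                       urlopen=urllib.request.urlopen) -> SsoDecision:
    """One hit on the SSO URL: nothing in the request is trusted except as a
    key to look the user up at Orion."""
    token = extract_token(query, body)
    if token is None:
        return SsoDecision("deny", 0, reason="missing token")
    try:
        orion_user = fetch_orion_user(token, urlopen)
    except TokenRejected:
        return SsoDecision("deny", 0, reason="token rejected by Orion")
    return decide_sso(orion_user, lookup_local_user, allowed_firm_ids)


# Constructed stand-in for Orion (values from the sample response above).
SAMPLE_USER = {"userId": 5, "userDetailId": 6, "alClientId": 7,
               "userName": "sample string 2", "firstName": "sample string 10",
               "lastName": "sample string 11", "email": "sample string 12"}


def fake_orion_urlopen(req, timeout=10):
    """Only 'good-token' is valid; anything else gets the 401 the guide describes."""
    if req.get_header("Authorization") == "Session good-token":
        return io.BytesIO(json.dumps(SAMPLE_USER).encode("utf-8"))
    raise urllib.error.HTTPError(req.full_url, 401, "Unauthorized",
                                 email.message.Message(), io.BytesIO(b""))


if __name__ == "__main__":
    known = {5: "jdoe"}  # constructed mapping table: Orion userId -> local user
    print(handle_sso_request({"token": "good-token"}, {}, known.get, {7},
                             urlopen=fake_orion_urlopen))
```

The only thing that proves the token is genuine is Orion's 200 response; the handler never parses or trusts the token's contents, and the decision to grant access is made from `userId` and `alClientId` in Orion's reply, not from anything the browser sent. In production, replace `fake_orion_urlopen` with the default `urllib.request.urlopen` (or your HTTP client) and back `lookup_local_user` with your user store.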
- Provide Orion with the SSO URL that will process the token as described above.
- Provide Orion with an App name and logo to use for the App creation. The logo should be 96 x 96 pixels and should look professional with rounded corners against a white or black background. Logos containing words are discouraged because they are difficult to read at App size.
- Orion will create a new privilege for the App (so it can be enabled or disabled by user role), create the App, and publish the App logo to production. Allow 2-4 weeks for this update; it can take up to 6 weeks.
Process Tips or Controls:
- Although this solution does not require development work that Orion must fit into a development timeline, it does require configuration and a push of the App icon to a production server. As such, it may take 2-4 weeks to deliver the App with the next software release.
- Orion can provide a custom SSO App using another method such as SAML, but that would require custom development, which would need to be prioritized against Orion's roadmap and could take several weeks to several months to deliver. The method above is the faster way to deliver an SSO from Orion Connect.