Single Sign-On

Token-based Single Sign-on for MSS

Token-based single sign-on enables a user who is already logged in to your solution to be passed to Attendance on Demand MSS without having to log in again. An encrypted token is retrieved using the Attendance on Demand Access Account associated with a local user account on your system. Once the token is retrieved, it can be used on subsequent visits even if the password changes on the Attendance on Demand account. The user tokens only need to be created once and should be created when the user logs in for the first time. The user token represents a pre-authenticated user.

In a single sign-on environment, local accounts must be associated with Attendance on Demand access accounts in order to obtain a token for each user. At the time of this first association, the Attendance on Demand access account name and password must be known. An access account with permissions to all users can be used to change the passwords of other access accounts for this association step. Once the accounts are associated and the token obtained, the token is all that is needed to pass the user to Attendance on Demand without signing on to Attendance on Demand separately.

Below is a .NET example of retrieving a user token via web services:

// Build the authentication package from the Attendance on Demand access account
// associated with the local user.
TAeAuthenticationPackage authPkg = new TAeAuthenticationPackage();
authPkg.DomainAccount = cmbAccount.SelectedValue.ToString();
authPkg.Password = txtPassword.Text;
authPkg.VendorToken = txtVendorToken.Text;
authPkg.PreAuthAction = Convert.ToInt32(txtPreAuthAction.Text);

// The returned SendBackPackage is the user token; store it with the local account.
authPkg = service.getUserAuthPackage(authPkg);
lblUserKey.Content = authPkg.SendBackPackage;

The next step is retrieving the URL for the user to view MSS. This is done at the moment the user clicks on the link or button that will display MSS within the host application.

TAeSessionAuthenticationPackage sessionAuthPkg = new TAeSessionAuthenticationPackage();
sessionAuthPkg.PreAuthPackage = lblUserKey.Content.ToString(); // User token stored locally
sessionAuthPkg.ExpireImmediately = true;
sessionAuthPkg.EnforcementMode = 0;
string url = service.getPreAuthUserLoginURL(sessionAuthPkg);
frmMSS.Attributes["src"] = url; // IFrame

MSS can be customized to hide the header completely. This is done by specifying the AE_HeadForm=16 parameter in the query string.

The following example would completely hide the MSS header:

string url = service.getPreAuthUserLoginURL(sessionAuthPkg);
frmMSS.Attributes["src"] = url + "&AE_HeadForm=16";

An admin level Access Account is required to perform the single sign-on functions.

When using IP restrictions be sure to maintain them both in Attendance on Demand and your system. Otherwise, a user can access portions of the integrated solution in one system but not the other.


Single Sign-On for ESS

Single sign-on for ESS uses a similar approach but without the use of a vendor token. For ESS SSO, the employee identifier is used in a call to the getEmpESSPreAuthLoginURL web services method in order to retrieve a URL string that can then be used to navigate the user to ESS.

The URL returned from the method is used to set the src property of an iFrame within your application. This way ESS is displayed within your application without requiring the user to enter their credentials. The HTML code for your iframe would be the following:

<iframe id="frmESS" runat="server" width="1200" height="850"> </iframe>

If you are using an ASP page, your code-behind would contain the following code:

CC1.TAeESSPreAuthPackage authPkg = new CC1.TAeESSPreAuthPackage();
authPkg.EmpID = myEmpID; // Employee identifier of the signed-in user
// A runat="server" iframe exposes src through its Attributes collection
frmESS.Attributes["src"] = service.getEmpESSPreAuthLoginURL(authPkg);

ESS can be customized to hide certain elements of the header or to hide the header completely. This can be performed via the query string or by setting properties within the TAeESSPreAuthPackage data structure.

Via the data structure:

CC1.TAeESSPreAuthPackage authPkg = new CC1.TAeESSPreAuthPackage();
authPkg.EmpID = txtEmpID.Text;
if (txtFilekey.Text != "")
    authPkg.Filekey = Convert.ToInt32(txtFilekey.Text);
authPkg.ExcludeClock = chkExcludeClock.IsChecked ?? false;
authPkg.ExcludeCommands = chkExcludeCommands.IsChecked ?? false;
authPkg.ExcludeEmpname = chkExcludeName.IsChecked ?? false;
authPkg.ExcludeImage = chkExcludeImage.IsChecked ?? false;
authPkg.HideWholeheader = chkHideHeader.IsChecked ?? false;
string url = service.getEmpESSPreAuthLoginURL(authPkg);
wb1.Navigate(url);

Via the query string:

AE_HeaderID=[flags]

1 = Skip Command Buttons
2 = Skip name Block
4 = Skip Product Image
8 = Skip Middle Image/Clock
16 = Hide Whole Header

The following example would completely hide the ESS header:

string url = service.getEmpESSPreAuthLoginURL(authPkg);
frmESS.Attributes["src"] = url + "&AE_HeaderID=16";
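The header examples above (AE_HeadForm=16 for MSS, the AE_HeaderID flags for ESS) append "&..." to the returned URL, which only works if that URL already has a query string. The helper below is an added example, not Attendance on Demand code: it composes the flag value from the list above, picks the right separator, and checks that the URL handed back by the web service is an absolute HTTPS URL on the host you expect before it is used as an iframe src. The expected host is an assumption about your tenant; the page does not state one.

```csharp
using System;
// Added example (not Attendance on Demand code): compose AE_HeaderID / AE_HeadForm
// onto the pre-auth URL and check the URL before it becomes an iframe src.
[Flags]
public enum EssHeaderFlags
{
    None             = 0,
    SkipCommands     = 1,   // Skip Command Buttons
    SkipNameBlock    = 2,   // Skip name Block
    SkipProductImage = 4,   // Skip Product Image
    SkipClock        = 8,   // Skip Middle Image/Clock
    HideWholeHeader  = 16   // Hide Whole Header
}
public static class SsoFrameUrl
{
    // Appends name=value using '?' or '&' as appropriate; a hard-coded '&' only
    // works when the returned URL already carries a query string.
    public static string AppendQuery(string url, string name, string value)
    {
        string separator = url.Contains("?") ? "&" : "?";
        return url + separator + Uri.EscapeDataString(name) + "=" + Uri.EscapeDataString(value);
    }

    // The URL returned by the web service must be absolute, HTTPS and on the expected
    // host (expectedHost is an assumption about your tenant) before it is framed.
    public static void Validate(string urlFromService, string expectedHost)
    {
        Uri uri;
        if (!Uri.TryCreate(urlFromService, UriKind.Absolute, out uri))
            throw new ArgumentException("Web service did not return an absolute URL.");
        if (uri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Refusing to frame a non-HTTPS URL.");
        if (!string.Equals(uri.Host, expectedHost, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Unexpected host: " + uri.Host);
    }

    // ESS: result of getEmpESSPreAuthLoginURL plus any combination of header flags.
    public static string ForEss(string essUrl, string expectedHost, EssHeaderFlags flags)
    {
        Validate(essUrl, expectedHost); // original string is kept so the token is not re-encoded
        return flags == EssHeaderFlags.None ? essUrl : AppendQuery(essUrl, "AE_HeaderID", ((int)flags).ToString());
    }

    // MSS: result of getPreAuthUserLoginURL with the whole header hidden (AE_HeadForm=16).
    public static string ForMssHeaderless(string mssUrl, string expectedHost)
    {
        Validate(mssUrl, expectedHost);
        return AppendQuery(mssUrl, "AE_HeadForm", "16");
    }
}
```

For example, `SsoFrameUrl.ForEss(url, "<your Attendance on Demand host>", EssHeaderFlags.SkipCommands | EssHeaderFlags.SkipClock)` appends `AE_HeaderID=9`, and the result is assigned to `frmESS.Attributes["src"]` exactly as in the examples above.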

Notes for including in an iFrame:

When including Attendance on Demand products within an iFrame, it is recommended that a meta tag be included in the parent frame to specify IE compatibility mode. If not, some elements of ESS or MSS may not render correctly. This only affects IE users. Below is the meta tag to include in the parent frame.

<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8"/>

Safari does not allow cross-domain cookies by default. The Single Sign-On for MSS requires cookies when performed from within an iFrame. To ensure proper operation of SSO in Safari, this setting must be modified to allow cross-domain cookies. If this change is not made, your users may see an “Unauthorized” message displayed in their browser window.
