Requesting a Security Token

For SBM systems that are configured to use Single Sign-On (SSO), you must provide a security token in the HTTP header with the JSON call. Upon successful authentication, the TokenService call returns a valid SSO SAML token that you can pass in subsequent JSON API calls, SOAP-based calls via the SBM Application Engine Web Services API, or other SBM interfaces that require a valid SAML token.

To request a security token:

  1. Invoke the TokenService POST call using the following URL (with your SSO server's host name):

    http://SSOHostName:8085/idp/services/rest/TokenService/
  2. Pass the following header information:

    • Content-Type: application/json;charset=UTF-8
    • Accept: application/json
  3. Include authentication credentials in the payload:

    {"credentials": { "username" : "bill", "password":"mypassword"}}

For example:

Content-Type: application/json;charset=UTF-8
Accept: application/json
Content-Length: 56
Source message

POST /idp/services/rest/TokenService/ HTTP/1.1
HOST: SSOHostName:8085
content-type: application/json;charset=UTF-8
accept: application/json
content-length: 56
 
 {"credentials": { "username" : "bill", "password":"mypassword"}}

Alternatively, if your administrator has selected Protect SSO web services with Windows Authentication in SBM Configurator, you can use a REST-based URI that accepts NTLM credentials for SSO token requests. This means you can make a GET call from your custom application to http://AEhostname/idp/services/rest/iwa and receive an SSO token without having to provide a password.

If authentication succeeds, a response message is returned:

{
"status": "OK"
"lifetime": {
"created": "2019-04-17T10:32:11.224Z",
"expires": "2019-04-17T18:32:11.224Z"
}
"token": {
"tokenType": "SSO"
"encoding": "base64"
"value": "PHNhbWw6QXNzZXJ0...pBc3NlcnRpb24+"
"tokenProperties": {
"ticketType": "TGT",
"nativeTokenType": "saml:SAML",
"nativeTokenVersion": "1.1",
"tokenId": "urn:uuid:6DE440D4ADF151C6CF1555522331340",
"issuer": "https://localhost/idp/services/Trust",
"subjectName": "bill",
"subjectNamespace": "00000",
"issueInstant": "2019-04-17T10:32:11.224Z",
"notBefore": "2019-04-17T10:32:11.224Z",
"notOnOrAfter": "2019-04-17T18:32:11.224Z",
"identiyStoreType": "AE",
"identityStoreURI": "http://SSOHostName/gsoap/gsoap_ssl.dll?sbminternalservices72"
}
}
}

The token information is in the base64-encoded value string. You now have a valid security token that you can pass with ALFSSOAuthNToken in the HTTP header in subsequent JSON API calls or as part of the WS-trust envelope for SOAP-based calls made via the SBM Application Engine Web Services API.

The following example shows how to pass the token in ALFSSOAuthNToken with the GetVersion call:

GET /jsonapi/GetVersion HTTP/1.1
HOST: SSOHostName
alfssoauthntoken: PHNhbWw6QX...<base64 encoded string>...dGlvbj4=
cookie: authrequired=

An alternative option is to use the _GetSSOToken() function that exists on custom forms. This function attempts to retrieve your current SSO token, or ping a new one (synchronously) if needed. It is defined in custom forms' shared aeplugin script, and used elsewhere throughout such as in the relational grid widget or REST service wrappers.

Refer to the headers example below to see a generic jQuery post() call to the JSON API with _GetSSOToken():

jQuerySBM.ajax({
		async: true,
		url: dburl,
		headers: { alfssoauthntoken: _GetSSOToken() },
		dataType: "json",
		data: data,
		type: "POST",
		contentType: "application/json; charset=utf-8",
		...

Related Topics