SSO Glossary

The following are some terms specific to SSO:

Term

Definition

Advanced Encryption Standard (AES)

A Federal Information Processing Standard (FIPS), specifically, FIPS Publication 197, that specifies a cryptographic algorithm for use by U.S. Government organizations to protect sensitive, unclassified information. NIST anticipates that the AES will be widely used on a voluntary basis by organizations, institutions, and individuals outside of the U.S. Government, and outside of the United States in some cases.


SSO uses a 256-bit key and a 16-byte initialization block. Passwords and blocks are typically stored as string representations of bytes in hexadecimal form, for example: A39321266122A223EB1B3A23669721B2. These are usually converted back to byte arrays in most development platforms and then fed into the encryption APIs.

Customer

Website users.

Customer ID

The Personify Customer Number. The unique identifier for all customers in the Personify database. Use the TIMSSCustomerIdentifierGet web service to pass the Customer Token and return the Personify Customer Number.

Customer Token

A timestamp plus a single-use unique identifier that is specific both to a customer and to the vendor requesting authentication information. The unique identifier can be verified against SSO using the CustomerTokenIsValid web service. It is single use: each successful check results in a new unique identifier being created. A positive response indicates that the customer is logged in to SSO. The vendor can then use the unique identifier to obtain further information about the customer through other web services such as VendorCustomerIdentifierGet and TIMSSCustomerIdentifierGet.


The Customer Token has the following format (in the Kerberos-style notation used here, {...}K denotes content encrypted under the key K):

{timestamp:customer_token}K_VendorPassword

where:

· Timestamp is in YYYYMMDDHHMMSSsss format.

· Customer_token is the one-time use Customer Token that identifies the customer to SSO.

· K_VendorPassword is the vendor’s password to SSO. The vendor password is the key for encrypting and decrypting the Vendor Token.

Encrypted Customer Token

The Customer Token encrypted with the requesting vendor’s password. The method of encrypting with a shared password is similar to the Kerberos network authentication protocol.

Encrypted Vendor Token

The Vendor Token encrypted with the requesting vendor’s password. The method of encrypting with a shared password is similar to the Kerberos network authentication protocol.

HTTP POST/HTTP GET

HTTP GET is the HTTP method in which parameters are sent in the query string; HTTP POST sends them in the body of a form submission. HTTP GET tends to be slightly simpler and works well with bookmarks, but the query string has a length limit on the amount of data that can be reliably transported.

Initialization Block

See “Vendor Block.”

Return URL

Included as part of the Vendor Token, this is the URL to which SSO sends a customer after successful authentication.

Rijndael Encryption Algorithm

The encryption algorithm selected by NIST for use in AES.

SSO Database

A centralized database that maintains data for all web users and participating vendors. This database is accessed only by the web service. The data in this database includes web users of all sites.

Timestamp

Used in both the Vendor Token and the Customer Token to ensure that the content to be encrypted is unique. This is designed to allow the addition of replay caches in the future to provide even greater levels of security.


The timestamp has YYYYMMDDHHMMSSsss format.

Personify Customer

A customer stored in the Personify database.

Universal Login Screen

Allows a customer to log in to any web application using Personify Single Sign-On. It includes options to log in, register, and reset a password.

Valid Customer Token

A Customer Token that has been successfully decrypted using the Vendor Password and Vendor Block and verified with SSO using the CustomerTokenIsValid web service.

Valid Vendor Token

A Valid Vendor Token is a Vendor Token that can be successfully decrypted and matches a valid vendor in SSO.

Vendor

Refers to all website owners who provide web services to associations and enroll in Personify SSO.

Vendor Block

Issued to the vendor upon joining SSO. It is used in the encryption and decryption process. It is sometimes referred to as an initialization vector, a standard input when using block ciphers such as the Rijndael encryption algorithm.

Vendor Identifier

Issued to the vendor upon joining SSO. It is a unique numeric identifier for each vendor. It is used when processing a Vendor Token and is used instead of the Vendor User Name to limit exposure of vendor credentials.

Vendor Password

Issued to the vendor upon joining SSO. It is a 16-byte array that is usually represented as a 32-character hexadecimal string. It is unique to the vendor and is known by SSO. It is the shared password used to encrypt vendor/SSO communications.
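As an added example (not Personify's code), the vendor-side check that the Valid Customer Token entry describes: decrypt the Encrypted Customer Token with the Vendor Password and Vendor Block, check the timestamp:customer_token layout, and apply the replay window that the Timestamp entry anticipates. Assumed, because the glossary does not state them: AES in CBC mode with PKCS#7 padding, a 256-bit key as the AES entry says (a 16-byte Vendor Password also works), constructed credentials, and the function and constant names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed vendor credentials: a 256-bit key (64 hex chars, as the AES entry states) and
// the 16-byte Vendor Block quoted in the glossary. aes.NewCipher accepts a 16-byte key too.
const VendorPasswordHex = "0F1E2D3C4B5A69788796A5B4C3D2E1F00F1E2D3C4B5A69788796A5B4C3D2E1F0"
const VendorBlockHex = "A39321266122A223EB1B3A23669721B2"
const stampLayout = "20060102150405.000" // YYYYMMDDHHMMSSsss, with a dot added before the millis

// DecryptCustomerToken decrypts the hex Encrypted Customer Token with AES-CBC (Vendor Password
// as key, Vendor Block as IV, PKCS#7 padding assumed), checks the timestamp:customer_token
// layout, rejects stamps outside [now-maxAge, now] and returns the one-time customer_token.
func DecryptCustomerToken(keyHex, ivHex, cipherHex string, now time.Time, maxAge time.Duration) (string, error) {
	key, err := hex.DecodeString(keyHex)
	iv, err2 := hex.DecodeString(ivHex)
	buf, err3 := hex.DecodeString(cipherHex)
	blk, err4 := aes.NewCipher(key)
	if err != nil || err2 != nil || err3 != nil || err4 != nil || len(iv) != aes.BlockSize || len(buf) == 0 || len(buf)%aes.BlockSize != 0 {
		return "", errors.New("bad vendor password, vendor block or ciphertext length")
	}
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(buf, buf)
	n := int(buf[len(buf)-1]) // PKCS#7: the last byte is the pad length and every pad byte equals it
	if n == 0 || n > aes.BlockSize || !bytes.Equal(buf[len(buf)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad padding: wrong vendor password or vendor block, or a corrupted token")
	}
	parts := strings.SplitN(string(buf[:len(buf)-n]), ":", 2)
	if len(parts) != 2 || len(parts[0]) != 17 {
		return "", errors.New("decrypted value is not timestamp:customer_token")
	}
	stamp, err := time.Parse(stampLayout, parts[0][:14]+"."+parts[0][14:])
	if err != nil || stamp.After(now) || now.Sub(stamp) > maxAge {
		return "", errors.New("timestamp malformed, in the future or older than the replay window")
	}
	return parts[1], nil
}

func main() {
	// A constructed one-byte token: the verification path fails closed before any SSO call.
	_, err := DecryptCustomerToken(VendorPasswordHex, VendorBlockHex, "00", time.Now(), 5*time.Minute)
	fmt.Println("malformed token rejected:", err)
}
```

The returned customer_token is the value to pass to CustomerTokenIsValid; a wrong key, a truncated token or a stale timestamp is rejected locally before that web service is called.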
