Single Sign-On returns the customer to the URL specified in the Vendor Token using HTTP GET or HTTP POST. SSO uses the same method the vendor used to send the Vendor Token. The Customer Token is available in the query string (HTTP GET) or in the form post (HTTP POST) of the incoming request from the customer.
The Customer Token has the following format:
{timestamp:customer_token}K_VendorPassword
where:
· Timestamp is in YYYYMMDDHHMMSSsss format (date and time to the second, followed by three millisecond digits).
· Customer_token is the one-time-use Customer Token that identifies the customer to SSO.
· K_VendorPassword is the vendor’s password to SSO. The vendor password is also the key used to encrypt and decrypt the Vendor Token.
When sent to the vendor using HTTP GET, a Customer Token looks like this:
https://localhost/vendora/secured.aspx?ct=b56ee9aeb64804ad383aa9ddc5decf488fa18f72628596d17ecf61c4dfc62c4a44a786e4044d01f9a82abe6a1674a320f26159952759fe5d561bddfaf845bb1f
Decrypt the Customer Token using your vendor password and initialization block.
After decryption, verify the decrypted Customer Token against the SSO web services to ensure that the Customer Token is valid and that the customer is still logged in. To verify the Customer Token, call the CustomerTokenIsValid web service.
For security, the Customer Token is single-use: the Customer Token for a customer changes each time it is used. The next valid Customer Token for the customer is returned in the NewCustomerToken property of the web service result.
Vendors should check the Customer Token at least once when it is received from SSO via HTTP GET or POST. After that, check it periodically to confirm that the customer is still logged on, because the customer may log off SSO on a different website. Vendors may want to perform this check on the execution of every secured page.
Vendors should save the current Customer Token for a customer so that it is available for the next call to the CustomerTokenIsValid web service. Depending on your platform, the Customer Token can be saved in a number of places, such as your database, a session, or a cookie.
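As an added example that is not part of this SSO documentation, the following Python parses the decrypted Customer Token layout described above and models the one-time-use rotation through CustomerTokenIsValid. The `FakeSso` stand-in, the `VendorSession` store, and the assumption that the trailing segment of the plaintext is the raw vendor password are constructed for illustration; the cipher and initialization block are left out because the page does not specify them.

```python
import hmac
import re
from dataclasses import dataclass
from datetime import datetime

# Assumption: the decrypted layout documented on the page. The cipher and
# initialization block are not specified there, so decryption is out of scope.
TOKEN_RE = re.compile(r"^\{(\d{17}):([^}]+)\}(.+)$", re.DOTALL)


@dataclass(frozen=True)
class CustomerToken:
    timestamp: datetime
    token: str


def parse_customer_token(plaintext: str, vendor_password: str) -> CustomerToken:
    """Parse '{timestamp:customer_token}K_VendorPassword' and verify the trailing password."""
    match = TOKEN_RE.match(plaintext)
    if not match:
        raise ValueError("customer token does not match the documented layout")
    stamp, token, trailer = match.groups()
    # Constant-time comparison: a wrong password must not leak timing information.
    if not hmac.compare_digest(trailer.encode(), vendor_password.encode()):
        raise ValueError("vendor password in customer token does not match")
    # YYYYMMDDHHMMSSsss: 14 digits of date/time followed by 3 digits of milliseconds.
    when = datetime.strptime(stamp[:14], "%Y%m%d%H%M%S")
    return CustomerToken(when.replace(microsecond=int(stamp[14:]) * 1000), token)


class FakeSso:
    """Constructed stand-in for the CustomerTokenIsValid web service."""
    def __init__(self, current_token: str):
        self._current, self._issued, self.logged_on = current_token, 0, True

    def customer_token_is_valid(self, token: str):
        # One-time use: a token validates once, then NewCustomerToken replaces it.
        if not self.logged_on or not hmac.compare_digest(token.encode(), self._current.encode()):
            return False, None
        self._issued += 1
        self._current = f"tok-{self._issued}"
        return True, self._current


class VendorSession:
    """Vendor-side store that keeps the latest Customer Token for the next check."""
    def __init__(self, sso: FakeSso, token: str):
        self._sso, self.token = sso, token

    def check(self) -> bool:
        ok, new_token = self._sso.customer_token_is_valid(self.token)
        if ok:
            self.token = new_token  # save NewCustomerToken for the next secured page
        return ok
```

A replayed token is rejected by the stand-in once it has been used, which is the property the vendor-side store relies on when it checks every secured page.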