Best Way to Authenticate and Login External User Via Webservice / Single Signon

Posted on 2011-05-10
Last Modified: 2012-05-11
Hi Experts,

I need to allow some users into my application from a partner application (and they will do the same). The partner will pass to my webservice a userid, organization id and a secret organization key which will have been predetermined and already set up on the partner side database. I need to get the passed user through my login authentication (which normally would require a password but will not in this case) and then provide a link back to my partner's side with a session id for the user to click and get into my application. I'm not sure of the best way to do this and have little experience in webservices. (I know I know!)  

I'm not sure if I should just rebuild my fairly complicated login process in the webservice cfc (the login process checks for expired or inactive userids, records an access attempt, assigns session variables and so on) or is there a way to just include the existing login.cfm inside the cfc and then pass back the resulting sessionid? And then how exactly do I code the session id into the link returned to my partner so that my user can get right in?

Both environments are https.

This is probably not written correctly but hopefully you get the gist.


Question by:logic_lover

    Expert Comment

    by:Brijesh Chauhan
    From the docs:

    you can handle the user name/password string in your Application.cfc or Application.cfm file as part of your own security mechanism. In this case, you use the cflogin tag to retrieve the user name/password information from the authorization header, decode the binary string, and extract the user name and password, as the following excerpt from an Application.cfc onRequestStart method shows:

        <cfset isAuthorized = false>
        <!--- The cflogin scope exists only while a cflogin tag is processing a request
              that carried an Authorization header. --->
        <cfif isDefined("cflogin")>
            <!--- Verify user name from cflogin.name and password from
                  cflogin.password using your authentication mechanism. --->
            <cfset isAuthorized = true>
        </cfif>
        <cfif not isAuthorized>
            <!--- If the user does not pass a user name/password, return a 401 error.
                  The browser then prompts the user for a user name/password. --->
            <cfheader statuscode="401">
            <cfheader name="WWW-Authenticate" value="Basic realm=""Test""">
        </cfif>


    Author Comment

    Well, I'm not using cflogin and I wonder how hard it would be to convert? This is something I should put on my list.

    I finally ended up figuring out a solution that I think is not very elegant and awkward, but it works. The other application makes a call to my webservice with user auth info; I find the user, create a uuid for them and write it to the user table. Then I pass that uuid back to the caller in a url that authenticates again with the uuid and, if the user is not inactivated etc., it just lets him/her into the application without the login. I don't like it much because the uuid will always be in the table until the caller application generates another one - it seems like I should expire it somehow. Can you see other holes in this?

    Author Comment

    I decided to delete the uuid from the table as soon as the user is validated.

    Accepted Solution

    It is not very difficult to use CFLOGIN / CFLOGOUT combination, you can read about it in the docs here

    Yes, you should have the UUID expire after a certain time; probably have a scheduled task check the time at which the UUIDs were created and then clean up the ones created a certain time back.

    I don't see anything else apart from this which should be an issue.
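    The handoff described in the author's comment and the expiry suggested in the accepted answer, written out as an added example (not code from the question, the answer, or any ColdFusion product). It is a language-neutral model in Python rather than CFML: the partner table, user table, org id, shared key, login URL and the 120-second lifetime are all constructed placeholders. The token is a UUID that is deleted on first use, rejected when it is older than its lifetime, and swept by a purge routine standing in for the scheduled task; the partner's org key is compared in constant time, and the redeeming user still has to pass the inactive-user check.

```python
import secrets
import time
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed sample data standing in for the partner table and the user table.
PARTNER_ORG_KEYS = {"org-42": "partner-secret-key-abc"}  # hypothetical org id / shared key
USERS = {
    "alice": {"org": "org-42", "active": True},
    "bob": {"org": "org-42", "active": False},  # inactivated user, must not get in
}

TOKEN_TTL_SECONDS = 120  # hypothetical lifetime; the answer only says "a certain time"


@dataclass
class HandoffToken:
    user_id: str
    created: float  # epoch seconds, so the purge task can compare ages


@dataclass
class SsoHandoff:
    """Partner calls issue_link() with (userid, orgid, org key) and gets a one-time
    URL; the user clicks it and the login page calls redeem() with the token."""
    tokens: Dict[str, HandoffToken] = field(default_factory=dict)
    clock: Callable[[], float] = time.time  # injectable so expiry can be tested
    base_url: str = "https://example.test/ssologin.cfm"  # placeholder URL

    def issue_link(self, user_id: str, org_id: str, org_key: str) -> Optional[str]:
        expected = PARTNER_ORG_KEYS.get(org_id)
        # Constant-time comparison: a wrong key cannot be guessed character by character.
        if expected is None or not secrets.compare_digest(expected, org_key):
            return None
        user = USERS.get(user_id)
        if user is None or user["org"] != org_id:
            return None  # unknown user, or a user this partner does not own
        token = str(uuid.uuid4())
        self.tokens[token] = HandoffToken(user_id, self.clock())
        return f"{self.base_url}?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id to log in, or None. The token is consumed on first use."""
        entry = self.tokens.pop(token, None)  # delete on use, as the asker decided
        if entry is None:
            return None  # never issued, already used, or already purged
        if self.clock() - entry.created > TOKEN_TTL_SECONDS:
            return None  # issued but not clicked in time
        user = USERS.get(entry.user_id)
        if user is None or not user["active"]:
            return None  # the normal login checks still apply to SSO users
        return entry.user_id

    def purge_expired(self) -> int:
        """The scheduled task from the answer: drop tokens that were never redeemed."""
        now = self.clock()
        stale = [t for t, e in self.tokens.items() if now - e.created > TOKEN_TTL_SECONDS]
        for t in stale:
            del self.tokens[t]
        return len(stale)


def token_from_link(link: str) -> str:
    """Pull the token back out of the URL the partner received."""
    return link.split("token=", 1)[1]
```

    Because the token is both single-use and time-limited, a link left in the partner's database or a browser history is worthless after the first click or after the lifetime passes, which closes the hole the asker worried about without depending on the partner ever generating a new one.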

    Author Comment

    Brijeshchauhan, thanks. I've been meaning to rewrite my whole user auth process anyway. This looks like the way to go.
