Cloud Identity Broker Service
Single Sign-On between two apps




This diagram shows how a user who previously had to maintain multiple sets of credentials can now log in with a single set of credentials using the miniOrange Single Sign-On service.


CONTENT

  1. Overview - miniOrange Identity Broker Service

  2. How to enable Single Sign-On between apps?

    1. Identify your primary identity source and configure it in miniOrange.

      1. SAML Integration

      2. OAuth Integration

      3. OpenID Connect Integration

      4. LDAP Integration

    2. Establish trust between miniOrange and your apps (and you are done!)

  3. What is Identity Brokering?

  4. What is an Identity Broker service?

  5. What are the advantages of using an Identity Broker service?

  6. Advantages of using the miniOrange Identity Broker service


Overview - miniOrange Identity Broker Service

With the miniOrange Identity Broker service you can delegate all of your single sign-on requirements, user management, two-factor authentication and even risk-based access at the click of a button, and focus on your business case. We can integrate with any type of app, even one that does not understand a standard protocol such as SAML, OpenID Connect or OAuth. The miniOrange Single Sign-On service establishes trust between two apps via a secure HTTPS endpoint and automated user mapping to achieve SSO.

How to enable single sign-on between apps?

We can enable single sign-on between any apps, whether or not they understand a standard protocol such as SAML, OAuth or OpenID Connect. Follow the steps below to achieve this:

Step-1: Identify your primary identity source and configure it in miniOrange.

1. SAML / ADFS Integration - if your identity source understands SAML, see the details below.
    For example: ADFS, Okta, Salesforce, SimpleSAMLphp, Shibboleth, Ping, Centrify, OpenAM, IBM Tivoli Identity Manager, RSA FIM (Federated Identity Manager), Oracle Identity Manager, miniOrange, etc.

SAML / ADFS Integration

Our SAML broker service acts as a Service Provider to any IdP of your choice, so you do not have to understand the SAML protocol at all. It works with ADFS, Okta, Salesforce, SimpleSAMLphp, Shibboleth, Ping, RSA, Centrify, OneLogin, miniOrange or any other SAML Identity Provider (IdP). The SAML service returns all the attributes provided by the IdP along with the username of the logged-in user; you can then use these attributes to log the user in to your application.

  • To configure and use the miniOrange SAML broker service, create a free business trial account.
  • Log in to the miniOrange admin dashboard.
  • Go to Identity Sources in the side menu.
  • Click the Configure Identity Source button in the top right corner of the screen.
  • Add your Identity Source by entering all the required fields and click the SAVE button.




If you do not see a specific guide for your IdP, please contact us at info@miniorange.com.

To register miniOrange as a Service Provider in your IdP, use the following endpoint URLs:

ACS URL:      https://auth.miniorange.com/moas/broker/login/saml/acs/<YOUR_CUSTOMER_KEY>
SP Entity ID: https://auth.miniorange.com/moas/

2. OAuth Integration - if your identity source understands OAuth, see the details below.
    For example: Facebook, Google, LinkedIn, Twitter, Windows Live, etc.

OAuth Integration

Configure and use the miniOrange OAuth broker service

  • To configure and use the miniOrange OAuth broker service, create a free business trial account.

  • Log in to the miniOrange console at https://auth.miniorange.com/moas/login

  • Go to Integrations -> Custom App Integration and collect your Customer Key, Customer API Key and Customer Token Key from there.




  • Go to Apps -> Configure Apps -> OAuth2 Client to configure an OAuth2 app.




  • The OAuth apps are listed here. Click on any of them and then click Add App.




  • For Facebook:

    • Leave the Scope field empty.
    • Create a developer account with Facebook.
    • Create an app there.
    • Under the "Tell us about your website" section, enter https://auth.miniorange.com/moas/oauth/client/callback in the Site URL field.
    • Collect the App ID and App Secret by navigating to My Apps -> (Your App name).
    • Enter the App ID and App Secret in the Client ID and Client Secret fields respectively under Apps -> Add App Credentials.
    • Click the SAVE button to add the Facebook app.
    • Now, to integrate Login with Facebook, add a button and attach the following URL to it:

      https://auth.miniorange.com/moas/oauth/client/authorize?token=##token##&id=##customer_key##&encrypted=<true,false>&app=facebook_oauth&returnurl=##return_url##

      • ##token## in the URL above can be encrypted or unencrypted. The token contains the Client ID (the App ID you received from Facebook), the timestamp (current timestamp in milliseconds) and the API Key (the Customer API Key you collected above), separated by colons.
      • ##customer_key## is the Customer Key you collected above.
      • encrypted is true or false depending on whether the token is encrypted.
      • ##return_url## is the URL to which the user is redirected after Login with Facebook.



  • For Google:

    • Enter https://www.googleapis.com/auth/plus.login in the Scope field.
    • Visit the Google developers console at console.developers.google.com
    • At Google, create a new project and enable the Google+ API. This enables your site to access the Google+ API.
    • At Google, provide https://auth.miniorange.com/moas/oauth/client/callback as the new project's Redirect URI.
    • At Google, you must also configure the Consent Screen with your email address and product name. This is what Google displays to users when they are asked to grant access to your site/app.
    • At Google, under APIs & auth -> Credentials, get a Client ID by clicking the Create Client Id button.
    • Collect the Client ID and Client Secret.
    • Enter the Client ID and Client Secret in the Client ID and Client Secret fields respectively under Apps -> Add App Credentials.
    • Click the SAVE button to add the Google app.
    • Now, to integrate Login with Google, add a button and attach the following URL to it:

      https://auth.miniorange.com/moas/oauth/client/authorize?token=##token##&id=##customer_key##&encrypted=<true,false>&app=google_oauth&returnurl=##return_url##

      • ##token## in the URL above can be encrypted or unencrypted. The token contains the Client ID (received from Google), the timestamp (current timestamp in milliseconds) and the API Key (the Customer API Key you collected above), separated by colons.
      • ##customer_key## is the Customer Key you collected above.
      • encrypted is true or false depending on whether the token is encrypted.
      • ##return_url## is the URL to which the user is redirected after Login with Google.
  • For LinkedIn:

    • Leave the Scope field empty.
    • If you have not already done so, create an application. If you have an existing application, select it to modify its settings.
    • After the app is created, collect the Client ID and Client Secret from there.
    • Enter https://auth.miniorange.com/moas/oauth/client/callback in Authorized Redirect URLs and click the Add button.
    • Now click the Update button to save the settings.
    • Enter the Client ID and Client Secret in the Client ID and Client Secret fields respectively under Apps -> Add App Credentials.
    • Click the SAVE button to add the LinkedIn app.
    • Now, to integrate Login with LinkedIn, add a button and attach the following URL to it:

      https://auth.miniorange.com/moas/oauth/client/authorize?token=##token##&id=##customer_key##&encrypted=<true,false>&app=linkedin_oauth&returnurl=##return_url##

      • ##token## in the URL above can be encrypted or unencrypted. The token contains the Client ID (received from LinkedIn), the timestamp (current timestamp in milliseconds) and the API Key (the Customer API Key you collected above), separated by colons.
      • ##customer_key## is the Customer Key you collected above.
      • encrypted is true or false depending on whether the token is encrypted.
      • ##return_url## is the URL to which the user is redirected after Login with LinkedIn.
  • For EVE Online:

    • Leave the Scope field empty.
    • At EVE Online, go to Support and request that OAuth be enabled for a third-party application.
    • Add a new project/application and generate a Client ID and Client Secret.
    • Enter the Client ID and Client Secret in the Client ID and Client Secret fields respectively.
    • Click the SAVE button to add the EVE Online app.
    • Now, to integrate Login with EVE Online, add a button and attach the following URL to it:

      https://auth.miniorange.com/moas/oauth/client/authorize?token=##token##&id=##customer_key##&encrypted=<true,false>&app=eveonline_oauth&returnurl=##return_url##

      • ##token## in the URL above can be encrypted or unencrypted. The token contains the Client ID (received from EVE Online), the timestamp (current timestamp in milliseconds) and the API Key (the Customer API Key you collected above), separated by colons.
      • ##customer_key## is the Customer Key you collected above.
      • encrypted is true or false depending on whether the token is encrypted.
      • ##return_url## is the URL to which the user is redirected after Login with EVE Online.





  • 3. OpenID Connect Integration - if your identity source understands OpenID Connect, see the details below.
        For example: Salesforce, Amazon, etc. as an OpenID Connect IdP.

    OpenID Connect Integration

    Configure and use the miniOrange OpenID Connect integration.

    Before your application can use the miniOrange OpenID Connect authentication system for user login, you must set up an application in the miniOrange administrator console to obtain OpenID Connect credentials, set a redirect URI and (optionally) add an application name.

    Obtain OpenID Connect credentials

    You need OpenID Connect credentials, including a client ID and client secret, to authenticate users and gain access to miniOrange APIs.

    To get the credentials, do the following:

    Step 1. Create an Application in the miniOrange Administrator Console

    • Go to the miniOrange Administrator Console.

    • Create an application by selecting Apps > Configure Apps.

    • In the Application name field, type "OpenId Connect".

    • Enter your client information and Save.

    • Once you have configured the application, note down the client ID and client secret: go to Apps > View Apps, select your OpenID application and click "Edit".

    Not all credential types use both a client ID and a client secret; values that are not used are not listed in the document.

    Now that you have created the application for OpenID Connect, you need to create a policy for it so that users can authenticate with our various strong authentication methods.

    Step 2. Create a policy

    • Go to the miniOrange Administrator Console.

    • Go to Policy > App Authentication Policy, then select the "Add Policy" tab.

    • In the Application name field, select the OpenID application you created.

    • Enter the configuration settings and Save.


    Download our miniOrange sample app

    You can download our miniOrange sample application, written in Java, PHP or Python, to see a demonstration of our OpenID Connect flow or to build an OpenID Connect client application of your own.

    Java

    Click here to download the miniOrange OpenID sample application for Java

    Click here to see the Java sample application guide

    PHP

    Click here to download the miniOrange OpenID sample application for PHP

    Click here to see the PHP sample application guide

    Python

    Click here to download the miniOrange OpenID sample application for Python

    Click here to see the Python sample application guide

    2. Create a REST service (or a similar endpoint) in your application to handle the response from the Authorization Endpoint. Note: this endpoint must be the registered redirect URI.

    Example: https://<your-domain>/rest/openidresponse

    Response attributes: code, state.

    Now you just need to make two calls: one to get the access token and another to get the user info with the help of that access_token.

    // Click here to download the JAVA library
    // Java - Import our miniOrange API (copy all the JAR files into a lib folder and add them to the build path)
    import com.miniorange.openid.client.AuthorizationServerRequest;
    import org.json.JSONObject; // any JSON parser will do; org.json is used here to read the token response

    // Get the parameters from the request (the redirect URI receives code and state)
    String code = request.getParameter("code");
    String state = request.getParameter("state"); // compare with the state you sent; reject the response if it differs
    String clientSecret = "enter-your-client-secret-noted-from-miniOrange-admin-console";
    String hostName = "enter-the-miniOrange-host-name-without-http-or-subdomain Example: auth.miniorange.com";

    // Step 1: Initialize the object with hostName, code and clientSecret.
    AuthorizationServerRequest clientObj = new AuthorizationServerRequest(hostName, code, clientSecret);

    // Step 2: Make a token request using the code and state parameters received on the redirect URI.
    String token = clientObj.sendTokenRequest();
    /* String token is a JSON document. Example:
       {"scope":"openid","expires_in":3600,"token_type":"bearer",
        "id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ.eyJhdXRoX3RpbWUiOiJUaHUgQXByIDE2IDEzOjA2OjE4IElTVCAyMDE1IiwiZXhwIjoxNDMwMTY5Nzc4LCJzdWIiOiJkZW1vQG1pbmlvcmFuZ2UuY28uaW4iLCJub25jZSI6IkJ1U1MxSjktZllmaDgwYmVDOVdwM2Vwc1BCdHRpLVdmS09xdGlmWnMxa0UiLCJhdF9oYXNoIjoiMmY2ZnlqWGRRUmdWVTl3IiwiYXVkIjpbIkFuemp4NFNmM2FWZTZnZyJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJpYXQiOjE0MjkxNjk3Nzh9.P6VXffhTX9B62tjupP8tWdv9eYpXCBnDtramHDDF2pYujcgNPntX1OrEieD1Uvswdk2qagOfm0HbfG3OtGa6xZ8Ixpqg7RDUusPRHFptcgSw9YlZtyv1CyIIh_eQ4yrfo2oHfwW-5aDIUO5tNmjoWrEK4NzR1fWYXRmL5eyu51o",
        "access_token":"2f6fyjXdQRgVU9w"} */

    // Step 3: OPTIONAL. Validate id_token on your side.
    // <Your java code for validating id_token from the JWK set>

    // Step 4: Make a user_info request. Fetch access_token from the JSON token received in Step 2.
    String access_token = new JSONObject(token).getString("access_token");
    String user_info = clientObj.sendUserInfoRequest(access_token);
    /* Example user info JSON:
       {"sub":"demo@miniorange.co.in","primaryPhone":"+917XXXXXXX",
        "email":"demo@miniorange.co.in","name":"Demo User","family_name":"User",
        "preferred_username":"demo@miniorange.co.in","given_name":"Demo"} */
    return user_info; // Proceed with your login flow using the user_info claims.

    // Click here to download the PHP library
    // PHP - Step 1. Import the PHP Library
    require('AuthorizeOpenIDRequest.php');
    $code = $_GET['code'];   // Code response parameter
    $state = $_GET['state']; // Match against the state you sent; stop if it differs
    $host = 'auth.miniorange.com'; // Server host name without http, sub-domain name or port
    $clientSecret = 'abcdefghijklm'; // Client Secret noted from the 'Configure App' page in the miniOrange administrator console

    // Step 2. Initialize Object
    $obj = new AuthorizeOpenIDRequest();
    $obj->authCode = $code;
    $obj->state = $state;
    $obj->hostName = $host;
    $obj->clientSecret = $clientSecret;

    // Step 3. Make request to token Endpoint to gain Access token.
    $token = $obj->sendTokenRequest();
    /* Example token JSON:
       {"scope":"openid","expires_in":3600,"token_type":"bearer",
        "id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ.eyJhdXRoX3RpbWUiOiJUaHUgQXByIDE2IDEzOjA2OjE4IElTVCAyMDE1IiwiZXhwIjoxNDMwMTY5Nzc4LCJzdWIiOiJkZW1vQG1pbmlvcmFuZ2UuY28uaW4iLCJub25jZSI6IkJ1U1MxSjktZllmaDgwYmVDOVdwM2Vwc1BCdHRpLVdmS09xdGlmWnMxa0UiLCJhdF9oYXNoIjoiMmY2ZnlqWGRRUmdWVTl3IiwiYXVkIjpbIkFuemp4NFNmM2FWZTZnZyJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJpYXQiOjE0MjkxNjk3Nzh9.P6VXffhTX9B62tjupP8tWdv9eYpXCBnDtramHDDF2pYujcgNPntX1OrEieD1Uvswdk2qagOfm0HbfG3OtGa6xZ8Ixpqg7RDUusPRHFptcgSw9YlZtyv1CyIIh_eQ4yrfo2oHfwW-5aDIUO5tNmjoWrEK4NzR1fWYXRmL5eyu51o",
        "access_token":"2f6fyjXdQRgVU9w"} */

    // Get the access_token from the JSON token.
    $jObj = json_decode($token);
    $access_token = $jObj->access_token;

    // Step 4. Validate $jObj->id_token using the JWK Set URI.

    // Step 5. Make request to userinfo Endpoint with the help of the access_token received.
    $user_info = $obj->sendUserInfoRequest($access_token);
    /* Example user info JSON:
       {"sub":"demo@miniorange.co.in","primaryPhone":"+917XXXXXXX",
        "email":"demo@miniorange.co.in","name":"Demo User","family_name":"User",
        "preferred_username":"demo@miniorange.co.in","given_name":"Demo"} */

    // Read the user_info JSON; it contains the user information.
    $uinfo = json_decode($user_info);

    # Click here to download the PYTHON library
    # Python - Step 1. Import the Python Library
    from AuthorizeOpenIdRequest import AuthorizeOpenIDRequest
    import json

    # Step 1. Initialize Object with hostName, authCode, clientSecret
    # hostName: the miniOrange host name without HTTP/HTTPS or SUBDOMAIN
    # clientSecret: the client secret noted while creating the app in the miniOrange Admin Console
    # authCode is returned after authentication in miniOrange (read here from a Django request object)
    hostName = "auth.miniorange.com"
    clientSecret = "iercoierncoiec"
    authCode = request.GET.get('code')

    # Initialize
    authReq = AuthorizeOpenIDRequest(hostName, authCode, clientSecret)

    # Step 2. Make request to token endpoint
    token = authReq.sendTokenRequest()
    print('token is ' + token)
    # Example token JSON:
    # {"scope":"openid","expires_in":3600,"token_type":"bearer",
    #  "id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ.eyJhdXRoX3RpbWUiOiJUaHUgQXByIDE2IDEzOjA2OjE4IElTVCAyMDE1IiwiZXhwIjoxNDMwMTY5Nzc4LCJzdWIiOiJkZW1vQG1pbmlvcmFuZ2UuY28uaW4iLCJub25jZSI6IkJ1U1MxSjktZllmaDgwYmVDOVdwM2Vwc1BCdHRpLVdmS09xdGlmWnMxa0UiLCJhdF9oYXNoIjoiMmY2ZnlqWGRRUmdWVTl3IiwiYXVkIjpbIkFuemp4NFNmM2FWZTZnZyJdLCJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3QiLCJpYXQiOjE0MjkxNjk3Nzh9.P6VXffhTX9B62tjupP8tWdv9eYpXCBnDtramHDDF2pYujcgNPntX1OrEieD1Uvswdk2qagOfm0HbfG3OtGa6xZ8Ixpqg7RDUusPRHFptcgSw9YlZtyv1CyIIh_eQ4yrfo2oHfwW-5aDIUO5tNmjoWrEK4NzR1fWYXRmL5eyu51o",
    #  "access_token":"2f6fyjXdQRgVU9w"}

    # OPTIONAL. Perform token validation

    # Step 3. Retrieve access_token from the token JSON
    jsonData = json.loads(token)
    accessToken = jsonData['access_token']

    # Step 4. Make request to userinfo endpoint
    userInfo = authReq.sendUserInfoRequest(accessToken)
    # Example user info JSON:
    # {"sub":"demo@miniorange.co.in","primaryPhone":"+117XXXXXXX",
    #  "email":"demo@miniorange.co.in","name":"Demo User","family_name":"User",
    #  "preferred_username":"demo@miniorange.co.in","given_name":"Demo"}
    print('Userinfo is : ' + userInfo)

    4. LDAP Integration - if your identity source is LDAP, see the details below.
        For example: Microsoft Active Directory, OpenLDAP or any other directory system.

    LDAP Integration

    • Log in to the miniOrange admin dashboard.
    • Go to Identity Sources in the side menu.
    • Click the Configure Identity Source button in the top right corner of the screen.
    • Save your LDAP configuration by entering all the required fields and clicking the SAVE button.
      • If you want to store your LDAP/AD configuration in miniOrange, enter your LDAP details here and save.
      • If you want to keep your LDAP/AD configuration on-premise, select option two and download the miniOrange gateway.

    If you are not sure whether your identity source is supported, contact us at info@miniorange.com.


    Step-2: Establish trust between miniOrange and App A, from which single sign-on is initiated.

    • Log in to the miniOrange admin dashboard.
    • Go to Apps -> Manage Apps in the side menu and click the Configure Apps button in the top right corner of the screen.
    • Go to the Create your Own App tab, select External App and click the Add App button.
    • Enter the Custom App Name and the Redirect URL you want to single sign-on to, and check enable user mapping.
    • Now save the app. From the list of configured apps, select the app and click edit.
    • Select "click to reveal App Secret" and note down the App Secret.
    • <YOUR_CUSTOMER_KEY> and <YOUR_TOKEN_KEY> need to be copied from the miniOrange Admin Console: go to Integrations -> Custom App Integration in the menu.
    • Integrate the following sample code snippet in App A to establish trust between miniOrange and the application from which you want to initiate single sign-on (C#, Java and PHP versions follow).

    using System;
    using System.Security.Cryptography;
    using System.Text;
    using System.Web;

    protected void SSORedirect_Click(object sender, EventArgs e)
    {
        DateTime Jan1st1970 = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        long milliseconds = (long)(DateTime.UtcNow - Jan1st1970).TotalMilliseconds;
        String username = (String)Session["currentUser"];
        String appSecret = "Enter app secret noted from miniOrange admin console";
        // Token format expected by the broker: timestamp:username:appSecret
        String token = milliseconds + ":" + username + ":" + appSecret;
        String encryptedToken = encrypt(token);
        String customerId = "<YOUR_CUSTOMER_KEY>";
        encryptedToken = HttpUtility.UrlEncode(encryptedToken);
        Response.Redirect("https://auth.miniorange.com/moas/broker/login/http/" + customerId + "?token=" + encryptedToken);
    }

    // AES-ECB with PKCS7 padding under the token key, base64 encoded
    private string encrypt(string value)
    {
        AesManaged tdes = new AesManaged();
        String encryptionKey = "<YOUR_TOKEN_KEY>";
        tdes.Key = Encoding.UTF8.GetBytes(encryptionKey);
        tdes.Mode = CipherMode.ECB;
        tdes.Padding = PaddingMode.PKCS7;
        ICryptoTransform crypt = tdes.CreateEncryptor();
        byte[] plain = Encoding.UTF8.GetBytes(value);
        byte[] cipher = crypt.TransformFinalBlock(plain, 0, plain.Length);
        return Convert.ToBase64String(cipher);
    }

    import java.net.URLEncoder;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.shiro.crypto.AesCipherService; // Apache Shiro 1.x packages
    import org.apache.shiro.crypto.OperationMode;
    import org.apache.shiro.crypto.PaddingScheme;
    import org.apache.shiro.util.ByteSource;

    public void ssoRedirect(HttpServletRequest request, HttpServletResponse response) throws Exception {
        Long timestamp = System.currentTimeMillis();
        String username = (String) request.getSession().getAttribute("currentUser");
        String appSecret = "Enter app secret noted from miniOrange admin console";
        // Token format expected by the broker: timestamp:username:appSecret
        String token = timestamp + ":" + username + ":" + appSecret;
        String encryptedToken = encrypt(token);
        String customerId = "<YOUR_CUSTOMER_KEY>";
        encryptedToken = URLEncoder.encode(encryptedToken, "UTF-8");
        response.sendRedirect("https://auth.miniorange.com/moas/broker/login/http/" + customerId + "?token=" + encryptedToken);
    }

    // AES-ECB with PKCS5 padding under the token key (Shiro's AesCipherService), base64 encoded
    private String encrypt(String value) throws Exception {
        String encryptionKey = "<YOUR_TOKEN_KEY>";
        AesCipherService service = new AesCipherService();
        service.setMode(OperationMode.ECB);
        service.setPaddingScheme(PaddingScheme.PKCS5);
        ByteSource byteSource = service.encrypt(value.getBytes("UTF-8"), encryptionKey.getBytes("UTF-8"));
        return byteSource.toBase64();
    }

    public function ssoRedirect() {
        $timestamp = round(microtime(true) * 1000);
        $username = $_SESSION['currentUser'];
        $app_secret = "Enter app secret noted from miniOrange admin console";
        // Token format expected by the broker: timestamp:username:appSecret
        $token = number_format($timestamp, 0, '', '') . ':' . $username . ':' . $app_secret;
        $encryptedToken = urlencode($this->encrypt($token));
        $customerId = "<YOUR_CUSTOMER_KEY>";
        $redirectURL = "https://auth.miniorange.com/moas/broker/login/http/" . $customerId . "?token=" . $encryptedToken;
        header('Location: ' . $redirectURL);
        exit;
    }

    // AES-ECB (rijndael-128) with PKCS7 padding under the token key, base64 encoded.
    // mcrypt was removed in PHP 7.2; openssl_encrypt($token, 'aes-128-ecb', $encryption_key, OPENSSL_RAW_DATA)
    // gives the same result for a 16-byte key and applies the PKCS7 padding itself.
    private function encrypt($token) {
        $encryption_key = "<YOUR_TOKEN_KEY>";
        $blocksize = 16;
        $pad = $blocksize - (strlen($token) % $blocksize);
        $token = $token . str_repeat(chr($pad), $pad);
        $token_params_encrypt = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $encryption_key, $token, MCRYPT_MODE_ECB);
        return base64_encode($token_params_encrypt);
    }


    Step-3: Establish trust between miniOrange and App B, the app you single sign-on into.

    • Add the following code snippet in App B, where you want to Single Sign-On (SSO) into (C#, Java and PHP versions follow). miniOrange posts STATUS and an encrypted NameID to the Redirect URL configured above.
    using System;
    using System.Security.Cryptography;
    using System.Text;

    // Receive the HTTP POST request from miniOrange
    protected void Page_Load(object sender, EventArgs e)
    {
        String status = Request["STATUS"];
        if (status != null && status == "SUCCESS") // exact match, as the Java and PHP versions do
        {
            String username = Request["NameID"];
            if (!String.IsNullOrEmpty(username))
            {
                username = decryptUser(username);
                Session["currentUser"] = username;
            }
        }
    }

    // NameID arrives base64 encoded and AES-ECB encrypted under the token key (PKCS7 padded)
    private String decryptUser(String encryptedUser)
    {
        String encryptionKey = "<YOUR_TOKEN_KEY>";
        byte[] encryptedUserBytes = Convert.FromBase64String(encryptedUser);
        AesManaged tdes = new AesManaged();
        tdes.Key = Encoding.UTF8.GetBytes(encryptionKey);
        tdes.Mode = CipherMode.ECB;
        tdes.Padding = PaddingMode.PKCS7;
        ICryptoTransform crypt = tdes.CreateDecryptor();
        byte[] plain = crypt.TransformFinalBlock(encryptedUserBytes, 0, encryptedUserBytes.Length);
        return Encoding.UTF8.GetString(plain);
    }

    import java.io.IOException;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.apache.commons.codec.binary.Base64;
    import org.apache.shiro.crypto.AesCipherService; // Apache Shiro 1.x packages
    import org.apache.shiro.crypto.OperationMode;
    import org.apache.shiro.crypto.PaddingScheme;
    import org.apache.shiro.util.ByteSource;

    // Receive the HTTP POST request from miniOrange
    public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        String status = request.getParameter("STATUS");
        if ("SUCCESS".equals(status)) {
            String username = request.getParameter("NameID");
            if (username != null && !username.isEmpty()) {
                try {
                    username = decryptUser(username);
                    request.getSession().setAttribute("currentUser", username);
                    response.sendRedirect("<YOUR_LANDING_PAGE_URL>"); // page to show after the SSO login
                } catch (Exception e) {
                    e.printStackTrace();
                    return;
                }
            }
        }
    }

    // NameID arrives base64 encoded and AES-ECB encrypted under the token key (PKCS5 padded)
    private String decryptUser(String encryptedUser) throws Exception {
        String encryptionKey = "<YOUR_TOKEN_KEY>";
        byte[] base64decoded = Base64.decodeBase64(encryptedUser.getBytes("UTF-8"));
        AesCipherService decryptService = new AesCipherService();
        decryptService.setMode(OperationMode.ECB);
        decryptService.setPaddingScheme(PaddingScheme.PKCS5);
        ByteSource decrypted = decryptService.decrypt(base64decoded, encryptionKey.getBytes("UTF-8"));
        return new String(decrypted.getBytes(), "UTF-8");
    }

    // Receive the HTTP POST request from miniOrange
    public function getSSOUser() {
        $status = isset($_POST['STATUS']) ? $_POST['STATUS'] : null;
        if ($status !== null && strcmp($status, "SUCCESS") === 0) { // strcmp returns 0 on a match
            $username = isset($_POST['NameID']) ? $_POST['NameID'] : null;
            if ($username !== null && $username !== "") {
                try {
                    $username = $this->decryptUser($username);
                    if ($username === false) {
                        exit; // bad padding: do not log anyone in
                    }
                    $_SESSION["currentUser"] = $username;
                } catch (Exception $e) {
                    exit;
                }
            }
        }
    }

    // NameID arrives base64 encoded and AES-ECB encrypted under the token key; returns false on bad padding.
    // mcrypt was removed in PHP 7.2; openssl_decrypt($strIn, 'aes-128-ecb', $encryption_key, OPENSSL_RAW_DATA)
    // is the equivalent for a 16-byte key and strips the PKCS7 padding itself.
    private function decryptUser($encryptedUser) {
        $encryption_key = "<YOUR_TOKEN_KEY>";
        $strIn = base64_decode($encryptedUser);
        $plainText = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $encryption_key, $strIn, MCRYPT_MODE_ECB);
        if ($plainText === false || strlen($plainText) == 0) {
            return false;
        }
        $pad = ord($plainText[strlen($plainText) - 1]);
        if ($pad < 1 || $pad > 16 || $pad > strlen($plainText)) {
            return false;
        }
        if (strspn($plainText, $plainText[strlen($plainText) - 1], strlen($plainText) - $pad) != $pad) {
            return false;
        }
        return substr($plainText, 0, -1 * $pad);
    }
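    The Step-2 and Step-3 snippets above in one runnable form, as an added example that is not part of the original page or the miniOrange SDK: App A builds the timestamp:username:appSecret token, encrypts it with the token key (AES-ECB, PKCS7 padding, base64, then URL-encoding) into the broker login URL, and App B accepts only a SUCCESS post and decrypts NameID with the same key. It is written in Go so that it runs on the standard library alone; the token key, customer key and app secret it is exercised with are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"net/url"
	"strconv"
)

// pkcs7Pad appends 1..16 bytes so the plaintext is a whole number of AES blocks.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding, rejecting anything malformed (as the page's PHP decryptUser does).
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || n > len(b) || bytes.Count(b[len(b)-n:], []byte{byte(n)}) != n {
		return nil, errors.New("bad PKCS7 padding")
	}
	return b[:len(b)-n], nil
}

// ecb runs op (cipher.Block.Encrypt or cipher.Block.Decrypt) over each 16-byte block on its own;
// Go ships no ECB mode, so the loop is written out. Key length (16/24/32) selects AES-128/192/256.
func ecb(key, in []byte, op func(cipher.Block, []byte, []byte)) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("bad key length, or input is not whole AES blocks")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		op(block, out[i:], in[i:i+aes.BlockSize])
	}
	return out, nil
}

// EncryptToken is the page's encrypt(): AES-ECB with PKCS7 padding, base64 output.
func EncryptToken(tokenKey, plaintext string) (string, error) {
	ct, err := ecb([]byte(tokenKey), pkcs7Pad([]byte(plaintext)), cipher.Block.Encrypt)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecryptToken is the page's decryptUser(): base64 decode, AES-ECB, strip PKCS7.
func DecryptToken(tokenKey, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	pt, err := ecb([]byte(tokenKey), ct, cipher.Block.Decrypt)
	if err != nil {
		return "", err
	}
	pt, err = pkcs7Unpad(pt)
	return string(pt), err
}

// BuildSSORedirect is App A's half of Step-2: "timestamp:username:appSecret", encrypted
// under the token key and URL-encoded into the broker login URL.
func BuildSSORedirect(customerKey, tokenKey, appSecret, username string, millis int64) (string, error) {
	enc, err := EncryptToken(tokenKey, strconv.FormatInt(millis, 10)+":"+username+":"+appSecret)
	if err != nil {
		return "", err
	}
	return "https://auth.miniorange.com/moas/broker/login/http/" + customerKey + "?token=" + url.QueryEscape(enc), nil
}

// SSOUserFromPost is App B's half of Step-3: only a SUCCESS post carrying a NameID yields a username.
func SSOUserFromPost(tokenKey string, form url.Values) (string, error) {
	if form.Get("STATUS") != "SUCCESS" || form.Get("NameID") == "" {
		return "", errors.New("broker post is not a SUCCESS carrying a NameID")
	}
	return DecryptToken(tokenKey, form.Get("NameID"))
}
```

    Because ECB is deterministic, the same username always encrypts to the same NameID under a given token key; the millisecond timestamp in App A's token is what keeps successive login tokens distinct.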

    What is Identity Brokering?

    Identity brokering is a way to establish trust between parties that want to use one another's online identities. Over the years many standards have been developed for this, such as SAML, OpenID, OAuth and OpenID Connect, but very few people understand how these protocols work and where they are supposed to be used. Implementing such protocols is complicated, and also expensive and time-consuming.

    What is an Identity Broker service?

    An Identity Broker service hides all the complexity of these protocols and provides a simple HTTPS endpoint for parties to use. Without implementing SAML, OpenID, OAuth or OpenID Connect yourself, you can start speaking these languages and obtain identity and access tokens from hundreds of providers. The only thing you need to know is how to call an HTTPS endpoint, which is much simpler than understanding the different standards.

    What are the advantages of using an Identity Broker service?

    • You do not need to understand complex single sign-on protocols such as SAML, OpenID and OAuth.
    • You can SAML-enable your apps using simple HTTPS calls.
    • You can provide social login on your site without the hassle of understanding how it all works.
    • Once you receive access tokens from the site of your choice, you can add custom code and extend that application.

    Advantages of using the miniOrange Identity Broker service:

    Besides all the advantages listed above, the miniOrange Identity Broker service provides:

    • The ability to configure any IdP of your choice, including Okta, Ping, RSA, Centrify, Google, Facebook, LinkedIn and even custom ones.
    • Once you have established identity with your chosen Identity Provider, miniOrange lets you use our two-factor authentication product on top of it for the app of your choice.
    • miniOrange also lets you provide risk-based access to your apps, adding another layer of security based on trusted devices, trusted locations, trusted times of access and even user behaviour.
