POST /oauth/login/ssoLogin

Allows a user to log in for OAuth authorization purposes by authenticating with an identity provider that has its own login screen, providing SSO is enabled for the OAuth Provider and the identity provider it's using. Examples: Facebook, Google. Sets the OAuthToken_{OAuthProviderName} cookie and redirects the user. Also for LDAP users. Uses HTTP POST.

In the payload, the domain name is required. Other parameters will be required depending on the domain. For example:

For a SAML Web SSO domain, the SAML assertion will be in the payload.
For an LDAP domain, the LDAP username and password will be in the payload.
For a CA SiteMinder domain configured with username/password, those are the required values; for a CA SiteMinder domain that uses the SMSESSION cookie, there is no content in the payload other than the domain, but the information is sent in the cookie.
For an OpenID Connect Relying Party domain, the ID token will be in the payload.

For information on why you might choose one or the other, see OAuth Operations: GET or POST?

Note: If the LDAP domain name includes special characters, such as %, &, or #, remember to encode them in the Domain input parameter. For example, for a domain name of OpenID Connector, you'd need to encode the URL with %25, like this: http://{oauth-provider-hostname}/oauth/login/ssoLogin?Domain=OpenID%25Connector.

Authorization Roles/Permissions: Anyone can run this operation.

This topic includes the following sections:

HTTP Method
URL
Sample Request
Request Headers
Request Parameters

Response
Sample Response
Response Headers
Response Body
Error Codes/Messages

HTTP Method

POST

URL

https://{oauth-provider-url}/oauth/login/ssoLogin

Sample Request

The example below shows an SSO login request.

Sample Request URL

https://{oauth-provider-url}/oauth/login/ssoLogin

Sample request headers

Content-Type: application/x-www-form-urlencoded
Accept: application/json

Sample request body #1

The request body is any SSO token, if available, that the identity provider domain can use. Also, optionally, the Domain parameter:

Domain=[domain-name]

Sample request body #2: LDAP user login (resource owner)

When the resource owner is logging in, the Domain parameter is not needed. The platform uses the resource owner authentication domain specified for the OAuth Provider.

identity_username=ldapuser01&secret_password=MyPassword123

Request Headers

For general information on request header values, refer to HTTP Request Headers.

Header	Description
Accept	application/json
Content-Type	application/x-www-form-urlencoded

Request Parameters

Request parameters are determined by the authentication domain. For more information, see Managing SSO Login for OAuth on the Platform.

Parameter	Parm Type	Data Type	Required	Description
Domain	Path	string	Optional	Optional domain name parameter. If this parameter is missing, the platform uses the resource owner authentication domain.
identity_xxxx	Path	string		All parameters that start with identity_ are used as identity parameters. For LDAP and OpenID Connect Relying Party domains, use identity_username.
secret_xxxx	Path	string		All parameters that start with secret_ are used as secret parameters. For LDAP and OpenID Connect Relying Party domains, use secret_password.

Response

If successful, this operation returns HTTP status code 200, with a cookie that will be used for subsequent requests. For non-browser scenarios, the application must save this cookie and include it in every request. The cookie name includes the OAuth Provider name. Cookie name: OAuthToken_{OAuthProviderName}.

The response includes the UserName and DomainName of the user. Example: { "DomainName" : "Local Domain", "UserName" : "Rep1" }.

Sample Response

The sample response below shows successful completion of this operation.

Sample response headers

Set-Cookie: AtmoAuthToken_acmepaymentscorp: TokenID%3D480a3a7c-240e-11e5-a1b9-8945fbb2b0eb%2Cclaimed_id%3Durn%3Aacmepaymentscorp%3Auser
%3Aacmepaymentscorp%3A8fb17266-354a-4032-96fb-2208ae7b4da4%2CissueTime%3D1436207946162%2CexpirationTime%3D1436209746144%2CAttributes
Included%3Dfalse%2CUserFDN%3D8fb17266-354a-4032-96fb-2208ae7b4da4%252Eacmepaymentscorp%2CUserName%3Dadminacmepaymentscorp%2Csig
%3Dd5YEgxmZQaCgfp64gs0EL1ttryepO3kWTwu4gO12OxLF6sjpcrojVKUf0X8heu9eoi8WlEd9ZIN7vPNgi6pu-XZ883L-OkD9fYnN4ktbRPwHQ2Phaa1H1bXaCpfgpeI8q6u
DjeqX_awH70N6-QQKrhF5n9Lm5PYCKciKNWTSWVooauthRedirectInfoCookie: %7B%22accessTokenUrl%22%3A%22%2Fapi%2Fdevconsole%2Foauth%2Faccesstoken%22
%2C%22providerEndpoint%22%3A%22%2Fapi%2Fdevconsole%2Foauth%2Faccesstoken%22%2C%22queryString%22%3A%22session_key%3Dapiv%253D090888
a5-27f8-454e-8319-c7900d1da4bc.acmepaymentscorp%2526scope%253DScope1%2526appRuntimeId%253D5tRKCWjfz599pLJ8Te4tvn1D.acmepaymentscorp
%2526granttype%253Dauthorization_code%2526policy_type%253DOAuth%2525202.0%2526appsecret%253De4d5949f72473acc151b34065f69169099ebe732
%2526appid%253Dacmepaymentscorp-5tRKCWjfz599pLJ8Te4tvn1D%2526token_url%253Dhttp%253A%252F%252F{hostname}%252Foauth%252Foauth20%252Ftoken%
2526opname%253DGetDiscussions%2526policy_key%253Doauth%2526guid%253Daf880c48-1389-4da4-98e5-2fb29dcca155%2526auz_url%253Dhttp%253A
%252F%252F{hostname}%252Foauth%252Fauz%252Fauthorize%2526callback%253Dhttp%253A%252F%252F{hostname}%252Fui%252Fapps%252Facmepaymentscorp
%252F_VcuNfhlXb0PE8hHDxAx9OhA%252Fresources%252Fconsole%252Fglobal%252Foauthclientredirect.html%253Fdynamic%25253Dtrue
%2526signature_method%253DSharedSecret%2526apienv%253DProduction%2526token_verb%253DPOST%22%7D
OAuthToken_acmepaymentscorp: TokenID%3D57d30fc7-240e-11e5-a1b9-8945fbb2b0eb%2Cclaimed_id%3DLDAP_acmepaymentscorp%5Ceng100
%2CissueTime%3D1436207972636%2CexpirationTime%3D1436208572626%2Csig%3DlOsIenU6JM-dYquJKhKMdKarQRtef4ALY5Abuls7KV5jaPgWapM1w0Y
thq0I1hJvMJ7xlWj8haU3OvM4b6I3LgGWGvw5_Uws935JKLW57xiti_UC2IvxFDrAIg4xx2k-x-icqUDsWfVGNfjWlun43_uRM667RjGOkh_ZmU2xq0Q

Sample response body

Not applicable.