POST /oauth/login/ssoLogin

Allows a user to log in for OAuth authorization purposes by authenticating with an identity provider that has its own login screen, provided SSO is enabled for the OAuth Provider and for the identity provider it uses (for example, Facebook or Google). Sets the OAuthToken_{OAuthProviderName} cookie and redirects the user. This operation is also used for LDAP users. Uses HTTP POST.

In the payload, the domain name is required. Other parameters will be required depending on the domain. For example:

  • For a SAML Web SSO domain, the SAML assertion will be in the payload.
  • For an LDAP domain, the LDAP username and password will be in the payload.
  • For a CA SiteMinder domain configured with username/password, those are the required values; for a CA SiteMinder domain that uses the SMSESSION cookie, there is no content in the payload other than the domain, but the information is sent in the cookie.
  • For an OpenID Connect Relying Party domain, the ID token will be in the payload.

For information on why you might choose one or the other, see OAuth Operations: GET or POST?

Note: If the LDAP domain name includes special characters, such as %, &, or #, remember to URL-encode them in the Domain input parameter. For example, for a domain name of OpenID Connector, you'd need to encode the % in the URL as %25, like this: http://{oauth-provider-hostname}/oauth/login/ssoLogin?Domain=OpenID%25Connector.

Authorization Roles/Permissions: Anyone can run this operation.

HTTP Method

POST

URL

https://{oauth-provider-url}/oauth/login/ssoLogin

Sample Request

The example below shows an SSO login request.

Request URL

https://{oauth-provider-url}/oauth/login/ssoLogin

Sample request headers

Content-Type: application/x-www-form-urlencoded
Accept: application/json

Sample request body #1

The request body carries whatever SSO token, if available, the identity provider domain can use, plus, optionally, the Domain parameter:

Domain=[domain-name]

Sample request body #2: LDAP user login (resource owner)

When the resource owner is logging in, the Domain parameter is not needed. The platform uses the resource owner authentication domain specified for the OAuth Provider.

identity_username=ldapuser01&secret_password=MyPassword123

Request Headers

For general information on request header values, refer to HTTP Request Headers.

Header         Description
Accept         application/json
Content-Type   application/x-www-form-urlencoded

Request Parameters

Request parameters are determined by the authentication domain. For more information, see Managing SSO Login for OAuth on the Platform.

Parameter      Parm Type  Data Type  Required  Description
Domain         Path       string     Optional  Optional domain name parameter. If this parameter is missing, the platform uses the resource owner authentication domain.
identity_xxxx  Path       string               All parameters that start with identity_ are used as identity parameters. For LDAP and OpenID Connect Relying Party domains, use identity_username.
secret_xxxx    Path       string               All parameters that start with secret_ are used as secret parameters. For LDAP and OpenID Connect Relying Party domains, use secret_password.

Response

If successful, this operation returns HTTP status code 200, with a cookie that will be used for subsequent requests. For non-browser scenarios, the application must save this cookie and include it in every request. The cookie name includes the OAuth Provider name. Cookie name: OAuthToken_{OAuthProviderName}.

The response includes the UserName and DomainName of the user. Example: { "DomainName" : "Local Domain", "UserName" : "Rep1" }.
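The non-browser flow described above, as an added example that is not part of the Akana documentation: it form-encodes the ssoLogin body (percent-encoding a Domain value that contains special characters, as the note earlier on this page requires), pulls the OAuthToken_{OAuthProviderName} cookie out of the Set-Cookie headers, and builds the Cookie header a client must send on every later request. The provider name, the helper names and the sample cookie value are assumptions.

```python
# Added example, not Akana's own client code. The provider name below is a
# placeholder; any cookie values used with it are constructed.
import json
from http.cookies import SimpleCookie
from urllib.parse import urlencode

OAUTH_PROVIDER_NAME = "exampleprovider"  # placeholder provider name


def build_sso_login_body(domain=None, identity=None, secrets=None):
    """Form-encode the ssoLogin payload. Domain is optional; when omitted the
    platform uses the resource owner authentication domain. identity/secrets
    are dicts keyed by the part after the identity_/secret_ prefix, e.g.
    {"username": "ldapuser01"}. urlencode percent-encodes %, & and # in the
    domain name so they survive as data rather than URL syntax."""
    fields = {}
    if domain is not None:
        fields["Domain"] = domain
    for suffix, value in (identity or {}).items():
        fields["identity_" + suffix] = value
    for suffix, value in (secrets or {}).items():
        fields["secret_" + suffix] = value
    return urlencode(fields)


def extract_oauth_token_cookie(set_cookie_headers, provider=OAUTH_PROVIDER_NAME):
    """Return (name, value) of the OAuthToken_{provider} cookie from a list of
    Set-Cookie header values, or None if the login did not set one."""
    wanted = "OAuthToken_" + provider
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if wanted in jar:
            return wanted, jar[wanted].value
    return None


def headers_for_next_request(token_cookie):
    """Headers a non-browser client sends on every subsequent request:
    the saved OAuthToken cookie plus the Accept header the page lists."""
    name, value = token_cookie
    return {"Cookie": f"{name}={value}", "Accept": "application/json"}


def parse_login_response(body_text):
    """The response body carries the user's DomainName and UserName."""
    data = json.loads(body_text)
    return data["DomainName"], data["UserName"]
```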

Sample Response

The sample response below shows successful completion of this operation.

Sample response headers


Sample response body

Not applicable.

Response Headers

For general information on response header values, refer to HTTP Response Headers.

Header      Description
Set-Cookie  The OAuthToken_{OAuthProviderName} cookie.

Response Body

Not applicable.

Error Codes/Messages

If the call is unsuccessful, an error code/message is returned. One or more examples of possible errors for this operation are shown below.

Item  Value
500   An error occurred processing the call.

More information about Akana OAuth API error messages.
