Single Sign On (SSO)
Written by Customer Success
Updated over a week ago

You can manage single sign on separately for every portal. Within 12Return you can turn the setting on and set its parameters: the secret key and the expiration period. To start using single sign on, your own application has to create a link carrying a set of parameters. The following steps explain what you need to do to set this up.

Configure

First of all, go to your 12Return admin page, click on Settings, then Portal settings, then click on the appropriate portal. You are now on the portal settings page; scroll down to the category Single sign on.

  1. Set the option "Single sign on enabled" to yes.

  2. Create a secret key (http://randomkeygen.com) to improve the security of your sign on solution.

  3. Set the expiration of a URL in seconds.

Once you have saved these settings, you can add the URL generation code to your application. The example below is written in PHP, but any implementation that follows these criteria will work regardless of the language you choose.

Creating an SSO URL

Here we have a wrapper class that encrypts or decrypts the message:

    /**
     * SsoCrypt encrypts and decrypts the SSO message.
     * Requires the secret key as a constructor parameter.
     * We use mcrypt Blowfish in ECB mode with PKCS#5 padding to encrypt the message.
     * Note: the mcrypt extension was deprecated in PHP 7.1 and removed from core in
     * PHP 7.2 (it is still available from PECL).
     */
    class SsoCrypt
    {
        private $secretKey;

        public function __construct($secretKey) {
            $this->secretKey = $secretKey;
        }

        public function decrypt($encryptedMessage) {
            $encryptedMessage = urldecode($encryptedMessage);
            // URL decoding can turn the + of base64 into spaces, so we have to change them back
            $encryptedMessage = str_replace(' ', '+', $encryptedMessage);
            $encryptedMessage = base64_decode($encryptedMessage);
            $td = mcrypt_module_open(MCRYPT_BLOWFISH, '', 'ecb', '');
            // ECB does not use an IV, but mcrypt_generic_init still requires one
            $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
            mcrypt_generic_init($td, $this->secretKey, $iv);
            $decrypted_data = mdecrypt_generic($td, $encryptedMessage);
            mcrypt_generic_deinit($td);
            mcrypt_module_close($td);
            $decrypted_data = $this->pkcs5_unpad($decrypted_data);
            if ($decrypted_data === false) {
                // invalid padding: the message was not produced with this key/format
                return false;
            }
            $decrypted_data = rtrim($decrypted_data);
            return $decrypted_data;
        }

        public function encrypt($plainMessage) {
            $size = mcrypt_get_block_size(MCRYPT_BLOWFISH, 'ecb');
            $plainMessage = $this->pkcs5_pad($plainMessage, $size);
            $td = mcrypt_module_open(MCRYPT_BLOWFISH, '', 'ecb', '');
            $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
            mcrypt_generic_init($td, $this->secretKey, $iv);
            $encryptedMessage = mcrypt_generic($td, $plainMessage);
            mcrypt_generic_deinit($td);
            mcrypt_module_close($td);
            // base64 for transport, then URL-encode so the token can be used as a query parameter
            $encryptedMessage = base64_encode($encryptedMessage);
            $encryptedMessage = urlencode($encryptedMessage);
            return $encryptedMessage;
        }

        private function pkcs5_pad($text, $blocksize) {
            // always append at least one byte and at most a full block, each byte holding the pad length
            $pad = $blocksize - (strlen($text) % $blocksize);
            return $text . str_repeat(chr($pad), $pad);
        }

        private function pkcs5_unpad($text) {
            if ($text === false || $text === '') {
                return false;
            }
            // the last byte states how many padding bytes were appended
            // ($text{...} curly-brace offsets were removed in PHP 8, so use [...])
            $pad = ord($text[strlen($text) - 1]);
            if ($pad < 1 || $pad > strlen($text))
                return false;
            return substr($text, 0, -1 * $pad);
        }
    }

A construction similar to this will be needed in your application to create the URL that logs in a user. This relies on the email address being identical in both systems (yours and 12Return's). Example of how to use the class to create a URL:

    require_once __DIR__ . DIRECTORY_SEPARATOR . 'ssocrypt.php';

    //the encryption key (the secret key set in the portal settings)
    $key = 'discussedkey';

    //class to encrypt the message
    $urlMaker = new SsoCrypt($key);

    //the required parameters
    $parameters = array(
       'ip' => "83.82.38.17", //ip of the current end user who will be redirected to the 12return portal
       'email' => "[email protected]", //email of the user as known in the 12return system
       'timestamp' => time() //the time this url was created (needed to know when to expire the url)
    );
    $data = json_encode($parameters);
    $token = $urlMaker->encrypt($data);

    //the url the end user can click to log in; adjust to your own portal
    $loginUserUrl = '*portalname*.12return.com/portal/user/sso?token=' . $token;

    //you use decrypt for debugging purposes to see if everything you send works well (since this is done on the 12return side).
    var_dump($urlMaker->decrypt($token));
    var_dump($loginUserUrl);
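The checks the page says happen on the 12Return side, written out as an added example (hypothetical code, not 12Return's own implementation). It assumes the SsoCrypt class above is saved as ssocrypt.php, that the portal's expiration setting is passed in as $expirySeconds, and that the receiving end knows the requesting client's IP. Because Blowfish in ECB mode gives confidentiality only and no integrity check, the validator rejects anything that does not decrypt to the expected JSON and ties acceptance to the timestamp and IP the token carries.

```php
<?php
// Added example, not 12Return's code. Assumes the SsoCrypt class is in ssocrypt.php.
require_once __DIR__ . DIRECTORY_SEPARATOR . 'ssocrypt.php';

/**
 * Validate an incoming SSO token and return the email it carries, or null to reject it.
 * $expirySeconds is the portal's "expiration of a URL in seconds" setting (assumed input),
 * $clientIp is the IP of the request presenting the token, $now allows a fixed clock for tests.
 */
function validateSsoToken($token, $secretKey, $expirySeconds, $clientIp, $now = null)
{
    $now = ($now === null) ? time() : $now;
    $crypt = new SsoCrypt($secretKey);

    // No MAC is present, so anything that does not decrypt to well-formed JSON is rejected.
    $json = $crypt->decrypt($token);
    if ($json === false || $json === '') {
        return null;
    }
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['email'], $data['ip'], $data['timestamp'])) {
        return null;
    }
    // The link expires $expirySeconds after creation; a timestamp in the future is
    // rejected as well, allowing clock skew only up to the same window.
    if (!is_int($data['timestamp']) || abs($now - $data['timestamp']) > $expirySeconds) {
        return null;
    }
    // The token is bound to the end user's IP at creation time.
    if (!is_string($data['ip']) || $data['ip'] !== $clientIp) {
        return null;
    }
    // The email must look like an address before it is used to look up the user.
    if (!is_string($data['email']) || filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $data['email'];
}

// Constructed round trip: build a token the way the page does, then validate it.
$key = 'discussedkey';
$maker = new SsoCrypt($key);
$token = $maker->encrypt(json_encode(array(
    'ip' => '83.82.38.17', 'email' => 'user@example.com', 'timestamp' => time(),
)));
var_dump(validateSsoToken($token, $key, 300, '83.82.38.17'));                 // accepted
var_dump(validateSsoToken($token, $key, 300, '10.0.0.1'));                    // IP mismatch
var_dump(validateSsoToken($token, $key, 300, '83.82.38.17', time() + 3600));  // expired
```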