Single Sign-On with Signed URL Redirects (Convio CRM)
Comments
-
Is this usable now? or is this just a proposal? If it is a proposal when is it likely to be implemented?
0 -
Yep, this SSO methodology is currently available with no extra platform configs needed**.
**In order to use the server-side API methods, additional platform configs would be needed, assuming you haven't already had that set up.
0 -
Hey emiller,
Thanks. Is this sso_secret referred to in the documentation (below) the same thing as the api_key that we set under setup - site options in Convio? Or something else?
0 -
It doesn't have to be the same as the api_key, but there's nothing in place that would prevent you from using the same string for both. It's certainly easier to use the same value, though some might argue that doing so weakens the security.
0 -
Just to clarify a little more... These are two distinctly different items, but they can be set to the same value. The two items are completely unaware of one another. And I echo Eric's ease vs security comment.
0 -
They should absolutely be different. The API key is very public and not at all secret. This method puts a lot of faith in the fact that if a URL has been signed with the key, it had to come from Convio.
0 -
Quick question:
Is the login form on my site pointing to Convio or a script on my website?
i.e. is it < form action='http://mysite.com/login.py' > or < form action='http://secure2.convio.net/login' >
If it's pointing to a script on my website, then should I be using the getSingleSignOn/singleSignOn API calls to talk to the Convio server?
0 -
Hi Kofi,
You should check with your account manager for the specifics of your site; SSO is achieved in a variety of ways. Your question involves two unrelated techniques - "SSO with Signed URL Redirects" and the "SSO API".
This particular document describes "SSO with Signed URL Redirects" and gives login control to your Convio-powered site. For this to work, the login form would point to your Convio site with an action of 'http://www.foo.org/site/UserLogin'. Please note that you must use the correct URL to reach your Convio site. If you have www.foo.org hosted elsewhere and donations.foo.org is on Convio, then your login action would be http://donations.foo.org/site/UserLogin.
The SingleSignOn API on the other hand gives login control to your non-Convio site. In that example, the third party server authenticates the user and retrieves a short-life "token" prior to sending the user to Convio hosted pages. Convio references that token when determining login status. Details for the SSO API can be found at http://open.convio.com/api/sso-api/
0 -
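The two points above, that the sso_secret must be a separate, private value rather than the public api_key, and that in the "Convio as Master" flow the master signs a redirect URL which the partner site then verifies, are illustrated by the following added example. It is not Convio's code, and the page does not specify Convio's actual signing algorithm: the HMAC-SHA256 scheme, the parameter names (cons_id, ts, nonce, sig), the secrets and the 300-second window are all constructed assumptions chosen to show what a verifying partner site should check.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample values, not real Convio settings. The API key is
# assumed public (it appears in client-side calls); the SSO secret is the
# only value that may sign redirects, and is never exposed to browsers.
API_KEY = "public-api-key-visible-in-page-source"
SSO_SECRET = "dedicated-sso-signing-secret-example"
MAX_AGE_SECONDS = 300  # assumed freshness window for a signed redirect


def _canonical(params):
    """Sort parameters so master and partner hash the identical byte string."""
    return "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "sig")


def sign_redirect(partner_url, cons_id, secret=SSO_SECRET, now=None):
    """Master side: build a redirect URL carrying identity, timestamp, nonce and HMAC."""
    now = int(time.time()) if now is None else now
    params = {"cons_id": cons_id, "ts": str(now), "nonce": secrets.token_hex(8)}
    mac = hmac.new(secret.encode(), _canonical(params).encode(), hashlib.sha256)
    params["sig"] = mac.hexdigest()
    parts = urlsplit(partner_url)
    return urlunsplit(parts._replace(query=urlencode(params)))


def verify_redirect(url, secret=SSO_SECRET, now=None, seen_nonces=None):
    """Partner side: accept only a fresh, unreplayed URL signed with the SSO secret.

    Returns (True, cons_id) on success, otherwise (False, reason).
    """
    now = int(time.time()) if now is None else now
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    for key in ("cons_id", "ts", "nonce", "sig"):
        if key not in q:
            return False, f"missing {key}"
    mac = hmac.new(secret.encode(), _canonical(q).encode(), hashlib.sha256)
    # Constant-time comparison: a plain == leaks timing information.
    if not hmac.compare_digest(mac.hexdigest(), q["sig"]):
        return False, "bad signature"
    if not q["ts"].isdigit() or abs(now - int(q["ts"])) > MAX_AGE_SECONDS:
        return False, "expired"
    if seen_nonces is not None:
        if q["nonce"] in seen_nonces:
            return False, "replay"
        seen_nonces.add(q["nonce"])
    return True, q["cons_id"]


if __name__ == "__main__":
    url = sign_redirect("https://www.foo.org/sso/landing", "12345", now=1000)
    print(url)
    print(verify_redirect(url, now=1000))                 # (True, '12345')
    print(verify_redirect(url, now=2000))                 # (False, 'expired')
    # A URL signed with the public API key must not be accepted by the partner.
    leaked = sign_redirect("https://www.foo.org/sso/landing", "12345", secret=API_KEY, now=1000)
    print(verify_redirect(leaked, now=1000))              # (False, 'bad signature')
```

The signature covers every identity-bearing parameter, so changing cons_id after signing is rejected; the timestamp bounds how long a captured URL stays valid, and the nonce set lets the partner refuse a second presentation of the same URL within that window.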
Thanks for your answers gpeck,
1) The information you just provided should be put on http://open.convio.com/api/sso-api/ . It would have saved me 2 weeks of trying to figure this thing out.
2) I am the API account manager and I have already set up my account for getSingleSignOn API calls.
How do I set it up for "Single Sign-On with Signed URL Redirects". Please point me to documentation that shows me how.
3) Please unconfuse me on the issues below:
The documentation uses the url http://www.foo.org/site/UserLogin.
Don't you mean http://foo.convio.net/site/UserLogin
It also uses the url http://www.foo.org/site/PixelServer.
Don't you mean http://foo.convio.net/site/PixelServer
It also uses the url http://www.foo.org/site/UserLogin?logout=logout&NEXTURL=partner_logout_url
Don't you mean http://foo.convio.net/site/UserLogin?logout=logout&NEXTURL=partner_logout_url
0 -
Hi Kofi,
1) I'll forward your comments to the API team for consideration. Taken together the three pages on the SSO API do say pretty much the same thing, but alternate ways to summarize it are always helpful. Thank you for this feedback.
2) The "SSO with Signed URL Redirects" document linked on this page outlines the steps to set this up. If you need help with any of the Convio tags or conditionals, please contact your account manager for additional guidance - be aware that we can only assist with the Convio hosted portion.
3) In the examples www.foo.org is used to indicate whatever domain or subdomain is appropriate for your Convio hosted site. Some clients use a distinct www.foo.org domain while others use a subdomain such as donate.foo.org. Ideally, clients do not use foo.convio.net - however there are some that do for their particular situation (most common in the case of migrated clients). If you use shortname.convio.net as your only way to get to Convio pages, that is what you would use in this case.
Sincerely,
Glen
0 -
"If the login credentials are invalid, the user is redirected to the Convio-hosted UserLogin page. That page offers the user several options if he has not registered yet or has forgotten his password. Failed logins cannot be redirected to a page on the partner site -- an aspect of the user experience that individual clients may want tweaked."
So, how do clients "tweak" the user experience?
0 -
Hi Robert,
Your assessment is correct. Unfortunately there is not a way to readily "tweak" user experience here. This is a "Convio as Master" configuration and by definition it is the Convio system that needs to handle bad logins. The intent of this solution is to offer a fairly reliable SSO option for clients that does not require extensive programming or knowledge of server protocols to implement. For more robust management of the total user experience in an SSO scenario, you would need to go with a more complex option combining an external login system, programming languages and our SSO API to provide an alternate login experience driven by the third party server.
Sincerely,
Glen
0 -
On second read, a point of clarity may be in order here... The inflection of the statement in question is not carrying through in print.
The intention of the statement is to say essentially, "Some clients may want to tweak the user experience by sending failed logins to the partner site. This is not possible."
Thank you for raising this question and drawing attention to the lack of clarity here. We will include more direct language in V2!
0 -
Glen - I have been informed that beyond this document and the SSO API, Convio has a 3rd method for handling Convio-authenticated SSO documented on the internal wiki. Apparently it has something to do with checking a cookie set by the Convio system for the client's domain. Can you provide further information/documentation on this method? We need a working SSO solution that is Convio-authenticated as it is Convio that will be creating/storing all account & member information.
0 -
Hi Robert,
The method you are referring to is the "Shared Cookies - Convio as Master" solution. Shared cookies can be a less stable solution in some configurations and we are stepping away from this as a broadly applicable option. With shared cookies there are domain dependencies and setup requirements that will require Convio interaction to establish. Additionally, deployment of the shared cookies method disables the .convio.net URL syntax which can result in broken links in some cases. For these reasons, any client with SSO needs not met by the "Single Sign-On with Signed URL Redirects" method described in this document should contact their Account Manager to discuss other options - or visit http://open.convio.com/api/sso-api/ in the case of our Convio as Slave SSO API.
For full disclosure, there are four common SSO solutions in use on Convio sites. Each solution has its own requirements and limitations so it is important that you consult with your AM to discuss the particulars of your situation. The solutions fall into two categories "Convio as Master" and "Convio as Slave" - the master/slave indicates which system is functioning as the master authenticator.
Convio as Master
1. "Single Sign-On with Signed URL Redirects" (a.k.a. URL hash authentication)
2. "Shared Cookies"
Convio as Slave
1. SSO API - see http://open.convio.com/api/sso-api/
2. "Cookie Authentication" (essentially same approach as c.a.m. 2, but with authentication outside Convio)
Sincerely,
Glen
0 -
Just a housekeeping note that there is a new SSO process that uses the Convio SSO APIs with Convio as master. This document is located:
http://community.customer.convio.com/docs/DOC-2183
and streamlines some of the steps that were necessary in the previous method.
0