whose username/password goes into the getSingleSignOn API Call
Ok I thought I understood this but now I'm really confused.
This is what I want to do:
1) User enters their convio login information on Oxfam website
2) User is logged in via convio and sent to a convio page
I guess what I'll be using to perform this task is the getSingleSignOn API Call - Is this Correct?
I could have sworn that I read somewhere that the username/password passed into the getSingleSignOn call is a separate user that is authorized to make API Calls. - Is this Correct?
If it is not correct and the username/password belongs to a random user, entering the information on the login page, then:
My question is: Apart from just a simple username/password I also have to pass their constituent id.
The problem is I have no way of knowing the constituent id - Am I supposed to save this information in a db and retrieve it everytime they try to log in?
My next question is: The authentication does not work if the user does not have the Contact Management "Use Convio API" permission set.
So am I supposed to turn this on for every one of the users? We have 1000s of users in convio so I hope I don't have to do this
Comments
-
You may consider checking out the alternative method for SSO Authentication in Convio posted at the following community document post:
http://community.customer.convio.com/docs/DOC-1739
Most people find this approach much easier to understand and implement. It allows you to authenticate the user with Convio as the "master" system while still having access to the external system.
To directly answer your question about the API, the "Use Convio API" permission is an administrative permission and should not be added to groups that end users belong to. Admin users that belong to groups with this permission will not be able to login through the admin console because the permission limits them to accessing the data via api calls.
0 -
Corey Pudhorodsky:
You may consider checking out the alternative method for SSO Authentication in Convio posted at the following community document post:
http://community.customer.convio.com/docs/DOC-1739
Most people find this approach much easier to understand and implement. It allows you to authenticate the user with Convio as the "master" system while still having access to the external system.
To directly answer your question about the API, the "Use Convio API" permission is an administrative permission and should not be added to groups that end users belong to. Admin users that belong to groups with this permission will not be able to login through the admin console because the permission limits them to accessing the data via api calls.
You mentioned that this is an alternative - Does this mean this has nothing to do with the single sign-on API described at the url below?:
http://open.convio.com/api/sso-api/
If these 2 are not the same then what is different and where can I find a similar document that explains the API described here http://open.convio.com/api/sso-api/
My reason for sticking with the api described here http://open.convio.com/api/sso-api/ is that I've already invested weeks coding the python API - I'm really close and just need some questions answered so I can finish it.
Thanks in advance for your answers
0 -
Corey Pudhorodsky:
You may consider checking out the alternative method for SSO Authentication in Convio posted at the following community document post:
http://community.customer.convio.com/docs/DOC-1739
Most people find this approach much easier to understand and implement. It allows you to authenticate the user with Convio as the "master" system while still having access to the external system.
To directly answer your question about the API, the "Use Convio API" permission is an administrative permission and should not be added to groups that end users belong to. Admin users that belong to groups with this permission will not be able to login through the admin console because the permission limits them to accessing the data via api calls.
Is there a similar pdf document that explains in detail the process described here
If not please please let me know what I'm doing wrong in the following steps below:
1) A user enters their username/password in the login form. The login form points to a script on my server
2) In the server I use the getSingleSignOn API call to get the authentication token. Now I did not use the username/password from the login form to do this. Instead I used the API user I created in the admin section to make this API call. The process for creating the admin user is described here:
Was I wrong in using the API admin user to get the authentication token? Was I supposed to use the username/password from the login form?
3) Now I have successfully retrieved an authentication token using the admin user I created. Now how do I authenticate the username/password from the login form??
0 -
Kofi Hamilton:
Is there a similar pdf document that explains in detail the process described here
If not please please let me know what I'm doing wrong in the following steps below:
1) A user enters their username/password in the login form. The login form points to a script on my server
2) In the server I use the getSingleSignOn API call to get the authentication token. Now I did not use the username/password from the login form to do this. Instead I used the API user I created in the admin section to make this API call. The process for creating the admin user is described here:
Was I wrong in using the API admin user to get the authentication token? Was I supposed to use the username/password from the login form?
3) Now I have successfully retrieved an authentication token using the admin user I created. Now how do I authenticate the username/password from the login form??
To answer this question, it might be best to go back to the question in your original post:
My question is: Apart from just a simple username/password I also have to pass their constituent id.
The problem is I have no way of knowing the constituent id - Am I supposed to save this information in a db and retrieve it everytime they try to log in?The assumption here is that you have authenticated the user with your local server's login and password and the relationship between the Convio contact and your server's contact record that you are using to authenticate is already established (via data sync or prior registration). Since you have the token from the GeToken method, you can then use the singleSignOn method to log the client user onto the Convio site.
To troubleshoot or test with the code that you already have written, try passing the contact ID for a Convio end user via the GetToken API and then use that token on a client call to establish the session with the Convio server. Then the client should be able to view Convio pages as if they had logged in through the Convio login page.
0 -
There's been a lot of confusion around the getSingleSignOn API. It is intended to handle the scenario where you want to handle the authentication within your system and force a Convio session to login as a particular user id based on an authentication protocol that you are enforcing on your end (aka "Convio as slave" configuration).
It doesn't sound like this is the scenario that you are dealing with; it sounds like you want to do the more traditional "Convio as master" configuration. If that's the case, then the document that Corey referenced is definitely the way to go, and there's no way to accomplish the "Convio as master" SSO using the APIs. There are other ways to do it that leverage shared cookies, but the signed redirects is the easiest to implement and really makes for a pretty elegant solution. You will still be using the other Constituent APIs once the user logs in, so your investment in getting the Python code working will not be wasted.
Check out the document that Corey referenced. It explains the implementation pretty clearly along with some of the less obvious subtleties that you will need to deal with. You can also have your AM schedule a call with me, and I can give you some more help if you want.
Dave
0 -
DavidHart :
There's been a lot of confusion around the getSingleSignOn API. It is intended to handle the scenario where you want to handle the authentication within your system and force a Convio session to login as a particular user id based on an authentication protocol that you are enforcing on your end (aka "Convio as slave" configuration).
It doesn't sound like this is the scenario that you are dealing with; it sounds like you want to do the more traditional "Convio as master" configuration. If that's the case, then the document that Corey referenced is definitely the way to go, and there's no way to accomplish the "Convio as master" SSO using the APIs. There are other ways to do it that leverage shared cookies, but the signed redirects is the easiest to implement and really makes for a pretty elegant solution. You will still be using the other Constituent APIs once the user logs in, so your investment in getting the Python code working will not be wasted.
Check out the document that Corey referenced. It explains the implementation pretty clearly along with some of the less obvious subtleties that you will need to deal with. You can also have your AM schedule a call with me, and I can give you some more help if you want.
Dave
Ah - ok now I understand
I'll take a look at Corey's doc and hope I have no more questions
By the way you should post your replies about what the getSingleSignOn/singleSignOn API achieves on here http://open.convio.com/api/sso-api/
It will save people a lot of running around
0 -
Corey Pudhorodsky:
To answer this question, it might be best to go back to the question in your original post:
My question is: Apart from just a simple username/password I also have to pass their constituent id.
The problem is I have no way of knowing the constituent id - Am I supposed to save this information in a db and retrieve it everytime they try to log in?The assumption here is that you have authenticated the user with your local server's login and password and the relationship between the Convio contact and your server's contact record that you are using to authenticate is already established (via data sync or prior registration). Since you have the token from the GeToken method, you can then use the singleSignOn method to log the client user onto the Convio site.
To troubleshoot or test with the code that you already have written, try passing the contact ID for a Convio end user via the GetToken API and then use that token on a client call to establish the session with the Convio server. Then the client should be able to view Convio pages as if they had logged in through the Convio login page.
Quick question on the document Corey:
Is the Form action url the same as ??
In other words what is the url of the user login servlet that sits on Convio?
0 -
Kofi Hamilton:
Quick question on the document Corey:
Is the Form action url the same as ??
In other words what is the url of the user login servlet that sits on Convio?
You should use the http://www.foo.org/site/UserLogin URL to authenticate the user in all cases. When necessary, the site will redirect the user to a secure (https://secure2.convio.net/foo...) page to process the request. For the purpose of the user login, always direct to the http://www.foo.org/site/UserLogin where "foo" is the short name for your site.
0 -
Corey Pudhorodsky:
You should use the http://www.foo.org/site/UserLogin URL to authenticate the user in all cases. When necessary, the site will redirect the user to a secure (https://secure2.convio.net/foo...) page to process the request. For the purpose of the user login, always direct to the http://www.foo.org/site/UserLogin where "foo" is the short name for your site.
Thanks for you prompt reply Corey
what is the url that I need to redirect to on the Convio site
You started writing it out but ended with ...
0 -
Kofi Hamilton:
Thanks for you prompt reply Corey
what is the url that I need to redirect to on the Convio site
You started writing it out but ended with ...
Don't worry about the secure link, I included the .. to indicate that there could be a number of pages that are secured.
The link that you should be redirecting to is: http://www.foo.org/site/UserLogin where foo is equal to the short name of your site.
0 -
Corey Pudhorodsky:
Don't worry about the secure link, I included the .. to indicate that there could be a number of pages that are secured.
The link that you should be redirecting to is: http://www.foo.org/site/UserLogin where foo is equal to the short name of your site.
I guess I'm not understanding what is then
There's no path on my site that corresponds to
Is UserLogin a script that I can download or is it a script that does API calls or does the redirecting?
0 -
Corey Pudhorodsky:
Don't worry about the secure link, I included the .. to indicate that there could be a number of pages that are secured.
The link that you should be redirecting to is: http://www.foo.org/site/UserLogin where foo is equal to the short name of your site.
Let me explain my question a bit more:
The documentation says:
Form on a partner site is submitted to the UserLogin servlet on a Convio-powered site.
I guess my question is: This UserLogin servlet does not exist on my site. Where do I download it?
If it's not downloadable but rather it is a script which I create myself then my other question is:
What is the Convio Link that I can redirect to so the credentials get authenticated?
0 -
Kofi Hamilton:
Let me explain my question a bit more:
The documentation says:
Form on a partner site is submitted to the UserLogin servlet on a Convio-powered site.
I guess my question is: This UserLogin servlet does not exist on my site. Where do I download it?
If it's not downloadable but rather it is a script which I create myself then my other question is:
What is the Convio Link that I can redirect to so the credentials get authenticated?
I suspect your case is a little unique since you are still in deployment and your DNS has not been fully configured.
You can also use: http://foo.convio.net/site/UserLogin where "foo" is the short name of your site. Later, the domain which you are directing to your Convio site would also work in replace of "foo.convio.net".
0 -
Corey Pudhorodsky:
I suspect your case is a little unique since you are still in deployment and your DNS has not been fully configured.
You can also use: http://foo.convio.net/site/UserLogin where "foo" is the short name of your site. Later, the domain which you are directing to your Convio site would also work in replace of "foo.convio.net".
Where can I configure my DNS?
I have setup everyting (at least I think so) what when the user tries to login its redirects them to https://secure2.convio.net/oxfam/admin/AdminLogin
0 -
Corey Pudhorodsky:
I suspect your case is a little unique since you are still in deployment and your DNS has not been fully configured.
You can also use: http://foo.convio.net/site/UserLogin where "foo" is the short name of your site. Later, the domain which you are directing to your Convio site would also work in replace of "foo.convio.net".
By the way the pdf document shows the login form as:
<form method="post" action="http://www.foo.org/site/UserLogin">
<input type="text" name="USERNAME" id="USERNAME" maxlength="60" />
<input type="password" name="Password" id="Password" maxlength="20" />
<input type="hidden" name="NEXTURL" id="NEXTURL" value="http://www.foo.org/site/PageServer?pagename=sso_redirect" />
value="http</form>
shouldn't it be:
<form method="post" action="http://foo.convio.net/site/UserLogin">
<input type="text" name="USERNAME" id="USERNAME" maxlength="60" />
<input type="password" name="Password" id="Password" maxlength="20" />
<input type="hidden" name="NEXTURL" id="NEXTURL" value="http://foo.convio.net/site/PageServer?pagename=sso_redirect" />
</form>
0 -
Kofi Hamilton:
By the way the pdf document shows the login form as:
<form method="post" action="http://www.foo.org/site/UserLogin">
<input type="text" name="USERNAME" id="USERNAME" maxlength="60" />
<input type="password" name="Password" id="Password" maxlength="20" />
<input type="hidden" name="NEXTURL" id="NEXTURL" value="http://www.foo.org/site/PageServer?pagename=sso_redirect" />
value="http</form>
shouldn't it be:
<form method="post" action="http://foo.convio.net/site/UserLogin">
<input type="text" name="USERNAME" id="USERNAME" maxlength="60" />
<input type="password" name="Password" id="Password" maxlength="20" />
<input type="hidden" name="NEXTURL" id="NEXTURL" value="http://foo.convio.net/site/PageServer?pagename=sso_redirect" />
</form>
Also
<img src="http://www.foo.org/site/PixelServer" />
should be
<img src="http://foo.convio.net/site/PixelServer" /> . Right??
should be
0 -
Kofi Hamilton:
Also
<img src="http://www.foo.org/site/PixelServer" />
should be
<img src="http://foo.convio.net/site/PixelServer" /> . Right??
should be
Hi Kofi,
I'm really sorry for all the confusion we've created for you and glad to see that it looks like you're making good progress now.
The "foo.convio.net" style domain names are created as "staging" site names and are typically used only during the preparation of your site. Then once the site goes live, we will switch it over to use a more branded domain (aka www.foo.org) as the preferred domain name within our system. A few customers continue using the convio.net domains even after they have gone live. For customers who do have a branded domain, both domains will continue to work, but in general you want to phase out the use of the convio.net URLs quickly. In particular, if you are using the APIs and potentially domain level cookies that you want to share between the Convio site and other systems, you will need to use your own domain name.
Net net is that for now, you need to use your staging site name, but you should write your code to pick up the domain name from a single reference (property file or constant in the code). This way, you can quickly change it once you do go live with a branded URL.
0 -
DavidHart :
Hi Kofi,
I'm really sorry for all the confusion we've created for you and glad to see that it looks like you're making good progress now.
The "foo.convio.net" style domain names are created as "staging" site names and are typically used only during the preparation of your site. Then once the site goes live, we will switch it over to use a more branded domain (aka www.foo.org) as the preferred domain name within our system. A few customers continue using the convio.net domains even after they have gone live. For customers who do have a branded domain, both domains will continue to work, but in general you want to phase out the use of the convio.net URLs quickly. In particular, if you are using the APIs and potentially domain level cookies that you want to share between the Convio site and other systems, you will need to use your own domain name.
Net net is that for now, you need to use your staging site name, but you should write your code to pick up the domain name from a single reference (property file or constant in the code). This way, you can quickly change it once you do go live with a branded URL.
Ohhhhhhh - I see
so on my site points to by way of DNS aliasing. Is that correct?
I thought UserLogin was a script provided by Convio. A simple note in the pdf stating that it is a DNS aliased url will be very very helpful.
0 -
DavidHart :
Hi Kofi,
I'm really sorry for all the confusion we've created for you and glad to see that it looks like you're making good progress now.
The "foo.convio.net" style domain names are created as "staging" site names and are typically used only during the preparation of your site. Then once the site goes live, we will switch it over to use a more branded domain (aka www.foo.org) as the preferred domain name within our system. A few customers continue using the convio.net domains even after they have gone live. For customers who do have a branded domain, both domains will continue to work, but in general you want to phase out the use of the convio.net URLs quickly. In particular, if you are using the APIs and potentially domain level cookies that you want to share between the Convio site and other systems, you will need to use your own domain name.
Net net is that for now, you need to use your staging site name, but you should write your code to pick up the domain name from a single reference (property file or constant in the code). This way, you can quickly change it once you do go live with a branded URL.
Also are there any administration setups that I need to complete to do "Single Sign-On with Signed URL Redirects". Please point me to documentation that shows me how.
0
Categories
- All Categories
- Shannon parent
- shannon 2
- shannon 1
- 21 Advocacy DC Users Group
- 14 BBCRM PAG Discussions
- 89 High Education Program Advisory Group (HE PAG)
- 28 Luminate CRM DC Users Group
- 8 DC Luminate CRM Users Group
- Luminate PAG
- 5.9K Blackbaud Altru®
- 58 Blackbaud Award Management™ and Blackbaud Stewardship Management™
- 409 bbcon®
- 2.1K Blackbaud CRM™ and Blackbaud Internet Solutions™
- donorCentrics®
- 1.1K Blackbaud eTapestry®
- 2.8K Blackbaud Financial Edge NXT®
- 1.1K Blackbaud Grantmaking™
- 527 Education Management Solutions for Higher Education
- 1 JustGiving® from Blackbaud®
- 4.6K Education Management Solutions for K-12 Schools
- Blackbaud Luminate Online & Blackbaud TeamRaiser
- 16.4K Blackbaud Raiser's Edge NXT®
- 4.1K SKY Developer
- 547 ResearchPoint™
- 151 Blackbaud Tuition Management™
- 1 YourCause® from Blackbaud®
- 61 everydayhero
- 3 Campaign Ideas
- 58 General Discussion
- 115 Blackbaud ID
- 87 K-12 Blackbaud ID
- 6 Admin Console
- 949 Organizational Best Practices
- 353 The Tap (Just for Fun)
- 235 Blackbaud Community Feedback Forum
- 55 Admissions Event Management EAP
- 18 MobilePay Terminal + BBID Canada EAP
- 36 EAP for New Email Campaigns Experience in Blackbaud Luminate Online®
- 109 EAP for 360 Student Profile in Blackbaud Student Information System
- 41 EAP for Assessment Builder in Blackbaud Learning Management System™
- 9 Technical Preview for SKY API for Blackbaud CRM™ and Blackbaud Altru®
- 55 Community Advisory Group
- 46 Blackbaud Community Ideas
- 26 Blackbaud Community Challenges
- 7 Security Testing Forum
- 1.1K ARCHIVED FORUMS | Inactive and/or Completed EAPs
- 3 Blackbaud Staff Discussions
- 7.7K ARCHIVED FORUM CATEGORY [ID 304]
- 1 Blackbaud Partners Discussions
- 1 Blackbaud Giving Search™
- 35 EAP Student Assignment Details and Assignment Center
- 39 EAP Core - Roles and Tasks
- 59 Blackbaud Community All-Stars Discussions
- 20 Blackbaud Raiser's Edge NXT® Online Giving EAP
- Diocesan Blackbaud Raiser’s Edge NXT® User’s Group
- 2 Blackbaud Consultant’s Community
- 43 End of Term Grade Entry EAP
- 92 EAP for Query in Blackbaud Raiser's Edge NXT®
- 38 Standard Reports for Blackbaud Raiser's Edge NXT® EAP
- 12 Payments Assistant for Blackbaud Financial Edge NXT® EAP
- 6 Ask an All Star (Austen Brown)
- 8 Ask an All-Star Alex Wong (Blackbaud Raiser's Edge NXT®)
- 1 Ask an All-Star Alex Wong (Blackbaud Financial Edge NXT®)
- 6 Ask an All-Star (Christine Robertson)
- 21 Ask an Expert (Anthony Gallo)
- Blackbaud Francophone Group
- 22 Ask an Expert (David Springer)
- 4 Raiser's Edge NXT PowerUp Challenge #1 (Query)
- 6 Ask an All-Star Sunshine Reinken Watson and Carlene Johnson
- 4 Raiser's Edge NXT PowerUp Challenge: Events
- 14 Ask an All-Star (Elizabeth Johnson)
- 7 Ask an Expert (Stephen Churchill)
- 2025 ARCHIVED FORUM POSTS
- 322 ARCHIVED | Financial Edge® Tips and Tricks
- 164 ARCHIVED | Raiser's Edge® Blog
- 300 ARCHIVED | Raiser's Edge® Blog
- 441 ARCHIVED | Blackbaud Altru® Tips and Tricks
- 66 ARCHIVED | Blackbaud NetCommunity™ Blog
- 211 ARCHIVED | Blackbaud Target Analytics® Tips and Tricks
- 47 Blackbaud CRM Higher Ed Product Advisory Group (HE PAG)
- Luminate CRM DC Users Group
- 225 ARCHIVED | Blackbaud eTapestry® Tips and Tricks
- 1 Blackbaud eTapestry® Know How Blog
- 19 Blackbaud CRM Product Advisory Group (BBCRM PAG)
- 1 Blackbaud K-12 Education Solutions™ Blog
- 280 ARCHIVED | Mixed Community Announcements
- 3 ARCHIVED | Blackbaud Corporations™ & Blackbaud Foundations™ Hosting Status
- 1 npEngage
- 24 ARCHIVED | K-12 Announcements
- 15 ARCHIVED | FIMS Host*Net Hosting Status
- 23 ARCHIVED | Blackbaud Outcomes & Online Applications (IGAM) Hosting Status
- 22 ARCHIVED | Blackbaud DonorCentral Hosting Status
- 14 ARCHIVED | Blackbaud Grantmaking™ UK Hosting Status
- 117 ARCHIVED | Blackbaud CRM™ and Blackbaud Internet Solutions™ Announcements
- 50 Blackbaud NetCommunity™ Blog
- 169 ARCHIVED | Blackbaud Grantmaking™ Tips and Tricks
- Advocacy DC Users Group
- 718 Community News
- Blackbaud Altru® Hosting Status
- 104 ARCHIVED | Member Spotlight
- 145 ARCHIVED | Hosting Blog
- 149 JustGiving® from Blackbaud® Blog
- 97 ARCHIVED | bbcon® Blogs
- 19 ARCHIVED | Blackbaud Luminate CRM™ Announcements
- 161 Luminate Advocacy News
- 187 Organizational Best Practices Blog
- 67 everydayhero Blog
- 52 Blackbaud SKY® Reporting Announcements
- 17 ARCHIVED | Blackbaud SKY® Reporting for K-12 Announcements
- 3 Luminate Online Product Advisory Group (LO PAG)
- 81 ARCHIVED | JustGiving® from Blackbaud® Tips and Tricks
- 1 ARCHIVED | K-12 Conference Blog
- Blackbaud Church Management™ Announcements
- ARCHIVED | Blackbaud Award Management™ and Blackbaud Stewardship Management™ Announcements
- 1 Blackbaud Peer-to-Peer Fundraising™, Powered by JustGiving® Blogs
- 39 Tips, Tricks, and Timesavers!
- 56 Blackbaud Church Management™ Resources
- 154 Blackbaud Church Management™ Announcements
- 1 ARCHIVED | Blackbaud Church Management™ Tips and Tricks
- 11 ARCHIVED | Blackbaud Higher Education Solutions™ Announcements
- 7 ARCHIVED | Blackbaud Guided Fundraising™ Blog
- 2 Blackbaud Fundraiser Performance Management™ Blog
- 9 Foundations Events and Content
- 14 ARCHIVED | Blog Posts
- 2 ARCHIVED | Blackbaud FIMS™ Announcement and Tips
- 59 Blackbaud Partner Announcements
- 10 ARCHIVED | Blackbaud Impact Edge™ EAP Blogs
- 1 Community Help Blogs
- Diocesan Blackbaud Raiser’s Edge NXT® Users' Group
- Blackbaud Consultant’s Community
- Blackbaud Francophone Group
- 1 BLOG ARCHIVE CATEGORY
- Blackbaud Community™ Discussions
- 8.3K Blackbaud Luminate Online® & Blackbaud TeamRaiser® Discussions
- 5.7K Jobs Board