DEFENSE LOGISTICS AGENCY
AMERICA'S COMBAT LOGISTICS SUPPORT AGENCY
PIEE (Procurement Integrated Enterprise Environment) Generic Single Sign On (SSO)
WARFIGHTER FIRST
SSO Solution
• OAuth (Open Authentication)
o OAuth is an open standard for authentication.
o OAuth allows users to hand out tokens, instead of credentials, for their data hosted by a given service provider.
o Each token grants access to a specific site (e.g. Wide Area Workflow e-Business Suite), for specific resources (e.g. the user's first name and last name) and for a defined duration (e.g. the next 5 minutes).
• OpenID Connect
o OpenID Connect is used in conjunction with OAuth 2.0 to allow registered SSO client applications access to user information from PIEE applications.
o OpenID requests must first be authorized by OAuth 2.0.
o User Info can include: User ID, First Name, Last Name, Enabled Flag, DOD ID, Email Address, Title, and Organization.
For more information about OpenID Connect, please visit http://openid.net/connect/
For more information about OAuth, please visit http://oauth.net/documentation/getting-started/
SSO Overview
(Diagram) Trusted System: Account Registration, Approval, and Single Sign On
(Diagram) SSO Client Application in PIEE
OAuth to authorize the user, then OpenID to retrieve info.
SSO Sequence Diagram
Participants: User's Browser, Trusted System, Target PIEE Application (the SSO client)
1. The user accesses and logs onto the Trusted System; the Trusted System creates a session.
2. The user clicks on the SSO Client Application (requests access to the SSO client); the Trusted System sends a request to the URL specified by the client application, which builds the OAuth authorization URL and sends an OAuth HTTP(S) redirect URL to the user's browser.
3. The user's browser receives the URL and redirects to it; the Trusted System receives the redirect.
• Format of the URL request: <Trusted System Server URL>/portal/oauth2/authorize?response_type=code&client_id=<Provided client ID>&redirect_uri=<Client provided redirect URI>
4. The Trusted System validates the provided Client ID, creates an authorization code, and redirects back to the browser.
SSO Sequence Diagram (continued)
5. The user's browser redirects back to the SSO client, to the redirect URI provided in step 3.
• Format of the URL response: <Client redirect URI>?code=<Trust generated authorization code>
6. The SSO client receives the authorization code, builds the OAuth authorization request to the Trusted System, and sends a POST request to the Trusted System.
• The POST request must include an HTTP Authorization header carrying the base64-encoded client ID and password provided to the SSO client application (example: Authorization: Basic ZGFpY2xpZW50OIFhendzeEAx)
• POST request URL format: <Trust Server URL>/portal/oauth2/token?grant_type=authorization_code&code=<Authorization Code Provided>&redirect_uri=<Client redirect URI>
7. The Trusted System validates the POST request received, creates the authorization token JSON data, and sends the POST response to the client, which receives the JSON authorization token data.
• Authorization JSON data format:
{
  "user_id": "<userId>",
  "expires_in": "300",               (seconds until the access token expires)
  "refresh_token": "<refresh token>",
  "access_token": "<access token>"   (token used to retrieve user information)
}
SSO Sequence Diagram (continued)
8. The SSO client builds the request for user data (per OpenID Connect) and sends a GET request to the Trusted System.
• GET request URL format: <Trust Server URL>/userdata/<provided user ID>?oauth_token=<provided access token>
9. The Trusted System validates the access token received, builds the JSON response of the user's data, and sends the response to the client, which receives the requested user JSON data.
• User JSON data format can include:
{
  "userId": "<userId>",
  "roles": [ { <role particular information> } ],
  "dodId": "<EDIPI Number>",
  "title": "<user's title>",
  "organization": "<user's organization>",
  "firstName": "<first name>",
  "lastName": "<last name>",
  "enabled": true,
  "email": "<email address>",
  "phoneNumber": "<phone number>",
  "dsnPhoneNumber": "<DSN phone>"
}
Note: this can change based on the SSO client's needs.
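The SSO client's side of the exchange on the three sequence-diagram slides, as an added Python example that is not part of this deck: it builds the authorize URL, pulls the code out of the redirect, builds the token POST with the Basic header, reads the token JSON, builds the user-data GET and checks the enabled flag. The server URL, client ID, password and redirect URI are constructed placeholders, and the functions build and check the messages offline rather than sending them.

```python
import base64, json
from urllib.parse import parse_qs, urlencode, urlparse
# Constructed placeholder values; real client IDs and passwords come from PIEE registration.
TRUST_URL = "https://trust.example"                   # <Trust Server URL>
CLIENT_ID = "demo-client"                             # <Provided client ID>
CLIENT_PASSWORD = "demo-password"                     # password issued to the SSO client
REDIRECT_URI = "https://client.example/sso/callback"  # <Client redirect URI>

def build_authorize_url():
    """The /portal/oauth2/authorize URL the client redirects the user's browser to."""
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI})
    return f"{TRUST_URL}/portal/oauth2/authorize?{query}"

def extract_code(redirected_url):
    """Take ?code= from the redirect back, but only if it landed on the registered URI."""
    got, want = urlparse(redirected_url), urlparse(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect did not land on the registered redirect URI")
    codes = parse_qs(got.query).get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("missing or ambiguous authorization code")
    return codes[0]

def build_token_request(code):
    """POST to /portal/oauth2/token with HTTP Basic auth of 'client ID:password'."""
    query = urlencode({"grant_type": "authorization_code", "code": code,
                       "redirect_uri": REDIRECT_URI})
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_PASSWORD}".encode()).decode()
    return {"method": "POST", "url": f"{TRUST_URL}/portal/oauth2/token?{query}",
            "headers": {"Authorization": f"Basic {basic}"}}

def parse_token_response(body, now):
    """Read the token JSON; the slide shows expires_in as a string of seconds."""
    data = json.loads(body)
    if not data.get("access_token"):
        raise ValueError("token response carries no access token")
    return {"user_id": data["user_id"], "access_token": data["access_token"],
            "expires_at": now + int(data["expires_in"])}

def build_userdata_request(user_id, access_token):
    """GET /userdata/<user ID>?oauth_token=<access token>, as the slide formats it."""
    return {"method": "GET", "url": f"{TRUST_URL}/userdata/{user_id}?" + urlencode({"oauth_token": access_token})}

def parse_user_info(body):
    """Accept the user JSON only for an enabled account."""
    info = json.loads(body)
    if info.get("enabled") is not True:
        raise PermissionError("PIEE reports the account as not enabled")
    return info
```

Because the user-data request carries the access token in the URL query string and the token request carries the client password in a header, keep both request URLs out of client-side access logs and send them only over HTTPS.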
SSO More Information
• For more information on interfacing with the PIEE system SSO, you may view the document linked below for sample requests and detailed steps.
Questions/Comments?