Using One-Time URL for single sign-on scenarios or one-time invitations

Thinfinity® VirtualUI offers a special access method called “One-Time URL”. This mechanism creates a temporary, unique URL that grants one-time access to a specific application. The URL is discarded as soon as it is used, or after a specified period of time has elapsed.
These are the main scenarios where the One-Time URL access method is most useful:

  • Single Sign-on scenarios.
  • External authentication methods.
  • One-time invitations to run a program (i.e. application demos/presentations).

How it works

The One-Time URL is a unique, disposable URL leading to a specific VirtualUI application. What makes it useful is that it allows credentials and/or custom data to be passed to the application through an independent, secure channel that is hidden from the end user.

[Figure: single sign-on dialog scheme]

A usual scenario involves a backend service (i.e. a web server) where the user’s credentials are validated. This backend service contacts a VirtualUI Server to request the creation of a One-Time URL, passing information about the application to run, the credentials and any custom data. This information is stored temporarily and indexed by a unique access key. A random passcode is also generated and used to encrypt the stored information. The access key and passcode are returned to the backend service, which uses them to build the final One-Time URL.
Once the user is directed to the provided URL (automatically or by clicking on a link), VirtualUI validates the access key and passcode and starts the application, passing it the associated data. The key and its associated data are then removed from memory, so the URL becomes invalid. The same happens if the URL is not used within the time specified in the creation request. Until then, anyone holding the URL can redeem it, so deliver it to the user only over HTTPS, keep the expiry short and keep it out of logs.

Creating a One-Time URL

The VirtualUI Server processes a One-Time URL creation request sent as an HTTP(S) GET. Every parameter value must be URL-encoded (a password or customdata value containing ‘&’, ‘=’ or ‘#’ would otherwise break the query string). The request has the following form:

serverurl + "/ws/oturl/get?apikey=" + apikey + "&accesskey=" + accesskey
          + "&userid=" + userid + "&password=" + password + "&customdata=" + customdata
          + "&plen=" + plen + "&expires=" + expires

where:

  • serverurl (optional): VirtualUI Server address (protocol, domain and port).
  • apikey (required): VirtualUI installation API key. Find it in Thinfinity.VirtualUI.Server.ini at C:\ProgramData\Cybele Software\Thinfinity\VirtualUI. This key authorizes the creation of One-Time URLs, so it must stay on the backend and never be exposed to the browser.
  • accesskey (required): Identifies the application that will be run. Fill this parameter with the “access key” found in the application profile in the VirtualUI Server Manager.
  • userid (optional): A valid user that meets the criteria set in the application profile’s ‘Permissions’ tab.
  • password (optional): The password of the user specified in the ‘userid’ parameter.
  • customdata (optional): Use this field to send any information you need to make available to the application. This is the right place to pass sign-on credentials. The value is accessible in the application through the BrowserInfo.CustomData property.
  • plen (optional): Length of the passcode to be returned.
  • expires (optional): Ticket expiration time, in minutes.

If the request is unsuccessful, the following HTTP codes can be received:

  • 400: Invalid parameters
  • 401: Userid/password invalid

If the request is successful, the http call returns a 200 HTTP status code, and a JSON object consisting of two fields:

{
    "key": "LnJwsxGHp5d@6MHeiEswRdfxFCiIcLAUttRS$9FSUs-Utz3o",
    "pass":"1U4KRLN0"
}

With this information, the backend can build the final URL, following this format:

http(s)://server-url/oturl.html?key=[accesskey]&pass=[passcode]

Here’s an example that uses the JSON object shown above:

http(s)://server-url/oturl.html?key=LnJwsxGHp5d@6MHeiEswRdfxFCiIcLAUttRS$9FSUs-Utz3o&pass=1U4KRLN0
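The following is an added example, written for this page and not part of Thinfinity’s SDK or the original post. It implements the backend side described in the sections above and in the sequence example that follows: building the /ws/oturl/get request with URL-encoded parameters, handling the documented 400/401/200 responses, and composing the oturl.html URL for the end user. The hostname vui.example.com, the API key and access key values, the ‘jdoe’/‘pass’ credentials and the fake_fetch() stand-in server (which replies with the JSON object shown on the page) are all constructed for the example; the refusal to send the request over plain HTTP is a policy added here, not a VirtualUI requirement.

```python
"""Issue a Thinfinity VirtualUI One-Time URL from a backend service.

Added example for this page, not Thinfinity's own SDK code.  It relies only on
the two endpoints the page documents: GET <serverurl>/ws/oturl/get, which
answers with {"key": ..., "pass": ...}, and <server-url>/oturl.html?key=&pass=
for the end user.  The transport is injected so the flow runs offline against
a constructed reply; http_fetch() is the real transport.
"""
import json
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen


class OneTimeUrlError(Exception):
    """Raised when the creation request is rejected or the reply is unusable."""


def build_creation_request(serverurl, apikey, accesskey, userid=None, password=None,
                           customdata=None, plen=None, expires=None):
    """Return the /ws/oturl/get URL with every value percent-encoded.

    Plain string concatenation breaks as soon as a password or customdata value
    contains '&', '=' or '#'; urlencode() handles that.  The apikey authorises
    OTURL creation, so this request is only ever sent over TLS (added policy).
    """
    if urlsplit(serverurl).scheme != "https":
        raise OneTimeUrlError("refusing to send apikey and credentials without TLS")
    params = {"apikey": apikey, "accesskey": accesskey}
    for name, value in (("userid", userid), ("password", password),
                        ("customdata", customdata), ("plen", plen), ("expires", expires)):
        if value is not None:          # optional parameters are simply omitted
            params[name] = value
    return serverurl.rstrip("/") + "/ws/oturl/get?" + urlencode(params)


def request_one_time_url(creation_url, fetch):
    """Send the request through fetch(url) -> (status, body); return (key, pass).

    Maps the documented failure codes (400, 401) to exceptions and refuses a
    200 whose JSON does not carry the two expected non-empty string fields.
    """
    status, body = fetch(creation_url)
    if status == 400:
        raise OneTimeUrlError("400: invalid parameters")
    if status == 401:
        raise OneTimeUrlError("401: userid/password invalid")
    if status != 200:
        raise OneTimeUrlError(f"unexpected HTTP status {status}")
    try:
        reply = json.loads(body)
    except ValueError as exc:
        raise OneTimeUrlError("reply is not JSON") from exc
    key, passcode = reply.get("key"), reply.get("pass")
    if not (isinstance(key, str) and isinstance(passcode, str) and key and passcode):
        raise OneTimeUrlError("reply lacks key/pass")
    return key, passcode


def build_user_url(public_url, key, passcode):
    """Compose http(s)://server-url/oturl.html?key=...&pass=... for the browser.

    '@' and '$' are left raw so the result matches the form shown on the page;
    anything else outside the unreserved set is percent-encoded.  Until it is
    redeemed or expires the result is a bearer credential: hand it to the user
    over TLS only and keep it out of logs.
    """
    query = urlencode({"key": key, "pass": passcode}, safe="@$")
    return public_url.rstrip("/") + "/oturl.html?" + query


def issue_one_time_url(serverurl, apikey, accesskey, fetch, public_url=None, **kwargs):
    """End-to-end: creation request -> (key, pass) -> URL handed to the end user."""
    creation_url = build_creation_request(serverurl, apikey, accesskey, **kwargs)
    key, passcode = request_one_time_url(creation_url, fetch)
    return build_user_url(public_url or serverurl, key, passcode)


def http_fetch(url):
    """Real transport.  HTTPError carries the 4xx code and body instead of raising."""
    try:
        with urlopen(Request(url), timeout=10) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


# Constructed stand-in for a VirtualUI Server: answers with the JSON object shown
# on the page.  It is not a real server and checks only the request shape.
SAMPLE_REPLY = b'{"key": "LnJwsxGHp5d@6MHeiEswRdfxFCiIcLAUttRS$9FSUs-Utz3o", "pass":"1U4KRLN0"}'


def fake_fetch(url):
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.path != "/ws/oturl/get" or "apikey" not in query or "accesskey" not in query:
        return 400, b""
    return 200, SAMPLE_REPLY


if __name__ == "__main__":
    # 'jdoe'/'pass' as in the sequence example; API-KEY and APP-ACCESS-KEY are hypothetical.
    print(issue_one_time_url("https://vui.example.com", "API-KEY", "APP-ACCESS-KEY",
                             fake_fetch, userid="jdoe", password="pass",
                             customdata="jdoe:pass", plen=8, expires=2))
```

Replace fake_fetch with http_fetch to talk to a real VirtualUI Server; the rest of the flow is unchanged. Note that the user-facing URL is built with the same safe="@$" choice the page’s own example uses, so the output for the sample reply is byte-for-byte the URL shown above.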

Single Sign-on Sequence Example

The sequence diagram below shows a complete One-Time URL example using single sign-on. In this example the same credentials, the ‘jdoe’ username and ‘pass’ password, are first used for the single sign-on and then sent to the application in the customdata parameter.
[Figure: single sign-on sequence diagram]
In conclusion, the One-Time URL offers a useful way to extend web-enhanced applications to new scenarios. We are fully convinced that you will greatly benefit from this new Thinfinity® VirtualUI feature.


2 Comments

Mariana, October 4, 2019 at 7:02 pm

Hi Andrew,
Thanks for your inquiry. We need to know the version you’re running and some other information to investigate.
I’ll send you an email to work with you.
Best regards,
Mariana

Andrew, October 4, 2019 at 2:18 pm

I’ve set up an application with anonymous access and would like to authenticate the user by passing a token in “customdata”. However, when trying to obtain the one-time URL parameters I’m receiving “You do not have permission to view this directory or page using the credentials that you supplied”, regardless of whether I specify an empty userid and password or omit them altogether.
Could you please explain all the required preconditions in more detail?

Tags: Application Integration, IT Security, One-Time URL, RBAC, SDK, Secure Access, Single Sign-On (SSO), Thinfinity Workspace