Exhibitor SSO
This document explains how to sign in to ASP’s Exhibitor Zone via single sign-on (SSO) from an
external system. The SSO URL is generated and validated using the OAuth 1.0a HMAC-SHA1
signature method.
ASSUMPTIONS
The following assumptions have been made in relation to the integration:
▪ The exhibitor data has been uploaded to both ASP and the external system
▪ Each exhibitor contact has a unique identifier that is the same in both systems
▪ ASP has supplied the shared secret to create the signature
REQUEST METHOD & URL
HTTP Method: GET
Base URL
The base URL is the URL to which the request is directed, minus any query string or hash parameters. It is
important to use the correct protocol here, so make sure that the “https://” portion of the URL matches the
actual request sent to the API.
BaseURL: [SiteURL]/__zone/sso
[SiteURL] will be replaced with the actual URL of the website,
e.g. https://www.example.com/__zone/sso
SSO PARAMETERS
You now need to gather all the parameters used in the request and to generate the signature. Below is a
list of parameters required.
Parameter Name    Example Value                           Description
clientreference   123e4567-e89b-12d3-a456-426655440000    This is a pre-shared value that is unique to each exhibitor and has been uploaded to both platforms.
timestamp         1318622958                              This is a UNIX timestamp. The link will expire 1 hour after this time.
PRIVATE & CONFIDENTIAL PAGE 1 | 3
These values need to be encoded into a single string which will be used later on. The process to build
the string is very specific:
1. Percent encode every key and value that will be signed.
2. Sort the list of parameters alphabetically.
3. For each key/value pair:
a. Append the encoded key to the output string.
b. Append the ‘=’ character to the output string.
c. Append the encoded value to the output string.
d. If there are more key/value pairs remaining, append a ‘&’ character to the output string.
The following example string should be created:
clientreference=123e4567-e89b-12d3-a456-426655440000&timestamp=1318622958
CREATING THE SIGNATURE BASE STRING
The values collected so far need to be joined to make a single string from which we will generate the
signature. This is called the signature base string.
To encode the HTTP method, base URL, and SSO parameters into a single string:
▪ Convert the HTTP Method to uppercase and set the output string equal to this value.
▪ Append the ‘&’ character to the output string.
▪ Percent encode the URL and append it to the output string.
▪ Append the ‘&’ character to the output string.
▪ Percent encode the parameter string and append it to the output string.
This will produce a signature base string like the below:
GET&https%3A%2F%2Fwww.example.com%2F__zone%2Fsso&clientreference%3D123e4567-e89b-12d3-a456-426655440000%26timestamp%3D1318622958
Make sure to percent encode the parameter string! The signature base string should contain exactly 2
ampersand ‘&’ characters. Any percent ‘%’ characters in the parameter string should be encoded as %25
in the signature base string.
CALCULATING THE SIGNATURE
Finally, the signature is calculated by passing the signature base string and signing key to the
HMAC-SHA1 hashing algorithm. The details of the algorithm are explained in depth here, but
thankfully there are implementations of HMAC-SHA1 available for every popular language.
The output of the HMAC signing function is a binary string. This needs to be base64 encoded to produce
the signature string.
For example, the output given the base string and signing key given on this page is
92 3D 0B 33 7E 58 5F 59 9F 58 7C 2B 0F 60 AD 59 01 FF F0 64
That value, when converted to base64, is the OAuth signature for this request:
kj0LM35YX1mfWHwrD2CtWQH/8GQ=
Putting this all together creates a final SSO link of:
https://www.example.com/__zone/sso?clientreference=123e4567-e89b-12d3-a456-426655440000&timestamp=1318622958&signature=kj0LM35YX1mfWHwrD2CtWQH%2F8GQ%3D
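The whole procedure above, from parameter string to signed link, plus the receiving-side check, as an added example that is not ASP's own code. It assumes the shared secret is used directly as the HMAC key (this document does not state the key format, so confirm it with ASP); the function names, the 5-minute clock-skew allowance and the secret value are constructed for illustration.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, urlsplit

LINK_LIFETIME = 3600  # seconds: the link expires 1 hour after `timestamp`
MAX_SKEW = 300        # assumption: tolerate 5 minutes of clock drift between the systems

def pct(value):
    # RFC 3986 percent-encoding as OAuth 1.0a uses it: only A-Z a-z 0-9 - . _ ~ stay literal
    return quote(str(value), safe="~")

def base_string(method, base_url, params):
    # Encode every key and value, sort, join as k=v&k=v, then encode the whole string again
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(param_string)])

def sign(secret, method, base_url, params):
    # Assumption: the shared secret is the HMAC key as-is; confirm the key format with ASP
    mac = hmac.new(secret.encode(), base_string(method, base_url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_link(secret, base_url, clientreference, timestamp):
    params = {"clientreference": clientreference, "timestamp": timestamp}
    query = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return f"{base_url}?{query}&signature={pct(sign(secret, 'GET', base_url, params))}"

def verify_link(secret, url, now=None):
    now = time.time() if now is None else now
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    params = dict(pairs)
    # Reject duplicated or unexpected parameters so signer and verifier parse identically
    if len(pairs) != 3 or set(params) != {"clientreference", "timestamp", "signature"}:
        return False
    supplied = params.pop("signature")
    expected = sign(secret, "GET", f"{parts.scheme}://{parts.netloc}{parts.path}", params)
    if not hmac.compare_digest(expected.encode(), supplied.encode()):  # constant-time compare
        return False
    try:
        ts = int(params["timestamp"])
    except ValueError:
        return False
    return ts - MAX_SKEW <= now <= ts + LINK_LIFETIME

# Constructed sample values; the secret below is a placeholder, not a real ASP secret
SECRET = "constructed-demo-secret"
URL = "https://www.example.com/__zone/sso"
LINK = build_link(SECRET, URL, "123e4567-e89b-12d3-a456-426655440000", 1318622958)
```

Because the placeholder secret differs from the one behind the documented example, the signature in LINK will not match the one shown above; the signature base string does.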