EZone SSO
This document gives instructions on how to use SSO into ASP’s Exhibitor Zone
from an external source. We follow the OAuth 1.0a HMAC-SHA1 signature method
to generate and validate a URL.
ASSUMPTIONS
▪ The exhibitor data has been uploaded to both ASP and the external system
▪ Each exhibitor contact has a unique identifier that is the same in both systems
▪ ASP has supplied the shared secret to create the signature
Base URL
The base URL is the URL to which the request is directed, minus any query string or hash parameters. It is
important to use the correct protocol here, so make sure that the “https://” portion of the URL matches the
actual request sent to the API.
BaseURL: [SiteURL]/__zone/sso
SSO PARAMETERS
You now need to gather all the parameters used in the request and to generate the signature. Below is a
list of parameters required.
timestamp    1318622958    This is a UNIX timestamp. The link will expire 1 hour after this time.
clientreference=123e4567-e89b-12d3-a456-426655440000&timestamp=1318622958
The values collected so far need to be joined to make a single string from which we will generate the
signature. This is called the signature base string.
To encode the HTTP method, base URL, and SSO parameters into a single string:
▪ Convert the HTTP Method to uppercase and set the output string equal to this value.
▪ Append the ‘&’ character to the output string.
▪ Percent encode the URL and append it to the output string.
▪ Append the ‘&’ character to the output string.
▪ Percent encode the parameter string and append it to the output string.
GET&https%3A%2F%2Fwww.example.com%2F__zone%2Fsso&clientreference%3D123e4567-e89b-12d3-a456-426655440000%26timestamp%3D1318622958
Make sure to percent encode the parameter string! The signature base string should contain exactly 2
ampersand ‘&’ characters. Any percent ‘%’ characters in the parameter string should be encoded as %25
in the signature base string.
Finally, the signature is calculated by passing the signature base string and signing key to the
HMAC-SHA1 hashing algorithm. The details of the algorithm are explained in depth here, but thankfully
there are implementations of HMAC-SHA1 available for every popular language.
For example, the output for the base string and signing key given on this page is:
92 3D 0B 33 7E 58 5F 59 9F 58 7C 2B 0F 60 AD 59 01 FF F0 64
That value, when converted to base64, is the OAuth signature for this request:
kj0LM35YX1mfWHwrD2CtWQH/8GQ=
https://www.example.com/__zone/sso?clientreference=123e4567-e89b-12d3-a456-426655440000&timestamp=1318622958&signature=kj0LM35YX1mfWHwrD2CtWQH%2F8GQ%3D
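The steps above, from signature base string to signed URL, together with the check the receiving side would make, as an added Python example (not ASP's code). The function names, using the shared secret bytes directly as the HMAC key, and rejecting timestamps in the future are assumptions.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote

MAX_AGE = 3600  # seconds; the page says the link expires 1 hour after the timestamp

def pct(value):
    # RFC 3986 percent-encoding: everything except unreserved characters is escaped
    return quote(value, safe="")

def signature_base_string(base_url, clientreference, timestamp):
    params = f"clientreference={pct(clientreference)}&timestamp={timestamp}"
    # METHOD & encoded URL & encoded parameter string: exactly two '&' characters
    return "&".join(["GET", pct(base_url), pct(params)]), params

def sign(secret, base):
    # Assumption: the shared secret bytes are used directly as the HMAC key
    digest = hmac.new(secret, base.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")

def build_sso_url(secret, base_url, clientreference, timestamp):
    base, params = signature_base_string(base_url, clientreference, timestamp)
    return f"{base_url}?{params}&signature={pct(sign(secret, base))}"

def verify_sso_url(secret, base_url, url, now=None):
    location, _, query = url.partition("?")
    try:
        fields = parse_qs(query, strict_parsing=True)
    except ValueError:
        return False
    if location != base_url or sorted(fields) != ["clientreference", "signature", "timestamp"]:
        return False
    if any(len(values) != 1 for values in fields.values()):
        return False  # duplicated parameters are ambiguous, so reject them
    ts = fields["timestamp"][0]
    if not (ts.isascii() and ts.isdigit()):
        return False
    base, _ = signature_base_string(base_url, fields["clientreference"][0], ts)
    expected = sign(secret, base).encode("utf-8")
    if not hmac.compare_digest(expected, fields["signature"][0].encode("utf-8")):
        return False  # compared in constant time, before the timestamp is trusted
    age = (time.time() if now is None else now) - int(ts)
    return 0 <= age <= MAX_AGE  # rejecting future timestamps is an added assumption
```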