Single Sign On (SSO)
This endpoint is used to authenticate the user using your own existing authentication system.

HTTP Request

GET /sso_login/?sig=<hmac-signature>&sso=<payload>
To generate the SSO URL, you need to generate:
  1. Payload
  2. HMAC signature

Payload

The payload is a special string which is generated as follows
  • Concatenate the parameters in the following table with &
  • Encode the concatenated string with base64 encoding.
| Parameter | Type | Description |
|---|---|---|
| email/username | string | Email address or username of the user, respectively |
| time | string | Time since epoch |
Example with email
email=demo@testpress.in&time=1554879681
Example with username
[email protected]&time=1554879681
Python

    import base64, time

    epoch_time = int(time.time())
    query_string = "email=demo@testpress.in&time={}".format(epoch_time)
    # b64encode() works on bytes; decode the result back to str for use in the URL
    payload = base64.b64encode(query_string.encode()).decode()

    print(payload)

The above snippet returns the payload as shown below

    ZW1haWw9ZGVtb0B0ZXN0cHJlc3MuaW4mdGltZT0xNTU0ODc5Njgx
NodeJS

    // Seconds since the epoch
    let epochTime = Math.floor(new Date().getTime() / 1000);
    let queryString = "email=demo@testpress.in&time=" + epochTime;
    let payload = btoa(queryString);

    console.log(payload);

The above snippet returns the payload as shown below

    ZW1haWw9ZGVtb0B0ZXN0cHJlc3MuaW4mdGltZT0xNTU0ODc5Njgx
PHP

    <?php
    $epoch = time();
    $email = "demo@testpress.in";
    $qstring = "email=" . $email . "&time=" . $epoch;
    $payload = base64_encode($qstring);
    echo $payload;
    ?>

The above snippet returns the payload as shown below

    ZW1haWw9ZGVtb0B0ZXN0cHJlc3MuaW4mdGltZT0xNTU0ODc5Njgx

HMAC Signature

HMAC (Hash-based message authentication code) is used to detect tampering during the request flow. We use a time-based HMAC algorithm to limit the lifetime of the HMAC.
To generate the HMAC signature, the following are needed:
  • payload - Generated in the above step
  • secret_key - Obtained from Testpress Team
The final step is to sign the payload using the HMAC-SHA256 algorithm with the secret key. HMAC does not encrypt anything: the payload remains a readable base64 string, and the signature only proves it was produced by a holder of the secret key.
Python

    import base64, hashlib, hmac, time

    epoch_time = int(time.time())
    query_string = "email=demo@testpress.in&time={}".format(epoch_time)
    payload = base64.b64encode(query_string.encode())  # bytes

    # Example key; use the secret_key obtained from the Testpress Team
    secret_key = "abcxyzqwerty"
    # hmac.new() needs bytes for both the key and the message
    hmac_signature = hmac.new(secret_key.encode(), payload, hashlib.sha256).hexdigest()

    print(hmac_signature)

The above snippet returns the HMAC signature as shown below

    aa747c502a898200f9e4fa21bac68136f886a0e27aec70ba06daf2e2a5cb5597
NodeJS

    var CryptoJS = require("crypto-js");

    let epochTime = Math.floor(new Date().getTime() / 1000);
    let queryString = "email=demo@testpress.in&time=" + epochTime;
    let payload = btoa(queryString);

    // Example key; use the secret_key obtained from the Testpress Team
    let secretKey = "abcxyzqwerty";
    let hmacSignature = CryptoJS.HmacSHA256(payload, secretKey).toString(CryptoJS.enc.Hex);

    console.log(hmacSignature);

The above snippet returns the HMAC signature as shown below

    aa747c502a898200f9e4fa21bac68136f886a0e27aec70ba06daf2e2a5cb5597
PHP

    <?php
    $epoch = time();
    $email = "demo@testpress.in";
    $qstring = "email=" . $email . "&time=" . $epoch;
    $payload = base64_encode($qstring);
    // Example key (same as in the Python and NodeJS snippets); use the secret_key obtained from the Testpress Team
    $secret_key = "abcxyzqwerty";
    $hmac_signature = hash_hmac('sha256', $payload, $secret_key);
    echo $hmac_signature;
    ?>

The above snippet returns the HMAC signature as shown below

    aa747c502a898200f9e4fa21bac68136f886a0e27aec70ba06daf2e2a5cb5597

SSO URL

The SSO URL format is as shown below
https://demo.testpress.in/sso_login/?sig=<hmac-signature>&sso=<payload>
In the above URL, replace <hmac-signature> and <payload> with the HMAC signature and payload values generated using the above steps.
E.g. https://demo.testpress.in/sso_login/?sig=aa747c502a898200f9e4fa21bac68136f886a0e27aec70ba06daf2e2a5cb5597&sso=ZW1haWw9ZGVtb0B0ZXN0cHJlc3MuaW4mdGltZT0xNTU0ODc5Njgx
The epoch time limits the validity of the HMAC. We have a *30 minute* delta to ensure the validity of the HMAC. For example, if the HMAC was generated at 10.30 AM, it will be valid only for the next 30 minutes and expires after 11.00 AM.
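The whole flow in one place, as an added example that is not Testpress's own code: build_sso_url() follows the steps above, and verify_sso_url() is a hypothetical sketch of the check a receiving side would perform (recompute the HMAC, compare in constant time, then enforce the 30 minute window). The function names, the percent-encoding of the query values and the rejection of future timestamps are assumptions.

```python
import base64, hashlib, hmac, time
from urllib.parse import urlencode, urlsplit, parse_qs

MAX_AGE = 30 * 60  # the 30 minute delta stated on this page, in seconds

def build_sso_url(base_url, email, secret_key, now=None):
    """Sender side: payload, signature and final URL, following the steps above."""
    now = int(time.time()) if now is None else int(now)
    payload = base64.b64encode("email={}&time={}".format(email, now).encode())
    sig = hmac.new(secret_key.encode(), payload, hashlib.sha256).hexdigest()
    # urlencode() percent-encodes the '=', '+' and '/' that base64 can emit,
    # so the payload survives the query string unchanged.
    return base_url + "/sso_login/?" + urlencode({"sig": sig, "sso": payload.decode()})

def verify_sso_url(url, secret_key, now=None):
    """Hypothetical receiver-side check: returns the email or raises ValueError."""
    now = int(time.time()) if now is None else int(now)
    query = parse_qs(urlsplit(url).query)
    try:
        sig, payload = query["sig"][0], query["sso"][0].encode()
    except KeyError:
        raise ValueError("missing sig or sso")
    expected = hmac.new(secret_key.encode(), payload, hashlib.sha256).hexdigest()
    # Verify the signature before decoding the payload, using a constant-time compare.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        raise ValueError("bad signature")
    decoded = base64.b64decode(payload).decode()
    fields = dict(pair.split("=", 1) for pair in decoded.split("&"))
    # Assumption: no allowance for clock skew, so future timestamps are rejected.
    age = now - int(fields["time"])
    if not 0 <= age <= MAX_AGE:
        raise ValueError("expired")
    return fields["email"]
```

Anyone who obtains a signed URL can reuse it until the window closes, so treat generated URLs like short-lived credentials and keep them out of logs.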