Trusted Authentication Overview

The protocol for authenticating data requests from within a client application consists of the following steps:

  1. The User Browser requests an App page.

    More specifically, the user requests a web page from the parent Web server. The Web server has an embedded Arcadia visual within an iframe.

  2. The App Server requests a ticket from Arcadia Server.

    The parent App Server sends a POST ticket request to the Arcadia server. The request contains the Arcadia username for authenticating the iframe.

    The ticket request may be authenticated using one of the following two methods:

    • Ticket-Granting User. The ticket request includes the trusted ticket granter's Arcadia username and password. This account would not normally have admin or superuser privileges. See Example 1.

    • Trusted IP. The parent Application server is included in the list of trusted IPs. The POST request includes only the Arcadia username, without requiring the ticket-granting user's full credentials. See Example 2.

    By default, the ticket may only be used one time. However, it can be configured for multiple use for debugging purposes. The ticket is valid for a configurable time period, and then it expires.

  3. Arcadia Server authenticates the request, and returns a unique ticket.

    The Arcadia Server validates the ticket request.

    • If the request is valid, it is authorized by the Arcadia Server, which creates a ticket and returns it as the response to the POST request.
    • If the request is invalid, it returns the value of -1 as the response to the POST request.

  4. The App Server returns an HTML page that contains an iframe tag with Arcadia URL and the ticket.

    The parent App Server uses the ticket to generate a unique URL, which contains the ticket for the embedded visual. It uses this URL for the viz <iframe> in the HTML that it returns to the client, as demonstrated in Example 3.

  5. The User Browser requests the iframe from Arcadia Server, including the ticket.

    The client browser uses the iframe URL obtained in the previous step to request the App from the Arcadia server.

  6. Arcadia Server authenticates the User Browser based on the ticket, and returns the visualization for the iframe.

    The Arcadia Server authenticates the iframe request based on the ticket that is part of the request URL. If the ticket is valid, it automatically logs in the username specified in the original POST request. It then sends the visual to the client.
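
The following Python model of steps 2 through 6 is an added example, not Arcadia's implementation or API. It shows the two ways a ticket request can be authenticated, the -1 failure value, and the single-use and expiry checks at redemption. The class and function names, the `ticket` query parameter, and all credentials and addresses are assumptions constructed for illustration.

```python
import hmac
import secrets
import time


class TicketService:
    """Toy model of the ticket flow above (hypothetical names, not Arcadia code)."""

    def __init__(self, granters, trusted_ips, ttl=60, max_uses=1, clock=time.monotonic):
        self.granters = granters            # {granter: password}; plaintext only in this sketch
        self.trusted_ips = set(trusted_ips)
        self.ttl, self.max_uses, self.clock = ttl, max_uses, clock
        self.tickets = {}                   # ticket -> [username, expires_at, uses_left]

    def request_ticket(self, source_ip, username, granter=None, password=None):
        """Steps 2-3: return a unique ticket, or "-1" if the request is invalid."""
        by_ip = source_ip in self.trusted_ips
        expected = self.granters.get(granter) if granter else None
        by_granter = (expected is not None and password is not None
                      and hmac.compare_digest(expected.encode(), password.encode()))
        if not username or not (by_ip or by_granter):
            return "-1"
        ticket = secrets.token_urlsafe(32)  # unguessable, because it travels in a URL
        self.tickets[ticket] = [username, self.clock() + self.ttl, self.max_uses]
        return ticket

    def redeem(self, ticket):
        """Step 6: return the username to log in, or None if the ticket is rejected."""
        entry = self.tickets.get(ticket)
        if entry is None:
            return None                     # unknown, or already used up
        username, expires_at, uses_left = entry
        if self.clock() >= expires_at:
            del self.tickets[ticket]        # expired tickets are discarded
            return None
        if uses_left <= 1:
            del self.tickets[ticket]        # single use by default
        else:
            entry[2] = uses_left - 1        # multiple use, as in the debugging setup
        return username


def iframe_url(base_url, ticket):
    """Step 4: build the iframe URL; never embed the "-1" failure value in a page."""
    if ticket == "-1":
        raise PermissionError("ticket request was rejected")
    return f"{base_url}?ticket={ticket}"    # parameter name is an assumption
```

Because the ticket appears in the iframe URL, the short validity period and single-use default are what limit its value if it ends up in browser history, proxy logs, or a Referer header.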

Session Behavior Notes

After the user is logged in using the ticket, she can request any other URL until that session expires.

Note that the login session expires at the end of the browser session.