Trusted Authentication Overview

Before using Trusted Authentication for embedding apps in client pages, get familiar with the Trusted Authentication protocol.

Trusted Authentication Protocol

The protocol for authenticating data requests from within a client page consists of the following steps:

Protocol for authenticating data requests
  1. The User Browser requests an App page.

    More specifically, the user requests a web page from the parent Web server. The Web server has an embedded Arcadia visual within an <iframe> element.

  2. The App Server requests a ticket from Arcadia Server.

    The parent App Server sends a POST ticket request to the Arcadia Server. The request contains the Arcadia username for authenticating the <iframe>.

    The ticket request may be authenticated using one of the following two methods:

    • Ticket-Granting User: The ticket request includes the trusted ticket granter's Arcadia username and password. This account would not normally have admin or superuser privileges. See Post Ticket Request Using a Ticket-Granting User.

    • Trusted IP: The parent Application server is included in the list of trusted IPs. The POST request includes only the Arcadia username to get the ticket-granting user's full credentials. See Post Ticket Request Using an IP.

    By default, the ticket may only be used one time. However, it can be configured for multiple use for debugging purposes. The ticket is valid for a configurable time period, and then it expires.

  3. Arcadia Server authenticates the request, and returns a unique ticket.

    • If the request is valid, it is authorized by the Arcadia Server, which creates a ticket and returns it as a response to the POST request.
    • If the request is invalid, the Arcadia Server returns the value -1 as the response to the POST request.
  4. The App Server returns an HTML page that contains an iframe tag with the Arcadia URL and the ticket.

    The parent App Server uses the ticket to generate a unique URL, which contains the ticket for the embedded visual. It uses this URL for the visual's <iframe> element in the HTML that it returns to the client. See Request Visual from Arcadia Server.

  5. The User Browser requests the iframe from Arcadia Server, including the ticket.

    The client browser uses the iframe URL obtained in the previous step to request the App from the Arcadia Server.

  6. Arcadia Server authenticates the User Browser based on the ticket, and returns the visualization for the iframe.

    The Arcadia Server authenticates the <iframe> request based on the ticket that is part of the request URL. If the ticket is valid, it automatically logs in the username specified in the original POST request. It then sends the visual to the client.
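
The ticket rules from steps 2 to 6 (two ways to authenticate the ticket request, -1 on failure, single use by default, expiry after a configurable period), modeled as an added Python example that is not Arcadia's code or API. The class and function names, the 30-second lifetime, and the iframe URL layout are assumptions made for illustration.

```python
import hmac, secrets, time
from urllib.parse import quote

class TicketServer:
    """Toy model of the ticket rules above; not Arcadia's implementation."""

    def __init__(self, granters, trusted_ips, ttl=30, max_uses=1, clock=time.monotonic):
        self.granters = granters        # ticket-granting user -> password
        self.trusted_ips = trusted_ips  # app servers allowed to omit credentials
        self.ttl, self.max_uses, self.clock = ttl, max_uses, clock
        self._tickets = {}              # ticket -> [username, expiry, uses_left]

    def post_ticket(self, username, source_ip, granter=None, password=None):
        """Steps 2-3: return a unique ticket, or "-1" for an invalid request."""
        expected = self.granters.get(granter)
        by_user = (expected is not None and password is not None and
                   hmac.compare_digest(expected.encode(), password.encode()))
        if not username or not (by_user or source_ip in self.trusted_ips):
            return "-1"
        ticket = secrets.token_urlsafe(24)  # unguessable, unique per request
        self._tickets[ticket] = [username, self.clock() + self.ttl, self.max_uses]
        return ticket

    def redeem(self, ticket):
        """Step 6: return the username to log in, or None if the ticket is bad."""
        entry = self._tickets.get(ticket)
        if entry is None:
            return None                 # unknown, or already used up
        if self.clock() > entry[1]:
            del self._tickets[ticket]   # expired
            return None
        entry[2] -= 1
        if entry[2] <= 0:
            del self._tickets[ticket]   # default: single use
        return entry[0]

def iframe_html(base_url, ticket):
    """Step 4: the app server must treat "-1" as failure, never embed it."""
    if ticket == "-1":
        raise PermissionError("ticket request rejected by server")
    # Hypothetical URL layout: the ticket as the last path segment.
    return f'<iframe src="{base_url}/{quote(ticket, safe="")}"></iframe>'
```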

Session Behavior Notes

After the user is logged in using the ticket, she can request any other URL until that session expires.

Note that the login session expires at the end of the browser session.