
Using Smartling Single Sign-On

The following article applies to Global Delivery Network, Application Resource Files, Business Documents, and CMS Connector project types. 

If you don't want your users to have to register or log in to Smartling before they begin translating your site, you can use Smartling Single Sign-On (SSO) (Settings > Single Sign-On). SSO allows users to switch from your site to Smartling with minimal registration or login, and immediately begin translating. Users will default to a role of Translation Resource. To use SSO, provide Smartling with a login URL for your site and Smartling will provide you with a SSO key and account ID. You can then embed links in your site to register users with Smartling, log them in, or both.

To generate a SSO key:

  1. Browse to Settings > Single Sign-On.
  2. In the SSO Login Url box, enter the login URL for your site.
    This URL should log in a user and redirect them to Smartling, passing the SSO information (listed in Developer Details below).
  3. In the SSO Logout Url box, enter a URL on your site that terminates a user’s session (optional).
    If provided, Smartling redirects users to this URL once they log out of Smartling.
  4. From the Default Project drop-down menu, select the project with which you want to associate the user.
  5. If you want to approve users for SSO registration, select SSO Registration Requires Approval.
  6. If you want to use a public key for signature validation, enter this at Signature Validation Public Key (optional). See Developer Details below.
  7. Click Submit and Smartling generates a SSO key that your development team can implement for the login process.

Once you generate a SSO key, Smartling enables Single Sign-On.

You can disable SSO by clicking SSO Enabled.

Developer Details

Once you have a SSO key, have one of your developers configure your site to pass the following (URL encoded) user information and data to Smartling:

Parameter                Description
firstName (required)     The first name of the user
lastName (required)      The last name of the user
email (required)         The email address of the user
externalId (required)    An identifying value that references the user in your system
expires (required)       The date when the url expires

All dates follow the Smartling Date Format:

"YYYY-MM-DDThh:mm:ss"

To implement Smartling Single Sign-On, you must first build and sign a multipass token, and then pass this along with your account uid to Smartling.

To build and sign a multipass token:

  1. Select an expiration date and build the JSON object; for example,
    {
      "firstName": "John",
      "lastName": "Doe",
      "email": "jdoe1234@johndoe.com",
      "externalId": 820349023,
      "expires": "2013-05-01T02:00:00"
    }
  2. Encrypt the hash (the JSON object from step 1) using AES-128-CBC encryption, with the Single Sign-On (SSO) API key from the Smartling dashboard (Settings > Single Sign-On) and the Account Id as the password (SSO key and Account Id concatenated in that order with no extra characters).
    Use a block size of 16 bytes and pad the hash to this block size.
  3. Base64 encode the result.
    Convert to a URL-safe string by performing the following:
    • Remove any newlines
    • Remove trailing equal (=) characters
    • Change any plus (+) characters to dashes (-)
    • Change any slash (/) characters to underscore (_)
  4. If you have a private key for signature generation (DSA algorithm) and have also provided Smartling with the public key to use for signature verification, use the private key to generate a digital signature over the multipass token generated in steps 1-3.
    • Base64 encode the resulting signature.
    • Change any plus (+) characters to dashes (-)
    • Change any slash (/) characters to underscore (_)

Smartling expects the following three parameters:

  • multipass - This is the token received from step 3 above
  • signature - This is the signed multipass token received from step 4 above
  • accountUid - The uid of your account

Base URL: https://dashboard.smartling.com/users/v1/ssologin.htm

Example multipass URL: https://dashboard.smartling.com/users/v1/ssologin.htm?multipass=JzM3WisilOc2crxI1favdqV9nyturLh5Yuca_whKFSPNzUdoPl1vParoBL05YHSTgYMeWbTz10vA4PH6iF_PpMUFjMANeCsHN0mWM-Efrx1UPhA0MFPvqiFgRqL1EpudJ_R1Tm6SWVvuXEloENqFvGs84YJzxcgtJ_SgBQG_vx4xu9VWq2h_okgutlkUqs3HY-_u5jZGK6&signature=yqrJyJ-FItEG_lTACA&accountUid=5e8asdFfGQ154

Managing DSA Keys for Signature Generation

If you intend to enforce signature verification on Smartling's side, generate a pair of DSA keys for the site. The private key should be stored securely by the Web site and used for signature generation. The public key does not need to be kept secret and should be provided to Smartling for signature verification purposes.

There is more than one way to generate the key pair. You can use openssl (see below) or you can use the Java SSO SDK (its README.md document describes how it can be used for this purpose).

To generate a DSA key pair:

  1. Generate DSA parameters:

    shell> openssl dsaparam -out dsaparam.pem 512

    Here, 512 is the key size and dsaparam.pem is the output file.
    After the command is run, the output file will have contents similar to:

    -----BEGIN DSA PARAMETERS-----
    MIGcAkEAukYhTa7zPTCdRT6liux6kXS09A/uj0tJ7poT6fLXThOjkC4cHKQkSp3i
    096uy/rA8pYzR6R1/8CF
    -----END DSA PARAMETERS-----
  2. Use the parameters file to generate a DSA private key:

    shell> openssl gendsa -out privkey.pem dsaparam.pem

    After the command is run, the privkey.pem file will contain the private key, similar to:

    -----BEGIN DSA PRIVATE KEY-----
    MIH4AgEAAkEAukYhTa7zPTCdRT6liux6kXS09A/uj0tJ7poT6fLXThOjkC4cHKQk
    Sp3inN2loNc/VWTjbrWzBLDliLoJk2kt2wIVAO2/UvS7NS1VfVZHokr/cKrnIbgL
    71dzvdVtp8XBaDpZVUOeUlVPXONcoHctnDqF8Y2nZuqwWocAMAIUIxD3hYd/ESbo
    tR243sf2hlTWrIA=
    -----END DSA PRIVATE KEY-----
  3. Both the Java and PHP SSO SDKs can be used to generate the SSO login link. To use the private key obtained in the previous step with them, you have to convert the file to PKCS8 format:

    shell> openssl pkcs8 -topk8 -in privkey.pem -out privkey_pkcs8.pem -outform pem -nocrypt

    The output file privkey_pkcs8.pem will have contents like this:

    -----BEGIN PRIVATE KEY-----
    MIHGAgEAMIGoBgcqhkjOOAQBMIGcAkEAukYhTa7zPTCdRT6liux6kXS09A/uj0tJ
    DEKdelLRUq/hlZZ0XiL8BW8v096uy/rA8pYzR6R1/8CFBBYCFCMQ94WHfxEm6LUd
    uN7H9oZU1qyA
    -----END PRIVATE KEY-----

    After this you may use this key, without the header and footer lines and without new-line characters, in a command like this (Java SSO SDK):

    shell> mvn exec:java -Dexec.args="-i -k f4ba20a8-5030-4aae-a42c-18c3e798e2f5 -u aaabb199 -s MIHGAgEAMIGoBgcqhkjOOAQBMIGcAkEAukYhTa7zPTCdRT6liux6kXS09A/uj0tJ7poT6fLXThOjkC4cHKQkSp3inN2loNc//rA8pYzR6R1/8CFBBYCFCMQ94WHfxEm6LUduN7H9oZU1qyA"
  4. The command will produce an SSO login link, which may be used later for the SSO login to Smartling: https://dashboard.smartling.com/users/v1/ssologin.htm?multipass=8BiJ6aW2wwqDCnfon9umwCUuTWzdH4qh9ds0lFqke3t4u6fSxUg6dgSTOpbe2p4t5yGkkKnPts6oXpeqrQdS75JPrgMOcjjd3_b8m4DXQ&signature=MCwCFFEVqJSuuB2qa6i4X1yxC5O9gLXJAhZOLEwsRDeUoEpqiSA&accountUid=aaabb199
  5. Before you generate and use an SSO login link with the signature, you need to generate the public key that corresponds to the previously generated private key:

    shell> openssl dsa -in privkey.pem -pubout -out pubkey.pem

    The output file pubkey.pem will have contents like this:

    -----BEGIN PUBLIC KEY-----
    MIHxMIGoBgcqhkjOOAQBMIGcAkEAukYhTa7zPTCdRT6liux6kXS09A/uj0tJ7poT
    LKde0VT8pRcxp7eDR37a71dzvdVtp8XBaDpZVUOeUlVPXONcoHctnDqF8Y2nZuqw
    WocAMA==
    -----END PUBLIC KEY-----

    Enter the key, without the header and footer lines and without new-line characters, at Settings > Single Sign-On in the Signature Validation Public Key field:

    MIHGAgEAMIGoBgcqhkjOOAQBMIGcAkEAukYhTa7zPTCdRT6liux6kXS09A/uj0tJ7poT6fLXThOjkC4cHKQkSp3inN2loNc/VWTjbrWzBLDliLoJk2kt2wIVAO2/UvS7NS1VfVZHokr//DdmpLKde0VT8pRcxp7eDR37a71dzvdVtp8XBaDpZVUOeUlVPXONcoHctnDqF8Y2nZuqwWocAMA==

    You can then generate SSO login links and use them, with the request signature verification enabled.
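
The signing in step 4 of the multipass procedure, and the check the receiving side makes with the public key, can be exercised locally with the same openssl commands; this is an added example, not Smartling's code or part of the original article. It assumes a SHA-256 digest (the article names only DSA), 2048-bit parameters in place of the article's 512 (whether Smartling accepts that size is not stated here), and constructed bytes standing in for the AES output of step 2.

```bash
#!/usr/bin/env bash
# Added example, not Smartling code. Assumptions: SHA-256 digest, 2048-bit
# DSA parameters, and constructed bytes standing in for the AES output.
set -eu

# Step 3: one-line base64, '=' padding removed, '+' -> '-', '/' -> '_'.
urlsafe_b64() { openssl base64 -A | tr -d '=\n' | tr '+/' '-_'; }

# Verifier side: restore the alphabet and '=' padding, then decode.
urlsafe_b64_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s\n' "$s" | openssl base64 -d -A
}

# Key pair via the article's three openssl commands; $1 = dir, $2 = key size.
make_keys() {
  openssl dsaparam -out "$1/dsaparam.pem" "$2" 2>/dev/null
  openssl gendsa -out "$1/privkey.pem" "$1/dsaparam.pem" 2>/dev/null
  openssl dsa -in "$1/privkey.pem" -pubout -out "$1/pubkey.pem" 2>/dev/null
}

# Step 4: sign the URL-safe multipass string. '=' is kept on the signature
# because the article lists only the two substitutions for it.
sign_token() {  # $1 = private key file, $2 = multipass string
  printf '%s' "$2" | openssl dgst -sha256 -sign "$1" \
    | openssl base64 -A | tr '+/' '-_'
}

# Returns 0 only when the signature matches this exact multipass string.
verify_token() {  # $1 = public key file, $2 = multipass, $3 = signature
  local sigfile rc=0
  sigfile=$(mktemp)
  urlsafe_b64_decode "$3" > "$sigfile"
  printf '%s' "$2" | openssl dgst -sha256 -verify "$1" \
    -signature "$sigfile" >/dev/null 2>&1 || rc=$?
  rm -f "$sigfile"
  return "$rc"
}

# Demo on constructed data.
dir=$(mktemp -d)
make_keys "$dir" 2048
token=$(printf 'constructed ciphertext bytes' | urlsafe_b64)
sig=$(sign_token "$dir/privkey.pem" "$token")
verify_token "$dir/pubkey.pem" "$token" "$sig" && echo "untouched token: accepted"
verify_token "$dir/pubkey.pem" "${token}x" "$sig" || echo "altered token: rejected"
rm -rf "$dir"
```

Because the signature covers the URL-safe string itself, any change to the multipass value in transit makes verification fail.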