Single Sign On (Luminate Online as client)

Single sign-on in which the caller authenticates the user and logs that user in to Luminate Online (Luminate Online acting as the authentication client) uses getSingleSignOnToken and singleSignOn.

The getSingleSignOnToken method is a server-only API that must be called from a trusted host. The host's IP address range must be specified in the Server API IP White List on the Luminate Online server, and the call must include login credentials for an API Administrator account. The call should not include any session cookie or token for an existing session, administrator or user.

The caller passes in a cons_id or member_id for a constituent in the Luminate Online database. The user is logged in, and the caller gets back a nonce and routing id that allow the end user to connect to the logged-in session, plus a token that can be used to authenticate further requests. The token expires after fifteen minutes, while the nonce expires after one use or when the logged-in session ends, whichever comes first. The routing id is valid for the life of the nonce and is used to ensure that the subsequent request is sent to the correct load-balancing server.

The EstablishSession servlet is a client-only page called from the constituent’s browser with the nonce token returned by the getSingleSignOnToken call, typically by throwing a redirect or linking rather than via AJAX. Additional parameters include a redirect to send the browser to after the login is completed.

  1. Partner site presents a login form that submits username and password to the partner site, authenticates the user, logs him in and retrieves the user's Luminate Online ID or Member ID from its database.
  2. Partner site calls the getSingleSignOnToken API, passing the ID that it retrieved.
  3. Normally, the partner site would redirect to its own page (say http://www.example.org/index.html), but instead it sends a redirect to the Luminate Online EstablishSession API: http://member.example.org/site/EstablishSession;jsessionid==(value of 'routing_id' returned by getSingleSignOnToken)?NONCE_TOKEN=(value of 'nonce' returned by getSingleSignOnToken)&NEXTURL=http://www.example.org/index.html. The browser then makes a request to the Luminate Online system, which connects the user to the logged-in session, pushes a session cookie and throws a 302 redirect back to the partner site.

Subsequent requests to the Luminate Online site will connect as the user because of the session cookie that was pushed earlier. Additional client-side API requests can include sso_auth_token in a POST variable to verify that the request is coming from a trusted system.
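The partner-side half of the three-step flow above, plus the sso_auth_token follow-up, as an added example; this is not Luminate Online's own client code. It builds the server-side getSingleSignOnToken request, parses its response, assembles the EstablishSession redirect URL, and attaches sso_auth_token to later client-side requests. Assumptions: the server API parameter names other than cons_id and member_id (method, api_key, v, response_format, login_name, login_password), the JSON response layout, the placeholder values, and the use of a single "=" in the jsessionid path parameter (the conventional servlet syntax). NEXTURL is checked against an allowlist before it is placed in the redirect, since the browser is sent to that URL once the session is established.

```python
"""Partner-site helpers for the Luminate Online SSO flow (added example, not vendor code)."""
import json
from datetime import datetime, timedelta
from urllib.parse import urlencode, urlsplit, quote

TOKEN_LIFETIME = timedelta(minutes=15)  # the page states the token expires after fifteen minutes


def build_token_request(api_key, admin_login, admin_password, *, cons_id=None, member_id=None):
    """Form parameters for the server-only getSingleSignOnToken call.

    Exactly one of cons_id / member_id identifies the constituent. The call carries
    API Administrator credentials and must NOT carry any existing session cookie or token.
    Parameter names other than cons_id/member_id are assumptions.
    """
    if (cons_id is None) == (member_id is None):
        raise ValueError("pass exactly one of cons_id or member_id")
    params = {
        "method": "getSingleSignOnToken",
        "api_key": api_key,
        "v": "1.0",
        "response_format": "json",
        "login_name": admin_login,
        "login_password": admin_password,
    }
    if cons_id is not None:
        params["cons_id"] = str(cons_id)
    else:
        params["member_id"] = member_id
    return params


def parse_token_response(body, issued_at):
    """Parse the (assumed) JSON layout and attach the expiry the page specifies."""
    data = json.loads(body)["getSingleSignOnTokenResponse"]
    return {
        "nonce": data["nonce"],
        "routing_id": data["routing_id"],
        "token": data["token"],
        "token_expires": issued_at + TOKEN_LIFETIME,
    }


def token_is_fresh(sso, now):
    """True while the fifteen-minute token lifetime has not elapsed."""
    return now < sso["token_expires"]


def build_establish_session_url(site_base, sso, next_url, allowed_next_hosts):
    """Redirect target for the constituent's browser (step 3 above).

    routing_id rides in the jsessionid path parameter so the request reaches the
    load-balancing server holding the session; NONCE_TOKEN and NEXTURL go in the query.
    """
    host = urlsplit(next_url).hostname
    if host not in allowed_next_hosts:
        raise ValueError(f"NEXTURL host not allowed: {host!r}")
    query = urlencode({"NONCE_TOKEN": sso["nonce"], "NEXTURL": next_url})
    routing = quote(sso["routing_id"], safe="")
    return f"{site_base}/site/EstablishSession;jsessionid={routing}?{query}"


def attach_sso_auth_token(post_params, sso, now):
    """Add sso_auth_token to a later client-side API POST, refusing an expired token."""
    if not token_is_fresh(sso, now):
        raise ValueError("sso token expired; call getSingleSignOnToken again")
    return {**post_params, "sso_auth_token": sso["token"]}


# Constructed sample response: placeholder values, not real Luminate Online output.
SAMPLE_RESPONSE = json.dumps({
    "getSingleSignOnTokenResponse": {
        "nonce": "NONCE-PLACEHOLDER",
        "routing_id": "ROUTING-PLACEHOLDER",
        "token": "TOKEN-PLACEHOLDER",
    }
})

if __name__ == "__main__":
    issued = datetime(2024, 1, 1, 12, 0, 0)
    sso = parse_token_response(SAMPLE_RESPONSE, issued)
    print(build_establish_session_url("http://member.example.org", sso,
                                      "http://www.example.org/index.html", {"www.example.org"}))
    print(attach_sso_auth_token({"method": "getUser"}, sso, issued + timedelta(minutes=5)))
```

The redirect built here is what the partner site returns as a 302 to the browser after calling the server API; the browser, not the partner server, then contacts EstablishSession, which is why the nonce and routing id are the only values that leave the trusted host.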
