Single sign-on in which the caller authenticates the user and logs them in to Luminate Online, with the caller acting as the authentication client, uses getSingleSignOnToken and singleSignOn.
The getSingleSignOnToken method is a server-only API that must be called from a trusted host. The host's IP address range must be specified in the Server API IP White List on the Luminate Online server, and the call must include login credentials for an API Administrator account. The call should not include any session cookie or token for an existing session, administrator or user.
The caller passes in the cons_id or member_id of a constituent in the Luminate Online database. The user is logged in, and the caller gets back a nonce and routing ID that allow the end user to connect to the logged-in session, plus a token that can be used to authenticate further requests. The token expires after fifteen minutes, while the nonce expires after one use or when the logged-in session ends, whichever comes first. The routing ID is valid for the life of the nonce and is used to ensure that the subsequent request is sent to the correct server behind the load balancer.
The EstablishSession servlet is a client-only page called from the constituent’s browser with the nonce token returned by the getSingleSignOnToken call, typically by redirecting or linking rather than via AJAX. Additional parameters include a redirect URL to send the browser to after the login is completed.
Subsequent requests to the Luminate Online site connect as the user because of the session cookie set during EstablishSession. Additional client-side API requests can include sso_auth_token as a POST variable to verify that the request is coming from a trusted system.
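The server side of the flow above, written out as an added example (this is not Blackbaud's or the Luminate Online project's code). It builds the server-only getSingleSignOnToken request, parses a constructed sample response into the nonce, routing ID and token, enforces the lifetimes the page states (single-use nonce, fifteen-minute token), and builds the EstablishSession redirect. The SRConsAPI path, the api_key, v, login_name, login_password and response_format fields, the errorResponse shape, the token/nonce/routing_id element names, the jsessionid carrier for the routing ID and the NONCE_TOKEN/NEXTURL parameter names are assumptions to check against the current Open API reference; the site URL, credentials and XML response are constructed placeholders.

```python
"""Server side of the Luminate Online SSO flow (added example, not Blackbaud's code).

Everything marked "assumed" or "constructed" is not taken from the page.
"""
from __future__ import annotations

import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlencode, urlsplit

TOKEN_TTL_SECONDS = 15 * 60  # the page: the token expires after fifteen minutes


@dataclass
class SsoGrant:
    """What getSingleSignOnToken hands back, plus local single-use bookkeeping."""
    token: str
    nonce: str
    routing_id: str
    issued_at: float
    nonce_used: bool = False

    def token_valid(self, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        return now - self.issued_at < TOKEN_TTL_SECONDS


def build_sso_token_request(site_base: str, api_key: str, login_name: str,
                            login_password: str, *, cons_id: str | None = None,
                            member_id: str | None = None,
                            headers: dict[str, str] | None = None):
    """Return (url, form_fields) for the server-only getSingleSignOnToken call.

    The page requires API Administrator credentials and forbids sending any
    existing session cookie or token, so both rules are enforced here.
    """
    if (cons_id is None) == (member_id is None):
        raise ValueError("pass exactly one of cons_id or member_id")
    if headers and any(k.lower() == "cookie" for k in headers):
        raise ValueError("getSingleSignOnToken must not carry a session cookie")
    fields = {
        "method": "getSingleSignOnToken",
        "api_key": api_key,              # assumed field name
        "v": "1.0",                      # assumed API version field
        "login_name": login_name,        # assumed: the API Administrator account
        "login_password": login_password,
        "response_format": "xml",        # assumed
    }
    if cons_id is not None:
        fields["cons_id"] = cons_id
    else:
        fields["member_id"] = member_id
    return f"{site_base.rstrip('/')}/SRConsAPI", fields  # SRConsAPI path assumed


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix, if present


def parse_sso_token_response(xml_text: str, now: float | None = None) -> SsoGrant:
    """Extract token, nonce and routing_id; element names are assumed."""
    root = ET.fromstring(xml_text)
    found = {_local(el.tag): (el.text or "").strip() for el in root.iter()}
    if _local(root.tag) == "errorResponse":  # assumed error shape
        raise RuntimeError(f"API error: {found.get('message', 'unknown')}")
    missing = [k for k in ("token", "nonce", "routing_id") if not found.get(k)]
    if missing:
        raise ValueError(f"response missing {missing}")
    return SsoGrant(found["token"], found["nonce"], found["routing_id"],
                    time.time() if now is None else now)


def build_establish_session_url(site_base: str, grant: SsoGrant, next_url: str,
                                allowed_hosts: frozenset[str]) -> str:
    """Build the browser redirect to EstablishSession and consume the nonce.

    The routing ID rides as the jsessionid path parameter (carrier assumed) so
    the load balancer reaches the server holding the session. The post-login
    redirect target is checked against an allowlist, because an unchecked
    redirect parameter is an open redirect.
    """
    if grant.nonce_used:
        raise RuntimeError("nonce already used; call getSingleSignOnToken again")
    host = urlsplit(next_url).hostname
    if host not in allowed_hosts:
        raise ValueError(f"refusing redirect to {host!r}")
    grant.nonce_used = True
    query = urlencode({"NONCE_TOKEN": grant.nonce, "NEXTURL": next_url})  # names assumed
    return f"{site_base.rstrip('/')}/EstablishSession;jsessionid={grant.routing_id}?{query}"


def client_request_fields(grant: SsoGrant, method: str, now: float | None = None) -> dict[str, str]:
    """POST fields for a follow-up client API call carrying sso_auth_token."""
    if not grant.token_valid(now):
        raise RuntimeError("sso token expired (fifteen-minute lifetime)")
    return {"method": method, "sso_auth_token": grant.token}


# Constructed sample response; namespace and element names are assumed.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<getSingleSignOnTokenResponse xmlns="http://convio.com/crm/v1.0">
  <token>TOKEN-constructed</token>
  <nonce>NONCE-constructed</nonce>
  <routing_id>RID-constructed</routing_id>
</getSingleSignOnTokenResponse>"""

if __name__ == "__main__":
    site = "https://example.invalid/myorg/site"  # constructed placeholder
    print(build_sso_token_request(site, "APIKEY", "api_admin", "secret", cons_id="1001"))
    grant = parse_sso_token_response(SAMPLE_RESPONSE)
    print(build_establish_session_url(site, grant, f"{site}/Donation", frozenset({"example.invalid"})))
    print(client_request_fields(grant, "getUser"))
```

The request builder never performs the HTTP call itself; the returned URL and fields are handed to whatever HTTP client the integration uses, from a host inside the Server API IP White List, with no Cookie header attached.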