Menu
API Single Sign On > Single Sign On
Single Sign On
| Environment | BASE_URL | API_BASE_URL |
| Staging | https://sso.bnlstg.com | https://sso-api.bnlstg.com/api |
| Production |
How todo integration
To be able to integrate a website with SSO, we must register your web application in SSO. Later your web application will be called an SSO client product. To become an SSO client, we need this following information.
| # | Info | Description |
|---|---|---|
| 1 | Client Name | Indicates the name of the client website that will appear on the SSO dashboard |
| 2 | Base URL | Indicates the main page URL of the client. For this example : https://pos.domain.com. This URL will be used as the redirect destination address if the login is successful in SSO. SSO will automatically add the path & query parameter sso/callback?token=xxx to the destination URL. |
| 3 | Description | Indicate short description about that web client |
| 4 | Logo URL | In the form of a logo URL from the website. |
| 5 | API Base URL | In the form of an API URL from the client, this URL will later be used by SSO to communicate regarding sending, updating or deleting user data. Example value : https://pos.domain.com/sso/callback. SSO will automatically add the path to that URL. |
After being registered with SSO, the client will get a Product Token. It will be used as an authentication method during the data transfer process. The product token will be static and consists of random characters in string form.
Example : lVC3WbusmJFK4UClg3wlJFOp4A6bxSxj1S2ezUqkSNIg8347fkOiovkAlGnfc.
Note:
If you don't want to use the default path generated by SSO for data communication, you can customize the URL. Below is a list of URLs and actions that you can customize based on your product.
| Action Name | Method | Description |
| verify | GET | Redirect destination after login success. This URL will automatically added URL parameter token by SSO. |
| check user | POST | Called when user not found in SSO on login process. Used on Check_User method |
| check by email | POST | This will be called when a user resets their password in SSO but the user data has not been previously synchronized. Used on Check by email method. |
| assign_user | POST | Called when user assign product to their sub user. Used on Assigning User in Product |
| get_property | GET | Part of assign user process. It will called on Get Property |
| get_roles | GET | Part of assign user process. It will called on Get Roles |
| remove_user | POST | Called on user remove product access to their sub user. It will called on Un Assign User process |
When accessing product custom endpoint, SSO will send Product Token as an authorization header.
API Responses
Each response provided by SSO will have the following json format. Apart from the following JSON format, you can also check the state of the process you are carrying out via the http response code which is responded to by SSO.
Success Response
{
"status": "success",
"message": "This is success message",
"data": ""
}Fail Response
{
"status": "error",
"message": "Unable to proccess",
"data": ""
}| Field | Descriptions | type |
|---|---|---|
| Status | Indicates whether the process was successful or failed, the value of this field can be success if the process is successful and error if it fails | bool |
| Message | Provide a message or brief description of the process carried out on the SSO | text |
| Data | This field can be anything depending on the endpoint used. Each endpoint has a different response | any |
Client Login
Before integration with SSO, the client may be have had its own login page which was accessed if the user had not logged in to the website. If you have integrated with SSO, you can redirect to the BASE_URL of SSO to carry out the user login process.
When redirected to that page, you also have to enter a query parameters in the URL.
redirect, Contains the URL that SSO will redirect to when the login process is successful. By default, if you do not include this parameter, a redirect will be made to the SSO dashboard. For example :https://pos.domain.com
The final URL will look link this:
https://sso.bnlstg.com?redirect=https://pos.domain.com
SSO Login Callback
After successful login on the SSO page, the user will be directed to the URL you provided in the section above by reading the user token. This user token is a key that will later be used to verify the user. This token will be sent to the SSO Client via the parameters in the callback URL. SSO will automatically add the path "sso/callback" to the redirect URL you used previously.
Example : https://pos.domain.com/sso/callback?token=sj9293uruwejdwe923jfee
On this path, the next task is for the client to process the token. The client must carry out a verification process to ensure that the token is valid. The verification process can be done using the endpoint API_BASE_URL/user/verify-by-product .
GET : API_BASE_URL/user/verify-by-product
curl --location 'API_BASE_URL/user/verify-by-product'
\ --header 'Authorization: Bearer sj9293uruwejdwe923jfee..'
\ --header 'ProductAuthorization: Bearer lVC3WbusmJFK4UClg3wlJFOp4A6bxSxj1S2ezUqkSNIg8347fkOiovkAlGnfc'Header Parameter
| Field | Descriptions | type |
|---|---|---|
| Authorization | Bearer + user_token | text |
| ProductAuthorization | Bearer + product_token | text |
Response Parameters
{
"status": "success",
"message": "Logged in user",
"data": {
"user": {
"id": 2,
"username": "johndoe",
"email": "user@domain.com",
"first_name": "John",
"last_name": "Doe",
"phone": "",
"phone_verified": false,
"email_verified": false,
"status": true,
"mfa_active": true,
"remember_token": "",
"last_login": "2024-01-10T02:04:14.692Z",
"last_login_ip": "127.0.0.1",
"created_at": "2023-11-21T09:03:28.119Z",
"updated_at": "2024-01-10T02:04:14.693Z",
"main_user_id": null
},
"user_product": {
"user_id": 2,
"product_id": 1,
"external_id": "16",
"role": "admin",
"product": {
"id": 1,
"name": "Point Of Sales",
"url": "https://pos.domain.com",
"description": "",
"status": true,
"image_url": "https://pos.domain.com/assets/logo.png",
"ip": "",
"token": "zIXOfxkiuFQny966eAU1mT4abkaWcz8v3v8psN88",
"api_endpoint": "https://pos.domain.com/sso/callback",
"created_at": "2023-11-03T15:40:42.419Z",
"updated_at": "2023-11-03T15:40:42.419Z"
}
}
}
}| Field | Descriptions | type |
|---|---|---|
user | Represent the user that successfully verified by user_token | object |
user.id | User ID, uniquely identifying the user. | integer |
user.username | Represent the username in SSO | string |
user.email | The user email to used to login in SSO | string |
user.first_name | First name of the user. | string |
user.last_name | Last name of the user. | string |
user.phone | User's phone number (if provided). | string |
user.phone_verified | Indicates whether the user's phone number has been verified. | boolean |
user.email_verified | Indicates whether the user's email address has been verified. | boolean |
user.status | User account status. true represents an active account. | boolean |
user.mfa_active | Indicates whether Multi-Factor Authentication (MFA) is active for the user. | boolean |
user.remember_token | Token used for remembering the user across sessions. | string |
user.last_login | Date and time of the user's last login. | datetime |
user.last_login_ip | IP address from which the user last logged in. | string |
user.created_at | Date and time when the user account was created. | datetime |
user.updated_at | Date and time when the user account was last updated. | datetime |
user.main_user_id | ID of the main user if applicable. | integer |
user_product | Represent user mapping with the client product | object |
user_product.user_id | User ID, uniquely identifying the user. | integer |
user_product.product_id | The product ID that has ben registered in SSO. This field represent your client product id in SSO storage data. | integer |
user_product.external_id | This column will store the user ID of your user in the client application.This column is the main key that can be used to verify the user in your application. For example, you can retrieve user data based on external_id, then if the user data is in your local database, then you can save the user data in a session which indicates the login process has been successful. | string |
user_product.role | User role in client application | string |
Error Responses
| Code | Message | Description |
|---|---|---|
| 401 | Please login to continue | Indicate the user token is expired |
| 404 | User not found, please sign in | Indicate the user was not found or deactivate in SSO |
| 401 | Unauthorized | Indicate the product token is un valid |
| 404 | User not found by product token | Indicate the user was not assign to current client Product |
Check User
If you don't import all user data, you can use this endpoint as an alternative. In this process, SSO will POST user credentials in the form of email and password to your API product.
The product must handle searching for user data based on email and password then returning it so that it can be processed by SSO. This process will be called if the user is not found on the SSO page during the login process.
POST : https://pos.domain.com/sso/callback/check_user
Body Parameter
| Field | Descriptions | type |
|---|---|---|
email | User input email | string |
| password | User input password | string |
Expected API Responses
{
"status": "success",
"message": "User founded",
"data": {
"external_id": "1",
"main_user_external_id" : "0",
"username": "johndoe",
"email": "user@domain.com",
"first_name": "John",
"last_name": "Doe",
"status": 1,
"role" : "staff",
"phone": "",
"phone_verified": 0,
"email_verified": 1,
"mfa_active": 1
}
}| Field | Descriptions | type |
|---|---|---|
external_id | An external identifier associated with the user, used for integration purposes. | string |
first_name | The first name of the user. | string |
last_name | The last name or surname of the user. | string |
main_user_external_id | An external identifier referring to the main user associated with this account (if applicable). | string |
phone | The phone number associated with the user account. | string |
status | A numerical value representing the status of the user account (e.g., 1 for active, 0 for inactive). | boolean |
username | The unique username associated with the user account. | string |
| role | User role in your application | string |
| mfa_active | Represent the status of multi factor authentication | boolean |
| email_verified | Indicates whether the user's email address has been verified. | boolean |
| phone_verified | Indicates whether the user's phone number has been verified. | boolean |
Check User by Email
If the user has never synchronized with SSO, but its the first time they access SSO, and wants to reset the password. SSO will use this endpoint to synchronize from product. If a user is found on the product, we will save the user data and continue by sending a password reset email.
The product must handle searching for user data based on email then returning it so that it can be processed by SSO.
POST : https://pos.domain.com/sso/callback/check_email
Body Parameter
| Field | Descriptions | type |
|---|---|---|
email | User input email | string |
Expected API Responses
{
"status": "success",
"message": "User founded",
"data": {
"external_id": "1",
"main_user_external_id" : "0",
"username": "johndoe",
"email": "user@domain.com",
"first_name": "John",
"last_name": "Doe",
"status": 1,
"role" : "staff",
"phone": "",
"phone_verified": 0,
"email_verified": 1,
"mfa_active": 1
}
}| Field | Descriptions | type |
|---|---|---|
external_id | An external identifier associated with the user, used for integration purposes. | string |
first_name | The first name of the user. | string |
last_name | The last name or surname of the user. | string |
main_user_external_id | An external identifier referring to the main user associated with this account (if applicable). | string |
phone | The phone number associated with the user account. | string |
status | A numerical value representing the status of the user account (e.g., 1 for active, 0 for inactive). | boolean |
username | The unique username associated with the user account. | string |
| role | User role in your application | string |
| mfa_active | Represent the status of multi factor authentication | boolean |
| email_verified | Indicates whether the user's email address has been verified. | boolean |
| phone_verified | Indicates whether the user's phone number has been verified. | boolean |
Assign User
The register or assign user process is the process of registering users and integrating them with SSO. There are 2 integration options that will be carried out. First, create a user from SSO and then send it to the SSO Client to be registered. Second, clients register users from local applications and then send them to SSO for data integration.
Assign User From SSO to Product
On assigning a user, SSO will include the role and properties of the product or client to be assigned. Role and properties will become a select dropdown, so that each SSO client must provide an endpoint that is used by SSO to retrieve these options.
The suffix of this endpoint has been determined by SSO, while the base URL of this API is the base URL registered when registering the client product in SSO. In this example, the API base URL used is https://pos.domain.com/sso/callback so the list of endpoints you must prepare is:
Get Properties
GET : https://pos.domain.com/sso/callback/get_property/{external_user_id}
Path Variable
| Field | Descriptions | type |
|---|---|---|
| external_user_id | This field will be filled by your product user id that has login to SSO and willing to assigning some sub user to your another product | text |
Expected API Responses
Your endpoint must return JSON responses that will look like this.
{
"status": "success",
"message": "Property option by user",
"data": [
{
"id": 5,
"label": "Colosseum PIZZA"
}
]
}Option Result
SSO will creating select option based on your id as the value, and label as option label.
Get Roles
GET : https://pos.domain.com/sso/callback/get_roles
Expected API Responses
{
"status": "success",
"message": "Role list",
"data": [
{
"value": "admin",
"label": "Admin"
},
{
"value": "sales",
"label": "Sales"
},
{
"value": "waiter",
"label": "Waiter"
},
{
"value": "kitchen",
"label": "Kitchen"
}
]
}Option Result
SSO will create a role select option based on the application you created.
Assigning User in Product
Once a user is successfully assigned to a product in SSO, SSO will send the user data via API to the SSO Client. In this process, the client must handle the user data to be stored in the user database. Once the user data is successfully saved, you must provide a response back to SSO, so that SSO will process the user data.
POST : https://pos.domain.com/sso/callback/assign_user
Body Parameter
| Field | Descriptions | type |
|---|---|---|
email | Email of the user | string |
first_name | First name of the user. | string |
last_name | Last name of the user. | string |
main_user_id | Your main user id (sso client external_id) who assigned the user to the product. | string |
phone | User's phone number (if provided). | string |
property_id | I will be in the form of an array, indicating that 1 user can be assigned to several properties | array |
role | Role of user based on your select option | string |
username | Email of the user | string |
Expected API Responses
{
"status": "success",
"message": "User successfully assigned",
"data": "{user_id}"
}| Field | Descriptions | type |
|---|---|---|
status | must be “success“ if the process is success, and “error“ is the register process is fail. | string |
message | Optional message | string |
data | This is mandatory. Must be fill with your user ID that has ben registered. In SSO it will be stored as user external_id | string |
Assign User From Client Product to SSO
This is a reverse scenario that registers users is on your product, then the product must send the user data to SSO to be integrated. SSO will return a successful or failed response according to the condition of the data you sent.
POST : API_BASE_URL/user/product/add-user
curl --location 'API_BASE_URL/user/product/add-user' \
--header 'ProductAuthorization: Bearer lVC3WbusmJFK4UClg3wlJFOp4A6bxSxj1S2ezUqkSNIg8347fkOiovkAlGnfc' \
--form 'username="johndoe"' \
--form 'email="user@domain.com"' \
--form 'first_name="John"' \
--form 'last_name="Doe"' \
--form 'password="supersecurepassword"' \
--form 'status="1"' \
--form 'phone=""' \
--form 'phone_verified="1"' \
--form 'email_verified="1"' \
--form 'external_id="1000"' \
--form 'main_user_external_id="1"' \
--form 'role="kitchen"'| Field | Descriptions | type |
|---|---|---|
email | The email address of the user. This must be unique | integer |
email_verified | A boolean value indicating whether the user's email address has been verified (1 for true, 0 for false). | boolean |
external_id | An external identifier associated with the user, used for integration purposes. | string |
first_name | The first name of the user. | string |
last_name | The last name or surname of the user. | string |
main_user_external_id | An external identifier referring to the main user associated with this account (if applicable). | string |
password | The password for the user account. Ensure it is a secure and strong password. | string |
phone | The phone number associated with the user account. | string |
phone_verified | A boolean value indicating whether the user's phone number has been verified (1 for true, 0 for false). | boolean |
role | The role or designation assigned to the user (e.g., "kitchen"). Specifies the user's functional role within the system. | string |
status | A numerical value representing the status of the user account (e.g., 1 for active, 0 for inactive). | boolean |
username | The unique username associated with the user account. | object |
Response Parameters
{
"status": "success",
"message": "User saved successfully",
"data": {
"id": 2,
"username": "johndoe",
"email": "user@domain.com",
"first_name": "John",
"last_name": "Doe",
"phone": "082xxxxxxx",
"phone_verified": true,
"email_verified": true,
"status": true,
"mfa_active": true,
"meta_data": "",
"remember_token": "",
"last_login": null,
"last_login_ip": "",
"created_at": "2023-10-30T14:32:51.877Z",
"updated_at": "2023-10-30T14:44:48.992+08:00",
"main_user_id": null,
}
}Error Responses
| Status Code | Message | Description |
|---|---|---|
| 400 | Username or Email is already exits | Indicate the user with username or email was already exists |
| 500 | Error occurred | Internal Server Error |
| 400 | User with that ID was already registered | Indicate your external_id was already registerer |
Note: If this error was occurred, you can delete your user in your local database, or rollback you database transaction.
Update User
There are 2 scenarios for the user update process.
- First, updates are initiated by users through the SSO (Single Sign-On) dashboard. In this scenario, SSO will send the update results to the relevant product to reflect the changes made.
- Second, the scenario involves users updating their profiles directly from the product. The product must send these updates to the SSO for data integration.
Update User from SSO to Product
Once a user is successfully updated in SSO, SSO will send the user data via API to the SSO Client. In this process, the client must handle the user data to be update by external_id.
POST : https://pos.domain.com/sso/callback/update_user
Body Parameter
| Field | Descriptions | type |
|---|---|---|
email | Email of the user | string |
first_name | First name of the user. | string |
last_name | Last name of the user. | string |
main_user_id | Your main user id (sso client external_id) who assigned the user to the product. | string |
phone | User's phone number (if provided). | string |
property_id | I will be in the form of an array, indicating that 1 user can be assigned to several properties | array |
role | Role of user based on your select option | string |
username | Email of the user | string |
| avatar | User avatar image | string |
Success API Responses
{
"status": "success",
"message": "User updated successfully",
"data": null
}Error API Responses
{
"status": "error",
"message": "Unable to update user",
"data": null
}Update User from Product to SSO
This is a reverse scenario that user update their profile in product, then the product must send the user data to SSO to be integrated with SSO. SSO will return a successful or failed response according to the condition of the data you sent
PUT : API_BASE_URL/user/{external_id}/product/update-user
curl --location --request PUT 'API_BASE_URL/user/1/product/update-user' \
--header 'ProductAuthorization: Bearer lVC3WbusmJFK4UClg3wlJFOp4A6bxSxj1S2ezUqkSNIg8347fkOiovkAlGnfc' \
--form 'username="johndoe"' \
--form 'email="user@domain.com"' \
--form 'first_name="John"' \
--form 'last_name="Doe"' \
--form 'avatar="http//example.com/avatar-image.png"'Path Variables
| Field | Descriptions | type |
|---|---|---|
external_id | Your local database user ID | string |
Body Parameter
| Field | Descriptions | type |
|---|---|---|
email | Email of the user | string |
first_name | First name of the user. | string |
last_name | Last name of the user. | string |
phone | User's phone number (if provided). | string |
username | Username of the user | string |
| avatar | User avatar image | string | optional |
Response Parameters
{
"status": "success",
"message": "User updated successfully",
"data": {
"id": 2,
"username": "johndoe",
"email": "user@domain.com",
"first_name": "John",
"last_name": "Doe",
"avatar" : "http//example.com/avatar-image.png",
"phone": "081xxxxxxxx",
"phone_verified": true,
"email_verified": true,
"status": true,
"mfa_active": true,
"meta_data": "",
"remember_token": "",
"last_login": null,
"last_login_ip": "",
"created_at": "2023-10-30T14:32:51.877Z",
"updated_at": "2023-10-30T14:44:48.992+08:00",
"main_user_id": null
}
}Error Responses
| Status Code | Message | Description |
|---|---|---|
| 400 | Username or Email is already exits | Indicate the user with username or email was already exists |
| 400 | Unable to get user data | Unable to get user data by external_id |
Note : If this error occurred, you can rollback the changes
Un Assign User
The user unassign process is carried out on the SSO dashboard for users on the product. For the unassign process, SSO will send unassigned user data from the related product. You can carry out a soft delete process or deactivate the user on your product.
POST : https://pos.domain.com/sso/callback/remove_user
Body Parameter
| Field | Descriptions | type |
|---|---|---|
user_id | Your local database user ID for the deleted user | string |
Expected API Responses
{
"status": "success",
"message": "User deleted successfully",
"data": null
}Import User
This endpoint is used when you want to carry out the bulk data import process for users
POST : API_BASE_URL/user/import
curl --location 'API_BASE_URL/user/import' \
--header 'ProductAuthorization: Bearer lVC3WbusmJFK4UClg3wlJFOp4A6bxSxj1S2ezUqkSNIg8347fkOiovkAlGnfc' \
--header 'Content-Type: application/json' \
--data-raw '[
{
"external_id": "1",
"main_user_external_id" : "0",
"username": "admin",
"email": "admin@domain.com",
"first_name": "admin",
"last_name": "Admin User",
"status": 1,
"phone": null,
"phone_verified": 0,
"email_verified": 1
},
{
"external_id": "28",
"main_user_external_id" : "1",
"username": "john",
"email": "john.doe@domain.com",
"first_name": "JOhn",
"last_name": "Doe",
"status": 1,
"phone": null,
"phone_verified": 0,
"email_verified": 1
}
]'Header Parameter
| Field | Descriptions | type |
|---|---|---|
| ProductAuthorization | Bearer + product_token | text |
Body Parameter
| Field | Descriptions | type |
|---|---|---|
email_verified | A boolean value indicating whether the user's email address has been verified (1 for true, 0 for false). | boolean |
external_id | An external identifier associated with the user, used for integration purposes. | string |
first_name | The first name of the user. | string |
last_name | The last name or surname of the user. | string |
main_user_external_id | An external identifier referring to the main user associated with this account (if applicable). | string |
phone | The phone number associated with the user account. | string |
status | A numerical value representing the status of the user account (e.g., 1 for active, 0 for inactive). | boolean |
username | The unique username associated with the user account. | string |
Response Parameters
{
"status": "success",
"message": "User data imported successfully",
"data": {
"imported": 0,
"error_validation": 0,
"unique_validation": 2,
"total_error": 0,
"total_data": 2
}
}| Field | Descriptions | type |
|---|---|---|
imported | The number of user that successfully imported | integer |
error_validation | The number of user data that fail to import due to error form validation | integer |
unique_validation | The number of user data that fail to import due to error unique username or email | integer |
total_error | The number of internal SSO error | integer |
total_data | Total data that has been processed | integer |
- On importing user data process, the password will be set empty in the Single Sign-On (SSO), so when attempting to log in to SSO, users will need to go through the password reset process first before being able to proceed with the login process.
Get Product List
This endpoint is used to get a list of products based on logged in users. On this endpoint, you can display a list of products in your user dashboard. This is useful so that users can easily navigate to each product without remembering the product URL.
Note: This endpoint will only return a list of products other than the product you used in the Auth Product Token in the header parameters.
GET : API_BASE_URL/product/list/by-user-product
curl --location 'API_BASE_URL/product/list/by-user-product' \
--header 'Authorization: Bearer sj9293uruwejdwe923jfee..' \
--header 'ProductAuthorization: Bearer lVC3WbusmJFK4UClg3wlJFOp4A6bxSxj1S2ezUqkSNIg8347fkOiovkAlGnfc...'Header Parameter
| Field | Descriptions | type |
|---|---|---|
| Authorization | Bearer + user_token | text |
| ProductAuthorization | Bearer + product_token | text |
Response Parameters
{
"status": "success",
"message": "Product list by user product",
"data": [
{
"id": "2",
"name": "Channel Manager",
"url": "https://cm.domain.com",
"description": "Some product description",
"status": true,
"image_url": "https://cm.domain.com/assets/logo.png",
"external_id": "272"
}
]
}| Field | Descriptions | type |
|---|---|---|
id | SSO Product ID | string |
name | Product Name | string |
url | Client product URL | string |
status | Indicate user product status in SSO | boolean |
image_url | Product logo image | string |
external_id | Logged in user external_id | string |
Error Responses
| Status Code | Message | Description |
|---|---|---|
| 401 | Please login to continue | Indicate the user token is expired |
| 401 | User not found, please sign in | Indicate the user was not found or deactivate in SSO |
| 401 | Unauthorized | Indicate the product token is un valid |
Logout User
During the logout process, SSO marks the user's token as expired. To carry out this process, you can direct your user to the BASE_URL + /auth/logout page.
GET : BASE_URL/auth/logout
Next, SSO will carry out the logout process and end by redirecting your user to the SSO login page.
On this page
