Token Exchange Single Sign-On
Overview
Token Exchange is a custom Single Sign-On method. University systems send GradesFirst a security token and user id. GradesFirst responds with an authentication token which can be used to authenticate a user to the system.
Authentication Process
- A user logs into a university system, such as a web portal which displays a dashboard of online services including email, course information, and a link to GradesFirst.
- The user clicks the link to access GradesFirst. This references a script on the university server that has access to the user's authentication information, namely their user id.
- The university server sends the user id along with a security token to GradesFirst.
- Template Request
https://<School Sub-domain>.gradesfirst.com/cas/schools/<School ID>/reverse_session/new?<Security Token Parameter Name>=<Security Token>&<User ID Parameter Name>=<User ID>
- Example Request
https://myschool.gradesfirst.com/cas/schools/1234-my_school/reverse_session/new?security_token=qwepor3940adsfkla6723jdflk24&user_id=my-username
- If the security token is verified and the specified user id is found, GradesFirst returns an HTTP 200 response with one of two values: the authentication token or the full return URL including the token as a parameter. This setting can be configured by GradesFirst Support.
Examples:
- Authentication Token: df8fdbd5900d3fca7c5c76a1fcb881d5
- Full Return URL: https://myschool.gradesfirst.com/cas/schools/1234-my_school/reverse_session?token=df8fdbd5900d3fca7c5c76a1fcb881d5
- If the security token is not verified or the specified user id is not found, GradesFirst returns an HTTP 404 (not found) response.
- If a parameter is missing, GradesFirst returns an HTTP 500 response.
- The university server receives the authentication token.
- The university server redirects the user's browser back to GradesFirst, including the authentication token in the URL.
- Template Request
https://<School Sub-domain>.gradesfirst.com/cas/schools/<School ID>/reverse_session?<Token Parameter Name>=<Auth Token>
- Example Request
https://myschool.gradesfirst.com/cas/schools/1234-my_school/reverse_session?token=df8fdbd5900d3fca7c5c76a1fcb881d5
- GradesFirst validates the authentication token, logs the user into the appropriate user account, and displays their GradesFirst home page.
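The university-server side of the steps above, as an added example that is not GradesFirst's own code. It assumes the default parameter names and the example school values from this page; the function names are hypothetical, and the host and path check on a returned full URL is an added precaution rather than something this page requires.

```python
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import urlopen
from urllib.error import HTTPError

# Example values taken from this page; function names are hypothetical.
HOST = "myschool.gradesfirst.com"
BASE = f"https://{HOST}/cas/schools/1234-my_school/reverse_session"

def exchange_url(security_token, user_id):
    """Server-to-server request URL. It carries the shared security token,
    so it must never be sent to the user's browser."""
    query = urlencode({"security_token": security_token, "user_id": user_id})
    return f"{BASE}/new?{query}"

def redirect_url(status, body):
    """Map the GradesFirst response to the URL the browser is redirected to."""
    if status == 404:
        raise PermissionError("security token not verified or user id not found")
    if status == 500:
        raise ValueError("a required parameter is missing")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    body = body.strip()
    if body.startswith("https://"):            # "Full Return URL" response format
        parts = urlsplit(body)
        # Added precaution (assumption): redirect only to the expected endpoint.
        if parts.hostname != HOST or parts.path != urlsplit(BASE).path:
            raise RuntimeError("return URL does not point at the expected endpoint")
        if not parse_qs(parts.query).get("token"):
            raise RuntimeError("return URL carries no token")
        return body
    if not body:
        raise RuntimeError("empty authentication token")
    return f"{BASE}?{urlencode({'token': body})}"   # "Authentication Token" format

def sign_on(security_token, user_id):
    """Perform the exchange over HTTPS and return the redirect URL."""
    try:
        with urlopen(exchange_url(security_token, user_id), timeout=10) as resp:
            return redirect_url(resp.status, resp.read().decode("utf-8"))
    except HTTPError as err:                   # urllib raises on 404 and 500
        return redirect_url(err.code, "")
```

Building the query with `urlencode` keeps a user id containing `&` or `=` from adding or overriding parameters in the request.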
Options
Parameter Names
The following parameter names can be configured by GradesFirst support to assist you in your implementation of Token Exchange authentication. We recommend that you use the default values if possible.
Parameter Name | Default Value |
---|---|
Security Token Parameter Name | security_token |
User ID Parameter Name | user_id |
Token Parameter Name | token |
Authentication Response
When a user is authenticated, GradesFirst returns a response in one of two formats. GradesFirst support can configure this setting for you based on your needs.
- Authentication Token
Example: df8fdbd5900d3fca7c5c76a1fcb881d5
- Full Return URL
Example: https://myschool.gradesfirst.com/cas/schools/1234-my_school/reverse_session?token=df8fdbd5900d3fca7c5c76a1fcb881d5