
I'm attempting to implement a Single Sign On (SSO) using the Blackbaud documentation they sent to me. My client is on ColdFusion but Blackbaud's examples are all in PHP or C+. PHP is more readable (by me) so I opted to convert this code:

<?php
/* make_sso_url
* $sharedkey = the key that is specified in Sites & settings
* $username = the Blackbaud NetCommunity username to log in with
* $url = the URL of the page with the User Login part that users should be directed to
* $ip = the IP address the user should be from
* $includeip = whether or not to include ip address in the hash
*/
function make_sso_url($sharedkey,$username,$url,$ip){
    $time = time();
    $hashString = $sharedkey.$username.$time;
    return $url."&t=".$time."&u=".$username."&m=".md5($hashString);
}
?>

Before I get too far in this process, this looks to simply be an ajax call using PHP variables. If this is the case, then I can just use ColdFusion variables, build out the URL string, use jQuery JSONP to make the domain/ajax call, get what I need from Blackbaud's system and I'm golden. Have I missed anything?

HPWD
  • P.S. I'm still creating the estimate for this client so I have not put any code on paper so to speak, just working out the time estimate required to implement the process. – HPWD Mar 31 '15 at 18:28
  • This has nothing to do with Ajax. This takes a URL and appends a Get string containing time, username, and an MD5 of a key, the username, and time (supposedly so the other side can verify that the time and username are not faked). Note that IP is not used. Must be a planned or dropped security idea. – kainaw Mar 31 '15 at 18:34
  • kainaw - the lack of IP was copy and paste error on my part - thanks for pointing that out. Is there any reason why ajax couldn't be used assuming Blackbaud supports JSON results? – HPWD Mar 31 '15 at 18:58
  • Ajax is used in JavaScript on the client side. This is PHP on the server side. There is no reason that you couldn't make an Ajax call to a PHP script - that is what is normally done. However, you can't run PHP code on the client. Is it possible you are confusing Ajax and cURL? It may be that this code is being used to build a URL to use in a cURL request. – kainaw Mar 31 '15 at 19:41
  • Based on the documentation provided (page 5 of https://www.blackbaud.com/files/support/guides/bbnc/ssore.pdf), I don't believe this to be a cURL request. I did email Blackbaud this evening so maybe I'll hear back tomorrow night and can provide additional feedback here. – HPWD Apr 01 '15 at 05:15
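
The link format discussed above (`t`, `u` and `m` = MD5 of shared key, username and time), shown with the kind of check a receiving side could run on it. This is an added example, not Blackbaud's code and not part of the original thread; `verify_sso_query()`, the 300-second window, the URL-encoding of the username and all sample values are assumptions.

```php
<?php
// Added illustration. Only the t/u/m parameter names and the
// md5(sharedkey . username . time) layout come from the question.

function make_sso_url(string $sharedKey, string $username, string $url, ?int $now = null): string
{
    $time = $now ?? time();
    $mac  = md5($sharedKey . $username . $time);
    // Assumption: encode the username so characters like & or + survive the query string.
    return $url . '&t=' . $time . '&u=' . urlencode($username) . '&m=' . $mac;
}

// Hypothetical receiver-side check: recompute the MD5 and reject old links.
function verify_sso_query(string $sharedKey, array $query, int $now, int $maxSkew = 300): bool
{
    foreach (['t', 'u', 'm'] as $k) {
        // parse_str() can yield arrays (u[]=x), so insist on plain strings.
        if (!isset($query[$k]) || !is_string($query[$k])) {
            return false;
        }
    }
    if (!ctype_digit($query['t'])) {
        return false;
    }
    if (abs($now - (int) $query['t']) > $maxSkew) {
        return false; // stale or future-dated link
    }
    $expected = md5($sharedKey . $query['u'] . $query['t']);
    // Constant-time comparison of the two hex digests.
    return hash_equals($expected, strtolower($query['m']));
}

// Constructed sample values.
$key  = 'example-shared-key';
$now  = 1427826480;
$link = make_sso_url($key, 'jdoe', 'https://example.org/login?pid=1', $now);
parse_str(parse_url($link, PHP_URL_QUERY), $q);

var_dump(verify_sso_query($key, $q, $now));        // link checked at issue time
var_dump(verify_sso_query($key, $q, $now + 3600)); // same link one hour later
$q['u'] = 'admin';
var_dump(verify_sso_query($key, $q, $now));        // username altered after signing
```

Because computing `m` requires the shared key, the URL has to be built in server-side code (ColdFusion in this case) and handed to the browser as a link or redirect; building it in client-side JavaScript would expose the key to every visitor.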
