Single Sign-On (SSO)
Union requires single sign-on (SSO) using SAM. Unlike normal SAM integrations, however, applications hosted in Union obtain their SAM token from Union directly rather than through the traditional SAM redirect.
Union/SAM Integration Steps
- Add a JavaScript reference to `[UNION_URL]/assets/access-token[.min].js`.
  - For best performance, make this the first script reference on your page.
  - On a user’s first request to your application, this script will cause a transparent redirect to Union to fetch and store the user’s initial access token.
- Use the “union-access-token” variable located in sessionStorage to authenticate API calls and retrieve the user’s profile from SAM.
  - This value is initially set by Union during the transparent redirect and subsequently maintained by Union via the Distributed Event Manager (DEM).
- “union-access-token” is stored in encrypted form and can be used only after decrypting it. Union encrypts the access token with AES, using https://www.npmjs.com/package/crypto-es, before storing it in sessionStorage; the same library can be used for decryption. Check with the Union team for the key.
- Once you have the access token, you will need to obtain the user object. You can obtain it either from the SAM API directly or from the Union API. This table details the Union API call that is available for obtaining the user.

  | Endpoint | Method | Request Headers | Response Body |
  | --- | --- | --- | --- |
  | https://api.uat.finapps.ihsmarkit.com/user<br>https://api.finapps.ihsmarkit.com/user | GET | “authorization” | `{ "access_token": string, "expires_at": date, "scope": string, "token_type": string, "profile": { "email": string, "family_name": string, "given_name": string, "name": string, "sub": string } }` |

- Optionally, set up a logout API endpoint to be notified when the user logs out of Union. (Set the endpoint via the manifest file for the product.)
  - If you have reason to log a user out from within your application, you can do so by emitting the logout event via the DEM.
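
The token and user-lookup steps above, as an added example that is not Union's own code: it reads “union-access-token”, decrypts it through a caller-supplied function, calls `/user`, and checks the response before the profile is used. The function names, the injected `storage`/`decrypt`/`fetchImpl` parameters, sending the decrypted token as the raw `authorization` value, and `expires_at` being parseable by `Date` are assumptions.

```javascript
// Added example, not Union's code. Dependencies are injected so it runs in Node or a browser.
const TOKEN_KEY = "union-access-token"; // sessionStorage key named on the page

// decrypt: caller-supplied (ciphertext) => plaintext. With crypto-es this would
// typically wrap CryptoES.AES.decrypt(ct, key).toString(CryptoES.enc.Utf8);
// the key and exact parameters come from the Union team (assumption).
function readAccessToken(storage, decrypt) {
  const stored = storage.getItem(TOKEN_KEY);
  if (!stored) throw new Error("no Union token in storage yet");
  let token;
  try {
    token = decrypt(stored);
  } catch (_err) {
    throw new Error("token decryption failed"); // never echo ciphertext or key
  }
  // A wrong key commonly yields an empty string rather than an exception.
  if (typeof token !== "string" || token.trim() === "") {
    throw new Error("token decryption failed");
  }
  return token;
}

// Check the /user response against the shape in the table before trusting it.
// Assumption: expires_at is a value Date can parse; anything else fails closed.
function validateUser(body, now = new Date()) {
  const p = body && body.profile;
  if (!p || typeof p.sub !== "string" || p.sub === "") {
    throw new Error("user response has no profile.sub");
  }
  const expires = new Date(body.expires_at);
  if (Number.isNaN(expires.getTime()) || expires <= now) {
    throw new Error("access token is expired or expires_at is invalid");
  }
  return { sub: p.sub, email: p.email, name: p.name, expiresAt: expires };
}

// baseUrl is one of the API hosts from the table; fetchImpl defaults to global fetch.
// Assumption: the decrypted token is sent as the "authorization" value as-is.
async function fetchUnionUser(baseUrl, storage, decrypt, fetchImpl = fetch) {
  const token = readAccessToken(storage, decrypt);
  const res = await fetchImpl(`${baseUrl}/user`, {
    method: "GET",
    headers: { authorization: token },
  });
  if (!res.ok) throw new Error(`Union /user returned HTTP ${res.status}`);
  return validateUser(await res.json());
}
```

In a browser, pass `window.sessionStorage` as `storage`; keep the decrypted token in memory only and out of logs and error messages.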