Use this area to configure Glance solutions to either integrate with one of our partners such as:
In addition to integrating with our partners, you can also configure our products to generate login keys and single sign-on. See below for more information.
Use this section to generate a Login Key for Single Sign-on when using Glance Cobrowse and Screen Share. This section also includes information on Login Key features and format, usage examples, and security considerations.
Login Key Definition
The Glance Login Key is a time-limited token issued by a partner or customer, used to authenticate a user to various Glance services.
The Login Key is passed on https: or glance: URLs in one of the following ways:
- Appended to the username—for example, fred.glance.net (a Glance Address) after a tilde:
- Passed along with Partner ID and Partner User ID parameters, typically:
A Glance user is uniquely identified by either a username or a Partner ID/Partner User ID pair.
Features of the Login Key
- Uses current best practice SHA-2 family of hashes.
- Expiration period selectable by the customer.
- Includes algorithm versioning to allow future changes with backward compatibility.
The Login Key format is identified by a leading dollar sign. (This distinguishes it from the previous format login key.)
Login Key Components:
||Must be 1 for this version of the key algorithm.|
||The Unix (POSIX) epoch time: the number of seconds, in decimal, since 00:00:00 UTC Jan 1 1970.
There is also a maximum time in the future for a valid expiration time (currently set to one day) to protect against possible accidentally generated keys with extended expiration times.
The HMAC must then be encoded as Base64URL (RFC 4648) without any trailing padding (“=”) characters.
The resulting Login Key is 57 characters long.
Visit Glance Login Key Check to view an HTML page with a form to generate and test login keys.
Typically, key generation will be done by server-side code to protect the API Key.
.NET C# Sample:
    using System;

    public static string GenerateLoginKey(int partnerId, string partnerUserId,
        int expirationSeconds, string apikey)
    {
        const int ver = 1;
        // Expiration as Unix epoch seconds (UTC).
        DateTime expires = DateTime.Now.AddSeconds(expirationSeconds);
        DateTime epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        int expiration = Convert.ToInt32((expires.ToUniversalTime() - epoch).TotalSeconds);
        // Message to authenticate. Assumption: the expiration is the final term
        // (this statement is cut off after ver.ToString() in the sample as shown here).
        string message = partnerId.ToString() + partnerUserId.ToString() + ver.ToString()
            + expiration.ToString();
        var encoding = new System.Text.UTF8Encoding();
        // HMAC-SHA256 keyed with the API key.
        var hmac = new System.Security.Cryptography.HMACSHA256(encoding.GetBytes(apikey));
        string hash = Convert.ToBase64String(hmac.ComputeHash(encoding.GetBytes(message)));
        hash = hash.Substring(0, 43).Replace('+', '-').Replace('/', '_'); // base64url no padding
        string loginkey = '$' + ver.ToString() + '$' + expiration.ToString() + '$' + hash;
        return loginkey;
    }
A Login Key can be used instead of supplying a Glance username and password when accessing various Glance services.
The Login Key can be used to start a screen-sharing session in the following ways:
- Passing it to a web page that checks for an installed client, optionally installs it, and signals it to start a session:
- Passing it on a glance:// URL to invoke the glance client:
- It can also be used to allow an agent to join a cobrowsing session as detailed in the Glance Cobrowse Getting Started section and the Glance Cobrowse Customizing section:
http://glance.net/cobrowse/AgentView.aspx?SessionKey=[key]&partnerid=[pid]&partneruserid=[puid]&loginkey=[loginkey]
- The HMAC algorithm is current best practice for message authentication.
- SHA-2 is current best practice for hashing and approved by FIPS and other authorities.
- The security of HMAC is dependent on a sufficiently large key value. Glance currently assigns a 128-bit random API key, but a larger key can easily be assigned to any Glance customer.
- In the case that a Login Key is generated with an erroneously long expiration, the customer’s API key can be updated to invalidate any outstanding keys. This is mitigated somewhat by limiting how far in the future expiration will be allowed.
- There is no nonce value in the key that prevents replay attacks. This is because the mechanism is designed to be stateless. The expiration timestamp mitigates this potential concern. The Login Key should be sent over a secure connection. The Login Key is sent between the Glance user (session host or co-browse agent) and Glance. It is not sent to the end guest/visitor.
- The Login Key is intended as a password replacement, not for signing an entire command. It does not include the Session Key and other parameters including display, forward/reverse, and remote control requested.
- There is no three-party authentication as in OAuth. Currently, the usage is for customers or partners to generate their own keys for their own users, using their own API Key.
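The key format and the stateless checks described above (version, expiry, the one-day cap on future expirations, and the HMAC), as a Python example added here; it is not Glance's code. The message layout (partner ID, partner user ID, version, expiration, concatenated with no separators) is an assumption, and check_login_key, its reason strings and the sample values are hypothetical.

```python
import base64, hashlib, hmac, time

VERSION = 1
MAX_LIFETIME = 24 * 60 * 60  # page: expirations more than one day ahead are not valid

def _mac(partner_id, partner_user_id, expiration, api_key):
    # Assumed layout: decimal/UTF-8 text, concatenated without separators.
    msg = f"{partner_id}{partner_user_id}{VERSION}{expiration}".encode("utf-8")
    digest = hmac.new(api_key.encode("utf-8"), msg, hashlib.sha256).digest()
    # Base64URL (RFC 4648) with the trailing "=" padding removed: 43 characters.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def generate_login_key(partner_id, partner_user_id, lifetime_seconds, api_key, now=None):
    now = int(time.time()) if now is None else now
    # Refuse over-long lifetimes at the source instead of relying on the server cap.
    if not 0 < lifetime_seconds <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 second and one day")
    expiration = now + lifetime_seconds
    mac = _mac(partner_id, partner_user_id, expiration, api_key)
    return f"${VERSION}${expiration}${mac}"

def check_login_key(key, partner_id, partner_user_id, api_key, now=None):
    """Stateless check: returns (ok, reason). No nonce, so replay within
    the lifetime is accepted, as the page notes."""
    now = int(time.time()) if now is None else now
    parts = key.split("$")
    if len(parts) != 4 or parts[0] != "":
        return False, "malformed"
    _, version, exp_text, mac = parts
    if version != str(VERSION):
        return False, "unsupported version"
    if not (exp_text.isascii() and exp_text.isdigit()):
        return False, "malformed"
    expiration = int(exp_text)
    expected = _mac(partner_id, partner_user_id, expiration, api_key)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False, "bad signature"
    if expiration <= now:
        return False, "expired"
    if expiration > now + MAX_LIFETIME:
        return False, "expiration too far in the future"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    k = generate_login_key(1234, "agent42", 300, "constructed-api-key")
    print(k, len(k), check_login_key(k, 1234, "agent42", "constructed-api-key"))
```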