Login Key for Single Sign-On

This section explains how to generate a Login Key for Single Sign-on when using Glance Cobrowse. Login Key features and format, usage examples, and security considerations are also discussed.

What is the Glance Login Key?

The Glance Login Key is a time-limited token issued by a partner or customer, used to authenticate a user to various Glance services.

The Login Key is passed on https: or glance: URLs in one of the following ways:

  1. Appended to the username (for example, fred.glance.net, a Glance Address) after a tilde: [username]~[loginkey]
  2. Passed along with Partner ID and Partner User ID parameters, typically: partnerid=[partnerid]&partneruserid=[partneruserid]~[loginkey]

A Glance user is uniquely identified by either a username or a Partner ID/Partner User ID pair.

Features

  • Uses current best practice SHA-2 family of hashes.
  • Expiration period selectable by the customer.
  • Includes algorithm versioning to allow future changes with backward compatibility.

Format

The Login Key format is identified by a leading dollar sign. (This distinguishes it from the previous format login key.)

Format: $[ver]$[expirationtime]$[signature]

Example: $1$1392680360$YsT2Kj8rOp6FaJOG69o3QOj-GUacRiOo7Gw6l1EPVB8

Components

Component: Description

  • [ver]: Must be 1 for this version of the key algorithm.
  • [expirationtime]: The Unix (POSIX) epoch time: the number of seconds, in decimal, since 00:00:00 UTC Jan 1 1970. This is also the value returned by the JavaScript Date.valueOf method, integer-divided by 1000. The key is valid until this time (current time must be less than [expirationtime]). There is also a maximum time in the future for a valid expiration time (currently set to one day), to protect against accidentally generated keys with extended expiration times.
  • [signature]: HMAC_SHA256([apikey], [partnerid][partneruserid][version][expirationtime]). HMAC_SHA256 takes (secret key, message) arguments and generates a hash-based message authentication code.

NOTE: SHA-256 is the 256 bit variant of SHA-2.

The second (message) argument is the string concatenation of the four values. The HMAC must then be encoded as Base64URL (RFC 4648) without any trailing padding ("=") characters.

Samples

Visit Glance Login Key Check to view an HTML page with a form to generate and test login keys.

The page may be saved and used locally since the key generation is carried out in the browser-side JavaScript, and the page does not make server requests. To see working code that generates a Login Key, please refer to the JavaScript source.

Typically, key generation will be done by server-side code to protect the API Key.

.NET C# Sample

using System;
using System.Security.Cryptography;
using System.Text;

// Builds "$[ver]$[expirationtime]$[signature]" for the given partner user.
public static string GenerateLoginKey(int partnerId, string partnerUserId,
  int expirationSeconds, string apikey)
{
  const int ver = 1;

  // Expiration time as Unix epoch seconds (UTC).
  DateTime expires = DateTime.UtcNow.AddSeconds(expirationSeconds);
  DateTime epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
  int expiration = Convert.ToInt32((expires - epoch).TotalSeconds);

  // The message is the plain concatenation of the four values.
  string message = partnerId.ToString() + partnerUserId + ver.ToString()
    + expiration.ToString();
  var encoding = new UTF8Encoding();

  string hash;
  using (var hmac = new HMACSHA256(encoding.GetBytes(apikey)))
  {
    hash = Convert.ToBase64String(hmac.ComputeHash(encoding.GetBytes(message)));
  }
  // Base64 of a 32-byte HMAC is 44 characters ending in one '=';
  // keep the first 43 and switch to the URL-safe alphabet.
  hash = hash.Substring(0, 43).Replace('+', '-').Replace('/', '_'); // base64url no padding
  string loginkey = "$" + ver.ToString() + "$" + expiration.ToString() + "$" + hash;
  return loginkey;
}
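
A Node.js counterpart to the C# sample, added here as an example (it is not Glance's code, nor the JavaScript from the Login Key Check page): it generates a key and then applies the rules from the Components section (version, signature, expiration, one-day limit) to a received key. The function names, API key and IDs are assumptions constructed for illustration.

```javascript
// Added example, not Glance's code. Function names, API key and IDs are constructed.
const crypto = require('node:crypto');

const MAX_LIFETIME_SECONDS = 24 * 60 * 60; // the page's "currently set to one day" limit
const nowSeconds = () => Math.floor(Date.now() / 1000); // Date.valueOf() / 1000, as on the page

// Base64URL (no padding) of HMAC_SHA256(apikey, partnerid + partneruserid + ver + expirationtime).
function sign(apiKey, partnerId, partnerUserId, ver, expiration) {
  const message = `${partnerId}${partnerUserId}${ver}${expiration}`;
  return crypto.createHmac('sha256', apiKey).update(message, 'utf8').digest('base64url');
}

function generateLoginKey(partnerId, partnerUserId, lifetimeSeconds, apiKey, now = nowSeconds()) {
  const expiration = now + lifetimeSeconds;
  return `$1$${expiration}$${sign(apiKey, partnerId, partnerUserId, 1, expiration)}`;
}

// Returns 'ok' or the reason for rejection.
function checkLoginKey(loginKey, partnerId, partnerUserId, apiKey, now = nowSeconds()) {
  // A 32-byte HMAC is exactly 43 Base64URL characters once the padding is dropped.
  const m = /^\$(\d+)\$(\d{1,10})\$([A-Za-z0-9_-]{43})$/.exec(loginKey);
  if (!m) return 'malformed';
  const [, ver, expText, signature] = m;
  if (ver !== '1') return 'unsupported version';
  // Authenticate first, over the exact digits received, then trust the expiration field.
  const expected = Buffer.from(sign(apiKey, partnerId, partnerUserId, ver, expText));
  if (!crypto.timingSafeEqual(expected, Buffer.from(signature))) return 'bad signature';
  const expiration = Number(expText);
  if (now >= expiration) return 'expired';
  if (expiration - now > MAX_LIFETIME_SECONDS) return 'expiration too far in the future';
  return 'ok';
}

// Demo with constructed values.
const demoKey = generateLoginKey(1234, 'agent42', 300, 'constructed-api-key');
console.log(demoKey, checkLoginKey(demoKey, 1234, 'agent42', 'constructed-api-key'));
```

The signature is compared with crypto.timingSafeEqual rather than ===, so the comparison time does not depend on how many leading characters match.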

A Login Key can be used instead of supplying a Glance username and password when accessing various Glance services.

The Login Key can be used to start a screen-sharing session in the following ways:

  • Passing it to a web page that checks for an installed client, optionally installs it, and signals it to start a session:
    https://www.glance.net/InstallStart.asp?partnerid=[pid]&partneruserid=[puid]~[loginkey]

  • Passing it on a glance:// URL to invoke the Glance client:
    glance://startssn/webserver?key=[sessionkey]&username=[username]~[loginkey]

It can also be used to allow an agent to join a cobrowsing session as detailed in the Cobrowse Getting Started section.
