delegated authentication

iVocalize rooms use Persona as the normal method of login. Server customers with many rooms may use delegated authentication in place of Persona to provide their own user authentication.

Delegated Authentication means that iVocalize does not attempt to directly sign in the user. Instead iVocalize delegates that function to your website.

To enable delegated authentication, contact iVocalize support to set the URL of your delegated authentication script.

Consider a typical delegated authentication scenario for yoursite.com, whose users sign in to rooms hosted on yourserver.net:

Delegated Authentication Stages

  1. Your website directs the user to https://yourserver.net/#ServerName/RoomName##AuthToken

  2. iVocalize POSTs these fields back to your authentication script:

    ivHost   host name of conference room, ex: yourserver.net
    ivPath   path of conference room, ex: ServerName/RoomName
    ivToken  authentication token, ex: AuthToken
    ivIP     client IP address
  3. Your authentication script responds with a JSON object containing 3 fields:

    uname  user name. string.
           1-30 characters.
           unique for each user in your system.
    role   privilege level. integer.
           -1: blocked
            0: guest
            1: member
            2: presenter
            3: moderator
            4: administrator
            5: owner
    redir  redirect url. string.
           url where the user will be redirected following logout or an invalid auth token.

    For example, to sign John Smith in as an administrator, the auth script returns:
    {"uname":"John Smith","role":4, "redir":"http://yoursite.com/logout" }

    To reject the login due to an invalid token, the auth script returns:
    {"uname":null, "role":-1, "redir":"http://yoursite.com/login" }

For security purposes, authentication tokens should be single-use, time-limited or tied to a specific client IP address, and preferably all three. The token itself must also be unguessable: generate it from a cryptographically secure random source rather than deriving it from the user name (the "John Smith-4" format in the sample script below is for testing only). It should not be possible for John Smith to share his login URL with another user, since that other user would then be logged in using John Smith's identity.

It is possible to use both delegated authentication and standard authentication in the same room, depending on whether the URL contains an authentication token. To disable standard authentication, configure the room to disable guest logins, which prevents new users from signing in on the standard login page. Since a delegated authentication script should return only registered users, have your auth script return only users who are Members (role 1) or greater, and answer with uname null and role -1 for everyone else.
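The following is an added example, not iVocalize's own code or the PHP sample below, showing the three stages above end to end together with the token rules just described: stage 1 mints a random token bound to one user, one room and one client IP and builds the login URL; stages 2 and 3 answer the POST with the uname/role/redir object, treating the token as single-use (it is deleted on first redemption, even a failed one), rejecting it after its lifetime, and refusing anyone below Member. The field names, URL shape, role integers and redirect URLs come from the page; the in-memory token store, the 60-second lifetime, the user directory and the client IPs are assumptions constructed for the demo.

```python
"""Delegated-authentication helper for an iVocalize-style flow (added example).

Field names ivHost/ivPath/ivToken/ivIP, the login URL shape and the role
integers are from the page; the token store, TTL and users are assumptions."""

import json
import secrets
import time

ROLE_BLOCKED, ROLE_GUEST, ROLE_MEMBER = -1, 0, 1
TOKEN_TTL_SECONDS = 60                        # assumed: a login URL is good for one minute
LOGIN_URL = "http://yoursite.com/login"       # redir used when rejecting (from the page)
LOGOUT_URL = "http://yoursite.com/logout"     # redir used after a successful login (from the page)

# Constructed user directory: uname must be unique for each user in your system.
USERS = {
    "jsmith": {"uname": "John Smith", "role": 4},   # administrator
    "guest1": {"uname": "Guest One", "role": 0},    # guest: must not be admitted via delegation
    "banned": {"uname": "Bad Actor", "role": -1},   # blocked
}

# Constructed token store: token -> (user_id, host, path, client_ip, expiry).
# A real deployment keeps this in a database shared by the web servers.
_TOKENS = {}


def issue_login_url(user_id, host, path, client_ip, now=None):
    """Stage 1: mint an unguessable token bound to this user, room and client IP,
    record it with an expiry, and return the URL to send the user to."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)          # 192 random bits from the OS CSPRNG
    _TOKENS[token] = (user_id, host, path, client_ip, now + TOKEN_TTL_SECONDS)
    return f"https://{host}/#{path}##{token}"


def _reject():
    """The response the page specifies for an invalid token."""
    return {"uname": None, "role": ROLE_BLOCKED, "redir": LOGIN_URL}


def lookup_token(iv_host, iv_path, iv_token, iv_ip, now=None):
    """Stages 2-3: validate the POSTed fields and return the object to JSON-encode."""
    now = time.time() if now is None else now
    entry = _TOKENS.pop(iv_token, None)        # pop => single use, consumed even on failure
    if entry is None:
        return _reject()
    user_id, host, path, client_ip, expiry = entry
    # The token must be redeemed in the room it was issued for, from the same
    # client IP it was issued to, and before it expires.
    if (host, path) != (iv_host, iv_path) or client_ip != iv_ip or now > expiry:
        return _reject()
    user = USERS.get(user_id)
    # Delegated logins are for registered users only: Member (1) or greater.
    if user is None or user["role"] < ROLE_MEMBER:
        return _reject()
    return {"uname": user["uname"], "role": user["role"], "redir": LOGOUT_URL}


def handle_post(form, now=None):
    """Body of the HTTP handler: form is the POSTed field dict; the return value
    is the JSON text to send back with Content-Type: application/json."""
    return json.dumps(lookup_token(form.get("ivHost", ""), form.get("ivPath", ""),
                                   form.get("ivToken", ""), form.get("ivIP", ""),
                                   now=now))


if __name__ == "__main__":
    url = issue_login_url("jsmith", "yourserver.net", "ServerName/RoomName", "203.0.113.7")
    form = {"ivHost": "yourserver.net", "ivPath": "ServerName/RoomName",
            "ivToken": url.split("##", 1)[1], "ivIP": "203.0.113.7"}
    print(handle_post(form))    # John Smith, role 4
    print(handle_post(form))    # rejected: the token was consumed by the first call
```

Note that the token is removed from the store before any of the checks run, so a token redeemed from the wrong IP is burned rather than left for a second attempt from the right one; the legitimate user simply gets a fresh login URL.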

sample authentication script

<?php

// Delegated authentication endpoint: iVocalize POSTs ivHost, ivPath, ivToken
// and ivIP; we answer with a JSON object containing uname, role and redir.
header('Content-Type: application/json');

// look up the auth token (missing fields become empty strings instead of notices)
$result = LookupToken( $_POST['ivHost']  ?? '', $_POST['ivPath'] ?? '',
                       $_POST['ivToken'] ?? '', $_POST['ivIP']   ?? '');

// return the JSON encoded result
echo $result;
exit;

// LookupToken
// input:
// - host name  ex: yourserver.net
// - room path  ex: ServerName/RoomName
// - auth token ex: abcdefghijklmnop
// - client IP address
// return:
//   JSON string, ex: {"uname":"John Smith","role":4,"redir":"http://google.com"}
//   : uname must be unique, or null if token is invalid
//   : roles: -1:blocked 0:guest 1:member 2:presenter 3:moderator 4:admin 5:owner
//   : redir: URL where user is redirected upon logout or invalid token
function LookupToken($roomHost, $roomPath, $authToken, $clientIP) {

    // todo: look up token in database, checking that it is unused, unexpired,
    // and was issued to $clientIP for $roomHost/$roomPath

    // For testing only, use a token like "John Smith-4" and split on the hyphen.
    // split() was removed in PHP 7, so use explode(); limit 2 keeps any further
    // hyphens inside the name.
    $a = explode("-", $authToken, 2);

    // anything that does not look like "name-role" is an invalid token
    if (count($a) !== 2 || $a[0] === '' || !ctype_digit($a[1])) {
        return json_encode(array("uname" => null, "role" => -1,
                                 "redir" => "http://google.com"));
    }

    // return uname and role; role must be an integer, not the string "4"
    return json_encode(array("uname" => $a[0], "role" => (int) $a[1],
                             "redir" => "http://google.com"));
}

?>