How can I enable SAFE logins to my internal application?
Ed Brannin
I'm working on an internal (java) app that seems worth password-protecting.
Rather than using a single group password or making everyone have their own password (and have the app deal with password resets), I'd really like to use our existing single-sign-on service.
What would be involved in hooking my app up to the SAFE login system, just TechOverflow here?
Accepted answers
mark.maruska
If you contact **Safe Support**, *thomson.safesupport@thomson.com*, then they will be able to provide you with the forms to request SAFE auth for your site and information about the call flow, etc.
You will need to have the following sort of information:
* Your Market Group, Business Unit, Application Name, Application Purpose, Business Owner name, email, phone number, and Technical Owner name, email, phone number, etc.
* The URL of your application SAFE will redirect to after successful authentication.
* For each URL, include the environment (Dev, QA, Prod, etc.)
* Do you need any return values?
* Do you need level 5 (seamless sign-on like theLink) or level 7 (forced sign-on like thePoint) security?
All comments
Peter Ketcham
Contact SAFE support, there is an article [here][1]
[1]: https://thelink.thomsonreuters.com/portal/server.pt?open=18&objID=941292&parentname=Dir&parentid=24&mode=2&in_hi_userid=102644&cached=true
Ed Brannin
According to the preview box, your email link would have worked better if you'd used markdown-style links: [SAFE Support](mailto:thomson.safesupport@thomson.com)
...so much for that. Gotta love it when an app's Preview and Back-end Markdown parsers behave differently.
mark.maruska
Thanks! I tried that too... must be a formatting bug that will need to be investigated. Thanks for the tip! ~ Mark
Ryan Morlok
The above answers are correct, I'd just like to provide some insight to how SAFE works under the covers.
When you register with SAFE using the above process, you are assigned an identifier for your application. When a user first comes to your application, if you see that they are not authenticated (presumably through a cookie), you redirect to a URL on SAFE including the identifier you were assigned as part of your registration. SAFE then has the user sign on with their SAFE credentials, and upon successful authentication, they are redirected back to your application to a URL you specify.
The redirection back to your site is in the form of a POST. After the user is successfully authenticated, SAFE renders down a webpage with an HTML form containing information your application has indicated it wants in hidden fields (e.g. user id, first name, last name, email, etc). It uses JavaScript to auto-post the form. Your application then processes the post and marks the user as signed on, in the form of a cookie.
For security, there is also a shared secret key between your application and SAFE that is used to sign information, but the above is a basic overview of the process.
Ed Brannin
Is the redirect-to-my-app URL set at request-time, or configured externally? My application lives at several different URLs, depending on which backend environment it's reading from.
Ryan Morlok
The redirect-to-my-app URL is configured externally, but you can also include a URL param (redirectUrl) on your redirect to SAFE which will be returned to you as part of the POST data you receive back. You can use this to get the user back to where they originally started from before you triggered SAFE.
Ryan Morlok
E.g. if TechOverflow redirects to https://safe.thomson.com/login/sso/SSOService?app=TechOverflow&redirectUrl=/foo, SAFE will return us via POST to http://techoverflow.int.westgroup.com (which we have configured with them), and it will include /foo in the POST data, so that once we have completed the authentication on the TechOverflow side, we can return to /foo.