### ROeID SSO Authorization Sequence Source: https://github.com/roeid-ro/integrare/blob/main/README.md This entry details the step-by-step HTTP requests for a browser-based authentication flow with ROeID. It includes initial requests to the service provider, redirection to the ROeID SSO authorization server, user authentication (username/password, 2FA push), consent, and the final callback to the service provider with an authorization code. Key parameters like `response_type`, `client_id`, `scope`, and `redirect_uri` are demonstrated. ```APIDOC ROeID Authentication Flow: This sequence describes the typical HTTP requests a browser performs to authenticate a user via ROeID SSO. 1. **Initiate Service Provider Interaction** GET https://www.ghiseul.ro/testare/ghiseul * Initial request to the service provider's portal. 2. **Redirect to ROeID Login** GET https://www.ghiseul.ro/testare/ghiseul/public/login-pscid * Service provider redirects the browser to initiate the SSO login process. 3. **Authorization Request to ROeID** GET https://sso.beta.roeid.ro/affwebservices/CASSO/oidc/ghiseul/authorize?response_type=code&client_id=ghiseul&scope=openid+profile+ghiseul&state=1698308536-441d47&redirect_uri=https%3A%2F%2Fwww.ghiseul.ro%2Ftestare%2Fghiseul%2Fpublic%2Flogin-pscid%2Findex * Browser is directed to ROeID's authorization endpoint. * Parameters: * `response_type`: Specifies the grant type, typically 'code' for authorization code flow. * `client_id`: Identifier for the service provider (e.g., 'ghiseul'). * `scope`: Requested permissions (e.g., 'openid', 'profile', 'ghiseul'). * `state`: Opaque value used to maintain state between the request and callback, preventing CSRF attacks. * `redirect_uri`: The URL where the user will be redirected after authentication. 4. **Secure Redirect with Parameters** GET https://sso.beta.roeid.ro/affwebservices/secure/secureredirect?response_type=code&client_id=ghiseul&scope=openid+profile+ghiseul&state=1698308536-441d47&redirect_uri=https%3A%2F%2Fwww.ghiseul.ro%2Ftestare%2Fghiseul%2Fpublic%2Flogin-pscid%2Findex&SMPORTALURL=x4%2FhHg3RAgUeQLhibKTJjbh4XcmhnbiyABkvshd1Fq2U4uBSDrRIcjKofI2U2MC69KmkY42AmSChet9AIN861tJ21Tled%2FV04A9axdvVSPqBq67qGh2vEdyNGItnVklo * Further redirection within the SSO system, potentially encoding parameters. 5. **Display User Credentials Form** GET https://sso.beta.roeid.ro/siteminderagent/forms/shim.fcc?TYPE=33554433&REALMOID=06-0005a1dd-fc2d-132d-abb5-04140a000000&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=accessgateway&TARGET=-SM-HTTPS%3a%2f%2fsso%2ebeta%2eroeid%2ero%2faffwebservices%2fsecure%2fsecureredirect%3fresponse_type%3dcode%26client_id%3dghiseul%26scope%3dopenid%2bprofile%2bghiseul%26state%3d1698308536--441d47%26redirect_uri%3dhttps-%3A-%2F-%2Fwww%2eghiseul%2ero-%2Ftestare-%2Fghiseul-%2Fpublic-%2Flogin--pscid-%2Findex%26SMPORTALURL%3dx4-%2FhHg3RAgUeQLhibKTJjbh4XcmhnbiyABkvshd1Fq2U4uBSDrRIcjKofI2U2MC69KmkY42AmSChet9AIN861tJ21Tled-%2FV04A9axdvVSPqBq67qGh2vEdyNGItnVklo * The browser displays the login form for the user to enter credentials. 6. **Submit Credentials and Initiate 2FA Push** POST https://sso.beta.roeid.ro/arcotafm/MasterController.jsp?profile=ldapandpush&tokenID=41ff090076adb6ac26710bf579125c78e8535d99&SMAUTHREASON=27&SMAGENTNAME=accessgateway&TARGET=-SM-HTTPS%3a%2f%2fsso%2ebeta%2eroeid%2ero%2faffwebservices%2fsecure%2fsecureredirect%3fresponse_type%3dcode%26client_id%3dghiseul%26scope%3dopenid%2bprofile%2bghiseul%26state%3d1698308536--441d47%26redirect_uri%3dhttps-%3A-%2F-%2Fwww%2eghiseul%2ero-%2Ftestare-%2Fghiseul-%2Fpublic-%2Flogin--pscid-%2Findex%26SMPORTALURL%3dx4-%2FhHg3RAgUeQLhibKTJjbh4XcmhnbiyABkvshd1Fq2U4uBSDrRIcjKofI2U2MC69KmkY42AmSChet9AIN861tJ21Tled-%2FV04A9axdvVSPqBq67qGh2vEdyNGItnVklo * User submits credentials. The system initiates a push notification for 2FA. 7. **Wait for Mobile Authorization (2FA Push)** GET https://sso.beta.roeid.ro/arcotafm/getOTTFromPushSMToken.jsp?txnId=89b5c46e70f4b3876de8f663114592e2f51a95d9 * Repeated requests to check for the completion of the 2FA authorization from the mobile application. 8. **Finalize Authentication After Mobile Approval** POST https://sso.beta.roeid.ro/arcotafm/MasterController.jsp?profile=ldapandpush&tokenID=7328f07ba3b60f604961eb9f5802c9c297af8a1e&SMAUTHREASON=27&SMAGENTNAME=accessgateway&TARGET=-SM-HTTPS%3a%2f%2fsso%2ebeta%2eroeid%2ero%2faffwebservices%2fsecure%2fsecureredirect%3fresponse_type%3dcode%26client_id%3dghiseul%26scope%3dopenid%2bprofile%2bghiseul%26state%3d1698308536--441d47%26redirect_uri%3dhttps-%3A-%2F-%2Fwww%2eghiseul%2ero-%2Ftestare-%2Fghiseul-%2Fpublic-%2Flogin--pscid-%2Findex%26SMPORTALURL%3dx4-%2FhHg3RAgUeQLhibKTJjbh4XcmhnbiyABkvshd1Fq2U4uBSDrRIcjKofI2U2MC69KmkY42AmSChet9AIN861tJ21Tled-%2FV04A9axdvVSPqBq67qGh2vEdyNGItnVklo * After mobile authorization, the SSO system processes the confirmation. 9. **Display User Consent Screen** GET https://sso.beta.roeid.ro/affwebservices/CASSO/oidc/userconsent * The browser shows the user a screen to review and consent to data sharing with the service provider. 10. **Submit User Consent** POST https://sso.beta.roeid.ro/affwebservices/CASSO/oidc/userconsent * User confirms consent, submitting the decision to the SSO system. 11. **Prepare Redirect to Service Provider** GET https://sso.beta.roeid.ro/affwebservices/CASSO/oidc/ghiseul/authorize?SMASSERTIONREF=QUERY&response_type=code&client_id=ghiseul&scope=openid+profile+ghiseul&state=1698308536-441d47&redirect_uri=https%3A%2F%2Fwww.ghiseul.ro%2Ftestare%2Fghiseul%2Fpublic%2Flogin-pscid%2Findex * The SSO system prepares the final redirect back to the service provider, including the authorization code. 12. **Final Redirect to Service Provider** GET https://www.ghiseul.ro/testare/ghiseul/public/login-pscid/index?code=YjAxOWJlZDYtYzdiZi00ZGZmLWFhZTQtNjU4YThiYTJhMTFkLStON3lLN3dKQ2NYRmY3TWh3QUlaR2czMmdPWT0%3D&state=1698308536-441d47 * The browser is redirected to the service provider's specified `redirect_uri`. * Parameters: * `code`: The authorization code obtained from the SSO process. * `state`: The original state parameter, for verification. **Note**: The `state` parameter in the examples appears to be a timestamp combined with a random string. The `TARGET` parameter in POST requests often contains URL-encoded versions of previous request URLs. ``` -------------------------------- ### Map Claims Data - JavaScript Source: https://github.com/roeid-ro/integrare/blob/main/README.md This snippet demonstrates how to conditionally map specific properties from the `claims.raw_claims` object into a structured format. It handles address components like bloc, nr, etaj, apartament, localitate, and judet, as well as document details such as tipact, serie, autoritatea_emitenta, and valabilitate_document. ```javascript { [if "bloc" in claims.raw_claims then "bloc" else null]: claims.raw_claims.bloc, [if "nr" in claims.raw_claims then "nr" else null]: claims.raw_claims.nr, [if "etaj" in claims.raw_claims then "etaj" else null]: claims.raw_claims.etaj, [if "apartament" in claims.raw_claims then "apt" else null]: claims.raw_claims.apartament, [if "localitate" in claims.raw_claims then "localitate" else null]: claims.raw_claims.localitate, [if "judet" in claims.raw_claims then "judet" else null]: claims.raw_claims.judet }, act: { [if "tipact" in claims.raw_claims then "tipact" else null]: claims.raw_claims.tipact, [if "serie" in claims.raw_claims then "serie" else null]: claims.raw_claims.serie, [if "autoritateaemitenta" in claims.raw_claims then "autoritatea_emitenta" else null]: claims.raw_claims.autoritateaemitenta, [if "valabilitatedocument" in claims.raw_claims then "valabilitate_document" else null]: claims.raw_claims.valabilitatedocument } } } } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.