Note: This document is not finished. When finished remove read restrictions.
...
The endpoint should be in the same domain as the site and other authorisation callbacks.
The endpoint should:
- Invalidate any existing user session (as this is a new sign-in, possibly by a different user).
  TODO: Should the site always invalidate any previous user sessions, if such exist?
- Read the added query parameters from the call:
  - sso-token - The single-use SSO token.
  - sso-validity - Token validity time in minutes from the time of request, after which the token is invalidated if still unused.
- Store the received information. Add cookies to the browser from the site’s own domain. The cookies should contain enough information to be able to use the above information later.
- Optionally return a small logo image file in response, as this request came from an <img src="callback-url" /> element.
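The endpoint steps above as a framework-independent handler. This is an added example, not code from this document or from TIS. The token pattern, the 60-minute ceiling, the cookie names, the `sessions` dictionary and the PNG logo type are assumptions.

```python
import re
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Assumptions, not from the page: token alphabet/length, the upper bound on
# validity, and the cookie names used below.
TOKEN_RE = re.compile(r"[A-Za-z0-9._~-]{16,512}")
VALIDITY_RE = re.compile(r"[0-9]{1,4}")
MAX_VALIDITY_MIN = 60
SESSION_COOKIE = "session"

def make_cookie(name, value, max_age):
    # SameSite=None; Secure because the request is assumed to arrive as a
    # cross-site <img> load; browsers drop Lax/Strict cookies set on such responses.
    c = SimpleCookie()
    c[name] = value
    c[name].update({"path": "/", "max-age": max_age, "secure": True,
                    "httponly": True, "samesite": "None"})
    return c[name].OutputString()

def handle_sso_callback(query_string, sessions, session_id=None, now=None, logo=b""):
    """Return (status, headers, body) for one GET on the callback endpoint."""
    now = int(time.time()) if now is None else now
    headers = [("Cache-Control", "no-store")]
    # 1. New sign-in: invalidate whatever session this browser already had.
    if session_id is not None:
        sessions.pop(session_id, None)
        headers.append(("Set-Cookie", make_cookie(SESSION_COOKIE, "", 0)))
    # 2. Read sso-token and sso-validity; repeated or malformed values are rejected.
    params = parse_qs(query_string, keep_blank_values=True)
    token = params.get("sso-token", [])
    validity = params.get("sso-validity", [])
    if len(token) != 1 or len(validity) != 1:
        return 400, headers, b""
    if not TOKEN_RE.fullmatch(token[0]) or not VALIDITY_RE.fullmatch(validity[0]):
        return 400, headers, b""
    minutes = int(validity[0])
    if not 1 <= minutes <= MAX_VALIDITY_MIN:
        return 400, headers, b""
    # 3. Store token and absolute expiry in cookies that expire with the token.
    expires_at = now + minutes * 60
    for name, value in (("sso-token", token[0]), ("sso-expires", str(expires_at))):
        headers.append(("Set-Cookie", make_cookie(name, value, minutes * 60)))
    # 4. Optionally answer the <img> request with a small logo (assumed PNG bytes).
    if logo:
        headers.append(("Content-Type", "image/png"))
        return 200, headers, logo
    return 204, headers, b""
```

Giving the cookies a `Max-Age` equal to the token validity means the browser discards an unused token at the same moment the token stops being valid.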
...
Step 3: Add a “Single Sign-On Target”
...
Each “target” client will be sent their own SSO token, and each SSO token works only with that specific client.
In TIS management go to the “Single Sign-on” view.
...