We have a website (foo.com) that does online training. A user logs in, then completes their training. We've agreed to allow another company (bar.com) to send their clients through our training. One of the requirements is that their users should not need to create a separate login account on our site.

When a user logs into bar.com (the other company's website), their backend will make a secure HTTPS request to foo.com (our website) requesting a one-time access token specifically for that user. For example, they may request the following URL:

The 'pass' component is a shared passkey known by foo.com and bar.com that is used to verify that the request is legitimate.

foo.com will respond with a one-time access token (for example, 0123456789ABCDEFG) which is stored into a database along with the user's id (bob).

bar.com will present a hyperlink to the user that links back to the online training at foo.com. When the user clicks on the link, foo.com checks the token in the database and (if it has not expired) removes it from the table of valid tokens and creates a session variable indicating that bob is now logged in, then redirects him to the training.

I know that the URL will be encrypted, and I know that an entry will show up in my server log, but it's a one-time token, so I'm not worried about that. What I'd like to know is, where are the security holes and how can I mitigate them?

But what I'm really worried about is what I don't know. I can imagine someone brute-forcing different tokens, so I've included the user name in the second login URL that the user clicks on so that the token will only work with that specific account. And I don't understand much about the security issues here.

(Please note that this only covers an existing user who is attempting to log in. I will use another method to actually create the user account on foo.com.)

What you're looking for is known as single sign-on (SSO). There are a number of different industry-standard protocols for achieving this, but what you're basically doing is having another entity authenticate the user and provide that information to you in a way that you can verify that something you trust (their authentication system, whatever it is) has issued it.

The most standard way of doing this is SAML (Security Assertion Markup Language). This is a protocol where the third party would authenticate to their system and it would generate a SAML Assertion that basically says who the user is (and other information, should that be required). The assertion is digitally signed so you can verify who issued it. This requires that you and the third party exchange keys (in the form of certificates) and come to an understanding about what your assertions will contain, etc. (typically expressed in SAML metadata that is exchanged between the Identity Provider and the Service Provider).

There are a number of SAML implementations/references out there for many platforms, including PHP. If you want to do this right, and securely, that is what you should investigate and pursue.
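The one-time token handoff the question describes, written out as an added example (not code from the question, the answer, or either site) with the checks a defender would want on foo.com's side: the token comes from a CSPRNG rather than a guessable value, is bound to the user name as the question proposes, expires, is compared in constant time, and is deleted on first use. The shared passkey value, the 60-second lifetime and the in-memory token table are assumptions standing in for configuration and a database; the constant-time comparison and CSPRNG go slightly beyond what the question states.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed value; a real deployment would load the shared pass from configuration.
SHARED_PASS = "example-shared-passkey"
TOKEN_TTL_SECONDS = 60  # assumed lifetime for an unused token

# Stand-in for the "table of valid tokens": token -> (user id, expiry timestamp).
_valid_tokens: Dict[str, Tuple[str, float]] = {}


def issue_token(passkey: str, user: str, now: Optional[float] = None) -> Optional[str]:
    """Server-to-server step: bar.com asks foo.com for a one-time token for `user`.

    The shared pass is checked in constant time so timing does not leak how much
    of it matched; a wrong pass yields no token. The token itself is 256 random
    bits from the OS CSPRNG, which makes brute-forcing it impractical.
    """
    if not hmac.compare_digest(passkey.encode(), SHARED_PASS.encode()):
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _valid_tokens[token] = (user, now + TOKEN_TTL_SECONDS)
    return token


def redeem_token(token: str, user: str, now: Optional[float] = None) -> bool:
    """Browser step: the link bob clicks carries the token and his user name.

    Returns True only if the token exists, has not expired and was issued for
    this user. The token is removed on the first attempt, successful or not,
    so it is single-use and a failed guess cannot be retried against it.
    """
    now = time.time() if now is None else now
    entry = _valid_tokens.pop(token, None)
    if entry is None:
        return False
    bound_user, expires_at = entry
    if now > expires_at:
        return False
    # Binding the token to the user name means a token minted for bob cannot log in alice.
    return hmac.compare_digest(bound_user.encode(), user.encode())
```

On a successful `redeem_token` the application would then create the session for `user`, exactly as the question describes.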