Configuring proprietary Single Sign-On

The Customer Portal can be integrated with an external website using an Itron-proprietary Single Sign-On mechanism. This mechanism requires implementing an enhancement to the external site and developing code to call the Itron Analytics Single Sign-On web service. The main advantage of this approach is that no third-party identity management infrastructure is required because it is based on a direct interaction between the external site and the Customer Portal. The main disadvantage of this approach is that computer programming skills are required to set it up.

The proprietary single sign-on procedure consists of the following:

  1. The user browses to the utility website.

  2. The utility website presents a login page that collects the user's credentials.

  3. The user posts their credentials to authenticate, and the utility website authenticates the user.

  4. The user requests access to the Customer Portal via a link or button on the utility website.

  5. The utility website calls the LoginSSO web service, passing a user id and one or more account IDs. It can also optionally pass an email address and the user’s first and last name.

  6. The LoginSSO web service does the following:

    1. Authenticates the caller to verify that it is being called by the utility website.

    2. If necessary, creates the user in the Itron Analytics database and associates the user with the specified accounts and email address. If the username already exists in the system and any of the additional information provided (account ID list, first name, last name, or email) does not match, it is updated.

      Important! The email address can be changed, but it must be unique among Customer Portal users or the web service will return an error. For more information, see Proprietary Single Sign-On workflow details.

    3. Creates a single sign-on session in the Itron Analytics database with a unique session token. The token is specific to the user and expires after two minutes.

  7. The LoginSSO web service returns the session token to the utility website.

  8. The utility website redirects to the Customer Portal and passes the session token. For users with multiple accounts and/or service points within accounts, a selected account and/or service point can also be specified so that it appears as pre-selected in the Customer Portal. If left unspecified, the first service point within the first account will be selected.

  9. The Customer Portal validates the session token against the database and then sets the token as expired so it cannot be reused.

  10. The Customer Portal writes a session cookie to indicate the user is authenticated.

To implement this message flow, a web developer must add code to the utility website that calls the LoginSSO web service and then redirects to the Customer Portal. There is also an UpdateSSOUser web service that can be used to update or create Customer Portal users without creating a Customer Portal session or login token. For more information, see Proprietary Single Sign-On workflow details and Updating Customer Portal Single Sign-On user information.
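The token handling in steps 6.3, 8 and 9 above (a user-bound token that expires after two minutes and is marked expired on first use), as an added Python model that is not Itron's code: the in-memory session store stands in for the Itron Analytics database, and the portal URL and the `token`, `accountId` and `servicePointId` query parameter names are assumptions, since the page does not give them.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 120  # the session token expires after two minutes (step 6.3)


@dataclass
class SsoSession:
    user_id: str
    expires_at: float
    consumed: bool = False  # set on first redemption so the token cannot be reused


class SsoSessionStore:
    """Hypothetical in-memory stand-in for the single sign-on session table."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable clock so expiry can be tested deterministically
        self._sessions: Dict[str, SsoSession] = {}

    def create_session(self, user_id: str) -> str:
        # Step 6.3: unique, unguessable token bound to one user, valid for two minutes.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = SsoSession(user_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        # Step 9: validate against the store, then expire the token so it is single-use.
        session = self._sessions.get(token)
        if session is None or session.consumed or self._clock() > session.expires_at:
            return None  # unknown, already used, or older than two minutes
        session.consumed = True
        return session.user_id


def build_portal_redirect(portal_url: str, token: str,
                          account_id: Optional[str] = None,
                          service_point_id: Optional[str] = None) -> str:
    # Step 8: the utility website redirects to the Customer Portal with the token and,
    # optionally, a pre-selected account and service point (parameter names assumed).
    params = {"token": token}
    if account_id:
        params["accountId"] = account_id
    if service_point_id:
        params["servicePointId"] = service_point_id
    return f"{portal_url}?{urlencode(params)}"
```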