When you need to access the ExtraView API and a Single Sign On server is in place, special care is needed to ensure that every API call is correctly authenticated and that every access comes from an authorized source. When a Single Sign On server is in place, ExtraView uses the following logic to establish whether a call to the API is authentic:
- The API call is examined and, if the parameters user_id and password are present, these are used to authenticate the user.
- If the first step does not result in a valid user, the headers returned from an SSO connection are examined. If these contain a valid user ID and password, these are used to authenticate the user.
- If there is still no authenticated user, and if the behavior setting ALLOW_ANONYMOUS_API_ACCESS is set to YES, then an anonymous connection is established, using the permissions of the role of the user that is set in the behavior setting ANONYMOUS_API_USER_ID.