This is the seventh blog in our tutorial series on the best solutions from Logi’s Expert-on-Demand (EOD) team. In our previous blog, we looked at creating responsive dashboards to extend both the form and functionality of the Logi application. Now, we’re tackling application security with Logi Hybrid Security, which allows single sign-on authentication from a parent application while keeping standard security available outside of it.
Logi Hybrid Security is still a standard security model, but it utilizes a globally unique identifier (GUID) similar to our secure key. This lets you provide single sign-on from inside your parent application (the parent controls the token) while still offering standard authentication when the application runs as a stand-alone site. To do this without Hybrid Security, you would need two separate applications. In essence, it’s the same application, and you don’t have to duplicate your effort.
How Logi Hybrid Security Works
When using EOD Hybrid Authentication in single sign-on mode, the parent application writes the current user’s UserID, a GUID token, and the current datetime stamp to a database table within the Logi application’s security database, and then passes those values into an iFrame request.
The Logi application detects that a GUID has been passed and compares the UserID and GUID with the ones written to its database. The stored timestamp and the time of the request must be within a specified interval of each other for the GUID to be accepted. Once the GUID is accepted, or another attempt is made, all GUID tokens for that UserID are removed from the database. Meanwhile, standard security authentication functions as normal.
The Benefits of Hybrid Security
One of the biggest benefits of this solution is that you don’t have to rely on Logi to allow a host to request tokens. That’s because your parent application is the one providing the security token – and therefore it controls the access. Here’s how it works:
- The parent application creates the token and writes it to the Logi authentication database.
- The Logi application determines how long a token is considered valid before it is treated as expired. This should be adjusted based upon your environment; however, the request and subsequent redirect should be very quick.
- Once the token is written to the database, the parent application makes one POST request to the Logi application, passing the user ID and the GUID token.
The security element in the Logi application is geared to look for that GUID token. If the GUID is valid, it automatically authenticates the user. If the GUID is invalid or expired, the user is presented with an error message and then shown the normal Logi Standard Security prompt, which requires a username and password.
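The token lifecycle described above (write, compare, expire, delete on any attempt) can be sketched as follows. This is an added example, not Logi's or the EOD team's code; the table name `sso_token`, the function names, the 30-second window, and the SQLite store are all assumptions chosen for illustration.

```python
import hmac
import sqlite3
import uuid

TOKEN_TTL_SECONDS = 30  # assumed validity window; tune per environment

def open_store():
    """In-memory stand-in for the security database (hypothetical table name)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sso_token (user_id TEXT, guid TEXT, issued_at REAL)")
    return db

def issue_token(db, user_id, now):
    """Parent application side: write UserID, GUID and timestamp, return the GUID."""
    guid = str(uuid.uuid4())  # uuid4 draws from os.urandom, so it is unpredictable
    db.execute("INSERT INTO sso_token VALUES (?, ?, ?)", (user_id, guid, now))
    db.commit()
    return guid

def redeem_token(db, user_id, guid, now):
    """Reporting application side: True means single sign-on succeeds,
    False means fall back to the username/password prompt."""
    rows = db.execute(
        "SELECT guid, issued_at FROM sso_token WHERE user_id = ?", (user_id,)
    ).fetchall()
    # Every attempt, valid or not, removes all tokens for this user (single use).
    db.execute("DELETE FROM sso_token WHERE user_id = ?", (user_id,))
    db.commit()
    ok = False
    for stored_guid, issued_at in rows:
        fresh = 0 <= now - issued_at <= TOKEN_TTL_SECONDS
        # Constant-time comparison, no early exit, so timing does not leak a match.
        if hmac.compare_digest(stored_guid.encode(), guid.encode()) and fresh:
            ok = True
    return ok

if __name__ == "__main__":
    db = open_store()
    t0 = 1_700_000_000.0  # constructed timestamps, not real data
    g = issue_token(db, "alice", t0)
    print(redeem_token(db, "alice", g, t0 + 2))   # first use inside the window
    print(redeem_token(db, "alice", g, t0 + 3))   # replay of the same GUID
    g = issue_token(db, "alice", t0)
    print(redeem_token(db, "alice", g, t0 + 60))  # presented after expiry
```

Deleting the rows before evaluating the comparison means a replayed or guessed GUID also invalidates any outstanding token, so the parent application must issue a fresh one for each iFrame request.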