1. Create a JSON object of a user’s information

The first step is to take the user information that you want to send to U4TM and put it into a JSON object.

You should end up with something that looks like this:

Example JSON:

{"first_name": "John", "last_name": "Smith", "email":"john.smith@intuo.io", "organization": "Intuo", "student_groups": "Marketing,Sales", "courses": "1,33", "redirect_uri": "/courses/effective-management"}

2. Create a Single Sign-On Token

Next, we’ll turn that JSON object into a token that grants the user access to U4TM.

  • Encrypt the JSON object with AES, using your intuo_subdomain as the password (if your platform is default.intuo.io, this value is 'default') and your sso_key as the salt, to generate an SSO token. You can get your sso_key from Settings > Integrations > Single Sign-On.
  • Base64 encode the encrypted output to generate the token.
  • Escape the token to make it web-safe.
  • If you are using multibyte strings in PHP, use mb_internal_encoding('ASCII'); and mb_internal_encoding(); around the SSO generation code.

3. Passing the Single Sign-On Token to U4TM

The next step is to forward the token on to U4TM by including it as a URL parameter named sso. You have a couple of options for how to do this:

  • You can append the token onto a link to the platform (ex: https://default.intuo.io/sign_in?sso=TOKEN)
  • You can create a link to http://yourdomain.com/academy and then have that URL generate a token and redirect to https://default.intuo.io/sign_in?sso=TOKEN
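Steps 2 and 3 as one flow, in an added example that is not U4TM's own code. The page does not state the key derivation, AES mode or IV handling, so the PBKDF2-SHA256, AES-256-CBC and prepended random IV used here are assumptions for illustration, as are the function names and the placeholder sso_key; take the real parameters from the vendor's PHP example.

```php
<?php
declare(strict_types=1);

// ASSUMPTIONS (not stated on the page): PBKDF2-SHA256 key derivation,
// AES-256-CBC, and a random IV prepended to the ciphertext.
const KDF_ITERATIONS = 100000;
const CIPHER = 'aes-256-cbc';

function derive_key(string $subdomain, string $ssoKey): string
{
    // Page: the subdomain is the password and sso_key is the salt. The subdomain
    // is visible in every URL, so sso_key is the only secret input here.
    return hash_pbkdf2('sha256', $subdomain, $ssoKey, KDF_ITERATIONS, 32, true);
}

function build_sso_token(array $user, string $subdomain, string $ssoKey): string
{
    $json = json_encode($user, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($json, CIPHER, derive_key($subdomain, $ssoKey), OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('AES encryption failed');
    }
    // Base64 encode, then escape so '+', '/' and '=' survive inside a URL.
    return rawurlencode(base64_encode($iv . $ct));
}

function build_sign_in_url(string $subdomain, string $token): string
{
    // Step 3: the token travels as the URL parameter named sso.
    return "https://{$subdomain}.intuo.io/sign_in?sso={$token}";
}

// Constructed sample input; the key is a placeholder, not a real sso_key.
$user = [
    'first_name' => 'John', 'last_name' => 'Smith',
    'email' => 'john.smith@intuo.io', 'organization' => 'Intuo',
    'redirect_uri' => '/courses/effective-management',
];
$token = build_sso_token($user, 'default', 'PLACEHOLDER_SSO_KEY');
echo build_sign_in_url('default', $token), PHP_EOL;

// Round-trip check: undo each layer in reverse order and compare with the input.
$raw = base64_decode(rawurldecode($token), true);
$ivLen = openssl_cipher_iv_length(CIPHER);
$plain = openssl_decrypt(substr($raw, $ivLen), CIPHER,
    derive_key('default', 'PLACEHOLDER_SSO_KEY'), OPENSSL_RAW_DATA, substr($raw, 0, $ivLen));
var_dump(json_decode($plain, true) === $user); // bool(true)
```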

4. Login Redirection

What we’ve described so far enables you to take a user who's logged into your system and send them to your U4TM platform. But what if they go directly to your U4TM platform before logging into your system? You can handle this by setting a remote login URL where your users will be sent when they arrive at U4TM not logged in.

Let’s say your platform (default.intuo.io) is set up to allow SSO users and your platform is publicly accessible.

  1. Go to the 'Settings' > 'Connections' > 'Single Sign-On' tab and add your SSO Remote Sign-in URL, http://default.com/login (for example)
  2. A user goes to default.intuo.io
  3. They can browse the platform but when they want to perform an action that requires authentication, then they’re prompted to sign in.
  4. User clicks the sign-in button and is forwarded to http://default.com/login
  5. Your users will be redirected to your site.
  6. User signs in on your login page
  7. You construct the return URL and add the SSO token (e.g. https://default.intuo.io/sign_in?sso=XXXXXXXXX)

Need Help?

If you have any questions please contact support.talentmanagement@unit4.com.

  • Example code in PHP
  • Please include your code and a log output (including all the warnings PHP interpreter prints).
  • Print the original user data in JSON, the encrypted data, the URL-escaped data, and finally how you are using it (the entire URL which you are using).