1. Security Administration Guide
  2. Authenticate Tokens

Authenticate Tokens

EnterpriseOne uses an authenticate token to achieve single sign-on. The authenticate token contains criteria that grants access to an EnterpriseOne application from JD Edwards Collaborative Portal. When a user signs on to either system, after successful authentication, the system generates an authenticate token. When a user accesses an EnterpriseOne application, the system uses the generated token to validate the user against the EnterpriseOne security server. As a result, the user does not have to manually sign on to the system again.

When a user signs on to either system, an authenticate token is generated after successful authentication. When the user accesses an EnterpriseOne application, the system uses the generated token to validate the user against the EnterpriseOne security server. As a result, the user does not have to manually sign on to the system again.

For security purposes, all authenticate tokens expire after a certain period of time and contain a digital signature that ensures the token cannot be tampered with.

An authenticate token contains these properties:

Property

Description

User ID

The user ID that the server issued the token for. When the browser submits this token for single sign-on, this is the user that the application server signs in to the system.

Language Code

The language code of a user. When the system uses a token for single sign-on, it sets the language code for the session based on this value.

Date and Time Issued

The date and time the token was first issued. The system uses this field to enforce a time-out interval for the single sign-on token. Any application server that accepts tokens for sign-on compares this value against the amount of time set in the application server to accept tokens. The value is in Greenwich Mean Time (GMT) so it does not matter which time zone the application server is in.

Note: The system date and time is used to validate the expiration of a token. Changing these values on the server may expose a potential security risk.

Issuing Node Name

The name of the machine that issued the token.

Signature

A digital signature that the application server (node) uses to validate the token for single sign-on by ensuring that the token has not been tampered with since it was originally issued. The machine issuing the token generates the signature by concatenating the contents of the token (all the fields that appear in this table) with the message node password for the local node. Then the system hashes the resulting string using the SHA1 hash algorithm. For example ("+" means concatenation),

signature = SHA1_Hash (UserID + Lang + Date Time issued + Issuing Node Name+ Issuing Node Password)

There is only one way to derive the 160 bits of data that make up the signature, and that is by hashing exactly the same User ID, Language, Date Time, Issuing System, and node password.