Troubleshooting the SuiteSignOn Signature

This section covers generating a valid signature.

Note:

The values defined in this section are the values used in the examples in the following sections.

Generate a Signature

Some users have difficulty constructing a valid signature. There are many ways to generate a signature for SuiteSignOn (Outbound SSO). This is one example of how to do it correctly.

The following sections describe how to correctly create a signature. There are PHP examples for each step.

Note:

All encoding in SuiteSignOn (Outbound SSO) is percent-encoding. For more information about percent-encoding, see https://tools.ietf.org/html/rfc5849#section-3.6. The examples in this section use the PHP rawurlencode function.

Input Parameters for the Example

These are the input parameters used for this example.

    $url = 'https://<accountID>.app.netsuite.com/app/common/integration/ssoapplistener.nl';
    $httpMethod = 'GET';
    $tokenKey = '030e6a121766126c6b445655477e7252517c395926f3430a';
    $tokenSecret = '';                    // Outbound SSO does not use token secret
    $consumerKey = 'VutaTaro1ktGNXKD';
    $consumerSecret = 'S3cr3t P@ssw0rd';  // In UI called "Shared secret"
    $signatureMethod = 'HMAC-SHA256';     // or HMAC-SHA1 or PLAINTEXT
    $nonce = 'fjaLirsIcCGVZWzBX0pg';      // substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, 20);
    $timestamp = '1508242306';            // time();
    $version = '1.0';

Construct a Base String for the Signature

The first step in creating a signature is constructing a base string.

Note:

This step is not needed when using PLAINTEXT as a signature method.

Base String Creation

    $baseString = oauth_get_sbs($httpMethod, $url, array('oauth_consumer_key' => $consumerKey,
                                                         'oauth_nonce' => $nonce,
                                                         'oauth_signature_method' => $signatureMethod,
                                                         'oauth_timestamp' => $timestamp,
                                                         'oauth_token' => $tokenKey,
                                                         'oauth_version' => $version));

Base String Example

    GET&https%3A%2F%2F<accountID>.app.netsuite.com%2Fapp%2Fcommon%2Fintegration%2Fssoapplistener.nl&oauth_consumer_key%3DVutaTaro1ktGNXKD%26oauth_nonce%3DfjaLirsIcCGVZWzBX0pg%26oauth_signature_method%3DHMAC-SHA256%26oauth_timestamp%3D1508242306%26oauth_token%3D030e6a121766126c6b445655477e7252517c395926f3430a%26oauth_version%3D1.0

Note:

The examples use the oauth library. The command for installing the library is sudo pecl install oauth. See https://tools.ietf.org/html/rfc5849#section-3.4.1 for more information about the signature base string.

See also Create the Base String Manually.

Signature Key

Important:

The signature key must be percent-encoded as specified in https://tools.ietf.org/html/rfc5849#section-3.4.1.

The signature key is used to sign the base string in the HMAC-SHA algorithm. The key is constructed from the percent-encoded values of:

  • the consumer secret, and

  • the token secret (an empty string),

joined with the ampersand character (&) as the delimiter.

    $key = rawurlencode($consumerSecret) .'&'. rawurlencode($tokenSecret);

Signature

HMAC-SHA

Signature HMAC-SHA Example

    $signature = base64_encode(hash_hmac('sha256', $baseString, $key, true));
    //$signature = base64_encode(hash_hmac('sha1', $baseString, $key, true));

The signature is the base64-encoded HMAC-SHA value, where the message is the base string and the key is the signature key from the previous step.

Signature HMAC-SHA256 Example

    PP1VMUdgDJeSkeNwJ8EqjKowOVddSWy9JqRT3WQJWck=

Signature HMAC-SHA1 Example

    6nMUbMdr0cssfVDo0YmsBelwnpo=

PLAINTEXT

Signature PLAINTEXT

    $signature = $key;

Signature PLAINTEXT Example

    S3cr3t%20P%40ssw0rd&
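
The steps above can also be carried out without the oauth extension, which helps when comparing a failing signature piece by piece. The following is an added example, not NetSuite code: the function names normalizeParams, buildBaseString and sign are hypothetical, and accountid in the URL is a placeholder for a real account ID.

```php
<?php
// Added example, not NetSuite code. 'accountid' is a placeholder account ID.
// RFC 5849 3.4.1.3.2: encode every name and value, sort, join as name=value with '&'.
function normalizeParams(array $params): string
{
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = [rawurlencode((string) $name), rawurlencode((string) $value)];
    }
    // Byte-order sort on the encoded name, then on the encoded value.
    usort($pairs, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    return implode('&', array_map(fn($p) => $p[0] . '=' . $p[1], $pairs));
}

// Assumes a URL with no query string and no explicit port, like the one on this page.
function buildBaseString(string $httpMethod, string $url, array $params): string
{
    $u = parse_url($url);
    if (!is_array($u) || !isset($u['scheme'], $u['host']) || isset($u['query']) || isset($u['port'])) {
        throw new InvalidArgumentException('expected scheme://host/path without port or query');
    }
    $baseUri = strtolower($u['scheme']) . '://' . strtolower($u['host']) . ($u['path'] ?? '/');
    // The joined parameter string is encoded a second time: '=' -> %3D, '&' -> %26.
    return strtoupper($httpMethod) . '&' . rawurlencode($baseUri) . '&' . rawurlencode(normalizeParams($params));
}

function sign(string $signatureMethod, string $baseString, string $consumerSecret, string $tokenSecret = ''): string
{
    // rawurlencode gives %20 for a space; urlencode would give '+' and a different key.
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    switch ($signatureMethod) {
        case 'HMAC-SHA256': return base64_encode(hash_hmac('sha256', $baseString, $key, true));
        case 'HMAC-SHA1':   return base64_encode(hash_hmac('sha1', $baseString, $key, true));
        case 'PLAINTEXT':   return $key; // no base string involved
        default: throw new InvalidArgumentException("unsupported signature method: $signatureMethod");
    }
}

$url = 'https://accountid.app.netsuite.com/app/common/integration/ssoapplistener.nl';
$params = [ // deliberately unsorted to show that ordering is handled
    'oauth_version' => '1.0',
    'oauth_token' => '030e6a121766126c6b445655477e7252517c395926f3430a',
    'oauth_timestamp' => '1508242306',
    'oauth_signature_method' => 'HMAC-SHA256',
    'oauth_nonce' => 'fjaLirsIcCGVZWzBX0pg',
    'oauth_consumer_key' => 'VutaTaro1ktGNXKD',
];
$baseString = buildBaseString('GET', $url, $params);
echo $baseString, PHP_EOL, sign('HMAC-SHA256', $baseString, 'S3cr3t P@ssw0rd'), PHP_EOL;
```

The printed signature depends on the account ID in the URL, so replace the placeholder before comparing the output with a signature produced elsewhere.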

                  
