Authentication

Authentication is via an API key, which is registered for your organisation in the first instance. The method of authentication then depends on your organisation's Front-End & UI choice.

If your organisation requires multiple themes then multiple API keys can be registered, each one corresponding to a unique theme.

If Embedded,

The combination of API key and SSO token is used to identify an end-user for the UI and Digital Vault API which drives it.

The Legado embedded product works with your existing SSO scheme. We can support any OAuth2 or OpenID Connect provider.

There is a Demo environment in which it is possible to bypass the SSO mechanism, so that you can get up and running quickly and see Legado embedded in your own test environment. In this environment the user’s email is simply passed into the iFrame URL using the ‘user’ parameter:

https://client-app-demo.legado.io/?apikey=<Your API Key>&user=<email address>

In production we will provide a URL unique to your organisation which will be configured to accept your SSO token. The API key will only need to be specified when multiple themes are enabled.

If Bespoke UI,

If you are working directly with our APIs to build your own user experience, then it is necessary to attach an SSO Bearer token to the Authorization header on each API call, as well as the API key. We will provide a URL unique to your organisation which will be configured to accept your SSO token. This is covered in the ‘Digital Vault API’ documentation. In addition, there will be a subscription ID to identify your product.

Integrating SSO 

When you are ready to integrate SSO into your trial, we will need the following information in order to configure your sandbox to work with SSO.

Setting             Description
Authority           Your SSO base URL
ClientId            The Client or Application ID
ClientSecret        The Secret, if any
ClaimName           The claim in your token which represents the ID of the user
Audience            The Audience value from your application registration
AuthorizeEndpoint   The Authorise endpoint
TokenEndpoint       The token endpoint
RefreshEndpoint     The refresh token endpoint
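The Authority, Audience and ClaimName values above are what a token validator checks before it trusts the user ID in an SSO token. The following is an added illustration of those checks (not Legado's own code): it assumes a JWT signed with an HS256 shared secret so it runs offline, whereas a real OAuth2/OIDC provider would sign with keys published at its JWKS endpoint; the configuration values and secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed SSO configuration, mirroring the fields in the table above.
SSO_CONFIG = {
    "Authority": "https://sso.example-org.test",  # placeholder issuer base URL
    "Audience": "legado-vault-client",            # placeholder audience value
    "ClaimName": "sub",                           # claim that carries the user ID
}
# Constructed HS256 secret; real OIDC providers usually sign with RSA/EC keys from JWKS.
DEMO_SECRET = b"constructed-demo-secret-do-not-use"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT; stands in for the SSO provider in this demonstration."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def user_id_from_token(token: str, config: dict = SSO_CONFIG,
                       secret: bytes = DEMO_SECRET, now=None) -> str:
    """Return the user ID named by ClaimName, or raise ValueError if any check fails."""
    header, body, sig = token.split(".")  # ValueError unless exactly three segments
    # Pin the algorithm and verify the signature before trusting any claim.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != config["Authority"]:
        raise ValueError("issuer does not match Authority")
    aud = claims.get("aud")
    if config["Audience"] not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience does not match Audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if config["ClaimName"] not in claims:
        raise ValueError("user ID claim missing")
    return str(claims[config["ClaimName"]])
```

Changing ClaimName in SSO_CONFIG (for example to "oid" or "email") changes which claim is returned, which is exactly why that value must match what your provider puts in the token.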

If White labelled,

Passwordless authentication is provided in our white labelled product. Your customers will be presented with a login screen in which they will enter their email. An email is sent to their address with a temporary link which provides access into their vault. Two-factor authentication is enforced using SMS.

The first time they access the site they will be asked to provide a phone number and enter the code that is sent. On subsequent visits they will need to go through the SMS authentication each time they use the passwordless login.

If No Front-End or UI (Data-only transaction),

Legado’s data API is built for machine-to-machine interactions. A combination of API key, subscription key and secret is used to provide access. In production the API will have a URL unique to your organisation, so the API key will not be required.