Question

Clarification Needed on SSO Authentication for Creatio API Using OData in Production

Hello Creatio Community,

 

I am currently working on a Python application that extracts data from the Creatio API using the OData protocol. The application has been successfully tested in our quality environment, where it functions flawlessly. However, as I prepare to deploy the application in our production environment, I need some clarification on how to handle SSO (Single Sign-On) authentication for API access.

Here are the key details and questions:

 

User Account for Authentication:

In our production environment, which uses SSO, should I use a Creatio user account that is specifically added to the SSO group, or can I continue using a regular Creatio production user account, as I did successfully in the quality environment without SSO?

 

API Authentication Configuration:

For SSO-based authentication in the production environment, is there any additional configuration required in the API call setup compared to what is recommended in the Creatio documentation for environments without SSO?

Here is the reference to the documentation I’m following:  https://documenter.getpostman.com/view/10204500/SztHX5Qb#46f97170-d66d-4ed9-8941-08590bcdf444.

 

Environment Links for Reference:

 

If there are any best practices or specific considerations when transitioning from a non-SSO environment to an SSO-enabled production environment, I would greatly appreciate any insights. This includes potential pitfalls, user account configurations, and any modifications required in the API requests when dealing with SSO.

 

Thank you in advance for your support and guidance!


Hello,
 

All external requests to Creatio must be authenticated. There are two ways to do this:
 

1) Forms authentication (cookie-based) implemented using the AuthService.svc web service. For this authentication, you need to use a regular user in the Creatio system that has not been created using SSO. You can test this on the Supervisor user who is initially logged in.
2) OAuth 2.0 is one of the supported authorization types in Creatio. Identity Service implements OAuth 2.0 in Creatio. It authorizes third-party apps and web services you integrate with Creatio using OAuth 2.0.
 

You can find the corresponding authorization examples (AuthService.svc and OAuth 2.0) in the official Postman collection of OData protocol requests for Creatio.


So, to summarize - you don't need to be tied to SSO users and you can use a regular user or OAuth 2.0 authorization.
 

Have a nice day!

Serhii Parfentiev,

Thank you for the clarification!

 

I wanted to provide some additional context regarding my situation. I am using user account authentication, and there are two different URLs for authentication in our production environment:

 

SSO Authentication: https://LINKPROD.ma/Login/Login.html?use_sso=true

This link is used when users need to authenticate via SSO.

 

VPN Authentication: This link is used for users connecting through a VPN and involves a different authentication process.

 

In my case, I need to connect using the SSO link. I’m currently trying to authenticate with this link: https://LINKPROD.ma/ServiceModel/AuthService.svc/Login, using the username and password of a regular Creatio user (not an SSO user). However, this approach doesn’t seem to be working.

 

Is there any specific configuration or additional steps I need to take to ensure successful authentication through the SSO link using a regular Creatio user account?

 

Thank you again for your support!
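The forms-authentication route from the reply above (AuthService.svc with a regular, non-SSO user), sketched as an added example that is not part of the original thread or Creatio's own code. The JSON field names (`UserName`, `UserPassword`, `Code`, `Message`), the `BPMCSRF` cookie/header and the `ForceUseSession` header are assumptions taken from Creatio's public integration documentation, and the host in the test is a constructed placeholder.

```python
import json
import urllib.request
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

LOGIN_PATH = "/ServiceModel/AuthService.svc/Login"  # path quoted in the thread


def build_login_request(base_url, username, password):
    """Build the forms-auth POST; refuse plain HTTP so credentials stay encrypted."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("credentials must only be sent over https")
    # Assumed body contract: {"UserName": ..., "UserPassword": ...}
    body = json.dumps({"UserName": username, "UserPassword": password}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + LOGIN_PATH, data=body, method="POST",
        headers={"Content-Type": "application/json"})


def session_headers(set_cookie_values, login_body):
    """Turn a login response into the headers later OData calls must carry."""
    result = json.loads(login_body)
    # Assumption: a rejected login is reported in the body (Code != 0), so check it.
    if result.get("Code") != 0:
        raise PermissionError(f"login rejected: {result.get('Message', '')}")
    jar = SimpleCookie()
    for value in set_cookie_values:
        jar.load(value)
    if "BPMCSRF" not in jar:
        raise RuntimeError("no BPMCSRF cookie in login response")
    return {
        "Cookie": "; ".join(f"{name}={m.value}" for name, m in jar.items()),
        "BPMCSRF": jar["BPMCSRF"].value,  # CSRF token echoed back as a header
        "ForceUseSession": "true",
    }


def login(base_url, username, password):
    """Log in over the network and return the session headers for OData calls."""
    request = build_login_request(base_url, username, password)
    with urllib.request.urlopen(request) as resp:
        return session_headers(resp.headers.get_all("Set-Cookie") or [], resp.read())
```

Pass the service account's password in from a secret store or environment variable rather than hard-coding it, and treat the returned `Cookie` and `BPMCSRF` values as credentials when logging.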
