Akcelerant Collections Guide
WebLoan Single Sign-on Specifications

This document describes the mechanism to allow seamless navigation between customers’ online banking applications and the Temenos Lifecycle Management Suite WebLoan application (WebLoan). The Single Sign-on (SSO) process permits an online banking end user to begin a new loan application bypassing the standard WebLoan login page. There is functionality in WebLoan that is only made available to users coming from SSO (e.g. copying data from previous applications, editing existing applications).

SSO Process

Security

The SSO Process uses two levels of security to prevent unauthorized access to WebLoan.

SSL

The SSO request to WebLoan must be transmitted using SSL (https) to prevent eavesdropping on and tampering with the request.

User Credentials

The SSO request to WebLoan must contain a valid username and password of a Lifecycle Management Suite user. This gives the customer control over which credentials are used for SSO. The same password policies are in place for the SSO request as any other Lifecycle Management Suite user. The customer also has the flexibility to shut down SSO access by simply deactivating this user in the Lifecycle Management Suite.

GET/POST Specifications

This section outlines the specific requirements for the form GET/POST to use SSO correctly.

Location

The SSO URL is a static URL, but it will vary from customer to customer. The WebLoan application exists as a virtual directory under a website, both of which are defined by the customer.

For example, the website is “www.MyFI.org” and the virtual directory is “WebLoan.” In this scenario, the SSO URL is: https://www.MyFI.org/WebLoan/Login.mvc/GetAuthToken.

Request Fields

The following table defines all fields supported in the GET/POST for SSO. These fields may be included in the body of the request (POST) or as query string parameters (GET).

Field Name       Description
PersonNumber     This is the person number identifying the online banking end user in the core system. Typically a banking core system will use a Person Number.
AccountNumber    This is the account number identifying the online banking end user in the core system. Typically a credit union core system will use an Account (member) Number.
TIN 1            This is the Tax Identification Number identifying the online banking end user. The TIN is typically the SSN for a person and an EIN for an organization.
Username         This is the username for the third party application created by the customer through the Lifecycle Management Suite user management module. This field is required.
Password         This is the password for the third party application created by the customer through the Lifecycle Management Suite user management module. This field is required.

At least one of the fields identifying the end user is required. A banking core system will typically send PersonNumber and not AccountNumber. A credit union core system will typically send AccountNumber and not PersonNumber.

For example: https://www.MyFI.org/WebLoan/Login.mvc/GetAuthToken?Username=myuser&Password=mypassword&AccountNumber=100120.

Response

The response is JSON data containing the needed information.

{
"AuthToken": null,
"AuthTokenUrlEncoded": null,
"Result": true,
"Messages": [],
"ExceptionId": 0,
"RequiresOverride": false
}

The AuthToken property contains the token needed to seamlessly log in to WebLoan. Include this token in the request to WebLoan as either a form field or a query string parameter. The name of this field/parameter must be “AuthToken” for SSO to work. If the token is used in the query string, it must be URL-encoded. In that case, use the AuthTokenUrlEncoded property: it holds the same value as AuthToken, already encoded for convenience.

To navigate a user to the product selection page, the request would be: https://www.MyFI.org/WebLoan/Product.mvc?AuthToken=+pYnN11AU5H.

This is an example of an AuthToken:

+pYnN11AU5HkjdMnQhpVodTiWK62eGRFZTSGRNdW2ZM//Uj2ebq7osTWkzsbCU3nA8oReS+l1Z46yd73QA7m75
bySi692B5GCIXunwvMrjS038PIPeSEvQK6QMyN4YBuHkfum0z1U6zo6TxYnjqOSDOScVCt9wba9YD2OhpBSvp/
bm7NRBkc1vYLXqQmRnEScETF/1HZbyh3l+thhyopZ7Fs8cq3Dr6bybuBxnvCm2MfoqZPx0agX6/ErFCdTnKTEO
NIxnq/MLvkNbsLWn+qw6dRTPKa5vFY5CIIAcw43KJXy7R2dWaQMkZLtXkTMlzeDlEztJwK0VwR1Dg9xagqnJaw
rKnXDGMuiU0IU2Efw8c9Bnd95vN+zFu8HofgGg6o

Authentication Token Expiration

An AuthToken will expire 20 minutes after it is generated. If an expired token is used to enter WebLoan, there will be no error or feedback. However, the end user will not be authenticated and will be presented with the login screen before creating an application.

Authentication Failures

If authentication fails for any reason, information will be included in the response about the error. Use the Result property to check for success/failure. This is an example of an authentication error:

{
    "AuthToken": null,
    "AuthTokenUrlEncoded": null,
    "Result": false,
    "Messages": [{
        "Type": 0,
        "Text": "Invalid username or password",
        "Code": "",
        "IsUserFriendly": false
    }],
    "ExceptionId": 0,
    "RequiresOverride": false
}

End User Experience

The online banking application must properly handle all errors from the GetAuthToken request. If a request is made to WebLoan without a valid AuthToken (no token or it is expired), the end user will be presented the login screen before creating an application.
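
The flow described above, seen from the online banking server, as an added example (not Temenos or Akcelerant code): it builds the GetAuthToken request as a POST so the credentials stay out of URLs and access logs, checks Result before trusting the response, and refuses to redirect with a token past its 20-minute lifetime. The function names, the `TIN` field spelling and the 30-second safety margin are assumptions; the caller performs the actual HTTPS POST.

```python
import json
import time
from urllib.parse import quote, urlencode

TOKEN_LIFETIME_S = 20 * 60  # from the page: a token expires 20 minutes after generation
SKEW_S = 30                 # assumed margin: we time from receipt, not from generation
ID_FIELDS = ("PersonNumber", "AccountNumber", "TIN")  # "TIN" spelling is assumed


class SsoError(Exception):
    """GetAuthToken failed, or the token can no longer be used."""


def build_token_request(base_url, username, password, **end_user):
    """Return (url, form_body) for a server-side POST to GetAuthToken."""
    if not base_url.lower().startswith("https://"):
        raise SsoError("SSO request must be sent over https")
    ids = {k: v for k, v in end_user.items() if k in ID_FIELDS and v}
    if not ids:
        raise SsoError("PersonNumber, AccountNumber or TIN is required")
    fields = {"Username": username, "Password": password, **ids}
    # POST body rather than query string: keeps the credentials out of URLs and logs.
    return base_url.rstrip("/") + "/Login.mvc/GetAuthToken", urlencode(fields).encode()


def parse_token_response(body, now=None):
    """Return (url_encoded_token, expires_at); raise SsoError on any failure."""
    data = json.loads(body)
    if data.get("Result") is not True:
        texts = [m.get("Text", "") for m in data.get("Messages") or []]
        raise SsoError("; ".join(texts) or "GetAuthToken returned Result=false")
    token = data.get("AuthToken")
    if not token:
        raise SsoError("Result was true but no AuthToken was returned")
    # Prefer the server's pre-encoded value; else percent-encode '+', '/' and '='.
    encoded = data.get("AuthTokenUrlEncoded") or quote(token, safe="")
    issued = time.time() if now is None else now
    return encoded, issued + TOKEN_LIFETIME_S - SKEW_S


def product_url(base_url, encoded_token, expires_at, now=None):
    """Build the WebLoan redirect; refuse a token WebLoan would silently ignore."""
    current = time.time() if now is None else now
    if current >= expires_at:
        raise SsoError("AuthToken expired; request a new one before redirecting")
    return f"{base_url.rstrip('/')}/Product.mvc?AuthToken={encoded_token}"
```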

 

 


©2017 Akcelerant Software LLC. All Rights Reserved.