This technical guide describes the mechanism that allows seamless navigation between customers’ online banking applications and the Temenos Lifecycle Management Suite Virtual Capture application (Virtual Capture). The Single Sign-on (SSO) process permits an online banking end user to begin a new application, bypassing the standard Virtual Capture login page.
Reference the following diagram for an overview of the SSO Process:
The SSO Process uses two levels of security to prevent unauthorized access to Virtual Capture.
The SSO request to Virtual Capture must be transmitted using SSL (https) to prevent request eavesdropping and tampering.
The SSO request to Virtual Capture must contain a valid username and password of a Lifecycle Management Suite user. This gives the customer control over which credentials are used for SSO. The same password policies are in place for the SSO request as any other Lifecycle Management Suite user. The customer also has the flexibility to shut down SSO access by simply deactivating this user in the Lifecycle Management Suite.
It is recommended that system administrators create a separate user in the Lifecycle Management Suite to perform Virtual Capture SSO requests. The following list includes recommendations for the settings to assign to the SSO user:
The token generated by Virtual Capture is encrypted and does not contain any user information. The user information once saved is not passed back to the browser or saved within the token. If any of the user information needs to be changed, a new token would need to be generated.
This section outlines the specific requirements for the HTTP GET to use SSO correctly. This request is expected to be made from the online banking application's server, not from the browser, so that the SSO credentials are not exposed on the end user's network path.
The SSO URL is a static URL, but it varies between customers. The Virtual Capture application exists as a virtual directory under a website, both of which are defined by the customer. For example, the website is “www.MyFI.org” and the virtual directory is “Virtual Capture.” In this scenario, the SSO URL is: https://www.MyFI.org/VirtualCapture/Login/GetLoginToken.
The following table defines all fields supported in the HTTP GET for SSO:
Field Name | Description
--- | ---
PersonNumber | The person number that identifies the online banking end user in the core system.
AccountNumber | The account number that identifies the online banking end user in the core system.
TIN | The Tax Identification Number that identifies the online banking end user.
Username | The username for the third party application, created by the customer through the Lifecycle Management Suite module.
Password | The password for the third party application, created by the customer through the Lifecycle Management Suite module.

Note: At least one of the fields identifying the end user is required. A banking core system typically sends PersonNumber and not AccountNumber. A credit union core system typically sends AccountNumber and not PersonNumber.
Example request:
https://www.MyFI.org/VirtualCapture/Login/GetLoginToken?UserName=myuser&Password=mypassword&AccountNumber=myAccountNumber
The response is JSON data containing the needed information. For example:
{
"AuthToken": "YO9A56MvKGgLdpSxh6XfBZAxVTADlkqEDBWecaOCHowBP4egJFBI0fT2UI/Ey9Ep",
"Result": true,
"Messages": [],
"ExceptionId": 0,
"RequiresOverride": false
}
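The following is an added example of the server-side GetLoginToken call, not code from the guide or from Temenos. It percent-encodes every query value (the example URL above is shown unencoded, which breaks as soon as the SSO user's password contains "&", "+", "%" or a space), refuses a non-https base URL, requires at least one end-user identifier, and handles both the success response above and the authentication failure response shown at the end of this guide. The base URL, the SSO user "sso-svc" and its password are constructed values; the transport is injectable so the sample runs offline against the guide's two JSON responses.

```python
import json
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Customer-specific Virtual Capture root taken from the guide's example (an assumption here).
VC_BASE_URL = "https://www.MyFI.org/VirtualCapture"

# End-user identifier fields the guide lists for GetLoginToken.
IDENTIFIER_FIELDS = ("PersonNumber", "AccountNumber", "TIN")


class SsoAuthError(Exception):
    """GetLoginToken answered with Result == false; carries the Messages array for logging."""

    def __init__(self, messages, exception_id):
        self.messages = messages
        self.exception_id = exception_id
        text = "; ".join(m.get("Text", "") for m in messages) or "SSO authentication failed"
        super().__init__(text)


def build_get_login_token_url(base_url, username, password, **identifiers):
    """Assemble the GET URL. Every value is percent-encoded, so a password containing
    '&', '+', '%' or spaces cannot be misread as extra query parameters."""
    if urlsplit(base_url).scheme.lower() != "https":
        raise ValueError("the SSO request must be sent over https")
    ids = {k: v for k, v in identifiers.items() if v}
    unknown = set(ids) - set(IDENTIFIER_FIELDS)
    if unknown:
        raise ValueError(f"unsupported identifier field(s): {sorted(unknown)}")
    if not ids:
        raise ValueError("at least one of PersonNumber, AccountNumber or TIN is required")
    params = {"UserName": username, "Password": password, **ids}
    return f"{base_url.rstrip('/')}/Login/GetLoginToken?{urlencode(params)}"


def redact_for_log(url):
    """Drop the query string before a URL reaches any log: it carries the SSO user's password."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def parse_get_login_token_response(body):
    """Return the AuthToken on success; raise SsoAuthError with the Messages otherwise."""
    data = json.loads(body)
    if data.get("Result") is True and data.get("AuthToken"):
        return data["AuthToken"]
    raise SsoAuthError(data.get("Messages", []), data.get("ExceptionId"))


def https_transport(url, timeout=10):
    """Default transport: a plain HTTPS GET issued by the banking server, never by the browser."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def fetch_auth_token(username, password, transport=https_transport, base_url=VC_BASE_URL, **identifiers):
    url = build_get_login_token_url(base_url, username, password, **identifiers)
    try:
        return parse_get_login_token_response(transport(url))
    except SsoAuthError as err:
        # Record the failure on the banking side too, with the credentials stripped from the URL.
        print(f"SSO GetLoginToken failed for {redact_for_log(url)}: {err} (ExceptionId={err.exception_id})")
        raise


# Constructed responses copied from the guide's success and failure samples; they stand in
# for Virtual Capture so the example runs offline.
SUCCESS_BODY = json.dumps({"AuthToken": "YO9A56MvKGgLdpSxh6XfBZAxVTADlkqEDBWecaOCHowBP4egJFBI0fT2UI/Ey9Ep",
                           "Result": True, "Messages": [], "ExceptionId": 0, "RequiresOverride": False})
FAILURE_BODY = json.dumps({"AuthToken": "", "Result": False,
                           "Messages": [{"Type": 0, "Text": "Invalid username or password",
                                         "Code": "", "IsUserFriendly": False}],
                           "ExceptionId": 0, "RequiresOverride": False})


def fake_transport(url):
    """Offline stand-in: accepts only the constructed SSO user 'sso-svc' with password 'correct horse'."""
    qs = dict(parse_qsl(urlsplit(url).query))
    ok = qs.get("UserName") == "sso-svc" and qs.get("Password") == "correct horse"
    return SUCCESS_BODY if ok else FAILURE_BODY


if __name__ == "__main__":
    token = fetch_auth_token("sso-svc", "correct horse", transport=fake_transport, AccountNumber="123456")
    print("token:", token)
```

Because the credentials travel in the query string, any proxy or web server access log on the path may record them; redact_for_log is applied before the URL is written anywhere, and the password is never included in the banking server's own error record.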
This section outlines the specific requirements for the form POST after the encrypted token is returned.
The SSO URL is a static URL, but it varies from customer to customer. The Virtual Capture application exists as a virtual directory under a website, both of which are defined by the customer. For example, the website is “www.MyFI.org” and the virtual directory is “Virtual Capture.” In this scenario, the SSO URL is: https://www.MyFI.org/VirtualCapture/Login/SSO.
Before the HTTP POST takes place, the encrypted token needs to be stored in a form field called “Data” as either JSON or string.
The following table defines all the Form fields that SSO can accept:
Field Name | Description
--- | ---
Data | Encrypted token received from the GetLoginToken method. This value must be in JSON format. For example: { "AuthToken": "YO9A56MvKGgLdpSxh6XfBZAxVTADlkqEDBWecaOCHowBP4egJFBI0fT2UI/Ey9Ep" }
RedirectURL | The default URL where the financial institution wants Virtual Capture to redirect to after a successful single sign-on. The possible values are as follows:
ProductCategory | The Product Category that is loaded if Virtual Capture is configured to redirect to the Products URL. If a value for this field is not supplied, Virtual Capture redirects to the first Product Category.
To navigate a user to the product selection page, a sample request would be: https://www.MyFI.org/VirtualCapture/Login/SSO.
A token expires 15 minutes after it is generated. If an expired token is used to enter Virtual Capture, no error or feedback is given; the user is simply not authenticated and is treated as a guest.
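The following is an added example of how the banking server can prepare the form POST described in this section; it is not code from the guide or from Temenos. It places the token in the Data field as JSON, accepts RedirectURL only from an allow-list of the institution's configured values (the guide's list of possible values is not reproduced here, so the caller supplies it), HTML-escapes every value in the self-submitting form, and refuses to hand out a token that is at or near the 15-minute limit, because an expired token produces a silent guest session rather than an error. The SSO URL, the "Products" redirect value and the "Loans" category are constructed values.

```python
import html
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlsplit

# From the guide: a token expires 15 minutes after it is generated.
TOKEN_LIFETIME = timedelta(minutes=15)
# Constructed SSO endpoint from the guide's example; customer-specific in practice.
SSO_URL = "https://www.MyFI.org/VirtualCapture/Login/SSO"


def token_is_fresh(issued_at, now=None, margin=timedelta(seconds=30)):
    """True while the token is safely inside its 15-minute lifetime. The margin keeps the
    browser's submit from landing just after expiry, which would silently yield a guest session."""
    now = now or datetime.now(timezone.utc)
    return timedelta(0) <= now - issued_at < TOKEN_LIFETIME - margin


def build_sso_form_fields(auth_token, redirect_url=None, product_category=None, allowed_redirects=()):
    """Build the POST fields: Data carries the token as JSON; RedirectURL and ProductCategory
    are optional. allowed_redirects holds the institution's configured RedirectURL values
    (assumed to be supplied by the caller) so a request parameter cannot steer the user elsewhere."""
    if not auth_token:
        raise ValueError("empty AuthToken")
    fields = {"Data": json.dumps({"AuthToken": auth_token})}
    if redirect_url is not None:
        if redirect_url not in allowed_redirects:
            raise ValueError(f"RedirectURL not in the configured allow-list: {redirect_url!r}")
        fields["RedirectURL"] = redirect_url
    if product_category:
        fields["ProductCategory"] = product_category
    return fields


def encode_form_body(fields):
    """application/x-www-form-urlencoded body, as a server-side POST would send it."""
    return urlencode(fields)


def render_auto_post_form(fields, sso_url=SSO_URL):
    """HTML the banking server returns to the browser: a self-submitting POST form.
    Every value is HTML-escaped so a token or category name cannot break out of its attribute."""
    if urlsplit(sso_url).scheme.lower() != "https":
        raise ValueError("the SSO form must post over https")
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(name, quote=True)}" '
        f'value="{html.escape(value, quote=True)}">'
        for name, value in fields.items()
    )
    return (
        f'<form id="sso" method="post" action="{html.escape(sso_url, quote=True)}">\n'
        f"{inputs}\n"
        '    <noscript><button type="submit">Continue</button></noscript>\n'
        "</form>\n"
        '<script>document.getElementById("sso").submit();</script>\n'
    )


def prepare_sso_handoff(auth_token, issued_at, now=None, **kwargs):
    """Refuse to hand a stale token to the browser; otherwise return the ready-to-serve HTML."""
    if not token_is_fresh(issued_at, now):
        raise RuntimeError("token is at or past its 15-minute lifetime; request a new one")
    return render_auto_post_form(build_sso_form_fields(auth_token, **kwargs))


if __name__ == "__main__":
    # Constructed values: the guide's sample token plus a hypothetical allow-list entry and category.
    token = "YO9A56MvKGgLdpSxh6XfBZAxVTADlkqEDBWecaOCHowBP4egJFBI0fT2UI/Ey9Ep"
    issued = datetime.now(timezone.utc)
    print(prepare_sso_handoff(token, issued, redirect_url="Products",
                              allowed_redirects=("Products",), product_category="Loans"))
```

Generate the token immediately before rendering the form rather than caching it across requests: the issued_at timestamp is what makes the freshness check meaningful, and a token cached for longer than its lifetime fails without any visible error on the Virtual Capture side.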
This section details what occurs if authentication fails.
Failure to authenticate the member results in Virtual Capture returning an error (JSON string). The financial institution can handle the error and take appropriate action. The following is an example of an authentication error:
{
"AuthToken": "",
"Result": false,
"Messages": [{
"Type": 0,
"Text": "Invalid username or password",
"Code": "",
"IsUserFriendly": false
}],
"ExceptionId": 0,
"RequiresOverride": false
}
On all authentication failures, a record is created in the error log.