/ Development  

Ring the alarm bells; The hidden struggles of retrieving the current user SAMLart ID

Hi there “Process Automation” fans,

Welcome to a new installment of “Process Automation” tips.

Two weeks ago, we eXperienced some great Node-RED details with some valuable insights at authentication level! For this week, a quick recap on the authentication part as getting a grip on the current (OTDS!) user session seems to be a recurring struggle in lots of projects. Why would we want to use the current user session? Well, for further communication to xECM for example! Only, for people not understanding seamless authentication via OTDS, the answer is mostly the usage of a “Service account”. Because of all the disadvantages of a service account, it’s time to turn the tide with a real seamless reusable authentication flow…


Let get right into it…

Make sure you have the platform up and running and login to your favorite spot via an OTDS account (as recommended by OpenText). Once, you’re in (and having a session!) open a second tab and tune in on this URL: http://192.168.56.107:8080/home/opa_tips/com.eibus.sso.web.authentication.AuthenticationToken.wcp

The result is a SAMLart ID as “token”:

1
2
3
<AuthenticationToken xmlns="http://schemas.cordys.com/SSO/Runtime/1.0">
<Token>...</Token>
</AuthenticationToken>

It’s a temporary token available for a period (see below in the Request example). We already know what we can do with it (read here) and we also know this token is a critical string of characters to get a grip on when you want to do further communication. Now is the URL great, but we can’t call it from a BPM!

Don’t be smart calling the AuthenticationToken.wcp URL via a GET request over the HTTP connector; Trust me, you’re already outside the platform where the token is EMPTY!

Right, but how CAN we get a SAMLart token in a BPM? That’s the greatest question where one service call is key:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<SOAP:Envelope 
xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP:Body>
<Request
xmlns="urn:oasis:names:tc:SAML:1.0:protocol"
RequestID="" MajorVersion="1" MinorVersion="1" IssueInstant="">
<AuthenticationQuery AuthenticationMethod="">
<ns1:Subject
xmlns:ns1="urn:oasis:names:tc:SAML:1.0:assertion">
<ns1:NameIdentifier NameQualifier="" Format=""/>
</ns1:Subject>
</AuthenticationQuery>
</Request>
</SOAP:Body>
</SOAP:Envelope>

Minimal requirements (after 25 try-outs) for this service call are:

  • MajorVersion="1"
  • MinorVersion="1"
  • <ns1:NameIdentifier NameQualifier="" Format=""/>

This is the result where samlp:AssertionArtifact contains again the SAMLart ID as “token”:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
<data>
<samlp:Response
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
IssueInstant="2025-02-26T20:20:45.871Z" MajorVersion="1" MinorVersion="1"
ResponseID="BBECF2ED-0527-A1EF-BD1F-C8E718CD4C07" InResponseTo="">
<Signature
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<Reference URI="#BBECF2ED-0527-A1EF-BD1F-C8E718CD8C07">
<Transforms>
<Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>...</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...</SignatureValue>
</Signature>
<samlp:Status
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
<samlp:StatusCode Value="samlp:Success" />
</samlp:Status>
<saml:Assertion
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
AssertionID="BBECF2ED-0527-A1EF-BD1F-C8E718CD8C07"
IssueInstant="2025-02-26T20:20:45.871Z"
Issuer="https://www.cordys.com/SSO"
MajorVersion="1" MinorVersion="1">
<saml:Conditions
NotBefore="2025-02-26T20:15:45.871Z"
NotOnOrAfter="2025-02-27T04:20:45.871Z" />
<saml:AuthenticationStatement
AuthenticationInstant="2025-02-26T20:20:45.871Z"
AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
<saml:Subject>
<saml:NameIdentifier>...</saml:NameIdentifier>
</saml:Subject>
</saml:AuthenticationStatement>
</saml:Assertion>
<samlp:AssertionArtifact
xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">...
</samlp:AssertionArtifact>
</samlp:Response>
</data>

Investigating the result tells me the period of the token validity: <saml:Conditions NotBefore="2025-02-26T20:15:45.871Z" NotOnOrAfter="2025-02-27T04:20:45.871Z" />. So, that’s 8 hours and 5 minutes in this example! Let’s not dive into further details about where we can change this (I would not even know and even care at this moment). We have a SAMLart ID available in our BPM of our current user…that’s important! 🤗

If you can’t find the Request operation in the BPM, you need to add a runtime reference (in your project!) of type ‘Web Service Interface’ under the category ‘Cordys Single Sign-On’ and select ‘SAMLProtocol’!

Another great tip is #RTFM…have a search for AssertionArtifact in the administration manual of the OPA platform for additional details.


I give it a “DONE” for the quick recap on this oh so important topic. It’s the entrance to our next step where we want to call xECM/OTCS for reading and updating business workspace data (or any other data) via the ReST API layer of that platform. It’ll be great as where we always hear that it’s an impossible task, and you really need a service account…Well, #SPOILER_ALERT…We nailed it with a lot a sweat and tears! Have a great weekend and till next week on a new “Process Automation Tips” topic.

Don’t forget to subscribe to get updates on the activities happening on this site. Have you noticed the quiz where you find out if you are also “The Process Automation guy”?