Pass-through Authentication

Creation date: 4/18/2022 10:49 PM    Updated: 6/27/2023 9:33 PM
Pass-through Authentication is an Angelfish feature that lets you create a direct link to a Profile's reports, bypassing the login screen.  When the link is clicked, a script handles authentication and the User is sent to the reports for a single Profile.

The primary use case for Pass-through Authentication is when the User has already authenticated to the Page that contains the direct report link.

Global Admins can enable Pass-through Authentication in the General tab in Configure - Global - Settings.  Once enabled, the generated key must be used to generate the Auth Signature. 

OVERVIEW

  • Enable Pass-through Authentication
  • Generate the Auth Signature
  • Send POST request

ENABLE PASS-THROUGH AUTHENTICATION
  • Navigate to the General tab in Configure - Global - Settings
  • Click the Generate button in the Pass-through Authentication field
  • A key will appear in the field: use this key to generate the Auth Signature

GENERATE THE AUTH SIGNATURE
  • Concatenate the profile ID and time the request is made: 
    • PROFILE_ID + '-' + TIME
  • Create an MD5 HMAC hash (base64 encoded) of the concatenated string
    • Use the generated key to hash the string

SEND POST REQUEST

Send the POST to this URL: (use https if enabled):


  • SERVER: the hostname of the Angelfish Server
  • PORT: the TCP port of the Angelfish Server
  • PROFILE_ID: the ID of the Profile 

Example:

The POST also requires a few parameters:
  • p - the ID of the Profile to view
  • t - the timestamp of the request in GMT epoch seconds
  • sig - the Auth Signature

Once authenticated, a "ptsession" cookie is created, restricting the User's access to the specified profile ID.



RESTRICTIONS
  • The difference between the request timestamp and the server time cannot exceed 10 seconds
  • The Auth Signature is linked to the Profile ID: to view a different Profile, a new Auth Signature must be created

EXAMPLE SCRIPT (PHP)


<?php
// Pass-through KEY generated from Angelfish UI
$PASSTHROUGH_KEY = "3x4mP13k3Y";

// Location of Angelfish Server
$ANGELFISH = "http://10.1.1.15:9000";

// Capture Profile ID
$profile_id = $_GET["p"];

// Capture current epoch seconds
$time = time();

// Sign the data
$sig = base64_encode(hash_hmac("md5", $profile_id . "-" . $time, $PASSTHROUGH_KEY, true));
?>

// POST data

<form action="<?php echo $ANGELFISH; ?>/reports/#!/<?php echo $_GET["p"]; ?>/" method="post" name="frm" style="display:none;">
 <input type="hidden" name="p" value="<?php echo $_GET["p"]; ?>" />
 <input type="hidden" name="t" value="<?php echo $time; ?>" />
 <input type="hidden" name="sig" value="<?php echo $sig; ?>" />
</form>
<script type="text/javascript">
 document.frm.submit();
</script>