One Time Token (OTT) - using for one-time login link.

The idp/external-login page is very simple. It's POST /idp/ott/login to receive a session cookie and redirect to specific URI.  But it doesn't work for me as well. I will check and return to you with updates.

As a workaround, to login as another user you might do the same as the page does, use POST /idp/ott/login, receive a autorization cookie and use it be authorized as a user.

Was beginning to think I was losing the plot and missing something obvious!

It's more to allow users to login to our management portal, then got o Acronis portal if they need to without needing to do another sign-in.

Thanks :)

Yes, you need to write this cookie to your customer session and it should be enough to have access to Acronis portal without need to additional sign-in.

As well if you have implemented your own OAuth/oidc IdP endpoint, you can register your IdP provider and then create users with links to this provider, thus all the users will be authenticated through your endpoint. 

Just to be sure - checked with my Chrome (F12), adding the AUTH_SERVER_SECURE cookie from POST /idp/ott/login results.

Thanks.  I'll give it a go later.

Hi,

I've finally had time to look at this.  What you're proposing won't work the best I can tell, as we've no way of writing a cookie to the users browser for an Acronis domain (We're still waiting for our custom domain to be setup).  As it's Cross Domain so will be blocked - the same reason we can't do an Ajax call from the users browser to /idp/ott/login to set it.

Thanks,

Karl

I had a lot of pain trying to the API v2 method of single sign in working. In the end I used API v1 for logins

GET request to https://xx-cloud.acronis.com/api/1/users/$user_id/impersonate/

Returns a token then you can send the person to

https://xx-cloud.acronis.com/?jwt=returned_jwt_token

The v2 method of setting a password is also busted it seems.

UPDATE: Ignore me about password in v2, its working correctly now.

Above I admitted that redirect url doesn't work as expected now in v2. As soon as it's be fixed the functionality will be the same. I already raised an issue for R&D regarding that.

Could you please clarify you issues with password setting? 

Thanks Neil, I'll give v1 a try for now. Didn't think to go back and look at v1.

We've got password setting via v2 working. When I'm back at a machine I'll have a look what we did.

Karl

Apologies. I stand corrected, api v2 password is now working. I will admit its been a little while since I last tried but it appears the issue has been resolved.

Sorry for delay with OTT. I've received clarification and then just spent some time to be sure that all work as expected.

So, to have the URI /idp/external-login#ott={{ott}}&targetURI=<your_url> worked, you need to URLEncode {{ott}}. 

I've captured a small screencast to showcase how it works https://access.acronis.com/t/k83nb7ui 

We were already running it with urlencode for the OTT (the %3D in the original URL posted).

However, since our custom domain & SSL was setup the v2 OTT now seems to be working!

Thanks,

Karl

I've just drilled down together with R&D to the page script itself and checked that all work.

There are 2 main steps:
- post an urldecoded ott token to /idp/ott/login
- redirect to tagetURI

And we ensure that they work.

Happy to know that it started to work for you as well.

Can you see what im missing here. Its probably something obvious. I can login to this user with API v1 no problems. But when I attempt to request an OTT token with v2 I get an error:

$url = https://au1-cloud.acronis.com/api/2/idp/ott

Just an update on this it looks like it might be related to the authentication. Im actually using basic auth currently after looking through things. Going to look at the /idp/token endpoint for getting a token and then ill provide an update.

Yes, Neil. You are correct. The only difference is that I'm using an API Client and then Bearer Authentication with a token issued with the API Client. As well in the demo I've used the "login" field in JSON for an OTT request.