Security and Authentication

Each API requires an Anthology Student user identity to be associated with a Web service request. To establish it, the integrating application calls the Anthology Authentication Web service and receives a security Token Id in the response message. This token Id represents a confirmed identity and is valid for a configurable period of time after the initial authentication request was made. The calling application includes the token Id in every subsequent message to the Web service.

Every time a Web service request is made with the token Id, the duration until timeout is reset (sliding window timeout). This timeout is set up in the API configuration file.

Use Secure Sockets Layer (SSL) for communicating with the Web services. If communication occurs across an unsecured HTTP request path, all elements of the message, including the Anthology Student username and password and application data, will be in plain text.

Options for Managing the Authentication Token

Use one of the following methods to manage the authentication token:

  • Call the Authentication Web service to get a new token for each transaction.

  • Set the token to “never expire” when calling the Web service.

  • Capture the exception of “token expired” and get a new token.

  • Store and use the token from the last response message (the response includes a token whose TTL has been reset).

A choice can be made depending on the application scenario.
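The third and fourth options can be combined in one small wrapper. The sketch below is an added example, not Anthology code: `TokenManager`, `ServiceResult<T>` and `TokenExpiredException` are hypothetical names, the `authenticate` delegate is assumed to wrap your call to the Authentication Web service, and the way an expired token is reported by the real services is an assumption you must map to the actual fault or status.

```csharp
using System;

// Hypothetical: stands in for whatever fault the service raises for an expired token.
public sealed class TokenExpiredException : Exception { }

// Hypothetical result shape: the payload plus the token carried in the response message.
public sealed class ServiceResult<T> { public T Value; public string TokenId; }

public sealed class TokenManager
{
    private readonly Func<string> _authenticate; // wraps the Authentication Web service call
    private readonly object _gate = new object();
    private string _tokenId;

    public TokenManager(Uri endpoint, Func<string> authenticate)
    {
        // Credentials and token travel in the message, so refuse a plain HTTP endpoint.
        if (endpoint == null || endpoint.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Endpoint must use https.", nameof(endpoint));
        _authenticate = authenticate ?? throw new ArgumentNullException(nameof(authenticate));
    }

    public T Call<T>(Func<string, ServiceResult<T>> operation)
    {
        string token = CurrentToken();
        ServiceResult<T> result;
        try { result = operation(token); }
        catch (TokenExpiredException)
        {
            // Sliding window lapsed: authenticate again and retry exactly once.
            token = Refresh(token);
            result = operation(token);
        }
        // Store the token from the last response for the next request.
        if (!string.IsNullOrEmpty(result.TokenId))
            lock (_gate) { _tokenId = result.TokenId; }
        return result.Value;
    }

    private string CurrentToken()
    {
        lock (_gate) { return _tokenId ?? (_tokenId = _authenticate()); }
    }

    private string Refresh(string stale)
    {
        // Another thread may already have replaced the stale token; authenticate only if not.
        lock (_gate) { return _tokenId == stale ? (_tokenId = _authenticate()) : _tokenId; }
    }
}
```

Because the retry happens only once, a second expiry error surfaces to the caller instead of looping, which keeps a misconfigured timeout or revoked account visible.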

Calling the Web Services

Prerequisites

  1. Install the Authentication Web service.

  2. Create an admin page to administer the creation, updating, and deletion of configurations, and to match those configurations to the correct External Application (EA).

  3. Create entries in app.config or web.config to store restricted IPs and the configuration Id to use to create the tokens.

  4. Create a local landing page (that is, a page with no UI, just for running code), which will look up the correct configuration Id (from step 3) to use to generate a token using that configuration. The local landing page will then redirect to the EA’s landing page with the token Id in the URL.

  5. For single sign-on, expose the GetSso service to external applications so that the EA landing page can get the user information it needs to complete the auto login.

  6. Install the Web service(s) you want to use (e.g., ApplicantWebService, ChangeSchoolStatusService, etc.).

Once the Web services are installed, use the corresponding WSDL contract to create the message and call the Web services from your application. The Web services can be called from any Web service enabled development environment. The following code sample uses Microsoft Visual Studio .NET to consume the Web service.

Authentication Web Service

  1. Start a new project in Visual Studio .NET.

  2. Add a reference to the Authentication Web service. Call it AuthenticationService.

  3. Create a method to call the Authentication Web service and retrieve your security TokenId.

    public void GetTokenId()
    {
        // Proxy types generated from the "AuthenticationService" reference added in step 2.
        AuthenticationService.AuthenticationSoapClient service = new AuthenticationService.AuthenticationSoapClient();
        AuthenticationService.TokenRequest request = new AuthenticationService.TokenRequest();
        AuthenticationService.TokenResponse response;

        // Replace the placeholders with the Anthology Student credentials.
        request.UserName = "<Anthology Student UserId>";
        request.Password = "<Anthology Student Password>";
        // false: the token expires after the configured sliding timeout.
        request.TokenNeverExpires = false;

        service.GetAuthorizationToken(null, request, out response);

        // Only accept the token when the service reports success.
        string tokenId = string.Empty;
        if (response.Status == AuthenticationService.TrxStatus.OK)
        {
            tokenId = response.TokenId;
        }
    }