
Getting started with old mode (non-Java)

This is a basic summary of what to do when a request comes in, in pseudo-Python:

    if the "WarwickSSO" cookie is set
        token = cookie value
        if no user in the session
            post to "https://websignon.warwick.ac.uk/origin/sentry?requestType=1" with body "token=%s" % token
            get and parse results as INI-style properties ("key=propertyvalue" etc.)
            if results['returnType'] == 1
                user is valid, store these attributes in the session
            else
                token was invalid. clear the session if there is any data
    else
        clear any existing session data

The results returned from the POST contain attributes about the user. A summary of which attributes to expect is here (the ones for SSOv2 are the ones that will apply):
SSO Attributes

Then, depending on whether the user is logged in or out, you can use these login/logout links in your views:

https://websignon.warwick.ac.uk/origin/slogin?providerId=PROVIDERID&target=TARGET
https://websignon.warwick.ac.uk/origin/logout?target=TARGET

Where PROVIDERID is the unique identifier that you will get after registering your service (the first step on this page), and TARGET should be the URL you want to return the user to after logging in or out (typically the URL of the page that the link is on, or otherwise some other landing page).

If a page requires a logged-in user, you can do an HTTP redirect to send the user straight to the login link. Normally, if you redirect here and they are already signed in to Web Sign-on, they will be sent straight back (a convenient part of Single Sign-on if they have signed in elsewhere already). If you need to actually deny access (because, for example, a signed-in student is trying to request a staff page), you can add the query parameter error=permdenied to the login URL, and this will force the user to the login screen.

The POST request to Websignon is checked against an IP whitelist, so if you haven't registered as above you'll be returned a 403 response.
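The request check and the login link described above, as runnable Python. This is an added example, not code from the original page: the function names, the dict-like `session`, the `user` session key and the sample response are assumptions. It fails closed when the POST fails (including the 403 above) and URL-encodes the token and TARGET.

```python
from urllib.error import URLError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

ORIGIN = "https://websignon.warwick.ac.uk/origin"
# Constructed sample response; real attribute names are listed under "SSO Attributes".
SAMPLE_OK = "returnType=1\nname=Test User\n"

def parse_properties(text):
    """Parse "key=value" lines into a dict; lines without "=" are ignored."""
    props = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)   # the value may itself contain "="
            props[key.strip()] = value.strip()
    return props

def post_token(token, timeout=5):
    """POST the token to the sentry URL; return the body, or None on any failure."""
    body = urlencode({"token": token}).encode()
    req = Request(ORIGIN + "/sentry?requestType=1", data=body)
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (URLError, OSError):   # HTTPError (e.g. the 403) is a URLError
        return None

def check_request(cookies, session, post=post_token):
    """Apply the flow above. `post` is injectable so the logic can be tested offline."""
    token = cookies.get("WarwickSSO")
    if not token:
        session.clear()           # no cookie: drop any existing session data
        return None
    if "user" not in session:
        body = post(token)
        results = parse_properties(body) if body else {}
        if results.get("returnType") == "1":   # parsed values are strings, not ints
            session["user"] = results
        else:
            session.clear()       # invalid token or failed POST: fail closed
    return session.get("user")

def login_url(provider_id, target, deny=False):
    """Build the slogin link; deny=True adds error=permdenied to force the login screen."""
    params = {"providerId": provider_id, "target": target}
    if deny:
        params["error"] = "permdenied"
    return ORIGIN + "/slogin?" + urlencode(params)
```

Comparing `returnType` against the integer `1` after parsing would never match, so every valid token would be treated as invalid.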