%session & passing credentials between ZenPages that reside on different healthshare servers

Question

Question

Carl Maklad · Jun 10

#Access control #Ensemble #HealthShare #InterSystems IRIS

Hi,

I will try to explain my problem. I have a Main ZenPage on one server that has 2 buttons: each button will launch a different ZenPage on a separate server in an iFrame. All 3 servers have the same user.

Currently, the user logs in to the Main ZenPage, but when they click either button to launch the other ZenPage on the separate server they get the login screen again to login to that server.

Is there anyway I can pass the credentials from the Main ZenPage to the child ZenPages, so that the user doesn't have to login again? Thanks.

Product version: IRIS 2023.1

$ZV: 2023.1

Discussion (3)1

Log in or sign up to continue

score 0 · Answer 1 · 2024-06-10T23:03:27-04:00

Hi Carl,

easiest way is to save the authorization to a global, have that global mapped via ECP to your child servers.
On the child servers create a ZAUTHENTICATE routine and implement delegated authentication. essentially you use this routine to check on connection open on the child server if the incoming connection is a valid request based on the auth global mapped from your primary server, then allow or deny.

score 0 · Answer 2 · 2024-06-11T07:49:02-04:00

Thank you so much Timo for your reply, but there lies my problem. What is it that I am saving? You see, the way the user logs in is via the Management Portal login screen, so - unless I am missing something - all I have access to is %session which only gives me access to Username & CSPSessionCookie among other things. I don't think I have access to the password. I was hoping to use one of the %session properties to pass to the other server, then use %session.login to login to the other server(s), but as mentioned before %session doesn't give me password - just Username. Thanks.

score 0 · Answer 3 · 2024-06-12T00:04:23-04:00

When you do Delegated Auth you add code to ZAUTHENTICATE that validates the request against what you want e.g. you grab userid from the incoming web session, or even content of the get parameters provided and validate it against a global that was mapped via ECP from your primary server, that global could save e.g. client ip and username.
Then you can assign a valid user in ZAUTHENTICATE for the incoming connection, no password needed.