Getting Account Information in SSOs

Some SSO flows require account information. There are two different methods to gather account information.

Using the extension flags

In the extension.py file, some commented-out lines relate to sending accounts in the incoming SSO request.

# These flags control what additional information is sent in the request
# SEND_USER_INFO will send additional information about the end user when true
# SEND_USER_INFO = True
#
# These flags control what accounts, if any, should be sent in the request.
# SEND_ACCOUNT_INFO = False  # This flag is typically used with an account picker page that renders before the SSO
# SEND_DEP_ONLY_ACCOUNTS = False
# SEND_VIEW_ONLY_ACCOUNTS = False
# SEND_WDL_ONLY_ACCOUNTS = False
# SEND_DEP_VIEW_ACCOUNTS = False
# SEND_DEP_WDL_ACCOUNTS = False
# SEND_VIEW_WDL_ACCOUNTS = False
# SEND_DEP_VIEW_WDL_ACCOUNTS = False

The commented-out values are the defaults used at install time. Uncommenting a line causes the installer to use the value in the extension instead of the default.

The first flag controls whether or not the end user’s information is included in the incoming request. This information will be included in the self.online_user object.

Note

The self.online_user is an instance of the SSOUser class, not the OnlineUser class. The distinction reflects that the request's shape, and the information it provides, differ between the extension types.

SSO User

Online User

The remaining flags control which accounts are sent in the incoming request. Each flag corresponds to an access level the end user holds on the account. For instance, if SEND_DEP_ONLY_ACCOUNTS is set to true (SEND_DEP_ONLY_ACCOUNTS = True), only the user's accounts with an access level of 1 are sent to the SSO. The snippet below shows the flags in a state where all of the user's accounts are sent to the SSO.

# These flags control what additional information is sent in the request
# SEND_USER_INFO will send additional information about the end user when true
# SEND_USER_INFO = True
#
# These flags control what accounts, if any, should be sent in the request.
# SEND_ACCOUNT_INFO = False  # This flag is typically used with an account picker page that renders before the SSO
SEND_DEP_ONLY_ACCOUNTS = True
SEND_VIEW_ONLY_ACCOUNTS = True
SEND_WDL_ONLY_ACCOUNTS = True
SEND_DEP_VIEW_ACCOUNTS = True
SEND_DEP_WDL_ACCOUNTS = True
SEND_VIEW_WDL_ACCOUNTS = True
SEND_DEP_VIEW_WDL_ACCOUNTS = True
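
The following is an added, illustrative model of how the account flags partition a user's accounts; it is not code from extension.py or the platform. It assumes that DEP, VIEW and WDL stand for deposit, view and withdrawal access, that each SEND_*_ACCOUNTS flag selects exactly the accounts whose access is that combination, and that an account with no access falls under no flag. The Account class and its fields are constructed stand-ins, not the platform's SSOAccount.

```python
"""Model of the SEND_*_ACCOUNTS flags from extension.py (added example).

Assumptions (not stated on the page): DEP/VIEW/WDL mean deposit, view and
withdrawal access; each flag covers exactly one combination of those three;
an account with no access is covered by no flag.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """Constructed stand-in for an account record (hypothetical fields)."""
    number: str
    can_deposit: bool
    can_view: bool
    can_withdraw: bool

    def access_key(self) -> str:
        """Return the middle part of the SEND_<KEY>_ACCOUNTS flag this
        account falls under, e.g. "DEP_ONLY" or "DEP_VIEW_WDL"."""
        parts = [name for name, on in (("DEP", self.can_deposit),
                                       ("VIEW", self.can_view),
                                       ("WDL", self.can_withdraw)) if on]
        if not parts:
            return "NONE"          # no access at all: no flag covers this account
        if len(parts) == 1:
            return parts[0] + "_ONLY"
        return "_".join(parts)


# Install-time defaults, as shown on the page: nothing is sent.
DEFAULT_FLAGS = {
    "SEND_DEP_ONLY_ACCOUNTS": False,
    "SEND_VIEW_ONLY_ACCOUNTS": False,
    "SEND_WDL_ONLY_ACCOUNTS": False,
    "SEND_DEP_VIEW_ACCOUNTS": False,
    "SEND_DEP_WDL_ACCOUNTS": False,
    "SEND_VIEW_WDL_ACCOUNTS": False,
    "SEND_DEP_VIEW_WDL_ACCOUNTS": False,
}

# The "send everything" state from the snippet above.
ALL_ACCOUNTS_FLAGS = {name: True for name in DEFAULT_FLAGS}

# Constructed sample data covering several access combinations.
SAMPLE_ACCOUNTS = [
    Account("1001", can_deposit=True, can_view=False, can_withdraw=False),
    Account("1002", can_deposit=False, can_view=True, can_withdraw=False),
    Account("1003", can_deposit=True, can_view=True, can_withdraw=True),
    Account("1004", can_deposit=False, can_view=False, can_withdraw=False),
    Account("1005", can_deposit=False, can_view=True, can_withdraw=True),
]


def select_accounts(accounts, flags):
    """Return the accounts whose access category has its SEND_* flag enabled.

    `flags` holds only the lines that were uncommented; anything not given
    keeps its install-time default, mirroring how the installer behaves.
    """
    merged = {**DEFAULT_FLAGS, **flags}
    return [a for a in accounts
            if merged.get(f"SEND_{a.access_key()}_ACCOUNTS", False)]


def selected_numbers(accounts, flags):
    """Convenience wrapper returning just the account numbers, in order."""
    return [a.number for a in select_accounts(accounts, flags)]


if __name__ == "__main__":
    print("defaults:      ", selected_numbers(SAMPLE_ACCOUNTS, {}))
    print("deposit-only:  ", selected_numbers(SAMPLE_ACCOUNTS, {"SEND_DEP_ONLY_ACCOUNTS": True}))
    print("all flags true:", selected_numbers(SAMPLE_ACCOUNTS, ALL_ACCOUNTS_FLAGS))
```

With the defaults, no account is sent; enabling a single flag sends only the accounts in that one category; with every flag enabled, every account the user has some access to is sent, while the no-access account (1004) is never included under this model.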

Note

As with the self.online_user note above, the self.account_list object is a list of SSOAccount objects, not the Account objects used in online extensions. The distinction reflects that the request's shape, and the information it provides, differ between the extension types.

SSO Account

Account

Requesting accounts from the SSO extension

The account information in the incoming request is only a snapshot of the account values. Where that information is insufficient for the use case, an HQ call can be made to fill in the gaps. The suggested method is the GetUserAccountListAndDetails module method, used with the UseCurrentDetails detail type. This detail type pulls the end user's account list from the current session information rather than making a fresh account list request to the database and/or core.