Throughout this document, “user” is a Cloud 66 customer and “partner” is a Cloud 66 integration partner.
You will need a partner account with Cloud 66 to use this integration. Please contact email@example.com to setup a partner account.
User integration API
This API is used to add a partner’s service to the user’s account automatically.
An example of this is the addition of a new cloud vendor to a user’s Cloud 66 account without user’s manual intervention.
User integration API has three steps:
- Redirect from Cloud 66 website to Partner website
- Provisioning of service on the partner side and addition to user’s account.
- Redirect from partner’s website to Cloud 66 website.
Redirecting to Partner’s website
Cloud 66 user sees an integration option on his dashboard and clicks on it. He is redirected to the partner’s website with the following payload:
- uid A unique ID of the user
- email user email address
- callback The URL to redirect the user back when the provisioning is done on the partner side.
Once the user is redirected to partner’s website, the partner will try to provision an new account for the user or locate an existing one based on the email of the user. Depending on the outcome the partner can make an API call to Cloud 66 to add the provisioned information about the user to his Cloud 66 account. This could be the API keys of a cloud vendor or the project UID for an exception handling service.
Each partner is given a unique API endpoint. If you don’t have your partner endpoint, please contact firstname.lastname@example.org
You can make an HTTP POST to the partner integration API with the following payload:
- link_uid The UID sent to the partner in the original redirect.
- user_email User email. Should be the same as the one in the original redirect.
Any other partner specific payload will be here.
|403||link_uid is missing|
|403||user_email is missing|
|403||invalid user_email (invalid email or not enough privileges to accept this integration by this user).|
|403||xxx is already linked to this account|
|200||service added (integration successful)|
|403||integration specific errors|
Single Sign-on (SSO)
Cloud 66 provides a simple solution to allow partner customers use their Cloud 66 login credentials to identify themselves. To enable SSO, partners need to contact email@example.com. Once the partner account is established you will received a partner
PROVIDER name which can be used as follows:
Step 1 - Call Cloud 66 SSO endpoint
First step is to redirect user to Cloud 66 to make sure they are logged in (or let them log in if they are not). Users should be redirectd to
https://app.cloud66.com/sso/signin/PROVIDER. You need to replace
PROVIDER with the your unique partner name which will be given to you after partner registration.
Step 2 - Cloud 66 Authenticates
After the redirect, Cloud 66 will authenticate the user as the user might be already logged in or it might need to login.
Step 3 - Redirect back to partner
Once the user is authenticated, the user will be redirected back the partner’s site. The redirect URL will be the one provided by the partner at the point of registration.
To ensure the authenticity of the redirect, the partner has to check the payload of the callback. The payload will have the following fields:
MultiPasses are json hashes encrypted with strong AES encryption. They are typically passed as cookie values, URL params, or HTTP header values, depending on how the individual service chooses to implement it. The fields available in multipass are as follows:
name: user’s name
expires: time when this multipass expires. (1 minute in future).
multipass is encrypted with the first 16 characters of provider’s UID.
Here is a Ruby implementation of multipass.
signature is a SHA256 hash of the second 16 characters of provider’s UID and the multipass.
Provider needs to recalculate the multipass and signature and check its authenticity using the same method. Once the authenticity of the callback is established, provider can use the data encrypted in the multipass.
If a partner requires specific permissions over a user’s account, they can use the Cloud 66 oAuth2 API instead or in addition to the SSO method above.