Writing a client application that uses single sign-on

When you take advantage of the single sign-on mechanism, you expect users to log in by using the centralized login service before starting a client application. That is, a client application does not log in through the browser or by calling the ChannelSet.login method.

If you are using the LiveCycle single sign-on mechanism, configure the Remoting endpoint to use custom authentication, not basic authentication. With basic authentication, an authentication error causes a browser challenge, which you do not want the user to see. With custom authentication, your application detects the authentication error and then displays a message instructing the user to log in using the centralized login service.

A client application accesses LiveCycle through a remoting endpoint by using the RemoteObject component, as the following example shows.

<?xml version="1.0"?> 
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml"  
       backgroundColor="#FFFFFF"> 
 
      <mx:Script> 
         <![CDATA[ 
 
           import mx.controls.Alert; 
           import mx.rpc.events.FaultEvent; 
 
           // Prompt the user to log in on an authentication fault.
           private function faultHandler(event:FaultEvent):void
           {
               if (event.fault.faultCode == "Client.Authentication")
               {
                   Alert.show(
                       event.fault.faultString + "\n" +
                       event.fault.faultCode + "\n" +
                       "Please log in to continue.");
               }
           }
         ]]> 
      </mx:Script>          
     
      <mx:RemoteObject id="srv"  
          destination="product"  
          fault="faultHandler(event);"/> 
     
      <mx:DataGrid  
          width="100%" height="100%" 
          dataProvider="{srv.getProducts.lastResult}"/>  
 
      <mx:Button label="Get Data"  
          click="srv.getProducts();"/>  
     
</mx:Application>

Logging in as a new user while the Flex application is still running

An application built with Flex includes the authentication cookie with every request to a LiveCycle service. For performance reasons, LiveCycle does not validate the cookie on every request. However, LiveCycle does detect when an authentication cookie is replaced with another authentication cookie.

For example, you start a client application and, while the application is active, you use the centralized login service to log out. You then log in as a different user. Logging in as a different user replaces the existing authentication cookie with an authentication cookie for the new user.

On the next request from the client application, LiveCycle detects that the cookie has changed, and logs out the user. Therefore, the first request after a cookie change fails. All subsequent requests are made in the context of the new cookie and are successful.
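
The application below is an added example, not code from the original documentation: it extends the earlier fault handler to cover the cookie-change case by clearing rows that may belong to the previous user and retrying the read once before asking the user to log in. It assumes the rejected request surfaces with the same Client.Authentication fault code; loadProducts and the isRetry token property are names introduced here.

```mxml
<?xml version="1.0"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml">
    <mx:Script>
        <![CDATA[
            import mx.controls.Alert;
            import mx.rpc.AsyncToken;
            import mx.rpc.events.FaultEvent;

            // Send the read-only call and tag its token so the fault
            // handler can tell a first attempt from a retry.
            private function loadProducts(isRetry:Boolean = false):void
            {
                var token:AsyncToken = srv.getProducts();
                token.isRetry = isRetry; // AsyncToken is a dynamic class
            }

            private function faultHandler(event:FaultEvent):void
            {
                if (event.fault.faultCode != "Client.Authentication")
                {
                    Alert.show(event.fault.faultString, "Request failed");
                    return;
                }
                // Rows on screen may belong to the previous user.
                srv.getProducts.clearResult();

                if (!event.token.isRetry)
                {
                    // A replaced cookie fails only the first request,
                    // so one retry of this idempotent read is enough.
                    loadProducts(true);
                }
                else
                {
                    // Still rejected: no valid cookie is present.
                    Alert.show("Log in through the centralized login " +
                        "service, then click Get Data.", "Not logged in");
                }
            }
        ]]>
    </mx:Script>

    <mx:RemoteObject id="srv" destination="product"
        fault="faultHandler(event);"/>
    <mx:DataGrid width="100%" height="100%"
        dataProvider="{srv.getProducts.lastResult}"/>
    <mx:Button label="Get Data" click="loadProducts();"/>
</mx:Application>
```

The automatic retry is limited to a read; a call that changes data should not be replayed silently under a different user's cookie.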

Logging out

To log out of LiveCycle and invalidate a session, the authentication cookie must be deleted from the client’s computer. Deleting the cookie effectively logs out the user. Because the purpose of single sign-on is to allow a user to log in once, you do not want a client application to delete the cookie.

Therefore, calling the RemoteObject.logout method in a client application generates an error message on the client specifying that the session is not logged out. Instead, the user can use the centralized login service to log out and delete the authentication cookie.

Logging out while the Flex application is still running

You can start a client application built with Flex and use the centralized login service to log out. As part of the logout process, the authentication cookie is deleted. If a remoting request is made without a cookie, or with an invalid cookie, the user session is invalidated. This action is in effect a logout. The next time the client application attempts to connect to a LiveCycle service, the user is requested to log in.