Single Sign-On (Legacy)


The authentication solution offered by Duda provides a true Single Sign-On user experience. The user will begin by logging in to the DudaPro Partners Site. Once the login is successful, the user will be able to access the Duda editor without any additional authentication. The Single Sign-On will be achieved using HMAC-SHA1 encryption based on the private key shared between the Partners Site and Duda. Here is the process:

  • The user logs into the Partner's website and clicks on a link to access the mobile editor.
  • The Partner opens a new browser window/tab (or embeds an IFrame into an existing page), passing the set of predefined parameters (see below) in the URL, including the HMAC-SHA1 based signature.
  • Duda reads the parameters, validates the HMAC-SHA1 signature, identifies the user and allows the user to work with the tool in the scope of a browser session.
  • Upon successful login, the user lands up on the page defined within the URL.

HMAC-SHA1 Authentication Details

The security of the authentication solution will be based on the following elements shared by the Partner and Duda:

  1. A secret key shared and maintained only between the Partner and Duda.
  2. Set of URL request parameters passed as part of the request redirecting the user to Duda.
  3. HMAC-SHA1 signature encryption logic.

Secret Key

  • The secret key will be generated and shared securely between the Partner and Duda. The key can be found inside of your Duda account under the API section.
  • The security key will be of 128-bit length represented by 32 chars HEX string, i.e.1a6db9c4f4cc5c870ff813290f961507 or 249ef41fcf9dbc935399296929594b43
  • Duda reads the parameters, validates the HMAC-SHA1 signature, identifies the user and allows the user to work with the tool in the scope of a browser session.
  • Upon successful login, the user lands up on the page defined within the URL.

Request Parameters

When the user is redirected to the DM tool, the URL request must contain the following parameters:

dm_sig_site String Site name – the unique site identifier used during site creation
dm_sig_user String Account name (usually E-Mail) of the sub-user account you are trying to SSO into. This was used during account creation.
dm_sig_partner_key 6 chars HEX String i.e. 6d00f Partner identifier key. This is a unique and secret key to the partner and can be found inside of the dashboard API section.
dm_sig_timestamp Number i.e. 1291050919 equivalent to (2010-11-29 17:15:19Z) Time at which the signature was generated. The time will be in UNIX time format, i.e. number of seconds elapsed since Universal Time (UTC) of January 1, 1970 (epoch). Used to validate that the signature has not been expired. Make sure you are generating this at time of SSO attempt.
dm_sig String The HEX string representing the signature value of HMAC-SHA1 encryption. See below of how to generate this value.

Signature Validation/Generation

In order to verify that the request came from the trusted party, the signature generation (your side) and validation (our side) should share the same algorithm logic. To generate/validate the signature:

  1. Make a list of all parameters that start with “dm_sig_” sorted in reverse alphabetical order.
  2. Create name/value pair strings for each entry in the list, removing the "dm_sig...". For example, “dm_sig_site” becomes “site=examplesite_name”
  3. Concatenate all name/value pairs together, to form a string like "...timestamp=1378904651site=examplesite_name..."
  4. Prepend secret key to the beginning of the string.
  5. HMACSHA1 the entire string using the secret key. The result should be sent as the dm_sig parameter.


Given the following parameters, we will construct our SSO attempt:

  • Time Stamp = 1378904651 (should normally be generated at time of SSO request)
  • Account Name =
  • Site Name = examplesite_name
  • Secret Key = 5eebe8de321dce05cb6b39fb2d5d9a9d
  • Partner Key = fA4dSQ

The generated signature should match:


Using all of this information, we can construct our URL that will permit SSO:


SSO Implementation in PHP

01 <?php
02 //Set editor custom domain
03 $editor_url = '{Your Custom Editor Domain}';
04 //Set SSO Parameters
05 $dm_sig_site = '{Site Name you want to Login to}';
06 $dm_sig_user = '{Account Name you are logging in}';
07 $dm_sig_partner_key = '{Secret Partner Key}';
08 $dm_sig_timestamp = date_timestamp_get(date_create());
09 $secret_key = '{Secret SSO Key}';
10 //Concatenate sso strings so it can be encrypted
11 $dm_sig_string =$secret_key.'user='.$dm_sig_user.'timestamp='.$dm_sig_timestamp.'site='.$dm_sig_site.'partner_key='.$dm_sig_partner_key;
12 //Encrypt values
13 $dm_sig = hash_hmac('sha1', $dm_sig_string, $secret_key);
14 //Create SSO link
15 $sso_link = 'http://'.$editor_url.'/home/site/'.$dm_sig_site.'?dm_sig_partner_key='.$dm_sig_partner_key.'&dm_sig_timestamp='.$dm_sig_timestamp.'&dm_sig_user='.$dm_sig_user.'&dm_sig_site='.$dm_sig_site.'&dm_sig='.$dm_sig;
16 //Print SSO link
17 echo $sso_link;
18 ?>

Priority Phone Support

English phone support is available 18 hours a day,
Monday through Friday, 3am to 9pm (EST).

United States +1 866-776-1550 3am to 9pm (Eastern)
United Kingdom +44 (0)800-011-9071 8am to 2am (London)
France +33 (0)9-75-18-84-74 9am to 3am (Paris)
Israel +972 (0)3-720-8922 10am to 4am (Jerusalem)
Australia +61 (0)2-8880-9166 7pm to 1pm (Sydney)
To schedule a call in French, Portuguese, Hebrew or Russian, please email us at

Please Log in as a DudaPro

Priority Phone Support is available exclusively to DudaPros. Log in to your DudaPro account now to see our international support numbers.

Log In
Not a DudaPro? Start a free trial now!