Appearance
Authentication API
Authenticate with Northeastern SSO
Redirects to (or returns) a Northeastern SSO URL to begin user authentication process
plaintext
GET /api/v2/loginRequest Parameters
| Body Parameters | Type | Required | Description |
|---|---|---|---|
| no_follow_redirect | Bool | No | Set value to true to get a JSON object returned with SSO Login URL. Default bahavior returns a 302 Redirect. |
Success Responses
no_follow_redirect: false (default)
HTTP/1.3 302 Found
Location: https://neuidmsso.neu.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest={TOKEN}&RelayState=https://get.cbord.com/northeastern/full/login.php?mobileapp=1no_follow_redirect: true
json
{
"sso_url": "https://neuidmsso.neu.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest={TOKEN}&RelayState=https://get.cbord.com/northeastern/full/login.php?mobileapp=1",
"message": "Login Flow Started"
}Failure Responses
`no_follow_redirect` set to non-Boolean value
json
{
"message": "Parameter 'no_follow_redirect' set to non-boolean value"
}Details
Authentication Redirect URL Chain & Additional Details
- https://neuidmsso.neu.edu/idp/profile/SAML2/Redirect/SSO?SAMLRequest=
{TOKEN}&RelayState=https://get.cbord.com/northeastern/full/login.php?mobileapp=1 - ... (Northeastern SSO Authentication URLs)
- https://get.cbord.com/northeastern/full/mobileapp_login_validator.php?sessionId=
{SESSION_ID}
NOTE
SESSION_ID is a UUIDv4 string which CBORD uses as session tokens for the GET Mobile Application. The initial SESSION_ID token is a valid SESSION_ID and the page will say "validated", however if you arbitrarily replace that UUIDv4 token it seemingly will still say "validated" despite the new token not being valid, unsure why that is.
Closing Sessions
Closes a session using
SESSION_ID
plaintext
POST /api/v2/closeSessionRequest Parameters
| Body Parameters | Type | Required | Description |
|---|---|---|---|
session_id | string | YES | session_id to close. |
Success Response
json
{
"response": true,
"exception": null
}Renewing Sessions
Renews
SESSION_IDtokens usingDEVICE_IDandPINifSESSION_IDis expired, else returns the sameSESSION_ID.
plaintext
POST /api/v2/authRequest Parameters
TIP
Providing the existing or last known session_id can help cut down on unnecessary sessions. Each time you create a new session, the old session is not automatically closed, and session_id tokens don't expire for a couple days.
| Body Parameters | Type | Required | Description |
|---|---|---|---|
device_id | string | YES | UUIDv4 identifer for each device |
pin | number(4) | YES | 4-digit PIN set upon login. Also used in case of not being able to use biometrics to authenticate in GET Mobile App |
session_id | string | NO | If configured, will attempt to validate Session and if valid, returns same session_id, else creates a new session using device_id and pin |
Success Response
json
{
"response": "{SESSION_ID}",
"exception": null
}Failure Reponse
9510: Device Marked As Lost
TIP
Usually this just means the device was never registered to a User Account. I assume a lost device returns the same error code.
json
{
"response": null,
"exception": "9510|Device marked as lost"
}9504: Invalid PIN
TIP
This occurs when the device_id does exist, but the pin is wrong.
json
{
"response": null,
"exception": "9504|Invlaid pin login credentials."
}NOTE
No, that's not a spelling error on my part. That's the exact response CBORD provides when the device_id exists, but the PIN is wrong.