Meri Pehchaan Client Integration Document v1.1
JanParichay
Submitted by
DOCUMENT CONTROL
DOCUMENT NAME: Client Integration Document for Pehchaan.
DOCUMENT ID REFERENCE:
AUTHORIZATION:
Prepared By: Akshay Dhama, Sr. Content Writer
Reviewed By: Prashant Sharma, Project Manager
Reviewed By: Amit Kumar, Scientist C
Authorized By: Seema Khanna, Scientist G
VERSION HISTORY:
Issue Date Effective Date Description
11-07-2022 V1.0
DISTRIBUTION LIST:
The following persons hold the copies of the documents; all amendments and updates to the document
must be distributed to the distribution list.
S.No. Name Location Document type
1 Amit Kumar NIC, New Delhi Soft copy
2 All Clients Soft copy
CONFIDENTIAL:
This document contains restricted information pertaining to the National Informatics Centre. The
access level for the document is specified above. The addressee should honor this access right by
preventing intentional or accidental access outside the access scope.
DISCLAIMER:
This document is solely for the information of the National Informatics Centre and should not be
used, circulated, quoted or otherwise referred to for any other purpose, nor included or referred to
in whole or in part in any document without our prior written consent.
Terms and Meaning
Client Token / Local Token Id: The identifier generated by the Jan Parichay-Meri Pehchaan application after successful user authentication, which is used to identify the user session per application.
Browser Id: Unique key to identify the browser (set as a cookie in the user’s browser).
Encrypted String: The string contains user attributes (JSON format) encrypted with the service API key. Refer to Annexure C for UserAttribute details.
Client Service Home URL: Home URL of the client service.
Session Id: The unique key that identifies a user’s pre-login session (set as a cookie in the user’s browser).
Post Login Session Id: The unique key that identifies a user’s logged-in session (set as a cookie in the user’s browser).
BACKGROUND
Jan Parichay is a single sign-on application designed to integrate NIC services under a single
authentication domain. It is a centralized session and user authentication service in which one set
of login credentials can be used to access multiple applications. The service authenticates the user
once on one designated platform, enabling the user to use a plethora of services without having to
log in and log out each time. Once the user logs in to Jan Parichay, all the services that comply with
the Jan Parichay integration are logged in automatically by sharing its session. It authenticates the
user for all the services and performs authorization based on the rights given to the user, so it
eliminates further authentication/authorization prompts when the user switches services during the
same session.
INTRODUCTION
Clients interested in availing the service of the e-Authentication framework should initially
integrate their service with Jan Parichay.
Client Integration Framework enables Jan Parichay to provide secure access to respective
backend services through a well-defined gateway service that is consistent across all
backend services, regardless of the service implementation.
As a part of the framework, various services will be able to integrate with Jan Parichay
through the offered Application Programming Interfaces (APIs) and Web Service Interfaces
smoothly and conveniently, without affecting the existing architecture of the running
services.
PRE-REQUISITE
1. Auth Key - A 32-digit alphanumeric key generated per client application (client service)
integrated with Jan Parichay. The service API key is used to encrypt data shared between
Jan Parichay and the client application, and to generate the Hash-based Message
Authentication Code (HMAC).
2. Rest Auth Id - A 10-digit numeric key generated per client application (client service)
integrated with Jan Parichay. Rest Auth Id is used to map the Service API key per client
application.
3. AES IV - An initialization vector (IV) is an arbitrary number that can be used along with a
secret key for data encryption.
4. Service Id - A random key which uniquely identifies a service.
LOGIN PROCESS
[Figure: login process diagram; labels: Redirect Call, Service Homepage]
1. When the user tries to access the client service (https://vahan.nic.in/), the service should
check for service session validation by looking at the session cookie for the respective
client service domain.
a) If the service finds the required session cookies, the user should be redirected to
the Service Home page.
b) If the service does not find the required session cookies, or the session cookies
found have already been invalidated by the server, the client service web server
should redirect the user to the Jan Parichay URL (as mentioned below).
URL: https://JANPARICHAY_URL/v1/api/login?sid=ServiceId&tid=TimeToLive&cs=ClientSignature&string=EncryptedClientSessionId
Note
1. Client Signature (cs) is created by calling the HMAC Generator API (refer to the
Additional Framework/API section); this API generates the hash of the
following string:
“JanParichay”+tid+“https://JANPARICHAY_URL/v1/api/login”+sid
Ex: JanParichay1622544184996https://JANPARICHAY_url/v1/api/login5674523190
2. If Jan Parichay doesn’t find any user session, the user will be asked for credentials,
followed by Two-step verification (if enabled), on the Jan Parichay login page. After
successful user authentication, Jan Parichay issues an HTTP redirect to the landing page of the
registered client service (as mentioned below) with the Server Handshaking Id.
HANDSHAKING PROCESS
[Figure: diagram with labels Jan Parichay, Client, API]
1. After receiving the Server Handshaking Id, the client service should take the string from
the above URL and call the below-mentioned Handshaking API.
Request Parameters
Sample Request
http://JANPARICHAY_CLIENT_URL/handshake?handshakingId=ServerHandshakingId&sid=ServiceId
Note
1. Success Response HTTP Status- 202 Accepted
2. Server Handshaking Id used in the above URL is received from Jan Parichay
[Figure: diagram with labels Jan Parichay, Client, API]
1. Token validation is one of the mandatory APIs of the Jan Parichay application, as it validates
the user session throughout the Jan Parichay integrated services. If the user logs out from
any one client service, the other client services of Jan Parichay will not know that the
user has been logged out until the client service has performed token
validation.
2. Every time the user performs any functionality on the client service, the client service must call
the below-mentioned REST API to validate the user session.
Request Parameters
http://JANPARICHAY_CLIENT_URL/isTokenValid?clientToken=ClientToken&sid=ServiceId&sessionId=6B1F1ECD-624B-D701-2980-AF4DC93DEA60&browserId=125A72DF-19FF-CED0-E084-25DB3A7B0655
Note
(A) Success Response HTTP Status- 202 Accepted
Attributes Remarks
Status API Response Status
tokenValid Token Status
Sample Response Payload
{
"status":"success",
"tokenValid":"true"
}
Note
1. Response status can be either "success" or "failure"
2. "tokenValid" key value is either "true" or "false"
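The per-request check described above, as an added example (not part of the original document or the Jan Parichay client): it treats only HTTP 202 with "status":"success" and "tokenValid":"true" as a live session and fails closed on everything else. CLIENT_URL is the page's placeholder, and the function names and injectable fetch parameter are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request

# Placeholder from the page; the real value is ClientServiceHost:ClientServicePort.
CLIENT_URL = "http://JANPARICHAY_CLIENT_URL"


def token_valid_from_response(http_status, body):
    """True only for the documented success shape: 202, status=success, tokenValid='true'."""
    if http_status != 202:
        return False
    try:
        payload = json.loads(body)
    except (ValueError, TypeError):  # malformed JSON, undecodable bytes, missing body
        return False
    if not isinstance(payload, dict):
        return False
    # Both values are JSON strings on the page. The string "false" is truthy in
    # most languages, so compare against the literal instead of testing truthiness.
    return payload.get("status") == "success" and payload.get("tokenValid") == "true"


def http_get(url, timeout=3.0):
    """Default transport: returns (status, body); non-2xx responses raise HTTPError."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read()


def session_is_valid(client_token, sid, session_id, browser_id, fetch=http_get):
    """Call isTokenValid for the current request; any error means 'not valid'."""
    query = urllib.parse.urlencode({
        "clientToken": client_token, "sid": sid,
        "sessionId": session_id, "browserId": browser_id,
    })
    try:
        status, body = fetch(f"{CLIENT_URL}/isTokenValid?{query}")
    except (OSError, ValueError):  # URLError and HTTPError are OSError subclasses
        return False  # fail closed: an unreachable API never keeps a session alive
    return token_valid_from_response(status, body)
```

A request handler would call session_is_valid() before doing any work and clear the local session when it returns False.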
LOGOUT PROCESS
[Figure: diagram with labels Logout Callback API, Jan Parichay, Client, API]
1. On clicking the Logout button on the client service, the client service should first clear its session
and call the logout URL.
URL: https://JANPARICHAY_URL/v1/salt/api/client/logout?clientToken=ClientToken&sid=ServiceId&sessionId=SessionId&browserId=BrowserId&ua=UserAgent&tid=TimeToLive&cs=ClientSignature
Note
1. Client Signature (cs) is created by calling the HMAC Generator API (refer to the
Additional Framework/API section); this API generates the hash of the
following string:
“JanParichay”+tid+“https://JANPARICHAY_URL/v1/salt/api/client/logout”+clientToken+sid+sessionId
Ex: JanParichay1622544184996https://JANPARICHAY_url/v1/salt/api/client/logout02KHfU5XvGWs3i1ZaCxMxVy4hBFPEGs95674523190D1xCGuyfHPTpz5gpFK7YXXgemLB91xcr11
2. If the API is unreachable, the client service should show the “Internal Server Error”
page to the user instead of redirecting back to Jan Parichay. In this case, refer to Jan
Parichay support for help.
2. The client service may also choose to call Jan Parichay logout API followed by re-direct URL.
Request Parameters
Sample Request
http://JANPARICHAY_CLIENT_URL/logoutAll?clientToken=ClientToken&sid=ServiceId&sessionId=6B1F1ECD-624B-D701-2980-AF4DC93DEA60&browserId=125A72DF-19FF-CED0-E084-25DB3A7B0655
Note
(A) Success Response HTTP Status- 202 Accepted
Attributes Remarks
status API response status
message Standard message
{
"status":"success",
"message":"Respective message"
}
Note:
(A) Response status can be either "success" or "failure"
3. To validate the user session throughout the integrated services, Jan Parichay also uses Logout
Callback API provided by the Client Service. It sets a callback function to inform all the
integrated client services that the user has been logged out from one of the client services.
a) To use logout Callback API, client service needs to call the above Jan Parichay logout API
(provided in point 2).
b) Client should also create an API and expose it to Jan Parichay. Through this API, Jan
Parichay will inform the client service to end their session as Jan Parichay session has been
already logged out.
Request Parameters
{"BrowserId":"","ClientToken":"","ServiceId":"","SessionId":"","UserAgent":""}
Note: Clients may either use Logout Callback API or Token Validation API to validate the session.
TIMEOUT PROCESS
[Figure: diagram with labels Redirect Call, Jan Parichay, Client, API]
1. The session timeout for Jan Parichay is 12 hours. However, each client service can also
have its own session timeout.
2. If there is a session timeout of the client service, the client service should redirect the user
to the Jan Parichay password page via URL.
URL: https://JANPARICHAY_URL/v1/salt/api/client/timeout?sid=ServiceId&tid=TimeToLive&cs=ClientSignature
Note
1. Client Signature (cs) is created by calling the HMAC Generator API and this API
will generate the Hash of the following string
“JanParichay”+tid+“https://JANPARICHAY_URL/v1/salt/api/client/timeout”+sid
Ex: JanParichay1622544184996https://JANPARICHAY_url/v1/salt/api/client/timeout5674523190
2. If API is unreachable the client service should show the “Internal Server Error”
page to the user instead of redirecting back to Jan Parichay. In this case, refer to Jan
Parichay support for help.
3. The client may also choose to call timeout API followed by re-direct URL.
Request Parameters
Sample Request
http://JANPARICHAY_CLIENT_URL/timeout?clientToken=ClientToken&sid=test&sessionId=6B1F1ECD-624B-D701-2980-AF4DC93DEA60&browserId=125A72DF-19FF-CED0-E084-25DB3A7B0655&ua=UserAgent
Note
(A) Success Response HTTP Status- 202 Accepted
Attributes Remarks
Status API response status
Message Standard message
Sample Response Payload
{
"status":"success",
"message":"Respective message"
}
Note:
(A) Response status can be either "success" or "failure"
ADDITIONAL FRAMEWORK/API
HMAC GENERATOR
The Hash-based Message Authentication Code (HMAC) generator uses an algorithm and a secret key
to generate the HMAC.
Request Body
Attribute Data Type Required Remarks
HmacString String Yes Message Body
Note: Port is configurable
Request Body
{
"HmacString":"Jan Parichay18147832"
}
{
"status":"success",
"message":"Success message",
"data":{"signature":"HMAC Sign"}
}
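How the HmacString and the signed redirect URL fit together for the login, logout and timeout calls, as an added example (not code from the original document or from the Jan Parichay client). The page does not state the HMAC algorithm or the generator's endpoint, so local_hmac (HMAC-SHA256, hex output) is an assumed stand-in; the function names and the sign callback are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import urlencode

BASE = "https://JANPARICHAY_URL"  # placeholder host exactly as the page writes it


def local_hmac(auth_key, message):
    # Assumption: HMAC-SHA256 with hex output stands in for the HMAC Generator API,
    # whose algorithm and endpoint are not given on the page.
    return hmac.new(auth_key.encode(), message.encode(), hashlib.sha256).hexdigest()


def string_to_sign(endpoint, tid, *fields):
    """'JanParichay' + tid + endpoint URL + fields, in the order the page lists them."""
    return "JanParichay" + tid + endpoint + "".join(fields)


def _redirect(path, tid, signed_fields, params, sign):
    endpoint = BASE + path
    cs = sign(string_to_sign(endpoint, tid, *signed_fields))
    # urlencode percent-encodes '+', '/', '=' and spaces, which matters for the
    # encrypted string and the User-Agent value.
    return endpoint + "?" + urlencode({**params, "tid": tid, "cs": cs})


def login_url(sid, tid, encrypted_session_id, sign):
    url = _redirect("/v1/api/login", tid, [sid], {"sid": sid}, sign)
    return url + "&" + urlencode({"string": encrypted_session_id})


def logout_url(client_token, sid, session_id, browser_id, ua, tid, sign):
    params = {"clientToken": client_token, "sid": sid, "sessionId": session_id,
              "browserId": browser_id, "ua": ua}
    return _redirect("/v1/salt/api/client/logout", tid,
                     [client_token, sid, session_id], params, sign)


def timeout_url(sid, tid, sign):
    return _redirect("/v1/salt/api/client/timeout", tid, [sid], {"sid": sid}, sign)
```

In a deployment, sign would post the string to the local HMAC Generator API and return data.signature; only the signature, never the Auth Key, ends up in the URL.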
ENCRYPTION
The Advanced Encryption Standard (AES) generator uses an algorithm with a secret key and an
initialization vector to generate the encrypted string.
Note: Port is configurable
Sample Request
{
"AESString":"Jan Parichay18147832"
}
Attributes Remarks
{
"status":"success",
"message":"Success message",
"data":{"signature":"Encrypted"}
}
DECRYPTION
The Advanced Encryption Standard (AES) generator uses an algorithm with a secret key and an
initialization vector to decrypt the encrypted string.
Note: Port is Configurable
Sample Request
{
"EncryptedString":"sahdbhbshsah"
}
Attributes Remarks
{
"status":"success",
"message":"Success message",
"data":{"signature":"Decrypted"}
}
Client Framework is packaged for deployment to support both Linux and Windows environments,
including container platforms. The following deployment packages are available:
1. Win64 Executable (JanParichayClient.exe)
2. Linux Executable (JanParichayClient)
3. Docker Image
The service is configured using the JSON configuration file (config.json). The configuration
parameters are given below:
Parameter: Description
ClientServicePort: The port on which the service is configured within the application/web server. This port must not be exposed outside the local server.
LogLevel: INFO/DEBUG
Note:
1. The executable file and config.json should be in the same directory.
2. JAN PARICHAY CLIENT URL is formed using ClientServiceHost:ClientServicePort as
mentioned in the above table.
For Ex: 0.0.0.0:8082
Make sure the configuration file config.json is in the same folder as that of the JanParichay client
service
Linux
Set executable permission in Linux environment
chmod +x JanParichayClient
Windows
Run JanParichayClient.exe to start the service
ANNEXURE A
Sr. No. Requirements
1. Name of the Service
*Name of the client application
2. Single Login/Multiple Login
*Single login services can be accessed only in Single browser at a time while multiple login
services can be accessed in multiple browsers (e.g. Chrome and Mozilla) at a time
3. Enforce Multi-Factor Authentication
Yes/No
*Whether Multi-factor authentication should be enforced for all users by the client service or not.
4. Force Multi-Factor Authentication
Yes/No
*Whether all users should be forced to use Multi-factor authentication by the client service or not.
5. Service Description
*A small description of the service which will be shown on the hover of the application
logo
6. Department Name
*Name of the Department the application belongs to
7. Client Service Home URL
*Landing URL of the client application. User will be redirected back to this URL after
successful authentication from Jan Parichay
8. Client Service Login URL
*Login page URL of the client service. User will be redirected to this URL in case of any
error while accessing the service
9. Client Service Logout URL
*A re-direct Logout URL of the client service
10. Enforce Multi-Factor Authentication per user (If yes, mention user details as per
below format)
Primary mail Id, Role (Admin/HR/Department Head/Manager/Other), Multi-Factor
Authentication (Yes/No)
13. Is the application security audit cleared (Only for Production Environment)
Yes/No
If yes, share the Security Audit Certificate
14. Enforce Geofencing
Geofencing per user: Yes/No
Note: In case of adding any new parameter, kindly contact Jan Parichay support (Refer
Annexure D).
ANNEXURE B
Note: In case, IP or Port doesn’t respond, ask Network or Firewall team to check respectively.
13.126.134.109
janparichaystag.meripehchaan.gov.in 3.6.1.236
13.235.201.65
Staging
apijanparichaystag.meripehchaan.gov.in 65.2.115.161
65.1.163.97
janparichay.meripehchaan.gov.in 52.66.159.237
13.126.138.174
Production
65.0.150.218
apijanparichay.meripehchaan.gov.in 43.204.48.64
43.204.208.212
ANNEXURE C
Key Value
firstName First Name
lastName Last Name
Email Email
mobileNo Mobile No
designation Designation
address Address
status User Account Status
userId User Id
parichayId Jan Parichay Id
ip IP
browserId Browser Id
ua User Agent
sessionId Post Login Session Id
clientToken Client Token
loginId Login Id
serviceAccessTime Time at which user accessed the service
verificationParameters User Role (If service has required)
Note: In case of adding any new parameter, kindly contact Jan Parichay support (Refer
Annexure D).
ANNEXURE D
VoIP 7494
Email Id [email protected]
ANNEXURE E
a) ClientToken
b) ServiceId
c) SessionId
d) UserAgent
e) BrowserId
Example: {"BrowserId":"","ClientToken":"","ServiceId":"","SessionId":"","UserAgent":""}
a) Signature
b) TTL
Step 3: Signature is created by calling the HMAC Generator API and this API will generate
the Hash of the following string
1605533336176http://JanParichaytesting1.dev.nic.in/logouttest.php8076123F37A50E5D7F2447BDA702BA02B00C843B698844CCC747C51C08767E41E46C3C9D7E3A18926FF7CD1EBD89DEE28B141627DC39BB3E8BCAF9D09C5461CAservice1user.nknsp@nic.in7B4D5923-7033-4439-C197-5FEB341224F48760AC52-AB5D-B11B-6F02-2829260D445D
Here,
o 1605533336176 is Current Timestamp in microseconds (ttl).
o http://JanParichaytesting1.dev.nic.in/logouttest.php is Logout API URL.
o 8076123F37A50E5D7F2447BDA702BA02B00C843B698844CCC747C51C08767E41E463C9D7E3A18926FF7CD1EBD89DEE28B141627DC39BB3E8BCAF9D09C5461CA is Client Token
o service1 is Servicename
o user.nknsp@nic.in is Username
o 7B4D5923-7033-4439-C197-5FEB341224F4 is SessionID
o 8760AC52-AB5D-B11B-6F02-2829260D445D is BrowserID
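One way for the client service's Logout Callback API to check an incoming callback before ending a session, as an added example (not part of the original document or of Jan Parichay's code). Assumptions: Signature and TTL arrive as request headers under those names, ServiceId carries the service name, the TTL is an epoch value in milliseconds (the 13-digit sample above has that length), HMAC-SHA256 with hex output stands in for the HMAC Generator API, and the sessions store, the five-minute window and all sample values are constructed.

```python
import hashlib
import hmac
import time

MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window; the page does not define one


def local_hmac(auth_key, message):
    # Assumption: HMAC-SHA256/hex stands in for the HMAC Generator API.
    return hmac.new(auth_key.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_logout_callback(headers, body, sessions, logout_api_url, sign, now_ms=None):
    """Return the SessionId to terminate, or None when the callback is rejected."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        ttl = headers["TTL"]
        signature = headers["Signature"]
        fields = [body[k] for k in ("ClientToken", "ServiceId", "SessionId", "BrowserId")]
        sent_ms = int(ttl)
    except (KeyError, TypeError, ValueError):
        return None  # missing header or field, or a non-numeric TTL
    if not all(isinstance(v, str) for v in [ttl, signature, *fields]):
        return None
    if abs(now_ms - sent_ms) > MAX_AGE_MS:
        return None  # stale timestamp: treat as a replayed callback
    client_token, service, session_id, browser_id = fields
    session = sessions.get(session_id)
    if session is None:
        return None  # no such local session, nothing to end
    # Field order follows the breakdown above. Username comes from the service's
    # own session record because the callback body does not carry it.
    expected = sign(ttl + logout_api_url + client_token + service
                    + session["username"] + session_id + browser_id)
    # Constant-time comparison avoids leaking how many leading characters match.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return None
    return session_id
```

The caller invalidates the returned session and answers the callback the same way whether or not verification passed.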
URL: https://JANPARICHAY_API_URL/v1/serviceplus/user/registration
Header Parameters:
Note
Signature is created by calling the HMAC Generator API (refer to Additional
Framework/API Section) and this API will generate the Hash of the following
String:
“JanParichay”+TTL+“https://JANPARICHAY_API_URL/v1/serviceplus/user/registration”+ServiceId+Username+Password
Ex: JanParichay1622544184996https://api.janparichay.staging.nic.in/v1/serviceplus/user/registrationServicePlusprashnat.nknsp@janparichay.gov.injksadjksdhskahdjkahdjahsdjksahdkjhaskd
Request Parameters:
Attribute Data Type Required Remarks
ServiceId String Yes Message Body
Username String Yes Message Body
Password String Yes Message Body
Request Body
{
"ServiceId":"",
"Username":"",
"Password":""
}
{
"status":"success",
"message":"Successfully registered"
}