Welcome to the Panopto Community

SOAP SHA-1 authenticate the user

We have an automated internal pipeline that connects to Panopto using External Provider authentication via the LogOnWithExternalProvider SOAP API (PublicAPI 4.2). This pipeline is scheduled to reclaim Panopto licenses for terminated employees by searching for users by email and removing them through the DeleteUsers API.

For authentication, we use a backend service account and generate an auth code using:

hash(userKey@hostname|application_key)

Recently, our pipeline started failing with the error: “Unable to authenticate the user.” Upon review, we noticed that the Panopto UI currently has “SHA-256 only” set to False. Our code was generating the auth code using SHA-256, but after switching to SHA-1, the authentication tested working again.

We have two questions:

  1. Could you please explain what “SHA-256 only = False” indicates in this context? Since the pipeline fails with SHA-256 but works with SHA-1, we would like to understand the expected behavior. If we change “SHA-256 only” to True in the UI, will SHA-256-based authentication work correctly, and would enabling that setting affect anything else in our Panopto configuration?
  2. If we continue using SHA-1 for this backend integration for now, are there any security, compatibility, or future support considerations we should be aware of?

Answers

  • Hi Yerram,

    Thank you for the detailed report. I've reviewed the behavior you described, and your findings are correct.

    For LogOnWithExternalProvider in PublicAPI 4.2, the expected auth code format is the legacy SHA-1-based format: SHA1(userKey@hostname|application_key) (with the hostname and application key lowercased as you noted).
    Because of that, SHA-256 auth codes are not expected to authenticate successfully for this specific SOAP login flow.

    Regarding the “SHA-256 only” option in the Panopto UI: that setting applies to SAML signing/verification behavior for identity provider configuration. It does not control the hash algorithm used by LogOnWithExternalProvider auth code validation in PublicAPI 4.2 SOAP. So changing that setting to True would not be expected to make SHA-256 auth codes work for this API call, and it may impact SAML-based sign-in behavior depending on your IdP configuration.

    Given your current integration, continuing with SHA-1 for this backend SOAP flow is the correct approach at this time. We recommend keeping standard controls in place (TLS, least-privilege service account, key rotation, and monitoring) while using this legacy authentication path.

    I hope this helps.

    Thanks,

    -Adis
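The auth-code derivation the reply describes, written out as an added Python example (this is not Panopto's code, nor the original poster's pipeline). It builds the `userKey@hostname|application_key` payload with the hostname and application key lowercased, hashes it with SHA-1 and, for comparison, SHA-256, and runs both against a small stand-in verifier that only knows the legacy SHA-1 format, which reproduces the "works with SHA-1, fails with SHA-256" behaviour in the thread. Assumptions not stated on the page: the digest is emitted as uppercase hex, `server_accepts` is a hypothetical model of the server-side check rather than Panopto's implementation, and every sample value (user key, hostname, application key) is constructed.

```python
"""Auth-code derivation for Panopto PublicAPI 4.2 LogOnWithExternalProvider.

Added illustration, not Panopto's code. All sample values are constructed.
"""
import hashlib
import hmac

HEX_ALPHABET = set("0123456789ABCDEF")


def build_payload(user_key: str, hostname: str, application_key: str) -> str:
    """Return userKey@hostname|application_key with hostname and key lowercased.

    Lowercasing of the hostname and application key follows the reply above;
    the user key is concatenated exactly as given.
    """
    return f"{user_key}@{hostname.lower()}|{application_key.lower()}"


def auth_code(user_key: str, hostname: str, application_key: str,
              algorithm: str = "sha1") -> str:
    """Hash the payload with the named algorithm and return uppercase hex.

    The page only names the hash function; hex output and its casing are an
    assumption here, so confirm them against your currently working SHA-1 code.
    """
    payload = build_payload(user_key, hostname, application_key).encode("utf-8")
    return hashlib.new(algorithm, payload).hexdigest().upper()


def server_accepts(presented_code: str, user_key: str, hostname: str,
                   application_key: str) -> bool:
    """Model of a verifier that only understands the legacy SHA-1 format.

    Hypothetical stand-in for the PublicAPI 4.2 check, written to show why a
    SHA-256 code is rejected; it is not Panopto's implementation. The
    constant-time comparison avoids leaking the expected code byte by byte,
    and returns False (rather than raising) when the lengths differ.
    """
    expected = auth_code(user_key, hostname, application_key, "sha1")
    return hmac.compare_digest(presented_code.upper(), expected)


def demo() -> dict:
    """Reproduce the thread's observation with constructed sample values."""
    user_key = "svc-license-reclaim"         # constructed service-account key
    hostname = "Example.Hosted.Panopto.COM"  # constructed; mixed case on purpose
    app_key = "0F5D2B1A-EXAMPLE-APP-KEY"     # constructed placeholder, not a real key

    sha1_code = auth_code(user_key, hostname, app_key, "sha1")
    sha256_code = auth_code(user_key, hostname, app_key, "sha256")
    return {
        "payload": build_payload(user_key, hostname, app_key),
        "sha1_code": sha1_code,
        "sha256_code": sha256_code,
        "sha1_accepted": server_accepts(sha1_code, user_key, hostname, app_key),
        "sha256_accepted": server_accepts(sha256_code, user_key, hostname, app_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things worth noticing when reading the output: the hostname comparison is case-insensitive only because of the explicit `.lower()` calls, so a pipeline that reads the hostname from config with different casing than the one that was tested will still produce the same code; and the auth code is a static value derived from a long-lived application key with no timestamp or nonce, so anyone who captures it can replay it for as long as that key is valid. That is why the key rotation and monitoring the reply recommends carry the security weight here, not the choice between SHA-1 and SHA-256.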