Setting Up Customer Self-Service Single Sign-On (SSO)

Single sign-on (SSO) allows users to log into your Internet Banking website, click a link to Customer Self-Service (CSS), and then be automatically directed to CSS without being prompted to log into each system.

This procedure is written for the person or team developing your Internet Banking website application. To set up single sign-on, you must add code to your Internet Banking application to access the Servicing Director Service database, and then link to ILSWebUtil.dll to create an encrypted URL.  


  1. Verify your Internet Banking application server has network access to the Servicing Director SQL server.
  2. We recommend that you create a SQL login account to access the Servicing Director SQL server. This account should have a minimum of read access to the following tables in the Service database:
  • Borrower
  • BorrowerEmailAddress
  • Property 

  1. You must identify a user's last name, SSN, zip code, and loan ID in your Internet Banking application.
  1. Once you have the user information, you can determine the user's CSS credentials by running the following query:

    SELECT  BEA.UserName, BEA.Password
    FROM    BorrowerEmailAddress    AS BEA
    JOIN    Borrower                AS B
    ON      BEA.LoanID          = B.LoanID
    AND     BEA.BorrowerID      = B.BorrowerID
    AND     BEA.AssmRecCounter  = B.AssmRecCounter
    AND     B.LastName  = @LastName
    AND     B.TaxIDNumber = @SSN  --this is an unformatted tax id number, no spaces
    JOIN    Property AS P
    ON      B.LoanID = P.LoanID --this must include leading zeros to equal 10 characters
    AND     LEFT(P.Zip, 5) = @ZipCode   --this is an unformatted 5 digit zip
    WHERE   BEA.LoanID = @LoanID

  1. Consider the following when writing this code:
    1. The parameters in the query above must match exactly with the values in the Servicing Director Service database each time your application queries the database to ensure the current values are used.
    2. Consider cases where the user does not have a CSS profile. In these cases, the CSS UserName returned in the query results will be , and the user should be redirected to the new user registration page (/ILSWeb/NewUser/AccountInformation.aspx).
    3. The CSS ILSWebUtil.dll can change in future releases. Verify that the latest copy from each CSS release is copied to your Internet Banking application server. The CSS ILSWebUtil.dll is located on both the CSS Web server and CSS Web Application server.
    4. In most cases, your users will only access CSS through your Internet Banking website. If this is true for your institution, go to Step 4. However, if your institution allows users to access CSS outside of your Internet Banking website, a user will need to enter credentials to log onto CSS. If a user forgets both their password and the answers to their security questions, they cannot reset their password. In these cases, the user would need to call someone at your institution to reset their CSS profile. After resetting a CSS profile, the CSS UserName remains valid and the password is cleared. Results from the query will include a password that is , so your Internet Banking application should redirect the user to the CSS Profile Setup page (/ILSWeb/AccountManagement/BorrowerProfile.aspx), where they can set up their password.
  2. Obtain a URL with encrypted credentials. Pass the following parameters to the BuildCredentialURL function in ILSWebUtil.dll (located in ILSWeb/Bin):

  • http://YourInstitution
  • username
  • password
  • the session ID (can be a constant if you want your URL to be the same regardless of session)

The URL returned will look similar to: https://YourInstitutionDomain/internallogon.aspx?cred=<encrypted credentials>

Redirect the user to the InternalLogOn page on the Internet Banking application server using the URL returned in Step 5. For example:

    //sessionID can be any string (constant or session dependent)
    //username and password are retrieved from the Service database
    String LoginURL = EncryptDecryptStrings.BuildCredentialURL("https://YourServerName/ILS/ILSWeb", username, password, sessionID);
    LoginURL += "&sid=" + sessionID;
    //Results in a URL, for example:
    //http://localhost/ILS/ILSWeb/InternalLogon.aspx?cred=SomeEncryptedString&sid=123456789
    Response.Redirect(LoginURL); //This could be combined with the above line, but it is separated for clarity in this example.
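
The lookup and routing steps of the procedure above, as an added C# example that is not part of the original article or the vendor's code: it sends the query with bound parameters, normalizes the inputs to the formats the query comments require, and decides which page the user goes to. The names CssSsoLookup, CssRoute and the NoMatch outcome are hypothetical, and treating a missing user name or a cleared password as NULL or empty is an assumption.

```csharp
using System.Data.SqlClient;
using System.Linq;

public enum CssRoute { NoMatch, NewUserRegistration, ProfileSetup, InternalLogon }
public static class CssSsoLookup
{
    // The query from the procedure above, sent as parameterized SQL.
    const string Sql = @"SELECT BEA.UserName, BEA.Password
        FROM BorrowerEmailAddress AS BEA
        JOIN Borrower AS B ON BEA.LoanID = B.LoanID AND BEA.BorrowerID = B.BorrowerID
             AND BEA.AssmRecCounter = B.AssmRecCounter
             AND B.LastName = @LastName AND B.TaxIDNumber = @SSN
        JOIN Property AS P ON B.LoanID = P.LoanID AND LEFT(P.Zip, 5) = @ZipCode
        WHERE BEA.LoanID = @LoanID";

    // Query-comment formats: unformatted tax ID, 5-digit zip, 10-character loan ID.
    public static string Digits(string s) { return new string((s ?? "").Where(c => c >= '0' && c <= '9').ToArray()); }
    public static string Zip(string raw) { string d = Digits(raw); return d.Length > 5 ? d.Substring(0, 5) : d; }
    public static string LoanId(string raw) { return (raw ?? "").Trim().PadLeft(10, '0'); }

    // Assumption: a missing profile or a cleared password is returned as NULL or "".
    public static CssRoute Route(bool rowFound, string userName, string password)
    {
        if (!rowFound) return CssRoute.NoMatch;  // identity values did not match
        if (string.IsNullOrEmpty(userName)) return CssRoute.NewUserRegistration;
        if (string.IsNullOrEmpty(password)) return CssRoute.ProfileSetup;
        return CssRoute.InternalLogon;           // only now call BuildCredentialURL
    }

    public static CssRoute Lookup(string connStr, string lastName, string ssn, string zip,
                                  string loanId, out string userName, out string password)
    {
        userName = null; password = null;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(Sql, conn))
        {
            cmd.Parameters.AddWithValue("@LastName", (lastName ?? "").Trim());
            cmd.Parameters.AddWithValue("@SSN", Digits(ssn));
            cmd.Parameters.AddWithValue("@ZipCode", Zip(zip));
            cmd.Parameters.AddWithValue("@LoanID", LoanId(loanId));
            conn.Open();
            using (var r = cmd.ExecuteReader())
            {
                bool found = r.Read();
                if (found) { userName = r[0] as string; password = r[1] as string; }
                return Route(found, userName, password);
            }
        }
    }
}
```

Keep the returned password out of logs and view state; it is needed only as an argument to BuildCredentialURL when the route is InternalLogon.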


ArticleNumber: 000044987