First name/last name sharing

A very simple solution is in place for providing the website with the last name/first name of the contact if they are logged in: the identity provider (IDP) creates a domain cookie with the last name/first name of the contact; this cookie makes this information available for the website if it is deployed in the same domain.

The data is in globally encoded JSON url format.

This way, the website may display in javascript (therefore maintaining the ability to cache the page and assure a good performance) "Welcome Vincent Larchet".

The domain to which this cookie is attached is the domain common to the organisation's website and the purchase funnel, and its name follows the following schema:

stx_contact_{Institution code}_{Sales channel code}_v1

Parameter	Contents
individualTitle	User title
individualFirstname	User first name
individualLastname	User last name
nickname	User nickname
lang	User language
~~timestamp~~	Login date, not used
expires	Session expiration date, in ISO 8601 format.
additionalData a. contactNumber b. email	Additional Data They are encrypted and are not used as part of the SSO.

The data in additionalData are encrypted as follows:

be K a randomly selected unique encryption key
be M the JSON object containing contactNumber and email, in UTF-8 coding
the K key is encrypted with the RSA algorithm with the website public key. This makes up the "key" data
the M message is encrypted by the AES algorithm using the K key. This makes up the "data" information
the M message is transformed by a hash function using the SHA-1 algorithm. This result is signed (encrypted) with the S-360 private key. This makes up the "digest" data which will be used for verifying that the cookie has been correctly generated by S-360
Finally, the additionalData field contains the JSON object that includes the data "key", "digest" and "data", each of them with Base64 encoding.

Details:

RSA algorithm: ECB mode, PKCS1 padding.
AES algorithm: ECB mode, PKCS5 padding.