Web-login token

Restriction: OAuth authentication is the preferred method for authentication and the only option available to new MQL API applications. All other traditional methods — including Web-login authentication — are deprecated, and companies using the other methods will be transitioned to OAuth. Contact Medallia for assistance.

Web-login token authentication allows a user to access Medallia Web reporting directly from the API-using application without requiring the user to sign in to Medallia Web reporting a second time. Typically the application requires the user to authenticate with a username and password to access the application. That application might present a graph showing the latest trend of the satisfaction scores. Next to the graph the application presents a hyperlink to Medallia Web reporting to allow the user to perform more in-depth analysis. Because the user already provided a username and password, it is unnecessary for the user to provide those credentials one more time for Medallia Web reporting.

Note: The reason for the token is to avoid showing the username and password in clear text as part of the hyperlink, because this would be a security vulnerability. Such a link would not have a time limit. Browsers keep track of which URLs have been visited in the past, and thus another person with access to the same computer could look at the browser history and extract the user's username and password.

This can be solved by generating an auto-login token. The high-level steps are:

  1. Calculate the MD5 hash of the string "user=username"
  2. Make a timestamp of the current time in GMT in the format +%Y%m%d%H%M%S
  3. Create the token "ts=timestamp,hash=hash"
  4. Triple DES encrypt the token using IV and key generated from the MD5 of the user's password
  5. Generate a URL like
    https://edemo.medallia.com/mainstreet/logonSubmit.do?user=username&token=encrypted_token&alMethod=API
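The five steps above, carried through end to end as an added example in Go; this is not Medallia's code, and it fills in details the page leaves open and which are therefore assumptions: how the 3DES key and IV are cut from the 16-byte MD5 of the password (here key = md5||md5[:8], IV = md5[8:16]), CBC mode with PKCS#7 padding, hex encoding of the ciphertext in the URL, and a five-minute freshness window on the server side. The `VerifyToken` function is the receiving side, added here to show the two checks that give the token its value over plain credentials in a link: the hash must bind the token to the named user, and the timestamp must fall inside the window.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// tsLayout is Go's reference-time form of the page's +%Y%m%d%H%M%S timestamp.
const tsLayout = "20060102150405"

// deriveKeyIV turns MD5(password) into 3DES key material. ASSUMPTION: the
// page does not give the exact derivation; here the 24-byte key is
// md5||md5[:8] (two-key 3DES) and the 8-byte IV is md5[8:16].
func deriveKeyIV(password string) (key, iv []byte) {
	sum := md5.Sum([]byte(password))
	key = append(append([]byte{}, sum[:]...), sum[:8]...)
	iv = append([]byte{}, sum[8:]...)
	return key, iv
}

// userHash is step 1: hex MD5 of the literal string "user=<username>".
func userHash(username string) string {
	sum := md5.Sum([]byte("user=" + username))
	return hex.EncodeToString(sum[:])
}

// PKCS#7 padding (ASSUMPTION: the page does not name a padding scheme).
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// MakeToken is steps 1-4 on the client: build "ts=<ts>,hash=<hash>" and
// 3DES-CBC encrypt it. Hex output keeps the token URL-safe (ASSUMPTION).
func MakeToken(username, password string, now time.Time) (string, error) {
	plain := fmt.Sprintf("ts=%s,hash=%s", now.UTC().Format(tsLayout), userHash(username))
	key, iv := deriveKeyIV(password)
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad([]byte(plain), block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return hex.EncodeToString(out), nil
}

// LoginURL is step 5, in the same parameter order as the page's sample URL.
func LoginURL(base, username, token string) string {
	return fmt.Sprintf("%s?user=%s&token=%s&alMethod=API", base, url.QueryEscape(username), token)
}

// VerifyToken is the server side: decrypt with the same password-derived key,
// check that the hash binds the token to this user, and reject tokens outside
// the freshness window (the time limit plain credentials in a URL would lack).
func VerifyToken(username, password, token string, now time.Time, maxAge time.Duration) error {
	ct, err := hex.DecodeString(token)
	if err != nil {
		return err
	}
	key, iv := deriveKeyIV(password)
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return errors.New("bad ciphertext length")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt, block.BlockSize()); err != nil {
		return err
	}
	fields := map[string]string{}
	for _, kv := range strings.Split(string(pt), ",") {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return errors.New("malformed token")
		}
		fields[k] = v
	}
	if subtle.ConstantTimeCompare([]byte(fields["hash"]), []byte(userHash(username))) != 1 {
		return errors.New("hash does not match user")
	}
	ts, err := time.Parse(tsLayout, fields["ts"])
	if err != nil {
		return err
	}
	if age := now.UTC().Sub(ts); age < 0 || age > maxAge {
		return errors.New("token expired or timestamp in the future")
	}
	return nil
}

func main() {
	now := time.Now() // constructed sample credentials below, not real accounts
	tok, _ := MakeToken("alice", "s3cret", now)
	fmt.Println(LoginURL("https://edemo.medallia.com/mainstreet/logonSubmit.do", "alice", tok))
	fmt.Println("verify:", VerifyToken("alice", "s3cret", tok, now, 5*time.Minute))
}
```

Because the hash in the token is MD5 of a public string, it ties the token to a username but carries no secret of its own; the secrecy rests entirely on the password-derived 3DES key, and the time limit exists only if the receiving side enforces the `ts` window as `VerifyToken` does.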