Elsevier Developer Portal

Ticketed URL

Ticketed URL Overview

Ticketed URL is a secure authentication link from an organization's intranet or library website to ScienceDirect or Scopus. This link provides secured access to ScienceDirect or Scopus without the need for an additional username and password. Setup is relatively painless, but requires coding from the implementing organization.

What Elsevier provides:

Answers to questions regarding Ticketed URL initial setup and support
Two unique security tokens (an 'originID' and md5 'SALT') for use in client-side Ticketed URL code

What the integrator (or their consultant) provides:

Hosting for their website and the website itself
Code for generating the Ticketed URL
Maintenance and support of their code

These 'basic steps' make up the process for creation of a Ticketed URL:

Pick a ScienceDirect or Scopus URL to land on after authentication. (e.g. the ScienceDirect homepage https://www.sciencedirect.com)
URL encode that link
generate a GMT timestamp
md5 hash this information along with the custom tokens we provide you
append that hash to the base URL.

The finished product looks like this:

https://www.sciencedirect.com/user/ticketedUrl?_ob=TicketedURL&_origin=0000&_originUser=abc&_target=https%3A%2F%2Fwww.sciencedirect.com%2Fjournal%2Ficarus&_ts=20101221160442&_version=1&md5=ba14ce234a1be6c28b1459a9a6c8ce2b

In addition:

The resulting link is valid for 5 minutes.
Keep the code for generating Ticketed URLs and their md5 hash secure server side and out of browser-side code or the address bar.

Ticketed URL Syntax

This is a Ticketed URL:

https://www.sciencedirect.com/user/ticketedUrl?_ob=TicketedURL&_origin=[ORIGIN_ID]&_originUser=[USER_ID]&_target=[ScienceDirect_Target_URL]&_ts=[UTC_TIME_STAMP]&_version=[version]&md5=[MD5 value]

Each variable explained:

Variable	Required	Definition
_ob	Yes	Always set this to "TicketedURL". It tells ScienceDirect or Scopus to authenticate using Ticketed URL.
_origin	Yes	The Origin ID: a unique identifier provided by Elsevier and associated to a customer account record in ScienceDirect's access management system. Notes: '_origin' cannot be more than 100 characters. Should not contain URL Reserved characters.
_originUser	Optional	The Origin User ID: A unique identifier representing a userID in a partner's intranet or website. Passing in _originUser allows personal profile creation on ScienceDirect. Leaving this parameter blank results in an anonymous login to ScienceDirect or Scopus. Notes: '_originUser' cannot be more than 100 characters. Should not contain URL Reserved characters. This can be any alphanumeric string. Keep values globally unique (e.g. appending domain name or similar).
_target	Yes	The ScienceDirect or Scopus URL users land on after authentication.
_ts	Yes	A time stamp. Details: The time stamp should be UCT (Universal Coordinated Time). The time stamp is valid for 5 minutes (enforced within ScienceDirect and Scopus). The format is 'YYYYMMDDHHMMSS'
_version	Yes	Ticketed URL uses salt values for generation of trusted MD5 hashes (see Section 3. Creating the link). Include the version of the salt value (also supplied by Elsevier) in the URL, but not the salt itself.
md5	Yes	The MD5 hash generated from the URL's query portion and the Elsevier provided salt. This assures the validity of the "ticketed URL" and its association to the partner site's credentials.

Ticketed URL Generation Details

About MD5

Ticketed URL employs MD5 (Message-Digest algorithm 5) hashing. Widely used in security-related applications, MD5 functions are common (see https://en.wikipedia.org/wiki/MD5).
Generating a valid Ticketed URL requires calculation of the MD5 hash and insertion of it into the md5 variable of the complete Ticketed URL. This section describes the required string for MD5 hashing in Elsevier's Ticketed URL, and where to insert the hash in the final Ticketed URL.
Ticketed URLs require the MD5 parameter. Ticketed URLs without the MD5 parameter go directly to the ScienceDirect home page without authentication into the partner account.

Typical use case and process logic

Users logging into your web site want to visit ScienceDirect and use content associated with your institution's account. You want your users to create personal profiles once logged into ScienceDirect. Use a Ticketed URL link for this, generated on-the-fly every time a user visits the page.
Start with the following:

An origin ID, provided by Elsevier. For this example, use 0000
The md5 salt, also provided by Elsevier. For this example, use 633!!t683.;te!Jqxoz52n(jcDDHWjGf
The version of your salt value. The default value is '1'.
A target URL of ScienceDirect (https://www.sciencedirect.com/journal/icarus). This authenticates users directly into the ScienceDirect web app.
An example userID 'abc'. Real user ids for a given user of your site replace this value for each individual's login .

Putting all these details together results in a URL that looks like this:

Original URL:  https://www.sciencedirect.com/user/ticketedUrl?_ob=TicketedURL&_origin=0000&_originUser=abc&_target=https%3A%2F%2Fwww.sciencedirect.com%2Fjournal%2Ficarus&_ts=20101221160442&_version=1

Split this into two parts for purposes of calculating the md5 hash:

Base URL:  https://www.sciencedirect.com/user/ticketedUrl?
Query String:  _ob=TicketedURL&_origin=0000&_originUser=abc&_target=https%3A%2F%2Fwww.sciencedirect.com%2Fjournal%2Ficarus&_ts=20101221160442&_version=1

For the MD5 calculation, right-append the salt value to the "query string". Hide the salt value from your users; it is a "shared secret" between you and Elsevier and needs secured away from in-the-clear transmission and viewing.
Right-appending the example salt to the query string looks like this:

_ob=TicketedURL&_origin=0000&_originUser=abc&_target=https%3A%2F%2Fwww.sciencedirect.com%2Fjournal%2Ficarus&_ts=20101221160442&_version=1633!!t683.;te!Jqxoz52n(jcDDHWjGf

Run the combined query string and salt value through an MD5 algorithm. This is the resulting MD5 hash for the example combined string:

ba14ce234a1be6c28b1459a9a6c8ce2b

Append the md5 hash to the complete URL using parameter 'md5'. Do not include the salt value:

https://www.sciencedirect.com/user/ticketedUrl?_ob=TicketedURL&_origin=0000&_originUser=abc&_target=https%3A%2F%2Fwww.sciencedirect.com%2Fjournal%2Ficarus&_ts=20101221160442&_version=1&md5=ba14ce234a1be6c28b1459a9a6c8ce2b

This is a complete Ticketed URL for authentication into ScienceDirect. Clicking the link logs user "abc" into the example ScienceDirect institutional account and allows user "abc" to create a personal profile. Ticketed URLs expire 5 minutes from the URL timestamp value. Authentication fails for any Ticketed URL submitted more than 5 minutes after its timestamp value.

Elsevier recommends two ways for embedding Ticketed URLS on a web site:

Generate the Ticketed URL when a page renders. Populate the target of a link with the new Ticketed URL.
Generate the Ticketed URL when a user clicks a link on your page (e.g. https://www.mysite.com/resources/sciencedirect/). Your server side code dynamically generates the ticketed URL "on click" and transparently re-directs the user to ScienceDirect using that ticketed URL. While more complex, this option makes it less likely that ticketed URLs expire before users click on them.

Ticketed URL Examples

With Origin User Id:

https://www.sciencedirect.com/user/ticketedUrl?_ob=TicketedURL&_origin=0000&_originUser=abc&_target=https%3A%2F%2Fwww.sciencedirect.com%2Fjournal%2Ficarus&_ts=20101221170527&_version=1&md5=6fe584137f0a9a2e4e5a7cd287a547c6

Without Origin User Id:

https://www.sciencedirect.com/user/ticketedUrl?_ob=TicketedURL&_origin=0000&_originUser=&_target=https%3A%2F%2Fwww.sciencedirect.com%2Fjournal%2Ficarus&_ts=20101221170527&_version=1&md5=6d7d5ed6dd840e184dc96584499f4c3b

Full MD5 Calculation Example

This example script generates a Ticketed URL following the example process flow described in the previous section.

#!/usr/bin/perl

my $queryStr .= "_ob=TicketedURL";
$queryStr .= "&_origin=$origin";
$queryStr .= "&_originUser=$originUserId";
$queryStr .= "&_target=$targetURL";
my $timestamp =  strftime('%Y%m%d%H%M%S',gmtime);
$queryStr .= "&_ts=$timestamp";
$queryStr .= "&_version=$version";
my $md5Str = $queryStr;

my $md5 = Digest::MD5->new;
$md5->add($md5Str,$urlSalt);
my $digest = $md5->hexdigest;

$prefix .=$queryStr . "&md5=$digest";