Enterprise Single Sign On with JWT

Mojo Helpdesk supports JWT (JSON Web Token), which is a mechanism that allows you to provide single sign-on (SSO) for your helpdesk using a secured exchange of user authentication data. When Enterprise Single Sign On with JWT is setup, the users will be able to login to the helpdesk only through a proprietary authentication process (outside Mojo Helpdesk). #### How JWT for Mojo works When a user visits your Mojo Helpdesk, and clicks on the login link, he will be redirected to the Identity Provider's login system, which will authenticate the user, construct a JWT token with the user's data, send the token back to Mojo, at which point Mojo will decode the token, extract the user's data and login the user in the helpdesk. ![](/images/mojo-jwt-sso.png) #### Configuring JWT JWT needs to be configured on your Mojo Helpdesk, and a software code needs to be written on the Identity Provider side that will handle the login request from Mojo, authenticate the user, generate a token with user's data, and return it back to Mojo. On Mojo Helpdesk side you have to specify two fields: - **Remote Login URL** - this is the url to where the user will be redirected when is trying to login in Mojo Helpdesk. That URL should be the Mojo Integration entry point of your Identity Provider - **Shared secret** - any string, that will be used to decode the JWT token that is coming from the Identity Provider. The Identity Provider should use the same secret when encoding the token. On Identity Provider side you have to use the following: - The url to which to send the generated token - **https://`your-helpdesk-domain`/jwt/consume?token=XXX** (XXX is the generated token) - The supported attributes in the JWT payload: - **iat** - _required_. The time the token was generated, this is used to help ensure that a given token gets used shortly after it's generated. The value must be the number of seconds since UNIX epoch. Mojo treat tokens as expired if they are more than 2 minutes old. Make sure to configure NNTP or similar on your servers. - **email** - _required_. Email of the user being signed in, used to uniquely identify the user in Mojo. - **first_name** - _optional_ - **last_name** - _optional_ Example token preparation in Ruby: require 'jwt' jwt_payload = { :email => 'some@email.com', :first_name => 'John', :last_name => 'Smith', :iat => Time.now.to_i} token = JWT.encode jwt_payload, "mysupersecret"
Published on: 2016-11-10 See other articles in SSO (Single Sign On).