Enterprise Single Sign On with JWT

Mojo Helpdesk supports JWT (JSON Web Token), a mechanism that provides single sign-on (SSO) for Mojo Helpdesk through a secure exchange of user authentication data.
When Enterprise Single Sign On with JWT is set up, users can log in to the help desk only through a proprietary authentication process (outside Mojo Helpdesk).

How JWT for Mojo works

When a user visits your Mojo Helpdesk and clicks the login link, they are redirected to the Identity Provider's login system. The Identity Provider authenticates the user, constructs a JWT containing the user's data and sends the token back to Mojo. Mojo then decodes the token, extracts the user's data and logs the user in to the help desk.



Configuring JWT

JWT needs to be configured on your Mojo Helpdesk, and code needs to be written on the Identity Provider side to handle the login request from Mojo, authenticate the user, generate a token with the user's data and return it to Mojo.
On the Mojo Helpdesk side, two fields need to be configured:

  • Remote Login URL - the URL to which the user is redirected when trying to log in to Mojo Helpdesk. This URL should be the Mojo integration entry point of the Identity Provider.
  • Shared secret - any string; it is used to verify and decode the JWT coming from the Identity Provider. The Identity Provider must use the same secret when signing the token.

The Identity Provider needs to be configured as follows:

  • The URL to which to send the generated token - https://your-helpdesk-domain/jwt/consume?token=XXX (XXX is the generated token)
  • The supported attributes in the JWT payload:
    • iat - required. The time the token was generated, used to ensure that a token is consumed shortly after it is issued. The value must be the number of seconds since the UNIX epoch. Mojo treats tokens as expired if they are more than 2 minutes old, so make sure NTP or a similar clock synchronization is configured on your servers.
    • email - required. Email of the user being signed in, used to uniquely identify the user in Mojo.
    • first_name - optional
    • last_name - optional

Example token preparation in Ruby:

require 'jwt'

# Payload with the attributes Mojo expects; iat is seconds since the UNIX epoch.
jwt_payload = { email: 'some@email.com', first_name: 'John', last_name: 'Smith', iat: Time.now.to_i }
# Sign with the shared secret configured in Mojo (HS256 is the gem's default algorithm).
token = JWT.encode jwt_payload, "mysupersecret"
# Redirect the user's browser to Mojo's consume endpoint with the token.
redirect_url = "https://your-helpdesk-domain/jwt/consume?token=#{token}"
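To see the whole exchange end to end, here is an added example (not Mojo's code and not the ruby-jwt gem's) that builds the token by hand with Ruby's standard library, forms the consume URL, and then performs the checks a consumer has to make before trusting the token: a pinned algorithm, signature verification with the shared secret in constant time, the 2-minute iat freshness rule, and a required email. The consumer side is a model of what a service provider such as Mojo must do, written for this example; the secret, the host and the `now` parameter are placeholders and assumptions of the example.

```ruby
require 'json'
require 'openssl'

# Placeholders standing in for the values configured on both sides (constructed).
SHARED_SECRET = 'mysupersecret'          # the "Shared secret" field in Mojo
HELPDESK_HOST = 'your-helpdesk-domain'   # your help desk's domain
MAX_TOKEN_AGE = 120                      # Mojo rejects tokens more than 2 minutes old

class TokenError < StandardError; end

# Base64url without padding, the encoding JWT uses for its three segments.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# Identity Provider side: build the HS256-signed token Mojo expects.
# `now` is injectable so the freshness rule can be exercised deterministically.
def build_token(secret, email:, first_name: nil, last_name: nil, now: Time.now)
  header  = { alg: 'HS256', typ: 'JWT' }
  payload = { iat: now.to_i, email: email }
  payload[:first_name] = first_name if first_name
  payload[:last_name]  = last_name  if last_name
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  signature = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url_encode(signature)}"
end

# The URL the Identity Provider redirects the browser to after authentication.
def consume_url(token)
  "https://#{HELPDESK_HOST}/jwt/consume?token=#{token}"
end

# Compare two byte strings without leaking where they first differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Consumer side: a model of the checks a service provider such as Mojo has to
# make before trusting the token (the example's own model, not Mojo's code).
def verify_token(token, secret, now: Time.now, max_age: MAX_TOKEN_AGE)
  header_b64, payload_b64, sig_b64 = token.split('.', -1)
  raise TokenError, 'malformed token' if sig_b64.nil? || token.count('.') != 2

  header = JSON.parse(b64url_decode(header_b64).force_encoding(Encoding::UTF_8))
  raise TokenError, 'malformed header' unless header.is_a?(Hash)
  # Pin the algorithm: the token is never allowed to pick it ("none" is rejected here).
  raise TokenError, "unsupported alg #{header['alg']}" unless header['alg'] == 'HS256'

  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  raise TokenError, 'bad signature' unless secure_equal?(b64url_decode(sig_b64), expected)

  # Only after the signature is verified may the claims be trusted.
  payload = JSON.parse(b64url_decode(payload_b64).force_encoding(Encoding::UTF_8))
  raise TokenError, 'malformed payload' unless payload.is_a?(Hash)
  iat = payload['iat']
  raise TokenError, 'iat missing or not an integer' unless iat.is_a?(Integer)
  age = now.to_i - iat
  raise TokenError, "token too old (#{age}s)" if age > max_age
  raise TokenError, 'iat is in the future' if age < 0
  raise TokenError, 'email missing' unless payload['email'].is_a?(String) && !payload['email'].empty?
  payload
rescue ArgumentError, JSON::ParserError => e
  raise TokenError, "undecodable token (#{e.class})"
end

if __FILE__ == $PROGRAM_NAME
  token = build_token(SHARED_SECRET, email: 'some@email.com', first_name: 'John', last_name: 'Smith')
  puts consume_url(token)
  puts verify_token(token, SHARED_SECRET).inspect
end
```

Building the token by hand only shows what the gem does under the hood; in production use a maintained JWT library on the Identity Provider side. The order of the consumer checks is the part worth keeping in mind: the signature is verified before any claim is read, and the iat window is what limits how long a captured token stays usable.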