Overview
This article provides an overview of JSON Web Token (JWT) as a method for secure information transmission and its use in Single Sign-On (SSO) for web applications and APIs, specifically within the Influitive platform.
Information
The following sections outline the introduction to JWT, the setup process, requirements, and the authentication flow for implementing JWT SSO with Influitive.
Introduction
JSON Web Token (JWT, RFC 7519) is a compact, self-contained way to transmit claims between parties as a JSON object. A JWT is signed, so the receiver can verify who issued it and that it was not altered in transit; unless it is additionally encrypted, the claims themselves are readable by anyone who holds the token, so never put secrets in the payload. JWTs are commonly used for authentication and authorization in web applications and APIs. If you operate your own Identity Provider that can issue a JWT on behalf of each user, you can use it as your Single Sign-On option in Influitive.
Setup
SSO Endpoint URL - This is the URL we send the user to when authenticating for Influitive.
SSO Sign out URL - This is the URL where you would like the advocate to sign out (optional).
JWT Public Key - The public half of the key pair your Identity Provider signs tokens with; Influitive uses it to validate each token's signature. Your IT team generates the key pair. Paste only the public key here: the private key stays on your Identity Provider, because anyone holding it can mint tokens that log in as any user.
JWT Algorithm - The algorithm your Identity Provider uses to sign the JWT. Influitive supports several signing algorithms; the public key you paste must be of the type that matches the algorithm you select here (for example, an RSA public key for an RSA-based algorithm such as RS256), and the token's header must name that same algorithm.
Requirements
When you build the JWT, Influitive expects the following claims in the payload in order to authenticate the user:
- email (required)
- name (required)
- role (required, must be either admin or advocate)
- exp (required) the expiry time as a Unix timestamp in seconds (the RFC 7519 NumericDate format); the token is rejected after this instant, so keep the lifetime short, since anyone who obtains the token can use it until then
- title (optional, added to the user's profile on creation only)
- company_name (optional, added to the user's profile on creation only)
- language (optional, added to the user's profile on creation only)
Authentication Flow
- A user navigates to your hub and wants to gain access. Influitive redirects the request to your Identity Provider (the SSO Endpoint URL) to handle authentication.
- If the user is not already logged on to the IdP, or if re-authentication is required, the IdP asks for credentials (e.g., ID and password) and the user logs on.
- The IdP builds a JWT containing the required claims for that user and signs it with its private key.
- The IdP redirects the user to the Influitive endpoint (https://subdomain.influitive.com/users/authorize?infl_jwt=<your-token-here>), replacing subdomain with your hub's subdomain.
- Note: The JWT generated by your SSO provider goes in the infl_jwt query parameter.
- Influitive verifies the signature with the configured public key and algorithm, checks that the required claims are present and that the token has not expired, reads the user details from the payload, and grants the user a session.
Note: Configuring JWT SSO as Admin only is not currently supported.
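The Requirements and Authentication Flow sections above, carried through as an added end-to-end example. This is illustration code written for this article, not Influitive's code or a description of its implementation: it uses only the Ruby standard library, assumes RS256 (the page does not say which algorithms are offered, so pick the one you actually configured), and uses a made-up hub subdomain ("acme") and user. The issuing half is what your Identity Provider does; the verifying half is the set of checks any relying party must make before trusting the claims, included so you can see why the public key and pinned algorithm matter.

```ruby
require 'json'
require 'openssl'
require 'uri'

# JWTs use base64url without padding (RFC 7515 section 2).
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  (str.tr('-_', '+/') + '=' * (-str.length % 4)).unpack1('m0')
end

# Identity Provider side: sign the claims Influitive expects with the IdP's private key.
def issue_jwt(private_key, claims)
  header = { 'alg' => 'RS256', 'typ' => 'JWT' }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  # RSASSA-PKCS1-v1_5 over SHA-256 is exactly what "RS256" means.
  signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Build the redirect to the Influitive endpoint; the token travels in the infl_jwt parameter.
def authorize_url(subdomain, token)
  "https://#{subdomain}.influitive.com/users/authorize?infl_jwt=#{URI.encode_www_form_component(token)}"
end

# Relying-party side: the checks a consumer of the token performs before trusting its claims.
REQUIRED_CLAIMS = %w[email name role exp].freeze
ALLOWED_ROLES = %w[admin advocate].freeze

def verify_jwt(public_key, token, now: Time.now.to_i)
  parts = token.split('.', -1)
  raise 'malformed token' unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm to the configured one; never let the token's own header choose it.
  # This rejects alg=none tokens and RSA/HMAC key-confusion tokens outright.
  raise "unexpected alg #{header['alg']}" unless header['alg'] == 'RS256'
  signing_input = "#{parts[0]}.#{parts[1]}"
  signature = b64url_decode(parts[2])
  raise 'bad signature' unless public_key.verify(OpenSSL::Digest.new('SHA256'), signature, signing_input)
  claims = JSON.parse(b64url_decode(parts[1]))
  missing = REQUIRED_CLAIMS - claims.keys
  raise "missing claims: #{missing.join(', ')}" unless missing.empty?
  raise "invalid role #{claims['role'].inspect}" unless ALLOWED_ROLES.include?(claims['role'])
  raise 'exp must be a Unix timestamp in seconds' unless claims['exp'].is_a?(Integer)
  raise 'token expired' unless claims['exp'] > now
  claims
end

if __FILE__ == $PROGRAM_NAME
  # Constructed for the demo: in practice the IdP holds this key and only the public PEM
  # printed below is pasted into the "JWT Public Key" setting. Subdomain and user are made up.
  idp_key = OpenSSL::PKey::RSA.new(2048)
  puts idp_key.public_key.to_pem
  claims = {
    'email' => 'jane.doe@example.com', 'name' => 'Jane Doe', 'role' => 'advocate',
    'exp' => Time.now.to_i + 300, # five-minute lifetime limits replay of a leaked token
    'title' => 'Product Manager', 'company_name' => 'Example Inc', 'language' => 'en'
  }
  token = issue_jwt(idp_key, claims)
  puts authorize_url('acme', token)
  configured_public_key = OpenSSL::PKey::RSA.new(idp_key.public_key.to_pem) # loaded from the pasted PEM
  p verify_jwt(configured_public_key, token)
end
```

Two design points worth carrying over to a real Identity Provider: the private key is the only thing standing between an attacker and a session as any user, so treat it like a password-database key, and the exp claim is the only thing bounding how long a stolen redirect URL stays valid, so issue it a few minutes ahead, not hours.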
FAQ
What is JWT and how is it used in SSO?
JWT (JSON Web Token) is a compact, URL-safe way of representing claims to be transferred between two parties. In SSO, the Identity Provider puts the authenticated user's identity claims in a JWT and signs it, so the service provider (here, Influitive) can verify that the claims came from your Identity Provider and were not altered before trusting them.
What are the requirements for a JWT token in Influitive?
Influitive requires the JWT to include the email, name, role, and exp (expiry) claims. The optional title, company_name, and language claims populate the user's profile when the account is first created.
How does the authentication flow work with JWT SSO?
The user is redirected to the Identity Provider to authenticate; the Identity Provider issues a signed JWT containing the user's claims and redirects the user to the Influitive endpoint with that JWT in the infl_jwt parameter; Influitive validates the token and creates the session.