JWT single sign-on (SSO) is a mechanism that lets you authenticate users in your own systems and then tell Onset that the user has been authenticated.
This article describes how to enable a JWT single sign-on configuration that Onset uses to authenticate your users.
How JWT SSO works
Once you enable SSO, sign-in requests are routed to a sign-in page external to Onset.
Steps of the JWT SSO authentication process:
1. An unauthenticated user navigates to your Onset page.
2. Onset recognizes that SSO is enabled and that the user is not authenticated.
3. Onset redirects the visitor to the URL you provided. Example: https://mycompany.com/onset/sso.
4. A page on the remote server authenticates the user using your organization's own sign-in process.
5. The authentication system creates and signs a JWT token with the secret generated in your Onset Admin Panel.
6. The authentication system redirects the user to the following Onset endpoint with the JWT token in the URL:
7. Onset validates the signed JWT token and then grants the user a session.
As you can see, this process relies on browser redirects and passing signed messages using JWT. The redirects happen entirely in the browser; there is no direct connection between Onset and your systems.
Requirements for enabling JWT SSO
As the steps above show, for JWT SSO to work correctly you must implement steps 4-6 yourself. To avoid downtime, we suggest you have all of the following requirements in place before enabling JWT SSO protection.
Login URL - The remote login URL to which unauthenticated visitors are redirected when they attempt to access your Onset page.
Signed JWT Token - Your authentication system mints properly signed JWT tokens and redirects the authenticated user to the appropriate /api/jwt endpoint.
Propagate Redirects (nice to have) - Your authentication server redirects the user back to the redirect_uri URL supplied by Onset, with the JWT token appended.
When Onset redirects a visitor to your remote login page, it appends a redirect_uri URL parameter. This parameter contains the URL to which Onset will send the user after your system has authenticated them.
Honouring the redirect_uri parameter is optional, but we recommend it for the best user experience, because it returns the user to the page they originally requested.
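The following is an added example, not Onset's own code, showing both halves of steps 5-7 above with the standard library only: your authentication server mints an HS256 token with the shared secret and sends the browser back to the redirect_uri, and the verifying side checks signature, algorithm and expiry before granting a session. The Onset hostname, the claim names (sub, email, iat, exp), the `jwt` query parameter and the redirect_uri host check are assumptions, not details from this article.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode, urlparse

# Constructed values for the example; the real secret is the one generated in the Onset Admin Panel.
SHARED_SECRET = b"example-secret-from-onset-admin-panel"
ONSET_HOST = "mycompany.onset.example"                 # assumed Onset hostname
ONSET_JWT_ENDPOINT = f"https://{ONSET_HOST}/api/jwt"   # endpoint named in the requirements above

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, secret: bytes) -> str:
    """Step 5, your side: sign the claims as an HS256 JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def safe_redirect_uri(redirect_uri: str) -> str:
    """Added check: redirect_uri arrives via the browser, so only honour it when it points
    back at Onset over HTTPS; otherwise fall back to the /api/jwt endpoint."""
    parts = urlparse(redirect_uri)
    return redirect_uri if parts.scheme == "https" and parts.netloc == ONSET_HOST else ONSET_JWT_ENDPOINT

def build_return_url(redirect_uri: str, token: str) -> str:
    """Step 6, your side: URL the browser is sent to, token appended (query name 'jwt' is assumed)."""
    target = safe_redirect_uri(redirect_uri)
    return target + ("&" if "?" in target else "?") + urlencode({"jwt": token})

def verify_jwt(token: str, secret: bytes, now=None):
    """Step 7, Onset side: accept only an unexpired HS256 token with a valid signature; else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return None
    # Pin the algorithm: a token claiming alg "none" or anything else is rejected outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not isinstance(claims, dict):
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):      # constant-time comparison
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:   # 'exp' claim is assumed
        return None
    return claims
```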