3. What is JWT SSO?
● JWT SSO is an authentication flow in which the application authenticates the user based on a JWT issued by the identity provider (IdP).
● The application relies on that JWT as the sole source of authentication in the SSO flow.
4. But why?
Simply because of simplicity!
1. Works with simple redirections.
2. Easy for the application to process.
Once the application receives the JWT token:
1. Verify the JWT token.
2. Read the user claims from it.
3. Provision the user if the user does not exist yet.
4. Sign the user in to the application.
7. What the application expects
1. The JWT token - Mandatory
The JWT token containing the user claims, signed with the shared secret.
2. Return to URL - Optional
URL to redirect the user to after successful authentication.
3. Error URL - Optional
URL to redirect the user to if an error occurs in the application while it processes the authentication response received from the IdP.
8. How it expects them
The application requires the values to be sent as URL query parameters on a redirect:
https://applicationdomain.com/jwt?jwt={payload}
&return_to={return_to_url}
&error_url={error_url}
11. 1. Enable JWT SSO on the application
1. Enable SSO to the application using JWT.
2. Retrieve the Site URL (SSO endpoint)
⦿ The URL to redirect the user to, with the JWT token, after successful authentication.
3. Obtain the API Key (shared secret)
⦿ The key used to sign the JWT token. Treat it as a credential: anyone holding it can mint a token for any user.
12. 2. Get the JWT SSO Connector
1. Get the connector from the WSO2 IS Connector Store.
2. Add it to the dropins directory.
3. Enable the /identity endpoint so the SSO redirect can reach it without authentication (secure="false"); keep it limited to GET:
⦿ [[resource.access_control]]
context="/identity(.*)"
secure="false"
http_method="GET"
17. Conclusion
1. A simple way to implement SSO, without a proper specification and with some security concerns that the application itself has to handle:
⦿ The application must validate the JWT signature against the shared secret before trusting any claim in it.
⦿ The token must be accepted for authentication only within the time window given by the exp claim.
⦿ The token must be usable only once: the application must record the jti claim and reject any token whose jti has already been seen.
2. Works with simple redirections.
3. Supported by miniOrange.
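The following is an added example, not code from the deck, the WSO2 connector or miniOrange. It walks both sides of the flow described above: the IdP side builds the HS256-signed JWT and the redirect URL with the jwt, return_to and error_url query parameters from the "How it expects them" slide, and the application side applies the three checks from the conclusion (signature against the shared secret, exp window, single-use jti) before running the verify / read claims / provision / sign-in steps from the "But why?" slide. The shared secret, the SSO endpoint and the return and error URLs are made-up placeholders, the user store is an in-memory dict, and only the standard library is used.

```python
"""JWT SSO, both sides: IdP issues the token and redirect URL; the application
validates the token (signature, exp, one-time jti) and signs the user in."""
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: stands in for the API key (shared secret) obtained from the application.
SHARED_SECRET = b"example-shared-secret-replace-me"
# Assumption: hypothetical Site URL (SSO endpoint) of the application.
SSO_ENDPOINT = "https://applicationdomain.com/jwt"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(secret: bytes, claims: dict, now: Optional[int] = None, ttl: int = 120) -> str:
    """IdP side: HS256-sign the user claims. iat/exp bound the lifetime, jti makes it single-use."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {**claims, "iat": now, "exp": now + ttl, "jti": uuid.uuid4().hex}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def build_redirect_url(token: str, return_to: Optional[str] = None, error_url: Optional[str] = None) -> str:
    """IdP side: the URL the browser is redirected to after successful authentication."""
    params = {"jwt": token}
    if return_to:
        params["return_to"] = return_to
    if error_url:
        params["error_url"] = error_url
    return f"{SSO_ENDPOINT}?{urlencode(params)}"


def parse_sso_request(url: str) -> dict:
    """Application side: recover jwt / return_to / error_url from the query string."""
    return {name: values[0] for name, values in parse_qs(urlparse(url).query).items()}


class JwtSsoValidator:
    """Application side: the three checks the conclusion slide asks for."""

    def __init__(self, secret: bytes, leeway: int = 30):
        self.secret = secret
        self.leeway = leeway  # tolerated clock skew between IdP and application, in seconds
        self.seen_jti: dict = {}  # jti -> exp; in production a store shared by every app node

    def validate(self, token: str, now: Optional[int] = None) -> dict:
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        header_b64, payload_b64, sig_b64 = parts
        header = json.loads(_b64url_decode(header_b64))
        # 1. Signature: pin the algorithm (never let the token pick it) and compare in constant time.
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(self.secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        payload = json.loads(_b64url_decode(payload_b64))
        for claim in ("iat", "exp", "jti"):
            if claim not in payload:
                raise ValueError(f"missing {claim}")
        # 2. Time window: honour exp (with leeway) and refuse tokens dated in the future.
        if now > payload["exp"] + self.leeway:
            raise ValueError("expired")
        if payload["iat"] > now + self.leeway:
            raise ValueError("issued in the future")
        # 3. Single use: forget jtis that can no longer be replayed, reject any jti already accepted.
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if e + self.leeway >= now}
        if payload["jti"] in self.seen_jti:
            raise ValueError("replayed jti")
        self.seen_jti[payload["jti"]] = payload["exp"]
        return payload


def sign_in(validator: JwtSsoValidator, users: dict, token: str, now: Optional[int] = None):
    """Verify, read claims, provision if new, sign in. Returns ("ok", user) or ("rejected", reason)."""
    try:
        claims = validator.validate(token, now)
    except ValueError as err:
        return "rejected", str(err)
    email = claims.get("email")
    if not email:
        return "rejected", "no email claim"
    user = users.setdefault(email, {"email": email, "name": claims.get("name", "")})  # JIT provisioning
    return "ok", user


if __name__ == "__main__":
    token = issue_jwt(SHARED_SECRET, {"email": "alice@example.com", "name": "Alice"})
    url = build_redirect_url(token, return_to="https://applicationdomain.com/home")
    validator, users = JwtSsoValidator(SHARED_SECRET), {}
    print(url)
    print(sign_in(validator, users, parse_sso_request(url)["jwt"]))  # ("ok", {...})
    print(sign_in(validator, users, parse_sso_request(url)["jwt"]))  # ("rejected", "replayed jti")
```

The jti store is the part teams most often skip: with only signature and exp checks, anyone who captures the redirect URL (browser history, proxy logs, a Referer leak from the return_to page) can replay it for the whole exp window. The store must be shared across application instances, and the exp-based purge keeps it from growing without bound.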