Single Sign On with JSON Web Token
Written by Diego Selzlein
Updated at October 18th, 2023, by Amanda Stançani
Helpjuice supports authenticating users via Single Sign On with JWT. It works like this:
- The user chooses to authenticate through SSO
- Helpjuice redirects the user to your website where they can authenticate with a user/password
- Your website generates a JSON Web Token using the shared key Helpjuice provides and redirects the user with the token back to Helpjuice
- Helpjuice decodes the token and authenticates the user with the email you provided
- If the user is a new one, we will create a new Internal Viewer user account for him
To set it up, go to your Account Settings > Single Sign On with JWT
Then fill in the form:
JWT Fields
These are the fields that Helpjuice will use from your JSON Web Token:
| Field | Required? | Description |
| jti | yes | This field contains a unique token ID generated by your website. Helpjuice will use it to prevent replay attacks. |
| iat | yes | This field has to contain the token creation time in milliseconds since Unix epoch. Helpjuice will only accept tokens up to 3 minutes old. |
| yes | The authenticated user's email so Helpjuice can identify the user. | |
| first_name | no | The user's first name. |
| last_name | no | The user's last name |
In order to debug issues with your token, use https://jwt.io. It provides a tool to parse your token and show you if it's using the right layout.
Signing Users In
When Helpjuice redirects a user to your login page, it will append a parameter to the URL called service and set it to helpjuice, like: https://my.website.com/login?service=helpjuice. This may be useful for you to identify the service and properly configure the authentication token layout.
Upon successful authentication, you need to sign the generated token with the Shared Secret Helpjuice provides you in that Settings page. Then you need to redirect them to https://helpjuice.com/jwt/YOUR_SUBDOMAIN?jwt=YOUR_ENCODED_TOKEN.
Redirection after sign-in
If the user was trying to access a restricted page when we sent him to your server for login, we also append a query parameter called fallback_url set to the original request URL, like: https://my.website.com/login?service=helpjuice&fallback_url=https://yourdomain.helpjuice.com/article-url.
Your server should send the value of this field back to Helpjuice in the fallback_url query parameter, like: https://helpjuice.com/jwt/YOUR_SUBDOMAIN?jwt=YOUR_ENCODED_TOKEN&fallback_url=https://yourdomain.helpjuice.com/article-url.
If you don't send the fallback_url parameter back to Helpjuice, we wil try to redirect using session cookie values, and, if that isn't possible, we will redirect the user based on the configuration in the User Behavior & Tracking settings page.
Signing Users Out
After signing a user out, Helpjuice will redirect them to the Logout URL you provided (if present).