Mindtickle

miniOrange SSO (Single Sign-on) provides secure autologin to all your apps in cloud or on-premise, from any mobile platform including iPhone, Android.It quickly increases security of information and resources for your Mindtickle app without worrying about time for initial set up or future upgrades.

Why Single Sign-On?

• miniOrange SSO has inbuilt integration with Legacy Apps such as Active Directory , Siteminder, Unix, RADIUS and also comes with support for OpenID, OAuth, SAML, JWT(Json Web Token), ADFS and WSFED protocols.

• Support for remote Logins such as Radius VPN, Website Protection, ADFS, Windows, Citrix.

• You login to one cloud app and you don't need to authenticate separately to the rest of them.

Single sign-On with JWT(Json Web Token)

• What is JWT(Json Web Token)?

  JSON Web Token (JWT) is a JSON-based open standard for passing claims between parties in web application environment. The tokens are designed to be compact, URL-safe and usable especially in web browser single sign-on (SSO) context. JWT claims can be typically used to pass identity of authenticated users between an identity provider and a service provider. The tokens can also be authenticated and encrypted.

  JWT for Mindtickle single sign-on has three parts seperated by a .,each section is created differently. Three parts are -

  1. Header : The header carries 2 parts - declaring the type, which is JWT and the hashing algorithm to use (HMAC SHA256 in this case). { "typ": "JWT", "alg": "HS256" }
  
  2. Payload : The payload will carry the bulk of JWT, also called the JWT Claims. This is where we put the information that we want to transmit and other     information about token. Registered claims are as follows -
  

  iss: The issuer of the token
  sub: The subject of the token
  aud: The audience of the token
  exp: This will define the expiration in NumericDate value.
  nbf: Defines the time before which the JWT MUST NOT be accepted for processing
  iat: The time the JWT was issued. Can be used to determine the age of the JWT
  jti: Unique identifier for the JWT. Can be used to prevent the JWT from being replayed.

  { "iss": "miniorange", "exp": 1300819380, "name": "Abc Xyz", "admin": true }
  3. Signature : The third part of JSON Web Token is signature. This signature is made up of a hash of header, payload, secret.
  var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload); HMACSHA256(encodedString, 'secret'); The secret is the signature held by the server.



• Why JWT(Json Web Token) single sign-on(sso)?

  Using a JSON Web Token for Mindtickle single sign-on offers many advantages over API keys(often used for single sign-on):

  • Granular Security: API Keys provide an all-or-nothing access. JSON Web Tokens can provide much finer grained control.
  • Decentralized Issuance: API keys depend on a central storage and a service to issue them. JSON Web Tokens can be "self-issued" or be completely externalized, opening interesting scenarios as we will see below.
  • Debuggability: API keys are opaque random strings. JSON Web Tokens can be inspected.
  • Expiration Control: API keys usually don't expire unless you revoke them. JSON Web Tokens can (and often do) have an expiration.