Agent Single Sign On (SSO) via JWT and SAML 2.0: An Overview


Prerequisites

  1. Business Plan
  2. An identity provider (a hosted or custom solution) that supports JWT or SAML 2.0.

Overview

Desk.com now supports Agent Single Sign On (SSO) via JWT (JSON Web Token) and SAML 2.0 (Security Assertion Markup Language) to allow your agents to access Desk using a compatible identity provider (IdP). From Wikipedia, benefits of using SSO include:
 
  • Reducing password fatigue from different user name and password combinations.
  • Reducing time spent re-entering passwords for the same identity.
  • Reducing IT costs due to lower number of IT help desk calls about passwords.

JWT is a widely adopted open standard and provides a flexible framework for creating custom SSO solutions. From JWT.io, “[JWT] is a compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS).”

SAML is an XML-based open standard data format for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP) such as Desk.com.


Authentication with SSO

Once you configure your Desk.com site to allow Agent SSO, login requests will be routed to the remote login URL that you’ve specified. The SSO authentication process follows these steps:
 
  1. An agent will access your login page at https://yourcompany.desk.com/login/new.
  2. Depending on how you’ve configured your site, if the user is not already authenticated they will either be redirected to the remote login URL for authentication or will have the option to “Login with X” where X is your Authentication Service Name from the Desk login screen.
  3. After the user enters their credentials, if using JWT, the IdP should POST to https://yourcompany.desk.com/auth/jwt with the JWT payload. If using SAML, the IdP validates the user’s identity and then constructs a message containing information about that user to send back to Desk at https://yourcompany.desk.com/auth/saml/acs.
  4. Desk.com then parses the information, does a lookup on the user’s email address and logs the user in. Great success!
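The JWT leg of steps 3 and 4, as an added example that is not Desk.com's code: the IdP side builds a compact HS256 token carrying the agent's e-mail, and the service-provider side pins the algorithm, verifies the signature with the shared secret, enforces expiry and rejects replayed tokens before the e-mail lookup in step 4 happens. The claim names (email, iat, exp, jti), the shared secret and the agent directory are assumptions for illustration, not Desk.com's documented payload; the example uses only the Python standard library so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional

# Constructed values for this example only: the secret an IdP and the service
# provider would both hold, and the agent directory the provider looks up.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"
AGENT_DIRECTORY = {"alice@example.com": "Alice Agent"}


def _b64url_encode(data: bytes) -> str:
    # JWS segments use unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_compact(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def build_jwt(email: str, secret: bytes, now: Optional[int] = None, ttl: int = 120) -> str:
    """IdP side: produce header.payload.signature signed with HMAC-SHA256.

    The claim names used here (email, iat, exp, jti) are illustrative assumptions.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"email": email, "iat": now, "exp": now + ttl, "jti": uuid.uuid4().hex}
    signing_input = _b64url_encode(_json_compact(header)) + "." + _b64url_encode(_json_compact(payload))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None,
               seen_jti: Optional[set] = None) -> dict:
    """SP side: return the claims only after algorithm, signature, expiry and replay checks."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The verifier pins the algorithm; the token header must never choose it
    # (this is what rejects tokens claiming "alg": "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the recomputed MAC against the presented one
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("expired or missing exp")
    if seen_jti is not None:
        # A token is good for one login: remember its id and refuse a second use
        jti = payload.get("jti")
        if not jti or jti in seen_jti:
            raise ValueError("replayed or missing jti")
        seen_jti.add(jti)
    return payload


def login_agent(token: str, secret: bytes, now: Optional[int] = None,
                seen_jti: Optional[set] = None) -> Optional[str]:
    """Step 4: only a verified token's e-mail claim is used for the agent lookup."""
    claims = verify_jwt(token, secret, now=now, seen_jti=seen_jti)
    return AGENT_DIRECTORY.get(claims.get("email"))


if __name__ == "__main__":
    token = build_jwt("alice@example.com", SHARED_SECRET)
    print("token:", token)
    print("logged in as:", login_agent(token, SHARED_SECRET))
```

The order of checks in `verify_jwt` is deliberate: nothing in the payload is parsed, let alone trusted, until the algorithm is pinned and the signature has been verified, and the e-mail lookup in `login_agent` only ever sees claims that passed those checks. The `seen_jti` set stands in for whatever short-lived store a real service provider would use to make each token single-use.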

Setting up Agent SSO

For more information on how to set up SSO via JWT or SAML, please see these detailed articles: