Single Sign-on (SSO)

Single Sign-on (SSO) is aimed at broadcasters who use a MediaStore SDK-based solution (Checkout, My Account) with an external identity management system as the primary identity provider.

📘 Good to know

SSO is a universal solution that can be used with any identity provider (Gigya, Okta, LoginRadius, or other internally developed systems), but middleware is required.

To omit middleware and integrate with a specific identity provider, it is possible to build a connector.

SSO simplifies the customer journey by allowing your customers to access MediaStore SDK features with a single identification, even if they are authenticated with a third-party identity provider.

To achieve this, a broadcaster can generate a JWT on behalf of a customer without needing to pass the customer's credentials.

The SSO login process:

  1. A customer logs in using a third-party identity provider (e.g. Gigya, Okta, etc.).

  2. Once the customer is authenticated, the middleware service makes an API call on behalf of the customer to the /sso/auths endpoint. This endpoint makes it possible to generate a JWT without providing the customer's password, using the publisherToken instead.

    Please note that this is an exception: unlike other MediaStore SDK endpoints, this one requires the publisherToken for authorization.

  3. Both a JWT access token and a refresh token are generated and returned to the middleware.

  4. The JWT access token is used for API calls and subsequent auto-logins to MediaStore SDK.
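The middleware side of step 2, as an added example that is not Cleeng's or the MediaStore SDK's own code: the publisherToken is read from the middleware's environment and sent to /sso/auths, and only the resulting token pair is handed back to the client. The API base URL, the JSON field names of the request and response, and the use of the customer's e-mail as the identity established by the identity provider are assumptions, not details given on this page.

```python
"""Middleware-side SSO token exchange (constructed example, not Cleeng code)."""
import json
import os
import urllib.request
from typing import Callable, Dict

# Hypothetical base URL; the page does not state one.
MEDIASTORE_API = "https://mediastore.example/"

# A transport takes (url, headers, body bytes) and returns the decoded JSON reply.
Transport = Callable[[str, Dict[str, str], bytes], dict]


def http_transport(url: str, headers: Dict[str, str], body: bytes) -> dict:
    """Real HTTP POST used when the middleware runs against the MediaStore API."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def exchange_sso_token(customer_email: str, publisher_token: str,
                       transport: Transport = http_transport) -> dict:
    """Call /sso/auths for a customer the identity provider has already authenticated.

    publisher_token is the broadcaster-level secret that stands in for the
    customer's password; it stays in the middleware and is never returned
    to the browser.  Field names below are assumed, not documented here.
    """
    if not customer_email or not publisher_token:
        raise ValueError("customer identity and publisherToken are required")
    body = json.dumps({"customerEmail": customer_email,
                       "publisherToken": publisher_token}).encode()
    data = transport(MEDIASTORE_API + "sso/auths",
                     {"Content-Type": "application/json"}, body)
    jwt, refresh = data.get("jwt"), data.get("refreshToken")
    if not jwt or not refresh:
        raise RuntimeError("/sso/auths did not return both tokens")
    # Only the customer-scoped tokens go back to the client.
    return {"jwt": jwt, "refreshToken": refresh}


def fake_transport(url: str, headers: Dict[str, str], body: bytes) -> dict:
    """Constructed stand-in for the MediaStore API so the example runs offline."""
    if not url.endswith("/sso/auths"):
        raise RuntimeError("unexpected endpoint " + url)
    payload = json.loads(body)
    if payload.get("publisherToken") != "PUBLISHER_TOKEN_PLACEHOLDER":
        return {"errors": ["unauthorized"]}  # constructed error shape
    return {"jwt": "constructed.jwt." + payload["customerEmail"],
            "refreshToken": "constructed-refresh"}


if __name__ == "__main__":
    token = os.environ.get("PUBLISHER_TOKEN", "PUBLISHER_TOKEN_PLACEHOLDER")
    print(exchange_sso_token("alice@example.com", token, fake_transport))
```

Read the publisherToken from the middleware's secret store or environment, as in the `__main__` block; a wrong or missing token surfaces as an error from the exchange rather than as tokens.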

See the example flow below.


Example Login Sequence Diagram