Single Sign-on (SSO)

Single Sign-on (SSO) is aimed at broadcasters who use a MediaStore SDK-based solution (Checkout, My Account) together with an external identity management system as the primary identity provider.

📘 Good to know

SSO is a universal solution that can be used with any identity provider (Gigya, Okta, LoginRadius, or other internally developed systems), but middleware is required.

To avoid the middleware layer and integrate directly with a specific identity provider, a connector can be built instead.

SSO simplifies the customer journey: customers can access MediaStore SDK features with a single sign-in even though they are authenticated by a third-party identity provider.

To achieve this, a broadcaster can generate a JWT on behalf of a customer without the customer's credentials ever being passed. A JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact, self-contained way of securely transmitting information between parties as a JSON object; the information can be verified and trusted because it is digitally signed. In Cleeng, the JWT payload contains the customerId, the publisherId and an expiration date. The JWT is valid for 15 minutes; after that, the refresh token mechanism can be used.

The SSO login process:

  1. A customer logs in using a third-party identity provider (e.g. Gigya, Okta, etc.).

  2. Once the customer is authenticated, the middleware service makes an API call on behalf of the customer to the /sso/auths endpoint. This endpoint generates a JWT without the customer's password, using the publisherToken instead.

    Please note that this is an exception: unlike other MediaStore SDK endpoints, this one requires the publisherToken for authorization, which is why the call is made from the server-side middleware rather than from client code.

  3. Both a JWT access token and a refresh token are generated and returned to the middleware.

  4. The JWT access token is used for API calls and for subsequent auto-logins to MediaStore SDK.

See the example flow below.

Example Login Sequence Diagram
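A middleware-side sketch of steps 2 to 4, added here as an illustration and not code from the Cleeng SDK or its documentation. The request and response field names (the Authorization header, customerEmail, jwt, refreshToken) and the exp claim name are assumptions, and the HTTP transport and the token it returns are constructed stand-ins so the sketch runs offline.

```python
import base64
import json
from typing import Callable

SSO_AUTHS_PATH = "/sso/auths"   # endpoint named in the login flow above
JWT_LIFETIME = 15 * 60          # the page states the JWT is valid for 15 minutes
DEMO_NOW = 1_700_000_000        # constructed clock value so the demo is deterministic

def decode_jwt_payload(token: str) -> dict:
    """Read the claims (second base64url segment) without verifying the signature;
    inspection only, the Cleeng API is what verifies the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def sso_login(idp_user: dict, publisher_token: str,
              post: Callable[[str, dict, dict], dict]) -> dict:
    """Step 2: exchange an IdP-authenticated session for Cleeng tokens.
    `post(path, headers, body)` is an injected HTTP transport; the header and
    body field names below are assumptions, not the documented request schema."""
    if not idp_user.get("authenticated"):
        raise PermissionError("refusing to mint tokens for an unauthenticated IdP session")
    headers = {"Authorization": f"Bearer {publisher_token}"}   # assumed header form
    body = {"customerEmail": idp_user["email"]}                 # assumed body field
    resp = post(SSO_AUTHS_PATH, headers, body)
    access, refresh = resp["jwt"], resp["refreshToken"]        # assumed response keys
    claims = decode_jwt_payload(access)
    for required in ("customerId", "publisherId", "exp"):       # payload the page lists
        if required not in claims:
            raise ValueError(f"token is missing the {required} claim")
    # Only customer-scoped tokens leave the middleware; publisherToken never reaches the client.
    return {"jwt": access, "refreshToken": refresh}

def needs_refresh(token: str, now: float, skew: int = 60) -> bool:
    """Step 4: switch to the refresh token once the access JWT is about to expire."""
    return now + skew >= decode_jwt_payload(token)["exp"]

def constructed_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string for this offline demo only."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}.sig"

def demo_post(path: str, headers: dict, body: dict) -> dict:
    """Constructed stand-in for the real /sso/auths endpoint."""
    claims = {"customerId": 42, "publisherId": 7, "exp": DEMO_NOW + JWT_LIFETIME}
    return {"jwt": constructed_token(claims), "refreshToken": "constructed-refresh-token"}
```

In a real deployment `demo_post` is replaced by an HTTPS call from the middleware, and the returned pair is what the MediaStore SDK client receives for auto-login.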
