JSON Web Token setup
You may want to authorize users or agents with credentials from a web-based service that your company has developed: your intranet/extranet, or an app or service you provide.
The way to implement this is using Deskpro’s support for JSON Web Token (JWT) authentication.
JWT is a token-based method of securely transferring authentication claims between two servers: in our case, a claim that your system has approved the user and they should be allowed access to Deskpro. The claim is encoded in a compact token. The token is cryptographically signed, so Deskpro knows the claim is genuine. It doesn’t contain the user’s password, just a confirmation of their identity and for how long the claim is valid.
To set up JWT, you install the Deskpro JWT authentication app, and provide it with the URL of a page that can tell Deskpro if the user is authenticated.
If you are using Deskpro On-Premise, it’s important that you enable SSL on your helpdesk before installing the JWT app.
JWT is a fairly straightforward method to implement, with libraries available in the major web development languages.
JWT authentication overview
When Deskpro verifies a user/agent with JWT, the sequence of events is as follows:
- Deskpro directs the browser to a remote login URL, which is a page you have developed where your service can verify users. The request carries an HTTP GET “return” parameter.
- The page at the URL authenticates the user; the details of how this happens are entirely down to you.
- If the user is authenticated, your system generates a JWT token containing the user’s ID, email and name, and redirects the browser back to the “return” URL specified in step 1, with the JWT token encoded in a “jwt” GET parameter.
- Deskpro verifies the JWT token using a shared secret that you have entered.
JWT implementation details
We suggest you consult jwt.io for links to JWT libraries and information, including a debugging tool.
There is PHP example code available on our GitHub repository showing a working example implementation.
The JWT token must include the following claims:
- ID (a unique ID for the user on your service; this will not be used for the agent/user ID in Deskpro)
- name (or first_name and last_name)
For security, you should also include these claims as per the JWT specification:
- iat (the time the token was issued)
- exp (the time the token expires, e.g. iat + 5 minutes)
- jti (a unique identifier for the token).
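The flow and claims described above, sketched as an added example for the remote login page (not Deskpro's code and not the PHP example from its GitHub repository). It assumes HS256 signing with the shared secret and lowercase claim keys `id`, `email` and `name`; the secret, hostname and function names are hypothetical. `verify_token` only models the kind of check the receiving side can make with the shared secret.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode, urlsplit, urlunsplit

SECRET = b"constructed-demo-secret"    # constructed; must match the JWT Secret Code
HELPDESK_HOST = "support.example.com"  # hypothetical helpdesk hostname

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(signing_input, secret):
    return _b64(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())

def issue_token(user, secret=SECRET, now=None):
    """Build and sign the token after your own login check has passed."""
    now = int(time.time()) if now is None else now
    claims = {
        "id": user["id"], "email": user["email"], "name": user["name"],
        "iat": now, "exp": now + 300,      # iat + 5 minutes
        "jti": secrets.token_hex(16),      # unique identifier per token
    }
    header = {"alg": "HS256", "typ": "JWT"}  # algorithm is an assumption
    parts = (json.dumps(p, separators=(",", ":")).encode() for p in (header, claims))
    signing_input = ".".join(_b64(p) for p in parts)
    return signing_input + "." + _sign(signing_input, secret)

def redirect_url(return_url, token):
    """Add the "jwt" GET parameter, but only for a return URL on our helpdesk."""
    parts = urlsplit(return_url)
    if parts.scheme != "https" or parts.hostname != HELPDESK_HOST:
        raise ValueError("refusing to send token to unexpected return URL")
    query = parts.query + ("&" if parts.query else "") + urlencode({"jwt": token})
    return urlunsplit(parts._replace(query=query))

def verify_token(token, secret=SECRET, now=None):
    """Receiving-side model: check the signature first, then the expiry."""
    now = int(time.time()) if now is None else now
    signing_input, _, sig = token.rpartition(".")
    expected = _sign(signing_input, secret)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise ValueError("bad signature")
    payload = signing_input.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

Checking the “return” value before redirecting keeps a signed token from being appended to a URL outside your helpdesk.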
Configuring Deskpro to use JWT
Once you have implemented JWT:
- Install and enable the Deskpro JWT app from Agents > Auth & SSO or CRM > Auth & SSO, depending on whether you want to authenticate agents or users.
- Enter the Remote Login URL where your service will authenticate users.
- Enter the JWT Secret Code: this is an arbitrary secret you use to encode your JWT tokens. It must match between your tokens and the JWT auth app.
- Configure the Authentication and SSO settings. You need to specify an Agent Logout Redirect URL where the agent is sent when they log out.
- Click Save and then Test Settings to check that your implementation is working.
Automatically redirect logged in users
When configuring the remote login URL, you can specify which page users are returned to after they authenticate. By default, users will be returned to your Deskpro home page. You can change this by appending some return information to the Remote Login URL.
The above example would redirect users authenticated through JWT to the new ticket submission page.