of 3

Documentation

Unblu 7 (latest)

The Unblu Cloud allows you to use single sign-on (SSO) for your agents, visitors, or both. This article describes the different mechanisms used.

This article discusses single sign-on in the Unblu Cloud.. For information on authentication in self-hosted and on-premises installations, see Authentication in self-hosted and on-premises installations.

Agent SSO

Agents are typically employees of your organization. As such, their details are often already stored in a directory service or identity provider of some kind. It makes sense to leverage this fact and link authentication for the Unblu Cloud to your organization’s directory service.

Unblu offers agent SSO based on OpenID Connect.

Requirements

To support SSO on the Unblu Cloud, your identity provider (IDP) must meet the requirements listed below.

  • We use either the access token or the ID token to extract the user information from the JWT claims.

  • When you use an access token, it presented must be provided as one of the following:

  • The user attributes of your agents must be supplied in the claims agreed upon with Unblu. If a claim doesn’t provide Unblu user role information, the user roles must be managed in Unblu, for example via the Account Configuration interface.

  • API clients must first acquire an access token using the OAuth 2.0 Client Credentials grant type. The client should then present Unblu with a valid access token in an Authorization: Bearer <token> HTTP header.

You should limit the validity of the access tokens presented to the Unblu Cloud to a relatively short period, for example 1 hour.

If the initial access token obtained from your identity provider includes a refresh token, you should set its validity to 10 hours. Unblu will use the refresh token to obtain a new access token when the initial access token expires.

It is strongly recommended that you provide refresh tokens to ensure a smooth user experience.

Visitor SSO

For visitors, the Unblu UI is typically embedded as a widget in your website. Since OpenID Connect relies on browser redirects, this means Unblu must use an alternative authentication mechanism to avoid an unsatisfactory experience for your users.

Visitor SSO works as follows:

  1. Your application must issue a JWT signed with a private key and send it to Unblu from the visitor’s browser. The corresponding public key must be accessible to Unblu in the JSON Web Key (JWK) format wrapped in a JWK Set. You can rotate the keys regularly: Unblu will attempt to load any unknown key.

  2. Unblu sets a session cookie authenticating all requests from the visitor’s browser until either the session expires or an explicit logout occurs.

Some browsers, notably Safari, block third-party cookies. Visitor SSO must therefore run on the same second-level domain as your host application. To this end, Unblu configures a dedicated subdomain of your domain, such as https://unblu.yourcompany.com, in the Unblu Cloud. There are two additional steps required for the subdomain to work:

  • Add a record to your DNS server to resolve the subdomain to the IP address of the Unblu Cloud.

  • You must provide Unblu with a valid SSL/TLS certificate for the subdomain. Alternatively, the certificate may be issued by Let’s Encrypt.

Implementation

An implementation tutorial with code samples is available at unblu.github.io/unblu-visitor-sso-sample.

API authentication example

The example below shows the two steps required for API authentication. It first uses curl to call https://idp.yourcompany.com/token to acquire an access token. The call provides a username and password for authentication, and specifies that the grant type should be client_credentials.

Provided authentication is successful, the server issues an access token and returns it in a JSON object in the body of a 200 HTTP response. The server’s response is piped into jq which then extracts the value with the name access_token.

The second use of curl calls an endpoint of the Unblu Web API, passing the access token retrieved before to the Unblu server in an Authorization: Bearer <token> HTTP header.

CLIENT_ID="unblu-api-access"
CLIENT_SECRET="very-secret"
ACCESS_TOKEN=$(\
    curl -s -X POST https://idp.yourcompany.com/token \
    --user $CLIENT_ID:$CLIENT_SECRET \
    -H 'content-type: application/x-www-form-urlencoded' \
    -d 'grant_type=client_credentials' | jq --raw-output '.access_token' \
 )
echo $ACCESS_TOKEN
curl -s -H "Authorization: Bearer $ACCESS_TOKEN" -v https://unblu.yourcompany.com/unblu/rest/v3/authenticator/getCompactUser
Cloud visitor SSO example
Figure 1. Visitor SSO in the Unblu Cloud