Enabling Single Sign-on
The Predis.ai SDK enables you to implement SSO for your users. If your users are already logged in to your website, it is recommended that you implement SSO so that they are automatically logged in to the Predis.ai editor as well.
How it works
- Your user logs in to your website.
- A Predis.ai SSO token is generated to identify the user. This happens on the server side using the SSO key provided.
- The generated SSO token is passed in the config (as embedToken) when creating an object from the Predis.ai SDK.
Generating SSO JWT token on the server
A Predis.ai SSO Token is a JWT Token that stores data about the user and is signed with your unique Predis.ai SSO Key.
Python code to generate the JWT
- Install the library
pip install pyjwt
- Generate a JWT
import jwt  # PyJWT

# YOUR_APP_ID and USER_ID identify the app and the user; SSO_KEY must stay server-side
jwt_token = jwt.encode({"aud": YOUR_APP_ID, "user_id": USER_ID},
                       SSO_KEY,
                       algorithm='HS256')
JWT Payload
Payload for the JWT should be as follows:
{
"aud": "your_app_id", // App ID obtained from the Predis.ai account
"user_id": "user_id" // email or any unique id of your user
}
The payload contains the following parameters:
aud
String. The unique app ID.
user_email
String. A unique id for the user.
Note about security
The SSO data is passed in the URL as an encoded token, known as a JWT (JSON Web Token); the token is an alphanumeric string about 150 characters long. The token is signed using a special key (the Predis.ai SSO Key) that is unique to each account and to which only the account administrators have access. The data passed in the token is a user_id and app_id; no passwords are passed, encoded or otherwise. The token is then decoded by the Predis.ai servers and the signature is checked to verify that the token was signed with the Predis.ai SSO Key associated with the account. If the token was not signed with the correct key, the SSO login will fail.
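To make the generation step and the server-side check above concrete, here is an added example (not code from Predis.ai or the PyJWT project) that builds the same HS256 JWT using only the Python standard library, then verifies it the way a receiving server has to: signature checked with the account key, algorithm pinned to HS256, and the aud claim compared against the app ID. The verifier is a model of what the page says the Predis.ai servers do, not their actual implementation; APP_ID, SSO_KEY and USER_ID are constructed sample values. It also shows that the payload can be read without the key, which is why only a user_id and app_id (never a password) belong in it.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; a real SSO_KEY comes from the Predis.ai account and stays server-side.
APP_ID = "your_app_id"
SSO_KEY = "example-sso-key-do-not-ship-to-the-browser"
USER_ID = "alice@example.com"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sso_token(app_id: str, user_id: str, sso_key: str) -> str:
    """Produce the token jwt.encode({...}, sso_key, algorithm='HS256') would produce."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"aud": app_id, "user_id": user_id}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(sso_key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_sso_token(token: str, app_id: str, sso_key: str) -> dict:
    """Model of the receiving side: reject bad structure, wrong alg, bad signature, wrong audience."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token tell the verifier which algorithm to use.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(
        sso_key.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("aud") != app_id:
        raise ValueError("wrong audience")
    if not isinstance(payload.get("user_id"), str) or not payload["user_id"]:
        raise ValueError("missing user_id")
    return payload


def peek_payload(token: str) -> dict:
    """Decode WITHOUT verifying: the JWT is signed, not encrypted, so anyone holding it can read this."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def sso_login_succeeds(token: str, app_id: str, sso_key: str) -> bool:
    """True only when the token passes every check in verify_sso_token."""
    try:
        verify_sso_token(token, app_id, sso_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = make_sso_token(APP_ID, USER_ID, SSO_KEY)
    print(token)
    print("readable without key:", peek_payload(token))
    print("correct key:", sso_login_succeeds(token, APP_ID, SSO_KEY))
    print("wrong key:", sso_login_succeeds(token, APP_ID, "some-other-key"))
```

The three negative cases (wrong key, wrong app ID, payload swapped under an old signature) all fail verification, which is the behaviour the note above describes as "the SSO login will fail". The peek_payload call is the reason for the page's rule that only user_id and app_id go in the token.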