Single sign-on is a mechanism that allows your site to pass information about your users to Pandium and tells Pandium that the user has been authenticated. Pandium uses that information to securely display your users’ specific integration configurations without an extra login. To provide the most seamless experience, we suggest you embed us via an iframe in your application.
JSON Web Token (JWT) is a token format that can be used for single sign-on (SSO) between your application and Pandium.
Before your site can be enabled for SSO via JWT with Pandium, you will need to reach out to Pandium support and exchange the following:
A shared secret supplied by Pandium. This is used to sign the JWT, and helps Pandium ensure the requests come from you and you alone.
If you will be embedding a Pandium Marketplace in your application (our recommended approach), then we will also need the domain of the application that will serve as the iframe's parent. Pandium needs this for CORS purposes.
Your application will need to direct your users to a URL that looks like the one below: https://imp.pandium.io/?tenant=<signed_jwt_token>
With this, Pandium will take the token and display either a list of all integrations that the user can install or, if only one integration is present, the tenant configuration for that integration.
Pandium customers usually embed this URL as an iframe in their applications or open it in a new tab or window.
Creating the Signed JSON Web Token
You will need to build a JWT containing the users’ data in a backend service.
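The following is an added example, not Pandium's own code, of building the token in a backend service and running the checks a receiver applies to it, using only the Python standard library. It assumes HS256 (HMAC-SHA256) as the signing algorithm and uses constructed claim names (`sub`, `exp`) and a placeholder secret; use the algorithm and claims Pandium specifies for your account.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

def b64url(data):
    # JWT segments are base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims, secret):
    header = {"alg": "HS256", "typ": "JWT"}  # assumption: HS256
    segments = [b64url(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url(signature)])

def verify_jwt(token, secret, now=None):
    """Receiver-side checks: structure, pinned alg, signature, expiry."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # never trust the token's own alg choice
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def sso_url(token):
    # URL shape taken from the page; the token travels in the query string
    return "https://imp.pandium.io/?" + urlencode({"tenant": token})

if __name__ == "__main__":
    secret = b"constructed-placeholder-secret"  # keep the real one server-side
    # Constructed claims; a short lifetime limits replay of a leaked URL
    claims = {"sub": "user-123", "exp": int(time.time()) + 300}
    print(sso_url(sign_jwt(claims, secret)))
```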
JWTs are made of 3 parts separated by a period (.). Each part is base64url-encoded, and the parts are then assembled to look like below: