Custom JWT Tokens
Use Case:
The customer already has an authentication infrastructure or wants the Therefore™ Portal to be integrated with their own portal. A user who is already authenticated in the customer portal should not be required to authenticate again for Therefore™, giving an SSO experience across the different applications. The customer portal application can create a custom token and use it to automatically log the user into Therefore™ with the provided user account. No additional login is required.
1. Configuration in the Therefore Solution Designer

The following information needs to be populated in the respective fields:

Issuer Id: Must match the Issuer Id in the JWT token sent to Therefore™.
Name: Any name can be given; it is used in the UI only.
Active: Enable or disable a customer issuer.
Secret/Certificate: Define a shared key or upload a .cer file for validation of the token.
2. Custom JWT Token Payload:

    {
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "Test AD",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "testad@therefore.net",
      "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname": "ADOS\\testad",
      "aud": "<CustomerId>",
      "nbf": 1547106872,
      "exp": 1547108072,
      "urn:oauth:scope": "therefore_user",
      "iss": "https://testissuer.therefore.net"
    }

aud = CustomerId of the Therefore System
iss = Issuer Id; must match the Therefore configuration
urn:oauth:scope = scope of the token; values "therefore_user" (all user permissions) or "therefore_read" (read only)
3. Custom JWT Tokens can be used to authenticate users of Therefore™ in Web Client, Portal, API, WebAPI.

Example (Web Client):

    https://<server>/TWA/Client/Web/Viewer/Viewer.aspx?docno=349738&ssoToken=<token>
    https://<server>/TWA/Portal/Portal.aspx?qNo=123&ssoToken=<token>

Example API:

    // Replace <token> with the custom JWT issued by the customer portal.
    string sToken = "<token>";
    string sNodeInternal, sNodeFriendly;
    TheServer s = new TheServer();
    s.ConnectBearerToken(TheClientType.CustomApplication, sToken, "", "", "", true,
        TheConnectMode.NoLicenseMove, out sNodeInternal, out sNodeFriendly);
4. Special permissions can be defined for a token. Reference: Permissions for JWT tokens.
Test Walkthrough:
1. Create Test Tokens here: https://jwtbuilder.jamiekurtz.com/
2. Configure the issuer in Therefore™ Solution Designer.
3. Use the token with any access option described above (Web Client, Portal, API, Web API).
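The payload from step 2, built and signed in code instead of with the online builder. This is an added Python example, not Therefore™ code. It assumes the shared key configured in the Solution Designer is used with HS256 (the page does not name the algorithm); `make_token` and `check_token` are hypothetical helper names, and `check_token` is a local self-check for the issuing portal, not Therefore's validation logic.

```python
import base64, hashlib, hmac, json, time

# Assumption: the shared key is used with HS256; the page does not name the algorithm.
NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
WIN = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
SCOPES = {"therefore_user", "therefore_read"}  # the two scope values listed in step 2

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(secret, issuer, customer_id, name, email, account,
               scope="therefore_read", lifetime=300, now=None):
    """Build a compact HS256 JWT with the claims from step 2 (read-only, short-lived by default)."""
    if scope not in SCOPES:
        raise ValueError("unknown scope")
    now = int(time.time()) if now is None else now
    claims = {NS + "name": name, NS + "emailaddress": email, WIN: account,
              "aud": customer_id, "nbf": now, "exp": now + lifetime,
              "urn:oauth:scope": scope, "iss": issuer}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def check_token(token, secret, issuer, customer_id, now=None):
    """Check signature, alg, iss, aud, nbf/exp and scope; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
        good = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        sig_ok = hmac.compare_digest(good, _unb64(sig))  # constant-time comparison
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256" or not sig_ok:
        raise ValueError("bad signature or algorithm")
    if claims.get("iss") != issuer or claims.get("aud") != customer_id:
        raise ValueError("issuer or audience mismatch")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not yet valid or expired")
    if claims.get("urn:oauth:scope") not in SCOPES:
        raise ValueError("unknown scope")
    return claims
```

The secret is passed as bytes and must be the same shared key entered for the issuer in the Solution Designer; `issuer` must equal the configured Issuer Id and `customer_id` the CustomerId of the Therefore system.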