FranchiseBlast has implemented single sign-on (SSO) with a few different third-party systems. If you have similar requirements, please contact your customer success representative to discuss your needs.  


At a high-level, FranchiseBlast supports two different types of SSO implementations: 

  1. An authenticated user in FranchiseBlast is sent to another system, and we want the user to become authenticated in that other system so they don't have to log in again
  2. An authenticated user is in another system, and you'd like to send them to FranchiseBlast already authenticated, so they don't have to log in again


We have done the first type of implementation for third parties such as SmarterU, but this article focuses on sending people to FranchiseBlast from your third-party system. Typically this is an enterprise-level system or mobile app that your users already use, and you'd like to transfer them to FranchiseBlast to view audit scores.


SSO via JWT

If you'd like to use the following single sign-on technique, you will need to discuss the implementation details with our staff, and we'll give you a partner code and a secret key. 


Assuming you have a user logged in as email@yourfranchise.com in your system, you can redirect them to FranchiseBlast by sending them to this web address: 


https://{franchise}.franchiseblast.com/sso_redirect?partner={partner}&token={token}


Where the parameters are:

  • {franchise} is the FranchiseBlast subdomain that we have configured for you. You can use admin (admin.franchiseblast.com) if you just want the standard FranchiseBlast theme; otherwise, it's best to use your own subdomain. 
  • {partner} is the partner code we'll assign to you 
  • {token} is a JWT that is signed with your secret key


To illustrate, let's assume: 


If you click on the hyperlink on the token above, you will see it broken down into parts based on the JWT standard. The first part identifies the algorithm used to sign the token, the second is the payload (the message we will be parsing), and the third is the signature, which ensures the payload has not been altered and originated from someone who knows the secret key. 


In the payload portion of the token above, you will find this JSON payload: 

{
  "email": "support@franchiseblast.com",
  "redirect_to": "https://admin.franchiseblast.com/admin/Survey/Answer/123456"
}


The email parameter is the email of the user you'd like to authenticate in FranchiseBlast and the redirect_to parameter indicates where you'd like us to send the user after a successful authentication. If the redirect_to parameter is not present, we will redirect the user to the FranchiseBlast dashboard. 


For security purposes, certain types of administrators will not be allowed to sign in this way. Furthermore, you can only sign in users associated with your account/franchise, as determined by our staff when we generate your partner code and secret key. 


Any failed attempts will simply redirect the user to the login page.
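The following is an added, self-contained example of both sides of the flow described on this page; it is not FranchiseBlast's own code. The partner side (build_sso_url) signs the email/redirect_to payload and builds the sso_redirect URL; the relying side (handle_sso_redirect) verifies the signature, applies the rules stated above (only users of the partner's own franchise, certain administrator types excluded, every failure goes to the login page) and falls back to the dashboard when redirect_to is absent. Assumptions not stated on the page: the token is an HS256 (HMAC-SHA256) JWT, the login and dashboard paths, the blocked role set, the partner code, secret and user directory are all constructed sample values, and the check that redirect_to points at an https franchiseblast.com URL is the guard an implementer would want rather than documented FranchiseBlast behaviour.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: the token is an HS256 JWT (HMAC-SHA256 over "header.payload").
# The page does not name the algorithm; the real one comes from FranchiseBlast staff.
JWT_HEADER = {"alg": "HS256", "typ": "JWT"}

# Constructed sample configuration standing in for what FranchiseBlast staff would
# set up: one partner code, its secret, and the franchise it may sign users in to.
PARTNERS = {"acme": {"secret": "constructed-secret-do-not-reuse", "franchise": "acme"}}
# Constructed user directory; the role names are invented for the example.
USERS = {
    "manager@acme.example": {"franchise": "acme", "role": "manager"},
    "owner@acme.example": {"franchise": "acme", "role": "superadmin"},
    "someone@other.example": {"franchise": "other", "role": "manager"},
}
SSO_BLOCKED_ROLES = {"superadmin"}  # assumption: the administrator types excluded from SSO
LOGIN_PAGE = "/login"               # assumption: login page path
DASHBOARD = "/dashboard"            # assumption: dashboard path


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as the JWT standard requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict, secret: str) -> str:
    """Partner side: produce header.payload.signature for the given claims."""
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(JWT_HEADER)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def build_sso_url(franchise: str, partner: str, secret: str, email: str, redirect_to: str = None) -> str:
    """Partner side: the sso_redirect URL from the page, carrying the email/redirect_to payload."""
    payload = {"email": email}
    if redirect_to:
        payload["redirect_to"] = redirect_to
    query = urlencode({"partner": partner, "token": sign_jwt(payload, secret)})
    return f"https://{franchise}.franchiseblast.com/sso_redirect?{query}"


def verify_jwt(token: str, secret: str):
    """Return the payload dict, or None if the token is malformed or the signature is wrong."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "alg" from the token
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return payload


def safe_redirect_target(target) -> bool:
    """Only follow redirect_to onto an https franchiseblast.com URL (open-redirect guard)."""
    if not isinstance(target, str):
        return False
    parsed = urlparse(target)
    host = parsed.hostname or ""
    return parsed.scheme == "https" and (host == "franchiseblast.com" or host.endswith(".franchiseblast.com"))


def handle_sso_redirect(url: str) -> str:
    """Relying side: return the path the user lands on; every failure goes to the login page."""
    query = parse_qs(urlparse(url).query)
    partner = query.get("partner", [None])[0]
    token = query.get("token", [None])[0]
    config = PARTNERS.get(partner)
    if config is None or token is None:
        return LOGIN_PAGE
    payload = verify_jwt(token, config["secret"])
    if payload is None:
        return LOGIN_PAGE
    email = payload.get("email")
    user = USERS.get(email) if isinstance(email, str) else None
    # A partner may only sign in users of the franchise tied to its partner code.
    if user is None or user["franchise"] != config["franchise"]:
        return LOGIN_PAGE
    if user["role"] in SSO_BLOCKED_ROLES:
        return LOGIN_PAGE
    target = payload.get("redirect_to")
    if target is None:
        return DASHBOARD
    return target if safe_redirect_target(target) else LOGIN_PAGE
```

Two design points are worth noting. The verifier pins the algorithm to the one it expects instead of reading it from the token's header, so a token claiming "alg": "none" or a different algorithm is rejected before any signature check; and because the secret is shared, anyone holding it can mint a token for any user of your franchise, so it should be treated like a password and stored server-side only.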