Single sign-on (SSO)

When you receive feedback, you should know who gave it (free user, paid user, or enterprise customer). More importantly, you want to inform them about what you do with their feedback.

For this, we need to gather their email address to contact them, and it would be logical if users could log in again when they have additional feedback or questions.

For this reason, ProductLift has user accounts, and people can sign up for a new account and leave feedback.

When you want users to avoid creating a new account (people may forget passwords), you have two options.

  1. Sign in via social media account. This is ready out of the box for Twitter, Facebook, GitHub, and Google
  2. Sign in via your server using the account that they already have (aka single sign-on)

In this article, we are going to set up #2.

How single sign-on works in ProductLift
  1. You generate a token on your server and sign it
  2. You send the user to ProductLift using the token
  3. The user is automatically logged into ProductLift using the account details you provided

JWT Tokens

We use a secure protocol called JSON Web Token (JWT) to enable SSO to transfer user authentication data from your system to ProductLift. JWT is an open, simple standard with solid community support. You can read more about it on the IETF website, and you'll be able to find a large number of open-source implementations for most languages.

Step 1: Get your SSO secret

You should create a JWT token on your end using the SSO secret that we provide.

You can find your SSO secret at Settings > Single Sign On.

Step 2: Generate a token

Generate a JWT SSO token on your end and sign it with your SSO secret. You can find several examples of creating a token on the IETF website.

The contents should look something like this:

<?php
// Example using the firebase/php-jwt library (composer require firebase/php-jwt)
use Firebase\JWT\JWT;

$payload = [
    'email' => $user->email,   // required
    'uid'   => $user->id,      // required: unique ID of the user in your product
    'name'  => $user->name,    // required: visible name of the user
    // Optional fields:
    // 'avatar_url' => $user->avatar_url,
    // 'company'    => 'ABC',
    // 'segment_1'  => $plan,  // e.g. pricing plan: ltd, subscription, free
    // 'segment_2' ... 'segment_10' work the same way
];

// $sso_secret is the secret from Settings > Single Sign On; HS256 is a
// symmetric algorithm, so the same secret is used for signing and verifying
$token = JWT::encode($payload, $sso_secret, 'HS256');

Explaining the fields in the payload:

Required data
  • email = your user's email address
  • uid = the unique ID for this user in your product (this will be used to identify the user)
  • name = the visible name of the user

Optional data
  • avatar_url = image URL of the user's avatar
  • company = company name of the user
  • segment_1 to segment_10 = fields to segment users, for example based on MRR or plan type

Keep in mind
  • If the user already has an account in your ProductLift portal, we will re-use that account based on the email you provided. We assume that you have verified your user's email address.
  • For better security, we don't provide SSO login for admin users. They log in to the portal in the normal way.
  • Company and segment fields are not yet visible in ProductLift, but any data that is loaded in them will be saved.
  • The payload of a JWT is only base64-encoded, not encrypted, so anyone who holds the token can read it: don't put secret data in the payload. The signature, however, can only be verified (or produced) by someone who has your SSO secret, so keep that secret confidential.
  • Users who log in via SSO automatically agree to our privacy statement, so you need to add ProductLift to your own privacy statement.
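The token generation from Step 2 and the readable-but-verifiable point above, as an added Python example that is not ProductLift's own code: it builds the HS256 JWT by hand with the standard library, copies only the fields documented on this page from a user record so nothing else (a password hash, say) lands in the readable payload, shows that the payload decodes without the secret while the signature only verifies with it, and appends the token as ?sso=TOKEN for Step 3. The function names, the secret, the user record and the portal URL are constructed sample values, not ProductLift identifiers.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Fields documented for the ProductLift SSO payload; anything else is dropped.
REQUIRED = ("email", "uid", "name")
OPTIONAL = ("avatar_url", "company") + tuple(f"segment_{i}" for i in range(1, 11))


def b64url(data: bytes) -> str:
    # JWT segments use unpadded base64url encoding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sso_token(user: dict, sso_secret: str) -> str:
    """Build the HS256-signed JWT of Step 2 from a user record (allow-listed fields only)."""
    missing = [k for k in REQUIRED if user.get(k) in (None, "")]
    if missing:
        raise ValueError(f"missing required SSO fields: {missing}")
    payload = {k: user[k] for k in REQUIRED + OPTIONAL if k in user}
    compact = {"separators": (",", ":")}
    signing_input = (b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
                     + "." + b64url(json.dumps(payload, **compact).encode()))
    sig = hmac.new(sso_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def read_payload(token: str) -> dict:
    """Decode the payload WITHOUT the secret: anyone who holds the token can do this."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def verify_sso_token(token: str, sso_secret: str) -> bool:
    """Recompute the HMAC; only a holder of the SSO secret can validate the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    expected = hmac.new(sso_secret.encode(), f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected).encode(), parts[2].encode())


def sso_url(portal_url: str, token: str) -> str:
    """Step 3: append ?sso=TOKEN to any URL of the portal."""
    return portal_url + ("&" if "?" in portal_url else "?") + urlencode({"sso": token})
```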

Step 3: Apply the token

When you have the token, you can apply it easily by adding ?sso=TOKEN to any URL of your portal.

For example: