Skip to main content

 Glossary

A-Z glossary of PageSeeder concepts

Single Sign-On (SSO)

Single sign-on lets users sign in with a single ID to an external identity provider to authenticate with PageSeeder. The credentials are maintained by the external identity provider.

Since PageSeeder v6, you can register an external identity provider which supports Open ID and use the ID token to sign in to PageSeeder.

There are two authentication flows for SSO – in both cases:

  1. The user must authenticate with the external ID provider first to get an ID token used to authenticate the user on PageSeeder.
  2. PageSeeder creates a session and returns a session cookie to the browser.

Use the authentication flow that matches the requirements of your app.

SSO and OAuth

The purpose of Single Sign-On is to create a session on PageSeeder using credentials maintained by an external identity provider without having to sign in again. If the user is already signed-in with the external identity provider, that process is transparent to the user who can directly use PageSeeder.

If the user only interacts with an app, there is generally no need for a PageSeeder session. OAuth is better suited in that case and the app should use access tokens to make a request to the PageSeeder API.

In all cases, apps must be registered as clients on PageSeeder. For CORS headers to be sent, the client URI must also match the Website. 

Code authentication flow

This flow is used when the ID token is received or held by the client app. In that case, the app must first exchange the ID token for an authentication code. The authentication code can then be used by the browser to get the Session cookie.

Make sure your app is registered as a client and the Website is set as the client URI – PageSeeder only issues authentication codes to apps that are registered.

Code authentication flow

The user signs in with the external identity provider.

The sign-in process depends on the identity provider and might involve multiple steps and services that are not shown on the diagram.

At the end of the sign-in process, the identity provider returns an ID token to the client app.

The app can request an authentication code with the ID token from the external identity provider using the service /authenticate [POST] or /authenticate [GET] (POST is recommended) – the app must also supply its client ID.

If the keys for that provider are not in the cache or have expired, PageSeeder might request the metadata and public keys from the identity provider (optional).

If requested, the identity provider returns the JWKS so that PageSeeder can verify the signature (optional).

PageSeeder verifies the signature, validates the claims, looks up the member and checks the configuration.

If successful, PageSeeder creates an authentication code for that user and client only.

The app forwards the code to the user.

The user authenticates with PageSeeder using the authentication code.

If successful, PageSeeder authenticates the user, creates a new session and returns the session cookie for the browser to use.

Token authentication flow

The token authentication flow for when the client app is running on the browser.

Make sure your app is registered as a client and the Website is set as the client URI, otherwise, PageSeeder does not send the CORS headers necessary to make the authentication request.

Token authentication flow

The user signs in with the external identity provider.

The sign-in process depends on the identity provider and might involve multiple steps and services that are not shown on the diagram.

At the end of the sign-in process, the identity provider returns an ID token to the user.

The user can now sign in to PageSeeder using the ID token from the external identity provider using the service /authenticate [POST] or /authenticate [POST].

If the keys for that provider are not in the cache or have expired, PageSeeder might request the metadata and public keys from the identity provider (optional).

If requested, the identity provider returns the JWKS so that PageSeeder can verify the signature (optional).

PageSeeder verifies the signature, validates the claims, looks up the member and checks the configuration.

If successful, PageSeeder creates a session and returns the session ID in a Cookie for the browser .

Created on , last edited on