Pylon supports two authentication methods for portal and knowledge base login for your customers - passwordless and JWT Single Sign On (SSO). These settings can be configured in the Workspace tab in your Pylon settings page.
Pylon requires that the users logging in must already be registered as contacts within Pylon, otherwise the login will fail.
Pylon has a setting to automatically create contacts using the user's email domain to match them to the appropriate account.
📄 Do contacts have to be created in Pylon to login to the portal?
Our default authentication method allows users to input their email, and perform a no-password login using a one-time passcode sent to their email.
From there, they’ll be redirected to their customer portal only if they have access to the portal.
Single Sign-On (SSO) allows users to log into different applications securely and quickly. Pylon uses the JSON Web Token (JWT) protocol for sign on.
Token Required Attributes
iat: Token issue time. The token will not be accepted more than 60 seconds (1 minute) after this time.
email: Email address of the user performing the login. Pylon uses this field to map to the user in the Pylon system.
aud: Token audience. Must be the value https://portal.usepylon.com
iss: Issuer. Must be the base URL of the remote login URL, discussed below. This must contain a trailing slash (/). e.g. for remote login URL https://your.domain.com/callback, the issuer should be https://your.domain.com/
Token Optional Attributes
account_id: Account ID. If a contact has not been created, Pylon can create one during the user's first log in. You can optionally provide an account ID. Otherwise, Pylon will use email domain matching to identify the user.
Pylon supports the following Signing Algorithms for JWT:
HMAC SHA-256: HS256
HMAC SHA-384: HS384
HMAC SHA-512: HS512
No other algorithms are supported (e.g. RSA SHA-256 or ECDSA P-256 SHA-256).
To enable this for your customers, Pylon will need some information:
Remote Login URL: If enabled, an unauthenticated user will be redirected to this URL to perform a login. During your user's authentication flow, Pylon will include a redirect_uri query parameter with this redirect. After the user has authenticated with your system, you must redirect the user to that redirect_uri URL, with the JWT as a query param under the key access_token. Note that the redirect_uri URL already contains a query param, so you can simply append &access_token=<token> to redirect_uri to compose the URL.
Remote Logout URL, Optional: When the user performs a signout, they’ll also be redirected to this URL, allowing the user to be logged out of other systems.
Shared Secret: This secret is used to sign the JWT before sending it to Pylon, ensuring that the JWT is from a trusted source. You must keep this secure.
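The following is an added example, written for this page rather than taken from Pylon's own code or SDK, that implements both sides of the flow above with only the Python standard library: mint_login_token builds an HMAC-signed JWT carrying the required iat, email, aud and iss claims (plus the optional account_id), compose_callback_redirect appends access_token to the redirect_uri that Pylon supplied, and verify_login_token shows the checks the stated requirements imply on the receiving side (an HS256/HS384/HS512-only algorithm allowlist, audience, issuer with trailing slash, and the 60-second iat window). The shared secret value, the remote login URL, and the decision to reject an iat that lies in the future are constructed assumptions, not documented Pylon behaviour.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed placeholders: the real secret is the Shared Secret configured in Pylon,
# and the remote login URL is whatever you registered in the Workspace settings.
SHARED_SECRET = b"replace-with-the-shared-secret-from-pylon"
REMOTE_LOGIN_URL = "https://your.domain.com/callback"
PYLON_AUDIENCE = "https://portal.usepylon.com"
MAX_TOKEN_AGE_SECONDS = 60  # the page's stated acceptance window after iat

# Only the HMAC family is accepted; anything else (RS256, ES256, "none") is rejected.
_HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issuer_for(remote_login_url: str) -> str:
    """Derive iss from the remote login URL: scheme and host only, with a trailing slash."""
    parts = urlsplit(remote_login_url)
    return f"{parts.scheme}://{parts.netloc}/"


def mint_login_token(email, secret=SHARED_SECRET, alg="HS256", account_id=None,
                     now=None, remote_login_url=REMOTE_LOGIN_URL):
    """Build the JWT your login callback hands back to Pylon."""
    if alg not in _HMAC_ALGS:
        raise ValueError(f"unsupported alg {alg!r}; Pylon accepts HS256/HS384/HS512 only")
    claims = {
        "iat": int(now if now is not None else time.time()),
        "email": email,
        "aud": PYLON_AUDIENCE,
        "iss": issuer_for(remote_login_url),
    }
    if account_id is not None:  # optional: lets Pylon create the contact under this account
        claims["account_id"] = account_id
    header = {"alg": alg, "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    signature = hmac.new(secret, signing_input.encode(), _HMAC_ALGS[alg]).digest()
    return signing_input + "." + _b64url(signature)


def compose_callback_redirect(redirect_uri: str, token: str) -> str:
    """Append access_token to the redirect_uri Pylon supplied, preserving its existing query."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("access_token", token)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def verify_login_token(token, secret=SHARED_SECRET, expected_iss=None, now=None):
    """Model of the receiving-side checks the requirements imply; raises ValueError on failure."""
    if expected_iss is None:
        expected_iss = issuer_for(REMOTE_LOGIN_URL)
    try:
        h_b64, c_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    alg = header.get("alg")
    if alg not in _HMAC_ALGS:
        raise ValueError(f"unsupported alg {alg!r}")
    expected_sig = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), _HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("signature does not verify under the shared secret")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("aud") != PYLON_AUDIENCE:
        raise ValueError("aud must be https://portal.usepylon.com")
    if claims.get("iss") != expected_iss:
        raise ValueError("iss must be the remote login base URL with a trailing slash")
    if not isinstance(claims.get("email"), str) or "@" not in claims["email"]:
        raise ValueError("email claim missing")
    iat = claims.get("iat")
    current = int(now if now is not None else time.time())
    # Assumption: a future-dated iat is treated as invalid as well as a stale one.
    if not isinstance(iat, int) or not 0 <= current - iat <= MAX_TOKEN_AGE_SECONDS:
        raise ValueError("token is outside the 60-second acceptance window")
    return claims


def token_is_valid(token, now=None, secret=SHARED_SECRET) -> bool:
    try:
        verify_login_token(token, secret=secret, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    tok = mint_login_token("alice@example.com", account_id="acct_123")
    # Constructed redirect_uri in the shape Pylon passes to your login page.
    print(compose_callback_redirect("https://portal.usepylon.com/sso/callback?state=abc", tok))
    print(verify_login_token(tok))
```

Using parse_qsl and urlencode instead of string concatenation produces the same `&access_token=<token>` suffix the page describes while keeping the existing query parameters intact; the JWT's base64url alphabet needs no percent-encoding. The verifier rejects an unexpected alg before touching the signature, so a token claiming alg "none" or an asymmetric algorithm never reaches the HMAC comparison.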
More details on adjusting visibility of articles after setting up customer authentication are available here.