Implement SSO, SAML bridge, SSL, and HTTPS

This guide shows customer portal teams how to connect enterprise identity and secure transport when embedding Aura Home with the customer-side SDK.

Aura Home validates OIDC/JWT tokens. SAML customers should bridge SAML sign-in into an OIDC/JWT token before passing identity to the SDK.

Implementation Overview

PortalUser signs in to the customer portal.

IdPEnterprise provider issues or bridges identity.

SDKgetToken returns an OIDC/JWT token.

RuntimeAura Home receives the token by browser messaging.

BackendIssuer, audience, signature, and expiry are validated.

Prerequisites

The customer portal is already served over HTTPS.
The Aura Home runtime URL is HTTPS and reachable from the customer browser.
The customer identity provider can issue OIDC/JWT tokens directly, or can bridge SAML sessions to OIDC/JWT tokens.
Cadisa and the customer have agreed the OIDC issuer, client ID, allowed runtime origin, and allowed parent portal origin.

1. Configure Portal SSO

The customer portal should authenticate the user before Aura Home is opened. The SDK then supplies a short-lived OIDC/JWT token through auth.getToken. Tokens must not be placed in query strings, HTML attributes, CSS variables, local storage examples, or logs.

import { AuraHome } from "@aura-home/sdk";

const aura = AuraHome.init({
  container: "#aura-home",
  baseUrl: "https://aura.customer-domain.com/",
  allowedOrigin: "https://aura.customer-domain.com",
  sdkHost: "portal.customer-domain.com",
  auth: {
    mode: "oidc",
    getToken: async () => {
      const session = await customerPortal.getCurrentSession();
      return session.idToken;
    }
  },
  sections: {
    chat: true,
    profile: true,
    navbar: false,
    footer: false
  }
});

Token Requirements

Requirement	Purpose
`iss`	Must match the issuer configured for the Aura Home runtime.
`aud`	Must match the expected client ID or audience.
`sub`	Stable user identifier from the customer identity provider.
`email`	Recommended for user display and customer support workflows.
`exp`	Required so expired tokens can be rejected.

2. Implement a SAML Bridge

If the customer uses SAML, keep the raw SAML assertion inside the customer identity layer. The customer IdP, identity gateway, or backend should exchange the SAML-authenticated session for an OIDC/JWT token that Aura Home can validate.

// The customer signs in with SAML through the enterprise IdP.
// The identity gateway exchanges that SAML session for an OIDC/JWT token.
// Aura Home receives the JWT/OIDC token, not the raw SAML assertion.

const samlSession = await enterpriseIdentity.requireSamlSession();

const oidcToken = await identityGateway.exchangeSamlForOidc({
  sessionId: samlSession.id,
  audience: "aura-home",
  requestedClaims: ["sub", "email", "name"]
});

AuraHome.init({
  container: "#aura-home",
  baseUrl: "https://aura.customer-domain.com/",
  allowedOrigin: "https://aura.customer-domain.com",
  auth: {
    mode: "oidc",
    getToken: async () => oidcToken.idToken
  }
});

SAML Bridge Checklist

Do not send SAML assertions to the browser iframe.
Use a backend or identity gateway to exchange SAML state for an OIDC/JWT token.
Configure Aura Home backend validation for the bridge issuer and audience.
Keep token lifetimes short and refresh through the portal identity layer.

3. Prepare SSL Certificates

SSL/TLS certificates are configured in the customer hosting, CDN, load balancer, or reverse proxy layer. The Aura Home SDK does not install or renew certificates.

# Customer DNS example
portal.customer-domain.com  A      203.0.113.10
aura.customer-domain.com    CNAME  customer-aura-runtime.example.net
assets.customer-domain.com  CNAME  customer-cdn.example.net

# Certificate coverage
portal.customer-domain.com
aura.customer-domain.com
assets.customer-domain.com

# Validation checks
curl -I https://portal.customer-domain.com
curl -I https://aura.customer-domain.com
openssl s_client -connect aura.customer-domain.com:443 \
  -servername aura.customer-domain.com

Certificate Requirements

Use certificates trusted by standard browsers.
Cover the portal domain, Aura Home runtime domain, and hosted asset domains.
Enable automatic renewal before certificate expiry.
Serve the complete certificate chain from the edge.

4. Use HTTPS for the Full Embed Path

Production integrations should use HTTPS for the host page, SDK bundle, Aura Home runtime, identity calls, stylesheet URLs, image assets, and API connections. Mixed content can cause browsers to block the embed or prevent authentication from completing.

<div id="aura-home"></div>

<script type="module">
  import { AuraHome } from "@aura-home/sdk";

  AuraHome.init({
    container: "#aura-home",
    baseUrl: "https://aura.customer-domain.com/",
    allowedOrigin: "https://aura.customer-domain.com",
    sdkHost: "portal.customer-domain.com"
  });
</script>

Content Security Policy Example

Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://cdn.customer-domain.com;
  frame-src https://aura.customer-domain.com;
  connect-src 'self' https://aura.customer-domain.com https://idp.customer-domain.com;
  style-src 'self' https://assets.customer-domain.com;

5. Launch Validation

Check	Expected Result
Open `baseUrl` in a browser tab	The Aura Home runtime loads over HTTPS.
Open customer portal page	No browser mixed-content warnings appear.
Call `auth.getToken`	A short-lived OIDC/JWT token is returned.
Inspect token claims	Issuer and audience match the Aura Home runtime configuration.
Embed Aura Home	The iframe loads and the SDK emits `ready` or `loaded`.
Review logs	No raw tokens, SAML assertions, passwords, or secrets are logged.

Troubleshooting

Symptom	Likely Cause	Fix
Iframe is blocked	Portal origin is not allowed or CSP is too strict.	Allow the Aura Home runtime in `frame-src` and confirm approved parent origins.
Auth fails with 401	Missing, expired, or invalid token.	Refresh the token and confirm issuer, audience, expiry, and signature.
SAML login works but Aura Home is anonymous	SAML was not bridged into OIDC/JWT for the SDK.	Exchange the SAML session for an OIDC/JWT token and return it from `getToken`.
Browser reports mixed content	One asset or endpoint is loaded over HTTP.	Move all SDK, runtime, API, stylesheet, and identity URLs to HTTPS.
Certificate warning appears	Missing SAN, expired cert, or incomplete chain.	Reissue or renew the certificate and serve the full chain from the edge.