Visitor Authentication with IAM

New in 1.41.0 (BETA)

The Scrivito SDK offers easy-to-use IAM-backed visitor authentication. This allows developers to build apps with the following features:

  • Visitor login
  • Additional, protected content for logged-in users
  • Mandatory visitor login for the entire app (e.g. intranet)

Furthermore, the new visitor authentication offers APIs for accessing details such as the name and email address of the current visitor.

Visitor authentication with IAM also includes improved support for custom identity providers (via OpenID Connect).

For admins and editors, there’s a guide available on how to restrict pages to logged-in visitors.

Visitors vs. Editors

With Scrivito, authentication supports two types of users:

  1. Website visitors who can log in to a Scrivito web app in order to access (additional) content or manage their own user data, for example. This guide is about how to implement support for IAM-based visitors in your Scrivito web application.

  2. Editors who can log in to the Scrivito UI and may have varying additional permissions there to edit or review content, etc. Editors can be regarded as “extended” visitors. See also Managing Users, Teams, and Working Copy Collaborators.

Inviting visitors

You can add visitors to your website via the JustRelate Console in the “Visitors” section.

If the navigation of your Console doesn’t include a “Visitors” section, please have it enabled by our Scrivito Support.

What is IAM?

IAM is JustRelate’s central Identity and Access Management service. It provides a secure, state-of-the-art login service for users, i.e., editors and visitors, of applications built with JustRelate platform solutions such as Scrivito.

Custom identity providers

IAM also supports custom IdPs which you can set up in the JustRelate Console. IAM automatically handles authentication via such IdPs.

See Setting Up Identity Providers for Your Website for further details.

Technical implementation

To implement IAM visitor authentication, a single-page application (SPA) needs to:

  1. Set up a proxy for authentication requests
  2. Handle visitor authentication and logout
  3. Determine the login state or access the user data of the logged-in visitor (optional)

1. Proxy setup

The app needs to be enabled to reach https://api.justrelate.com/iam/auth/* from its own base domain. Requests should be forwarded using the following pattern:

https://mydomain.com/auth → https://api.justrelate.com/iam/auth

This forwarding lets the browser-based application authenticate against IAM and receive its session cookie on the app’s own domain, i.e. as a first-party cookie, which avoids the restrictions browsers place on third-party cookies.

For a customer frontend application running, for example, on www.mydomain.com, a proxy is required. When forwarding requests to api.justrelate.com/iam/auth, your proxy needs to set the X-JR-Auth-Location header to pass the URL under which the proxy operates to api.justrelate.com, for example:

X-JR-Auth-Location: https://mydomain.com/auth

For IAM to accept the location, i.e. the URL, it must have been whitelisted as a “trusted origin”. You can configure trusted origins for your JustRelate account in the JustRelate Console.

Please note that, for security reasons, IAM only accepts https locations.

Custom proxy locations can be used as well. However, as the Scrivito SDK assumes that /auth is the default proxy location, custom proxy locations need to be made known to the Scrivito SDK via Scrivito.configure({ iamAuthLocation }), in addition to the proxy configuration on the server.

For local development, IAM can be integrated into the frontend development setup using a local proxy.

Setting up such a proxy can be done using your local dev server, e.g. Vite or webpack.
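The following is an added example and not code from the Scrivito SDK or its documentation. It builds the Vite server.proxy entry that implements the forwarding rule from the “Proxy setup” section for a local https dev server: requests to /auth/* on the app origin are rewritten to /iam/auth/* on api.justrelate.com, every forwarded request carries X-JR-Auth-Location, and a non-https location is rejected up front because IAM would not accept it. The option names (target, changeOrigin, secure, rewrite, headers) are Vite’s proxy options; the local origin https://localhost:5173 and the custom path /iam-proxy are assumptions for illustration.

```javascript
// Added example, not part of the Scrivito SDK. Builds a Vite server.proxy
// entry for the IAM auth proxy described on this page.

const IAM_ORIGIN = "https://api.justrelate.com";
const IAM_AUTH_PATH = "/iam/auth";

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Rewrite a request path on the proxy location to the IAM path, e.g.
// "/auth/login?x=1" -> "/iam/auth/login?x=1". Paths that merely share the
// prefix ("/authors") are rejected instead of being forwarded to IAM.
function rewriteAuthPath(path, proxyPath = "/auth") {
  const rest = path.slice(proxyPath.length);
  if (!path.startsWith(proxyPath) || (rest !== "" && !/^[/?]/.test(rest))) {
    throw new Error(`${path} is outside the proxy location ${proxyPath}`);
  }
  return IAM_AUTH_PATH + rest;
}

// Returns the object to put under server.proxy in vite.config.js.
// appOrigin is the URL the dev server is reachable under (assumed https).
function iamProxyConfig(appOrigin, proxyPath = "/auth") {
  const origin = new URL(appOrigin);
  // IAM only accepts https locations: fail at config time, not at first login.
  if (origin.protocol !== "https:") {
    throw new Error(`X-JR-Auth-Location must be https, got ${appOrigin}`);
  }
  if (!proxyPath.startsWith("/")) {
    throw new Error(`proxy path must be absolute, got ${proxyPath}`);
  }
  // Exact URL of the proxy; this value must also be registered as a
  // trusted origin in the JustRelate Console.
  const location = new URL(proxyPath, origin).href;
  // A "^" key is treated as a RegExp by Vite; the lookahead keeps
  // "/authors" from matching a "/auth" proxy.
  const key = "^" + escapeRegExp(proxyPath) + "(?=[/?]|$)";
  return {
    [key]: {
      target: IAM_ORIGIN,
      changeOrigin: true, // send Host: api.justrelate.com, not the dev host
      secure: true,       // verify the upstream TLS certificate
      rewrite: (path) => rewriteAuthPath(path, proxyPath),
      headers: { "X-JR-Auth-Location": location },
    },
  };
}

// vite.config.js (assumed setup):
//   import { defineConfig } from "vite";
//   export default defineConfig({
//     server: { https: { key, cert }, proxy: iamProxyConfig("https://localhost:5173") },
//   });
// With a custom path, e.g. iamProxyConfig("https://localhost:5173", "/iam-proxy"),
// also pass iamAuthLocation: "/iam-proxy" in the app's Scrivito.configure call.
```

The same header and rewrite rule apply to the production proxy in front of www.mydomain.com; only the X-JR-Auth-Location value changes to the public URL of that proxy, which likewise has to be whitelisted as a trusted origin.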

2. Visitor authentication and logout

To trigger the login procedure, or to ensure that the user is actually logged in, call Scrivito.ensureUserIsLoggedIn.

This API determines whether the user is logged in. If this is not the case, it automatically redirects the browser to the IAM log-in page. If the user is already logged in, nothing happens.

A website offering the option to log in can call this API method after a log-in button was clicked. A website requiring visitors to log in could call this method when the app initializes, for example.

To trigger a logout, call Scrivito.logout. A web app could call this method after a logout button was clicked, for example. A custom returnTo URL can be provided. Otherwise, a generic logout page is shown. If you use your own IdP, you can also configure a URL for logging out.

3. Determining the log-in state and accessing user data

To determine the login state, e.g. in order to display or hide content or to enable other logic specifically for logged-in visitors, Scrivito.isUserLoggedIn is available. Note that hiding content this way is a presentation decision only; content that must not reach anonymous visitors needs to be protected by means of the visibility category described below.

To obtain information about the currently logged in user, call Scrivito.currentUser.
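The following is an added example and not code from the Scrivito SDK or its documentation. It wires the calls named in sections 2 and 3 (Scrivito.ensureUserIsLoggedIn, Scrivito.logout, Scrivito.isUserLoggedIn, Scrivito.currentUser) into one app-level helper covering both an intranet-style app that requires login at startup and a site with optional login. The SDK object is passed in rather than imported so the helper can be exercised offline against the constructed stand-in below. Two details are assumptions, since the page only states that a returnTo URL can be given and that name and email are available: the call shape Scrivito.logout({ returnTo }) and the shape of the object returned by Scrivito.currentUser.

```javascript
// Added example, not part of the Scrivito SDK. createVisitorAuth takes the
// Scrivito namespace (or a stand-in) and returns the handlers an app needs.
function createVisitorAuth(Scrivito, { requireLogin = false, logoutReturnTo } = {}) {
  return {
    // Call once when the app initializes. With requireLogin (intranet case)
    // anonymous visitors are redirected to the IAM login page and never get
    // past ensureUserIsLoggedIn; logged-in visitors continue.
    init() {
      if (requireLogin) Scrivito.ensureUserIsLoggedIn();
      return Scrivito.isUserLoggedIn();
    },
    // Login button handler. Safe to call repeatedly: already logged in, nothing happens.
    login() {
      Scrivito.ensureUserIsLoggedIn();
    },
    // Logout button handler. Without returnTo, IAM shows its generic logout page.
    // The options object { returnTo } is an assumed call shape.
    logout() {
      if (logoutReturnTo) Scrivito.logout({ returnTo: logoutReturnTo });
      else Scrivito.logout();
    },
    // Decide what to render. This is a UI decision only: the "logged_in"
    // visibility category is what keeps protected content from anonymous visitors.
    view(loggedInView, publicView) {
      if (!Scrivito.isUserLoggedIn()) return publicView();
      return loggedInView(Scrivito.currentUser());
    },
  };
}

// Constructed stand-in for the SDK so the helper runs offline. It records
// the redirect the real ensureUserIsLoggedIn would trigger, and returns an
// assumed { name, email } object from currentUser.
function stubScrivito(loggedIn) {
  const log = [];
  let state = loggedIn;
  return {
    log,
    isUserLoggedIn: () => state,
    currentUser: () => (state ? { name: "Ada Lovelace", email: "ada@example.com" } : null),
    ensureUserIsLoggedIn() {
      log.push(state ? "noop" : "redirect-to-iam");
    },
    logout(opts) {
      state = false;
      log.push(opts && opts.returnTo ? `logout->${opts.returnTo}` : "logout->generic-page");
    },
  };
}

// Walk an anonymous visitor through an intranet app and a logged-in visitor
// through a site with optional login and a custom returnTo URL.
function demo() {
  const greet = (u) => `hello ${u.name} <${u.email}>`;
  const anonymous = () => "please log in";

  const anon = stubScrivito(false);
  const intranet = createVisitorAuth(anon, { requireLogin: true });
  const anonLoggedIn = intranet.init(); // false; the stub recorded the redirect
  const anonView = intranet.view(greet, anonymous);

  const member = stubScrivito(true);
  const site = createVisitorAuth(member, { logoutReturnTo: "https://www.example.com/bye" });
  site.login(); // already logged in: no redirect
  const memberView = site.view(greet, anonymous);
  site.logout();
  const afterLogout = site.view(greet, anonymous);

  return { anonLoggedIn, anonLog: anon.log, anonView, memberView, memberLog: member.log, afterLogout };
}
```

In a real app the same helper is fed the imported Scrivito namespace, init is called during app start, and login/logout are bound to the respective buttons; the view function is the place where a logged-in visitor’s name or email is read from the current user for display.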

Protected content

A logged-in visitor automatically has access to content protected by means of the standard (“logged_in”) visibility category, “Available to logged-in users”.