To implement SSO between Kayako and your PHP application you need a JWT implementation for PHP. We recommend using PHP-JWT (the firebase/php-jwt library, which can be installed with Composer).

Checking for SSO request

In your controller's login code, after the user has authenticated and just before you redirect them to your own post-login page, check for the returnto argument as follows:

if (array_key_exists('returnto', $_REQUEST)) {
    // Login was initiated by Kayako: send the user back with a signed JWT (see below)
    header('Location: ' . $_REQUEST['returnto'] . '&jwt=' . $token);
    exit;
}

The presence of the returnto argument indicates that the login request came from Kayako. In that case you need to generate a JWT token for the authenticated user and pass it back to the URL specified in this argument instead of performing your normal post-login redirect.

Generating JWT token

The main part of the JWT token is the payload, the set of claims about the user. To build it you need at least $user_email and $user_name of the authenticated user, plus $shared_secret (the secret shared with Kayako, which is also used to sign the token):

$payload = array(
    'iat'   => time(),                                  // issued-at time (Unix timestamp)
    'jti'   => md5($shared_secret . ':' . time()),      // token identifier
    'email' => $user_email,                             // user's email address, known to Kayako
    'name'  => $user_name                               // user's display name
);

If the corresponding data are available for users in your application, it is recommended that you also specify values for the other claims. Note that jti is meant to be a unique identifier for the token: since the value above depends only on the shared secret and the current second, two tokens issued within the same second carry the same jti. A random value (for example bin2hex(random_bytes(16))) avoids this.

When the payload is ready, use PHP-JWT to sign it and produce the token as follows:

require 'vendor/autoload.php';   // Composer autoloader that provides PHP-JWT
use \Firebase\JWT\JWT;

// Sign the payload with HMAC-SHA256 under the secret shared with Kayako
$token = JWT::encode($payload, $shared_secret, 'HS256');

This call builds the JWT header (alg HS256, typ JWT), computes the HMAC-SHA256 signature over the base64url-encoded header and payload using $shared_secret, and returns the three base64url segments joined by dots, which is the format Kayako expects.

Redirecting back to Kayako

When ready, the JWT token should be passed back to Kayako as part of the returnto URL as follows. Because returnto comes straight from the request, check that it points at your own Kayako host over https before redirecting; otherwise anyone who can get a user to open a login link with a returnto of their choosing receives a token signed with your shared secret. Also stop processing after the redirect header so the rest of your controller does not continue to run:

header('Location: ' . $_REQUEST['returnto'] . '&jwt=' . $token);
exit;
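The three steps above (detecting returnto, building and signing the payload, redirecting back) put together as one hardened helper. This is an added example, not code from Kayako or from the PHP-JWT project. It assumes firebase/php-jwt is installed with Composer, that your Kayako instance is reachable at the hostname passed as $kayakoHost (support.example.com is a placeholder), and it reads returnto from $_GET rather than $_REQUEST so that cookie and POST values cannot supply it. The function and parameter names are this example's own.

```php
<?php
// Added example for the Kayako SSO flow; assumes firebase/php-jwt via Composer.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;

/**
 * Decide whether a returnto value may receive a signed token.
 * Only an https URL on our own Kayako host qualifies; anything else is
 * treated as an open-redirect attempt and rejected.
 */
function kayako_returnto_is_trusted(string $returnto, string $kayakoHost): bool
{
    $parts = parse_url($returnto);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return strtolower($parts['scheme']) === 'https'
        && strtolower($parts['host']) === strtolower($kayakoHost);
}

/**
 * Build the SSO payload for the authenticated user.
 * jti is random rather than md5(secret:time), so two logins in the same
 * second never share an id and the secret is not mixed into a public claim.
 */
function kayako_sso_payload(string $email, string $name): array
{
    return [
        'iat'   => time(),
        'jti'   => bin2hex(random_bytes(16)),
        'email' => $email,
        'name'  => $name,
    ];
}

/**
 * Append jwt=<token> to the returnto URL, using ? or & depending on
 * whether the URL already carries a query string.
 */
function kayako_append_jwt(string $returnto, string $token): string
{
    $separator = (strpos($returnto, '?') === false) ? '?' : '&';
    return $returnto . $separator . 'jwt=' . rawurlencode($token);
}

/**
 * Returns the redirect target for a Kayako-initiated login, or null when
 * no trusted returnto is present (then do your normal post-login redirect).
 */
function kayako_sso_redirect_target(
    array $query,
    string $kayakoHost,
    string $sharedSecret,
    string $email,
    string $name
): ?string {
    if (!isset($query['returnto']) || !is_string($query['returnto'])) {
        return null;
    }
    if (!kayako_returnto_is_trusted($query['returnto'], $kayakoHost)) {
        return null; // refuse to hand a signed token to an unknown host
    }
    $token = JWT::encode(kayako_sso_payload($email, $name), $sharedSecret, 'HS256');
    return kayako_append_jwt($query['returnto'], $token);
}

// Usage in the login controller, once $user_email, $user_name and
// $shared_secret are known and the user has authenticated:
$target = kayako_sso_redirect_target($_GET, 'support.example.com', $shared_secret, $user_email, $user_name);
if ($target !== null) {
    header('Location: ' . $target, true, 302);
    exit; // nothing after the redirect header should run
}
```

Rejecting an untrusted returnto with null rather than redirecting anyway keeps the normal login flow intact for users who arrived without Kayako, while ensuring that a token signed with the shared secret is only ever delivered to the host you configured.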