Single Sign-On in Legacy Packages

As of August 1, 2019, Marketing Cloud has removed the ability to create legacy packages. All new packages are enhanced packages.

The Marketing Cloud provides the authentication context of the logged-in user and account using a JSON Web Token (JWT - pronounced "JOT"). The single sign-on (SSO) flow uses a JWT-based version of the IDP-Initiated Form Post SAML 2.0 flow. JWT transfers claims between two parties using JavaScript Object Notation (JSON) that is Base64URL encoded and signed using the HMAC SHA-256 algorithm.

When your application is called, Marketing Cloud posts the encoded JWT to the login endpoint defined in the installed package. The JWT lets your application know which Marketing Cloud account and user is calling the API.

Marketing Cloud posting encoded JWT to your app.

The following libraries provide support for generating a JWT (JSON Web Token):

Ruby: ruby-jwt (by progrium)
Python: pyjwt (by progrium)
Java: jsontoken
node.js: node-jwt-simple (by hokacca)
PHP: jwt (by luciferous)
.NET: jwt (by johnsheehan)

If none of these libraries suits your needs, create your own. Details of the JWT format are in the draft JWT specification.