Symantec SiteMinder

 View Only

Tech Tip : CA Single Sign-On JWT Authentication Scheme support for Forms Login page (FCC) using Web Agent

By BalaKishore Gaddam posted May 03, 2019 12:22 AM

  

Summary:

   JWT authentication is supported from CA SSO 12.8 release. It is supported with Access Gateway and SDK only, but not with web agents.  This document provides how to use custom FCC for JWT authentication.  Custom Web Forms (FCC) with JWT authentication gives the seamless integration login experience with web applications.

 

Pre-Requisite:

   CA SSO 12.8+ Policy Server which supports JWT authentication Scheme.

Any version of Web Agent or Access gateway, (This blog is prepared by testing the flow using 12.52 SP1 CR 09 Webagent GA Build)

Using the Custom Form Page(FCC login page).

 

Advantages:

  • JWT authentication scheme can be supported using custom FCC for browser-based application.
  • Leveraging custom FCC with JWT authentication scheme helps to continuing web agent
  • Since JWT token can be posted in FCC, redirects are possible with JWT authentication scheme. 

High-Level Flow description:

   User access a servlet page and provides his/her user credentials. Client application generates a JWT token and posts JWT token to FCC page with POST request.

Agent fetches JWT token and sends to JWT authentication scheme. After successful authentication, FCC page generates SMSession cookie. Client application sets the cookie in the  browser and redirects to the target page.

Instructions:

Below steps explains details in configuring JWT authentication and other perquisites in the product.

 

Below is Step by Step Implementation details:

 

  1. Create an Agent, ACO and UserDirectory, Domain.
  2. Create a JWT authentication Scheme.

 

JWT auth Scheme supported secret value for HMAC signing. Following screenshot shows how to configure JWT auth Scheme in SiteMinder

3. Protect Endpoint with JWT auth Scheme

 

Sample resource protected with JWT authentication scheme

 

4. Web-Agent or Access Gateway configurations. 

Create a FCC File and place the file in \win64\samples\forms\jwtloginpage.fcc (attached sample FCC file)

sample file placed at blog  https://community.broadcom.com/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=99942818-07ed-4115-8468-caaa4ae151ba&forceDialog=0 

Screenshot for fcc file :

 

 

5. In the FCC file, add the below code snippet with SMAltCreds Field mapping an HTML input field.

@username=%USER%

@smretries=0

@smaltcreds=%JWTTOKEN%

                          <input type="text" name="JWTTOKEN" id="JWTTOKEN" >                

            Find sample FCC file in the attachment.

 

  

6.Create sample files and servlet that posts JWT token to form page (attached JWTDemo.zip) 
https://community.broadcom.com/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=daa40392-1248-4307-850b-8b10e8a8e034&forceDialog=0

7. Demo application:   Demo  "Webapplication" that sends JWT token to form page

  1. JWT Demo Code zip file is attached 
  2. Attached application is a very simplified version of implementation which accepts FCC URL, JWT Protected URL and JWT token in properties file "config.properties" present under "jwtdemo\WEB-INF\classes\config.properties"
  3. For simplicity of servlet code, JWT token is also read from the property file. 

8. Access home page of  “webapplication”    

 

DEMO application screenshot.

Access home page of "webapplication". say(jwtdemo). User gets redirected to login page which takes username.

Login page which takes dummy user. Posts a username to servlet.

 

Servlet posts a JWT token to FCC page, once its successful. Servlet redirects the  user to target page. Target page can be seen having SM related Headers.

 

 

Attached is source code for servlet, it would need HttpClient library which posts the JWT token,
Attachments are placed at blog https://community.broadcom.com/enterprisesoftware/communities/community-home/librarydocuments/viewdocument?DocumentKey=8f9cf13d-ab15-4804-82be-2d4c75a6d2fe&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295&tab=librarydocuments

0 comments
45 views