How to Use the JWT Authentication Scheme

The JWT authentication scheme lets a web application authenticate a user to CA Single Sign-on with a JSON Web Token (JWT), and the same token can be used with an Authorization Provider such as Google or Salesforce. This topic explains how to configure CA Single Sign-on to use the JWT authentication scheme in a web application, and how JWT authentication works when a user who requests access to a protected resource is authenticated and authorized. A sample web application is provided with this topic: a simple login form that authenticates and authorizes a user through the JWT authentication scheme.
Use the provided sample web application only to understand and test how JWT works. Do not deploy it in a production environment: it holds the HMAC shared secret in its source code and performs no login authentication of its own.
Perform the following steps to configure CA Single Sign-on and the sample web application:

Complete the Prerequisites
Complete the following steps before you proceed with the configurations:
  1. Install and configure CA Single Sign-on.
  2. Ensure that the user exists in the user store that is configured with CA Single Sign-on.
  3. Download the sample web application (JWT_Sample_Application) and deploy it in a servlet container. This example uses Tomcat.
  4. Configure an initial login authentication method to authenticate the user. The sample web application only collects the login credentials; it does not authenticate them.
  5. Prepare a realm for the resource that you want to protect with the JWT authentication scheme.
Configure CA Single Sign-on

Configure JWT Authentication Scheme
Configure the authentication scheme from the Administrative UI.

Follow these steps:
  1. Log in to the Administrative UI.
  2. Select Infrastructure, Authentication.
  3. Select Authentication Schemes.
  4. Select Create Authentication Scheme.
  5. Enter the Name and Description for the authentication scheme.
  6. Select JSON Web Token Template from the Authentication Scheme Type drop-down and enter the Protection Level in the Scheme Common Setup section.
  7. Enter THIS-IS-A-SECRET-WITH-MORE-THAN-256-BITS as the HMAC Shared Key. This value is for the sample only, because the sample web application is compiled with the same string. An HS256 key must be at least 256 bits (32 bytes) long; for any real deployment, generate a random secret of at least that length and keep it out of source code.
  8. Confirm the HMAC Shared Key using the HMAC Confirm Shared Keys option.
  9. Ensure that the Disable SMSESSION Cookie Generation option is cleared, so that a successful authentication produces an SMSESSION cookie.
  10. Select Submit.
     The authentication scheme is saved and can be assigned to a realm.
Protect a Resource Using JWT Authentication Scheme
Assign the JWT authentication scheme to the realm that you prepared as part of the prerequisites. Note the URL of the protected resource; the sample web application configuration in a later step needs it.
Configure the Sample Web Application
Configure the sample web application to support the JWT authentication scheme.
Install and Configure Tomcat

Follow these steps:
  1. Download the Tomcat installer from https://tomcat.apache.org/download-90.cgi.
  2. Run the installer and install Tomcat.
  3. Copy the JWT_Sample_Application folder, the sample web application that you downloaded in Step 3 of the Complete the Prerequisites section, into the Tomcat webapps folder.
  4. Restart Tomcat.
  5. Verify that you can access the sample web application at http://Tomcat_server_name:Tomcat_port/JWT_SAMPLEAPP/. Tomcat uses the name of the folder under webapps as the context path, so adjust the path if your folder is named differently.
Configure Sample Web Application in Tomcat

Follow these steps:
  1. Stop Tomcat.
  2. Navigate to \webapps\JWT_SAMPLEAPP\WEB-INF\classes and open the config.properties file.
  3. Set the CA_SSO_TARGET_URL field in the file to the URL of the resource that you protected with the JWT authentication scheme, in the following format:
     http://Access_Gateway_hostname.ca.com/sample/app/basic/
  4. Restart Tomcat.
Test Access to Sample Web Application

Follow these steps:
  1. Access the following URL to test access to the sample web application:
     http://Tomcat_server_name:Tomcat_port/JWT_Sample_Application
  2. Enter the login credentials of a user who is present in the user store that is configured with CA Single Sign-on.
  3. Log in to the web application.
     If the authentication is successful, the user is given access to the protected resource.
How JWT Authentication Scheme Works
The following process explains how the JWT authentication scheme authenticates and authorizes the user and generates the SMSESSION cookie:
  1. The user enters login credentials in the sample login form.
  2. The sample web application invokes SSOProxyServlet.java. The servlet constructor sets the HMAC shared secret, which must match the HMAC Shared Key configured in the authentication scheme, and determines the protected target URL from CA_SSO_TARGET_URL in config.properties.
     Note: You can use a custom HMAC shared secret. Update the value in this file, recompile it, and enter the same value in the authentication scheme.
  3. The doPost method of the servlet receives the login credentials of the user.
     Note: The sample web application only collects the initial login credentials. Ensure that you have configured an authentication method that performs the authentication.
  4. The servlet prepares a JWT with the claim set and applies the HMAC signature using the shared secret.
  5. The servlet serializes the token into a compact string and sends it in an HTTP header to CA Access Gateway, which passes it to CA Single Sign-on for validation against the HMAC Shared Key of the scheme.
  6. The servlet obtains the SMSESSION token from the response and redirects the user to the target URL.
The generated JWT can also be used with an Authorization Provider.
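Steps 4 and 5 above (prepare the claim set, apply the HMAC signature, serialize the token), together with what the receiving side must check before it trusts the token, as an added standard-library Python example. This is not the sample application's Java servlet, which is not shown on this page, and not product code. Only the placeholder HMAC Shared Key comes from the configuration steps; the claim names, the audience value, the 300-second lifetime and the strictness of the verifier are the example's own assumptions. The verifier pins the algorithm to HS256 (so a token cannot switch itself to alg "none"), compares the MAC in constant time, and checks exp and aud; a token built with a key shorter than 256 bits is refused at build time, which is the check behind the note on the HMAC Shared Key step.

```python
"""HS256 JWT mint/verify in the shape the sample servlet follows (steps 4 and 5).

Added example, not code from the CA Single Sign-on sample application.
Assumptions: the claim names, the audience value and the strictness of the
verifier are the example's own; only the shared-key placeholder comes from
the configuration steps on this page.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Placeholder from the "Configure JWT Authentication Scheme" step: 40 ASCII
# bytes = 320 bits, which clears the RFC 7518 minimum of 256 bits for HS256.
# Sample value only; a deployment needs a randomly generated secret.
SAMPLE_SHARED_KEY = b"THIS-IS-A-SECRET-WITH-MORE-THAN-256-BITS"
MIN_HS256_KEY_BYTES = 32


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding that base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_jwt(shared_key: bytes, subject: str, audience: str,
              lifetime_s: int = 300, now: Optional[int] = None) -> str:
    """Return header.claims.signature, each part base64url-encoded (steps 4 and 5)."""
    if len(shared_key) < MIN_HS256_KEY_BYTES:
        raise ValueError("HS256 shared key must be at least 256 bits long")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # Claim set (assumed names): who, for which protected resource, and a
    # short lifetime so a captured token is not replayable for long.
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + lifetime_s}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    tag = hmac.new(shared_key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_jwt(token: str, shared_key: bytes, expected_audience: str,
               now: Optional[int] = None) -> dict:
    """Validate alg, MAC, exp and aud; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header_b64, claims_b64, tag_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token must not be allowed to pick 'none' or
    # anything other than the MAC the scheme was configured with.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % (header.get("alg"),))
    expected = hmac.new(shared_key, (header_b64 + "." + claims_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, b64url_decode(tag_b64)):
        raise ValueError("HMAC signature does not verify")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("aud") != expected_audience:
        raise ValueError("token was issued for a different audience")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token has expired or carries no usable exp")
    return claims


def verifies(token: str, shared_key: bytes, expected_audience: str, now: int) -> bool:
    """True if verify_jwt accepts the token, False on any rejection."""
    try:
        verify_jwt(token, shared_key, expected_audience, now)
        return True
    except ValueError:
        return False


def forge_alg_none(token: str) -> str:
    """Attacker's move: rewrite the header to alg 'none' and drop the MAC.
    A correct verifier (verify_jwt) must reject the result."""
    _, claims_b64, _ = token.split(".")
    header_b64 = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"},
                                          separators=(",", ":")).encode("utf-8"))
    return header_b64 + "." + claims_b64 + "."


if __name__ == "__main__":
    aud = "http://Access_Gateway_hostname.ca.com/sample/app/basic/"
    token = build_jwt(SAMPLE_SHARED_KEY, "alice", aud, now=1700000000)
    print(token)
    print(verify_jwt(token, SAMPLE_SHARED_KEY, aud, now=1700000010))
```

The token string that build_jwt returns is what the servlet places in the HTTP header for CA Access Gateway. Everything in verify_jwt is the receiving side's responsibility: if any of the four checks is skipped, the shared key stops being the thing that protects the realm.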