JSON Web Token Authentication for CA SSO Authentication

Layer7 API Gateway supports JSON Web Token (JWT) as one of the authentication types for CA SSO authentication. This feature enables the Gateway to send a JWT for authentication against CA SSO. The following use cases show different ways of obtaining a JWT and using that token for authentication against CA SSO:
For the following use cases, the JWT payload is constructed by extracting the username after authenticating with any identity provider.
  • Http basic authentication using CA Single Sign-On assertions
  • Certificate based client authentication using CA Single Sign-On assertions
  • SAML token authentication using CA Single Sign-On assertions
  • Kerberos token authentication using CA Single Sign-On assertions
JSON Web Token
JSON Web Token (JWT) is a standard (RFC 7519) used for authentication and information exchange, to securely transmit data between parties. A JWT can be signed, encrypted, or both. The information in a JWT is encoded as a JSON object. A signed JWT contains the following three parts, separated by dots (.):
  • Header
  • Payload
  • Signature
  • Header:
    The header is the first part of the token. It typically consists of two fields: the type of token (JWT) and the signature algorithm used for signing the token (for example, RS256). A further field, kid (Key ID), names the certificate alias used for signing the token.
  • Payload:
    The payload is the second part of the token. It contains the claims used for authenticating against CA SSO. sub (subject), exp (expiration time) and iat (the timestamp when the JWT was issued) are some of the reserved claims.
  • Signature:
    The signature is the third part of the token. To create the signature, take the encoded header, the encoded payload and a secret (or private key), and sign them with the algorithm that is specified in the header.
A sample signed JWT has the following form:
aaa.rrr.ttt
Where,
  • aaa: Specifies the header part.
  • rrr: Specifies the payload part.
  • ttt: Specifies the signature part.
Example:
eyJ0eXBlIjoiSldUIiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJzaXRlbWluZGVyIiwiZXhwIjoxNTA3NTI4NTcxLCJpYXQiOjE1MDc1MjEzNzF9.sos5ni4Xnl17FuUqE1ui-jTePP_daCJS37YwTl0-3qOsRB_hIWZ1npyaqPSh0LCAv1nZTj10-4MTBw8Yvxt3pqsxuGGIKWexgv-m9eivQ-PnJyD3Hoay-WwwiMgRyZ5zQ8FdchujwM3Y0JHXczLX3pVD7CY3RSlpLcbOkUXAskcBCyEup8-Vw9SCbhUPkLKPS7SP5IfuZsK6-DApGz87YRLnLvz2xzTS-kk-UqezQGdmK_xeVUtUI2VoW_mKtJXBZiELtjFLwRzvBkpF7tqv3UpOwItkF2sk8RTJzXtvJHoBS6NsAPNQr3Vz9HTlIjqXntfgIC2UYgZK-ryFPth_Yg
Header:
eyJ0eXBlIjoiSldUIiwiYWxnIjoiUlMyNTYifQ
is the header part of the JWT token. If you decode the header part, the output appears as:
{"type":"JWT","alg":"RS256"}
Payload:
eyJzdWIiOiJzaXRlbWluZGVyIiwiZXhwIjoxNTA3NTI4NTcxLCJpYXQiOjE1MDc1MjEzNzF9
is the payload part of the JWT token. If you decode the payload part from the above example, the output appears as:
{"sub":"siteminder","exp":1507528571,"iat":1507521371}
Signature:
sos5ni4Xnl17FuUqE1ui-jTePP_daCJS37YwTl0-3qOsRB_hIWZ1npyaqPSh0LCAv1nZTj10-4MTBw8Yvxt3pqsxuGGIKWexgv-m9eivQ-PnJyD3Hoay-WwwiMgRyZ5zQ8FdchujwM3Y0JHXczLX3pVD7CY3RSlpLcbOkUXAskcBCyEup8-Vw9SCbhUPkLKPS7SP5IfuZsK6-DApGz87YRLnLvz2xzTS-kk-UqezQGdmK_xeVUtUI2VoW_mKtJXBZiELtjFLwRzvBkpF7tqv3UpOwItkF2sk8RTJzXtvJHoBS6NsAPNQr3Vz9HTlIjqXntfgIC2UYgZK-ryFPth_Yg
is the signature part of the JWT token. The signature is computed over the encoded header and the encoded payload, using the algorithm that is named in the header's 'alg' field.
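The following Python example is added here to make the three-part structure concrete; it is not code from the Layer7 or CA SSO documentation. It splits the sample token shown above, base64url-decodes the header and payload, and checks the exp and iat claims against a supplied clock. Because the page's token is RS256-signed and its private key is not available, the signing and verification half of the example uses HS256 with a constructed secret (an assumption made for the demo, not the Gateway's configuration); the verifier pins the expected algorithm instead of trusting the alg value carried in the header, which is the check a relying party should always make.

```python
import base64
import hashlib
import hmac
import json

# The sample signed JWT from the page (header and payload as shown in the text).
PAGE_TOKEN = (
    "eyJ0eXBlIjoiSldUIiwiYWxnIjoiUlMyNTYifQ."
    "eyJzdWIiOiJzaXRlbWluZGVyIiwiZXhwIjoxNTA3NTI4NTcxLCJpYXQiOjE1MDc1MjEzNzF9."
    "sos5ni4Xnl17FuUqE1ui-jTePP_daCJS37YwTl0-3qOsRB_hIWZ1npyaqPSh0LCAv1nZTj10-4MTBw8Yvxt3pqsxuGGIKWexgv-m9eivQ-PnJyD3Hoay-"
    "WwwiMgRyZ5zQ8FdchujwM3Y0JHXczLX3pVD7CY3RSlpLcbOkUXAskcBCyEup8-Vw9SCbhUPkLKPS7SP5IfuZsK6-DApGz87YRLnLvz2xzTS-kk-"
    "UqezQGdmK_xeVUtUI2VoW_mKtJXBZiELtjFLwRzvBkpF7tqv3UpOwItkF2sk8RTJzXtvJHoBS6NsAPNQr3Vz9HTlIjqXntfgIC2UYgZK-ryFPth_Yg"
)


def b64url_decode(data):
    """Decode unpadded base64url (as used in JWT) back to bytes."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw):
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_jwt(token):
    """Return the (header, payload, signature) encoded parts of a signed JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a signed JWT has exactly three dot-separated parts")
    return parts[0], parts[1], parts[2]


def decode_unverified(token):
    """Decode header and payload WITHOUT checking the signature (inspection only)."""
    h, p, s = split_jwt(token)
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def claims_valid(payload, now, expected_sub=None):
    """Check the reserved claims the page describes: exp, iat and (optionally) sub.

    `now` is a Unix timestamp supplied by the caller so the check is reproducible.
    """
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        return False
    if now >= exp:          # token has expired
        return False
    if iat > now:           # token claims to be issued in the future
        return False
    if expected_sub is not None and payload.get("sub") != expected_sub:
        return False
    return True


def sign_hs256(header, payload, secret):
    """Build header.payload.signature with HMAC-SHA256 (demo algorithm, assumed)."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token, secret, now, expected_sub=None):
    """Verify an HS256 token: pin the algorithm, check the MAC, then the claims."""
    h, p, s = split_jwt(token)
    header = json.loads(b64url_decode(h))
    # Never let the token choose the algorithm: accept only the one we expect.
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False
    return claims_valid(json.loads(b64url_decode(p)), now, expected_sub)


if __name__ == "__main__":
    header, payload, signature = decode_unverified(PAGE_TOKEN)
    print("header :", header)
    print("payload:", payload, "(valid for", payload["exp"] - payload["iat"], "seconds)")
    print("signature bytes:", len(signature))
```

Decoding the page's token yields the header and payload shown above; the exp and iat values place the token's lifetime at exactly 7200 seconds. Note that decode_unverified is for inspection only: a relying party must run the signature check (verify_hs256 here, or the Gateway's RS256 verification with the certificate named by kid) before acting on any claim.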