SiteMinder Verification of other Application Generated Token

Article ID: 209348

Products

CA Single Sign On Federation (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

When configuring SiteMinder, one might like to know whether SiteMinder can accept a JWT issued by another application when the token's "kid" header identifies the public key to verify it with.

 

Resolution

SiteMinder provides a JWT Authentication Scheme which can accept tokens produced by third-party software.

For signature (JWS) and encryption (JWE) validation, SiteMinder can be configured to use the value of the "kid" header parameter, provided that value is the alias of a certificate in SiteMinder's key store (1).

Note that "kid" is optional in the JOSE header, and when present its value must be a JSON string (2).
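The following is an added example, not SiteMinder code or anything from the Broadcom documentation, showing the key-selection logic the resolution describes: the verifier reads the JOSE header, treats an omitted "kid" as the empty string and rejects a non-string "kid" (as the draft in (2) specifies), looks the value up as an alias in a local trust store, and only then checks the signature. SiteMinder maps the alias to a certificate; to keep this runnable with the standard library alone the example uses HMAC secrets (HS256) as the key material, and the alias names, secrets and claims are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust store: certificate alias -> key material.  SiteMinder
# would resolve the alias to a certificate; HS256 secrets stand in here so
# the example runs without third-party libraries.
TRUST_STORE = {
    "app-signing-2024": b"constructed-secret-for-app-signing-2024",
    # Per the draft, an omitted "kid" is equivalent to "" : give it its own key.
    "": b"constructed-default-key-when-kid-is-absent",
}

# Only explicitly configured algorithms are accepted; anything else is rejected
# before any key lookup happens.
ALLOWED_ALGS = {"HS256"}


def b64url_decode(text):
    """Base64url without padding, as JOSE uses it."""
    text += "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text)


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_jwt(claims, kid, secret):
    """Build a signed token; kid=None omits the header parameter entirely."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid          # may be a non-string to exercise the check
    h64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url_encode(sig)}"


def select_key(header):
    """Resolve the JOSE header "kid" to a key alias in the trust store."""
    kid = header.get("kid", "")                 # omitted == empty string
    if not isinstance(kid, str):
        raise ValueError("kid must be a JSON string")
    if kid not in TRUST_STORE:
        raise ValueError("unknown key alias")   # never trust keys carried in the token
    return TRUST_STORE[kid]


def verify_jwt(token):
    """Return the claims if the token verifies, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    key = select_key(header)
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("signature invalid")
    return json.loads(b64url_decode(p64))


def check(token):
    """Verified claims on success, otherwise the rejection reason as a string."""
    try:
        return verify_jwt(token)
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    good = make_jwt({"sub": "alice"}, "app-signing-2024", TRUST_STORE["app-signing-2024"])
    print("known alias   :", check(good))
    print("no kid        :", check(make_jwt({"sub": "bob"}, None, TRUST_STORE[""])))
    print("unknown alias :", check(make_jwt({"sub": "eve"}, "not-in-store", b"x")))
    print("non-string kid:", check(make_jwt({"sub": "eve"}, 42, b"x")))
```

Running the script prints one line per scenario: the known alias and the omitted-kid token verify, while an unknown alias and a numeric "kid" are rejected before any signature check, which is the behaviour a verifier should have when the alias list is the only source of trusted keys.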

 

Additional Information

 

(1)

    JSON Web Token (JWT) Authentication Scheme (Release 12.8.03 and Later)

      SiteMinder supports JSON Web Token (JWT) template as an
      authentication scheme and accepts JWTs to authenticate and authorize
      a protected resource. The information in a JWT is encoded and
      securely transmitted as a JSON object that is digitally signed using
      JSON Web Signature (JWS). From Release 12.8.03, SiteMinder accepts a
      JWT request of the signed, or encrypted, or signed and encrypted
      format.

      JOSE Header

      A signed and encrypted JWT carries a header that is known as the
      JOSE header (JSON Object Signing and Encryption) that describes the
      algorithm which is used to process the data contained in the JWT.
      The JOSE header defines the following header parameters:

      kid    Key ID

      [...]

      9. (Optional) Select the Use JOSE Header KID as Certificate Alias.

 [...]

      Use JOSE Header KID as Certificate Alias for JWS Validation

 [...]

      Use JOSE Header KID as Certificate Alias for JWE Validation

 [...]

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/json-web-token-jwt-authentication-scheme.html

(2)

    Reserved Header Parameter Names

      | Header    | JSON   | Header    |                                                   |
      | Parameter | Value  | Parameter | Header Parameter Semantic                         |
      | Name      | Type   | Syntax    |                                                   |
      |-----------+--------+-----------+---------------------------------------------------|
      | kid       | string | string    | The "kid" (key ID) header parameter is a hint     |
      |           |        |           | indicating which specific key owned by the signer |
      |           |        |           | should be used to validate the signature.         |
      |           |        |           | This allows signers to explicitly signal a change |
      |           |        |           | of key to recipients. Omitting this parameter     |
      |           |        |           | is equivalent to setting it to an empty string.   |
      |           |        |           | The interpretation of the contents of the "kid"   |
      |           |        |           | parameter is unspecified.                         |
      |           |        |           | This header parameter is OPTIONAL.                |

    https://self-issued.info/docs/draft-jones-json-web-token-01.html#ReservedHeaderParameterName