The purpose of this document is to demonstrate how the out-of-the-box "JSON Web Token Authentication" scheme needs to be set up and tested.
Release : 12.8.05
Component : SITEMINDER - POLICY SERVER
In the official documentation, there are links to download the necessary files.
Set up a dedicated Windows Server for this demo.
Install JRE 8 or above for Tomcat.
Install Tomcat 9.
Extract the sample application zip file into a temporary folder.
A "JWT_Sample_Application" folder will be extracted.
Open the "JWT_Sample_Application\WEB-INF\classes\config.properties" file in Notepad.
Update the "CA_SSO_TARGET_URL" value to "http://<your_SPS_Server_FQHN>/sample/app/basic/".
For example, "http://sps-02.kimlabs.net/sample/app/basic/"
Note that "HTTP" is used in this sample. Once you get this working, you can switch to "HTTPS", but that requires importing the certificate chain into Tomcat.
Copy the "JWT_Sample_Application" folder to Tomcat's "webapps" folder.
Restart the Tomcat service.
You will need Access Gateway, Policy Server and AdminUI pre-configured.
Log on to AdminUI and create a "JSON Web Token Authentication" AuthScheme.
As documented, you need to do the following.
1. Select the "JSON Web Token Template".
2. Set the Protection Level (default 5).
3. Set the HMAC Shared Key to "THIS-IS-A-SECRET-WITH-MORE-THAN-256-BITS".
4. Clear "Disable SMSession Cookie Generation".
5. Create a Component and protect it using the AuthScheme created above.
6. Create a rule for the GET and POST methods.
7. Create a policy to authorize users.
8. Your Access Gateway proxy rule should already be configured to forward the connection to a backend resource.
In this sample, the following URLs are used.
All the setup is complete and ready to test.
1. Access the sample application at "http://apps.kimlabs.net:8080/JWT_Sample_Application".
2. At the login page, submit the username and password of an existing user that would be authorized by the configured policy.
3. The SMSESSION cookie will be set for the "http://apps.kimlabs.net:8080/JWT_Sample_Application" URL, and the browser is redirected to the CA_SSO_TARGET_URL defined in config.properties.
1. After submitting user credentials, only a blank page is displayed.
A) You might have specified an HTTPS URL in the config.properties file. The sample application needs to POST the Authorization header to the CA_SSO_TARGET_URL, but out of the box there is no certificate chain imported into Tomcat to trust the destination certificate. You will need to create a Java keystore and define it in the Tomcat settings.
2. Getting HTTP 401 at the destination URL
A) You might be testing with "http://localhost:8080/JWT_Sample_Application". Please use the FQHN.
A) The JWT token might be missing or invalid. (This may be a network-side issue.)
3. Getting HTTP 403 at the destination URL
A) You have not created the rules (GET and POST) and the policy to authorize the user.
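The following is an added example, not code from the Broadcom article or from the JWT_Sample_Application. It shows what the AuthScheme is checking when it accepts or rejects the JWT behind troubleshooting item 2 ("the JWT token might be missing or invalid"): an HS256 token is minted with the HMAC shared key from AuthScheme step 3, then verified with a pinned algorithm, a constant-time signature comparison, and an expiry check. Only the Python standard library is used, not any SiteMinder SDK. The claim names ("sub", "iss", "iat", "exp"), the 300-second lifetime and the test subject are constructed assumptions; the article does not state which claims the Policy Server expects.

```python
# Added example (not part of the Broadcom article or the sample application):
# mint and verify an HS256 JSON Web Token with only the Python standard library.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Shared key from the article's AuthScheme step 3. HS256 needs a key of at
# least 256 bits (32 bytes, RFC 7518 section 3.2); this one is 40 bytes.
SHARED_KEY = b"THIS-IS-A-SECRET-WITH-MORE-THAN-256-BITS"
MIN_HS256_KEY_BYTES = 32


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Build header.payload.signature for HS256; refuse keys shorter than 256 bits."""
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError("HS256 shared key must be at least 256 bits")
    compact = {"separators": (",", ":")}
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload_b64 = b64url_encode(json.dumps(claims, **compact).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims when the token is well-formed, signed with `key` and not
    expired; otherwise None (the case a gateway reports as HTTP 401)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None  # missing or truncated token
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None  # undecodable segment
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the token's own header must never choose a weaker one.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        return None
    if "exp" in claims and now >= int(claims["exp"]):
        return None  # expired
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: one good token plus the rejections a verifier must make."""
    claims = {"sub": "testuser", "iss": "JWT_Sample_Application", "iat": now, "exp": now + 300}
    good = mint_jwt(claims, SHARED_KEY)
    header_b64, _, sig_b64 = good.split(".")
    # Same signature, altered payload: must fail the HMAC check.
    altered_payload = b64url_encode(json.dumps({**claims, "sub": "other"}, separators=(",", ":")).encode())
    tampered = f"{header_b64}.{altered_payload}.{sig_b64}"
    # Header claiming "none" with an empty signature: must fail the algorithm pin.
    none_header = b64url_encode(json.dumps({"alg": "none"}, separators=(",", ":")).encode())
    unsigned = f"{none_header}.{altered_payload}."
    return {
        "valid": verify_jwt(good, SHARED_KEY, now) == claims,
        "wrong_key": verify_jwt(good, b"a-different-key-also-longer-than-32-bytes", now),
        "expired": verify_jwt(good, SHARED_KEY, now + 600),
        "tampered": verify_jwt(tampered, SHARED_KEY, now),
        "alg_none": verify_jwt(unsigned, SHARED_KEY, now),
        "missing": verify_jwt("", SHARED_KEY, now),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'accepted' if outcome not in (None, False) else 'rejected'}")
```

When a deployment returns 401 at the destination URL, the cases in `demo()` are the usual explanations: the Authorization header never arrived (the "missing" case, which the article attributes to the network path), the key configured in the AuthScheme does not match the one the application signs with, or the token expired between login and the POST. A 403, by contrast, means the token was accepted and the request failed authorization, which is why the article points to the missing GET/POST rules and policy for that code.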