OAuth Bearer Single Sign-On Method
Overview: Configuring SSO OAuth Bearer using passthrough
You can configure OAuth Bearer SSO as passthrough to use the JSON Web Token (JWT) received from the client. The OAuth scope check authenticates the client, and the system then sends the received token to the backend server.
Before you start, you need to have created an access policy, access profile, and a virtual server to meet your needs. Here we configure OAuth Bearer SSO using the passthrough option for the token source.
Creating an OAuth bearer SSO configuration for passthrough
For example, to use OAuth Bearer SSO, you need an access profile, access policy, and a virtual server. The access profile being used in this configuration must contain an OAuth Bearer SSO configuration. The virtual server needs to specify the access profile.
Example access policy configuration using passthrough
Here is an example access policy configured using passthrough. The JWT received from the client is used: it goes through the OAuth scope check, and if the check succeeds, the received JWT is sent to the backend server.
Overview: Configuring SSO OAuth Bearer to create JWT
You can configure OAuth Bearer SSO to create, sign, and send a JSON Web Token (JWT) to backend applications that require an access token.
- Create claims for the JWT, as needed
- Create a JSON Web Key (JWK) configuration
- Create an OAuth Bearer SSO configuration
- Associate the OAuth Bearer configuration with the access profile
- Use AAA (AD query), SAML, or other authentication method in the access policy
- Assign the access profile to the virtual server
Before you start, you need to have created an access policy, access profile, and a virtual server to meet your needs. Here we add the OAuth Bearer SSO configuration to your environment.
About OAuth Bearer SSO
Bearer tokens are tokens that OAuth 2.0 uses to authorize clients to access protected resources.
OAuth Bearer SSO provides a JSON Web Token (JWT) in the form of a bearer token to the backend resource server. You can configure OAuth Bearer SSO as passthrough (where the JWT received from the client is used), or have APM generate and sign the JWT token for the backend SSO.
Configuring JWT claims
Configuring JSON web keys (JWKs)
Creating an OAuth bearer SSO configuration to create JWT
OAuth Bearer SSO configuration settings
These settings are available when you create an OAuth Bearer SSO configuration.
General Properties for OAuth Bearer SSO configuration
Setting | Value | Additional Information |
---|---|---|
Name | Name of the SSO configuration. | The name must begin with a letter, or underscore, and contain only letters, numbers, underscores, dashes, and periods. Maximum length including the partition name is 225 characters. Avoid using global reserved words in the name, such as all, delete, disable, enable, help, list, none, show, or None. |
SSO Method | Displays the type of SSO configuration. | Cannot be changed. |
Headers | Header name-value pairs to send with the SSO method. | Available when you select Advanced from the General Properties list. |
Send Token | Specifies when to send the token (for OAuth Bearer). | Specify Always to always send the token. Specify On 4xx Response to send the token when you receive a 4xx response from the server; select On 400, On 401, and/or On 403. The system first forwards the user's HTTP request to the web server without inserting the token. If the server requests authentication by responding with a 4xx status code (that is enabled), the system retries the request with the token. |
Log Settings | Specifies which log settings to use for the access event logs. By default, the log settings specified in the access profile are used. | You can create custom log settings or use the default-log-settings for this SSO configuration. Click + to create custom settings. |
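The Send Token and Headers rows above describe a retry decision the system makes per request. The following Python simulation is an added example, not F5 code: the backend, the token value and the header names are constructed, and the `SendTokenPolicy` class is a stand-in for the settings in the table.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple

Response = Tuple[int, str]                       # (HTTP status, body)
Backend = Callable[[Dict[str, str]], Response]   # request headers -> response


@dataclass
class SendTokenPolicy:
    """The Send Token and Headers settings of one OAuth Bearer SSO configuration (constructed stand-in)."""
    mode: str                                   # "Always" or "On 4xx Response"
    on_4xx: FrozenSet[int] = frozenset()        # enabled subset of {400, 401, 403}
    headers: Dict[str, str] = field(default_factory=dict)


def forward_with_sso(request_headers: Dict[str, str], token: str,
                     policy: SendTokenPolicy, backend: Backend) -> List[Tuple[bool, int]]:
    """Forward one request the way the table describes and return every attempt
    as (token_inserted, status). Always: insert the bearer token up front.
    On 4xx Response: try without it, and retry once with it only if the server
    answers with a status code that is enabled in the configuration."""
    attempts: List[Tuple[bool, int]] = []

    def send(insert_token: bool) -> int:
        headers = {**request_headers, **policy.headers}   # Headers setting: extra name-value pairs
        if insert_token:
            headers["Authorization"] = f"Bearer {token}"
        status, _body = backend(headers)
        attempts.append((insert_token, status))
        return status

    if policy.mode == "Always":
        send(True)
    elif send(False) in policy.on_4xx:
        send(True)
    return attempts


def make_backend(challenge_status: int, expected_token: str) -> Backend:
    """Constructed backend: 200 with the expected bearer token, otherwise the challenge status."""
    def backend(headers: Dict[str, str]) -> Response:
        if headers.get("Authorization") == f"Bearer {expected_token}":
            return 200, "ok"
        return challenge_status, "token required"
    return backend
```

Two consequences worth checking in a real deployment follow from the table: a server that challenges with 403 while only On 401 is enabled never receives the token, so the enabled codes must match how the backend actually challenges; and Always removes the extra round trip at the cost of sending the bearer token on every request.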
Passthrough OAuth Bearer SSO configuration settings
These are the settings to use when the bearer token is retrieved from another source.
Setting | Value | Additional Information |
---|---|---|
Token Source | Specifies Passthrough to indicate that the user has a token from another source. | Default value |
OAuth Server | Specifies the OAuth server that provided the token. | Required value |
Generate JWT OAuth Bearer SSO configuration settings
These are the settings to use when the system generates and signs the OAuth bearer token. For this configuration, you need to have created a JWK key configuration and optional JWT claims.
Setting | Value | Additional Information |
---|---|---|
Token Source | Specifies Generate JWT to indicate that you want the system to create a JWT access token. | The system creates a JWT and sends it to the backend server as an OAuth Bearer token. |
Issuer | Specifies the issuer of the JWT. | This must be a URI and it is mandatory. For example, https://authserver/oauth2. |
Subject | Specifies what the token is intended for. | The value can be a string, URI, or session variable, such as %{session.assigned.uuid}. |
Enable Token Cache | When selected, stores the token in cache for the session and reuses it; enabling the cache provides increased performance. | When cleared, the token is generated for every request. |
Access Token Lifetime | Specifies the number of minutes a JWT access token is considered valid. | The default is 5 minutes. |
Ignore Expired Certificate Validation | When selected, the certificate is used for signing a JWT access token even if it is expired. | When cleared, the system sends an error message if the certificate has expired. |
Signing Key | Specifies a JSON web key (JWK) configuration for signing the token. | It is mandatory. You can create JWKs as described in Configuring JSON web keys (JWKs). |
Audience | Specifies the audience claim for which the JWT access token is intended. | This is a list of values. Each value in this list can be a string, URI, or session variable. For example, https://newapp. |
Scope | Specifies one or more space-separated scope strings (using the ASCII character set) or session variables. | For example, openid phone email. |
JWT Claims | Specifies a list of claims that define additional information that you want to transmit as part of the JWT access token. | You can create claims as described in Configuring JWT claims. |
Adding OAuth bearer SSO to an access profile
Example access policy configurations generating JWTs
Here is an example access policy using an OAuth scope check. If the check is successful, an AD Query retrieves more user data. Then, SSO generates the JWT access token with the retrieved information and sends it to the backend server.
Here is an example access policy configured with an AAA agent. It goes through the OAuth scope check. If the check is successful, an AD Query retrieves more user data. Then, SSO generates the JWT with the retrieved information and sends it to the backend server.
Here is an access policy configured with a SAML SP agent. SAML authentication retrieves the SAML 2.0 bearer token and validates it.
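The OAuth scope check used in both the passthrough policy (earlier section) and the generate-JWT policies above, together with the Generate JWT settings table (Issuer, Subject, Audience, Scope, Access Token Lifetime, Enable Token Cache, JWT Claims), can be followed end to end in the Python example below. It is an added example, not F5 code and not APM's implementation: both JWKs are constructed symmetric (kty "oct") keys and the tokens are signed with HS256 so the block runs on the standard library, whereas a real Signing Key configuration may hold an asymmetric key; `ad_query`, the session id, the subject names and `issue_client_token` are constructed stand-ins for the AD Query agent, the APM session, and the external OAuth server.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Iterable, List, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_sign(claims: dict, jwk: dict) -> str:
    """Sign a JWT with a symmetric (kty "oct") JWK using HS256. Assumption: the
    page's Signing Key JWK may be asymmetric (RS256); HS256 is used here only so
    the example runs on the standard library."""
    def compact(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    signing_input = f"{compact(header)}.{compact(claims)}"
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256)
    return f"{signing_input}.{b64url(mac.digest())}"


def hs256_verify(token: str, jwk: dict, now: float) -> Optional[dict]:
    """Return the claims only if the signature checks out and exp is in the future."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    mac = hmac.new(b64url_decode(jwk["k"]), f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), b64url_decode(parts[2])):
        return None
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def oauth_scope_check(token: str, jwk: dict, required: Iterable[str], now: float) -> Optional[dict]:
    """OAuth scope check agent: signature and expiry first, then every required scope."""
    claims = hs256_verify(token, jwk, now)
    if claims is None or not set(required) <= set(claims.get("scope", "").split()):
        return None
    return claims


class OAuthBearerSSO:
    """Generate JWT token source: builds and signs the backend token from the
    Issuer, Audience, Scope, Access Token Lifetime and JWT Claims settings, and
    reuses it per session while it is still valid when the token cache is on."""

    def __init__(self, issuer: str, audience: List[str], scope: str, jwk: dict,
                 lifetime_minutes: int = 5, token_cache: bool = True):
        self.issuer, self.audience, self.scope, self.jwk = issuer, audience, scope, jwk
        self.lifetime, self.token_cache = lifetime_minutes, token_cache
        self._cache: Dict[str, tuple] = {}  # session id -> (exp, token)

    def token_for(self, session_id: str, subject: str, extra_claims: dict, now: float) -> str:
        cached = self._cache.get(session_id)
        if self.token_cache and cached and cached[0] > now:
            return cached[1]                 # Enable Token Cache: reuse until it expires
        body = {"iss": self.issuer, "sub": subject, "aud": self.audience, "scope": self.scope,
                "iat": int(now), "exp": int(now) + self.lifetime * 60, **extra_claims}
        token = hs256_sign(body, self.jwk)
        if self.token_cache:
            self._cache[session_id] = (body["exp"], token)
        return token


# Constructed keys: one for the external OAuth server that issued the client's
# token, one standing in for the APM Signing Key JWK configuration.
OAUTH_SERVER_JWK = {"kty": "oct", "kid": "authserver-1", "k": b64url(b"constructed-authserver-secret-0001")}
APM_SIGNING_JWK = {"kty": "oct", "kid": "apm-sso-1", "k": b64url(b"constructed-apm-signing-secret-0002")}
SSO = OAuthBearerSSO("https://authserver/oauth2", ["https://newapp"], "openid phone email", APM_SIGNING_JWK)


def ad_query(subject: str) -> dict:
    """Stand-in for the AD Query agent; returns constructed attributes."""
    return {"email": f"{subject}@example.test", "groups": ["app-users"]}


def issue_client_token(subject: str, scope: str, now: float, lifetime: int = 600) -> str:
    """Constructed helper: the token the external OAuth server would give the client."""
    return hs256_sign({"iss": "https://authserver/oauth2", "sub": subject, "scope": scope,
                       "iat": int(now), "exp": int(now) + lifetime}, OAUTH_SERVER_JWK)


def run_access_policy(authz_header: str, session_id: str, now: float) -> Optional[str]:
    """Scope check -> AD Query -> generate JWT. Returns the Authorization header
    value for the backend request, or None when the policy denies access."""
    if not authz_header.startswith("Bearer "):
        return None
    claims = oauth_scope_check(authz_header[len("Bearer "):], OAUTH_SERVER_JWK, ["openid"], now)
    if claims is None:
        return None
    sso_token = SSO.token_for(session_id, claims["sub"], ad_query(claims["sub"]), now)
    return f"Bearer {sso_token}"
```

For the passthrough variant, `run_access_policy` would return the incoming header unchanged after `oauth_scope_check` instead of calling `SSO.token_for`; the check itself is the same. Note that the backend verifying the generated token must use the APM signing key, not the OAuth server's key, and should check `iss`, `aud` and `exp` itself rather than trusting the header alone.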
Adding the access profile to the virtual server
You associate the access profile with the virtual server so that the system can apply the profile to incoming traffic.