Hi Joao,
For an OIDC definition, the metadata file is available at:
/<runtime junction>/sps/oauth/oauth20/metadata/<definition name>
This points to a JWKS endpoint where public certificates are available:
/<runtime junction>/sps/oauth/oauth20/jwks/<definition name>
If I remember correctly, this JWKS endpoint publishes all the public certificates that are present in the keystore referenced in the definition (default is rt_profile_keys).
For JWT support in the STS, there's a JWKS endpoint at:
/<runtime junction>/sps/jwks
(In my system I had to add an ACL to this endpoint to open it up for access.)
If these endpoints don't have the URL required by your service providers (they might be hard-coded to want a .well-known URL) then you can perform a URL mapping using transformation rules in the Reverse Proxy.
There isn't a published endpoint for SAML certificates (it's not a core part of the SAML specification) but there's nothing to stop you from hosting a statically created JWKS or metadata document on the Reverse Proxy or a backend server.
While I was searching for information on this I found a blog by our developer @Leo Farrell which documents some of this in more depth:
https://community.ibm.com/community/user/security/blogs/leo-farrell/2019/06/04/isam-jwks-endpoint
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
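As an added example (not code from the thread, from ISAM or from IBM), here is how a relying party would consume the two endpoints Jon describes: read `jwks_uri` from the OIDC metadata document, pick the JWK whose `kid` matches the JWT header, and verify an RS256 signature with it. Everything is constructed inline: the issuer URL and endpoint paths are assumptions, and the signing key is a toy (modulus 2**521-1, a prime rather than p*q) so the script runs offline without an RSA library.

```python
import base64, hashlib, hmac, json

# Constructed sample of what the two endpoints return (values made up; the paths are assumed).
ISSUER = "https://isam.example.com/mga/sps/oauth/oauth20"
METADATA = {"issuer": ISSUER, "jwks_uri": ISSUER + "/jwks/mydef"}
# Toy key: modulus is the prime 2**521-1, not p*q, so the demo can sign with no RSA library.
# A real JWKS carries the keystore's genuine RSA key; never use a key like this for real.
TEST_N, TEST_E, KID = 2 ** 521 - 1, 65537, "rt_profile_keys-1"
TEST_D = pow(TEST_E, -1, TEST_N - 1)                     # phi(p) = p-1 for a prime modulus
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def i2b(x: int, k: int = 0) -> bytes:
    return x.to_bytes(k or (x.bit_length() + 7) // 8, "big")
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": KID,
                  "n": b64u(i2b(TEST_N)), "e": b64u(i2b(TEST_E))}]}
def pkcs1_v15(n: int, data: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 block for SHA-256(data), padded out to the modulus length."""
    t = DIGESTINFO_SHA256 + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (len(i2b(n)) - len(t) - 3) + b"\x00" + t
def rs256_verify(data: bytes, sig: bytes, n: int, e: int) -> bool:
    """Raise the signature to e mod n and compare the entire padded block, not just the hash."""
    k = len(i2b(n))
    return len(sig) == k and hmac.compare_digest(
        i2b(pow(int.from_bytes(sig, "big"), e, n), k), pkcs1_v15(n, data))
def verify_jwt(token: str, metadata: dict, jwks: dict) -> dict:
    """Validate an ISAM-issued JWT with the keys from jwks_uri; raise on any failure."""
    h64, p64, s64 = token.split(".")
    header = json.loads(unb64u(h64))
    if header.get("alg") != "RS256":                     # pin the alg; never trust the token's
        raise ValueError("unexpected alg")
    keys = [k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")]
    if not keys:
        raise ValueError("kid %r not found at %s" % (header.get("kid"), metadata["jwks_uri"]))
    n, e = (int.from_bytes(unb64u(keys[0][f]), "big") for f in ("n", "e"))
    if not rs256_verify((h64 + "." + p64).encode(), unb64u(s64), n, e):
        raise ValueError("bad signature")
    claims = json.loads(unb64u(p64))
    if claims.get("iss") != metadata["issuer"]:
        raise ValueError("issuer mismatch")
    return claims
def mint_token(claims: dict) -> str:
    """Issuer side of the demo: sign header.payload with the toy private exponent."""
    h64 = b64u(json.dumps({"alg": "RS256", "kid": KID}).encode())
    p64 = b64u(json.dumps(claims).encode())
    em = int.from_bytes(pkcs1_v15(TEST_N, (h64 + "." + p64).encode()), "big")
    return ".".join([h64, p64, b64u(i2b(pow(em, TEST_D, TEST_N), len(i2b(TEST_N))))])
```

In a real deployment the relying party fetches METADATA from the metadata URL over TLS, then fetches `jwks_uri`, and should refetch the JWKS when a token arrives with an unknown `kid` (key rotation in rt_profile_keys).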
Original Message:
Sent: Wed May 05, 2021 02:03 PM
From: Joao Goncalves
Subject: ISAM Certificate endpoints
If I am using a certificate to sign documents (SAML, JWT, and more), how can I provide an ISAM URL where users can obtain the public certificate that is in an ISVA SSL keystore?
------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
------------------------------