IBM Verify

  • 1.  fed-id-param

    Posted Mon November 18, 2019 12:30 PM
    Hi everyone,

    I've followed this link and have successfully been able to authenticate using a JWT token that is passed on a junction. 
    https://www.ibm.com/blogs/security-identity-access/oauth-jwt-access-token/

    I'm now wanting to see if there is a way to use different STS chains based on what the federation ID is. 

    The fed-id-param seems to allow this but when I pass a request parameter it doesn't seem to make any difference. It always uses the value of default-fed-id.

    # The Provider ID of the default OAuth federation. If a Provider ID is not
    # provided in the request using the fed-id-param option, this provider ID will
    # be used for OAuth requests. The Provider ID of a federation can be found on
    # the federation properties page.
    default-fed-id = urn:jwt:webseal
    # The name of the request parameter that can be used to override the
    # default-fed-id option configured above. By deleting this configuration
    # option, you can enforce that the default fed id is always used.
    fed-id-param = FederationId

    For example:
    curl -k -s -S https://myurl/myjunction/index.html?FederationId=urn:jwt:websealtest -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0ZGFtYSIsIm.example

    This always uses the STS chain path for urn:jwt:webseal instead of urn:jwt:websealtest.

    Am I not passing the request parameter correctly?

    Thanks,
    Scott



    ------------------------------
    Scott Reichardt.
    ISAM 9.0.6
    ------------------------------


  • 2.  RE: fed-id-param

    Posted Mon November 18, 2019 12:47 PM
    Hello Scott,

    That parameter does not work as expected when using OAuth authentication, which is the default rule.

    To get around this, I make a 'token router' JavaScript mapping rule that can be built into a trust chain:
    https://github.com/IBM-Security/isam-support/blob/master/config-example/federation/ws-trust/mapping/token-router.js

    You can use that in conjunction with the following Open Mic presentation to set up a trust chain that will allow you to both service the default OAuth tokens as well as route to other trust chains.

    Open Mic reference:
    https://www.ibm.com/support/pages/webinar-replay-leveraging-json-web-tokens-ibm-security-access-manager-8-august-2019-presentation-attached

    Hopefully between these two you'll be able to validate the different JWTs seamlessly as per your requirements.

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 3.  RE: fed-id-param

    Posted Mon November 18, 2019 01:55 PM
    Edited by Scott Reichardt Mon November 18, 2019 02:09 PM
    Thanks, Jack! Based on that I ended up simply modifying the jwt_at_common.js and routing based on the junction called (which is what my use case is):

    function validateJwt(at, stsuu) {

        // First we need to build a binary security token from the jwt:
        var bst = IDMappingExtUtils.stringToXMLElement('<wss:BinarySecurityToken xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wss:EncodingType="http://ibm.com/2004/01/itfim/base64encode"  wss:ValueType="urn:com:ibm:JWT" >'+at+'</wss:BinarySecurityToken>');
        // Request path the token arrived on (the "path" context attribute of the OAuth request)
        var requestedId;
        var temp_attr = stsuu.getContextAttributes().getAttributeValuesByNameAndType("path", "urn:ibm:names:ITFIM:oauth:request");
        if (temp_attr != null && temp_attr.length > 0) {
            requestedId = temp_attr[0];
        }
        IDMappingExtUtils.traceString("\n\nrequestedId is:\n" + requestedId + "\n");
        // validate the token and check for junction string
        var token;
        if (/myjunction/.test(requestedId)) {
            IDMappingExtUtils.traceString("\n\nCalled validate\n");
            token = callSts(bst, "urn:jwt:validate");
        } else {
            IDMappingExtUtils.traceString("\n\nCalled validate2\n");
            token = callSts(bst, "urn:jwt:validate2");
        }
        return token;
    }


    ------------------------------
    Scott Reichardt
    ------------------------------
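The router in Jack's reply and the junction test in Scott's mapping rule both select an STS chain from request data, so the chain-selection logic is worth getting right: an unanchored check such as /myjunction/.test(path) also matches /notmyjunction/ or /foo/myjunction, and a missing "path" attribute silently falls through to the else branch. The example below is added here and is not part of the thread, IBM's token-router.js or jwt_at_common.js. It factors the routing decision into a pure function with anchored junction matching and a fail-closed default, then shows the ISAM-side glue around it. Assumptions: the route table and the "/partner" junction are hypothetical (the chain IDs urn:jwt:validate and urn:jwt:validate2 come from the thread), the "path" context attribute carries the junction-prefixed request path as Scott's code implies, and IDMappingExtUtils and callSts are the mapping-rule globals used in the thread, so validateJwt only runs inside the ISAM rule engine while selectChain runs anywhere.

```javascript
// Added example, not code from the thread or from IBM. Route table maps a
// junction prefix to the STS chain that validates JWTs arriving on it.
// Junction names and chain IDs here are assumptions for illustration; the
// first matching entry wins, so list more specific prefixes first.
var ROUTES = [
  { junction: '/myjunction', chain: 'urn:jwt:validate' },
  { junction: '/partner',    chain: 'urn:jwt:validate2' }   // hypothetical
];

// True only when `path` is exactly the junction or a sub-path of it.
// This avoids the substring problem of /myjunction/.test(path), which would
// also match /notmyjunction/... or /foo/myjunction/... and route a token to
// the wrong chain based on an attacker-chosen path.
function pathUnderJunction(path, junction) {
  if (path === junction) return true;
  return path.indexOf(junction + '/') === 0;
}

// Pure routing decision. Returns the chain ID, or `defaultChain` when no
// route matches or the path is missing. Pass null as the default to fail
// closed (no chain, token rejected) rather than silently using a fallback.
function selectChain(path, routes, defaultChain) {
  if (typeof path !== 'string') return defaultChain;   // attribute absent
  var clean = path.split('?')[0];                      // junction match on path only
  for (var i = 0; i < routes.length; i++) {
    if (pathUnderJunction(clean, routes[i].junction)) return routes[i].chain;
  }
  return defaultChain;
}

// --- ISAM side: only callable inside the mapping-rule engine --------------
// Assumes the "path" context attribute and the IDMappingExtUtils / callSts
// globals exist as in the thread's jwt_at_common.js.
function requestPath(stsuu) {
  var vals = stsuu.getContextAttributes()
    .getAttributeValuesByNameAndType('path', 'urn:ibm:names:ITFIM:oauth:request');
  return (vals != null && vals.length > 0) ? String(vals[0]) : null;
}

function validateJwt(at, stsuu) {
  var chain = selectChain(requestPath(stsuu), ROUTES, null);
  if (chain === null) {
    IDMappingExtUtils.traceString('No STS chain routed for request path; rejecting token');
    return null;                                       // fail closed
  }
  IDMappingExtUtils.traceString('Routing JWT to chain ' + chain);
  var bst = IDMappingExtUtils.stringToXMLElement(
    '<wss:BinarySecurityToken xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ' +
    'wss:EncodingType="http://ibm.com/2004/01/itfim/base64encode" wss:ValueType="urn:com:ibm:JWT">' +
    at + '</wss:BinarySecurityToken>');
  return callSts(bst, chain);
}

// Constructed sample paths (not real traffic) to show the routing decision
// offline; each line prints the path and the chain selected, or null.
var SAMPLE_PATHS = [
  '/myjunction/index.html?FederationId=urn:jwt:websealtest',
  '/partner/api/v1/token',
  '/notmyjunction/index.html',
  '/foo/myjunction/index.html',
  undefined
];
SAMPLE_PATHS.forEach(function (p) {
  console.log(String(p) + ' -> ' + selectChain(p, ROUTES, null));
});
```

Keeping selectChain free of ISAM APIs means the routing table can be unit-tested outside the appliance before the rule is uploaded, and the fail-closed null default makes an unrouted junction a visible trace entry rather than a token quietly validated by whichever chain happened to be in the else branch.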