Broadcom Mainframe Software Community


Looking for details about Authentication Methods for Single Sign-On in Zowe? Zowe Docs has got you covered!

By Jan Ausky posted Mar 21, 2025 10:46 AM


Zowe’s Single Sign-On (SSO) capabilities simplify access to mainframe resources while maintaining robust security. A range of authentication methods is available both for Zowe extenders (developers integrating services) and for Zowe end-users. Detailed guidance on implementing authentication, including configuring security settings, verifying tokens, and handling authorization, is available at Zowe Docs.

For this blog, we’ll take a look at authentication methods available to both Zowe extenders and Zowe end-users.

Authentication Methods for Zowe Extenders

Zowe extenders can integrate their services with the API Mediation Layer (API ML) through the following authentication methods, all of which leverage the common External Security Managers (ESMs): RACF, ACF2, and Top Secret.

  1. JSON Web Tokens (JWT): Services can be configured to accept JWTs issued by the Zowe Authentication and Authorization Service (ZAAS). JWTs enable stateless authentication, reducing the need for repeated credential verification and improving performance. This is the recommended authentication method in the Zowe ecosystem.

  2. SAF IDT: System Authorization Facility Identity Tokens (SAF IDT) leverage mainframe security mechanisms to authenticate users. This method integrates directly with the external security managers, ensuring compatibility with existing mainframe access controls. SAF IDT is primarily useful in environments where mainframe security products are already in place.

  3. PassTickets: PassTickets are time-sensitive, encrypted authentication tokens that allow users to access services without transmitting passwords. They provide an added layer of security by preventing password reuse and exposure, but also require proper synchronization with SAF and may introduce operational complexity in certain configurations.

  4. Zowe Authentication and Authorization Service (ZAAS) Client: ZAAS is a Java library that provides a simplified interface for authentication tasks, such as obtaining and managing JWTs and PassTickets, without requiring detailed knowledge of REST API calls. This approach streamlines security implementations by reducing dependencies and abstracting complex authentication processes. As with any library, developers must ensure proper configuration and management to maintain security and functionality.

For a deeper dive into implementing these methods, see Single Sign-On Integration for Extenders in Zowe Docs.

Authentication Methods for Zowe Users

End-users accessing Zowe services also have a range of methods that can be leveraged for authentication. The Zowe documentation on Using Single Sign-On covers authentication setup, session management, troubleshooting, and integration with enterprise identity providers, all to help users optimize their login experience. Each method has its own advantages:

  1. JSON Web Tokens (JWT): After an initial authentication, users receive a JWT that provides access to multiple services without requiring repeated logins. This approach enhances user experience and scalability, as JWTs eliminate the need for server-side session management. Note that JWTs are bearer tokens: anyone holding the token can use it, so proper expiration and revocation mechanisms must be enforced to prevent misuse.

  2. Client Certificates: Users can authenticate by presenting a valid client certificate issued by a trusted Certificate Authority (CA). This method strengthens security by eliminating password-based authentication, reducing the risk of credential theft. Zowe v3 now offers an internal API ML mapper by default, which maps client certificates directly to user identities within the System Authorization Facility (SAF), eliminating the need for external mapping services.

  3. Personal Access Tokens (PAT): PATs are long-lived authentication tokens that allow users to access specific services without needing to enter credentials repeatedly. PATs are particularly useful for automation and API integrations, but they also require organizations to have strict policies in place to revoke or rotate tokens when necessary.

  4. OpenID Connect (OIDC): Authenticating with OIDC in Zowe allows users to log in using tokens issued by an external OIDC provider, facilitating SSO across both mainframe and distributed systems. This method enhances security and user convenience by leveraging standardized identity protocols. Note that the internal API Mediation Layer (API ML) mapper can also be leveraged with this authentication method.

For more details on these user authentication methods, consult the Zowe documentation on Using Single Sign-On.

Conclusion

Zowe provides a range of authentication methods for both extenders and users, ensuring flexibility in securing mainframe access. By choosing the right method, organizations can optimize security, performance, and user experience while maintaining compliance with enterprise policies.
