Symantec Access Management

Tech Tip : CA Single Sign-On : OpenID Connect behavior

    Broadcom Employee
    Posted 11-29-2018 10:37 AM

    Question:


    We'd like to know if the following token issued by CA Single Sign-On
    is a JWT Signed Token.

    The first part of the decrypted token doesn't have the "typ" header
    and as such we'd like you to confirm that this token is a JWT.

    Header:

    {
      "kid": "65804645-989e-4833-8dd7-f17c7782ea00",
      "alg": "RS256"
    }

    Payload:

    {
      "sub": "CN=myname,OU=myuser,O=myorganization",
      "aud": "c11d5f88-3bba-4a66-8faf-58d6bbb8547z",
      "mail": "myname@test.com",
      "auth_time": 1540223760,
      "iss": "https:\/\/mymachine.mydomain.com:9443",
      "exp": 1540227660,
      "permisos": "Rol2^Rol1",
      "iat": 1540223760,
      "nonce": "5zugzYdnoOoIKAxbxwqHmVoxFvtlLoeo8i8Hluvzsiie",
      "nombre": "Name of myname"
    }

    Signature:

    [signature]

    Answer:

    At first glance, the "typ" header is optional. JSON Web Token (JWT),
    RFC 7519, section 5.1 ("typ" Header Parameter):

    "Use of this Header Parameter is OPTIONAL."

    https://tools.ietf.org/html/rfc7519#page-11

    The section:

    {
      "kid": "65804645-989e-4833-8dd7-f17c7782ea00",
      "alg": "RS256"
    }

    contains the JWS header parameters given by CA Single Sign-On.

    CA SSO 12.8 is a Certified OpenID Connect implementation. Please refer
    to the link below for information.

    https://openid.net/certification/

    So CA SSO 12.8 is a Certified OpenID Connect implementation, and the
    OpenID Connect 1.0 RFC already sets out that the ID Token conforms to
    JWT for the signed and encrypted contents of the token.

    KB : KB000121501
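    The checks a relying party should run on a token like the one above, as an
    added example that is not part of the original post and is not CA Single
    Sign-On code: it mints a compact JWS with the same header shape (kid and
    alg, no typ), publishes the public key as a JWKS document selectable by
    kid, and verifies the token the way OpenID Connect Core 1.0 section
    3.1.3.7 requires (pinned alg, kid lookup, RS256 signature, then iss, aud,
    exp and nonce). The iss, aud, kid and claim values are copied from the
    token in the post as constructed sample data. The RSA key generation and
    PKCS#1 v1.5 signing are a toy pure-Python implementation, assumed here
    only so the file runs with no third-party packages; real code should use
    a vetted library. The JWKS layout follows RFC 7517.

```python
import base64, hashlib, hmac, json, random
ISSUER = "https://mymachine.mydomain.com:9443"       # "iss" of the token shown in the post
CLIENT_ID = "c11d5f88-3bba-4a66-8faf-58d6bbb8547z"   # "aud" of the token shown in the post
KID = "65804645-989e-4833-8dd7-f17c7782ea00"         # "kid" of the token shown in the post
SAMPLE_CLAIMS = {  # constructed sample data: the claim set from the decoded token in the post
    "sub": "CN=myname,OU=myuser,O=myorganization", "aud": CLIENT_ID, "mail": "myname@test.com",
    "auth_time": 1540223760, "iss": ISSUER, "exp": 1540227660, "permisos": "Rol2^Rol1",
    "iat": 1540223760, "nonce": "5zugzYdnoOoIKAxbxwqHmVoxFvtlLoeo8i8Hluvzsiie", "nombre": "Name of myname"}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# --- Toy RSA in pure Python, seeded so the example is reproducible. Demonstration only. ---
def _probable_prime(n: int, rng, rounds: int = 32) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random bases
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def generate_rsa_key(bits: int = 1024, seed: int = 2018) -> dict:
    rng, e, half, primes = random.Random(seed), 65537, bits // 2, []
    while len(primes) < 2:
        c = rng.getrandbits(half) | (1 << (half - 1)) | 1  # force top bit and oddness
        if _probable_prime(c, rng) and (c - 1) % e and c not in primes:  # (c-1) % e keeps e invertible
            primes.append(c)
    p, q = primes
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix
def _emsa_pkcs1_v15(msg: bytes, em_len: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t
def rs256_sign(msg: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")
def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(msg, k))

def public_jwks(key: dict, kid: str) -> dict:
    """What the issuer's jwks_uri would serve: public key material only, selectable by kid."""
    b64 = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64(key["n"]), "e": b64(key["e"])}]}

def mint_id_token(claims: dict, key: dict, kid: str) -> str:
    header = {"kid": kid, "alg": "RS256"}  # no "typ": it is OPTIONAL (RFC 7519 section 5.1)
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode("ascii"), key))

def verify_id_token(token: str, jwks: dict, issuer: str, client_id: str, nonce: str, now: int) -> dict:
    """Check the JWS envelope first, then the ID Token claims; raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token pick it (e.g. "none")
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if "typ" in header and header["typ"].upper() != "JWT":  # absent is fine, a wrong value is not
        raise ValueError("unexpected typ %r" % header["typ"])
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no key for kid %r" % header.get("kid"))
    n, e = (int.from_bytes(b64url_decode(jwk[x]), "big") for x in ("n", "e"))
    if not rs256_verify((parts[0] + "." + parts[1]).encode("ascii"), b64url_decode(parts[2]), n, e):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))  # trust the payload only after the signature checks
    if claims.get("iss") != issuer:
        raise ValueError("wrong iss")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong aud")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (replay?)")
    return claims

def demo():  # mint a token shaped like the one in the post plus the JWKS needed to verify it
    key = generate_rsa_key()
    return mint_id_token(SAMPLE_CLAIMS, key, KID), public_jwks(key, KID)
```

    Call demo() to get a token and its JWKS, then verify_id_token(token, jwks,
    ISSUER, CLIENT_ID, SAMPLE_CLAIMS["nonce"], now) with a now value inside the
    token's validity window; the exp in the sample claims is from October 2018,
    so pass now explicitly rather than using the clock. The order matters: the
    alg is pinned and the signature is verified before a single claim is read,
    so a header rewritten to alg "none", a modified payload, or a token signed
    by a key the JWKS does not list is rejected before it can influence
    anything, and only then are iss, aud, exp and nonce compared.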