Layer 7 Access Management


JWT Auth scheme - SM_USER field is giving full DN instead of sub claim (userID) from JWT token.

  • 1.  JWT Auth scheme - SM_USER field is giving full DN instead of sub claim (userID) from JWT token.

    Posted 05-24-2019 06:21 AM

    Hi Folks,

    Please help. We need just the userID as part of the SM_USER response header, whereas it is giving us the full DN value in SM_USER. Any reason why?

    We are using the Auth web services with CA Access Gateway 12.82 and CA SSO 12.82.

    Any help is much appreciated; this is a blocker for our important release to the existing applications, which only expect the userID as part of the SM_USER header, not the DN.


    Sample Request: curl -k -X POST -H "accept: application/json" -H "content-type: application/json" --data @jwt.data https://spshostname/authazws/AuthRestService/login/nexo/cg_jwtuid


    Request body of jwt.data: contains the signed JWT token as the binary credentials.


    { "binaryCreds": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6InNtb2lkY3NpZ25pbmcifQ.ew0KInN1YiI6InNzb2RlbW84IiwNCiAiYXV0aF90aW1lIjogMTU1ODYzOTM2OSwNCiAgImlzcyI6ICJodHRwczovL3Nwc3BvYy1kaXQubmouYWRwLmNvbSIsDQogICJleHAiOiAxNTU4NjM5NDg5LA0KICAiaWF0IjogMTU1ODYzOTM2OSwNCiAgICJlbWFpbCI6ICJtYXNjbUBhZHAuY29tIg0KfQ.LefwEcgZMbAJGt0grwj7suHDMRYTe-qitRlnrVywIHRvRkgPtSyELjkqiNRO91mFYh8-QCuIj8qd35sf88bF0LQ4RXQ1XeQjS-4P2uPK3I-r4VKLoQ2bZ-NWZrlg5at6JlzL90QgundNAaILotpN3YCxcSyGwYE3dN2kgm-dMZEz3J5YLw35luFsI1pirFs5VTIqS4afHLFxXwe47fLnHS4YJ2ChEzkTQwFuKbvYdGEXiW9j97kqgGRk9JxEERG6qptBioRPdKGGi4PTZhKfLHv_zaFrnLIN94g1rx8u2EDZbJFFzXTd1NFXCLm6nDoj6NfqTuz3JLkHUNB8BklgLg", "password": "", "userName": "", "action": "POST" }


    FYI, decoded JWT token:

    { "sub": "ssodemo8", "auth_time": 1558639369, "iss": "https://spshostname", "exp": 1558639489, "iat": 1558639369, "email": "csantho@yahoo.com" }


    Response: you can see from the response below that SM_USER has the value "uid=ssodemo8,ou=Users,o=ssodemo01,ou=clients,o=test.com", which I expected to be just ssodemo8.

    {"message":"Authentication Successful","resultCode":"LOGIN_SUCCESS","sessionToken":"...","authenticationResponses":{"response":[{"name":"SM_AUTHREASON","value":"0"},{"name":"testAccountID","value":""},{"name":"SM_SERVERIDENTITYSPEC","value":""},{"name":"SM_USERDN","value":"uid=ssodemo8,ou=Users,o=ssodemo01,ou=clients,o=test.com"},{"name":"SM_AUTHDIROID","value":"0e-39c23ba5-2a01-0018-0000-0de900000de9"},{"name":"SM_REALMOID","value":"06-0005d2cd-6464-1ce5-b88e-497d0b100000"},{"name":"SM_SERVERSESSIONID","value":"UqXz6leWhJxxr1xGa+2jSAxpUBI="},{"name":"mail","value":"csantho@yahoo.com"},{"name":"uid","value":"ssodemo8"},{"name":"SM_SESSIONDRIFT","value":"-1"},{"name":"testPersonID","value":""},{"name":"SM_UNIVERSALID","value":"ssodemo8"},{"name":"SM_AUTHDIRNAME","value":"ISIUsers"},{"name":"AUTHLEVEL","value":"5"},{"name":"SM_REALM","value":"ISIUsers_AuthZ_JWTUID_Standard"},{"name":"SM_USER","value":"uid=ssodemo8,ou=Users,o=ssodemo01,ou=clients,o=test.com"},{"name":"SM_TRANSACTIONID","value":"000000000000000000000000d675100b-6eea-5ce6f321-8467700-6dcc7a1e344"},{"name":"SM_AUTHDIRSERVER","value":"payxuserstore1.test.com,payxuserstore2.test.com,payxuserstore3.test.com,payxuserstore4.test.com,payxuserstore5.test.com,payxuserstore6.test.com,payxuserstore7.test.com,payxuserstore8.test.com,payxuserstore9.test.com,payxuserstore10.test.com,payxuserstore11.test.com,payxuserstore12.test.com,payxuserstore13.test.com,payxuserstore14.test.com,payxuserstore15.test.com,payxuserstore16.test.com"},{"name":"SM_TIMETOEXPIRE","value":"588844247"},{"name":"SM_SERVERSESSIONSPEC","value":"ZA97RbCGGjVaAs5fjjkx7o8Hb1nS/nsWtwT1mPHHx+JjGGDyxtb5wSwtkWYLVUFP8zwlTDFTotPk0kbKFetqN/LRwqP6/qfMTxk2HqhLNhBfqaOXRBxcHqXS1hHr/Sx00rsmRFN2Ek4FN51pGwU6TwFj7PtXfYN3WDytWhAxjl5zJ+acW1JS+nwuGJlPdPoPsk9k5Plri+8YYdh/8c6JrFyTvr9DvH7FbSiXNUx4PUkh0GTB8aKH0efh88ZqPMSNnm3dmi+wNghgdtnJDzPP9JsxsslybRPj1c2LbbC+wJdPWbybfFp9cEXIjBjIpIifTPfzzUC5szoQMh1ty4GeyltUQ5QoCvyE9+jkBx2UIsq2wRhhIdj9Pr58HU/SMvs+H/qTHJUK/UHTJc/Z0j86oK+hSHZxMG38Bu8wAXIbGaqQIOIVW2WfxHV7dSIwI/Go"},{"name":"SM_AUTHDIRNAMESPACE","value":"LDAP:"},{"name":"SM_AUTHTYPE","value":""},{"name":"SMSSOZONE","value":"SM"},{"name":"givenName","value":"ssodemo"}]}}


    Auth Scheme Def:

    User Directory Lookup definition:



  • 2.  RE: JWT Auth scheme - SM_USER field is giving full DN instead of sub claim (userID) from JWT token.
    Best Answer

    Posted 06-04-2019 12:18 PM

    Could you use "SM_UNIVERSALID" instead of "SM_USER"? The value of SM_USER is authentication-scheme dependent. For example, if you use the form-based authentication scheme with the standard login.fcc, SM_USER is actually set to whatever the end user entered. As a result, someone could enter DeMo1 or demo1 and the SM_USER value would be exactly as entered, even though a case-insensitive search over an LDAP user directory would resolve to the same user.

    SM_UNIVERSALID, however, is set on the User Directory definition.
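    The consequence of the answer above for a consuming application: read the user identity from SM_UNIVERSALID (defined on the User Directory) rather than from the scheme-dependent SM_USER. The following is an added example, not code from the thread or from Broadcom/CA. It flattens the authenticationResponses name/value list returned by the Auth REST service, refuses to proceed when the login did not succeed or SM_UNIVERSALID is absent, and cross-checks the result against the sub claim of the JWT that was submitted. The response dict and the token are constructed samples modelled on the question; the token carries a placeholder signature and the claim decoder does not verify signatures, so it is only a consistency check after the gateway has already validated the token.

```python
"""Select the user identity from a CA SSO Auth REST login response.

Added example (not from the thread or the product): prefers
SM_UNIVERSALID over SM_USER, as the answer recommends, and checks it
against the JWT "sub" claim. All sample data below is constructed.
"""
import base64
import json

# Constructed sample: a trimmed version of the response shown in the question.
SAMPLE_RESPONSE = {
    "message": "Authentication Successful",
    "resultCode": "LOGIN_SUCCESS",
    "authenticationResponses": {
        "response": [
            {"name": "SM_USERDN", "value": "uid=ssodemo8,ou=Users,o=ssodemo01,ou=clients,o=test.com"},
            {"name": "uid", "value": "ssodemo8"},
            {"name": "SM_UNIVERSALID", "value": "ssodemo8"},
            {"name": "SM_USER", "value": "uid=ssodemo8,ou=Users,o=ssodemo01,ou=clients,o=test.com"},
        ]
    },
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact JWS serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample token: header, the claims from the question's decoded
# JWT, and a placeholder third segment that is NOT a real RS256 signature.
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    _b64url(json.dumps({"sub": "ssodemo8", "iss": "https://spshostname",
                        "exp": 1558639489, "iat": 1558639369}).encode()),
    _b64url(b"placeholder-signature"),
])


def response_attributes(login_response: dict) -> dict:
    """Flatten the name/value list into a dict (first occurrence of a name wins)."""
    attrs = {}
    items = login_response.get("authenticationResponses", {}).get("response", [])
    for item in items:
        attrs.setdefault(item["name"], item["value"])
    return attrs


def user_identifier(login_response: dict) -> str:
    """Return the directory-defined user id, never the scheme-dependent SM_USER.

    Raises instead of falling back, so a caller cannot silently end up with
    a DN (or, under a forms scheme, with whatever the user typed).
    """
    if login_response.get("resultCode") != "LOGIN_SUCCESS":
        raise ValueError("login did not succeed")
    uid = response_attributes(login_response).get("SM_UNIVERSALID")
    if not uid:
        raise ValueError("SM_UNIVERSALID missing from authentication response")
    return uid


def jwt_sub_unverified(token: str) -> str:
    """Read the 'sub' claim of a compact JWS without checking the signature.

    For consistency checks only, after the gateway has validated the token;
    this is not a substitute for signature verification.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return payload["sub"]


def identity_matches_token(login_response: dict, token: str) -> bool:
    """True when the directory user id equals the sub claim of the submitted JWT."""
    return user_identifier(login_response) == jwt_sub_unverified(token)


if __name__ == "__main__":
    print("SM_USER        :", response_attributes(SAMPLE_RESPONSE)["SM_USER"])
    print("SM_UNIVERSALID :", user_identifier(SAMPLE_RESPONSE))
    print("matches JWT sub:", identity_matches_token(SAMPLE_RESPONSE, SAMPLE_JWT))
```

With the sample response, SM_USER yields the full DN while user_identifier() returns ssodemo8, matching the sub claim; removing SM_UNIVERSALID from the response makes user_identifier() raise rather than quietly substituting the DN.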




  • 3.  RE: JWT Auth scheme - SM_USER field is giving full DN instead of sub claim (userID) from JWT token.

    Posted 06-04-2019 12:18 PM
    Could you use SM_UNIVERSALID instead of SM_USER? That is set on the User Directory definition. SM_USER is authentication scheme dependent.