Symantec Access Management

  • 1.  Access Token as JWT

    Posted Nov 25, 2019 04:55 AM
    Hi,

    Are there any plans within Siteminder to provide the access token as a JWT token, as more vendors do (like Okta, KeyCloak)?

    Thanks,
    Bert


  • 2.  RE: Access Token as JWT

    Broadcom Employee
    Posted Nov 25, 2019 03:04 PM
    Bert, take a look at this; is this what you're looking for? Note that Single Sign-On authenticates JWTs either by generating an SMSESSION or without generating an SMSESSION.

    JSON Web Token (JWT) Authentication Scheme

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/json-web-token-jwt-authentication-scheme.html

    Take care.


  • 3.  RE: Access Token as JWT

    Posted Nov 26, 2019 03:00 AM
    Hi Vijay,

    No, this is not what I meant. The attached document is about step 1, where the client sends a JWT as an Authorization bearer header.

    The background is that when you develop an application, it usually consists of an (Angular) frontend that calls several different API backend services. The frontend handles the OIDC flows (code grant or implicit) and in the end receives an ID token and an access token. To access the backend APIs, the frontend calls these backend APIs with the access token as an Authorization bearer header, and that authorizes API access.

    Now, Siteminder provides the access token as an opaque token, which basically is a reference, a string of characters. It means that each API backend needs to call the introspection endpoint on the Siteminder Access Gateway to validate the access token, e.g. the expiration time. This could flood the gateway, and it requires the gateway to be available.

    What other vendors like KeyCloak and Okta do is provide the access token as a JWT token, similar to the ID token, that already contains all the information like expiration time, group memberships, etc. It is a self-contained token. It means that each API backend does not need to call the introspection endpoint each time, and it could even work in an offline mode.

    Hence my question whether Siteminder will provide this feature. The OIDC spec does not mandate any format for the access token, but providing it as a JWT token has lots of advantages.

    Thanks,
    Bert



  • 4.  RE: Access Token as JWT

    Posted May 14, 2020 03:35 PM
    Hi, I have the same question; does nobody have an answer to that?
    Thx


  • 5.  RE: Access Token as JWT
    Best Answer

    Broadcom Employee
    Posted May 15, 2020 02:50 AM
    Hi Marc

    At this moment, SiteMinder does not produce the access token or ID token in JWT format. It only accepts JWT as an authentication scheme. When SiteMinder integrates with Layer7 API Gateway, it can generate a JWT token (the SiteMinder session is passed to Layer7 API Gateway, and Layer7 API Gateway generates the access token or ID token in JWT format).

    Access token in JWT format is on our roadmap, but the date is not confirmed. When we support this feature, we will share it on the community site.

    Kind regards

    B.K.