accessmanagerssojwt

This configuration is required when using the plugin AccessManager_Sso_Jwt.

  • Documentation

  • YAML Format

  • XML Format

Fill relevant inputs (blue boxes) and click the blue bars on the left to copy XML configuration snippets.
<accessManagerSsoJwtConfiguration
<keyLoader
<keyStorePath
>
required
string

Path to the Java keystore file with the public key used for JWT validation.

</keyStorePath>
<keyStoreType
>
optional
string

Type of the keystore. One of Java supported keystore types (JKS/JCEKS/PKCS12). Usually 'JKS'.

</keyStoreType>
<keyStorePassword
>
optional
string

Password used to unlock the keystore.

</keyStorePassword>
>
required

Configuration of a keystore for JWT encryption validation. A named public key from the keystore configured here is used to validate the JWT encryption.

</keyLoader>
<tokenCookieName
>
optional
string

If a JWT will be submitted via cookie its name can be configured here. A JWT can be placed in a bearer token in the Authentication header, as the value of a query parameter called 'access_token' or passed as a cookie.

</tokenCookieName>
Choice: Choose only ONE of the following
<jwtValidation
<configurationPreset
xsd:string
adamas
WTP
Medienportal
>
optional
</configurationPreset>
<verificationKeyAlias
>
required
string
</verificationKeyAlias>
<maxTokenValiditySpanInSeconds
>=1
xsd:long
>
optional
</maxTokenValiditySpanInSeconds>
<maxIssuedAtValiditySpanInSeconds
>=1
xsd:long
>
optional
</maxIssuedAtValiditySpanInSeconds>
<allowedAudiences
<audience
>
optionalmax. unbounded
string
</audience>
>
optional
</allowedAudiences>
>
optional

Optional JWT validation option when using a named preconfigured configuration preset ('configurationPreset') in special customer environments. Alternatively look at the `genericJwtValidation` below.

</jwtValidation>
<genericJwtValidation
<configurationPreset
xsd:string
adamas
WTP
Medienportal
>
optional
</configurationPreset>
<verificationKeyAlias
>
required
string

Alias of the public key in the configured keystore (see: element `keyloader`) to use for JWT validation and decryption.

</verificationKeyAlias>
<claims
<claim
validation
required
=
xsd:string
required
optional

If validation is required and if the claim is missing in the token, then the token will be rejected. If it's optional then all other validations will be performed only if claim is in the token.

<shortName
>
required
string

Name of the claim to validate. For example `nbf`. For public claims only this field is required

</shortName>
<name
>
optional
string

Human-readable name.

</name>
<type
xsd:string
StringOrURI
StringList
NumericDate
JSON
>
optional

The type of claim content.

</type>
<allowedValues
<value
>
requiredmax. unbounded
string
</value>
>
optional

Can be used for `StringOrURI` or `StringList` type of claims: For `StringOrURI` validation fails if value of claim in token is not any of values given here in configuration. For `StringList` validation fails if any value in token is not in list of values given here in configuration. For example in roles claim we want to make sure authentication server can only give user one of view-map roles and not for example the Admin role which is possible to do with `requiredValues`

</allowedValues>
<requiredValues
<value
>
requiredmax. unbounded
string
</value>
>
optional

Can be used for `StringOrURI` or `StringList` type of claims: For StringOrURI validation fails if value of claim in token is not any of values given here in configuration. For StringOrURI it works the same as `allowedValues` For StringList validation fails if no value of claim in token is equal to any of values given here in configuration. A good example is the aud public claim.

</requiredValues>
>
requiredmax. unbounded
</claim>
>
optional

List of claim validation rules for claims which should be checked before using the JWT. If user wants to declare validation for a public claim, they may only put `shortName`. For private claims, one has to declare name and type. Public claims that are always required are: iss, sub, exp, nbf. They cannot be declared as optional here. This only configures a set of validation rules. For a mapping of claims to cadenza groups and user properties see elements `groupMapping` and `propertyMapping`.

</claims>
<timeSpanValidation
<timeSpan
<claim1
>
required
string

ShortName of the first claim to compare.

</claim1>
<claim2
>
required
string

ShortName of the second claim to compare

</claim2>
<spanInSeconds
>=1
xsd:long
>
required

The token will be rejected if the time between both claims is larger than this value.

</spanInSeconds>
>
requiredmax. unbounded
</timeSpan>
>
optional

Optional validation rules for timespans between time attributes in the claims of a JWT. Usable to validate time attributes like expiration (exp), not-before (nbf) and issued-at (iat) of a JWT. Validation includes a time difference in seconds between two time attributes in the token. If both claims are optional and not in the token validation will be ignored

</timeSpanValidation>
>
optional

Generic JWT Validation option suitable for projects without a named preconfigured configuration ('configurationPreset'). Use to configure checks on JWTs that are performed before they are used.

</genericJwtValidation>
Choice End
<groupMapping
Choice: Choose only ONE of the following
<claim
>
required
token

The token claim name where the values are read from.

</claim>
<claimPath
>
required
string

A JsonPath expression into the token content to define where the values are read from.

</claimPath>
Choice End
<staticMapping
>
optionalmax. unbounded

A simple/static mapping from fixed token claim values to corresponding Cadenza group names. The simple group mapping will map the given group from the token (`claimValue`) to the group in cadenza (`groupName`).

claimValue
optional
=
token
groupName
optional
=
token
</staticMapping>
<dynamicMapping
>
optional
boolean

Dynamic group mapping can be used, if the names in the token and in Cadenza are identical. If the token contains groups 'A' and 'B', then the user in cadenza will get the cadenza groups 'A' and 'B', if they exist.

Default: false

</dynamicMapping>
>
optional

Configuration of the group mapping between token claims and Cadenza-defined groups.

</groupMapping>
<propertyMapping
<property
>
requiredmax. unbounded

Configuration of a single property mapping from token claim to Cadenza user property.

name
optional
=
token

The property name by which the information shall be accessible by means of user variable if it is present in the ID token.

Choice: Choose only ONE of the following
<claim
>
required
token

The token claim name where the values are read from.

</claim>
<claimPath
>
required
string

A JsonPath expression into the token content to define where the values are read from.

</claimPath>
Choice End
</property>
>
optional

Configuration of the property mapping between token claims and Cadenza user properties.

</propertyMapping>
>
required
</accessManagerSsoJwtConfiguration>
This is a generated sample file with fake data and all the possible options shown, refer to the Documentation tab for what combinations are valid and what is required or not. 
cadenzaconfig:
  settings:
    accessmanagerssojwt:
      keyLoader:
        keyStorePath: "text"
        keyStoreType: "text"
        keyStorePassword: "text"
      tokenCookieName: "text"
      jwtValidation:
        configurationPreset: "adamas"
        verificationKeyAlias: "text"
        maxTokenValiditySpanInSeconds: 25
        maxIssuedAtValiditySpanInSeconds: 25
        allowedAudiences:
        - "text"
        - "text"
      genericJwtValidation:
        configurationPreset: "adamas"
        verificationKeyAlias: "text"
        claims:
        - validation: "required"
          shortName: "text"
          name: "text"
          type: "StringOrURI"
          allowedValues:
          - "text"
          - "text"
          requiredValues:
          - "text"
          - "text"
        - validation: "required"
          shortName: "text"
          name: "text"
          type: "StringOrURI"
          allowedValues:
          - "text"
          - "text"
          requiredValues:
          - "text"
          - "text"
        timeSpanValidation:
        - claim1: "text"
          claim2: "text"
          spanInSeconds: 25
        - claim1: "text"
          claim2: "text"
          spanInSeconds: 25
      groupMapping:
        claim: "text"
        claimPath: "text"
        staticMapping:
        - claimValue: "text"
          groupName: "text"
        - claimValue: "text"
          groupName: "text"
        dynamicMapping: true
      propertyMapping:
      - name: "text"
        claim: "text"
        claimPath: "text"
      - name: "text"
        claim: "text"
        claimPath: "text"

Filename: accessmanagerssojwt-config.xml

This is a generated sample file with fake data and all the possible options shown, refer to the Documentation tab for what combinations are valid and what is required or not. 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<accessManagerSsoJwtConfiguration>
  <keyLoader>
    <keyStorePath>text</keyStorePath>
    <keyStoreType>text</keyStoreType>
    <keyStorePassword>text</keyStorePassword>
  </keyLoader>
  <tokenCookieName>text</tokenCookieName>
  <jwtValidation>
    <configurationPreset>adamas</configurationPreset>
    <verificationKeyAlias>text</verificationKeyAlias>
    <maxTokenValiditySpanInSeconds>25</maxTokenValiditySpanInSeconds>
    <maxIssuedAtValiditySpanInSeconds>25</maxIssuedAtValiditySpanInSeconds>
    <allowedAudiences>
      <audience>text</audience>
      <audience>text</audience>
    </allowedAudiences>
  </jwtValidation>
  <genericJwtValidation>
    <configurationPreset>adamas</configurationPreset>
    <verificationKeyAlias>text</verificationKeyAlias>
    <claims>
      <claim validation="required">
        <shortName>text</shortName>
        <name>text</name>
        <type>StringOrURI</type>
        <allowedValues>
          <value>text</value>
          <value>text</value>
        </allowedValues>
        <requiredValues>
          <value>text</value>
          <value>text</value>
        </requiredValues>
      </claim>
      <claim validation="required">
        <shortName>text</shortName>
        <name>text</name>
        <type>StringOrURI</type>
        <allowedValues>
          <value>text</value>
          <value>text</value>
        </allowedValues>
        <requiredValues>
          <value>text</value>
          <value>text</value>
        </requiredValues>
      </claim>
    </claims>
    <timeSpanValidation>
      <timeSpan>
        <claim1>text</claim1>
        <claim2>text</claim2>
        <spanInSeconds>25</spanInSeconds>
      </timeSpan>
      <timeSpan>
        <claim1>text</claim1>
        <claim2>text</claim2>
        <spanInSeconds>25</spanInSeconds>
      </timeSpan>
    </timeSpanValidation>
  </genericJwtValidation>
  <groupMapping>
    <claim>text</claim>
    <claimPath>text</claimPath>
    <staticMapping claimValue="text" groupName="text"/>
    <staticMapping claimValue="text" groupName="text"/>
    <dynamicMapping>true</dynamicMapping>
  </groupMapping>
  <propertyMapping>
    <property name="text">
      <claim>text</claim>
      <claimPath>text</claimPath>
    </property>
    <property name="text">
      <claim>text</claim>
      <claimPath>text</claimPath>
    </property>
  </propertyMapping>
</accessManagerSsoJwtConfiguration>