Added in 24.09.
Learn how to set up and configure JWT SSO for your community authentication.
You will learn:
- Configuration of JWT SSO authentication to the community
- Passing the JWT to the community from an IDP
- JWT SSO flow
JSON Web Token Single Sign-On (JWT SSO) serves as a mechanism for single sign-on and authenticates users using a JSON web token. Since the token is digitally signed, the information is verified and trusted. For more information, see JWT.
Features of JWT:
- Reduces password fatigue and tampering
- Allows the client to add uniform authentication policies
- Secure exchange of information
Prerequisite
Note: Contact Khoros Support to enable the community to use the JWT SSO.
You must have an Identity Provider (IDP) installed in the community.
Adding JWT File
To configure JWT SSO authentication, add the JWT SSO file to your Aurora Plugin (Community Git Repository).
You can add the JWT SSO configuration file named jwt.sso.json in the res > sso folder of your Git repository.
Here is an example jwt.sso.json file:
{
"signature": {
"algorithm": "HS256",
"keyProvider": {
"type": "secret"
}
},
"token": {
"parameterName": "jwt",
"issuer": "https://your.idp.com/issuer/uri",
"audience": "http://your.idp.com/audience/uri",
"subjectRequired": true,
"expirationRequired": true,
"clockSkew": 60
},
"claims": {
"ssoId": "sub",
"login": "login",
"email": "email"
}
}
JSON File Field Information
The table below describes the fields you can add to your jwt.sso.json file.
| Field Name | Required | Description | Possible Value(s) | Default | Example |
|---|---|---|---|---|---|
| signature | No | The Hash contains information needed to verify the JWT signature (JWS). | NA | NA | NA |
| signature/algorithm | No |
The Algorithm used to sign the JWT. This should map to the expected value of the alg header. |
HS256 HS384 HS512 RS256 RS384 RS512 ES256 ES384 ES512 |
HS256 | "algorithm": "RS256" |
| signature/keyProvider | No | The Hash contains information needed to locate the key that is used to verify the signature. | NA | NA | NA |
| signature/keyProvider/type | No |
The Key Provider Type Possible types include: secret: The key is a shared secret which is configured by Khoros. file: The key is a public key, stored by Khoros in the community database, and is transmitted via a Khoros API call. jwks_url: The key is a JSON Web Key (JWK) that is a public key, stored and hosted by the Identity Provider (IDP), and is pulled into the community to use to verify the JWS via an HTTP GET call to a URL. |
secret jwks_url file |
secret | "type": "file" |
| signature/keyProvider/url | Yes (if type=jwks_url) |
This field should be included only if the type field is set to jwks_url. This is the URL to retrieve the JSON Web Key (JWK) from the JSON Web Key Store (JWKS). The URL request is expected to be made via HTTP GET call, and a response will be returned in the JWK Set Format. |
NA | NA | "url": "https://YOUR_IDP_URL/jwks/certs" |
| token | No | The Hash contains information to retrieve and validate the JWT. | NA | NA | NA |
| token/parameterName | No | The name of the request parameter from which the JWT will be retrieved. | NA | jwt | NA |
| token/issuer | No |
If this field is set, the issuer claim (iss header) in the JWT must have the same value and the issuer is required even if you didn’t set the issueRequired field.
|
NA | NA | NA |
| token/issuerRequired | No |
If this field is set, a valid issuer claim (iss header) is required in the JWT. You don't need to set this field if you have already set the issuer field.
|
NA | false | NA |
| token/audience | No |
If the audience claim (aud header) is set in the JWT, it must have this exact value. If this field is set, the issuer is required even if the issuerRequired field is not set.
|
NA | NA | NA |
| token/audienceRequired | No |
If an audience claim (aud header) is present, it must be set in the JWT. If the issuer field is set, this field is not required.
|
NA | false | NA |
| token/subject | No |
If the subject claim (sub header) is set in the JWT, it must have this exact value. If this field is set, the issuer is required even if the issuerRequired field is not set.
|
NA | NA | NA |
| token/subjectRequired | No |
If a subject claim (sub header) is present, it must be set in the JWT. You don't need to set this if you have already set the issuer field. |
NA | false | NA |
| token/expirationRequired | No | If set, a JWT must include an expiration time claim (exp header). | NA | false | NA |
| token/clockSkew | No | This sets the allowed number of seconds of clock skew when verifying the JWTs Not Before claim (nbf header) or expiration time claim (exp header). | NA | NA | NA |
| claims | No | NA | NA | 60 | NA |
| claims/ssoId | No | The field in the JWT Claims contains the user's SSO ID, which uniquely identifies the user in the Identity Provider's Data Store. | NA | external_id | NA |
| claims/login | No | The field name in the JWT Claims is used to retrieve the user's login/screen name. If your Aurora Community is set up to capture the screen name when the user initially signs in through SSO, then this field will not be used. | NA | login | NA |
| claims/email | No | The field name in the JWT Claims is used to retrieve the user’s email address. If your Aurora Community is set up to capture the email when the user initially signs in through SSO, then this field will |
ATLAS
Comments