Adding a JWT Provider

Follow the steps below to add a JWT Header or Parameter SSO Provider.

  1. In the Administration application, expand User Management and click SSO Config. Anzo displays the Single Sign On screen, which lists any existing providers. For example:

  2. Click the Add SSO Config button and select JWT Provider. Then choose JWT Header Provider or JWT Parameter Provider, depending on the type of authentication that is used. The Create screen for that type of provider is displayed. For example:

  3. Configure the required properties and any optional settings as needed. The lists below describe the properties for JWT Header and Parameter providers.

    Header

    • Title: This property sets the name for the connection that you are creating.
    • Description: This property can be used to provide a brief description of the provider configuration.
    • Enable on matched container ID: This property sets the list of container IDs to match. This provider will be active if the request container ID matches one of the listed container IDs. Click the field and select a container ID from the drop-down list. To specify multiple IDs, click the field again and select another value. To remove a container from the list, click the X on the right of the container name.
    • Header Prefix: This property can be used to specify the header prefix if one is used.
    • Header Name: This property can be used to specify the header name.
    • Signing Secret: This property specifies the secret with which the token is signed.
    • Key Algorithm: This property can be used to specify the signing algorithm that is used for the key.
    • Encryption Algorithm: This property can be used to specify the encryption algorithm that is used to sign or encrypt the tokens.
    • Encryption Method: This property can be used to specify encryption method that is used for encrypted tokens.
    • Encryption Secret: This property can be used to specify the secret that is used for encrypted tokens.
    • Enable on match regex: This property can be used to define regular expression rules for matching request URLs to enable. To add a rule, type an expression in the field and click Add. This provider will be active if the request URL matches any of the supplied expressions. If this field is blank, the provider will be active by default.
    • Disable on match regex: This property can be used to define regular expression rules for matching request URLs to disable. To add a rule, type an expression in the field and click Add. This provider will be inactive if the request URL matches any of the supplied expressions. If this field is blank, the provider will be active by default.
    • User Identifier: This property specifies the SSO provider attribute, such as email or username, to use for looking up users in the directory server.
    • Email Template regex: If an email attribute was specified as the User Identifier, this property can be used to specify a regular expression to use for identifying variations between email addresses stored by the SSO provider and email addresses returned by the directory server.
    • Email Template Replacement: This property can be used to define a replacement email template to use if there are variations found by Email Template regex.
    • User Template regex: If a username attribute was specified as the User Identifier, this property can be used to specify a regular expression to use for identifying variations between user names stored by the SSO provider and names returned by the directory server.
    • User Template Replacement: This property can be used to define a replacement user template to use if there are variations found by User Template regex.
    • Use username directly: This property controls whether the identity provider directly authenticates a user by validating a username and password or by validating an assertion about the user’s identity as defined by a separate identity provider.
    • Skip CSRF check: This property controls whether to perform or skip a cross-site request forgery (CSRF) check.
    • LDAP domain: This property identifies the LDAP domain to use for user lookup.
    • LDAP email property: This property defines the LDAP email property to use to find the associated user's dn. For example, http://openanzo.org/ontologies/2008/07/Anzo#ldapEmailInfo.
    • Principal Template: This property can be used to define the template to use for populating roles and returning user URIs.

    Parameter

    • Title: This property sets the name for the connection that you are creating.
    • Description: This property can be used to provide a brief description of the provider configuration.
    • Enable on matched container ID: This property sets the list of container IDs to match. This provider will be active if the request container ID matches one of the listed container IDs. Click the field and select a container ID from the drop-down list. To specify multiple IDs, click the field again and select another value. To remove a container from the list, click the X on the right of the container name.
    • Parameter Name: This property specifies the header parameter name.
    • Supports GET request: This property controls whether GET requests are supported using the token.
    • Supports POST request: This property controls whether POST requests are supported using the token.
    • Signing Secret: This property specifies the secret with which the token is signed.
    • Key Algorithm: This property can be used to specify the signing algorithm that is used for the key.
    • Encryption Algorithm: This property can be used to specify the encryption algorithm that is used to sign or encrypt the tokens.
    • Encryption Method: This property can be used to specify encryption method that is used for encrypted tokens.
    • Encryption Secret: This property can be used to specify the secret that is used for encrypted tokens.
    • Enable on match regex: This property can be used to define regular expression rules for matching request URLs to enable. To add a rule, type an expression in the field and click Add. This provider will be active if the request URL matches any of the supplied expressions. If this field is blank, the provider will be active by default.
    • Disable on match regex: This property can be used to define regular expression rules for matching request URLs to disable. To add a rule, type an expression in the field and click Add. This provider will be inactive if the request URL matches any of the supplied expressions. If this field is blank, the provider will be active by default.
    • User Identifier: This property specifies the SSO provider attribute, such as email or username, to use for looking up users in the directory server.
    • Email Template regex: If an email attribute was specified as the User Identifier, this property can be used to specify a regular expression to use for identifying variations between email addresses stored by the SSO provider and email addresses returned by the directory server.
    • Email Template Replacement: This property can be used to define a replacement email template to use if there are variations found by Email Template regex.
    • User Template regex: If a username attribute was specified as the User Identifier, this property can be used to specify a regular expression to use for identifying variations between user names stored by the SSO provider and names returned by the directory server.
    • User Template Replacement: This property can be used to define a replacement user template to use if there are variations found by User Template regex.
    • Use username directly: This property controls whether the identity provider directly authenticates a user by validating a username and password or by validating an assertion about the user’s identity as defined by a separate identity provider.
    • Skip CSRF check: This property controls whether to perform or skip a cross-site request forgery (CSRF) check.
    • LDAP domain: This property identifies the LDAP domain to use for user lookup.
    • LDAP email property: This property defines the LDAP email property to use to find the associated user's dn. For example, http://openanzo.org/ontologies/2008/07/Anzo#ldapEmailInfo.
    • Principal Template: This property can be used to define the template to use for populating roles and returning user URIs.
  4. When you have finished configuring properties, click Save to save the provider setup.