Unified Access Gateway supports the JSON Web Token (JWT) validation. You can configure the JSON web token consumer settings to validate a SAML artifact issued by Workspace ONE Access during single sign-on to Horizon and to support the Horizon protocol redirect feature when the Unified Access Gateway is used with Horizon Universal Broker.

The Workspace ONE Access issues a JWT wrapped Horizon SAML artifact when the Wrap Artifact in JWT check box is enabled in the Workspace ONE Access Horizon configuration. This allows the Unified Access Gateway appliance to block authentication attempts unless a trusted JWT is supplied with the SAML artifact authentication attempt.

In both the use cases, you must specify the JWT settings to permit the Unified Access Gateway to trust the issuer of the JWT tokens received.

Use a dynamic public key URL for the JWT consumer settings so that the Unified Access Gateway automatically maintains the latest public keys for this trust. You must only use static public keys if the Unified Access Gateway cannot access the dynamic public key URL.

The following procedure describes the JSON web token consumer settings configuration:


  1. In the admin UI Configure Manually section, click Select.
  2. Under Advanced Settings, select the JWT Settings gearbox icon.
  3. In the JWT Settings window, click Add JWT Consumer.
  4. In the JWT Consumer Settings window, enter the following information:
    Option Default and Description
    Name A name to identify this setting for validation.
    Issuer Enter the case-sensitive JWT issuer value that is present in the issuer claim of the incoming token to be validated.

    By default, the value of this field is set to the Name field.

    Note: Issuer is configured only when Unified Access Gateway is used with Horizon Cloud Service.
    Dynamic Public key URL

    Enter the URL for dynamically fetching the public key.

    A public key can either be a single public key or a JSON Web Key Set (JWKS) format.

    With the JWKS format, multiple JSON Web Key (JWK) format public keys can be obtained for validating the JWT.

    Each JWK has a unique identifier (kid) and this identifier is present in the JWT provided to Unified Access Gateway. Using this identifier, Unified Access Gateway identifies the public key to be used.

    Public key URL thumbprints Enter the list of public key URL thumbprints. If you do not provide a list of thumbprints, ensure that the server certificates are issued by a trusted CA. Enter the hexadecimal thumbprint digits. For example, sha1= C3 89 A2 19 DC 7A 48 2B 85 1C 81 EC 5E 8F 6A 3C 33 F2 95 C3.
    Trusted Certificates
    • To select a certificate in the PEM format and add to the trust store, click +.
    • To remove a certificate from the trust store, click -.
    • To provide a different name, edit the alias text box.

      By default, the alias name is the filename of the PEM certificate.

    Public key refresh interval

    The time interval in seconds at which the public key is fetched from the URL periodically.

    Static Public Keys Click + to select and add a public key to use for JWT validation.

    The file must be in PEM format.

    Note: If a dynamic public key URL is not available, set a static public key.
  5. Click Save.


The details of the parameters are listed under JWT Settings.