Unified Access Gateway supports JSON Web Token (JWT) validation. You can configure the JSON web token consumer settings to validate a SAML artifact issued by Workspace ONE Access during single sign-on to Horizon, and to support the Horizon protocol redirect feature when Unified Access Gateway is used with Horizon Universal Broker.

Workspace ONE Access issues a JWT-wrapped Horizon SAML artifact when the Wrap Artifact in JWT check box is enabled in the Workspace ONE Access Horizon configuration. This allows the Unified Access Gateway appliance to block SAML artifact authentication attempts unless a trusted JWT is supplied with the attempt.

In both use cases, you must specify the JWT settings that permit Unified Access Gateway to trust the issuer of the JWT tokens it receives.

Use a dynamic public key URL for the JWT consumer settings so that Unified Access Gateway automatically maintains the latest public keys for this trust. Use static public keys only if Unified Access Gateway cannot access the dynamic public key URL.

The following procedure describes the JSON web token consumer settings configuration:

Procedure

  1. In the admin UI Configure Manually section, click Select.
  2. Under Advanced Settings, select the JWT Settings gearbox icon.
  3. In the JWT Settings window, click either Add JWT Consumer or Add JWT Producer.
    If adding a JWT Consumer, enter the following details. Each option is listed with its default and description:

    Name: A name to identify this setting for validation.

    Issuer: Enter the case-sensitive JWT issuer value that is present in the issuer claim of the incoming token to be validated. By default, the value of this field is set to the Name field.
      Note: Issuer is configured only when Unified Access Gateway is used with Horizon Cloud Service.

    Dynamic Public key URL: Enter the URL for dynamically fetching the public key. The URL can serve either a single public key or a JSON Web Key Set (JWKS). With the JWKS format, multiple public keys in JSON Web Key (JWK) format can be obtained for validating the JWT. Each JWK has a unique identifier (kid), and this identifier is present in the JWT provided to Unified Access Gateway. Using this identifier, Unified Access Gateway selects the public key to be used.

    Public key URL thumbprints: Enter the list of thumbprints, as hexadecimal digits, of the server certificates of the public key URL. If you do not provide a list of thumbprints, ensure that the server certificates are issued by a trusted CA.

    Trusted Certificates:
    • To select a certificate in PEM format and add it to the trust store, click +.
    • To remove a certificate from the trust store, click -.
    • To provide a different name, edit the alias text box. By default, the alias name is the filename of the PEM certificate.

    Public key refresh interval: The interval, in seconds, at which the public key is periodically fetched from the URL.

    Static Public Keys: Click + to select and add a public key to use for JWT validation. The file must be in PEM format.
      Note: If a dynamic public key URL is not available, set a static public key.
    If adding a JWT Producer, enter the following details. Each option is listed with its default and description:

    Name: A JWT producer name to identify this setting for validation.

    Issuer: Enter the case-sensitive JWT issuer value to be placed in the issuer claim of the produced JWT that is sent to the recipient. By default, the value of this field is set to the Name field.

    JWT Signing Certificate Type: Select the certificate type for JWT signing from the drop-down menu. The options are:
    • PEM:
      • Private Key: Click Select and browse to the private key file for the certificate in PEM format.
      • Certificate Chain: Click Select and browse to the certificate chain file in PEM format.
    • PFX:
      • Upload PFX: Click Select and browse to the JWT signing certificate in PFX format.
      • Password: Enter the password of the PFX certificate.
      • Alias: Enter the alias of the PFX certificate if the certificate store contains multiple certificates.

    JWT Signing Private Key: Click Select and browse to the private key, in PEM format, for the certificate used for JWT signing.

    JWT Signing Certificate Chain: Click Select and browse to the certificate chain, in PEM format, used for JWT signing.

    Configure Encryption Public Key Settings: The encryption key (static or dynamic) is used to encrypt the JWT produced by Unified Access Gateway. Turn on this toggle to configure an encryption public key URL from which the public key is fetched dynamically. Turn off this toggle to upload static encryption public keys.

    Dynamic Public key URL: Enter the URL for dynamically fetching the public key. The URL can serve either a single public key or a JSON Web Key Set (JWKS). With the JWKS format, multiple public keys in JSON Web Key (JWK) format can be obtained for validating the JWT. Each JWK has a unique identifier (kid), and this identifier is present in the JWT provided to Unified Access Gateway. Using this identifier, Unified Access Gateway selects the public key to be used.

    Public key URL thumbprints: Enter the list of thumbprints, as hexadecimal digits, of the server certificates of the public key URL. If you do not provide a list of thumbprints, ensure that the server certificates are issued by a trusted CA.

    Trusted Certificates:
    • To select a certificate in PEM format and add it to the trust store, click +.
    • To remove a certificate from the trust store, click -.
    • To provide a different name, edit the alias text box. By default, the alias name is the filename of the PEM certificate. You can add a maximum of 64 trusted certificate files.

    Public key refresh interval: The interval, in seconds, at which the public key is periodically fetched from the URL. The default value is 3600 (1 hour). If this is set to 0, the public keys are fetched from the URL exactly once.

    Static Public Keys: Click + to select and add a public key to use for JWT encryption. The file must be in PEM format.
      Note: If a dynamic public key URL is not available, set a static public key.
  4. Click Save.

Results

The details of the parameters are listed under JWT Settings.