UAG (Unified Access Gateway) supports the JSON Web Token (JWT) validation. You can configure the JSON web token settings to validate a SAML artifact issued by Workspace ONE Access during single sign-on to Horizon and to support the Horizon protocol redirect feature when the UAG is used with Horizon Universal Broker.
The Workspace ONE Access issues a JWT wrapped Horizon SAML artifact when the Wrap Artifact in JWT check box is enabled in the Workspace ONE Access Horizon configuration. This allows UAG to block authentication attempts unless a trusted JWT is supplied with the SAML artifact authentication attempt.
In both the use cases, you must specify the JWT settings to permit the UAG to trust the issuer of the JWT tokens received.
Use a dynamic public key URL for the JWT settings so that the UAG automatically maintains the latest public keys for this trust. You must only use static public keys if the UAG cannot access the dynamic public key URL.
The following procedure describes the JSON web token settings configuration:
- In the admin UI Configure Manually section, click Select.
- Under Advanced Settings, select the JWT Settings gearbox icon.
- In the JWT Settings window, click Add.
- In the Account Settings window, enter the following information:
Option Default and Description Name A name to identify this setting for validation. Issuer The JWT issuer values as specified in the issuer claim in the incoming token to be validated.
By default, the value of this field is set to the Name field.Note: Issuer is configured only for the Universal Broker protocol redirect use case.
Dynamic Public key URL
Enter the URL for dynamically fetching public key.
Public key URL thumbprints Enter the list of public key URL thumbprints. If you do not provide a list of thumbprints, ensure that the server certificates are issued by a trusted CA. Enter the hexadecimal thumbprint digits. For example, sha1= C3 89 A2 19 DC 7A 48 2B 85 1C 81 EC 5E 8F 6A 3C 33 F2 95 C3. Trusted Certificates
Click '+' to select a certificate in PEM format and add to the trust store. Click "-" to remove a certificate from the trust store. By default, the alias name is the filename of the PEM certificate. To provide a different name, edit the alias text box.
Public key refresh interval
The time interval in seconds at which the public key is fetched from the URL periodically.
Static Public KeysNote: If a dynamic public key URL is not available, set a static public key.Click + to select and add a public key to use for JWT validation.
The file must be in PEM format.
- Click Save.
The details of the parameters are listed under JWT Settings.