Enabling single sign on for clients via JWT token configuration
As a system programmer, you can customize how JWT authentication is performed, which service provides the JWT authentication token, whether a JWT can be refreshed, and other characteristics of the JWT that clients consume.
SAF as an Authentication provider
By default, the API Gateway uses z/OSMF as the authentication provider. You can switch to SAF as the authentication provider instead of z/OSMF. SAF as an authentication provider is intended for systems without z/OSMF. If SAF is used while z/OSMF is available on the system, the tokens that the API ML creates are not accepted by z/OSMF. Use the following procedure to switch to SAF.
- Open the `zowe.yaml` configuration file.
- Find or add the property `components.gateway.apiml.security.auth.provider` and set the value to `saf`.
- Restart Zowe.
Authentication requests now utilize SAF as the authentication provider. API ML can run without z/OSMF present on the system.
Also see the following properties:
- `apiml.security.auth.tokenProperties.expirationInSeconds`
  This property is relevant only when the JWT is generated by the API Mediation Layer and specifies the time before the token expires.
- `components.gateway.apiml.security.auth.zosmf.ServiceId`
  This parameter specifies the z/OSMF service ID used as the authentication provider. The service ID is defined in the static definition of z/OSMF. The default value is `zosmf`.
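The following `zowe.yaml` excerpt applies the SAF procedure above. It is an example added to this page, not a sample file from the Zowe project. It assumes that the `expirationInSeconds` property sits under the same `components.gateway.apiml.security.auth` subtree as the provider setting, and the 8-hour lifetime is an arbitrary sample value.

```yaml
# Added example: zowe.yaml excerpt that switches the Gateway to SAF authentication.
# Not the project's own sample file. Property paths follow this page; placing
# tokenProperties under components.gateway.apiml.security.auth is an assumption.
components:
  gateway:
    apiml:
      security:
        auth:
          # "zosmf" is the default. "saf" makes the Gateway verify credentials
          # against SAF and issue the JWT itself. Use it on systems without
          # z/OSMF: tokens minted this way are not accepted by z/OSMF even when
          # z/OSMF is present on the system.
          provider: saf
          tokenProperties:
            # Lifetime of Gateway-issued JWTs. Only honoured when the API ML
            # generates the token (that is, with provider: saf).
            # 28800 seconds = 8 hours, a sample value chosen for this example.
            expirationInSeconds: 28800
```

Restart Zowe after the change; a shorter `expirationInSeconds` limits how long a leaked SAF-issued token stays usable, at the cost of more frequent logins unless the refresh endpoint described below is enabled.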
Enabling a JWT token refresh endpoint
Enable the `/gateway/api/v1/auth/refresh` endpoint to exchange a valid JWT token for a new token with a new expiration date. Call the endpoint with a valid JWT token and a trusted client certificate; because the certificate is required, possession of the JWT alone is not enough to extend its lifetime. When using the z/OSMF authentication provider, enable the API Mediation Layer for PassTicket generation and configure the z/OSMF APPLID.
For more information, see Configure PassTickets.
- Open the file `zowe.yaml`.
- Configure the following properties:
  - `components.gateway.apiml.security.allowtokenrefresh: true`
    Add this property to enable the refresh endpoint.
  - `components.gateway.apiml.security.zosmf.applid`
    If you use z/OSMF as the authentication provider, provide a valid `APPLID`. The API ML generates a PassTicket for the specified `APPLID` and subsequently uses this PassTicket to authenticate to z/OSMF. The default value in the installation of z/OSMF is `IZUDFLT`.
- Restart Zowe.
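The following `zowe.yaml` excerpt enables the refresh endpoint with z/OSMF as the authentication provider. It is an example added to this page, not a sample from the Zowe project. Property paths are the ones named above; the PassTicket generation setup that z/OSMF refresh also depends on is configured separately (see Configure PassTickets) and is not shown here.

```yaml
# Added example: zowe.yaml excerpt enabling JWT refresh against z/OSMF.
# Not the project's own sample file. Property paths follow this page; the
# PassTicket generation configuration required for z/OSMF refresh is omitted.
components:
  gateway:
    apiml:
      security:
        # Exposes /gateway/api/v1/auth/refresh. Omit this (or set it to false)
        # if clients should log in again instead of extending an existing token.
        # Even when enabled, a refresh call needs a trusted client certificate
        # in addition to the JWT being refreshed.
        allowtokenrefresh: true
        zosmf:
          # APPLID for which the API ML generates PassTickets when it
          # re-authenticates to z/OSMF on refresh. It must match the APPLID of
          # the z/OSMF instance; IZUDFLT is the z/OSMF installation default.
          applid: IZUDFLT
        auth:
          # z/OSMF is the default provider; shown explicitly for clarity.
          provider: zosmf
          zosmf:
            # Service ID from the static definition of z/OSMF (default: zosmf).
            ServiceId: zosmf
```

With the SAF provider (`provider: saf`) the `zosmf.applid` setting is not used, since the API ML issues and renews the token itself rather than authenticating to z/OSMF.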