Configuring preauthentication
To configure preauthentication
- Log in to BMC Helix SSO Admin Console.
- In the left navigation panel of the Add Realm or Edit Realm page, click Authentication.
- From the Authentication Type list, select PREAUTH.
- In the User ID Claim Name field, enter the name of the JWT entry to be used for user identification.
- Select a process to validate JWTs:
- To use a certificate, in the Certificate field, copy the certificate of the server that signs the JWT. The certificate must be in Privacy Enhanced Mail (PEM) format.
- To use a JWKS URI, in the JWKS URI field, copy the set of public keys issued by a trusted third party. The URI must use HTTP or HTTPS protocols; for example, https://login.microsoftonline.com/common/discovery/v2.0/keys
- (Optional) In the Validation expression field, enter the SpEL validation expression, which amplifies the basic check of JWT claims. Use this expression to provide an additional layer of security, specifically when JWT claims are issued by third-party providers. For more details, see the How the test SpEL pattern works section.
- (Optional) Test the SpEL validation expression with expected JWTs. To do so, as an administrator, navigate to Service > SpEL Test. In the Expression field, enter the expression. In the Value field, enter a test value (JWT). Click Test to confirm that your JWT is valid before BMC Helix SSO creates a session
- (Optional) To allow an originating application to open a target application through iframe, in the ALLOW-FROM Domain(s) field, enter the name of the originating application.
- Specify the target server as follows:
- * - wildcard. Allowed for all domains.
- hostname - Allowed for specified domain, ignoring port.
- hostname:port - Allowed for exact match host:port.
- proto://hostname:port - Allowed for exact match host:port.
- Click Save.
How the test SpEL pattern works
A validation expression is a SpEL expression where #jwt is a keyword that means JWT, which is used for logging in. By using this keyword, you can obtain two objects: header (#jwt.header()) and claims (#jwt.claims()), which are Map<String, Object> Java objects.
For example, you need to validate the following JWT:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJBbGxlbiIsIm5hbWUiOiJEYXZpZCBBbGxlbiIsImVtYWlsIjoiZGF2aWQuYWxsZW5AZXhhbXBsZS5jb20iLCJhdWQiOlsiaHR0cDovL2V4YW1wbGUuY29tIl0sImlhdCI6MTIzNDU2Nzg5MCwiZXhwIjoxMjM0NTY3ODkwfQ.pjM3yEeNKaA3KJH4G16Fy_e7tSdDs99aqxcDv3DyGS9c__bMuKM0yOvPxvCQmT6L1z2iLCblD0pQjK3EgNI83rR71mjwwe_7BS683PaFIAU4CUS_YC0aw7ljmWTcV2UkEkvBlS8nmYzqo2Gone8K-eD1csj5JiO6Pgf7wmt8yCEgaWBqbMsYjJKU8wAXUE_8rbErlXIvIW25shnz-aehTsVRtfz5KcB2gkP_NL_N4KF8s5WRnegXiKkafBCdkcISdYDlqVp1EHAah4ivM8GGf11pALXOvyUteFdNTe655NsoiWJTwmWE4jrtvOJiL3l4EUDGyupj1DzR94J7SbpdgQ
The decoded header and payload of this JWT is as follows:
Header
"alg": "RS256",
"typ": "JWT"
}
Payload
"sub": "Allen",
"name": "David Allen",
"email": "david.allen@example.com",
"aud": ["http://example.com"],
"iat": 1234567890,
"exp": 1234567890
}
Let's say that you want to add extra checks for this JWT:
- It has an email claim.
- The email domain is example.com.
- The type of JWT is "JWT".
To implement these conditions, you need to customize the expression as follows:
After you click Test, True is returned, meaning that the expression is valid for the test JWT.
If False, your expression does not correspond to the JWT content and needs to be revisited.