Specifying Nevis SecToken format and its usage restrictions and signer key
SecTokens may come in different formats (versions), carry additional, site-dependent optional attributes, and be restricted to specific SSO domains or even individual applications. The configuration construct that defines all of this is called the TokenAssembler.
The following TokenAssembler is the initial specification created at installation time. It contains all sensitive, authentication-related attributes. By default, a SecToken in the "CSSO-1.0" XML format is generated for all SSO domains. The signing key is referenced by name from the "KeyStore" section.
<TokenAssembler name="DefaultTokenAssembler">
<Selector default="true"/>
<TokenSpec version="CSSO-1.0" ttl="7200" useGmt="true" algorithm="SHA256withRSA">
<field src="session" key="ch.nevis.session.sessid" as="sessid"/>
<field src="session" key="ch.nevis.session.userid" as="userid"/>
<field src="session" key="ch.nevis.session.authlevel" as="authLevel"/>
<field src="session" key="ch.nevis.session.esauthid" as="esauthid"/>
<field src="session" key="ch.nevis.session.entryid" as="entryid"/>
<!-- generic fields -->
<field src="session" key="ch.nevis.session.domain" as="domain"/>
</TokenSpec>
<!-- reference to signer to use -->
<Signer key="DefaultSigner"/>
</TokenAssembler>
A SecToken generated from this specification may look as follows (the order of the attributes is not guaranteed, and the actual token is emitted without indentation or newlines):
<secToken version="CSSO-1.0" signTime="20030117084708Z" ttl="7200">
<attr>
<userid>user1</userid>
<sessid>I1bzufYY6ATY7cGLBR8X36TIBrqNM=</sessid>
<authLevel>auth.weak</authLevel>
<esauthid>I1</esauthid>
<entryid>reverseproxy1.adnovum.ch</entryid>
<field name="domain">SSO1</field>
</attr>
<signature alg="SHA256withRSA" fingerPrint="F1:A3:DF:D1:F5:0D:C0:25:10:E6:34:DF:17:80:D2:E6">
...
</signature>
</secToken>
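A relying party that receives a token of the shape shown above has to read its attributes and enforce the signTime/ttl window and the expected signer before trusting anything in it. The following is an added example, not nevisAuth or nevisProxy code: it parses a token with exactly the layout of the sample above (a constructed copy with a placeholder signature value), computes the expiry from signTime plus ttl, pins the signer fingerprint and algorithm, and requires the core attributes. The page does not document what bytes the signature covers or how they are canonicalised, so the cryptographic signature itself is deliberately not verified here; the function names, the pinned-fingerprint check and the 30-second clock-skew allowance are this example's own choices.

```python
"""Parse a CSSO-1.0 SecToken and enforce its time window and signer pin.

Added example, not Nevis code. Layout follows the sample token on this page.
The signed payload/canonicalisation is not documented here, so the RSA
signature is NOT verified; only structure, expiry, algorithm and fingerprint
are checked. In production parse untrusted XML with defusedxml (entity
expansion attacks) and verify the signature with the pinned certificate.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample, same layout as the page's example; the signature body
# "AAAA" is a placeholder, not a real signature.
SAMPLE_TOKEN = (
    '<secToken version="CSSO-1.0" signTime="20030117084708Z" ttl="7200">'
    '<attr><userid>user1</userid>'
    '<sessid>I1bzufYY6ATY7cGLBR8X36TIBrqNM=</sessid>'
    '<authLevel>auth.weak</authLevel><esauthid>I1</esauthid>'
    '<entryid>reverseproxy1.adnovum.ch</entryid>'
    '<field name="domain">SSO1</field></attr>'
    '<signature alg="SHA256withRSA" '
    'fingerPrint="F1:A3:DF:D1:F5:0D:C0:25:10:E6:34:DF:17:80:D2:E6">'
    'AAAA</signature></secToken>'
)
# Fingerprint of the signer certificate we are willing to accept (pinned).
PINNED_FINGERPRINT = "F1:A3:DF:D1:F5:0D:C0:25:10:E6:34:DF:17:80:D2:E6"


def parse_sign_time(value):
    """useGmt="true" yields yyyyMMddHHmmssZ; anything else is rejected."""
    if not value.endswith("Z"):
        raise ValueError("signTime is not a GMT timestamp: %r" % value)
    naive = datetime.strptime(value[:-1], "%Y%m%d%H%M%S")
    return naive.replace(tzinfo=timezone.utc)


def parse_sectoken(xml_text):
    """Return the token as a dict; generic <field name=".."> entries are
    flattened into the same attribute map as the well-known elements."""
    root = ET.fromstring(xml_text)
    if root.tag != "secToken":
        raise ValueError("not a secToken element")
    attrs = {}
    for child in root.find("attr"):
        name = child.get("name") if child.tag == "field" else child.tag
        attrs[name] = (child.text or "").strip()
    sig = root.find("signature")
    if sig is None:
        raise ValueError("secToken without signature element")
    return {
        "version": root.get("version"),
        "signTime": parse_sign_time(root.get("signTime")),
        "ttl": int(root.get("ttl")),
        "attrs": attrs,
        "alg": sig.get("alg"),
        "fingerPrint": sig.get("fingerPrint"),
        "signature": (sig.text or "").strip(),
    }


def check_token(token, now_gmt, expected_fingerprint,
                expected_version="CSSO-1.0", expected_alg="SHA256withRSA",
                skew=timedelta(seconds=30)):
    """Return the list of policy violations; an empty list means the token
    passes every check except the (not implemented) signature verification.
    now_gmt is the verifier's clock in the token's own yyyyMMddHHmmssZ form."""
    now = parse_sign_time(now_gmt)
    problems = []
    if token["version"] != expected_version:
        problems.append("unexpected token version")
    # Pin both algorithm and signer: never let the token choose a weaker alg.
    if token["alg"] != expected_alg:
        problems.append("unexpected signature algorithm")
    if (token["fingerPrint"] or "").upper() != expected_fingerprint.upper():
        problems.append("signer fingerprint not pinned")
    if not token["signature"]:
        problems.append("empty signature")
    expires = token["signTime"] + timedelta(seconds=token["ttl"])
    if token["signTime"] - skew > now:
        problems.append("signTime in the future")
    if now > expires:
        problems.append("token expired")
    for required in ("userid", "sessid", "authLevel"):
        if not token["attrs"].get(required):
            problems.append("missing attribute %s" % required)
    return problems
```

With the sample token (signed 2003-01-17 08:47:08Z, ttl 7200) the check passes for a clock of 09:47:08Z and reports "token expired" one second after 10:47:08Z; swapping the pinned fingerprint reports the signer mismatch without touching anything else.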
Further TokenAssemblers for specific cases are distinguished by Selector elements that match on the SSO domain or on the requested resource, for example:
<Selector domain="SampleSSO"/>
<Selector resource="/sample"/>
If you want to specify several values for a given selector type, specify one selector for each value. For example, if you want to specify two domains ("SampleSSO1" and "SampleSSO2"), define them as follows:
<Selector domain="SampleSSO1"/>
<Selector domain="SampleSSO2"/>
The caller (e.g., nevisProxy) passes the domain and/or resource information that indicates which security token is required.
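To make the selection rules concrete, here is an added example (not nevisAuth code) that loads two TokenAssembler definitions and picks one from the domain and resource hints a caller supplies. The page only documents default="true", domain="..." and resource="..." with one Selector per value, so the following are this example's assumptions and not documented behaviour: a <TokenAssemblers> wrapper element, configuration order deciding when several assemblers match (first wins), resource selectors matching on a path-segment boundary rather than a raw string prefix (so "/sample" does not match "/samples"), several attributes on one Selector being ANDed, and the default assembler being used only when no other selector matches.

```python
"""Model of TokenAssembler selection from Selector elements.

Added example, not nevisAuth code. Assumptions not stated on the page:
<TokenAssemblers> wrapper; first matching assembler in configuration order
wins; resource selectors match whole path segments; attributes within one
Selector are ANDed, several Selectors are ORed; default is the fallback only.
"""
import xml.etree.ElementTree as ET

# Constructed configuration: the page's default assembler plus one restricted
# to two SSO domains and one resource. TokenSpec omitted for brevity.
CONFIG = """<TokenAssemblers>
  <TokenAssembler name="DefaultTokenAssembler">
    <Selector default="true"/>
    <Signer key="DefaultSigner"/>
  </TokenAssembler>
  <TokenAssembler name="SampleTokenAssembler">
    <Selector domain="SampleSSO1"/>
    <Selector domain="SampleSSO2"/>
    <Selector resource="/sample"/>
    <Signer key="SampleSigner"/>
  </TokenAssembler>
</TokenAssemblers>"""


def load_assemblers(xml_text):
    """Return [(name, [selector attribute dicts])] in configuration order."""
    root = ET.fromstring(xml_text)
    result = []
    for ta in root.findall("TokenAssembler"):
        selectors = [dict(sel.attrib) for sel in ta.findall("Selector")]
        result.append((ta.get("name"), selectors))
    return result


def resource_matches(prefix, resource):
    """Assumption: match on path-segment boundary, so "/sample" covers
    "/sample" and "/sample/app" but not "/samples"."""
    if resource is None:
        return False
    return resource == prefix or resource.startswith(prefix.rstrip("/") + "/")


def selector_matches(selector, domain, resource):
    """One Selector element; every attribute present must hold (AND).
    The default selector is handled separately and never matches here."""
    if selector.get("default") == "true":
        return False
    checks = []
    if "domain" in selector:
        checks.append(domain == selector["domain"])
    if "resource" in selector:
        checks.append(resource_matches(selector["resource"], resource))
    return bool(checks) and all(checks)


def choose_assembler(assemblers, domain=None, resource=None):
    """Pick the first assembler with a matching Selector (OR over its
    Selectors); fall back to the single default assembler."""
    default_name = None
    for name, selectors in assemblers:
        if any(s.get("default") == "true" for s in selectors):
            if default_name is not None:
                raise ValueError("more than one default TokenAssembler")
            default_name = name
        if any(selector_matches(s, domain, resource) for s in selectors):
            return name
    if default_name is None:
        raise LookupError("no TokenAssembler matches and no default configured")
    return default_name


ASSEMBLERS = load_assemblers(CONFIG)
```

Because the default assembler carries every sensitive attribute, the check worth running on a real configuration is the negative one: a request for an unknown domain or a resource just outside a selector's path (such as "/samples" here) must fall back to the default assembler rather than silently receive the restricted assembler's token.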
Refer to the chapters "Integration of the nevisAuth Authentication Service" and "Configuring User Authentication" in the nevisProxy reference guide for the reverse proxy's view of this topic.