1. Security Administration Guide
  2. JWT Authentication Flow

JWT Authentication Flow

For authentication with a JWT, the following must take place:

  • The public key certificate used for token generation by the third party must be provided.

  • You must store this certificate in a secure PKCS12 keystore (.p12) and upload it to the EnterpriseOne HTML Server.

  • You must configure the EnterpriseOne HTML Server with the keystore name, keystore password, and certificate alias.

  • Principal passed in the JWT must match the EnterpriseOne user ID.

  • You must configure the EnterpriseOne HTML Server as a trusted node through a single sign-on trust configuration.

The following image shows the authentication flow in an environment in which JWT is used for authentication.

This image is described in surrounding text.

The following steps describe the AIS authentication flows:

  1. A third party authentication provider generates a JWT with private key.
  2. The JWT is sent in the Bearer header of an AIS token request. (Stateless requests are also supported).
  3. The JWT is forwarded to the EnterpriseOne HTML Server by the AIS Server in the Bearer if login is required, and the AIS Server is configured to allow a JWT.
  4. The JWT is validated against the public key, the token timeout is validated, and the principal (user) is extracted from the JWT payload. A PSToken is generated for that user and sent for authorization by the Security Server (EnterpriseOne Enterprise Server).
  5. The Security Server checks the PS token with SSO node trust, and then an authorization response is returned to the EnterpriseOne HTML Server.
  6. The authorization response is returned to the AIS Server. The PS Token is included in the response.
  7. The authorization response is returned to the AIS client (third-party). If passed, for a token request the response includes an AIS token.

(Release 9.2.5.4 and later) The following steps describe the HTML authentication flows:

1. A third party authentication provider generates a JWT with private key.

2a. The JWT is sent in the access token URL parameter of the HTML server (E1Web Client) URL.

3a. The JWT is forwarded to the EnterpriseOne HTML by the browser through the URL parameter.

4. The JWT is validated against the public key, the token timeout is validated, and the principal (user) is extracted from the JWT payload. A PSToken is generated for that user and sent for authorization by the Security Server (EnterpriseOne Enterprise Server).

5. The Security Server checks the PS token with SSO node trust, and then an authorization response is returned to the EnterpriseOne HTML Server.

6a. The authorization response is returned to the browser, and user is logged in to the Web Client or the login has failed.

7. The authorization response is returned to the AIS client (third-party). If passed, for a token request the response includes an AIS token.