Processing the JSON Web Encryption (JWE) login response
Validate the encrypted response.
Overview
Your login configuration instructs Platform SSO how to receive and verify the login response from an identity provider (IdP).
If the HTTP response code is 200, the system decrypts the response body according to RFC 7516 Section 5.2, using JWE Compact Serialization. Use of the zip header isn’t supported. The system checks PartyUInfo for the Ephemeral Public Key in the response. PartyVInfo is the jwe_crypto.apv from the login request.
The following code sample provides an example of an encrypted login response JWE:
```http
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache
Pragma: no-cache
Content-Type: application/platformsso-login-response+jwt; charset=utf-8

ewogI...luEng
```

For more information, see Creating a JSON Web Encryption (JWE) login response.
Validate the ID token
The id_token is a JSON Object Signing and Encryption (JOSE) object that the IdP signs with either the RS256 or the ES256 algorithm, per RFC 7515, in compact serialization. The system retrieves the signing keys from the jwksEndpointURL.
The following table specifies the values that the system uses to validate the ID token:
| Key | Value | Notes |
|---|---|---|
| | The | Required. |
| | Must match the Issuer. | Required. |
| | Required. | |
| | If present, must match the Clientid. | Required only if |
| | Must be in the past. | Required. |
| | Must be in the future. | Required. |
| | If present, must be in the past. | Optional. |
| | The requested group membership for the user. | Optional. |
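As an added example (not Apple's code and not part of this page), the checks described above in Python: a pre-decryption check of the JWE protected header (five compact segments, no zip header, an ephemeral public key present, apv equal to the request's jwe_crypto.apv) and the id_token header and claim checks from the table. Because the table's key column is missing here, the standard JWT claim names iss, aud, iat, exp and nbf are assumed for the rows; signature verification against the keys from jwksEndpointURL is left to a JOSE library and is not shown.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JOSE base64url omits padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_json(obj: dict) -> str:
    # Encodes a JSON object as one base64url JOSE segment (used to build constructed test inputs)
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def check_jwe_header(jwe: str, expected_apv: str) -> dict:
    """Checks on the JWE protected header before any decryption is attempted."""
    parts = jwe.split(".")
    if len(parts) != 5:  # header.encrypted_key.iv.ciphertext.tag
        raise ValueError("JWE Compact Serialization has exactly 5 segments")
    header = json.loads(_b64url_decode(parts[0]))
    if "zip" in header:
        raise ValueError("zip header is not supported")
    if "epk" not in header:
        raise ValueError("ephemeral public key (epk) is missing")
    if header.get("apv") != expected_apv:
        raise ValueError("apv must equal jwe_crypto.apv from the login request")
    return header

def validate_id_token_claims(id_token: str, issuer: str, client_id: str, now: int) -> dict:
    """Header and claim checks for a JWS compact id_token; the signature check is separate."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS Compact Serialization has exactly 3 segments")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") not in ("RS256", "ES256"):  # also rejects "none" and HMAC algs
        raise ValueError("alg must be RS256 or ES256")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise ValueError("iss must match the configured Issuer")
    aud = claims.get("aud")
    if aud is not None and client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud, when present, must match the ClientID")
    if "iat" not in claims or claims["iat"] > now:
        raise ValueError("iat is required and must be in the past")
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("exp is required and must be in the future")
    if "nbf" in claims and claims["nbf"] > now:
        raise ValueError("nbf, when present, must be in the past")
    return claims
```

The assumed claim names follow RFC 7519; the page's own table is the authority for which values Platform SSO requires.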
If validation succeeds, the system saves the response tokens to the keychain using the keychain data-protection attribute kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly and checks the Kerberos mapping.
For a group membership request, the system adds the user to the groups that the IdP supplies in the id_token, and it removes the user from the groups not returned. The system ignores groups that you didn’t specify in the Device Management profile.
For more information, see Configuring Device Management.