About JWT Mappings

A JSON Web Token (JWT; pronounced "jot") is an open standard (RFC 7519) that defines a compact, self-contained way to transmit claims between parties as a JSON object. The claims can be verified and trusted because the token is digitally signed by its issuer. If Trust Protection Platform trusts the key (certificate) used to sign the JWT, it trusts the identity information (the claims) carried in the JWT.

JWT mappings tell Trust Protection Platform which issuers to trust, which token must be presented (audience), and how to map the identity information in the claims to identities in Trust Protection Platform. They are a crucial part of the authentication process: a token from an issuer with no mapping, or one whose claims do not satisfy the mapping, is not accepted.

In addition to the general JWT mappings, you can also map Active Directory (AD) accounts to a JWT. This involves adding the AD user to the access management API integration and configuring the Access Management Snapin on either an admin’s workstation or the TPP server. After these steps, you will be able to map to AD users when setting up a JWT mapping.

JWT Mappings operate in tandem with the central proxy configuration set at the root of the Platforms tree; requests that Trust Protection Platform makes to an issuer go through that proxy. See About using an HTTP proxy.

Want to know more? Learn about JSON web tokens in this Wikipedia article. Equivalent functionality is available in the WebSDK. See OAuth JWT mapping endpoints for details.


Map AD Accounts to JWT

Mapping Active Directory (AD) accounts to a JWT mapping involves the following steps:

Method 1: Use an Admin's workstation

  1. Add the AD user to the access management API integration.

  2. Install VenafiMMC.msi on the Admin's workstation.

  3. Launch mmc.exe and add the Venafi Access Management Snapin.

Method 2: Use the TPP Server

  1. Add the AD user to the access management API integration.

  2. Launch mmc.exe on the TPP server.

  3. Add the Access Management Snapin.

After following either of these methods, you will be able to map to AD users when setting up a JWT mapping.

Add a new JWT mapping

  1. In the Venafi Configuration Console or the Access Management snap-in, click the JWT Mappings node.

  2. In the Actions panel, click Add New Mapping....

  3. Use the following table to help you set the required settings.

    Field descriptions

    Order | Name                          | Description
    1     |                               | The name of the application.
    2     |                               | The Issuer URI to be trusted for this mapping. Tokens whose issuer claim is not this URI are rejected.
    3     | (Audience) Field              | The name of the JWT field indicating the audience.
    4     | (Audience) Must Match         | The value that the audience field must match for the token to be accepted.
    6     | (Subscriber) Field            | The name of the JWT field indicating the identity that owns the token.
    7     | (Subscriber) Map to           | Select an identity for a token issued for this mapping.
          |                               | NOTE  This field is evaluated as a RegEx (regular expression), not as a string.
    8     | (Subscriber) Extract identity | The regular expression used to obtain the identity from the Subscriber Field. The first capturing group of the expression is used to determine the identity.

    You can click the Load JWT button to paste in an existing JWT; the audience and subscriber field names and values are then read from that token and filled in for you. Paste only a token issued by the issuer you intend to trust, so that the pre-filled values reflect that issuer's claim layout.

    Because the match and extract settings are regular expressions, anchor them (for example with ^ and $) where the whole claim value must be accepted; an unanchored expression also matches a claim value that merely contains the expected text.

  4. Click Add.
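The following is an added, illustrative evaluator that shows what the settings in the table do when a token arrives: verify the signature, require the trusted issuer, require the audience field to match, and take the first capturing group of the Extract identity expression from the subscriber field. It is not Trust Protection Platform code; the dictionary keys, claim values, issuer URI and the HS256 shared secret are constructed for the example (a real issuer signs with an asymmetric key that the platform trusts), and the `claim_names` helper only imitates what a Load JWT style button needs to read from a pasted token.

```python
"""Illustrative JWT mapping evaluator (added example, not Trust Protection Platform code)."""
import base64
import hashlib
import hmac
import json
import re

# Constructed mapping. The keys are this example's names, not Console labels.
MAPPING = {
    "name": "ci-pipeline",
    "issuer": "https://issuer.example.test",
    "audience_field": "aud",
    "audience_must_match": r"^tpp-websdk$",   # anchored: 'tpp-websdk-staging' must not pass
    "subscriber_field": "sub",
    "extract_identity": r"^repo:example-org/([A-Za-z0-9_.-]+):ref:",  # group 1 is the identity
}

SECRET = b"constructed-demo-secret"  # stands in for the issuer's signing key (HS256 for offline use)


class MappingRejected(Exception):
    """The token does not satisfy the mapping."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Mint a constructed HS256 JWT, i.e. what 'the issuer' does."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def claim_names(token: str) -> list:
    """Claim names read from a pasted token WITHOUT trusting it (form pre-fill only)."""
    _, payload, _ = token.split(".")
    return sorted(json.loads(_b64url_decode(payload)))


def verify_signature(token: str, key: bytes = SECRET) -> dict:
    """Check the algorithm and signature before any claim is looked at."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise MappingRejected("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, decides the algorithm
        raise MappingRejected(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise MappingRejected("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def evaluate_mapping(token: str, mapping: dict = MAPPING, key: bytes = SECRET) -> str:
    """Return the identity the token maps to, or raise MappingRejected."""
    claims = verify_signature(token, key)
    # 1. Issuer: exact string comparison with the trusted Issuer URI.
    if claims.get("iss") != mapping["issuer"]:
        raise MappingRejected(f"untrusted issuer {claims.get('iss')!r}")
    # 2. Audience: RFC 7519 allows a string or an array; one value must match the pattern.
    aud = claims.get(mapping["audience_field"])
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(isinstance(a, str) and re.search(mapping["audience_must_match"], a) for a in audiences):
        raise MappingRejected(f"audience {aud!r} does not match")
    # 3. Subscriber: the first capturing group of the expression is the identity.
    match = re.search(mapping["extract_identity"], claims.get(mapping["subscriber_field"]) or "")
    if not match or not match.group(1):
        raise MappingRejected("no identity could be extracted")
    return match.group(1)


def try_map(token: str, mapping: dict = MAPPING, key: bytes = SECRET):
    """Same as evaluate_mapping but returns None instead of raising."""
    try:
        return evaluate_mapping(token, mapping, key)
    except MappingRejected:
        return None


if __name__ == "__main__":
    good = make_token({"iss": MAPPING["issuer"], "aud": "tpp-websdk",
                       "sub": "repo:example-org/payments-api:ref:refs/heads/main"})
    print(claim_names(good))       # ['aud', 'iss', 'sub']
    print(evaluate_mapping(good))  # payments-api
```

The order of the checks matters: the signature is verified before any claim is read, the algorithm is fixed by the verifier rather than taken from the token header, and the issuer is compared as an exact string while only the audience and identity settings are treated as regular expressions, which is why those two are anchored.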

Edit an existing JWT mapping

  1. In the Venafi Configuration Console or the Access Management snap-in, click the JWT Mappings node.

  2. Click on a JWT mapping in the list.

  3. In the Actions panel, click Properties.

  4. Modify the mapping's settings, as desired.

    A table with descriptions for each field is available in the previous section.

  5. Click OK.

Delete a JWT mapping

  1. In the Venafi Configuration Console or the Access Management snap-in, click the JWT Mappings node.

  2. Click on a JWT mapping in the list.

  3. In the Actions panel, click Delete....

  4. [Conditional] If a confirmation modal appears, click Yes.