External JWT Signers allow external identity providers to facilitate authentication with a network. External JWT Signers can be added as a static x509 certificate or via a JWKS endpoint. Authenticating clients can provide a JWT as a primary authentication mechanism to obtain an API Session. Additionally, the JWT can be required on all REST API calls if desired by using an Authentication Policy that requires it as a secondary factor.
Read more about JWT Signers
Access & Manage JWT Signers
You can access and manage the JWT Signers in the console by finding the icon on the left hand side navigation menu:
and then clicking on the "JWT Signers" tab on the top navigation menu:
Add JWT Signer
To add a new JWT Signer, click on the symbol at the top right of the page.
The new JWT Signer dialog will open:
Signer Name: Give the JWT Signer a name.
Issuer: The issuer defined within the JWT token.
Audience: The audience as defined within the JWT token.
JWKS Endpoint: A JSON Web Key Set (JWKS) endpoint that returns a public key that can be used to validate the token signature.
Match JWT to Identity When:
- JWT Claim's: The name of the claim within the external JWT whose value is used to identify the identity. Examples include "Subject" and "email".
- Identity's: Select whether the value of the claim above is matched against the identity's ID or its External ID.
External Auth URL: The external authentication URL of the JWT signer.
Once you have created a new JWT Signer it can be assigned to an Authentication Policy.
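As an added worked example (not code from the Ziti console or the OpenZiti project), the following Go program shows what the fields in the dialog above mean at validation time: the signer's public key is published as a JWKS document, a token is issued by a stand-in identity provider, and the network side then pins the algorithm, looks the key up by `kid`, verifies the signature, checks issuer, audience and expiry, and finally applies the "Match JWT to Identity When" rule by comparing the chosen claim ("sub" or "email") against either the identity's ID or its External ID. The `SignerConfig` and `Identity` structs, the issuer URL, audience, `kid` values and identities are all constructed for the example and are not OpenZiti types or data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Jwk is one RSA public key as a JWKS endpoint serves it; Jwks is the whole document.
type Jwk struct {
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type Jwks struct{ Keys []Jwk `json:"keys"` }
// SignerConfig mirrors the dialog fields (hypothetical struct): ClaimName is "JWT Claim's" (e.g. "sub"/"email"), MatchOn is "Identity's" ("id"/"externalId").
type SignerConfig struct{ Issuer, Audience, ClaimName, MatchOn string }
type Identity struct{ ID, ExternalID string }

var b64 = base64.RawURLEncoding // JWT segments and JWK fields are unpadded base64url
// JwksFromKey builds the JWKS document a signer publishes for its public key.
func JwksFromKey(kid string, pub *rsa.PublicKey) Jwks {
	e := b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	return Jwks{Keys: []Jwk{{Kid: kid, N: b64.EncodeToString(pub.N.Bytes()), E: e}}}
}

// SignJWT plays the external identity provider: RS256 over header.payload.
func SignJWT(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// VerifyJWT is the network's side: pin the alg, find the key by kid, verify, then check iss, aud and exp.
func VerifyJWT(token string, set Jwks, cfg SignerConfig, now time.Time) (map[string]interface{}, error) {
	parts, seg := strings.Split(token, "."), [3][]byte{}
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if len(parts) != 3 || err != nil {
			return nil, fmt.Errorf("malformed token")
		}
		seg[i] = b
	}
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(seg[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg") // the token never gets to pick the algorithm
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if n, err := b64.DecodeString(k.N); err == nil && k.Kid == hdr.Kid {
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no JWKS key with kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	var claims map[string]interface{}
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]) != nil || json.Unmarshal(seg[1], &claims) != nil {
		return nil, fmt.Errorf("signature invalid or claims not JSON")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if claims["iss"] != cfg.Issuer || claims["aud"] != cfg.Audience || !ok || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("issuer, audience or expiry check failed")
	}
	return claims, nil
}

// MatchIdentity applies the "Match JWT to Identity When" rule from the dialog.
func MatchIdentity(claims map[string]interface{}, cfg SignerConfig, ids []Identity) (*Identity, error) {
	want, _ := claims[cfg.ClaimName].(string)
	for i, id := range ids {
		if want != "" && (cfg.MatchOn == "id" && id.ID == want || cfg.MatchOn == "externalId" && id.ExternalID == want) {
			return &ids[i], nil
		}
	}
	return nil, fmt.Errorf("no identity matches claim %q=%q", cfg.ClaimName, want)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed signer key, standing in for the IdP's
	cfg := SignerConfig{Issuer: "https://idp.example.test", Audience: "ziti-network", ClaimName: "email", MatchOn: "externalId"}
	claims := map[string]interface{}{"iss": cfg.Issuer, "aud": cfg.Audience, "exp": time.Now().Add(time.Hour).Unix(), "email": "alice@example.test"}
	tok, _ := SignJWT(priv, "k1", claims)
	got, err := VerifyJWT(tok, JwksFromKey("k1", &priv.PublicKey), cfg, time.Now())
	id, err2 := MatchIdentity(got, cfg, []Identity{{ID: "ident-aaa", ExternalID: "alice@example.test"}})
	fmt.Println(id, err, err2) // prints &{ident-aaa alice@example.test} <nil> <nil>
}
```

Two points worth noticing when reading this against the dialog: the Issuer and Audience fields are compared byte-for-byte against the token's `iss` and `aud` claims, so a signer configured for one audience will reject tokens minted for another even when the signature is valid; and the algorithm is pinned by the verifier rather than taken from the token header, which is why a token carrying `alg: none` or a token signed by a different key under the same `kid` is rejected before any claim is read.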