LTPA and JTW SSO support authentication filter #3801

Closed
utle opened this issue Mar 11, 2021 · 19 comments
Labels
21.0.0.4 content reviewed peer reviewed technical reviewed An SME reviewed and approved the documentation from a technical perspective.
utle commented Mar 11, 2021

No description provided.

utle commented Mar 11, 2021

https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_sec_config_jwt_sso.html
After procedure 1:
2. Optional: Configure the Authentication Filter.
You can use authnFilter to define which requests will use JWT SSO for authentication.

For more information on configuring the authentication filter, see Authentication Filters link.
jwtSso now supports authentication filters; add a sample.

<jwtSso cookieName="myjwt" jwtBuilderRef="myBuilder" authFilterRef="myAuthFilter"/>

<authFilter id="myAuthFilter">
         <requestUrl id="myRequestUrl" urlPattern="/SimpleServlet" matchType="contains"/>
</authFilter>

Also add the following note:

Note
When the jwtSso-1.0 feature is enabled and the <jwtSso> does not have the authFilterRef attribute, all requests access protected resources that have LTPA cookie is used the jwtSso authentication.

@chirp1 chirp1 removed their assignment Mar 12, 2021
@utle utle changed the title JTWSSO support authentication filter LTAP and JTW SSO support authentication filter Mar 17, 2021
@utle utle changed the title LTAP and JTW SSO support authentication filter LTPA and JTW SSO support authentication filter Mar 17, 2021
utle commented Mar 17, 2021

In the LTPA SSO article we also need to add the authFilter just like the JWT article

@dmuelle dmuelle added this to the 21.0.0.4 milestone Mar 17, 2021
utle commented Mar 24, 2021

https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_sec_ltpa.html
After procedure 1:
2. Optional: Configure the Authentication Filter.
You can use authnFilter to define which requests will use LTPA SSO for authentication.

For more information on configuring the authentication filter, see Authentication Filters link.
LTPA SSO now supports authentication filters; add a sample.

<ltpa keysFileName="yourLTPAKeysFileName.keys" keysPassword="keysPassword" expiration="120" authFilterRef="myAuthFilter"/>

<authFilter id="myAuthFilter">
         <requestUrl id="myRequestUrl" urlPattern="/SimpleServlet" matchType="contains"/>
</authFilter>

Also add the following note:

Note
If the <ltpa> element is either omitted or not configured with an authFilterRef attribute, all requests to access protected resources that have the LTPA cookie will be used LTPA SSO authentication.

utle commented Mar 24, 2021

https://openliberty.io/docs/21.0.0.3/authentication-filters.html
Open Liberty supports authentication filters for various authentication mechanisms, including JSON Web Tokens, Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), and Social Media Login.
Change to:
Open Liberty supports authentication filters for various authentication mechanisms, including JSON Web Tokens, Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), LTPA and JWT Single Sign-On and Social Media Login.

https://openliberty.io/docs/21.0.0.3/reference/feature/appSecurity-3.0.html
In "Specify LTPA keys", should we have a sample for configuring the authFilter?

chirp1 commented Mar 25, 2021

Notes:

  • For https://openliberty.io/docs/21.0.0.3/reference/feature/appSecurity-3.0.html:
    Add in the config snippet for LTPA that Ut mentions in an earlier comment in this issue. It starts with "<ltpa keysFileName=...". Include any supporting info for the config snippet that Ut gives for LTPA.

  • For https://www.openliberty.io/docs/latest/reference/feature/jwtSso-1.0.html:
    Add in the config snippet for JWT SSO that Ut mentions in an earlier comment in this issue. It starts with "<jwtSso cookieName=....". Include any supporting info for the config snippet that Ut gives for JWT SSO.

  • Instead of putting updates in the KC topics, link from those KC topics to the appropriate OL topics. Add wording to the KC topics about the filters so that the user knows what the links to the OL topics are for.

  • Pull any relevant information in the KC topics to Open Liberty topics.

@ManasiGandhi
Contributor

@utle Thanks for providing relevant information for the updates that need to be added to the OL topics. I have some questions:

  • Here you say, "When the jwtSso-1.0 feature is enabled and the element is either omitted or not configured with an authFilterRef attribute". What is the element that you are referring to? Is it the jwtsso element? If so, how can we omit the jwtsso element when it is already enabled? Is omitting the element an option available?
  • Here you say, "If the element is either omitted or not configured". However, when the Application Security feature is enabled, Lightweight Third Party Authentication (LTPA) is enabled by default. In that case, how can we omit the LTPA element? Is omitting the ltpa element an option available?
  • Authentication filter topic- Do you need this topic to be updated with examples for jwtsso and ltpa, besides the update you mentioned here?

@dmuelle dmuelle closed this as completed Mar 25, 2021
@dmuelle dmuelle reopened this Mar 25, 2021
utle commented Mar 25, 2021

@ManasiGandhi

  • When the jwtSso-1.0 feature is enabled and the <jwtSso> element does not have the authFilterRef attribute, all requests access protected resources that have LTPA cookie is used the jwtSso authentication.
  • If Application Security feature is enabled and the <ltpa> element does not have an authFilterRef attribute, all requests to access protected resources that have the LTPA cookie will be used LTPA SSO authentication.
  • No need for examples.

chirp1 commented Mar 25, 2021

Epic for this ID issue: OpenLiberty/open-liberty#10091

ManasiGandhi commented Mar 29, 2021

Also refer to #3892 and #3000

@ManasiGandhi ManasiGandhi added the technical reviewed An SME reviewed and approved the documentation from a technical perspective. label Apr 13, 2021
dmuelle commented Apr 14, 2021

Content review

For both these examples, it should be more clear specifically what the filter does. Does it filter how the JWT is created? Which requests are processed by JWT SSO?

Configure an authentication filter

  • I think the example title should be more user focused, rather than feature focused. The title should reflect the user goal rather than the feature name. So it should say what the filter does, something along the lines of "Configure only certain requests to be processed by JWT SSO" or "Filter certain requests to be processed by JWT SSO". See the authfilter examples on the SPNEGO and Social Login features for examples.

  • "You can configure an authentication filter to secure requests for accessing protected resources that are used with JWT SSO for authentication": I think this sentence could be more concise and clear; it's hard to tell what the authfilter does. Does this mean if a request contains a JWT, the JWT is only used if the request also meets the criteria in the filter? As written, it's hard to tell whether "with JWT SSO for authentication" applies to requests or resources. It should be more clear specifically what a user can achieve by configuring the filter.

  • "The jwtSso feature supports authentication filters." should use the text name, not the code name of the feature. But I think this sentence is also redundant: the example itself shows that the feature supports the filter.

  • For more information on configuring an authentication filter, see Authentication filters.--->
    For more information, see Authentication filters.

  • If the jwtSso feature is enabled but jwtSso element does not include the authFilterRef attribute, all requests to access the protected resources that have a JWT cookie are used for the JWT SSO authentication
    For consistency, use the text name of the feature, not the code name. Also, the sentence is not clear- do the resources have the cookie or the requests? What does "are used for the JWT SSO authentication" refer to? The requests or the cookie? It's not clear.

Configure an authentication filter (appSecurity)

  • see previous comments, similar edits are needed for this example

dmuelle commented Apr 14, 2021

As is, the examples tell you that you can set a filter, but why you would want to or what happens when you do is not clear. Since the examples are so similar (which is ok), my comments for jwtSso apply to LTPA too. I think the basic pattern is:

  • a request for protected resources comes in
  • LTPA or JWT SSO is configured as an auth mechanism
  • an auth filter is configured
  • if the request meets the criteria that is configured in the filter ref, the request is processed by the auth mechanism (LTPA, JWT)

You might need to check that with the SME, but if correct, I think you could convey it in a sentence or two. As it is now, phrases like "are used with JWT SSO for authentication" make it unclear what actually happens.
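
The pattern in the comment above, together with the default when no authFilterRef is set, as an added example (not part of the original thread and not Open Liberty code): a small Python audit that reads a constructed server.xml fragment and reports, per sample URL, whether JWT SSO or LTPA would process a request carrying the SSO cookie. The match-type semantics are a simplified model, and the function names and sample URLs are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: <jwtSso> is filtered, <ltpa> is not.
SERVER_XML = """<server>
  <jwtSso cookieName="myjwt" jwtBuilderRef="myBuilder" authFilterRef="myAuthFilter"/>
  <ltpa keysFileName="yourLTPAKeysFileName.keys" expiration="120"/>
  <authFilter id="myAuthFilter">
    <requestUrl id="myRequestUrl" urlPattern="/SimpleServlet" matchType="contains"/>
  </authFilter>
</server>"""

# Simplified model of requestUrl match types (an assumption, not Liberty's code).
MATCHERS = {
    "contains": lambda url, pat: pat in url,
    "notContain": lambda url, pat: pat not in url,
    "equals": lambda url, pat: url == pat,
}

def load_filters(root):
    """Map each authFilter id to its list of (urlPattern, matchType) conditions."""
    return {
        f.get("id"): [(r.get("urlPattern"), r.get("matchType"))
                      for r in f.findall("requestUrl")]
        for f in root.iter("authFilter")
    }

def sso_scope(xml_text, mechanism, url):
    """Return 'all', 'match', 'skip' or 'dangling-ref' for one request URL."""
    root = ET.fromstring(xml_text)
    element = root.find(mechanism)
    ref = element.get("authFilterRef") if element is not None else None
    if ref is None:
        return "all"           # no filter: every request with the cookie
    filters = load_filters(root)
    if ref not in filters:
        return "dangling-ref"  # authFilterRef names no defined authFilter
    # All conditions of the referenced filter must hold for the request.
    ok = all(MATCHERS[mt](url, pat) for pat, mt in filters[ref])
    return "match" if ok else "skip"

def audit(xml_text, urls, mechanisms=("jwtSso", "ltpa")):
    """Report the SSO scope of each mechanism for each sample URL."""
    return {(m, u): sso_scope(xml_text, m, u) for m in mechanisms for u in urls}

if __name__ == "__main__":
    sample_urls = ["/app/SimpleServlet", "/app/other", "/app/SimpleServletAdmin"]
    for key, scope in audit(SERVER_XML, sample_urls).items():
        print(key, scope)
```

In this model `contains` also matches `/app/SimpleServletAdmin`, so a substring pattern can bring more URLs into SSO scope than intended; `equals` narrows it.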

utle commented Apr 14, 2021

@dmuelle It's corrected ... also, I think we need to mention if auth filter is not configured which is the current behavior

@ManasiGandhi
Contributor

Also, here is the draft link to the App security topic with updates for LTPA https://draft-openlibertyio.mybluemix.net/docs/21.0.0.4/reference/feature/appSecurity-3.0.html

dmuelle commented Apr 15, 2021

Both look good except for the final sentence:

"If the jwtSso feature is enabled but jwtSso element does not include the authFilterRef attribute, all requests to access the protected resources that have a JWT cookie are used for the JWT SSO authentication."
--->
If the JSON Web Token Single Sign-On feature is enabled but no authentication filter is configured, all requests that include a JWT cookie are processed by JWT SSO authentication.

If the ltpa element does not specify the authFilterRef attribute, all requests to access the protected resources that have an LTPA cookie are used for the LTPA SSO authentication.
--->
If the ltpa element does not specify the authFilterRef attribute, all requests that include an LTPA cookie are processed by LTPA SSO authentication.

dmuelle commented Apr 15, 2021

looks good, just need to add monospace formatting as discussed via slack
