Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

Authentication

Authentication is the process or action of verifying the identity of a user or process. For example, it might be seen as an ID card claiming who the caller is to a system.

Microsegmentation Console authentication is based on JSON Web Tokens (JWT). JWTs are an open, industry standard method for representing claims securely between two parties. These tokens are issued by the Microsegmentation Console as long as it can verify the provenance. Microsegmentation supports various sources of authentication.

NOTE

The token is used with almost all API requests to the Microsegmentation Console.

Supported authentication schemes out of the box:

Requires configuration:

Authentication Sources

The Microsegmentation Console will use identification bits from any of these third party providers (referred to as realms) to verify the requester is who he claims to be. If the verification succeeds, the Microsegmentation Console issues a signed JWT containing the verified claims.

For all subsequent requests, when the caller bearing the token makes any API calls to the Microsegmentation Console, it knows it can trust the claims and can start verifying the call is authorized.

Example of issued tokens:

{
  "data": {
    "account": "acme",
    "email": "fgottlieb@acme.com",
    "id": "5c770dca5feaa30001e9a3d8",
      "organization": "acme",
      "realm": "vince"
   },
 "exp": 1555520079,
 "iat": 1555515879,
 "iss": "https://api.microsegmentation.acme.com",
 "realm": "Vince",
 "sub": "acme"
}
{
 "aud": "https://api.microsegmentation.acme.com",
 "data": {
   "account": "1234567890",
   "arn": "arn:aws:sts::1234567890:assumed-role/aporeto/i-0def01b1b215bbd1",
   "organization": "1234567890",
   "partition": "aws",
   "realm": "awssecuritytoken",
   "resource": "assumed-role/aporeto/i-deadbeef12345",
   "resourcetype": "assumed-role",
   "rolename": "aporeto",
   "rolesessionname": "i-deadbeef12345",
   "service": "sts",
   "userid": "DJSANFFGHJDSGHDGJ:i-deadbeef12345"
 },
 "exp": 1542747287,
 "iat": 1542657287,
 "iss": "midgard.https://api.microsegmentation.acme.com",
 "realm": "AWSSecurityToken",
 "sub": "arn:aws:sts::1234567890:assumed-role/aporeto/i-deadbeef12345"
}
{
 "aud": "https://api.microsegmentation.acme.com",
 "data": {
   "email": "1234567890-compute@developer.gserviceaccount.com",
   "instanceid": "6214533999523912251",
   "instancename": "myinstance",
   "organization": "myproject",
   "projectid": "myproject",
   "projectnumber": "6115181755542",
   "realm": "gcpidentitytoken",
   "zone": "us-central1-c"
 },
 "exp": 1545185071,
 "iat": 1545095071,
 "iss": "https://api.microsegmentation.acme.com",
 "realm": "GCPIdentityToken",
 "sub": "myproject"
}
{
 "data": {
   "account": "acme",
   "aud": "md6GgsAZz58xseExGoIEyKqhS0Xu5lsi",
   "id": "acme",
   "iss": "https://dev-byp7k6-2.auth0.com/",
   "organization": "acme",
   "provider": "Auth0",
   "realm": "oidc",
   "sub": "auth0|5cb138ec3fb74710869425df"
 },
 "exp": 1555602493,
 "iat": 1555512493,
 "iss": "https://api.microsegmentation.acme.com",
 "realm": "OIDC",
 "sub": "acme"
}