PingAM 8.0.0

Amster Jwt Decision node


The Amster Jwt Decision node lets AM authenticate Amster connections using SSH keys.

The Amster client signs the JWT using a local private key. AM verifies the signature using the list of public keys in the authorized_keys file. Specify the path to the authorized_keys file in the node configuration.

If an entry in the authorized_keys file contains a from parameter, only connections originating from a qualifying host are permitted for that key.

Find more information in Private key connections in the Amster documentation.

Compatibility

Product: Compatible?

PingOne Advanced Identity Cloud: No

PingAM (self-managed): Yes

Ping Identity Platform (self-managed): Yes

Inputs

The node reads the NONCE_STATE_KEY from the Amster client.

Dependencies

None.

Configuration

Property: Usage

Authorized Keys: Location of the authorized_keys file used to validate remote Amster connections. This file has the same format as an OpenSSH authorized_keys file.
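
The following Python sketch is an added example, not code from the PingAM or Amster documentation. It parses a file in the OpenSSH authorized_keys format and reports, for each key, the host patterns in its from parameter, flagging keys that carry no from restriction. The sample file contents, key strings and function names are constructed for illustration.

```python
"""Audit an OpenSSH-format authorized_keys file for keys lacking from=."""
import re

# Key-type prefixes that begin the key field of an entry (no options before it).
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")

def split_options(line):
    """Split an entry into (options, rest), honouring quoted option values."""
    if KEY_TYPE.match(line):
        return "", line                      # entry has no options field
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i:].lstrip()
    return line, ""                          # malformed: options only

def parse_options(opts):
    """Return {name: value} for a comma-separated option list (None if bare)."""
    pat = r'([\w-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)'
    return {m.group(1).lower(): m.group(2) for m in re.finditer(pat, opts)}

def audit(text):
    """Return (line_no, comment, from_patterns) per key; None = unrestricted."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split(None, 2)         # key type, key blob, comment
        comment = fields[2] if len(fields) > 2 else ""
        frm = parse_options(opts).get("from")
        findings.append((n, comment, frm.split(",") if frm else None))
    return findings

# Constructed sample; the key blobs are placeholders, not real keys.
# Line 4 has from= only inside its comment, so it is NOT a restriction.
SAMPLE = '''# amster clients
from="10.0.0.5,*.ops.example.com" ssh-rsa AAAAB3PLACEHOLDER1 ci@build
ssh-ed25519 AAAAC3PLACEHOLDER2 admin@laptop
ssh-rsa AAAAB3PLACEHOLDER3 old-key from="10.0.0.9"
'''

if __name__ == "__main__":
    for n, who, pats in audit(SAMPLE):
        print(n, who, pats or "UNRESTRICTED: no from parameter")
```

A plain text search for from= would wrongly count the last sample entry as restricted, which is why the options field is parsed separately from the comment.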

Outputs

This node doesn’t change the shared state.

Outcomes

True

The journey follows this outcome if the node can validate the incoming JWT, which the client signed with its private key, against the public keys in the authorized_keys file. Successful authentication creates an amAdmin session in AM.

False

The journey follows this outcome if the node can’t validate the incoming JWT against the public keys in the authorized_keys file, either because the key used to sign it is invalid, or because the authorized_keys file is inaccessible.

Errors

If the node can’t read the authorized_keys file, it returns the error AmsterJwtDecisionNode: Could not read authorized keys file filename.

Examples

This node is used only by the amsterService authentication tree:

[Figure: the amsterService journey]

Changing or removing this tree could prevent Amster from connecting to AM.