JWT signers
A JWT (JSON Web Token) signer is the configuration that lets the controller accept token-based authentication using JWTs issued by an external Identity Provider (IdP).
- Purpose: They're typically used when integrating NetFoundry with a third-party IdP system, such as a Single Sign-On (SSO) solution or an external user database. The IdP issues a JWT to the user, and the JWT Signer configuration tells the controller how to cryptographically verify that the incoming token is genuine.
- Function: This allows the controller to accept authorization credentials issued by external services without requiring those services to directly manage the identity's certificate or private key.
External ID
An external ID is a unique identifier stored on a NetFoundry identity that links it to a corresponding user in your IdP. When a user authenticates with a JWT, the controller compares a claim from that token (like an email address or username) against the external ID on the identity to confirm they match.
You configure which JWT claim to use when setting up a JWT signer. Common options are the user's primary email or username, but you can also specify a custom claim. The external ID must be unique across all identities in your network.
This mapping is what allows SSO and SCIM-provisioned users to authenticate without manually managing certificates or enrollment tokens for each identity.
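The verification and mapping steps described above, as an added stand-alone example (not NetFoundry's or OpenZiti's code): a signer record carrying the issuer, audience and claim-to-external-ID setting, a verifier that pins the algorithm, checks the signature, expiry, issuer and audience, and a resolver that requires exactly one identity to carry the matching external ID. It uses HS256 with a constructed shared secret so it runs offline with only the standard library; a real IdP publishes RSA/EC keys and the controller verifies with those. Field names such as `claims_property` and the sample identities are assumptions made for the example.

```python
"""Added example of the checks a JWT signer configuration drives; not
NetFoundry code. HS256 with a constructed secret keeps it stdlib-only."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional


class TokenRejected(Exception):
    """Raised when a token fails any verification or mapping step."""


@dataclass
class JwtSigner:
    """Hypothetical record with the fields the signers table shows."""
    name: str
    issuer: str
    audience: str
    claims_property: str = "email"   # which claim maps to the external ID
    enabled: bool = True
    secret: bytes = b""              # constructed HS256 key for the example


@dataclass
class Identity:
    name: str
    external_id: Optional[str] = None


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(signer: JwtSigner, claims: dict) -> str:
    """Constructed stand-in for the IdP: builds a signed HS256 JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(signer.secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, signer: JwtSigner, now: Optional[float] = None) -> dict:
    """Return the claims only if the token is genuine and meant for this signer."""
    if not signer.enabled:
        raise TokenRejected(f"signer {signer.name!r} is disabled")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError) as exc:
        raise TokenRejected("malformed token") from exc
    # Pin the algorithm: the token never gets to choose (rejects "none" and swaps).
    if header.get("alg") != "HS256":
        raise TokenRejected(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(signer.secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenRejected("token expired or has no exp")
    if claims.get("iss") != signer.issuer:        # Issuer column
        raise TokenRejected(f"issuer {claims.get('iss')!r} does not match")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if signer.audience not in aud:                # Audience column
        raise TokenRejected("token not intended for this network")
    return claims


def resolve_identity(claims: dict, signer: JwtSigner, identities: list) -> Identity:
    """Map the configured claim onto exactly one identity's external ID."""
    value = claims.get(signer.claims_property)
    if not value:
        raise TokenRejected(f"claim {signer.claims_property!r} missing")
    matches = [i for i in identities if i.external_id == value]
    if len(matches) != 1:   # zero: unknown user; more than one: uniqueness broken
        raise TokenRejected(f"{len(matches)} identities carry external ID {value!r}")
    return matches[0]


# Constructed sample data so the example runs on its own.
SIGNER = JwtSigner(name="corp-sso", issuer="https://idp.example.test",
                   audience="ziti-network", secret=b"constructed-demo-secret")
IDENTITIES = [Identity("alice-laptop", "alice@example.test"),
              Identity("bob-laptop", "bob@example.test"),
              Identity("service-account")]


def authenticate(token: str, now: Optional[float] = None) -> str:
    """Full flow: verify the token, then map it to an identity; returns its name."""
    claims = verify_token(token, SIGNER, now)
    return resolve_identity(claims, SIGNER, IDENTITIES).name


if __name__ == "__main__":
    tok = mint_token(SIGNER, {"iss": SIGNER.issuer, "aud": SIGNER.audience,
                              "email": "alice@example.test", "exp": time.time() + 300})
    print(authenticate(tok))   # alice-laptop
```

The order matters: signature and algorithm are checked before any claim is trusted, and the external-ID lookup insists on exactly one match, which is why the page requires external IDs to be unique across the network.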
Console reference
JWT signers table
The JWT Signers tab manages trust relationships with external Identity Providers (IdPs). This allows the controller to validate tokens issued by third-party systems.
| Column | Description |
|---|---|
| Name | The unique name given to the external JWT signer. |
| Issuer | The value of the iss (issuer) claim in the JWT, identifying the entity that issued the token. |
| Audience | The intended recipient of the token, used to verify the token was meant for this network. |
| Enabled | A status indicator showing if the controller is currently accepting tokens from this signer. |
| Created At | The date and time the signer configuration was added. |
| ID | The unique, system-assigned ID (UUID) for the signer. |