Lighthouse SSOi Oauth
SSOi OAuth: Token Introspect Service
These services are necessary for Lighthouse services to verify the Access Token obtained on successful login through SSOi OAuth. This verification is required to authorize API requests from client applications to various Lighthouse APIs.
Overview and Terminology
SSOi is operated by the VA Identity and Access Management (IAM) team - the same team that operates MPI. SSOi and MPI are independent systems (one might be up or down separately from the other) but they do interact with one another.
This integration relates to the OAuth signin pattern provided by SSOi.
Introspect Service
This service provides partners implementing an OAuth client or resource server the ability to access the Introspect endpoint to validate the access token and obtain a full set of user traits.
Integration Endpoints
For Introspect and UserInfo, the following endpoint pattern is used: https://<env>.fed.eauth.va.gov:444/<contextroot>/sps/oauth/oauth20/<endpoint name>
We are configured to use ContextRoot=oauthi
The fully qualified endpoint URLs for the Introspect service are as follows:
Introspect
- iDEV: https://int.fed.eauth.va.gov:444/oauthi/sps/oauth/oauth20/introspect
- SQA: https://sqa.fed.eauth.va.gov:444/oauthi/sps/oauth/oauth20/introspect
- PREPROD: https://preprod.fed.eauth.va.gov:444/oauthi/sps/oauth/oauth20/introspect
- PROD: https://fed.eauth.va.gov:444/oauthi/sps/oauth/oauth20/introspect
Required Configuration
VA signed certificates are required for access to the Introspect endpoint.
The current certificates are named lighthouse-ssoi-oauth-{env}-cert.pem. The private key is stored in AWS Parameter Store under /dvp/<env>/ssoi-oauth-key.
The public key for the certificate is added to the SSOi truststore, which is what allows SSOi to accept the client certificate during the mutual TLS handshake.
You should be able to test that the certificate is functioning by running a curl command from a fwdproxy instance:

```shell
curl -v --cert /etc/pki/tls/certs/lighthouse-ssoi-oauth-dev-cert.pem --key /etc/pki/tls/private/lighthouse-ssoi-oauth-dev.key https://int.fed.eauth.va.gov:444/oauthi/sps/oauth/oauth20/introspect
# NOTE: without the --cert and --key flags you should get an HTML page with an error indicating the client SSL failure.
# With the approved cert and key you should get a 400 Bad Request (we aren't providing a valid request; we are just checking SSL client certs and connectivity).
```
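The snippet below is an added example, not code from this page or from the Lighthouse project. It expands the endpoint pattern above for each environment, calls Introspect over mutual TLS with the VA-signed client certificate and key described under Required Configuration, and then decides whether the response authorizes an API request. The response handling assumes an RFC 7662 style JSON body (`active`, `exp`, `nbf`, `scope`); the exact SSOi payload is not documented on this page, so `SAMPLE_RESPONSE` is a constructed value and the field names are an assumption.

```python
"""Added example: build SSOi introspect URLs and evaluate an introspection
response before authorizing a request. Not part of the original page."""
import json
import ssl
import time
import urllib.request
from typing import Optional, Tuple
from urllib.parse import urlencode

# Environment -> hostname, taken from the endpoint list on this page.
SSOI_HOSTS = {
    "idev": "int.fed.eauth.va.gov",
    "sqa": "sqa.fed.eauth.va.gov",
    "preprod": "preprod.fed.eauth.va.gov",
    "prod": "fed.eauth.va.gov",
}
CONTEXT_ROOT = "oauthi"  # the context root this integration is configured with


def introspect_url(env: str, endpoint: str = "introspect") -> str:
    """Expand https://<env>.fed.eauth.va.gov:444/<contextroot>/sps/oauth/oauth20/<endpoint name>."""
    host = SSOI_HOSTS[env.lower()]
    return f"https://{host}:444/{CONTEXT_ROOT}/sps/oauth/oauth20/{endpoint}"


def evaluate_introspection(body: dict, required_scope: Optional[str] = None,
                           now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (authorized, reason) for an introspection body.

    Fails closed: anything missing or malformed denies the request.
    Field names follow RFC 7662 (assumption; SSOi's payload may differ).
    """
    now = time.time() if now is None else now
    if body.get("active") is not True:
        return False, "token not active"
    exp = body.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"
    nbf = body.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        return False, "token not yet valid"
    if required_scope:
        granted = set(str(body.get("scope", "")).split())
        if required_scope not in granted:
            return False, f"missing scope {required_scope}"
    return True, "ok"


def introspect(env: str, token: str, cert_path: str, key_path: str, timeout: int = 10) -> dict:
    """POST the token to the Introspect endpoint over mutual TLS.

    Network call, not exercised offline. cert_path/key_path are the
    lighthouse-ssoi-oauth-{env}-cert.pem certificate and its private key.
    """
    ctx = ssl.create_default_context()          # verifies the SSOi server chain
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)  # presents our client cert
    data = urlencode({"token": token}).encode()
    req = urllib.request.Request(introspect_url(env), data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.load(resp)


# Constructed sample response for offline use (not a real SSOi payload).
SAMPLE_RESPONSE = {
    "active": True,
    "scope": "openid profile",
    "exp": 1_700_003_600,
    "nbf": 1_700_000_000,
    "sub": "EXAMPLE-SUBJECT",
}

if __name__ == "__main__":
    print(introspect_url("prod"))
    print(evaluate_introspection(SAMPLE_RESPONSE, required_scope="openid", now=1_700_000_100))
```

The check is deliberately strict: an inactive token, a missing or past `exp`, or a missing required scope all deny the request, so a malformed or partial response from SSOi never results in an authorized call.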
Known External Dependencies
n/a
Troubleshooting
n/a
Outage Status and Maintenance Windows
Service Level Agreement
TBD
Escalation Procedure
IAM has a 24x7 on call rotation for production SSOi issues.
Per communications from IAM team:
If VA.gov notices a Prod issue and needs IAM support, the best escalation path is to create a SNOW ticket and ask for it to be assigned to 'AcS Tier 3'.
Contacts
IAM Team:
Role | Name
---|---
Architect | Damien DeAntonio
Architect | Perry Vessels
IAM Contact | Linda Lotier (Engility)
IAM Engineering Resource | Prashant Mukadam (By Light)
Project Manager | LeeAnne Branum
Lighthouse team:
Role | Name
---|---
Product Manager | Shawnee Petrosky
Lighthouse Sr Engineer | Beau Grantham
Lighthouse Engineer | Derek Brown