
SSOi OAuth: Token Introspect Service

These services are necessary for Lighthouse services to verify the Access Token obtained on successful login through SSOi OAuth. This verification is required to authorize API requests from client applications to various Lighthouse APIs.

Overview and Terminology

SSOi is operated by the VA Identity and Access Management (IAM) team - the same team that operates MPI. SSOi and MPI are independent systems (one might be up or down separately from the other) but they do interact with one another.

This integration relates to the OAuth signin pattern provided by SSOi.

Introspect Service

This service provides partners implementing an OAuth client or resource server the ability to access the Introspect endpoint to validate the access token and obtain a full set of user traits.

Integration Endpoints

For Introspect and UserInfo, the following endpoint pattern is used: https://<env>.fed.eauth.va.gov:444/<contextroot>/sps/oauth/oauth20/<endpoint name>

We are configured to use ContextRoot=oauthi

The fully qualified endpoint URLs for the Introspect service are as follows:

  • Introspect

    • iDEV: https://int.fed.eauth.va.gov:444/oauthi/sps/oauth/oauth20/introspect

    • SQA: https://sqa.fed.eauth.va.gov:444/oauthi/sps/oauth/oauth20/introspect

    • PREPROD: https://preprod.fed.eauth.va.gov:444/oauthi/sps/oauth/oauth20/introspect

    • PROD: https://fed.eauth.va.gov:444/oauthi/sps/oauth/oauth20/introspect

Required Configuration

VA signed certificates are required for access to the Introspect endpoint.

  • The current certificates are named lighthouse-ssoi-oauth-{env}-cert.pem.

  • The private key is stored in AWS Parameter Store under /dvp/<env>/ssoi-oauth-key

  • The Public Key for the certificate is added to the SSOi truststore.

You should be able to test that the certificate is functioning by running some curl commands from a fwdproxy instance.

curl -v \
  --cert /etc/pki/tls/certs/lighthouse-ssoi-oauth-dev-cert.pem \
  --key /etc/pki/tls/private/lighthouse-ssoi-oauth-dev.key \
  https://int.fed.eauth.va.gov:444/oauthi/sps/oauth/oauth20/introspect

# NOTE: without the --cert and --key flags you should get an HTML page with an error indicating the client SSL failure.
#       With the approved cert and key you should get a 400 Bad Request (we aren't sending a valid request;
#       we are just checking client SSL certs and connectivity).
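As an added example (not code from the SSOi documentation or the Lighthouse project), the following Python builds the Introspect URL from the endpoint pattern above and interprets the three replies this page describes (HTML client-SSL failure, 400 for a connectivity check without a valid request, JSON for a real introspection). It assumes the endpoint follows RFC 7662 (form-encoded "token" parameter, JSON reply carrying an "active" field); the response samples in the test are constructed.

```python
"""Added example: SSOi Introspect URL construction and reply interpretation.
Assumes an RFC 7662 style endpoint (POST, form-encoded token, JSON reply)."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

CONTEXT_ROOT = "oauthi"  # value the page says Lighthouse is configured for
ENV_HOSTS = {  # env -> host, taken from the page's endpoint list
    "idev": "int.fed.eauth.va.gov",
    "sqa": "sqa.fed.eauth.va.gov",
    "preprod": "preprod.fed.eauth.va.gov",
    "prod": "fed.eauth.va.gov",
}


def introspect_url(env: str, endpoint: str = "introspect") -> str:
    """https://<env>.fed.eauth.va.gov:444/<contextroot>/sps/oauth/oauth20/<endpoint name>"""
    host = ENV_HOSTS[env.lower()]
    return f"https://{host}:444/{CONTEXT_ROOT}/sps/oauth/oauth20/{endpoint}"


def classify_response(status: int, content_type: str, body: bytes) -> str:
    """Map a raw reply to: client-ssl-failure, bad-request, active, inactive or unexpected."""
    if "text/html" in content_type:
        return "client-ssl-failure"  # page: HTML error page when no client cert is presented
    if status == 400:
        return "bad-request"  # page: mTLS and connectivity OK, request itself not valid
    if status == 200 and "application/json" in content_type:
        data = json.loads(body)
        # RFC 7662: "active" is the only mandatory field; anything but true means do not authorize
        return "active" if data.get("active") is True else "inactive"
    return "unexpected"


def introspect(env: str, token: str, cert_pem: str, key_pem: str) -> str:
    """POST the token using the VA-signed client certificate; returns classify_response()'s label."""
    ctx = ssl.create_default_context()
    ctx.load_cert_chain(certfile=cert_pem, keyfile=key_pem)  # lighthouse-ssoi-oauth-{env}-cert.pem + key
    data = urllib.parse.urlencode({"token": token}).encode()
    req = urllib.request.Request(introspect_url(env), data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return classify_response(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as e:  # 4xx/5xx replies still carry a body worth classifying
        return classify_response(e.code, e.headers.get("Content-Type", ""), e.read())
```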

Known External Dependencies

n/a

Troubleshooting

n/a

Outage Status and Maintenance Windows

Service Level Agreement

TBD

Escalation Procedure

IAM has a 24x7 on call rotation for production SSOi issues.

Per communications from IAM team:

If VA.gov notices a Prod issue and needs IAM support, the best escalation path is to create a SNOW ticket and ask for it to be assigned to ‘AcS Tier 3’.

Contacts

IAM Team:

Role                       Name                           E-mail
Architect                  Damien DeAntonio               Damien.DeAntonio@va.gov
Architect                  Perry Vessels                  Perry.Vessels@va.gov
IAM Contact                Linda Lotier (Engility)        Linda.Lotier@va.gov
IAM Engineering Resource   Prashant Mukadam (By Light)    Prashant.Mukadam@va.gov
Project Manager            LeeAnne Branum                 LeeAnne.Branum@va.gov

Lighthouse team:

Role                       Name                           E-mail
Product Manager            Shawnee Petrosky               shawnee.blair@va.gov
Lighthouse Sr Engineer     Beau Grantham                  beau.grantham@va.gov
Lighthouse Engineer        Derek Brown                    derek.brown5@va.gov
