SSOe OAuth: Token Introspect Service and Secure Token Service (STS)
These services are necessary for the VA.gov API service to verify the Access Token obtained on successful login through SSOe OAuth. This verification is required to authorize API requests from the client (currently the VA Mobile App).
Overview and Terminology
SSOe is operated by the VA Identity and Access Management (IAM) team - the same team that operates MVI. SSOe and MVI are independent systems (one might be up or down separately from the other) but they do interact with one another.
This integration relates to the OAuth signin pattern provided by SSOe.
This service provides partners implementing an OAuth client or resource server the ability to access the Introspect endpoint to validate the access token and obtain a full set of user traits.
STS Access Token Exchange (future)
This SSOi token service offers a capability where partners can be authorized to exchange an OAuth access token for an STS SAML token.
For Introspect and UserInfo, the following endpoint pattern is used:
https://<env>.fed.eauth.va.gov:444/<contextroot>/sps/oauth/oauth20/<endpoint name>
We are configured to use ContextRoot=
We currently do not integrate with the
The fully qualified endpoint URLs for the Introspect service are as follows:
The Secure Token Service uses a different pattern.
The fully qualified endpoint URLs for the STS service are as follows:
Secure Token Exchange:
PKI Certificates are required for access to the STS and Introspect endpoints.
The current dev/staging certificate is named
The current production certificate is named
The private key is stored in AWS Parameter Store under
The Public Key for the certificate has been added to the SSOe KeyStore.
This cert was acquired from the VA PKI team. See here for how to get internal certs from the VA.
You should be able to test that the certificate is functioning by running some curl commands from a fwdproxy instance.
curl -v --cert /etc/pki/tls/certs/vagov-mobile-app-api-server-lowers.pem --key /etc/pki/tls/private/vagov-mobile-app.key https://int.fed.eauth.va.gov:444/oauthe/sps/oauth/oauth20/introspect
# NOTE: without the cert and key flags you should get an html page with an error indicating the client ssl failure
# with the approved cert and key you should get a 400 bad request (we aren't providing a valid request; we are just checking ssl client certs and connectivity)
curl -v --cert /etc/pki/tls/certs/vagov-mobile-app-api-server-lowers.pem --key /etc/pki/tls/private/vagov-mobile-app.key https://int.services.eauth.va.gov:9301/STS/ReguestSecurityToken
# NOTE: without the cert and key we should see an error in the ssl handshake
# with approved cert and key we should see a successful ssl handshake and a soap response
Known External Dependencies
Outage Status and Maintenance Windows
Service Level Agreement
IAM has a 24x7 on call rotation for production SSOe issues.
Per communications from IAM team:
If VA.gov notices a Prod issue and needs IAM support, the best escalation path is to create a SNOW ticket and ask for it to be assigned to ‘AcS Tier 3’.
Linda Lotier (Engility)
IAM Engineering Resource
Prashant Mukadam (By Light)
VA Mobile team:
Ad Hoc Engineer
Ad Hoc Engineer
Ad Hoc Engineer