These services are necessary for VA.gov API service to verify the Access Token obtained on successul login through SSOe OAuth. This verification is required to authorize API requests from the client (currently the VA Mobile App).

Overview and Terminology

SSOe is operated by the VA Identity and Access Management (IAM) team - the same team that operates MVI. SSOe and MVI are independent systems (one might be up or down separately from the other) but they do interact with one another.

This integration relates to the OAuth signin pattern provided by SSOe.

Introspect Service

This service provides partners implementing an OAuth client or resource server the ability to access the Introspect endpoint to validate the access token and obtain a full set of user traits.

STS Access Token Exchange (future)

This SSOi token service offers a capability where partners can be authorized to exchange an OAuth access token for a STS SAML token.

Integration Endpoints

For Introspect and UserInfo, the following endpoint pattern is used: https:// <env> .fed.eauth.va.gov:444/ <contextroot> /sps/oauth/oauth20/ <endpoint name>

We are configured to use ContextRoot=oauthe

We currently do not integrate with the userinfo endpoint.

The fully qualified endpoint URLs for the Introspect service are as follows:

  • Introspect

    • iDEV: https://int.fed.eauth.va.gov:444/oauthe/sps/oauth/oauth20/introspect

    • SQA: https://sqa.fed.eauth.va.gov:444/oauthe/sps/oauth/oauth20/introspect

    • PREPROD: https://preprod.fed.eauth.va.gov:444/oauthe/sps/oauth/oauth20/introspect

    • PROD: https://fed.eauth.va.gov:444/oauthe/sps/oauth/oauth20/introspect

The Secure Token Service uses a different pattern.

The fully qualified endpoint URLs for the STS service are as follows:

  • Secure Token Exchange:

    • iDEV: https://int.services.eauth.va.gov:9301/STS/ReguestSecurityToken

    • SQA: https://sqa.services.eauth.va.gov:9301/STS/ReguestSecurityToken

    • PREPROD: https://preprod.services.eauth.va.gov:9301/STS/ReguestSecurityToken

    • PROD: https://services.eauth.va.gov:9301/STS/ReguestSecurityToken

Required Configuration

PKI Certificates are required for access to the STS and Introspect endpoints.

  • The current dev/staging certificate is named Mobile_App_API_Server_Lowers.cer.

  • The current production certificate is named Mobile_App_API_Server.cer.

  • The private key is stored in AWS Parameter Store under /dsva-vagov/vets-api/<env>/mobile_app_api_key

  • The Public Key for the certificate has been added to the SSOe KeyStore.

  • This cert was acquired from the VA PKI team. See here for how to get internal certs from the VA.

You should be able to test that the certificate is functioning by running some curl commands from a fwdproxy instance.

curl -v --cert /etc/pki/tls/certs/vagov-mobile-app-api-server-lowers.pem --key /etc/pki/tls/private/vagov-mobile-app.key https://int.fed.eauth.va.gov:444/oauthe/sps/oauth/oauth20/introspect
# NOTE: without the cert and key flags you should get an html page with an error indicating the client ssl failure
#       with the approved cert and key you should get a 400 bad request (we aren't providing valid request we are just checking ssl client certs and connectivity)

curl -v --cert /etc/pki/tls/certs/vagov-mobile-app-api-server-lowers.pem --key /etc/pki/tls/private/vagov-mobile-app.key https://int.services.eauth.va.gov:9301/STS/ReguestSecurityToken
# NOTE: without the cert and key we should see an error in the ssl handshake
#       with approved cert and key we should see a successful ssl handshake and a soap response
CODE

Known External Dependencies

n/a

Troubleshooting

n/a

Outage Status and Maintenance Windows

Service Level Agreement

TBD

Escalation Procedure

IAM has a 24x7 on call rotation for production SSOe issues.

Per communications from IAM team:

If VA.gov notices a Prod issues and needs IAM support the best escalation path is to create a SNOW ticket and ask for it to be assigned to ‘AcS Tier 3’.

Contacts

IAM Team:

Role

Name

E-mail

Architect

Damien DeAntonio

Damien.DeAntonio@va.gov

Architect

Perry Vessels

Perry.Vessels@va.gov

IAM Contact

Linda Lotier (Engility)

Linda.Lotier@va.gov

IAM Engineering Resource

Prashant Mukadam (By Light)

Prashant.Mukadam@va.gov

Project Manager

LeeAnne Branum

LeeAnne.Branum@va.gov

VA Mobile team:

Role

Name

E-mail

Product Manager

Ayush Chakravarty

ayush@adhocteam.us

Ad Hoc Engineer

Jonathan Julian

jonathan@adhocteam.us

Ad Hoc Engineer

Patrick Saxton

patrick.saxton@adhocteam.us

Ad Hoc Engineer

Alastair Dawson

alastair@adhocteam.us