Your suggested change has been received. Thank you.

Administration
API Reference
Release Notes

All

All
CipherTrust Manager
CipherTrust Application Data Protection (CADP)
CipherTrust Application Key Management (CAKM)
CipherTrust Batch Data Transformation (BDT)
CipherTrust Cloud Key Management (CCKM)
CipherTrust Data Discovery and Classification (DDC)
CipherTrust Data Protection Gateway (DPG)
CipherTrust Database Protection (CDP)
CipherTrust Intelligent Protection (CIP)
CipherTrust Integrations
CipherTrust Migrations
CipherTrust RESTful Data Protection (CRDP)
CipherTrust Transparent Encryption (CTE)
CipherTrust Transparent Encryption Userspace (CTE-U)
CipherTrust Secrets Management (CSM)
CipherTrust Vaulted Tokenization (CT-V)
CipherTrust Vaultless Tokenization (CT-VL)
CTE-Linux
CTE-Windows
CTE-AIX
CTE-K8s
CTE-U
Crypto Command Center
Data Protection on Demand
Luna Cloud HSM
Luna Network HSM
Luna PCIe HSM
Luna USB HSM
OneWelcome Identity Platform
ProtectApp LUKS
ProtectServer 2 HSM
ProtectServer 3 HSM
SafeNet Trusted Access (STA)
SafeNet MobilePASS+
SafeNet MobilePASS+ for Android
SafeNet MobilePASS+ for Chrome
SafeNet MobilePASS+ for macOS
SafeNet MobilePASS+ for iOS
SafeNet MobilePASS+ for WatchOS
SafeNet MobilePASS+ for Windows
SafeNet Synchronization Agent
SafeNet Logging Agent
SafeNet Agent for FreeRADIUS
SafeNet Agent for NPS
SafeNet Agent for Windows Logon
SafeNet Authentication Service Private Cloud Edition (SAS PCE)
SafeNet Remote Logging Agent
SafeNet Keycloak Agent
SafeNet IDPrime Virtual (IDPV)
SafeNet FIDO Key Manager
SafeNet FIDO Key Manager for Android
SafeNet FIDO Key Manager for iOS
SafeNet FIDO Key Manager for Windows

Configure CRDP with identity providers

Configure AWS as IdP

Please Note:

Administration
CRDP Workflow
Quick Start
Alternative Deployment Methods
- Deploy CRDP in Kubernetes Environment (without Helm Chart)
- Deploy CRDP as a Standalone Container
Advanced Topics
- Concepts
- Environment Variables
- CRDP Logging
- Authorization using JWT Verification
- Performance Metrics
- JWKS URL
- Behavior on Container Shutdown
- Upgrade CRDP
Tasks
- Perform operations using APIs
- Change key manager
- Change application
- Configure User for Access Policy
- Deploy CRDP on custom port
- Change TLS settings between application and CRDP
- Manually renew client certificate
- View logs in Kubernetes environment
- Monitoring CRDP health
- Configure CRDP with identity providers
  - Configure AWS as IdP
  - Configure Azure AD as IdP
  - Configure GCP as IdP
Examples
- Protect data
- Reveal data
- Bulk protect
- Bulk reveal
Troubleshooting

CRDP
Administration
Tasks
Configure CRDP with identity providers
Configure AWS as IdP

Configure AWS as IdP

This article provides the steps required to set up Amazon Cognito as an Identity Provider (IdP), which would be helpful for creating applications that require JWT verification.

Requirements

An active AWS account
Access to the Cognito service to get the JWT token

Creating the JWT Token

Go to the Amazon Cognito console. If prompted, enter your AWS credentials.
Click Create user pool.
Authentication providers screen appears. Select Cognito user pool under Provider types, check Email under Cognito user pool sign-in options, and click Next.
Password policy screen appears. Select Cognito defaults under Password policy mode, select No MFA under MFA enforcement, keep the default options under User account recovery, and click Next.
Configure sign-up experience screen appears. Keep all the default options, select name and other attributes in Additional required attributes under Required attributes, and click Next.
Configure message delivery screen appears. Select Send email with Cognito in Email and click Next.
Integrate your app screen appears. Enter the User pool name, check Use the Cognito Hosted UI under Hosted authentication pages.
In the Domain section, select Use a Cognito domain, and enter the domain name.
In the Initial app client section, enter the App client name, and select Generate a client secret under Client secret.
Enter the URL https://oauth.pstmn.io/v1/callback under Allowed callback URLs and select authentication flows as ALLOW_USER_PASSWORD_AUTH under Advanced app client settings.
In the Identity providers section, select identity providers as Cognito user pool, select OAuth 2.0 grant types as Authorization code grant and Implicit grant under OAuth 2.0 grant types. Select OIDC scopes as OpenID, Phone, and Email under OpenID Connect scopes, and click Next.
Review and create page appears. Review all your settings and click Create user pool.
Click the newly created pool and select the User tab, and click Create user.
In the User Information section, enter the email address, check Mark email address as verified, set a password for the user, and click Create user.
Select the App Integration tab on the pool detailed information page and click App client name.
Go to the Hosted UI section and click View Hosted UI.
Sign up page appears. Enter the email address and password, which you have set earlier, and you will be prompted to change the password. After changing the password, the message Your call is authenticated appears, which means authentication is completed.
Open Postman and create a new request. Select OAuth 2.0 under Authorization Type and select Request URL under Add authorization data to.
Go to the Configure New Token section, fill the necessary fields, and click Get New Access Token. It will ask for credentials. After entering the correct credentials, Authentication complete screen appears, which will disappear automatically after 5 seconds, and will generate the required tokens id_token, access_token or refresh_token. The id_token is required as JWT.
- Token Name: Provide any token name.
- Grant Type: Select Authorization code or Implicit.
- Callback URL: Enter the value https://oauth.pstmn.io/v1/callback.
- Auth URL: /oauth2/authorize.
- Access Token URL: /oauth2/token.
- ClientID: Copy the value from App client information page.
- Client Secret: Copy the value from App client information page.
- Scope: Keep it as empty.
- State: Keep it as empty.
- Client Authentication: Select Send as Basic Auth Header.
  Note
  For Grant Type as Implicit, the Access Token URL and Client Secret options are not required, rest are the same.
Decode the id_token using https://jwt.io/, you will get the issuer name in the iss field of the payload. Copy the kid from the header section, go to newly created pool information page, click Token signing key URL to get the list of JWK keys, and search for the kid. After getting the used JWK key, convert it into the PEM format using https://8gwifi.org/jwkconvertfunctions.jsp. These fields are required while setting up the CRDP application.

Calling the CRDP APIs

Create a CRDP application with JWT verification enabled on the CipherTrust Manager using the public key and issuer, which you got in the above steps. Create a protection policy, access policy, and user sets, which will be used in the CRDP APIs.
Select the Authorization tab, select Type as Bearer Token, and enter the value of JWT token.
Run the CRDP APIs to get the response.

On this page

Requirements
Creating the JWT Token
Calling the CRDP APIs

CRDP

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Support
Legal
- End User License Agreement
- Disclaimer

© Copyright 2019-2025, Thales Group

+1 410-469-1651 supportportal.thalesgroup.com

Suggest A Change

Thank you! Your suggestion has been submitted.

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

There are some errors in your form.

Your Name This field is required

Your Email This field is required

How can we improve this content? This field is required

Print

Suggest An Edit

Download this Page

Download Project

Copy Link

Copy Link

Copy Link