For the ColdFusion 2023 release, we are adding 2 important security enhancements: JSON Web Tokens (JWT) and SAML/LDAP support for ColdFusion Administrator login.
JSON Web Tokens
JWT is an open standard for passing signed (and optionally encrypted) claims between a client and a server in a verifiable way. It is designed to ease the burden on authentication services, especially in microservices-based architectures. ColdFusion supports the three related specifications: JWT (JSON Web Token), JWS (JSON Web Signature) and JWE (JSON Web Encryption).
As an example, to generate and then verify a signed JWT in CFML, you could use the following code:
// Load the RSA key pair from a Java keystore (the keystore and alias are placeholders)
keypairval = getKeyPairFromKeystore({
    "keystore" = "#ExpandPath('.keys/file.keystore')#",
    "keystoreAlias" = "contentKey",
    "keystorePassword" = "password",
    "keypairPassword" = "password"
})

// Registered claims: issuer, subject, audience, expiry and issued-at
payload_jws = {
    "iss" = "a",
    "sub" = "b",
    "aud" = "user",
    "exp" = DateAdd("n", 30, now()),
    "iat" = DateAdd("n", -30, now())
}

// Signing options: RS256 (RSA + SHA-256), auto-generated iat and jti claims
algo = {
    "algorithm" = "RS256",
    "generateIssuedAt" = true,
    "generateJti" = true
}

// Sign with the private key, then verify with the matching public key
output = CreateSignedJWT(payload_jws, keypairval.getPrivate(), algo)
res = VerifySignedJWT(output, keypairval.getPublic(), algo)
writeDump(res)
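The CFML sample above delegates the token format to ColdFusion's built-in functions. To show what those functions are doing under the hood, here is an added example (not part of the original post and not ColdFusion code) that builds and verifies a compact JWS in plain Python using only the standard library. It uses an HMAC (HS256) key rather than the RSA keystore pair, so the same constructed secret signs and verifies; the claim names match the ones used above. The verifier pins the expected algorithm, checks the signature in constant time, and enforces the exp, nbf and aud claims, which is the part a consuming service must get right.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment keeps keys in a keystore or secret manager.
DEMO_KEY = b"constructed-demo-secret-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    # JWS uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding stripped by b64url_encode before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_signed_jwt(claims: dict, key: bytes) -> str:
    """Build a compact JWS: base64url(header).base64url(payload).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_signed_jwt(token: str, key: bytes, audience: str, now: Optional[int] = None) -> dict:
    """Verify the signature and the exp/nbf/aud claims; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm the service expects instead of trusting the token's own header
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Recompute the MAC over the exact signing input and compare in constant time
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # Only after the signature holds do the claims mean anything
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    if claims.get("aud") != audience:
        raise ValueError("audience mismatch")
    return claims


def demo() -> dict:
    """Mirror the CFML sample: 30-minute token for audience 'user', signed then verified."""
    now = int(time.time())
    claims = {"iss": "a", "sub": "b", "aud": "user", "iat": now, "exp": now + 30 * 60}
    token = create_signed_jwt(claims, DEMO_KEY)
    return verify_signed_jwt(token, DEMO_KEY, audience="user", now=now)


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified before any claim is read, so an unsigned or tampered payload is rejected without its contents influencing the decision, and the expected algorithm comes from the verifier's configuration rather than from the token.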
For more on the JWT feature, please see our documentation here:
https://helpx.adobe.com/coldfusion/using/coldfusion-json-web-tokens.html
ColdFusion Administrator login via SAML or LDAP
In addition to JWT improving secure communication in your code, we’re also adding a quality-of-life improvement to the ColdFusion Administrator login. One issue that comes up a lot is that ColdFusion Administrator passwords require a separate, additional password list, which complicates onboarding and offboarding the programmers and DevOps staff who need access to the server. When you have multiple servers in different places, keeping control of access becomes especially hard, which has traditionally led to insecure practices.
In CF2023 we are adding the ability to control access to your ColdFusion Administrator via either LDAP or SAML authentication. Both methods allow you to use systems already in place for authentication and user control and apply them to your ColdFusion Administrator access control architecture, saving time and improving security by avoiding security anti-patterns.
When using LDAP for authentication, you can apply either individual or group permissions, while SAML allows for individual permissions only. However, both SAML and LDAP let you select which portions of the Administrator a user is allowed to access, tightening security further by following the least-privilege pattern of access.
In addition to setup via the Administrator GUI, we have also added a set of Administrator API endpoints that allow fully scripted setup (from code or the command line) of your SAML or LDAP security architecture.
For full details on all of the new API endpoints, features and instructions on how to set up both LDAP and SAML authentication, please see our documentation here: https://helpx.adobe.com/coldfusion/using/integrate-saml-ldap-coldfusion-administrator.html