Secret ID default mappings

The following groups contain the secret IDs used by the AM features, and their default mappings, if any. Expand the categories for additional information about where or how the mappings are used.

General

PEM decryption password

This table shows the secret ID in which you can store the password used to decrypt password-encrypted PEM files.

Encode the password using the https://openam.example.com:8443/openam/encode.jsp page.

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.global.services.secret.pem.decryption`		Encode using `encode.jsp`

am.global.services.secret.pem.decryption

Encode using encode.jsp

Encrypt client-side sessions

This table shows the secret ID mapping to use when encrypting client-side sessions:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.global.services.session.clientbased.encryption`	`test`	RS256

am.global.services.session.clientbased.encryption

test

RS256

To use AES-based encryption algorithms, log into the AM admin UI, select Configure > Global Services > Sessions > Advanced, and configure the secret in the Encryption Symmetric AES Key field.

Sign client-side sessions

This table shows the secret ID mapping to use when signing client-side sessions:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.global.services.session.clientbased.signing`	`rsajwtsigningkey`	RS256 ES256 ES384 ES512

am.global.services.session.clientbased.signing

rsajwtsigningkey

RS256
ES256
ES384
ES512

To use HMAC-based signing algorithms, log into the AM admin UI, select Configure > Global Services > Sessions > Advanced, and configure the secret in the Signing HMAC Shared Secret field.

OAuth 2.0 and OpenID Connect as provider

JWT authenticity signing

This table shows the secret ID mapping used to sign several OAuth 2.0 and OpenID Connect-related JWTs:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.services.oauth2.jwt.authenticity.signing`	`hmacsigningtest`	HS256 HS384 HS512

am.services.oauth2.jwt.authenticity.signing

hmacsigningtest

HS256
HS384
HS512

This key is used to sign the following tokens and requests:

OpenID Connect tokens for Web and Java Agents.
OpenID Connect tokens that are signed with an HMAC algorithm.
Macaroon access and refresh tokens.
Consent requests to remote consent agents that are signed with an HMAC algorithm.

Encrypt client-side OAuth 2.0 tokens

This table shows the secret ID mapping used to encrypt client-side access tokens:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.services.oauth2.stateless.token.encryption`	`directentest`	A128CBC-HS256

am.services.oauth2.stateless.token.encryption

directentest

A128CBC-HS256

Sign client-side OAuth 2.0 tokens

This table shows the secret ID mappings used to sign client-side access tokens:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.services.oauth2.stateless.signing.ES256`	`es256test`	ES256
`am.services.oauth2.stateless.signing.ES384`	`es384test`	ES384
`am.services.oauth2.stateless.signing.ES512`	`es512test`	ES512
`am.services.oauth2.stateless.signing.HMAC`	`hmacsigningtest`	HS256 HS384 HS512
`am.services.oauth2.stateless.signing.RSA`	`rsajwtsigningkey`	PS256 PS384 PS512 RS256 RS384 RS512

am.services.oauth2.stateless.signing.ES256

es256test

ES256

am.services.oauth2.stateless.signing.ES384

es384test

ES384

am.services.oauth2.stateless.signing.ES512

es512test

ES512

am.services.oauth2.stateless.signing.HMAC

hmacsigningtest

HS256
HS384
HS512

am.services.oauth2.stateless.signing.RSA

rsajwtsigningkey

PS256
PS384
PS512
RS256
RS384
RS512

Sign remote consent requests

This table shows the secret ID mappings used to sign remote consent requests:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.applications.agents.remote.consent.request.signing.ES256`	`es256test`	ES256
`am.applications.agents.remote.consent.request.signing.ES384`	`es384test`	ES384
`am.applications.agents.remote.consent.request.signing.ES512`	`es512test`	ES512
`am.applications.agents.remote.consent.request.signing.RSA`	`rsajwtsigningkey`	RS256 RS384 RS512 PS256 PS384 PS512

am.applications.agents.remote.consent.request.signing.ES256

es256test

ES256

am.applications.agents.remote.consent.request.signing.ES384

es384test

ES384

am.applications.agents.remote.consent.request.signing.ES512

es512test

ES512

am.applications.agents.remote.consent.request.signing.RSA

rsajwtsigningkey

RS256
RS384
RS512
PS256
PS384
PS512

If you select an HMAC algorithm for signing consent requests (HS256, HS384, or HS512), the value of the Remote Consent Service secret property is used, instead of an entry from the secret stores.

Because the HMAC secret is shared between AM and the remote consent client, a malicious user compromising the client could potentially create tokens that AM would trust. To protect against misuse, AM also signs the token using a non-shared signing key configured in the am.services.oauth2.jwt.authenticity.signing secret ID.

Decrypt remote consent responses

This table shows the secret ID mapping used to decrypt remote consent responses:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.services.oauth2.remote.consent.response.decryption`	`test`	RSA-OAEP-256

am.services.oauth2.remote.consent.response.decryption

test

RSA-OAEP-256

If you select an algorithm other than RSA-OAEP-256 for decrypting consent responses, the value of the Remote Consent Service secret property is used, instead of an entry from the secret stores.

OAuth 2.0 example remote consent service

This table shows the secret ID mappings used for the example Remote Consent Service:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.services.oauth2.remote.consent.response.signing.RSA`	`rsajwtsigningkey`	RS256 RSA (at least 2048 bits)
`am.services.oauth2.remote.consent.request.encryption`	`selfserviceenctest`	RSA-OAEP-256 RSA (at least 2048 bits)

am.services.oauth2.remote.consent.response.signing.RSA

rsajwtsigningkey

RS256
RSA (at least 2048 bits)

am.services.oauth2.remote.consent.request.encryption

selfserviceenctest

RSA-OAEP-256
RSA (at least 2048 bits)

Decrypt OpenID Connect request parameters

This table shows the secret ID mappings used to decrypt OpenID Connect request parameters:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.services.oauth2.oidc.decryption.RSA1.5`	`test`	RSA with PKCS#1 v1.5 padding
`am.services.oauth2.oidc.decryption.RSA.OAEP`	`test`	RSA with OAEP with SHA-1 and MGF-1
`am.services.oauth2.oidc.decryption.RSA.OAEP.256`	`test`	RSA with OAEP with SHA-256 and MGF-1

am.services.oauth2.oidc.decryption.RSA1.5

test

RSA with PKCS#1 v1.5 padding

am.services.oauth2.oidc.decryption.RSA.OAEP

test

RSA with OAEP with SHA-1 and MGF-1

am.services.oauth2.oidc.decryption.RSA.OAEP.256

test

RSA with OAEP with SHA-256 and MGF-1

For confidential clients, if you select an AES algorithm (A128KW, A192KW, or A256KW) or the direct encryption algorithm (dir), the value of the Client Secret field in the OAuth 2.0 Client is used as the secret, instead of an entry from the secret stores.

The following signing and encryption algorithms use the Client Secret field to store the secret:

Signing ID tokens with an HMAC algorithm
Encrypting ID tokens with AES or direct encryption
Encrypting parameters with AES or direct encryption

Store only one secret in the Client Secret field; AM will use different mechanisms to sign and encrypt depending on the algorithm. For more information, see the OpenID Connect Core 1.0 specification.

CA Certificates in mTLS client authentication

This table shows the secret ID mapping used to store the CA certificates AM should trust during mTLS client authentication:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.services.oauth2.tls.client.cert.authentication`

am.services.oauth2.tls.client.cert.authentication

Decrypt ID tokens

This table shows the secret ID mapping to support decryption of ID tokens and userinfo endpoint data in JWT format when AM is configured as a relying party of the Social Identity Provider Service:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.services.oauth2.oidc.rp.idtoken.encryption`	`test`

am.services.oauth2.oidc.rp.idtoken.encryption

test

The public key is exposed in the /oauth2/connect/rp/jwk_uri.

For more information about the algorithms supported, and how to configure this secret ID mapping, see User self-registration.

Sign JWTs and objects

This table shows the secret ID mapping that AM uses to sign JWTs and objects, when configured as a relying party of the Social Identity Provider Service:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.services.oauth2.oidc.rp.jwt.authenticity.signing`	`rsajwtsigningkey`

am.services.oauth2.oidc.rp.jwt.authenticity.signing

rsajwtsigningkey

The public key is exposed in the /oauth2/connect/rp/jwk_uri.

For more information about the algorithms supported, and how to configure this secret ID mapping, see User self-registration.

CA Certificates in mTLS Client Authentication with AM as relying party

This table shows the secret ID mapping used to store CA or self-signed certificates AM uses for mTLS client authentication when configured as a relying party of the Social Identity Provider Service:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.services.oauth2.tls.client.cert.authentication`

am.services.oauth2.tls.client.cert.authentication

The public key is exposed in the /oauth2/connect/rp/jwk_uri.

For more information about the algorithms supported, and how to configure this secret ID mapping, see User self-registration.

Web agents and Java agents

Sign agent JWTs

This table shows the secret ID mapping used to sign the JWTs provided to Web and Java agents:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.global.services.oauth2.oidc.agent.idtoken.signing`	`rsajwtsigningkey`	RS256 RS384 RS512

am.global.services.oauth2.oidc.agent.idtoken.signing

rsajwtsigningkey

RS256
RS384
RS512

Authentication

Encrypt authentication trees' secure state data

This table shows the secret ID mapping used to encrypt sensitive data stored in the secure state of an authentication tree:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.authn.trees.transientstate.encryption`	`directenctest`	AES 256-bit

am.authn.trees.transientstate.encryption

directenctest

AES 256-bit

SAML v2.0

Encrypt SAML v2.0 session storage JWTs

This table shows the secret ID mapping used to encrypt the JWTs SAML v2.0 creates in session storage:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.global.services.saml2.client.storage.jwt.encryption`	`directentest`	A256GCM

am.global.services.saml2.client.storage.jwt.encryption

directentest

A256GCM

Sign SAML v2.0 metadata

This table shows the secret ID mapping used to sign SAML v2.0 metadata:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.services.saml2.metadata.signing.RSA`	`rsajwtsigningkey`	RSA SHA-256

am.services.saml2.metadata.signing.RSA

rsajwtsigningkey

RSA SHA-256

SAML v2.0 signing and encryption

This table shows the secret ID mappings used to sign and encrypt SAML v2.0 elements:

Secret ID Default Alias Algorithms

Secret ID	Default Alias	Algorithms
`am.default.applications.federation.entity.providers.saml2.idp.encryption`	`test`	RSA with PKCS#1 v1.5 padding RSA with OAEP
`am.default.applications.federation.entity.providers.saml2.idp.signing`	`rsajwtsigningkey`	RSA SHA-1⁽¹⁾ ECDSA SHA-256 ECDSA SHA-384 ECDSA SHA-512 RSA SHA-256 RSA SHA-384 RSA SHA-512 DSA SHA-256
`am.default.applications.federation.entity.providers.saml2.sp.encryption`	`test`	RSA with PKCS#1 v1.5 padding RSA with OAEP
`am.default.applications.federation.entity.providers.saml2.sp.signing`	`rsajwtsigningkey`	RSA SHA-1⁽¹⁾ ECDSA SHA-256 ECDSA SHA-384 ECDSA SHA-512 RSA SHA-256 RSA SHA-384 RSA SHA-512 DSA SHA-256

am.default.applications.federation.entity.providers.saml2.idp.encryption

test

RSA with PKCS#1 v1.5 padding
RSA with OAEP

am.default.applications.federation.entity.providers.saml2.idp.signing

rsajwtsigningkey

RSA SHA-1⁽¹⁾
ECDSA SHA-256
ECDSA SHA-384
ECDSA SHA-512
RSA SHA-256
RSA SHA-384
RSA SHA-512
DSA SHA-256

am.default.applications.federation.entity.providers.saml2.sp.encryption

test

RSA with PKCS#1 v1.5 padding
RSA with OAEP

am.default.applications.federation.entity.providers.saml2.sp.signing

rsajwtsigningkey

RSA SHA-1⁽¹⁾
ECDSA SHA-256
ECDSA SHA-384
ECDSA SHA-512
RSA SHA-256
RSA SHA-384
RSA SHA-512
DSA SHA-256

⁽¹⁾ This algorithm is for compatibility purposes only, and its use should be avoided.

You can specify a custom secret ID identifier for each hosted SAML v2.0 entity provider in a realm, which creates new secret IDs. These secret IDs can be unique to the provider, or shared by multiple providers.

For example, you could add a custom secret ID identifier named mySamlSecrets to a hosted identity provider.

AM dynamically creates the following secret IDs, which the hosted identity provider uses for signing and encryption:

am.applications.federation.entity.providers.saml2.mySamlSecrets.signing
am.applications.federation.entity.providers.saml2.mySamlSecrets.encryption

AM will attempt to look up the secrets with the custom secret ID identifier. If unsuccessful, AM will look up the secrets using the default secret IDs.

Identity Cloud

Secret ID default mappings

General

OAuth 2.0 and OpenID Connect as provider

OAuth 2.0 and OpenID Connect as client/relying party of the social identity provider service

Web agents and Java agents

Authentication

SAML v2.0