Secret ID default mappings
The following groups list the secret IDs used by the AM features and their default mappings, if any, together with information about where or how each mapping is used.
General
PEM decryption password
This table shows the secret ID in which you can store the password used to decrypt password-encrypted PEM files.
Encode the password using the https://openam.example.com:8443/openam/encode.jsp page.
Secret ID | Default Alias | Algorithms |
---|---|---|
| | Encode using |
Encrypt client-side sessions
This table shows the secret ID mapping to use when encrypting client-side sessions:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | RS256 |
To use AES-based encryption algorithms, log into the AM admin UI, select Configure > Global Services > Sessions > Advanced, and configure the secret in the Encryption Symmetric AES Key field.
Sign client-side sessions
This table shows the secret ID mapping to use when signing client-side sessions:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | RS256 |
To use HMAC-based signing algorithms, log into the AM admin UI, select Configure > Global Services > Sessions > Advanced, and configure the secret in the Signing HMAC Shared Secret field.
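To see which of these mappings a deployment is actually exercising, look at the protected header of an issued token: alg (plus enc for an encrypted token) identifies the algorithm row, and kid, where the issuer sets one, names the key alias. The Go program below is an added example and not AM code. It classifies a compact-serialized token as JWS or JWE and decodes the header without verifying or decrypting anything, then flags the cases a reviewer would want to notice (an unsecured token, an HMAC signature, PKCS#1 v1.5 key wrapping). The sample tokens are constructed inline with placeholder payload and signature parts, and the kid values are invented.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Header holds the JOSE header members that identify a secret mapping: alg (and enc
// for a JWE) pick the algorithm row, and kid, when the issuer sets one, names the key alias.
type Header struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
	Kid string `json:"kid"`
}

// Inspection is what can be learned from a token without holding any of its keys.
type Inspection struct {
	Kind   string // "JWS", "JWE" or "invalid"
	Header Header
	Note   string // something a reviewer should act on, if anything
}

// Inspect classifies a compact-serialized token by its part count and decodes the protected
// header. It neither verifies nor decrypts, so the header must be treated as attacker-controlled:
// use it to find the right mapping, never to decide which key to trust.
func Inspect(token string) Inspection {
	parts := strings.Split(strings.TrimSpace(token), ".")
	kind := map[int]string{3: "JWS", 5: "JWE"}[len(parts)]
	if kind == "" {
		return Inspection{Kind: "invalid", Note: fmt.Sprintf("%d parts; a JWS has 3 and a JWE 5", len(parts))}
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Inspection{Kind: "invalid", Note: "header is not base64url: " + err.Error()}
	}
	var h Header
	if err := json.Unmarshal(raw, &h); err != nil {
		return Inspection{Kind: "invalid", Note: "header is not a JSON object: " + err.Error()}
	}
	ins := Inspection{Kind: kind, Header: h}
	switch {
	case kind == "JWS" && strings.EqualFold(h.Alg, "none"):
		ins.Note = "unsecured JWS (alg none): nothing vouches for the payload"
	case kind == "JWS" && strings.HasPrefix(h.Alg, "HS"):
		ins.Note = "HMAC-signed: every party able to verify can also mint tokens"
	case kind == "JWE" && h.Alg == "RSA1_5":
		ins.Note = "PKCS#1 v1.5 key wrapping: RFC 8017 recommends OAEP for new applications"
	case kind == "JWE" && h.Enc == "":
		ins.Note = "JWE header without enc: malformed"
	}
	return ins
}

// sample builds a constructed token: a real header followed by placeholder parts. The
// payload and the signature or ciphertext parts are not valid, and Inspect never reads them.
func sample(header string, n int) string {
	parts := []string{base64.RawURLEncoding.EncodeToString([]byte(header))}
	for i := 1; i < n; i++ {
		parts = append(parts, base64.RawURLEncoding.EncodeToString([]byte(fmt.Sprintf("part%d", i))))
	}
	return strings.Join(parts, ".")
}

func main() {
	for _, tok := range []string{
		sample(`{"alg":"RS256","kid":"session-signing"}`, 3),      // default client-side session signing row
		sample(`{"alg":"HS256"}`, 3),                              // after switching to the HMAC shared secret
		sample(`{"alg":"RSA-OAEP-256","enc":"A128CBC-HS256"}`, 5), // an encrypted client-side token
		sample(`{"alg":"RSA1_5","enc":"A256GCM"}`, 5),
		"not-a-token",
	} {
		ins := Inspect(tok)
		fmt.Printf("%-7s alg=%-13s enc=%-14s kid=%-16s %s\n", ins.Kind, ins.Header.Alg, ins.Header.Enc, ins.Header.Kid, ins.Note)
	}
}
```

Run it against a real session cookie value or access token (copied from a test client, never a production user) to confirm the algorithm matches the row you configured. Because the header is unauthenticated, the output tells you which mapping to look up; a verifier must still pin the expected algorithm rather than honour whatever alg the token announces.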
OAuth 2.0 and OpenID Connect as provider
JWT authenticity signing
This table shows the secret ID mapping used to sign several OAuth 2.0 and OpenID Connect-related JWTs:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | HS256 |
This key is used to sign the following tokens and requests:
Encrypt client-side OAuth 2.0 tokens
This table shows the secret ID mapping used to encrypt client-side access tokens:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | A128CBC-HS256 |
Sign client-side OAuth 2.0 tokens
This table shows the secret ID mappings used to sign client-side access tokens:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | ES256 |
| | ES384 |
| | ES512 |
| | HS256 |
| | PS256 |
Sign remote consent requests
This table shows the secret ID mappings used to sign remote consent requests:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | ES256 |
| | ES384 |
| | ES512 |
| | RS256 |
If you select an HMAC algorithm for signing consent requests ( Because the HMAC secret is shared between AM and the remote consent client, a malicious user compromising the client could potentially create tokens that AM would trust. To protect against misuse, AM also signs the token using a non-shared signing key configured in the
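The caveat above, that a shared HMAC secret lets whoever can verify also mint tokens, which is why AM additionally signs with a key it does not share, applies equally when an HMAC algorithm is chosen for signing client-side sessions or client-side OAuth 2.0 tokens. The Go program below is an added example and not AM's code. It models the two verification policies with a nested JWS: an HS256 JWS under the shared secret, wrapped in an ES256 JWS under a key only AM holds. The claims, shared secret and keys are constructed in-process, and the nesting is an illustrative stand-in for however AM combines the two signatures, which this page does not specify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
)

// JOSE compact serialization uses unpadded base64url.
var b64 = base64.RawURLEncoding

// signHS256 creates a compact JWS over payload with the shared secret.
func signHS256(payload, secret []byte) string {
	input := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyHS256 recomputes the MAC: whoever can run this check holds the secret and could have minted the token.
func verifyHS256(token string, secret []byte) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	return err == nil && hmac.Equal(sig, mac.Sum(nil))
}

// signES256 signs with a P-256 private key. A JWS ES256 signature is the raw R||S pair, each
// left-padded to 32 bytes (RFC 7518 section 3.4), not the DER that ecdsa.SignASN1 would emit.
func signES256(payload []byte, key *ecdsa.PrivateKey) string {
	input := b64.EncodeToString([]byte(`{"alg":"ES256"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		panic(err) // only the random source can fail here
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig)
}

// verifyES256 needs only the public key, so a verifier cannot forge.
func verifyES256(token string, pub *ecdsa.PublicKey) bool {
	parts := strings.Split(token, ".")
	sig, err := b64.DecodeString(parts[len(parts)-1])
	if len(parts) != 3 || err != nil || len(sig) != 64 {
		return false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}

// verifyDual accepts a nested JWS: outer ES256 under AM's non-shared key, inner HS256 under the shared secret.
func verifyDual(token string, shared []byte, amPub *ecdsa.PublicKey) bool {
	if !verifyES256(token, amPub) {
		return false
	}
	inner, err := b64.DecodeString(strings.Split(token, ".")[1])
	return err == nil && verifyHS256(string(inner), shared)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo plays out the threat with a shared secret, keys and claims constructed in-process. It reports whether
// an HMAC-only check accepts the forgery, and whether the dual check accepts AM's token and rejects the forgery.
func Demo() (hmacOnlyAcceptsForgery, dualAcceptsGenuine, dualRejectsForgery bool) {
	shared := make([]byte, 32)
	must(rand.Read(shared))
	amKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	attackerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	// AM MACs the claims with the shared secret, then wraps that JWS in one signed with the key only it holds.
	genuine := signES256([]byte(signHS256([]byte(`{"consent":"approved","client_id":"app"}`), shared)), amKey)
	// A compromised consent client knows the shared secret and mints its own claims, but can only sign the outer layer with a key AM never trusted.
	forgedInner := signHS256([]byte(`{"consent":"approved","client_id":"attacker"}`), shared)
	forged := signES256([]byte(forgedInner), attackerKey)
	return verifyHS256(forgedInner, shared),
		verifyDual(genuine, shared, &amKey.PublicKey),
		!verifyDual(forged, shared, &amKey.PublicKey)
}

func main() {
	fmt.Println(Demo())
}
```

The first result is the problem the page describes: the forged token passes the HMAC-only check because the attacker holds the same secret the verifier does. The second and third show the fix: requiring a signature under a key the client never receives lets AM's own token through and stops the forgery, whichever claims it carries.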
Decrypt remote consent responses
This table shows the secret ID mapping used to decrypt remote consent responses:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | RSA-OAEP-256 |
If you select an algorithm other than RSA-OAEP-256 for decrypting consent responses, the value of the Remote Consent Service secret property is used, instead of an entry from the secret stores.
OAuth 2.0 example remote consent service
This table shows the secret ID mappings used for the example Remote Consent Service:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | RS256 |
| | RSA-OAEP-256 |
Decrypt OpenID Connect request parameters
This table shows the secret ID mappings used to decrypt OpenID Connect request parameters:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | RSA with PKCS#1 v1.5 padding |
| | RSA with OAEP with SHA-1 and MGF-1 |
| | RSA with OAEP with SHA-256 and MGF-1 |
Of these, prefer an OAEP variant where the client supports it: RFC 8017 (section 7.2) retains RSAES-PKCS1-v1_5 only for compatibility with existing applications and does not recommend it for new ones.
For confidential clients, if you select an AES algorithm ( The following signing and encryption algorithms use the Client Secret field to store the secret:
Store only one secret in the Client Secret field; AM will use different mechanisms to sign and encrypt depending on the algorithm. For more information, see the OpenID Connect Core 1.0 specification.
CA Certificates in mTLS client authentication
This table shows the secret ID mapping used to store the CA certificates AM should trust during mTLS client authentication:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | |
OAuth 2.0 and OpenID Connect as client/relying party of the social identity provider service
Decrypt ID tokens
This table shows the secret ID mapping to support decryption of ID tokens and userinfo endpoint data in JWT format when AM is configured as a relying party of the Social Identity Provider Service:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | |
The public key is exposed in the /oauth2/connect/rp/jwk_uri.
For more information about the algorithms supported, and how to configure this secret ID mapping, refer to Social authentication.
Sign JWTs and objects
This table shows the secret ID mapping that AM uses to sign JWTs and objects, when configured as a relying party of the Social Identity Provider Service:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | |
The public key is exposed in the /oauth2/connect/rp/jwk_uri.
For more information about the algorithms supported, and how to configure this secret ID mapping, refer to Social authentication.
CA Certificates in mTLS Client Authentication with AM as relying party
This table shows the secret ID mapping used to store CA or self-signed certificates AM uses for mTLS client authentication when configured as a relying party of the Social Identity Provider Service:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | |
The public key is exposed in the /oauth2/connect/rp/jwk_uri.
For more information about the algorithms supported, and how to configure this secret ID mapping, refer to Social authentication.
Web agents and Java agents
Sign agent JWTs
This table shows the secret ID mapping used to sign the JWTs provided to Web and Java agents:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | RS256 |
Authentication
Encrypt authentication trees' secure state data
This table shows the secret ID mapping used to encrypt sensitive data stored in the secure state of an authentication tree:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | AES 256-bit |
SAML v2.0
Encrypt SAML v2.0 session storage JWTs
This table shows the secret ID mapping used to encrypt the JWTs SAML v2.0 creates in session storage:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | A256GCM |
Sign SAML v2.0 metadata
This table shows the secret ID mapping used to sign SAML v2.0 metadata:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | RSA SHA-256 |
SAML v2.0 signing and encryption
This table shows the secret ID mappings used to sign and encrypt SAML v2.0 elements:
Secret ID | Default Alias | Algorithms |
---|---|---|
| | RSA with PKCS#1 v1.5 padding |
| | RSA SHA-1 (1) |
| | RSA with PKCS#1 v1.5 padding |
| | RSA SHA-1 (1) |
(1) This algorithm is for compatibility purposes only, and its use should be avoided.
You can specify a custom secret ID identifier for each hosted SAML v2.0 entity provider in a realm, which creates new secret IDs. These secret IDs can be unique to the provider, or shared by multiple providers. For example, you could add a custom secret ID identifier named mySamlSecrets to a hosted identity provider. AM dynamically creates the following secret IDs, which the hosted identity provider uses for signing and encryption:
AM will attempt to look up the secrets with the custom secret ID identifier. If unsuccessful, AM will look up the secrets using the default secret IDs.