Identity Cloud

Secret labels

Identity Cloud uses these labels to match the secrets for access management signing and encryption with the aliases of the secrets in the secret store.

For instructions on using these secret labels, refer to Use ESVs for signing and encryption keys.

The term secret IDs is being phased out in favor of secret labels, but you might come across instances of secret ID in the documentation and in the UI until the terminology change is complete.

OAuth 2.0 and OpenID Connect provider secrets

Encrypt client-side OAuth 2.0 tokens

This table shows the label for the secret to encrypt client-side access tokens:

Secret label                                   Algorithms
am.services.oauth2.stateless.token.encryption  A128CBC-HS256

Sign client-side OAuth 2.0 tokens

This table shows the labels for the secrets to sign client-side access tokens:

Secret label                                Algorithms
am.services.oauth2.stateless.signing.ES256  ES256
am.services.oauth2.stateless.signing.ES384  ES384
am.services.oauth2.stateless.signing.ES512  ES512
am.services.oauth2.stateless.signing.HMAC   HS256, HS384, HS512
am.services.oauth2.stateless.signing.RSA    PS256, PS384, PS512, RS256, RS384, RS512

Decrypt OIDC request parameters

This table shows the labels for secrets to decrypt OIDC request parameters:

Secret label                                     Algorithms
am.services.oauth2.oidc.decryption.RSA1.5        RSA with PKCS#1 v1.5 padding
am.services.oauth2.oidc.decryption.RSA.OAEP      RSA with OAEP with SHA-1 and MGF-1
am.services.oauth2.oidc.decryption.RSA.OAEP.256  RSA with OAEP with SHA-256 and MGF-1

For confidential clients, if you select an AES algorithm (A128KW, A192KW, or A256KW) or the direct encryption algorithm (dir), Identity Cloud uses the Client Secret from the profile, not an entry from the secret store.

The following use the Client Secret:

  • Signing ID tokens with an HMAC algorithm

  • Encrypting ID tokens with AES or direct encryption

  • Encrypting parameters with AES or direct encryption

Store only one secret in the Client Secret field.

For details about encryption options, refer to the OIDC specification.

Sign OIDC tokens

This table shows the labels for secrets to sign OIDC tokens and backchannel logout tokens:

Secret label                           Algorithms(1)
am.services.oauth2.oidc.signing.ES256  ES256
am.services.oauth2.oidc.signing.ES384  ES384
am.services.oauth2.oidc.signing.ES512  ES512
am.services.oauth2.oidc.signing.RSA    PS256, PS384, PS512, RS256, RS384, RS512
am.services.oauth2.oidc.signing.EDDSA  EdDSA with SHA-512

For confidential clients, if you select an HMAC algorithm for signing ID tokens (HS256, HS384, or HS512), Identity Cloud uses the Client Secret from the profile instead of an entry from the secret store.

CA certificates for mTLS client authentication

This table shows the label of the trusted CA certificate for mTLS client authentication:

Secret label                                       Algorithms
am.services.oauth2.tls.client.cert.authentication

Social identity client secrets

Decrypt ID tokens

This table shows the label for the secret to decrypt ID tokens and userinfo endpoint JWTs when Identity Cloud acts as a relying party (RP) of the social identity provider service:

Secret label                                   Algorithms
am.services.oauth2.oidc.rp.idtoken.encryption  Consult the .well-known endpoint of the identity provider.

The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.

For details, refer to Social authentication.

Sign JWTs and objects

This table shows the label for the secret to sign JWTs and objects when Identity Cloud acts as a relying party (RP) of the social identity provider service:

Secret label                                         Algorithms
am.services.oauth2.oidc.rp.jwt.authenticity.signing  Consult the .well-known endpoint of the identity provider.

The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.

For details, refer to Social authentication.

Certificates for mTLS client authentication

This table shows the label of the trusted CA or self-signed certificate for mTLS client authentication when Identity Cloud acts as a relying party (RP) of the social identity provider service:

Secret label                                       Algorithms
am.services.oauth2.tls.client.cert.authentication  Consult the .well-known endpoint of the identity provider.

The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.

For details, refer to Social authentication.

Web and Java agent secrets

Sign agent JWTs

This table shows the label for the secret to sign the JWTs issued to Web and Java agents:

Secret label                                          Algorithms
am.global.services.oauth2.oidc.agent.idtoken.signing  RS256, RS384, RS512

Authentication secrets

Secure journey state data

This table shows the label for the secret to encrypt sensitive data in the secure state of an authentication journey:

Secret label                              Algorithms
am.authn.trees.transientstate.encryption  AES 256-bit

SAML 2.0 secrets

Sign SAML 2.0 metadata

This table shows the label for the secret to sign SAML 2.0 metadata:

Secret label                            Algorithms
am.services.saml2.metadata.signing.RSA  RSA SHA-256

SAML 2.0 signing and encryption

This table shows the labels for the secrets to sign and encrypt SAML 2.0 elements:

Secret label                                                              Algorithms
am.default.applications.federation.entity.providers.saml2.idp.encryption  RSA with PKCS#1 v1.5 padding, RSA with OAEP
am.default.applications.federation.entity.providers.saml2.idp.signing     RSA SHA-1(1), ECDSA SHA-256, ECDSA SHA-384, ECDSA SHA-512, RSA SHA-256, RSA SHA-384, RSA SHA-512, DSA SHA-256
am.default.applications.federation.entity.providers.saml2.sp.encryption   RSA with PKCS#1 v1.5 padding, RSA with OAEP
am.default.applications.federation.entity.providers.saml2.sp.signing      RSA SHA-1(1), ECDSA SHA-256, ECDSA SHA-384, ECDSA SHA-512, RSA SHA-256, RSA SHA-384, RSA SHA-512, DSA SHA-256

(1) This algorithm is for compatibility purposes only; do not use it.

You can specify a custom secret label identifier for each hosted SAML 2.0 entity provider in a realm; Identity Cloud derives new secret labels from that identifier. These secret labels can be unique to a provider, or shared by multiple providers.

For example, if you add a custom secret label identifier named mySamlSecrets to a hosted identity provider, Identity Cloud dynamically creates the following secret labels for the provider's signing and encryption secrets:

  • am.applications.federation.entity.providers.saml2.mySamlSecrets.signing

  • am.applications.federation.entity.providers.saml2.mySamlSecrets.encryption

Identity Cloud first looks up the secrets using the labels derived from the custom identifier. If that lookup fails, it falls back to the default secret labels listed in the table above.
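The lookup order just described, written out as an added Python illustration (this is not code from the page or from ForgeRock): the label derivation follows the pattern shown above, while the store mapping, its alias values, and the role/purpose parameters are this example's own constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Default realm-wide labels, taken from the SAML 2.0 signing and encryption table above.
DEFAULT_SAML_LABELS: Dict[Tuple[str, str], str] = {
    ("idp", "signing"): "am.default.applications.federation.entity.providers.saml2.idp.signing",
    ("idp", "encryption"): "am.default.applications.federation.entity.providers.saml2.idp.encryption",
    ("sp", "signing"): "am.default.applications.federation.entity.providers.saml2.sp.signing",
    ("sp", "encryption"): "am.default.applications.federation.entity.providers.saml2.sp.encryption",
}

def custom_saml_label(identifier: str, purpose: str) -> str:
    """Label derived from a provider's custom secret label identifier.

    The derived label carries no idp/sp role, so providers that share an
    identifier resolve to the same secret, whatever their role.
    """
    if purpose not in ("signing", "encryption"):
        raise ValueError(f"unknown purpose: {purpose}")
    if not identifier:
        raise ValueError("custom secret label identifier must not be empty")
    return f"am.applications.federation.entity.providers.saml2.{identifier}.{purpose}"

def lookup_order(role: str, purpose: str, identifier: Optional[str] = None) -> List[str]:
    """Labels in the order Identity Cloud tries them: custom label first, then the default."""
    order = [custom_saml_label(identifier, purpose)] if identifier else []
    order.append(DEFAULT_SAML_LABELS[(role, purpose)])
    return order

def resolve_saml_secret(store: Dict[str, str], role: str, purpose: str,
                        identifier: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Return (label, alias) for the first mapped label, or None when neither the
    custom nor the default label is mapped, which is a misconfiguration to flag."""
    for label in lookup_order(role, purpose, identifier):
        if label in store:
            return label, store[label]
    return None

# Constructed sample mapping of secret label -> alias in the secret store (hypothetical values).
SAMPLE_STORE = {
    "am.default.applications.federation.entity.providers.saml2.idp.signing": "default-idp-signing",
    "am.default.applications.federation.entity.providers.saml2.idp.encryption": "default-idp-encryption",
    "am.applications.federation.entity.providers.saml2.mySamlSecrets.signing": "mysaml-signing",
}

if __name__ == "__main__":
    # Custom label wins for signing; encryption falls back to the default; an SP with
    # no custom identifier and no default mapping resolves to None.
    print(resolve_saml_secret(SAMPLE_STORE, "idp", "signing", "mySamlSecrets"))
    print(resolve_saml_secret(SAMPLE_STORE, "idp", "encryption", "mySamlSecrets"))
    print(resolve_saml_secret(SAMPLE_STORE, "sp", "signing"))
```

Because the custom label omits the idp/sp role, a hosted SP that reuses the same identifier resolves to the identical signing secret, which is exactly the sharing behaviour the text describes.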

Attestation secrets

Google hardware attestation root certificate

This table shows the label for the Google hardware attestation root certificate, which is used to increase confidence that the keys used by bound Android devices are valid, have not been revoked, and use hardware-backed security storage.

Refer to Verifying hardware-backed key pairs with Key Attestation in the Android developer documentation.

Secret label                               Algorithms
am.services.attestation.google.public.key  RSA / X.509

Policy Configuration service secrets

Certificates for the Policy Configuration service

This table shows the labels for secrets to encrypt the certificate used to authenticate Policy Configuration service connections:

Secret label                           Algorithms(1)
am.services.oauth2.oidc.signing.ES256  ES256
am.services.oauth2.oidc.signing.ES384  ES384
am.services.oauth2.oidc.signing.ES512  ES512
am.services.oauth2.oidc.signing.RSA    PS256, PS384, PS512, RS256, RS384, RS512
am.services.oauth2.oidc.signing.EDDSA  EdDSA with SHA-512

For confidential clients, if you select an HMAC algorithm for signing ID tokens (HS256, HS384, or HS512), Identity Cloud uses the Client Secret from the profile instead of an entry from the secret store.

Push Notification service secrets

Sign the Push Notification service access key

This table shows the label for the secret used to sign the Amazon Simple Notification Service (SNS) access key used by the Push Notification service:

The secret label mapping overrides the SNS Access Key Secret set in the service configuration.

Secret label                                       Algorithms
am.services.pushnotification.sns.accesskey.secret

Copyright © 2010-2024 ForgeRock, all rights reserved.