Secret labels
PingOne Advanced Identity Cloud uses these labels to match secrets for access management signing and encryption with the aliases of the secrets in the secret store. Expand the categories for additional information.
For instructions on using these secret labels, refer to Use ESVs for signing and encryption keys.
|
The term secret IDs is being phased out in favor of secret labels but you might come across instances of secret ID in the documentation and in the UI until the terminology change is complete. |
OAuth 2.0 and OpenID Connect provider secrets
Encrypt client-side OAuth 2.0 tokens
This table shows the label for the secret to encrypt client-side access tokens:
| Secret label | Algorithms |
|---|---|
|
A128CBC-HS256 |
Sign client-side OAuth 2.0 tokens
This table shows the labels for the secrets to sign client-side access tokens:
| Secret label | Algorithms |
|---|---|
|
ES256 |
|
ES384 |
|
ES512 |
|
HS256 |
|
PS256 |
Authenticate OAuth 2.0 clients
The secret label mappings used to authenticate OAuth 2.0 clients:
| Secret label | Default alias | Algorithms |
|---|---|---|
|
||
|
||
|
||
|
(1) Map the am.applications.oauth2.client.identifier.secret dynamic secret label to override the OAuth 2.0
client’s Client secret property, where identifier is the value of the Secret Label
Identifier set in the client configuration.
(2) Map the am.applications.oauth2.client.identifier.jwt.public.key dynamic secret label to override the
OAuth 2.0 client’s Client JWT Bearer Public Key, where identifier is the value of the
Secret Label Identifier set in the client configuration.
(3) Map the am.applications.oauth2.client.identifier.mtls.trusted.cert dynamic secret label to override the
OAuth 2.0 client’s mTLS Self-Signed Certificate, where identifier is the value of the
Secret Label Identifier set in the client configuration.
(4) Map the am.applications.oauth2.client.identifier.id.token.enc.public.key dynamic secret label to
override the OAuth 2.0 client’s Client ID Token Public Encryption Key, where identifier is the value of the
Secret Label Identifier set in the client configuration.
Sign remote consent requests
This table shows the labels for the secrets to sign remote consent requests:
| Secret label | Algorithms |
|---|---|
|
ES256 |
|
ES384 |
|
ES512 |
|
RS256 |
If you select an HMAC algorithm for signing consent requests (HS256, HS384, or HS512),
PingOne Advanced Identity Cloud uses the Remote Consent Service secret, not an entry from the secret store.
Decrypt remote consent responses
This table shows the label for the secret to decrypt remote consent responses:
| Secret label | Algorithms |
|---|---|
|
RSA-OAEP-256 |
If you select an algorithm other than RSA-OAEP-256 for decrypting consent responses, PingOne Advanced Identity Cloud uses the Remote Consent Service secret, not an entry from the secret store.
OAuth 2.0 example remote consent service
This table shows the labels for the secrets for the example remote consent service:
| Secret label | Algorithms |
|---|---|
|
RS256 |
|
RSA-OAEP-256 |
Secret label mappings for salting hashes
The secret label for salting hashes in OAuth 2.0 and OIDC flows.
| Secret label | Default alias | Algorithms |
|---|---|---|
|
Use this secret label to override Subject Identifier Hash Salt in the provider configuration.
This secret can’t be rotated.
Decrypt OIDC request parameters
This table shows the labels for secrets to decrypt OIDC request parameters:
| Secret label | Algorithms |
|---|---|
|
RSA with PKCS#1 v1.5 padding |
|
RSA with OAEP with SHA-1 and MGF-1 |
|
RSA with OAEP with SHA-256 and MGF-1 |
For confidential clients,
if you select an AES algorithm (A128KW, A192KW, or A256KW) or the direct encryption algorithm (dir),
PingOne Advanced Identity Cloud uses the Client Secret from the profile, not an entry from the secret store.
The following use the Client Secret:
-
Signing ID tokens with an HMAC algorithm
-
Encrypting ID tokens with AES or direct encryption
-
Encrypting parameters with AES or direct encryption
Store only one secret in the Client Secret field.
For details about encryption options, refer to the OIDC specification.
Sign OIDC tokens
This table shows the labels for secrets to sign OIDC tokens and backchannel logout tokens:
| Secret label | Algorithms(1) |
|---|---|
|
ES256 |
|
ES384 |
|
ES512 |
|
PS256 |
|
EdDSA with SHA-512 |
For confidential clients, if you select an HMAC algorithm for signing ID tokens
(HS256, HS384, or HS512), PingOne Advanced Identity Cloud uses the Client Secret from the
profile instead of an entry from the secret store.
CA certificates for mTLS client authentication
This table shows the label of the trusted CA certificate for mTLS client authentication:
| Secret label | Algorithms |
|---|---|
|
Social identity client secrets
Decrypt ID tokens
This table shows the label for the secret to decrypt ID tokens and userinfo endpoint JWTs
when PingOne Advanced Identity Cloud acts as a relying party (RP) of the social identity provider service:
| Secret label | Algorithms |
|---|---|
|
Consult the |
The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.
For details, refer to Social authentication.
Sign JWTs and objects
This table shows the label for the secret to sign JWTs and objects when PingOne Advanced Identity Cloud acts as a relying party (RP) of the social identity provider service:
| Secret label | Algorithms |
|---|---|
|
Consult the |
The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.
For details, refer to Social authentication.
Certificates for mTLS client authentication
This table shows the label of the trusted CA or self-signed certificate for mTLS client authentication when PingOne Advanced Identity Cloud acts as a relying party (RP) of the social identity provider service:
| Secret label | Algorithms |
|---|---|
|
Consult the |
The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.
For details, refer to Social authentication.
Web and Java agent secrets
Sign agent JWTs
This table shows the label for the secret to sign the JWTs issued to Web and Java agents:
| Secret label | Algorithms |
|---|---|
|
RS256 |
Authentication secrets
Secure journey state data
This table shows the label for the secret to encrypt sensitive data in the secure state of an authentication journey:
| Secret label | Algorithms |
|---|---|
|
AES 256-bit |
SAML 2.0 secrets
Sign SAML 2.0 metadata
This table shows the label for the secret to sign SAML 2.0 metadata:
| Secret label | Algorithms |
|---|---|
|
RSA SHA-256 |
SAML v2.0 signing and encryption
The following table shows the secret label mappings used to sign and encrypt SAML v2.0 elements, and to enable mTLS authentication between entity providers:
| Secret label | Default alias | Algorithms |
|---|---|---|
|
|
RSA with PKCS#1 v1.5 padding |
|
|
RSA SHA-1(1) |
|
|
RSA with PKCS#1 v1.5 padding |
|
|
RSA SHA-1(1) |
|
||
|
(1) This algorithm is for compatibility purposes only. Avoid its use.
(2) For artifact resolution requests only, the SP uses the certificates mapped to this secret label for mTLS
authentication to the remote IDP. These certificates are exported with <KeyDescriptor use="signing"> in the SP metadata.
(3) The SP uses the certificate mapped to this secret label for basic authentication. If you set a Secret Label
Identifier, and PingOne Advanced Identity Cloud finds a mapping to am.applications.federation.entity.providers.saml2.identifier
.basicauth, PingOne Advanced Identity Cloud uses this secret and ignores the value of the Password field. For basic authentication,
there is no default secret label for the realm, or globally.
You can specify a custom Secret Label Identifier for each SAML v2.0 entity provider in a realm. PingOne Advanced Identity Cloud generates new secret labels that can be unique to the provider, or shared by multiple providers.
For example, you could add a custom secret label identifier named mySamlSecrets to a hosted identity provider. PingOne Advanced Identity Cloud then dynamically creates the following secret labels, which the hosted identity provider uses for signing and encryption:
-
am.applications.federation.entity.providers.saml2.mySamlSecrets.signing -
am.applications.federation.entity.providers.saml2.mySamlSecrets.encryption
PingOne Advanced Identity Cloud attempts to look up the secrets with the custom secret label identifier. If unsuccessful, PingOne Advanced Identity Cloud looks up the secrets using the default secret labels.
Attestation secrets
Google hardware attestation root certificate
This table shows the label for the Google hardware attestation root certificate, which is used to increase confidence that the keys used by bound Android devices are valid, have not been revoked, and use hardware-backed security storage.
Refer to Verifying hardware-backed key pairs with Key Attestation in the Android developer documentation.
| Secret label | Algorithms |
|---|---|
|
RSA / X.509 |
Policy Configuration service secrets
Certificates for the Policy Configuration service
This table shows the labels for secrets to encrypt the certificate used to authenticate Policy Configuration service connections:
| Secret label | Algorithms(1) |
|---|---|
|
|
|
ES384 |
|
ES512 |
|
PS256 |
|
EdDSA with SHA-512 |
For confidential clients, if you select an HMAC algorithm for signing ID tokens
(HS256, HS384, or HS512), PingOne Advanced Identity Cloud uses the Client Secret from the
profile instead of an entry from the secret store.
Push Notification service secrets
Sign the Push Notification service access key
This table shows the label for secrets to sign the Amazon Simple Notification Service access key used by the Push Notification service.
The secret label mapping overrides the SNS Access Key Secret set in the service configuration.
| Secret label | Algorithms |
|---|---|
|