Identity Cloud

Secret IDs

Identity Cloud uses these IDs to match the secrets used for access management signing and encryption with the aliases of the secrets in the secret store.

For instructions on using these secret IDs, refer to Use ESVs for signing and encryption keys.

General secrets

PEM decryption password

This table shows the ID for the symmetric encryption key to decrypt certificates, keys, and passwords in Privacy Enhanced Mail (PEM) format.

Secret ID: am.global.services.secrets.pem.decryption
Algorithms: (none listed)

Encrypt client-side sessions

This table shows the ID for the secret to encrypt client-side sessions:

Secret ID: am.global.services.session.clientbased.encryption
Algorithms: RS256

Sign client-side sessions

This table shows the ID for the secret to sign client-side sessions:

Secret ID: am.global.services.session.clientbased.signing
Algorithms: RS256, ES256, ES384, ES512

OAuth 2.0 and OpenID Connect provider secrets

JWT authenticity signing

This table shows the ID for the secret to sign OAuth 2.0 and OpenID Connect (OIDC) JSON Web Tokens (JWTs):

Secret ID: am.services.oauth2.jwt.authenticity.signing
Algorithms: HS256, HS384, HS512

This key signs the following tokens and requests:

  • OIDC tokens for Web and Java Agents.

  • OIDC tokens signed with an HMAC algorithm.

  • Macaroon access and refresh tokens.

  • Consent requests to remote consent agents signed with an HMAC algorithm.

Encrypt client-side OAuth 2.0 tokens

This table shows the ID for the secret to encrypt client-side access tokens:

Secret ID: am.services.oauth2.stateless.token.encryption
Algorithms: A128CBC-HS256

Sign client-side OAuth 2.0 tokens

This table shows the IDs for the secrets to sign client-side access tokens:

Secret ID: am.services.oauth2.stateless.signing.ES256
Algorithms: ES256

Secret ID: am.services.oauth2.stateless.signing.ES384
Algorithms: ES384

Secret ID: am.services.oauth2.stateless.signing.ES512
Algorithms: ES512

Secret ID: am.services.oauth2.stateless.signing.HMAC
Algorithms: HS256, HS384, HS512

Secret ID: am.services.oauth2.stateless.signing.RSA
Algorithms: PS256, PS384, PS512, RS256, RS384, RS512

Decrypt OIDC request parameters

This table shows the IDs for secrets to decrypt OIDC request parameters:

Secret ID: am.services.oauth2.oidc.decryption.RSA1.5
Algorithms: RSA with PKCS#1 v1.5 padding

Secret ID: am.services.oauth2.oidc.decryption.RSA.OAEP
Algorithms: RSA with OAEP with SHA-1 and MGF-1

Secret ID: am.services.oauth2.oidc.decryption.RSA.OAEP.256
Algorithms: RSA with OAEP with SHA-256 and MGF-1

For confidential clients, if you select an AES key-wrapping algorithm (A128KW, A192KW, or A256KW) or the direct encryption algorithm (dir), Identity Cloud uses the Client Secret from the client profile, not an entry from the secret store.

The following use the Client Secret:

  • Signing ID tokens with an HMAC algorithm

  • Encrypting ID tokens with AES or direct encryption

  • Encrypting parameters with AES or direct encryption

Store only one secret in the Client Secret field.

For details about encryption options, refer to the OIDC specification.

CA certificates for mTLS client authentication

This table shows the ID of the trusted CA certificate for mTLS client authentication:

Secret ID: am.services.oauth2.tls.client.cert.authentication
Algorithms: (none listed)

Social identity client secrets

Decrypt ID tokens

This table shows the ID for the secret to decrypt ID tokens and userinfo endpoint JWTs when Identity Cloud acts as a relying party (RP) of the social identity provider service:

Secret ID: am.services.oauth2.oidc.rp.idtoken.encryption
Algorithms: (none listed)

The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.

For details, refer to Social authentication.

Sign JWTs and objects

This table shows the ID for the secret to sign JWTs and objects when Identity Cloud acts as a relying party (RP) of the social identity provider service:

Secret ID: am.services.oauth2.oidc.rp.jwt.authenticity.signing
Algorithms: (none listed)

The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.

For details, refer to Social authentication.

Certificates for mTLS client authentication

This table shows the ID of the trusted CA or self-signed certificate for mTLS client authentication when Identity Cloud acts as a relying party (RP) of the social identity provider service:

Secret ID: am.services.oauth2.tls.client.cert.authentication
Algorithms: (none listed)

The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.

For details, refer to Social authentication.

Web and Java agent secrets

Sign agent JWTs

This table shows the ID for the secret to sign the JWTs issued to Web and Java agents:

Secret ID: am.global.services.oauth2.oidc.agent.idtoken.signing
Algorithms: RS256, RS384, RS512

Authentication secrets

Secure journey state data

This table shows the ID for the secret to encrypt sensitive data in the secure state of an authentication journey:

Secret ID: am.authn.trees.transientstate.encryption
Algorithms: AES 256-bit

SAML 2.0 secrets

Encrypt SAML 2.0 session storage JWTs

This table shows the ID for the secret to encrypt the JWTs SAML 2.0 creates in session storage:

Secret ID: am.global.services.saml2.client.storage.jwt.encryption
Algorithms: A256GCM

Sign SAML 2.0 metadata

This table shows the ID for the secret to sign SAML 2.0 metadata:

Secret ID: am.services.saml2.metadata.signing.RSA
Algorithms: RSA SHA-256

SAML 2.0 signing and encryption

This table shows the IDs for the secrets to sign and encrypt SAML 2.0 elements:

Secret ID: am.default.applications.federation.entity.providers.saml2.idp.encryption
Algorithms: RSA with PKCS#1 v1.5 padding, RSA with OAEP

Secret ID: am.default.applications.federation.entity.providers.saml2.idp.signing
Algorithms: RSA SHA-1 (1), ECDSA SHA-256, ECDSA SHA-384, ECDSA SHA-512, RSA SHA-256, RSA SHA-384, RSA SHA-512, DSA SHA-256

Secret ID: am.default.applications.federation.entity.providers.saml2.sp.encryption
Algorithms: RSA with PKCS#1 v1.5 padding, RSA with OAEP

Secret ID: am.default.applications.federation.entity.providers.saml2.sp.signing
Algorithms: RSA SHA-1 (1), ECDSA SHA-256, ECDSA SHA-384, ECDSA SHA-512, RSA SHA-256, RSA SHA-384, RSA SHA-512, DSA SHA-256

(1) This algorithm is for compatibility purposes only; do not use it.

You can specify a custom secret ID identifier for each hosted SAML 2.0 entity provider in a realm; Identity Cloud then creates new secret IDs from that identifier. An identifier can be unique to one provider or shared by multiple providers.

For example, you can add a custom secret ID identifier named mySamlSecrets to a hosted identity provider. Identity Cloud dynamically creates the following IDs for the provider’s signing and encryption secrets:

  • am.applications.federation.entity.providers.saml2.mySamlSecrets.signing

  • am.applications.federation.entity.providers.saml2.mySamlSecrets.encryption

Identity Cloud first looks up the secrets with the IDs derived from the custom secret ID identifier. If that lookup fails, Identity Cloud falls back to the default secret IDs listed above.
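The lookup order described above (custom-identifier IDs first, default IDs second) is easy to get wrong operationally: a provider can be given a custom identifier while the matching aliases are never added to the secret store, and signing or encryption silently falls back to the default keys. The following script, an added illustration that is not ForgeRock code, models that resolution and audits a provider for exactly that fallback. The secret store is assumed to be a plain mapping of alias to key material; the function names (custom_secret_id, resolve_saml2_secret, audit_provider) and the sample store are constructed for the example.

```python
"""Resolve the secret IDs a hosted SAML 2.0 entity provider would use,
following the page's lookup order: IDs derived from the custom secret ID
identifier first, then the default secret IDs.

Added illustration, not ForgeRock code. The secret store is modelled as a
dict of alias -> key material (an assumption for this example).
"""

from dataclasses import dataclass
from typing import Mapping, Optional

# Default secret IDs from the page, keyed by provider role and purpose.
DEFAULT_SAML2_SECRET_IDS = {
    "idp": {
        "signing": "am.default.applications.federation.entity.providers.saml2.idp.signing",
        "encryption": "am.default.applications.federation.entity.providers.saml2.idp.encryption",
    },
    "sp": {
        "signing": "am.default.applications.federation.entity.providers.saml2.sp.signing",
        "encryption": "am.default.applications.federation.entity.providers.saml2.sp.encryption",
    },
}

# Prefix of the IDs Identity Cloud derives from a custom identifier.
CUSTOM_PREFIX = "am.applications.federation.entity.providers.saml2"


def custom_secret_id(identifier: str, purpose: str) -> str:
    """Build the derived ID, e.g. ("mySamlSecrets", "signing") ->
    am.applications.federation.entity.providers.saml2.mySamlSecrets.signing"""
    if purpose not in ("signing", "encryption"):
        raise ValueError(f"unknown purpose: {purpose}")
    # A dot inside the identifier would change the ID path, so refuse it
    # rather than guess how the product would treat it (assumption).
    if not identifier or "." in identifier:
        raise ValueError(f"invalid custom secret ID identifier: {identifier!r}")
    return f"{CUSTOM_PREFIX}.{identifier}.{purpose}"


@dataclass(frozen=True)
class Resolution:
    secret_id: str   # the ID whose alias was found in the store
    source: str      # "custom" or "default"
    material: bytes


def resolve_saml2_secret(store: Mapping[str, bytes], role: str, purpose: str,
                         identifier: Optional[str] = None) -> Optional[Resolution]:
    """Try the custom-derived ID (if an identifier is set), then the default ID.
    Returns None when neither alias exists in the store."""
    candidates = []
    if identifier:
        candidates.append(("custom", custom_secret_id(identifier, purpose)))
    candidates.append(("default", DEFAULT_SAML2_SECRET_IDS[role][purpose]))
    for source, secret_id in candidates:
        if secret_id in store:
            return Resolution(secret_id, source, store[secret_id])
    return None


def audit_provider(store: Mapping[str, bytes], role: str,
                   identifier: Optional[str]) -> dict:
    """Report which secret a provider would actually use for each purpose,
    flagging a configured custom identifier that silently fell back to the
    default ID, and a purpose with no usable secret at all."""
    report = {}
    for purpose in ("signing", "encryption"):
        res = resolve_saml2_secret(store, role, purpose, identifier)
        if res is None:
            report[purpose] = "MISSING"
        elif identifier and res.source == "default":
            report[purpose] = f"FALLBACK to {res.secret_id}"
        else:
            report[purpose] = f"OK ({res.source}: {res.secret_id})"
    return report


# Constructed sample store: the custom signing alias exists, but the custom
# encryption alias was never added, so encryption falls back to the default.
SAMPLE_STORE = {
    "am.applications.federation.entity.providers.saml2.mySamlSecrets.signing": b"<custom signing key>",
    "am.default.applications.federation.entity.providers.saml2.idp.signing": b"<default signing key>",
    "am.default.applications.federation.entity.providers.saml2.idp.encryption": b"<default encryption key>",
}

if __name__ == "__main__":
    for purpose, status in audit_provider(SAMPLE_STORE, "idp", "mySamlSecrets").items():
        print(f"{purpose}: {status}")
```

Running the script against the sample store reports signing as OK (custom) and encryption as a FALLBACK to the default IdP encryption ID; in a real deployment the store contents would come from your ESV or secret-store inventory rather than the inline dict.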

Copyright © 2010-2023 ForgeRock, all rights reserved.