CapturedUserPasswordFilter
Makes an AM password available to PingGateway in the following steps:
-
Checks for the presence of the SessionInfoContext context, at
${contexts.amSession}
.-
If the context isn’t present, or if
sunIdentityUserPassword
isnull
, the CapturedUserPasswordFilter collects session info and properties from AM. -
If the context is present and
sunIdentityUserPassword
is notnull
, the CapturedUserPasswordFilter uses that value for the password.
-
-
The CapturedUserPasswordFilter decrypts the password and stores it in the CapturedUserPasswordContext, at
${contexts.capturedPassword}
.
In PingOne Advanced Identity Cloud and from AM 7.5, the password capture and replay feature
can optionally manage the replay password through AM’s secret service.
The secret label for the replay password must be
For backward compatibility, if a secret isn’t defined, is empty, or can’t be
resolved, AM manages the replay password through the AM system
property |
Usage
{
"name": string,
"type": "CapturedUserPasswordFilter",
"config": {
"amService": AmService reference,
"keySecretId": configuration expression<secret-id>,
"keyType": configuration expression<string>,
"secretsProvider": SecretsProvider reference,
"ssoToken": runtime expression<string>
}
}
Properties
"amService"
: AmService reference, required-
The AmService heap object to use for the password. See also, AmService.
"keySecretId"
: configuration expression<secret-id>, required-
The secret ID for the key required decrypt the AM password.
This secret ID must point to a CryptoKey` that matches the algorithm in
"keyType"
.Although secrets of type GenericSecret
are accepted, their usage is deprecated in this filter. For more information, refer to the Deprecated section of the Release Notes. "keyType"
: configuration expression<enumeration>, required-
Algorithm to decrypt the AM password. Use one of the following values:
-
AES
AES for JWT-based AES_128_CBC_HMAC_SHA_256 encryption. For more information, refer to AES_128_CBC_HMAC_SHA_256 in the IETF JSON Web Algorithms. -
DES
for DES/ECB/NoPaddingThis value is deprecated, and considered unsecure. For more information, refer to the Deprecated section of the Release Notes.
-
"secretsProvider"
: SecretsProvider reference, required-
The SecretsProvider to query for secrets to decrypt the user password.
"ssoToken"
: runtime expression<string>, required-
Location of the AM SSO token.
Default:
${request.cookiesAmService-ssoTokenHeader'][0].value}
, whereAmService-ssoTokenHeader
is the name of the header or cookie where the AmService expects to find SSO tokens.
Examples
The following example route is used to get login credentials from AM in Authenticate with credentials from AM.
{
"name": "04-replay",
"condition": "${find(request.uri.path, '^/replay')}",
"heap": [
{
"name": "SystemAndEnvSecretStore-1",
"type": "SystemAndEnvSecretStore",
"config": {
"mappings": [
{
"secretId": "aes.key",
"format": {
"type": "SecretKeyPropertyFormat",
"config": {
"format": "BASE64",
"algorithm": "AES"
}
}
}
]
}
},
{
"name": "AmService-1",
"type": "AmService",
"config": {
"agent": {
"username": "ig_agent",
"passwordSecretId": "agent.secret.id"
},
"secretsProvider": "SystemAndEnvSecretStore-1",
"url": "http://am.example.com:8088/openam/"
}
},
{
"name": "CapturedUserPasswordFilter",
"type": "CapturedUserPasswordFilter",
"config": {
"ssoToken": "${contexts.ssoToken.value}",
"keySecretId": "aes.key",
"keyType": "AES",
"secretsProvider": "SystemAndEnvSecretStore-1",
"amService": "AmService-1"
}
}
],
"handler": {
"type": "Chain",
"config": {
"filters": [
{
"type": "SingleSignOnFilter",
"config": {
"amService": "AmService-1"
}
},
{
"type": "PasswordReplayFilter",
"config": {
"loginPage": "${true}",
"credentials": "CapturedUserPasswordFilter",
"request": {
"method": "POST",
"uri": "http://app.example.com:8081/login",
"form": {
"username": [
"${contexts.ssoToken.info.uid}"
],
"password": [
"${contexts.capturedPassword.value}"
]
}
}
}
}
],
"handler": "ReverseProxyHandler"
}
}
}