CapturedUserPasswordFilter
Makes an AM password available to IG in the following steps:
-
Checks for the presence of the SessionInfoContext context, at
${contexts.amSession}
.-
If the context is not present, or if
sunIdentityUserPassword
isnull
, the CapturedUserPasswordFilter collects session info and properties from AM. -
If the context is present and
sunIdentityUserPassword
is notnull
, the CapturedUserPasswordFilter uses that value for the password.
-
-
The CapturedUserPasswordFilter decrypts the password and stores it in the CapturedUserPasswordContext, at
${contexts.capturedPassword}
.Supported with AM 5 and later versions, and with AM 6 and later versions when the
AES
keyType is used to decrypt the password.
Usage
{
"name": string,
"type": "CapturedUserPasswordFilter",
"config": {
"amService": AmService reference,
"keySecretId": configuration expression<secret-id>,
"keyType": configuration expression<string>,
"secretsProvider": SecretsProvider reference,
"ssoToken": runtime expression<string>
}
}
Properties
"amService"
: AmService reference, required-
The AmService heap object to use for the password. See also AmService.
This filter is compatible with AM version 5.5 or higher. If
version
is not set, the default version is AM 5 and an error is thrown. "keySecretId"
: configuration expression<secret-id>, required-
The secret ID for the key required decrypt the AM password.
"keyType"
: configuration expression<enumeration>, optional-
Algorithm to decrypt the AM password. Use one of the following values:
-
DES
for DES/ECB/NoPadding -
AES
AES for JWT-based AES_128_CBC_HMAC_SHA_256 encryption, available from AM 6. For more information, see AES_128_CBC_HMAC_SHA_256 in the IETF JSON Web Algorithms.
Default:
DES
-
"secretsProvider"
: SecretsProvider reference, optional-
The SecretsProvider object to query for the JWT session signing or encryption keys. For more information, see SecretsProvider.
Default: The route’s default secret service. For more information, see Default Secrets Object.
"ssoToken"
: runtime expression<string>, required-
Location of the AM SSO token.
Default:
${request.cookiesAmService-ssoTokenHeader'][0].value}
, whereAmService-ssoTokenHeader
is the name of the header or cookie where the AmService expects to find SSO tokens.
Examples
The following example route is used to get login credentials from AM in Get Login Credentials From AM.
{
"name": "04-replay",
"condition": "${find(request.uri.path, '^/replay')}",
"heap": [
{
"name": "SystemAndEnvSecretStore-1",
"type": "SystemAndEnvSecretStore"
},
{
"name": "AmService-1",
"type": "AmService",
"config": {
"agent": {
"username": "ig_agent",
"passwordSecretId": "agent.secret.id"
},
"secretsProvider": "SystemAndEnvSecretStore-1",
"url": "http://openam.example.com:8088/openam/"
}
},
{
"name": "CapturedUserPasswordFilter",
"type": "CapturedUserPasswordFilter",
"config": {
"ssoToken": "${contexts.ssoToken.value}",
"keySecretId": "aes.key",
"keyType": "AES",
"secretsProvider": "SystemAndEnvSecretStore-1",
"amService": "AmService-1"
}
}
],
"handler": {
"type": "Chain",
"config": {
"filters": [
{
"type": "SingleSignOnFilter",
"config": {
"amService": "AmService-1"
}
},
{
"type": "PasswordReplayFilter",
"config": {
"loginPage": "${true}",
"credentials": "CapturedUserPasswordFilter",
"request": {
"method": "POST",
"uri": "http://app.example.com:8081/login",
"form": {
"username": [
"${contexts.ssoToken.info.uid}"
],
"password": [
"${contexts.capturedPassword.value}"
]
}
}
}
}
],
"handler": "ReverseProxyHandler"
}
}
}