CapturedUserPasswordFilter
Makes an AM password available to IG in the following steps:
Checks for the presence of the SessionInfoContext context, at
${contexts.amSession}.If the context is not present, or if
sunIdentityUserPasswordisnull, the CapturedUserPasswordFilter collects session info and properties from AM.If the context is present and
sunIdentityUserPasswordis notnull, the CapturedUserPasswordFilter uses that value for the password.
The CapturedUserPasswordFilter decrypts the password and stores it in the CapturedUserPasswordContext, at
${contexts.capturedPassword}.
Supported with AM 5 and later versions, and with AM 6 and later versions when the AES keyType is used to decrypt the password.
Usage
{
"name": string,
"type": "CapturedUserPasswordFilter",
"config": {
"amService": AmService reference,
"keySecretId": configuration expression<secret-id>,
"keyType": configuration expression<string>,
"secretsProvider": SecretsProvider reference,
"ssoToken": runtime expression<string>
}
}Properties
"amService": AmService reference, requiredThe AmService heap object to use for the following properties:
agent, the credentials of the IG agent in AM. When the agent is authenticated, the token can be used for tasks such as getting the user's profile, making policy evaluations, and connecting to the AM notification endpoint.url, the URL of an AM service to use for session token validation and authentication.amHandler, the handler to use when communicating with AM to validate the token in the incoming request.realm: Realm of the IG agent in AM.version: The version of the AM server.
This filter is compatible with AM version 5.5 or higher. If
versionis not set, the default version is AM 5 and an error is thrown.See also, "AmService".
"keySecretId": configuration expression<secret-id>, requiredThe secret ID for the key required decrypt the AM password.
For information about supported formats for
secret-id, see secret-id."keyType": configuration expression<enumeration>, optionalAlgorithm to decrypt the AM password. Use one of the following values:
DESfor DES/ECB/NoPaddingAESAES for JWT-based AES_128_CBC_HMAC_SHA_256 encryption, available from AM 6.For more information, see AES_128_CBC_HMAC_SHA_256 in the IETF JSON Web Algorithms.
Default:
DES"secretsProvider": SecretsProvider reference, optionalThe SecretsProvider object to query for the JWT session signing or encryption keys. For more information, see "SecretsProvider".
Default: The route's default secret service. For more information, see "Default Secrets Object".
"ssoToken": runtime expression<string>, requiredLocation of the AM SSO token.
Default:
${request.cookies['AmService-ssoTokenHeader'][0].value}, whereAmService-ssoTokenHeaderis the name of the header or cookie where the AmService expects to find SSO tokens.
Examples
The following example route is used to get login credentials from AM in Getting Login Credentials From AM.
{
"name": "04-replay",
"condition": "${matches(request.uri.path, '^/replay')}",
"heap": [
{
"name": "SystemAndEnvSecretStore-1",
"type": "SystemAndEnvSecretStore"
},
{
"name": "AmService-1",
"type": "AmService",
"config": {
"agent": {
"username": "ig_agent",
"passwordSecretId": "agent.secret.id"
},
"secretsProvider": "SystemAndEnvSecretStore-1",
"url": "http://openam.example.com:8088/openam/"
}
},
{
"name": "CapturedUserPasswordFilter",
"type": "CapturedUserPasswordFilter",
"config": {
"ssoToken": "${contexts.ssoToken.value}",
"keySecretId": "aes.key",
"keyType": "AES",
"secretsProvider": "SystemAndEnvSecretStore-1",
"amService": "AmService-1"
}
}
],
"handler": {
"type": "Chain",
"config": {
"filters": [
{
"type": "SingleSignOnFilter",
"config": {
"amService": "AmService-1"
}
},
{
"type": "PasswordReplayFilter",
"config": {
"loginPage": "${true}",
"credentials": "CapturedUserPasswordFilter",
"request": {
"method": "POST",
"uri": "http://app.example.com:8081/login",
"form": {
"username": [
"${contexts.ssoToken.info.uid}"
],
"password": [
"${contexts.capturedPassword.value}"
]
}
}
}
}
],
"handler": "ReverseProxyHandler"
}
}
}