--- title: Map and rotate secrets description: Several AM features require secrets for signing, encryption, and mTLS authentication. For each requirement, AM has a specific secret label. component: pingam version: 8.1 page_id: pingam:security:secret-mapping canonical_url: https://docs.pingidentity.com/pingam/8.1/security/secret-mapping.html keywords: ["Security", "Setup & Configuration"] page_aliases: ["security-guide:secret-mapping.adoc"] section_ids: create-mappings: Map secrets in keystore, HSM, or Google KMS/GSM secret stores rotate_secrets_in_keystore_and_hsm_secret_stores: Rotate secrets in keystore and HSM secret stores creating-mappings-FS: Map secrets in file system secret volumes rotate-secrets-FS: Rotate and retire secrets in file system secret volumes secret-label-mappings: Secret label default mappings general-default-secret-labels: General attestation-secret-IDs: Attestation certificates authentication-default-secret-IDs: Authentication device-storage-secret-labels: Encrypted device storage services httpclient-secret-labels: Http Client service iot-default-secret-IDs: IoT oauth2-default-secret-IDs: OAuth 2.0 and OpenID Connect oauth2-provider-default-secret-IDs: As provider oidc-social-registration-secret-IDs: As client/relying party of the Social Identity Provider service policy-config-service-default-secret-IDs: Policy Configuration service push-notification-service-default-secret-IDs: Push Notification service saml2-default-secret-IDs: SAML 2.0 uma-secret-labels: UMA user-self-service-secret-labels: User self-service agents-default-secret-IDs: Web agents and Java agents --- # Map and rotate secrets Several AM features require secrets for signing, encryption, and mTLS authentication. For each requirement, AM has a specific *secret label*. To provide AM with the correct secret, map one or more aliases from the secret stores you configure to each secret label. These mappings let you specify the active secrets, and rotate them when they expire or become compromised. For a list of secret labels and their default mappings, refer to [Secret label default mappings](#secret-label-mappings). | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | In previous AM releases, *secret labels* were referred to as *secret IDs*. This term is being phased out in favor of *secret label* but you might come across instances of *secret ID* in the documentation and in the UI until the terminology change is complete. | AM uses *active secrets* for signature generation, encryption, verification, and decryption. AM uses *non-active secrets* for signature verification and decryption. For example, if you map several aliases for signing OAuth 2.0 client-side tokens, new tokens are signed with the active secret, and incoming tokens are verified against both the active and the non-active secrets. | | | | - | ------------------------------------------------------------------ | | | Only one secret can be active for a specific secret label mapping. | You can rotate a non-active secret to become an active secret (while the old secret remains valid). You can also retire a secret if it's no longer considered secure. ## Map secrets in keystore, HSM, or Google KMS/GSM secret stores 1. To map secrets in a global secret store, go to Configure > Secret Stores. To map secrets in a realm-specific secret store, go to Realms > *realm name* > Secret Stores. 2. Click the store that contains the secrets you want to map. 3. On the Mappings tab, click Add Mapping. 4. From the Secret Label drop-down list, select the secret label you want to associate with an alias. For information about the different secret label mappings, refer to [Secret label default mappings](#secret-label-mappings). 5. Enter any Alias and click the add ([icon: plus, set=fa]) icon. You can add as many aliases as necessary. The first alias in the list determines the active secret. AM uses active secrets for signature generation and encryption. AM uses non-active secrets for signature verification and decryption. 6. When you have completed the mappings, click Create. ## []() ## Rotate secrets in keystore and HSM secret stores 1. To rotate secrets in a global secret store, go to Configure > Secret Stores. To rotate secrets in a realm-specific secret store, go to Realms > *realm name* > Secret Stores. 2. Click the store that contains the secrets you want to rotate. 3. On the Mappings tab, add a new secret alias, if necessary. 4. Drag and drop to change the order of aliases, and set the active secret. 5. If a secret is no longer secure, retire it by clicking the delete ([icon: times, set=fa]) icon. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | * For Google KMS and Google GSM secret stores, map only *one* secret to each secret label. Manage key rotation in the Google Cloud KMS key ring or Google Secret Manager. * Some features have a signing algorithm or encryption algorithm configuration option, and a corresponding rotatable secret for signing, encryption and verification. AM may enforce that the signature being verified was signed with the same algorithm specified in the configuration. Therefore, rotation between secrets with different algorithm types is not supported. | ## Map secrets in file system secret volumes To map secret labels to files, follow these steps: 1. In the directory configured as the secret store, for example, `/am/secrets`, create the required files to store your secrets. Use the tables in [Secret label default mappings](#secret-label-mappings) for guidance. For example, to create a mapping for the Web and Java agents' OAuth 2.0 provider, create a file called `am.global.services.oauth2.oidc.agent.idtoken.signing`. You can also create mappings for secret store-specific secrets, such as the keystore secret store password, the keystore secret store entry password, or the HSM guice key. These mappings don't require specific secret labels. For example, you can create a file called `mykeystorepassword`, and then configure it in the Store password secret label field of your keystore secret store. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Secret labels and the filenames of file system secrets have the following constraints:- They can only include alphanumeric characters and periods (`.`). - They can't start or end with a period, or have more than one period in a row. - Depending on the configuration of the secret store, you may be able to add the filename extension to a secret filename; for example, `.txt`. - Secret filenames can include a version suffix to support secret rotation; for example, `.vversion` where `version` is a positive integer. Learn more about configuring the version suffix in [Create a file system secret volume](secret-stores.html#create-file-system-secret-volumes). | 2. Store the relevant secret value in each file. The format of the secret value depends on the configuration of the secret store. For example, if the File Format is `Encrypted text`, you must encode the secret value with AM's encryption key. > **Collapse: How do I encode secrets with AM's encryption key?** > > Use the https\://am.example.com:8443/am/encode.jsp page to encode the secret, then add the encoded value to the secret file. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Secrets must not contain trailing newline characters. If you are using the `echo` command to add secrets to a file, append the `-n` option. For example:```bash $ echo -n AQICmX1ntZv3XETMgDo+0zFynC8UMGJgop+K > am.global.services.oauth2.oidc.agent.idtoken.signing ``` | ## Rotate and retire secrets in file system secret volumes File system secrets can include a version suffix that lets you maintain multiple versions of a secret. With multiple secret versions, you can rotate and retire secrets, as necessary. Define the version suffix in the [file system secret volume configuration](secret-stores.html#create-file-system-secret-volumes). For example, specifying a version suffix of `.v` lets you append `.vversion` to secret files, where `version` is any positive integer. With a version suffix of `.v` AM would recognize the following secrets as *valid secrets*: `secret.name.v1`, `secret.name.v2`, `secret.name.v3`. This lets you rotate secrets with no disruption in service. To retire a secret, make sure you have a new version of the secret, then delete that secret version from the file system. ## Secret label default mappings The following sections list the secret labels used by the AM features and their default mappings, if any. ### General > **Collapse: PEM decryption password** > > The following table shows the secret label in which you can store the password used to decrypt password-encrypted PEM files. > > Encode the password using the `https://am.example.com:8443/am/encode.jsp` page. > > | Secret label | Default alias | Algorithms | > | ------------------------------------------ | ------------- | ------------------------- | > | `am.global.services.secret.pem.decryption` | | Encode using `encode.jsp` | > **Collapse: Encrypt client-side sessions** > > The following table shows the secret label mapping to use when encrypting [client-side](../am-sessions/client-based-sessions.html) sessions: > > | Secret label | Default alias | Algorithms | > | ---------------------------------------------------------- | ------------- | ---------- | > | `am.global.services.session.clientbased.encryption.RSA` | | RS256 | > | `am.global.services.session.clientbased.encryption.AES`(1) | `aestest` | AES256 | > | `am.global.services.session.clientbased.encryption`(2) | `test` | RS256 | > > (1) This secret label replaces the legacy Encryption Symmetric AES Key configuration property (under Configure > Global Services > Sessions > Advanced). If you set both the configuration property *and* the secret label mapping, the mapping takes precedence. > > (2) This secret label is deprecated and will be removed in a future release. Use the algorithm-specific secret labels in this table instead. These secret labels make it easier to configure and rotate secrets. > **Collapse: Sign client-side sessions** > > The following table shows the secret label mapping to use when signing [client-side](../am-sessions/client-based-sessions.html) sessions: > > | Secret label | Default alias | Algorithms | > | -------------------------------------------------------- | ------------------ | ----------------------- | > | `am.global.services.session.clientbased.signing.RSA` | | RS256 | > | `am.global.services.session.clientbased.signing.ES256` | | ES256 | > | `am.global.services.session.clientbased.signing.ES384` | | ES384 | > | `am.global.services.session.clientbased.signing.ES512` | | ES512 | > | `am.global.services.session.clientbased.signing.HMAC`(1) | `hmacsigningtest` | HMAC | > | `am.global.services.session.clientbased.signing`(2) | `rsajwtsigningkey` | RS256 ES256 ES384 ES512 | > > (1) This secret label replaces the legacy Signing HMAC Shared Secret configuration property (under Configure > Global Services > Sessions > Advanced). If you set both the configuration property *and* the secret label mapping, the mapping takes precedence. > > (2) This secret label is deprecated and will be removed in a future release. Use the algorithm-specific secret labels in this table instead. These secret labels make it easier to migrate and rotate secrets. If you set this secret label *and* an algorithm-specific secret label, the algorithm-specific label takes precedence. > **Collapse: mTLS certificate for the CRL cache server** > > The secret label mapping to encrypt the certificate used to authenticate to the CRL cache server. > > Learn more about CRL caching in [Certificate revocation list caching](../setup/deployment-configuration-reference.html#security-revocation). > > | Secret label | Default alias | Algorithms | > | ------------------------------------------ | ------------- | ---------- | > | `am.servers.crl.cache.directory.mtls.cert` | | | > **Collapse: HTTP client proxy password secret** > > The secret label mapping for the HTTP client proxy password used to authenticate HTTP outbound requests. > > | Secret label | Default alias | Algorithms | > | ------------------------------------------- | ------------- | ---------- | > | `am.servers.httpclienthandler.proxy.secret` | | | > **Collapse: WebAuthn Metadata** > > AM verifies the FIDO metadata blob signature against secrets mapped to this secret label. > > | Secret label | Default alias | Algorithms | > | ---------------------------------------------------------------------- | ------------- | ---------- | > | `am.authentication.nodes.webauthn.fidometadataservice.rootcertificate` | | | ### Attestation certificates > **Collapse: Google hardware attestation root certificate** > > This table shows the ID for the Google hardware attestation root certificate. > > This certificate is used to confirm the keys used by bound Android devices are valid, have not been revoked, and use hardware-backed security storage. > > Refer to [Verifying hardware-backed key pairs with Key Attestation](https://developer.android.com/training/articles/security-key-attestation#root_certificate) in the Android developer documentation. > > | Secret label | Default alias | Algorithms | > | ------------------------------------------- | ------------- | ----------- | > | `am.services.attestation.google.public.key` | | RSA / X.509 | ### Authentication > **Collapse: Persistent cookie nodes** > > The following table shows the secret label mappings used to encrypt and sign persistent cookies for the [Set Persistent Cookie node](https://docs.pingidentity.com/auth-node-ref/8.1/set-persistent-cookie.html) and [Persistent Cookie Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/persistent-cookie-decision.html): > > | Secret label | Default alias | Algorithms | > | ----------------------------------------------------------------- | ------------- | ------------------------ | > | `am.authentication.nodes.persistentcookie.encryption` (1) | `test` | RSA (at least 2048 bits) | > | `am.authentication.nodes.persistentcookie.identifier.signing` (2) | | | > > (1) The `am.authentication.nodes.persistentcookie.encryption` label overrides the value for Persistent Cookie Encryption Certificate Alias in the [Core authentication attributes](../am-authentication/authn-core-settings.html). > > (2) Map the `am.authentication.nodes.persistentcookie.identifier.signing` dynamic secret label to override the HMAC Signing Key node property, where identifier is the value of the HMAC Signing Key Secret Label Identifier. > > | | | > | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | > | | To read the persistent cookies generated by the [Set Persistent Cookie node](https://docs.pingidentity.com/auth-node-ref/8.1/set-persistent-cookie.html), configure the [Persistent Cookie Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/persistent-cookie-decision.html) to use the same signing key secret label. | > **Collapse: Encrypt authentication tree secure state data** > > The following table shows the secret label mapping used to encrypt sensitive data stored in the secure state of an authentication tree: > > | Secret label | Default alias | Algorithms | > | ------------------------------------------ | --------------- | ----------- | > | `am.authn.trees.transientstate.encryption` | `directenctest` | AES 256-bit | > **Collapse: Sign authentication requests** > > The secret label mappings for the HMAC secret used to sign and verify the authentication token (`authID`): > > | Secret label | Default alias | Algorithms | > | ------------------------------ | ----------------- | ---------- | > | `am.authn.authid.signing.HMAC` | `hmacsigningtest` | | > > This mapping overrides the randomly-generated core authentication attribute, `Organization Authentication Signing Secret`. > > You can map multiple secrets to this label to enable secret rotation. AM signs the authentication token with the *active* secret but checks all mapped secrets when verifying the authentication token signature. Therefore, if you rotate the active secret while an authentication request is in progress, the returned authentication token can still be verified. > > If you *delete* the secret that was used to sign an authentication token, the `authID` returned in the authentication request can't be verified and authentication fails. > **Collapse: Authentication nodes** > > The dynamic secret labels for authentication nodes, where identifier is defined in the node configuration: > > | Node | Secret label | > | ------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------- | > | [Set Persistent Cookie node](https://docs.pingidentity.com/auth-node-ref/8.1/set-persistent-cookie.html) | `am.authentication.nodes.persistentcookie.identifier.signing` | > | [Persistent Cookie Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/persistent-cookie-decision.html) | `am.authentication.nodes.persistentcookie.identifier.signing` | > | [OTP SMS Sender node](https://docs.pingidentity.com/auth-node-ref/8.1/otp-sms-sender.html) | `am.authentication.nodes.otp.sms.identifier.password` | > | [OTP Email Sender node](https://docs.pingidentity.com/auth-node-ref/8.1/otp-email-sender.html) | `am.authentication.nodes.otp.mail.identifier.password` | > | [LDAP Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/ldap-decision.html) | `am.authentication.nodes.ldap.decision.mtls.identifier.cert` | > | [WebAuthn Registration node](https://docs.pingidentity.com/auth-node-ref/8.1/webauthn-registration.html) | `am.authentication.nodes.webauthn.truststore.identifier` | > | [Certificate Validation node](https://docs.pingidentity.com/auth-node-ref/8.1/certificate-validation.html) | `am.authentication.nodes.certificate.validation.mtls.identifier.cert` | > | [RADIUS Decision node](https://docs.pingidentity.com/auth-node-ref/8.1/radius-decision.html) | `am.authentication.nodes.radius.identifier.secret` | > | [Custom authentication node](../auth-nodes/build-install-nodes.html#proc-build-install-custom-node) | `am.authentication.nodes.customauth.identifier.secret` | ### Encrypted device storage services > **Collapse: Encrypt device storage services** > > The secret label mappings for services that use encrypted device storage. > > These mappings override the encryption keys set in the service configuration. > > | Service | Secret label | > | --------------------------------------------------------------------------------------------------------------- | ---------------------------------------------- | > | [Device ID Service](../setup/services-configuration.html#global-deviceidservice) | `am.services.deviceid.encryption` | > | [Device Binding Service](../setup/services-configuration.html#global-devicebindingservice) | `am.services.devicebinding.encryption` | > | [Device Profile Service](../setup/services-configuration.html#global-deviceprofilesservice) | `am.services.deviceprofile.encryption` | > | [WebAuthn Profile Encryption Service](../setup/services-configuration.html#global-authenticatorwebauthnservice) | `am.services.authenticatorwebauthn.encryption` | > | [ForgeRock Authentication (OATH) Service](../setup/services-configuration.html#global-authenticatoroathservice) | `am.services.authenticatoroath.encryption` | > | [ForgeRock Authentication (PUSH) Service](../setup/services-configuration.html#global-authenticatorpushservice) | `am.services.authenticatorpush.encryption` | ### Http Client service > **Collapse: HTTP client mTLS certificates** > > The following table shows the secret label mappings for CA certificates used by the [httpclient](../am-scripting/script-bindings.html#common-httpclient) script binding to secure HTTP requests. > > | Secret label | Default alias | Algorithms | > | ------------------------------------------------------------------- | ------------- | ---------- | > | `am.services.httpclient.mtls.clientcert.identifier.secret`(1) | | | > | `am.services.httpclient.mtls.servertrustcerts.identifier.secret`(2) | | | > > (1) Map the `am.services.httpclient.mtls.clientcert.identifier.secret` dynamic secret label to the certificate to be used by the `httpclient` script binding when making HTTP requests. The identifier is the value of the Client Certificate Secret Label Identifier set in the HTTP Client service configuration. > > (2) Map the `am.services.httpclient.mtls.servertrustcerts.identifier.secret` dynamic secret label to the truststore of certificates that verify the server certificate. The identifier is the value of the Server Trust Certificate Secret Label Identifier set in the HTTP Client service configuration. > **Collapse: HTTP client proxy connection** > > The following table shows the secret label mappings used by the [httpclient](../am-scripting/script-bindings.html#common-httpclient) script binding to route HTTP requests through a proxy connection. > > | Secret label | Default alias | Algorithms | > | --------------------------------------------------- | ------------- | ---------- | > | `am.services.httpclient.proxy.identifier.secret`(1) | | | > > (1) Map the `am.services.httpclient.proxy.identifier.secret` dynamic secret label to the secret to be used by the `httpclient` script binding when making HTTP requests. The identifier is the value of the Proxy Secret Label Identifier set in the HTTP Client service configuration. ### IoT > **Collapse: IoT trusted JWT issuer** > > The following table shows the secret label mapping that the IoT service uses when configured as a trusted OAuth 2.0 JWT issuer: > > | secret label | Default alias | Algorithms | > | ------------------------------------ | ----------------- | ---------- | > | `am.services.iot.jwt.issuer.signing` | `hmacsigningtest` | HS256 | > **Collapse: IoT certificate verification** > > The following table shows the secret label mapping for the CA certificate that the [Register Thing node](https://docs.pingidentity.com/auth-node-ref/8.1/self-managed/register-thing.html) uses to verify the X.509 digital certificate included in the proof-of-possession JWT: > > | Secret label | Default alias | Algorithms | > | ----------------------------------- | ------------- | ---------- | > | `am.services.iot.cert.verification` | | | ### OAuth 2.0 and OpenID Connect #### As provider > **Collapse: JWT authenticity signing** > > The following table shows the secret label mapping used to sign several OAuth 2.0 and OpenID Connect-related JWTs: > > | Secret label | Default alias | Algorithms | > | --------------------------------------------- | ----------------- | ----------------- | > | `am.services.oauth2.jwt.authenticity.signing` | `hmacsigningtest` | HS256 HS384 HS512 | > > | | | > | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | > | | This key is used to sign the following tokens and requests:- OpenID Connect tokens for web and Java agents. > > - OpenID Connect tokens that are signed with an HMAC algorithm. > > - Macaroon access and refresh tokens. > > - Consent requests to remote consent agents that are signed with an HMAC algorithm. | > **Collapse: Encrypt client-side OAuth 2.0 tokens** > > This table shows the secret label mapping used to encrypt [client-side](../am-oauth2/stateless-stateful-tokens.html#client-side-tokens) access tokens: > > | Secret label | Default alias | Algorithms | > | ----------------------------------------------- | --------------- | ------------- | > | `am.services.oauth2.stateless.token.encryption` | `directenctest` | A128CBC-HS256 | > **Collapse: Sign client-side OAuth 2.0 tokens** > > This table shows the secret label mappings used to sign [client-side](../am-oauth2/stateless-stateful-tokens.html#client-side-tokens) access tokens: > > | Secret label | Default alias | Algorithms | > | -------------------------------------------- | ------------------ | ----------------------------------- | > | `am.services.oauth2.stateless.signing.ES256` | `es256test` | ES256 | > | `am.services.oauth2.stateless.signing.ES384` | `es384test` | ES384 | > | `am.services.oauth2.stateless.signing.ES512` | `es512test` | ES512 | > | `am.services.oauth2.stateless.signing.HMAC` | `hmacsigningtest` | HS256 HS384 HS512 | > | `am.services.oauth2.stateless.signing.RSA` | `rsajwtsigningkey` | PS256 PS384 PS512 RS256 RS384 RS512 | > **Collapse: Authenticate OAuth 2.0 clients** > > The secret label mappings used to authenticate [OAuth 2.0 clients](../am-oauth2/oauth2-register-client.html): > > | Secret label | Default alias | Algorithms | > | --------------------------------------------------------------------- | ------------- | ---------- | > | `am.applications.oauth2.client.identifier.secret`(1) | | | > | `am.applications.oauth2.client.identifier.jwt.public.key`(2) | | | > | `am.applications.oauth2.client.identifier.mtls.trusted.cert`(3) | | | > | `am.applications.oauth2.client.identifier.id.token.enc.public.key`(4) | | | > > (1) Map the `am.applications.oauth2.client.identifier.secret` dynamic secret label to override the OAuth 2.0 client's Client secret property, where identifier is the value of the Secret Label Identifier set in the client configuration. (2) Map the `am.applications.oauth2.client.identifier.jwt.public.key` dynamic secret label to override the OAuth 2.0 client's Client JWT Bearer Public Key, where identifier is the value of the Secret Label Identifier set in the client configuration. (3) Map the `am.applications.oauth2.client.identifier.mtls.trusted.cert` dynamic secret label to override the OAuth 2.0 client's mTLS Self-Signed Certificate, where identifier is the value of the Secret Label Identifier set in the client configuration. (4) Map the `am.applications.oauth2.client.identifier.id.token.enc.public.key` dynamic secret label to override the OAuth 2.0 client's ID Token Encryption Public Key, where identifier is the value of the Secret Label Identifier set in the client configuration. > **Collapse: Sign remote consent requests** > > This table shows the secret label mappings used to sign remote consent requests: > > | Secret label | Default alias | Algorithms(1) | > | ------------------------------------------------------------- | ------------------ | ----------------------------------- | > | `am.applications.agents.remote.consent.request.signing.ES256` | `es256test` | ES256 | > | `am.applications.agents.remote.consent.request.signing.ES384` | `es384test` | ES384 | > | `am.applications.agents.remote.consent.request.signing.ES512` | `es512test` | ES512 | > | `am.applications.agents.remote.consent.request.signing.RSA` | `rsajwtsigningkey` | RS256 RS384 RS512 PS256 PS384 PS512 | > > (1) If you select an HMAC algorithm for signing consent requests (HS256, HS384, or HS512), the value of the Remote Consent Service secret property is used, instead of an entry from the secret stores. > > Because the HMAC secret is shared between AM and the remote consent client, a malicious user compromising the client could create tokens that AM would trust. To protect against misuse, AM also signs the token using a non-shared signing key configured in the `am.services.oauth2.jwt.authenticity.signing` secret label. > **Collapse: Decrypt remote consent responses** > > This table shows the secret label mapping used to decrypt remote consent responses: > > | Secret label | Default alias | Algorithms(1) | > | ------------------------------------------------------- | ------------- | ------------- | > | `am.services.oauth2.remote.consent.response.decryption` | `test` | RSA-OAEP-256 | > > (1) If you select an algorithm other than RSA-OAEP-256 for decrypting consent responses, the value of the Remote Consent Service secret property is used, instead of an entry from the secret stores. > **Collapse: OAuth 2.0 example Remote Consent service** > > This table shows the secret label mappings used for the example Remote Consent service: > > | Secret label | Default alias | Algorithms | > | -------------------------------------------------------- | -------------------- | ------------------------------------- | > | `am.services.oauth2.remote.consent.response.signing.RSA` | `rsajwtsigningkey` | RS256 RSA (at least 2048 bits) | > | `am.services.oauth2.remote.consent.request.encryption` | `selfserviceenctest` | RSA-OAEP-256 RSA (at least 2048 bits) | > **Collapse: Salt hashes** > > The secret label for salting hashes in OAuth 2.0 and OIDC flows. > > | Secret label | Default alias | Algorithms | > | ---------------------------------------------- | ------------- | ---------- | > | `am.services.oauth2.provider.hash.salt.secret` | | | > > Use this secret label instead of setting Subject Identifier Hash Salt in the provider configuration. > > This secret can't be rotated. > **Collapse: Decrypt OIDC request parameters** > > This table shows the secret label mapping used to decrypt OIDC request parameters: > > | Secret label | Default alias | Algorithms(1) | > | ------------------------------------------------- | ------------- | ------------------------------------ | > | `am.services.oauth2.oidc.decryption.RSA1.5` | `test` | RSA with PKCS#1 v1.5 padding | > | `am.services.oauth2.oidc.decryption.RSA.OAEP` | `test` | RSA with OAEP with SHA-1 and MGF-1 | > | `am.services.oauth2.oidc.decryption.RSA.OAEP.256` | `test` | RSA with OAEP with SHA-256 and MGF-1 | > > (1) The following applies to confidential clients only: > > If you select an AES algorithm (A128KW, A192KW, or A256KW) or the direct encryption algorithm (dir), the value of the Client Secret field in the OAuth 2.0 Client is used as the secret instead of an entry from the secret stores. > > The following signing and encryption algorithms use the Client Secret field to store the secret: > > * Signing ID tokens with an HMAC algorithm > > * Encrypting ID tokens with AES or direct encryption > > * Encrypting parameters with AES or direct encryption > > Store only one secret in the Client Secret field; AM will use different mechanisms to sign and encrypt depending on the algorithm, as explained in the OpenID Connect Core 1.0 errata set 1 specification. > **Collapse: Sign OIDC tokens** > > The following table shows the secret label mapping used to sign OIDC ID tokens and backchannel logout tokens: > > | Secret label | Default alias | Algorithms(1) | > | --------------------------------------- | ------------------ | ----------------------------------- | > | `am.services.oauth2.oidc.signing.ES256` | `es256test` | ES256 | > | `am.services.oauth2.oidc.signing.ES384` | `es384test` | ES384 | > | `am.services.oauth2.oidc.signing.ES512` | `es512test` | ES512 | > | `am.services.oauth2.oidc.signing.RSA` | `rsajwtsigningkey` | PS256 PS384 PS512 RS256 RS384 RS512 | > | `am.services.oauth2.oidc.signing.EDDSA` | | EdDSA with SHA-512 | > > (1) The following applies to confidential clients only: > > If you select an HMAC algorithm for signing ID tokens (HS256, HS384, or HS512), the Client Secret property value in the OAuth 2.0 Client is used as the HMAC secret instead of an entry from the secret stores. > > Since the HMAC secret is shared between AM and the client, a malicious user compromising the client could potentially create tokens that AM would trust. Therefore, to protect against misuse, AM also signs the token using a non-shared signing key configured in the `am.services.oauth2.jwt.authenticity.signing` secret label. > **Collapse: CA certificates used in mTLS client authentication** > > This table shows the secret label mapping used to store the CA certificates AM should trust during mTLS client authentication: > > | Secret label | Default alias | Algorithms | > | --------------------------------------------------- | ------------- | ---------- | > | `am.services.oauth2.tls.client.cert.authentication` | | | #### As client/relying party of the Social Identity Provider service > **Collapse: Decrypt ID tokens** > > This table shows the secret label mapping to support decryption of ID tokens and `userinfo` endpoint data in JWT format when AM is configured as a relying party of the Social Identity Provider Service: > > | Secret label | Default alias | Algorithms | > | ----------------------------------------------- | ------------- | ------------------------------------------------------------ | > | `am.services.oauth2.oidc.rp.idtoken.encryption` | `test` | Consult the `.well-known` endpoint of the identity provider. | > > The public key is exposed in the [/oauth2/connect/rp/jwk\_uri](../am-oidc1/managing-rp-jwk_uri.html). > > For more information about the algorithms supported, and how to configure this secret label mapping, refer to [Social authentication](../am-authentication/social-registration.html). > **Collapse: Sign JWTs and objects** > > This table shows the secret label mapping that AM uses to sign JWTs and objects when configured as a relying party of the Social Identity Provider Service: > > | Secret label | Default alias | Algorithms | > | ----------------------------------------------------- | ------------------ | ------------------------------------------------------------ | > | `am.services.oauth2.oidc.rp.jwt.authenticity.signing` | `rsajwtsigningkey` | Consult the `.well-known` endpoint of the identity provider. | > > The public key is exposed in the [/oauth2/connect/rp/jwk\_uri](../am-oidc1/managing-rp-jwk_uri.html). > > For more information about the algorithms supported, and how to configure this secret label mapping, refer to [Social authentication](../am-authentication/social-registration.html). > **Collapse: CA certificates used in mTLS client authentication (RP)** > > The following table shows the secret label mapping used to store CA or self-signed certificates AM uses for mTLS client authentication when configured as a relying party of the Social Identity Provider service: > > | Secret label | Default alias | Algorithms | > | ---------------------------------------------------- | ------------- | ------------------------------------------------------------ | > | `am.services.oauth2.mtls.client.cert.authentication` | | Consult the `.well-known` endpoint of the identity provider. | > > The public key is exposed in the [/oauth2/connect/rp/jwk\_uri](../am-oidc1/managing-rp-jwk_uri.html). > > For more information about the algorithms supported, and how to configure this secret label mapping, refer to [Social authentication](../am-authentication/social-registration.html). ### Policy Configuration service > **Collapse: Policy Configuration service** > > The secret label mappings to encrypt the certificate used to authenticate Policy Configuration service connections: > > | Secret label | Default alias | Algorithms | > | ------------------------------------------- | ------------- | ---------- | > | `am.policy.configuration.service.mtls.cert` | | | ### Push Notification service > **Collapse: Push Notification service** > > The secret label mapping for the Amazon Simple Notification Service access key used by the Push Notification service. The secret mapping overrides the SNS Access Key Secret set in the service configuration. > > | Secret label | Default alias | Algorithms | > | --------------------------------------------------- | ------------- | ---------- | > | `am.services.pushnotification.sns.accesskey.secret` | | | ### SAML 2.0 > **Collapse: Encrypt SAML 2.0 session storage JWTs** > > This table shows the secret label mapping used to encrypt the JWTs SAML 2.0 creates in session storage: > > | Secret label | Default alias | Algorithms | > | -------------------------------------------------------- | --------------- | ---------- | > | `am.global.services.saml2.client.storage.jwt.encryption` | `directenctest` | A256GCM | > **Collapse: Sign SAML 2.0 metadata** > > This table shows the secret label mappings used to sign SAML 2.0 metadata: > > | Secret label | Default alias | Algorithms | > | ---------------------------------------- | ------------------ | ----------- | > | `am.services.saml2.metadata.signing.RSA` | `rsajwtsigningkey` | RSA SHA-256 | > **Collapse: SAML 2.0 signing and encryption** > > The following table shows the secret label mappings used to sign and encrypt SAML 2.0 elements, and to enable mTLS authentication between entity providers: > > | Secret label | Default alias | Algorithms | > | --------------------------------------------------------------------------- | ------------------ | ------------------------------------------------------------------------------------------------------ | > | `am.default.applications.federation.entity.providers.saml2.idp.encryption` | `test` | RSA with PKCS#1 v1.5 padding RSA with OAEP | > | `am.default.applications.federation.entity.providers.saml2.idp.signing` | `rsajwtsigningkey` | RSA SHA-1(1) ECDSA SHA-256 ECDSA SHA-384 ECDSA SHA-512 RSA SHA-256 RSA SHA-384 RSA SHA-512 DSA SHA-256 | > | `am.default.applications.federation.entity.providers.saml2.sp.encryption` | `test` | RSA with PKCS#1 v1.5 padding RSA with OAEP | > | `am.default.applications.federation.entity.providers.saml2.sp.signing` | `rsajwtsigningkey` | RSA SHA-1(1) ECDSA SHA-256 ECDSA SHA-384 ECDSA SHA-512 RSA SHA-256 RSA SHA-384 RSA SHA-512 DSA SHA-256 | > | `am.default.applications.federation.entity.providers.saml2.sp.mtls`(2) | | | > | `am.applications.federation.entity.providers.saml2.identifier.basicauth`(3) | | | > > (1) This algorithm is for compatibility purposes only. Avoid its use. > > (2) For artifact resolution requests only, the SP uses the certificates mapped to this secret label for mTLS authentication to the remote IdP. These certificates are exported with `` in the SP metadata. > > (3) The SP uses the certificate mapped to this secret label for basic authentication. If you set a Secret Label Identifier, and AM finds a mapping to `am.applications.federation.entity.providers.saml2.identifier .basicauth`, AM uses this secret and ignores the value of the Password field. For basic authentication, there is no *default* secret label for the realm, or globally. > > You can specify a custom Secret Label Identifier for each SAML 2.0 entity provider in a realm. AM generates new secret labels that can be unique to the provider, or shared by multiple providers. > > For example, you could add a custom secret label identifier named *mySamlSecrets* to a hosted identity provider. AM then dynamically creates the following secret labels, which the hosted identity provider uses for signing and encryption: > > * `am.applications.federation.entity.providers.saml2.mySamlSecrets.signing` > > * `am.applications.federation.entity.providers.saml2.mySamlSecrets.encryption` > > AM attempts to look up the secrets with the custom secret label identifier. If unsuccessful, AM looks up the secrets using the default secret labels. ### UMA > **Collapse: UMA persisted claims tokens** > > The secret label mappings to encrypt UMA persisted claims tokens (PCTs): > > | Secret label | Default alias | Algorithms | > | -------------------------------- | --------------- | ---------- | > | `am.services.uma.pct.encryption` | `directenctest` | | ### User self-service > **Collapse: User self-service** > > The secret label mappings to encrypt and sign the user self-service snapshot token. > > | Secret label | Default alias | Algorithms | > | ------------------------------------------ | -------------------- | ---------- | > | `am.services.selfservice.token.encryption` | `selfserviceenctest` | | > | `am.services.selfservice.token.signing` | `rsajwtsigningkey` | | ### Web agents and Java agents > **Collapse: Sign JWTs for Web and Java agents** > > The following table shows the secret label mapping used sign the JWTs provided to web and Java agents: > > | Secret label | Default alias | Algorithms | > | ------------------------------------------------------ | ------------------ | ----------------- | > | `am.global.services.oauth2.oidc.agent.idtoken.signing` | `rsajwtsigningkey` | RS256 RS384 RS512 |