--- title: CapturedUserPasswordFilter description: Makes an AM password available to PingGateway in the following steps: component: pinggateway version: 2026 page_id: pinggateway:reference:CapturedUserPasswordFilter canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/CapturedUserPasswordFilter.html revdate: 2026-01-05 section_ids: CapturedUserPasswordFilter-usage: Usage CapturedUserPasswordFilter-properties: Properties CapturedUserPasswordFilter-moreinfo: More information --- # CapturedUserPasswordFilter Makes an AM password available to PingGateway in the following steps: * Checks for the presence of the SessionInfoContext context, at `${contexts.amSession}`. * If the context isn't present, or if `sunIdentityUserPassword` is `null`, the CapturedUserPasswordFilter collects session info and properties from AM. * If the context is present and `sunIdentityUserPassword` isn't `null`, the CapturedUserPasswordFilter uses that value for the password. * The CapturedUserPasswordFilter decrypts the password and stores it in the CapturedUserPasswordContext, at `${contexts.capturedPassword}`. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | In PingOne Advanced Identity Cloud and from AM 7.5, the password capture and replay feature can optionally manage the replay password through AM's secret service. The secret label for the replay password must be `am.authentication.replaypassword.key`.For backward compatibility, if a secret isn't defined, is empty, or can't be resolved, AM manages the replay password through the AM system property `am.authentication.replaypassword.key`. | ## Usage ```json { "name": string, "type": "CapturedUserPasswordFilter", "config": { "amService": AmService reference, "keySecretId": configuration expression, "secretsProvider": SecretsProvider reference, "ssoToken": runtime expression } } ``` ## Properties * `"amService"`: *AmService [reference](preface.html#definition-reference), required* The AmService heap object to use for the password. See also, [AmService](AmService.html). * `"keySecretId"`: *configuration expression<[secret-id](preface.html#definition-enumeration)>, required* The secret ID for the key required decrypt the AM password. This secret ID must point to a [CryptoKey](../security-guide/keys.html#secret-types) whose algorithm is AES. * `"secretsProvider"`: *SecretsProvider [reference](preface.html#definition-reference), required* The [SecretsProvider](SecretsProvider.html) to query for secrets to decrypt the user password. * `"ssoToken"`: *runtime expression<[string](preface.html#definition-string)>, required* Location of the AM SSO token. Default: `${request.cookiesAmService-ssoTokenHeader'][0].value}`, where `AmService-ssoTokenHeader` is the name of the header or cookie where the AmService expects to find SSO tokens. ## More information [org.forgerock.openig.openam.CapturedUserPasswordFilter](../_attachments/apidocs/org/forgerock/openig/openam/CapturedUserPasswordFilter.html) [org.forgerock.openig.openam.CapturedUserPasswordContext](../_attachments/apidocs/org/forgerock/openig/openam/CapturedUserPasswordContext.html) [CapturedUserPasswordContext](CapturedUserPasswordContext.html) [SessionInfoFilter](SessionInfoFilter.html)