CapturedUserPasswordFilter
Makes an AM password available to IG in the following steps:
- Checks for the presence of the SessionInfoContext context, at ${contexts.amSession}.
  - If the context is not present, or if sunIdentityUserPassword is null, the CapturedUserPasswordFilter collects session info and properties from AM.
  - If the context is present and sunIdentityUserPassword is not null, the CapturedUserPasswordFilter uses that value for the password.
- The CapturedUserPasswordFilter decrypts the password and stores it in the CapturedUserPasswordContext, at ${contexts.capturedPassword}.
Usage
{
    "name": string,
    "type": "CapturedUserPasswordFilter",
    "config": {
        "amService": AmService reference,
        "keySecretId": configuration expression<secret-id>,
        "keyType": configuration expression<string>,
        "secretsProvider": SecretsProvider reference,
        "ssoToken": runtime expression<string>,
        "key": configuration expression<string> //deprecated
    }
}
Properties
"amService": AmService reference, required
    The AmService heap object to use for the password. See also, AmService.
"keySecretId": configuration expression<secret-id>, required
    The secret ID for the key required to decrypt the AM password.
"keyType": configuration expression<enumeration>, required
    Algorithm to decrypt the AM password. Use one of the following values:
    - AES for JWT-based AES_128_CBC_HMAC_SHA_256 encryption. For more information, see AES_128_CBC_HMAC_SHA_256 in the IETF JSON Web Algorithms.
    - DES for DES/ECB/NoPadding. This value is deprecated, and considered unsecure. For more information, refer to Deprecation.
"secretsProvider": SecretsProvider reference, optional
    The SecretsProvider object to query for the JWT session signing or encryption keys. For more information, see SecretsProvider.
    Default: The route's default secret service. For more information, see Default secrets object.
"ssoToken": runtime expression<string>, required
    Location of the AM SSO token.
    Default: ${request.cookies['AmService-ssoTokenHeader'][0].value}, where AmService-ssoTokenHeader is the name of the header or cookie where the AmService expects to find SSO tokens.
"key": configuration expression<string>, required
    This property is deprecated and is not considered secure. Use keySecretId instead. For more information, refer to Deprecation.
    Base64 encoded key value to decrypt the AM password.
Examples
The following example route is used to get login credentials from AM in Get login credentials from AM.
{
    "name": "04-replay",
    "condition": "${find(request.uri.path, '^/replay')}",
    "heap": [
        {
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
        },
        {
            "name": "AmService-1",
            "type": "AmService",
            "config": {
                "agent": {
                    "username": "ig_agent",
                    "passwordSecretId": "agent.secret.id"
                },
                "secretsProvider": "SystemAndEnvSecretStore-1",
                "url": "http://am.example.com:8088/openam/"
            }
        },
        {
            "name": "CapturedUserPasswordFilter",
            "type": "CapturedUserPasswordFilter",
            "config": {
                "ssoToken": "${contexts.ssoToken.value}",
                "keySecretId": "aes.key",
                "keyType": "AES",
                "secretsProvider": "SystemAndEnvSecretStore-1",
                "amService": "AmService-1"
            }
        }
    ],
    "handler": {
        "type": "Chain",
        "config": {
            "filters": [
                {
                    "type": "SingleSignOnFilter",
                    "config": {
                        "amService": "AmService-1"
                    }
                },
                {
                    "type": "PasswordReplayFilter",
                    "config": {
                        "loginPage": "${true}",
                        "credentials": "CapturedUserPasswordFilter",
                        "request": {
                            "method": "POST",
                            "uri": "http://app.example.com:8081/login",
                            "form": {
                                "username": [
                                    "${contexts.ssoToken.info.uid}"
                                ],
                                "password": [
                                    "${contexts.capturedPassword.value}"
                                ]
                            }
                        }
                    }
                }
            ],
            "handler": "ReverseProxyHandler"
        }
    }
}
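
The following check is an added example, not part of the original documentation or of IG itself: it scans a route for CapturedUserPasswordFilter declarations that still use the deprecated "key" property or the DES keyType described under Properties, or that omit a required property. The sample route, the filter names LegacyCapture and CurrentCapture, the key placeholder, and the helper names find_filters and audit_route are all constructed for illustration.

```python
import json

# Properties the page marks as required. "ssoToken" has a documented default and
# "key" is the deprecated alternative to "keySecretId", so both are handled specially.
REQUIRED = ("amService", "keySecretId", "keyType")

# Constructed sample route: one legacy declaration, one matching the page's example.
SAMPLE_ROUTE = """{"heap": [
  {"name": "LegacyCapture", "type": "CapturedUserPasswordFilter",
   "config": {"amService": "AmService-1", "keyType": "DES", "key": "BASE64-KEY-PLACEHOLDER"}},
  {"name": "CurrentCapture", "type": "CapturedUserPasswordFilter",
   "config": {"amService": "AmService-1", "keyType": "AES", "keySecretId": "aes.key",
              "ssoToken": "${contexts.ssoToken.value}"}}
]}"""

def find_filters(node):
    """Yield every object declared with type CapturedUserPasswordFilter, at any depth."""
    if isinstance(node, dict):
        if node.get("type") == "CapturedUserPasswordFilter":
            yield node
        for value in node.values():
            yield from find_filters(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_filters(item)

def audit_route(route_text):
    """Return (filter name, finding) pairs for a route given as JSON text."""
    findings = []
    for flt in find_filters(json.loads(route_text)):
        name = flt.get("name", "<inline>")
        config = flt.get("config", {})
        if "key" in config:
            findings.append((name, 'deprecated "key" keeps the key in the route; use keySecretId'))
        for prop in REQUIRED:
            if prop not in config and not (prop == "keySecretId" and "key" in config):
                findings.append((name, f'required property "{prop}" is missing'))
        key_type = config.get("keyType")
        if key_type == "DES":
            findings.append((name, "keyType DES (DES/ECB/NoPadding) is deprecated; use AES"))
        elif isinstance(key_type, str) and "${" not in key_type and key_type != "AES":
            # Values written as expressions cannot be resolved statically and are skipped.
            findings.append((name, f'keyType "{key_type}" is not AES or DES'))
    return findings

if __name__ == "__main__":
    for name, finding in audit_route(SAMPLE_ROUTE):
        print(f"{name}: {finding}")
```

The check reads plain JSON only, so a keyType or other value supplied through an expression still needs to be reviewed where it is resolved.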