---
title: Secret labels
description: Advanced Identity Cloud uses these labels to match secrets for access management signing and encryption with the aliases of the secrets in the secret store. Expand the categories for additional information.
component: pingoneaic
page_id: pingoneaic:am-reference:secret-id-mappings
canonical_url: https://docs.pingidentity.com/pingoneaic/am-reference/secret-id-mappings.html
keywords: ["ESV", "Encryption", "Secret Stores", "Federation", "OAuth 2.0", "OpenID Connect (OIDC)", "SAML 2.0"]
page_aliases: ["reference:secret-id-mappings.adoc"]
section_ids:
  oauth2-default-secret-labels: OAuth 2.0 and OpenID Connect provider secrets
  oidc-social-registration-secret-labels: Social identity client secrets
  agents-default-secret-labels: Web and Java agent secrets
  authentication-default-secret-labels: Authentication secrets
  saml2-default-secret-labels: SAML 2.0 secrets
  attestation-secret-labels: Attestation secrets
  encrypted-device-storage-secret-labels: Encrypted device storage services
  httpclient-secret-labels: Http Client service secrets
  policy-config-service-default-secret-labels: Policy Configuration service secrets
  push-notification-service-default-secret-labels: Push Notification service secrets
  webauthn-secret-labels: WebAuthn Metadata service secrets
---

# Secret labels

Advanced Identity Cloud uses these labels to match secrets for access management signing and encryption with the aliases of the secrets in the secret store. Expand the categories for additional information.

For instructions on using these secret labels, refer to [Use ESVs for signing and encryption keys](../tenants/esvs-signing-encryption.html).

**Note:** The term *secret IDs* is being phased out in favor of *secret labels*, but you might come across instances of *secret ID* in the documentation and in the UI until the terminology change is complete.

## OAuth 2.0 and OpenID Connect provider secrets

> **Collapse: Encrypt client-side OAuth 2.0 tokens**
>
> This table shows the label for the secret to encrypt [client-side](../am-oauth2/client-side-tokens.html) access tokens:
>
> | Secret label                                    | Algorithms    |
> | ----------------------------------------------- | ------------- |
> | `am.services.oauth2.stateless.token.encryption` | A128CBC-HS256 |

> **Collapse: Sign client-side OAuth 2.0 tokens**
>
> This table shows the labels for the secrets to sign [client-side](../am-oauth2/client-side-tokens.html) access tokens:
>
> | Secret label                                 | Algorithms                          |
> | -------------------------------------------- | ----------------------------------- |
> | `am.services.oauth2.stateless.signing.ES256` | ES256                               |
> | `am.services.oauth2.stateless.signing.ES384` | ES384                               |
> | `am.services.oauth2.stateless.signing.ES512` | ES512                               |
> | `am.services.oauth2.stateless.signing.HMAC`  | HS256 HS384 HS512                   |
> | `am.services.oauth2.stateless.signing.RSA`   | PS256 PS384 PS512 RS256 RS384 RS512 |

> **Collapse: Authenticate OAuth 2.0 clients**
>
> The secret label mappings used to authenticate [OAuth 2.0 clients](../am-oauth2/oauth2-register-client.html):
>
> | Secret label                                                          | Algorithms |
> | --------------------------------------------------------------------- | ---------- |
> | `am.applications.oauth2.client.identifier.secret`(1)                  |            |
> | `am.applications.oauth2.client.identifier.jwt.public.key`(2)          |            |
> | `am.applications.oauth2.client.identifier.mtls.trusted.cert`(3)       |            |
> | `am.applications.oauth2.client.identifier.id.token.enc.public.key`(4) |            |
>
> (1) Map the `am.applications.oauth2.client.identifier.secret` dynamic secret label to override the OAuth 2.0 client's Client secret property, where identifier is the value of the Secret Label Identifier set in the client configuration.\
> (2) Map the `am.applications.oauth2.client.identifier.jwt.public.key` dynamic secret label to override the OAuth 2.0 client's Client JWT Bearer Public Key, where identifier is the value of the Secret Label Identifier set in the client configuration.\
> (3) Map the `am.applications.oauth2.client.identifier.mtls.trusted.cert` dynamic secret label to override the OAuth 2.0 client's mTLS Self-Signed Certificate, where identifier is the value of the Secret Label Identifier set in the client configuration.\
> (4) Map the `am.applications.oauth2.client.identifier.id.token.enc.public.key` dynamic secret label to override the OAuth 2.0 client's Client ID Token Public Encryption Key, where identifier is the value of the Secret Label Identifier set in the client configuration.

> **Collapse: Sign remote consent requests**
>
> This table shows the labels for the secrets to sign remote consent requests:
>
> | Secret label                                                  | Algorithms                          |
> | ------------------------------------------------------------- | ----------------------------------- |
> | `am.applications.agents.remote.consent.request.signing.ES256` | ES256                               |
> | `am.applications.agents.remote.consent.request.signing.ES384` | ES384                               |
> | `am.applications.agents.remote.consent.request.signing.ES512` | ES512                               |
> | `am.applications.agents.remote.consent.request.signing.RSA`   | RS256 RS384 RS512 PS256 PS384 PS512 |
>
> If you select an HMAC algorithm for signing consent requests (`HS256`, `HS384`, or `HS512`), Advanced Identity Cloud uses the Remote Consent Service secret, not an entry from the secret store.

> **Collapse: Decrypt remote consent responses**
>
> This table shows the label for the secret to decrypt remote consent responses:
>
> | Secret label                                            | Algorithms   |
> | ------------------------------------------------------- | ------------ |
> | `am.services.oauth2.remote.consent.response.decryption` | RSA-OAEP-256 |
>
> If you select an algorithm other than RSA-OAEP-256 for decrypting consent responses, Advanced Identity Cloud uses the Remote Consent Service secret, not an entry from the secret store.

> **Collapse: OAuth 2.0 example remote consent service**
>
> This table shows the labels for the secrets for the example remote consent service:
>
> | Secret label                                             | Algorithms                            |
> | -------------------------------------------------------- | ------------------------------------- |
> | `am.services.oauth2.remote.consent.response.signing.RSA` | RS256 (RSA key of at least 2048 bits)        |
> | `am.services.oauth2.remote.consent.request.encryption`   | RSA-OAEP-256 (RSA key of at least 2048 bits) |

> **Collapse: Secret label mappings for salting hashes**
>
> The secret label for salting hashes in OAuth 2.0 and OIDC flows.
>
> | Secret label                                   | Algorithms |
> | ---------------------------------------------- | ---------- |
> | `am.services.oauth2.provider.hash.salt.secret` |            |
>
> Use this secret label to override Subject Identifier Hash Salt in the provider configuration.
>
> This secret can't be rotated: the salt is an input to the pairwise subject identifiers issued to clients, so a new salt would change the `sub` values those clients have already stored.

> **Collapse: Decrypt OIDC request parameters**
>
> This table shows the labels for secrets to decrypt OIDC request parameters:
>
> | Secret label                                      | Algorithms                           |
> | ------------------------------------------------- | ------------------------------------ |
> | `am.services.oauth2.oidc.decryption.RSA1.5`       | RSA with PKCS#1 v1.5 padding         |
> | `am.services.oauth2.oidc.decryption.RSA.OAEP`     | RSA with OAEP with SHA-1 and MGF-1   |
> | `am.services.oauth2.oidc.decryption.RSA.OAEP.256` | RSA with OAEP with SHA-256 and MGF-1 |
>
> For *confidential clients*, if you select an AES algorithm (`A128KW`, `A192KW`, or `A256KW`) or the direct encryption algorithm (`dir`), Advanced Identity Cloud uses the Client Secret from the profile, not an entry from the secret store.
>
> The following use the Client Secret:
>
> * Signing ID tokens with an HMAC algorithm
>
> * Encrypting ID tokens with AES or direct encryption
>
> * Encrypting parameters with AES or direct encryption
>
> Store only one secret in the Client Secret field.
>
> For details about encryption options, refer to the [OIDC specification](https://openid.net/specs/openid-connect-core-1_0.html).

> **Collapse: Sign OIDC tokens**
>
> This table shows the labels for secrets to sign OIDC tokens and backchannel logout tokens:
>
> | Secret label                            | Algorithms                          |
> | --------------------------------------- | ----------------------------------- |
> | `am.services.oauth2.oidc.signing.ES256` | ES256                               |
> | `am.services.oauth2.oidc.signing.ES384` | ES384                               |
> | `am.services.oauth2.oidc.signing.ES512` | ES512                               |
> | `am.services.oauth2.oidc.signing.RSA`   | PS256 PS384 PS512 RS256 RS384 RS512 |
> | `am.services.oauth2.oidc.signing.EDDSA` | EdDSA with SHA-512                  |
>
> For *confidential clients*, if you select an HMAC algorithm for signing ID tokens (`HS256`, `HS384`, or `HS512`), Advanced Identity Cloud uses the Client Secret from the profile instead of an entry from the secret store.
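
The two rules above (an algorithm selects a label family; HMAC, AES and `dir` bypass the secret store and use the Client Secret) can be checked before a mapping goes live. The following Python is an added example, not code from the Ping Identity documentation or the product: it resolves a JOSE algorithm to the label that Advanced Identity Cloud would consult, using the label and algorithm pairs from the OIDC signing and decryption tables on this page, and then lints a secret store for keys that cannot serve the label they are mapped to (wrong curve, RSA key under 2048 bits, non-Ed25519 EdDSA key). The JWK-style dictionaries and `SAMPLE_STORE` are constructed sample data standing in for what a real store returns, and the 2048-bit floor comes from RFC 7518 rather than from this page.

```python
"""Which secret label does Advanced Identity Cloud consult for a given JOSE
algorithm, and is the key mapped to that label actually usable with it?

Added example, not code from the Ping Identity documentation or product.
Label/algorithm pairs are copied from the OIDC tables on the page; the
JWK-style dicts and SAMPLE_STORE are constructed sample data.
"""

CLIENT_SECRET = "<client profile Client Secret>"  # sentinel: no secret-store lookup happens
RSA_MIN_BITS = 2048  # RFC 7518 sections 3.3 and 4.2/4.3: RS*/PS*/RSA-OAEP keys must be >= 2048 bits


def ec_on(curve):
    """Predicate: an EC key on exactly the curve the ES* algorithm requires."""
    return lambda key: key.get("kty") == "EC" and key.get("crv") == curve


def rsa_2048(key):
    return key.get("kty") == "RSA" and key.get("bits", 0) >= RSA_MIN_BITS


def ed25519(key):
    # The page lists "EdDSA with SHA-512", i.e. Ed25519 (Ed448 uses SHAKE256 instead).
    return key.get("kty") == "OKP" and key.get("crv") == "Ed25519"


# (label, JOSE algorithms the label serves, predicate every mapped key must satisfy)
OIDC_SIGNING = [
    ("am.services.oauth2.oidc.signing.ES256", {"ES256"}, ec_on("P-256")),
    ("am.services.oauth2.oidc.signing.ES384", {"ES384"}, ec_on("P-384")),
    ("am.services.oauth2.oidc.signing.ES512", {"ES512"}, ec_on("P-521")),
    ("am.services.oauth2.oidc.signing.RSA",
     {"PS256", "PS384", "PS512", "RS256", "RS384", "RS512"}, rsa_2048),
    ("am.services.oauth2.oidc.signing.EDDSA", {"EdDSA"}, ed25519),
]
OIDC_DECRYPTION = [
    ("am.services.oauth2.oidc.decryption.RSA1.5", {"RSA1_5"}, rsa_2048),
    ("am.services.oauth2.oidc.decryption.RSA.OAEP", {"RSA-OAEP"}, rsa_2048),
    ("am.services.oauth2.oidc.decryption.RSA.OAEP.256", {"RSA-OAEP-256"}, rsa_2048),
]
# Algorithms for which the page says the client profile's Client Secret is used
# instead of a secret-store entry (confidential clients).
CLIENT_SECRET_SIGNING = frozenset({"HS256", "HS384", "HS512"})
CLIENT_SECRET_ENCRYPTION = frozenset({"A128KW", "A192KW", "A256KW", "dir"})


def resolve_label(table, alg, client_secret_algs=frozenset()):
    """Return the label looked up for `alg`, or CLIENT_SECRET when no store lookup happens.
    Anything absent from the table (including "none") is rejected, never defaulted."""
    if alg in client_secret_algs:
        return CLIENT_SECRET
    for label, algs, _ in table:
        if alg in algs:
            return label
    raise ValueError(f"{alg!r} is not a supported algorithm for this table")


def lint_store(table, store):
    """Check every key mapped under a label in `table` against that label's requirement.
    `store` maps label -> list of JWK-style dicts, one per alias mapped to the label
    (for example the current and the previous key during rotation).
    Returns the (label, alias) pairs whose key cannot serve the label."""
    failures = []
    for label, _, accepts in table:
        for key in store.get(label, []):
            if not accepts(key):
                failures.append((label, key["alias"]))
    return failures


# Constructed sample store: two aliases under the RSA signing label, one of them too short.
SAMPLE_STORE = {
    "am.services.oauth2.oidc.signing.ES256": [
        {"alias": "oidc-es256", "kty": "EC", "crv": "P-256"}],
    "am.services.oauth2.oidc.signing.RSA": [
        {"alias": "oidc-rsa-current", "kty": "RSA", "bits": 3072},
        {"alias": "oidc-rsa-old", "kty": "RSA", "bits": 1024}],
    "am.services.oauth2.oidc.decryption.RSA.OAEP.256": [
        {"alias": "oidc-enc", "kty": "RSA", "bits": 2048}],
}

if __name__ == "__main__":
    print("PS256 ->", resolve_label(OIDC_SIGNING, "PS256"))
    print("HS256 ->", resolve_label(OIDC_SIGNING, "HS256", CLIENT_SECRET_SIGNING))
    for label, alias in lint_store(OIDC_SIGNING + OIDC_DECRYPTION, SAMPLE_STORE):
        print(f"unusable key: alias {alias!r} is mapped to {label}")
```

Run the lint over every alias mapped to a label, not only the newest one: an older alias kept for rotation is still a key the provider can be asked to use.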

> **Collapse: CA certificates for mTLS client authentication**
>
> This table shows the label of the trusted CA certificate for mTLS client authentication:
>
> | Secret label                                        | Algorithms |
> | --------------------------------------------------- | ---------- |
> | `am.services.oauth2.tls.client.cert.authentication` |            |

## Social identity client secrets

> **Collapse: Decrypt ID tokens**
>
> This table shows the label for the secret to decrypt ID tokens and `userinfo` endpoint JWTs when Advanced Identity Cloud acts as a relying party (RP) of the social identity provider service:
>
> | Secret label                                    | Algorithms                                                   |
> | ----------------------------------------------- | ------------------------------------------------------------ |
> | `am.services.oauth2.oidc.rp.idtoken.encryption` | Consult the `.well-known` endpoint of the identity provider. |
>
> The public key is exposed at the [/oauth2/connect/rp/jwk\_uri](../am-oidc1/managing-rp-jwk_uri.html) endpoint.
>
> For details, refer to [Social authentication](../self-service/social-registration.html).

> **Collapse: Sign JWTs and objects**
>
> This table shows the label for the secret to sign JWTs and objects when Advanced Identity Cloud acts as a relying party (RP) of the social identity provider service:
>
> | Secret label                                          | Algorithms                                                   |
> | ----------------------------------------------------- | ------------------------------------------------------------ |
> | `am.services.oauth2.oidc.rp.jwt.authenticity.signing` | Consult the `.well-known` endpoint of the identity provider. |
>
> The public key is exposed at the [/oauth2/connect/rp/jwk\_uri](../am-oidc1/managing-rp-jwk_uri.html) endpoint.
>
> For details, refer to [Social authentication](../self-service/social-registration.html).

> **Collapse: Certificates for mTLS client authentication**
>
> This table shows the label of the trusted CA or self-signed certificate for mTLS client authentication when Advanced Identity Cloud acts as a relying party (RP) of the social identity provider service:
>
> | Secret label                                        | Algorithms                                                   |
> | --------------------------------------------------- | ------------------------------------------------------------ |
> | `am.services.oauth2.tls.client.cert.authentication` | Consult the `.well-known` endpoint of the identity provider. |
>
> The public key is exposed at the [/oauth2/connect/rp/jwk\_uri](../am-oidc1/managing-rp-jwk_uri.html) endpoint.
>
> For details, refer to [Social authentication](../self-service/social-registration.html).

## Web and Java agent secrets

> **Collapse: Sign agent JWTs**
>
> This table shows the label for the secret to sign the JWTs issued to Web and Java agents:
>
> | Secret label                                           | Algorithms        |
> | ------------------------------------------------------ | ----------------- |
> | `am.global.services.oauth2.oidc.agent.idtoken.signing` | RS256 RS384 RS512 |

## Authentication secrets

> **Collapse: Secure journey state data**
>
> This table shows the label for the secret to encrypt sensitive data in the secure state of an authentication journey:
>
> | Secret label                               | Algorithms  |
> | ------------------------------------------ | ----------- |
> | `am.authn.trees.transientstate.encryption` | AES 256-bit |

> **Collapse: Secret label mappings for persistent cookie nodes**
>
> The following table shows the secret label mappings used to encrypt and sign persistent cookies for the [Set Persistent Cookie node](https://docs.pingidentity.com/auth-node-ref/latest/set-persistent-cookie.html) and [Persistent Cookie Decision node](https://docs.pingidentity.com/auth-node-ref/latest/persistent-cookie-decision.html):
>
> | Secret label                                                      | Algorithms               |
> | ----------------------------------------------------------------- | ------------------------ |
> | `am.authentication.nodes.persistentcookie.encryption` (1)         | RSA (at least 2048 bits) |
> | `am.authentication.nodes.persistentcookie.identifier.signing` (2) |                          |
>
> (1) The `am.authentication.nodes.persistentcookie.encryption` label overrides the value for Persistent Cookie Encryption Certificate Alias in the [Core authentication attributes](../am-authentication/realm-auth-config.html).
>
> (2) Map the `am.authentication.nodes.persistentcookie.identifier.signing` dynamic secret label to override the HMAC Signing Key node property, where identifier is the value of the HMAC Signing Key Secret Label Identifier.
>
> **Note:** To read the persistent cookies generated by the [Set Persistent Cookie node](https://docs.pingidentity.com/auth-node-ref/latest/set-persistent-cookie.html), configure the [Persistent Cookie Decision node](https://docs.pingidentity.com/auth-node-ref/latest/persistent-cookie-decision.html) to use the same signing key secret label.

> **Collapse: Secret label mappings for RADIUS nodes**
>
> The [RADIUS Decision node](https://docs.pingidentity.com/auth-node-ref/latest/radius-decision.html) secures all conversations between Advanced Identity Cloud and the RADIUS server with the RADIUS shared secret mapped to this dynamic secret label, where identifier is the secret label identifier configured in the node:
>
> | Secret label                                       | Algorithms |
> | -------------------------------------------------- | ---------- |
> | `am.authentication.nodes.radius.identifier.secret` |            |

## SAML 2.0 secrets

> **Collapse: Sign SAML 2.0 metadata**
>
> This table shows the label for the secret to sign SAML 2.0 metadata:
>
> | Secret label                             | Algorithms  |
> | ---------------------------------------- | ----------- |
> | `am.services.saml2.metadata.signing.RSA` | RSA SHA-256 |

> **Collapse: SAML 2.0 signing and encryption**
>
> The following table shows the secret label mappings used to sign and encrypt SAML 2.0 elements, and to enable mTLS authentication between entity providers:
>
> | Secret label                                                                | Algorithms                                                                                             |
> | --------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
> | `am.default.applications.federation.entity.providers.saml2.idp.encryption`  | RSA with PKCS#1 v1.5 padding, RSA with OAEP                                                                   |
> | `am.default.applications.federation.entity.providers.saml2.idp.signing`     | RSA SHA-1 (1), ECDSA SHA-256, ECDSA SHA-384, ECDSA SHA-512, RSA SHA-256, RSA SHA-384, RSA SHA-512, DSA SHA-256 |
> | `am.default.applications.federation.entity.providers.saml2.sp.encryption`   | RSA with PKCS#1 v1.5 padding, RSA with OAEP                                                                   |
> | `am.default.applications.federation.entity.providers.saml2.sp.signing`      | RSA SHA-1 (1), ECDSA SHA-256, ECDSA SHA-384, ECDSA SHA-512, RSA SHA-256, RSA SHA-384, RSA SHA-512, DSA SHA-256 |
> | `am.default.applications.federation.entity.providers.saml2.sp.mtls`(2)      |                                                                                                        |
> | `am.applications.federation.entity.providers.saml2.identifier.basicauth`(3) |                                                                                                        |
>
> (1) This algorithm is for compatibility purposes only. Avoid its use.
>
> (2) For artifact resolution requests only, the SP uses the certificates mapped to this secret label for mTLS authentication to the remote IDP. These certificates are exported with `<KeyDescriptor use="signing">` in the SP metadata.
>
> (3) The SP uses the secret mapped to this label as the password for basic authentication. If you set a Secret Label Identifier and Advanced Identity Cloud finds a mapping to `am.applications.federation.entity.providers.saml2.identifier.basicauth`, it uses that secret and ignores the value of the Password field. There is no *default* basic authentication secret label for the realm, or globally: if no mapping exists for the identifier, the Password field is used.
>
> You can specify a custom Secret Label Identifier for each SAML 2.0 entity provider in a realm. Advanced Identity Cloud generates new secret labels that can be unique to the provider, or shared by multiple providers.
>
> For example, you could add a custom secret label identifier named *mySamlSecrets* to a hosted identity provider. Advanced Identity Cloud then dynamically creates the following secret labels, which the hosted identity provider uses for signing and encryption:
>
> * `am.applications.federation.entity.providers.saml2.mySamlSecrets.signing`
>
> * `am.applications.federation.entity.providers.saml2.mySamlSecrets.encryption`
>
> Advanced Identity Cloud attempts to look up the secrets with the custom secret label identifier. If unsuccessful, Advanced Identity Cloud looks up the secrets using the default secret labels.
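
As an added example (not code from the documentation or the product), the following Python walks the lookup order just described for every entity provider in a realm: the label built from the provider's Secret Label Identifier first, then the `am.default...` label for its role. It reports providers whose custom identifier resolved to nothing, because such a provider quietly shares the realm default key instead of the per-partner key the operator intended, and it shows that basic authentication has no default to fall back to. The provider list and the store contents are constructed, the identifier character check is this example's own restriction (the page does not state which characters are permitted), and custom labels are only built for the purposes the page names (`signing`, `encryption`, `basicauth`).

```python
"""Resolve the secret label each SAML 2.0 entity provider ends up using:
custom-identifier label first, realm/global default second.

Added example, not code from the Ping Identity documentation or product.
Label names come from the table on the page; providers, store contents and
the identifier character check are constructed/assumed for the example.
"""
import re

DEFAULT_PREFIX = "am.default.applications.federation.entity.providers.saml2"
CUSTOM_PREFIX = "am.applications.federation.entity.providers.saml2"

# Purposes for which the page describes an identifier-based label.
CUSTOM_PURPOSES = {"signing", "encryption", "basicauth"}
# (role, purpose) pairs that have a realm/global default label; basicauth has none.
DEFAULT_PURPOSES = {
    ("idp", "signing"), ("idp", "encryption"),
    ("sp", "signing"), ("sp", "encryption"), ("sp", "mtls"),
}
# Assumption for this example: identifiers are limited to a conservative character
# set so they cannot alter the label structure (the page does not state the set).
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def candidate_labels(role, purpose, identifier=None):
    """Labels in lookup order for one provider role and purpose."""
    if identifier and not IDENTIFIER_RE.match(identifier):
        raise ValueError(f"invalid secret label identifier {identifier!r}")
    labels = []
    if identifier and purpose in CUSTOM_PURPOSES:
        labels.append(f"{CUSTOM_PREFIX}.{identifier}.{purpose}")
    if (role, purpose) in DEFAULT_PURPOSES:
        labels.append(f"{DEFAULT_PREFIX}.{role}.{purpose}")
    return labels


def resolve(role, purpose, identifier, store):
    """Return (label, aliases, fell_back). fell_back is True when an identifier was set
    but the provider ended up on the default label because the custom one is unmapped."""
    candidates = candidate_labels(role, purpose, identifier)
    for position, label in enumerate(candidates):
        if label in store:
            return label, store[label], bool(identifier) and position > 0
    raise LookupError(f"no secret mapped for {role}/{purpose}; tried {candidates}")


def audit_realm(providers, store):
    """Resolve signing and encryption (plus mtls for SPs) for every provider.
    Returns {(entity_id, purpose): (label, fell_back)}."""
    report = {}
    for provider in providers:
        purposes = ["signing", "encryption"] + (["mtls"] if provider["role"] == "sp" else [])
        for purpose in purposes:
            label, _, fell_back = resolve(provider["role"], purpose, provider.get("identifier"), store)
            report[(provider["entityId"], purpose)] = (label, fell_back)
    return report


# Constructed store: label -> aliases mapped to it. The idp has a custom signing key only;
# the sp's "partnerA" identifier is mapped for basic auth but for nothing else.
STORE = {
    f"{DEFAULT_PREFIX}.idp.signing": ["saml-idp-sign"],
    f"{DEFAULT_PREFIX}.idp.encryption": ["saml-idp-enc"],
    f"{DEFAULT_PREFIX}.sp.signing": ["saml-sp-sign"],
    f"{DEFAULT_PREFIX}.sp.encryption": ["saml-sp-enc"],
    f"{DEFAULT_PREFIX}.sp.mtls": ["saml-sp-mtls"],
    f"{CUSTOM_PREFIX}.mySamlSecrets.signing": ["partner-sign"],
    f"{CUSTOM_PREFIX}.partnerA.basicauth": ["partnerA-artifact-password"],
}
PROVIDERS = [  # constructed
    {"entityId": "https://idp.example.com", "role": "idp", "identifier": "mySamlSecrets"},
    {"entityId": "https://sp.example.com", "role": "sp", "identifier": "partnerA"},
]

if __name__ == "__main__":
    for (entity_id, purpose), (label, fell_back) in audit_realm(PROVIDERS, STORE).items():
        flag = "  <-- identifier set but unmapped, using realm default" if fell_back else ""
        print(f"{entity_id} {purpose}: {label}{flag}")
```

A `fell_back` entry is worth treating as a finding in a configuration review: the provider still works, but with the key every other provider in the realm shares, which is rarely what a per-partner identifier was meant to achieve.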

## Attestation secrets

> **Collapse: Google hardware attestation root certificate**
>
> This table shows the label for the Google hardware attestation root certificate, which is used to increase confidence that the keys used by bound Android devices are valid, have not been revoked, and use hardware-backed security storage.
>
> Refer to [Verifying hardware-backed key pairs with Key Attestation](https://developer.android.com/training/articles/security-key-attestation#root_certificate) in the Android developer documentation.
>
> | Secret label                                | Algorithms  |
> | ------------------------------------------- | ----------- |
> | `am.services.attestation.google.public.key` | RSA / X.509 |

## Encrypted device storage services

> **Collapse: Secret label mappings for encrypted device storage services**
>
> The secret label mappings for services that use encrypted device storage.
>
> These mappings override the encryption keys set in the service configuration.
>
> | Service                                                                                               | Secret label                                   |
> | ----------------------------------------------------------------------------------------------------- | ---------------------------------------------- |
> | [Device ID Service](services-configuration.html#realm-deviceidservice)                                | `am.services.deviceid.encryption`              |
> | [Device Binding Service](services-configuration.html#realm-devicebindingservice)                      | `am.services.devicebinding.encryption`         |
> | [Device Profile Service](services-configuration.html#realm-deviceprofilesservice)                     | `am.services.deviceprofile.encryption`         |
> | [WebAuthn Profile Encryption Service](services-configuration.html#realm-authenticatorwebauthnservice) | `am.services.authenticatorwebauthn.encryption` |
> | [ForgeRock Authentication (OATH) Service](services-configuration.html#realm-authenticatoroathservice) | `am.services.authenticatoroath.encryption`     |
> | [ForgeRock Authentication (PUSH) Service](services-configuration.html#realm-authenticatorpushservice) | `am.services.authenticatorpush.encryption`     |

## Http Client service secrets

> **Collapse: HTTP client mTLS certificates**
>
> The following table shows the secret label mappings for the client certificate and the trusted server certificates used by the [httpclient](../am-scripting/script-bindings.html#common-httpclient) script binding to secure HTTP requests with mTLS.
>
> | Secret label                                                        | Algorithms |
> | ------------------------------------------------------------------- | ---------- |
> | `am.services.httpclient.mtls.clientcert.identifier.secret`(1)       |            |
> | `am.services.httpclient.mtls.servertrustcerts.identifier.secret`(2) |            |
>
> (1) Map the `am.services.httpclient.mtls.clientcert.identifier.secret` dynamic secret label to the certificate to be used by the `httpclient` script binding when making HTTP requests. The identifier is the value of the Client Certificate Secret Label Identifier set in the HTTP Client service configuration.
>
> (2) Map the `am.services.httpclient.mtls.servertrustcerts.identifier.secret` dynamic secret label to the truststore of certificates that verify the server certificate. The identifier is the value of Server Trust Certificate Secret Label Identifier set in the HTTP Client service configuration.

> **Collapse: HTTP client proxy connection**
>
> The following table shows the secret label mappings used by the [httpclient](../am-scripting/script-bindings.html#common-httpclient) script binding to route HTTP requests through a proxy connection.
>
> | Secret label                                        | Algorithms |
> | --------------------------------------------------- | ---------- |
> | `am.services.httpclient.proxy.identifier.secret`(1) |            |
>
> (1) Map the `am.services.httpclient.proxy.identifier.secret` dynamic secret label to the credential the `httpclient` script binding presents to the proxy when routing HTTP requests through it. The identifier is the value of the Proxy Secret Label Identifier set in the HTTP Client service configuration.

## Policy Configuration service secrets

> **Collapse: Certificates for the Policy Configuration service**
>
> This table shows the labels for secrets to encrypt the certificate used to authenticate Policy Configuration service connections:
>
> | Secret label                            | Algorithms                          |
> | --------------------------------------- | ----------------------------------- |
> | `am.services.oauth2.oidc.signing.ES256` | ES256                               |
> | `am.services.oauth2.oidc.signing.ES384` | ES384                               |
> | `am.services.oauth2.oidc.signing.ES512` | ES512                               |
> | `am.services.oauth2.oidc.signing.RSA`   | PS256 PS384 PS512 RS256 RS384 RS512 |
> | `am.services.oauth2.oidc.signing.EDDSA` | EdDSA with SHA-512                  |
>
> For *confidential clients*, if you select an HMAC algorithm for signing ID tokens (`HS256`, `HS384`, or `HS512`), Advanced Identity Cloud uses the Client Secret from the profile instead of an entry from the secret store.

## Push Notification service secrets

> **Collapse: Sign the Push Notification service access key**
>
> This table shows the label for the Amazon Simple Notification Service (SNS) secret access key that the Push Notification service uses to sign its requests to SNS.
>
> The secret label mapping overrides the SNS Access Key Secret set in the service configuration.
>
> | Secret label                                        | Algorithms |
> | --------------------------------------------------- | ---------- |
> | `am.services.pushnotification.sns.accesskey.secret` |            |

## WebAuthn Metadata service secrets

> **Collapse: WebAuthn Metadata**
>
> The [WebAuthn Metadata service](services-configuration.html#webauthn-metadata-service) verifies the signature on the FIDO metadata BLOB against the root certificate mapped to this secret label.
>
> | Secret label                                                           | Algorithms |
> | ---------------------------------------------------------------------- | ---------- |
> | `am.authentication.nodes.webauthn.fidometadataservice.rootcertificate` |            |
