PingOne Advanced Identity Cloud

Secret labels

PingOne Advanced Identity Cloud uses these labels to match secrets for access management signing and encryption with the aliases of the secrets in the secret store.

For instructions on using these secret labels, refer to Use ESVs for signing and encryption keys.

The term secret IDs is being phased out in favor of secret labels, but you might come across instances of secret ID in the documentation and in the UI until the terminology change is complete.

OAuth 2.0 and OpenID Connect provider secrets

Encrypt client-side OAuth 2.0 tokens

This table shows the label for the secret to encrypt client-side access tokens:

| Secret label | Algorithms |
| --- | --- |
| am.services.oauth2.stateless.token.encryption | A128CBC-HS256 |

Sign client-side OAuth 2.0 tokens

This table shows the labels for the secrets to sign client-side access tokens:

| Secret label | Algorithms |
| --- | --- |
| am.services.oauth2.stateless.signing.ES256 | ES256 |
| am.services.oauth2.stateless.signing.ES384 | ES384 |
| am.services.oauth2.stateless.signing.ES512 | ES512 |
| am.services.oauth2.stateless.signing.HMAC | HS256, HS384, HS512 |
| am.services.oauth2.stateless.signing.RSA | PS256, PS384, PS512, RS256, RS384, RS512 |

Authenticate OAuth 2.0 clients

This table shows the secret label mappings used to authenticate OAuth 2.0 clients:

| Secret label | Default alias | Algorithms |
| --- | --- | --- |
| am.applications.oauth2.client.identifier.secret(1) | | |
| am.applications.oauth2.client.identifier.jwt.public.key(2) | | |
| am.applications.oauth2.client.identifier.mtls.trusted.cert(3) | | |
| am.applications.oauth2.client.identifier.id.token.enc.public.key(4) | | |

(1) Map the am.applications.oauth2.client.identifier.secret dynamic secret label to override the OAuth 2.0 client’s Client secret property, where identifier is the value of the Secret Label Identifier set in the client configuration.
(2) Map the am.applications.oauth2.client.identifier.jwt.public.key dynamic secret label to override the OAuth 2.0 client’s Client JWT Bearer Public Key, where identifier is the value of the Secret Label Identifier set in the client configuration.
(3) Map the am.applications.oauth2.client.identifier.mtls.trusted.cert dynamic secret label to override the OAuth 2.0 client’s mTLS Self-Signed Certificate, where identifier is the value of the Secret Label Identifier set in the client configuration.
(4) Map the am.applications.oauth2.client.identifier.id.token.enc.public.key dynamic secret label to override the OAuth 2.0 client’s Client ID Token Public Encryption Key, where identifier is the value of the Secret Label Identifier set in the client configuration.

Secret label mappings for salting hashes

This table shows the secret label for salting hashes in OAuth 2.0 and OIDC flows:

| Secret label | Default alias | Algorithms |
| --- | --- | --- |
| am.services.oauth2.provider.hash.salt.secret | | |

Use this secret label to override Subject Identifier Hash Salt in the provider configuration.

This secret can’t be rotated.

Decrypt OIDC request parameters

This table shows the labels for secrets to decrypt OIDC request parameters:

| Secret label | Algorithms |
| --- | --- |
| am.services.oauth2.oidc.decryption.RSA1.5 | RSA with PKCS#1 v1.5 padding |
| am.services.oauth2.oidc.decryption.RSA.OAEP | RSA with OAEP with SHA-1 and MGF-1 |
| am.services.oauth2.oidc.decryption.RSA.OAEP.256 | RSA with OAEP with SHA-256 and MGF-1 |

For confidential clients, if you select an AES algorithm (A128KW, A192KW, or A256KW) or the direct encryption algorithm (dir), PingOne Advanced Identity Cloud uses the Client Secret from the profile, not an entry from the secret store.

The following use the Client Secret:

  • Signing ID tokens with an HMAC algorithm

  • Encrypting ID tokens with AES or direct encryption

  • Encrypting parameters with AES or direct encryption

Store only one secret in the Client Secret field.

For details about encryption options, refer to the OIDC specification.

Sign OIDC tokens

This table shows the labels for secrets to sign OIDC tokens and backchannel logout tokens:

| Secret label | Algorithms(1) |
| --- | --- |
| am.services.oauth2.oidc.signing.ES256 | ES256 |
| am.services.oauth2.oidc.signing.ES384 | ES384 |
| am.services.oauth2.oidc.signing.ES512 | ES512 |
| am.services.oauth2.oidc.signing.RSA | PS256, PS384, PS512, RS256, RS384, RS512 |
| am.services.oauth2.oidc.signing.EDDSA | EdDSA with SHA-512 |

For confidential clients, if you select an HMAC algorithm for signing ID tokens (HS256, HS384, or HS512), PingOne Advanced Identity Cloud uses the Client Secret from the profile instead of an entry from the secret store.

CA certificates for mTLS client authentication

This table shows the label of the trusted CA certificate for mTLS client authentication:

| Secret label | Algorithms |
| --- | --- |
| am.services.oauth2.tls.client.cert.authentication | |

Social identity client secrets

Decrypt ID tokens

This table shows the label for the secret to decrypt ID tokens and userinfo endpoint JWTs when PingOne Advanced Identity Cloud acts as a relying party (RP) of the social identity provider service:

| Secret label | Algorithms |
| --- | --- |
| am.services.oauth2.oidc.rp.idtoken.encryption | Consult the .well-known endpoint of the identity provider. |

The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.

For details, refer to Social authentication.

Sign JWTs and objects

This table shows the label for the secret to sign JWTs and objects when PingOne Advanced Identity Cloud acts as a relying party (RP) of the social identity provider service:

| Secret label | Algorithms |
| --- | --- |
| am.services.oauth2.oidc.rp.jwt.authenticity.signing | Consult the .well-known endpoint of the identity provider. |

The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.

For details, refer to Social authentication.

Certificates for mTLS client authentication

This table shows the label of the trusted CA or self-signed certificate for mTLS client authentication when PingOne Advanced Identity Cloud acts as a relying party (RP) of the social identity provider service:

| Secret label | Algorithms |
| --- | --- |
| am.services.oauth2.tls.client.cert.authentication | Consult the .well-known endpoint of the identity provider. |

The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.

For details, refer to Social authentication.

Web and Java agent secrets

Sign agent JWTs

This table shows the label for the secret to sign the JWTs issued to Web and Java agents:

| Secret label | Algorithms |
| --- | --- |
| am.global.services.oauth2.oidc.agent.idtoken.signing | RS256, RS384, RS512 |

Authentication secrets

Secure journey state data

This table shows the label for the secret to encrypt sensitive data in the secure state of an authentication journey:

| Secret label | Algorithms |
| --- | --- |
| am.authn.trees.transientstate.encryption | AES 256-bit |

SAML 2.0 secrets

Sign SAML 2.0 metadata

This table shows the label for the secret to sign SAML 2.0 metadata:

| Secret label | Algorithms |
| --- | --- |
| am.services.saml2.metadata.signing.RSA | RSA SHA-256 |

SAML v2.0 signing and encryption

The following table shows the secret label mappings used to sign and encrypt SAML v2.0 elements, and to enable mTLS authentication between entity providers:

| Secret label | Default alias | Algorithms |
| --- | --- | --- |
| am.default.applications.federation.entity.providers.saml2.idp.encryption | test | RSA with PKCS#1 v1.5 padding, RSA with OAEP |
| am.default.applications.federation.entity.providers.saml2.idp.signing | rsajwtsigningkey | RSA SHA-1(1), ECDSA SHA-256, ECDSA SHA-384, ECDSA SHA-512, RSA SHA-256, RSA SHA-384, RSA SHA-512, DSA SHA-256 |
| am.default.applications.federation.entity.providers.saml2.sp.encryption | test | RSA with PKCS#1 v1.5 padding, RSA with OAEP |
| am.default.applications.federation.entity.providers.saml2.sp.signing | rsajwtsigningkey | RSA SHA-1(1), ECDSA SHA-256, ECDSA SHA-384, ECDSA SHA-512, RSA SHA-256, RSA SHA-384, RSA SHA-512, DSA SHA-256 |
| am.default.applications.federation.entity.providers.saml2.sp.mtls(2) | | |
| am.applications.federation.entity.providers.saml2.identifier.basicauth(3) | | |

(1) This algorithm is for compatibility purposes only. Avoid its use.

(2) For artifact resolution requests only, the SP uses the certificates mapped to this secret label for mTLS authentication to the remote IDP. These certificates are exported with <KeyDescriptor use="signing"> in the SP metadata.

(3) The SP uses the certificate mapped to this secret label for basic authentication. If you set a Secret Label Identifier, and PingOne Advanced Identity Cloud finds a mapping to am.applications.federation.entity.providers.saml2.identifier.basicauth, PingOne Advanced Identity Cloud uses this secret and ignores the value of the Password field. For basic authentication, there is no default secret label for the realm, or globally.

You can specify a custom Secret Label Identifier for each SAML v2.0 entity provider in a realm. PingOne Advanced Identity Cloud generates new secret labels that can be unique to the provider, or shared by multiple providers.

For example, you could add a custom secret label identifier named mySamlSecrets to a hosted identity provider. PingOne Advanced Identity Cloud then dynamically creates the following secret labels, which the hosted identity provider uses for signing and encryption:

  • am.applications.federation.entity.providers.saml2.mySamlSecrets.signing

  • am.applications.federation.entity.providers.saml2.mySamlSecrets.encryption

PingOne Advanced Identity Cloud attempts to look up the secrets with the custom secret label identifier. If unsuccessful, PingOne Advanced Identity Cloud looks up the secrets using the default secret labels.
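
The lookup order described above can be modelled offline to find providers whose custom identifier is only partly mapped and therefore resolves to a default label. This is an added example, not PingOne code: the mapping dictionary, the function names, the provider name and the my-saml-signing-key alias are hypothetical, and it assumes the fallback happens separately for each secret.

```python
# Added example: models the lookup order described above. The mapping dict and
# function names are hypothetical, not a PingOne Advanced Identity Cloud API.
CUSTOM = "am.applications.federation.entity.providers.saml2"
DEFAULT = "am.default.applications.federation.entity.providers.saml2"

def candidate_labels(role, purpose, identifier=None):
    """Labels in lookup order: custom identifier first (if set), then default."""
    if role not in ("idp", "sp") or purpose not in ("signing", "encryption"):
        raise ValueError(f"unsupported role/purpose: {role}/{purpose}")
    labels = [f"{CUSTOM}.{identifier}.{purpose}"] if identifier else []
    labels.append(f"{DEFAULT}.{role}.{purpose}")
    return labels

def resolve(mappings, role, purpose, identifier=None):
    """Return (label, alias, fell_back) for the first label that has a mapping."""
    for label in candidate_labels(role, purpose, identifier):
        alias = mappings.get(label)
        if alias:
            # Assumption: fallback is evaluated per secret, not per provider.
            fell_back = bool(identifier) and label.startswith(DEFAULT)
            return label, alias, fell_back
    return None, None, bool(identifier)

def audit(providers, mappings):
    """Report every secret that does not resolve to the provider's own label."""
    findings = []
    for name, role, identifier in providers:
        for purpose in ("signing", "encryption"):
            label, alias, fell_back = resolve(mappings, role, purpose, identifier)
            if label is None:
                findings.append((name, purpose, "unmapped", None))
            elif fell_back:
                findings.append((name, purpose, "default-fallback", alias))
    return findings

# Constructed sample: mySamlSecrets has a signing mapping but no encryption one.
SAMPLE_MAPPINGS = {
    f"{CUSTOM}.mySamlSecrets.signing": "my-saml-signing-key",  # constructed alias
    f"{DEFAULT}.idp.signing": "rsajwtsigningkey",  # default alias from the table
    f"{DEFAULT}.idp.encryption": "test",           # default alias from the table
}
SAMPLE_PROVIDERS = [("hosted-idp", "idp", "mySamlSecrets")]  # constructed provider

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROVIDERS, SAMPLE_MAPPINGS):
        print(finding)
```

With the constructed sample, signing resolves to the mySamlSecrets label, while encryption is reported as falling back to the default label and its test alias.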

Attestation secrets

Google hardware attestation root certificate

This table shows the label for the Google hardware attestation root certificate, which is used to increase confidence that the keys used by bound Android devices are valid, have not been revoked, and use hardware-backed security storage.

Refer to Verifying hardware-backed key pairs with Key Attestation in the Android developer documentation.

| Secret label | Algorithms |
| --- | --- |
| am.services.attestation.google.public.key | RSA / X.509 |

Http Client service secrets

HTTP client mTLS certificates

The following table shows the secret label mappings for CA certificates used by the httpclient script binding to secure HTTP requests.

| Secret label | Default alias | Algorithms |
| --- | --- | --- |
| am.services.httpclient.mtls.clientcert.identifier.secret(1) | | |
| am.services.httpclient.mtls.servertrustcerts.identifier.secret(2) | | |

(1) Map the am.services.httpclient.mtls.clientcert.identifier.secret dynamic secret label to the certificate to be used by the httpclient script binding when making HTTP requests. The identifier is the value of the Client Certificate Secret Label Identifier set in the HTTP Client service configuration.

(2) Map the am.services.httpclient.mtls.servertrustcerts.identifier.secret dynamic secret label to the truststore of certificates that verify the server certificate. The identifier is the value of Server Trust Certificate Secret Label Identifier set in the HTTP Client service configuration.

Policy Configuration service secrets

Certificates for the Policy Configuration service

This table shows the labels for secrets to encrypt the certificate used to authenticate Policy Configuration service connections:

| Secret label | Algorithms(1) |
| --- | --- |
| am.services.oauth2.oidc.signing.ES256 | |
| am.services.oauth2.oidc.signing.ES384 | ES384 |
| am.services.oauth2.oidc.signing.ES512 | ES512 |
| am.services.oauth2.oidc.signing.RSA | PS256, PS384, PS512, RS256, RS384, RS512 |
| am.services.oauth2.oidc.signing.EDDSA | EdDSA with SHA-512 |

For confidential clients, if you select an HMAC algorithm for signing ID tokens (HS256, HS384, or HS512), PingOne Advanced Identity Cloud uses the Client Secret from the profile instead of an entry from the secret store.

Push Notification service secrets

Sign the Push Notification service access key

This table shows the label for secrets to sign the Amazon Simple Notification Service access key used by the Push Notification service.

The secret label mapping overrides the SNS Access Key Secret set in the service configuration.

| Secret label | Algorithms |
| --- | --- |
| am.services.pushnotification.sns.accesskey.secret | |