PingOne Advanced Identity Cloud

Reference

This reference is for access management designers, developers, and administrators.

Name changes for ForgeRock products

Product names changed when ForgeRock became part of Ping Identity. Learn more in New name for ForgeRock Identity Cloud.

Configure services

You can configure services globally or per realm. Global services affect all realms in PingOne Advanced Identity Cloud. Realm services affect only the realm in which they’re configured.

Global services

Under Native Consoles > Access Management > Configure > Global Services, locate the CORS Service and the Dashboard service.

These services affect all realms in PingOne Advanced Identity Cloud.

CORS Service

Configuration

The following settings appear on the Configuration tab:

Enable the CORS filter

If disable, no CORS headers will be added to responses.

Default value: true

Secondary Configurations

This service has the following Secondary Configurations.

configuration
Enable the CORS filter

If disable, no CORS headers will be added to responses.

Default value: false

Accepted Origins

The set of accepted origins.

Accepted Methods

The set of (non-simple) accepted methods, included in the pre-flight response in the header Access-Control-Allow-Methods.

Accepted Headers

The set of (non-simple) accepted headers, included in the pre-flight response in the header Access-Control-Allow-Headers.

Exposed Headers

The set of headers to transmit in the header Access-Control-Expose-Headers.

Max Age

The max age (in seconds) for caching, included in the pre-flight response in the header Access-Control-Max-Age.

Default value: 0

Allow Credentials

Whether to transmit the Access-Control-Allow-Credentials: true header in the response.

Default value: false

Dashboard

Realm Defaults

The following settings appear on the Realm Defaults tab:

Available Dashboard Apps

List of application dashboard names available by default for realms with the Dashboard service configured.

Secondary Configurations

This service has the following Secondary Configurations.

instances
Dashboard Class Name

Identifies how to access the application, for example SAML2ApplicationClass for a SAML 2.0 application.

Dashboard Name

The application name as it will appear to the administrator for configuring the dashboard.

Dashboard Display Name

The application name that displays on the dashboard client.

Dashboard Icon

The icon name that will be displayed on the dashboard client identifying the application.

Dashboard Login

The URL that takes the user to the application.

ICF Identifier

Identifier used by the ForgeRock Identity Connector Framework (ICF).

Realm services

Under Native Consoles > Access Management > Realms > Realm Name > Services, you can enable, remove, or configure services for individual realms.

Android Key Attestation Service

The following settings are available in this service:

Cache duration (hours)

The number of hours to cache the certificate revocation status list and Google hardware attestation root certificate.

Defaults to one day (24).

Specify 0 to prevent caching.

Certificate revocation status list URL

The URL to retrieve the certificate revocation status list (CRL).

Keys are checked against the revocation status list to ensure they have not been revoked or suspended.

Keys can be revoked for a number of reasons, including mishandling or suspected extraction by an attacker.

Defaults to https://android.googleapis.com/attestation/status - a list maintained by Google.

Google hardware attestation root certificate URL

The URL for retrieving the Google hardware attestation root certificates.

Refer to Verifying hardware-backed key pairs with Key Attestation in the Android developer documentation.

If you do not provide a URL, you must map the certificate using the secret label am.services.attestation.google.public.key.

For more information, refer to Use ESVs for signing and encryption keys.

Base URL Source

The following settings are available in this service:

Base URL Source

Specifies how the base URL is generated.

The following values are supported:

  • Extension class (EXTENSION_CLASS). The extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter org.forgerock.openam.services.baseurl.BaseURLProvider.

  • Fixed value (FIXED_VALUE). The base URL is retrieved from the value specified in the Fixed value base URL field.

  • Forwarded header (FORWARDED_HEADER). The base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in RFC7239.

  • Host/protocol from incoming request (REQUEST_VALUES). The hostname, server name, and port are retrieved from the incoming HTTP request.

  • X-Forwarded-* headers (X_FORWARDED_HEADERS). The base URL is retrieved from non-standard header fields, such as X-Forwarded-For, X-Forwarded-By, X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port.

    If the X-Forwarded-Proto header is not provided, the server uses a fallback scheme, based on the URI of the request.

    If multiple X-Forwarded-Host headers are specified, the outermost proxy host is used.

Default value: REQUEST_VALUES

Device Binding service

The following settings are available in this service:

Device Binding Attribute

The user’s attribute in which to store bound device data.

PingOne Advanced Identity Cloud must be able to write to the attribute.

Default value: boundDevices

Device Binding Encryption Scheme

Encryption scheme to use to secure device binding data stored on the server.

PingOne Advanced Identity Cloud encrypts the data for each bound device using a unique random secret key with the selected AES encryption standard in CBC mode with PKCS#5 padding. An HMAC-SHA of the selected strength (truncated to half-size) protects the integrity and authenticity of the encryption. PingOne Advanced Identity Cloud encrypts the unique random key with the given RSA key pair and stores it with the bound device data.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings (value: NONE)

Default value: NONE

Encryption Key Store

Path to the key store from which to load encryption keys.

This property is preconfigured in your PingOne Advanced Identity Cloud tenant and should not be altered.

Default value: /path/to/openam/security/keystores/keystore.jks

Key Store Type

Type of key store to load.

This property is preconfigured in your PingOne Advanced Identity Cloud tenant and should not be altered.

Default value: JKS

Key Store Password

Password to unlock the key store. This password is encrypted when it is saved in the PingOne Advanced Identity Cloud configuration. You should modify the default value.

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt bound device data.

Private Key Password

Password to unlock the private key.

Device Profiles Service

The following settings are available in this service:

Profile Storage Attribute

The user’s attribute in which to store Device profiles.

Device Profile Encryption Scheme

Encryption scheme to use to secure device profiles stored on the server.

If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.

AES-256 may require installation of the JCE Unlimited Strength policy files.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (Value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (Value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings. (Value: NONE)

Encryption Key Store

Path to the key store from which to load encryption keys.

Updating this setting is currently not supported in Advanced Identity Cloud. Changing its value may lead to a loss of functionality in this feature.

The configuration will be migrated in the future to support customization of keys using ESVs. For more information, please contact your ForgeRock representative.

Key Store Type

Type of key store to load.

Refer to the JDK 8 PKCS#11 Reference Guide for more details.

The possible values for this property are:

  • Label: Java Key Store (JKS). (Value: JKS)

  • Label: Java Cryptography Extension Key Store (JCEKS). (Value: JCEKS)

  • Label: PKCS#11 Hardware Crypto Storage. (Value: PKCS11)

  • Label: PKCS#12 Key Store. (Value: PKCS12)

Key Store Password

Password to unlock the key store. This password is encrypted when it is saved in the PingOne Advanced Identity Cloud configuration.

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.

Private Key Password

Password to unlock the private key.

Email Service

The Email Service is not currently used in PingOne Advanced Identity Cloud.

The following settings are available in this service:

Email From Address

Specifies the address from which to send email notifications.

For example, you might set this property to: no-reply@example.com

For Microsoft Graph API transport configurations, this must exist as a valid address in the Microsoft Exchange administration center.

Email Attribute Name

Specifies the profile attribute from which to retrieve the end user’s email address.

Default value: mail

Email Subject

Specifies a subject for notification messages. If you do not set this, PingOne Advanced Identity Cloud does not set the subject for notification messages.

Email Content

Specifies content for notification messages. If you do not set this, PingOne Advanced Identity Cloud includes only the confirmation URL in the mail body.

Email Rate Limit

Specifies the minimum number of seconds that must elapse between sending emails to an individual user.

Default value: 1

Transport Type

The mail server transport type to use. This value must be set to one of the secondary configurations.

Secondary configurations

This service has the following secondary configurations.

Microsoft Graph API
Email Message Implementation Class

Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.

Default value: org.forgerock.openam.services.email.rest.MicrosoftRestMailServer

Email Rest Endpoint URL

Specifies the REST endpoint for sending emails, in the format https://graph.microsoft.com/v1.0/users/USER ID/sendMail.

Refer to the sendMail API reference for details.

OAuth2 Token Endpoint URL

Specifies the endpoint for OAuth 2.0 authentication, in the format https://login.microsoftonline.com/TENANT ID/oauth2/v2.0/token.

OAuth2 Client Id

Specifies the client ID for use in OAuth 2.0 authentication.

This is the client ID or application ID provided by the Microsoft Application Registration portal.

OAuth2 Scopes

Specifies the scopes to request as part of the OAuth 2.0 authentication.

The value supported by Microsoft Graph API is https://graph.microsoft.com/.default.

SMTP
Email Message Implementation Class

Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.

Mail Server Host Name

Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.

For example, you might set this property to: smtp.example.com

Mail Server Host Port

Specifies the port number for the SMTP mail server.

Mail Server Authentication Username

Specifies the username for the SMTP mail server.

For example, you might set this property to: username

Mail Server Authentication Password

Specifies the password for the SMTP username.

Mail Server Secure Connection

Specifies whether to connect to the SMTP mail server using SSL.

The possible values for this property are:

  • SSL

  • Non SSL

  • Start TLS

ForgeRock Authenticator (OATH) Service

The following settings are available in this service:

Profile Storage Attribute

Attribute for storing ForgeRock Authenticator OATH profiles.

Device Profile Encryption Scheme

Encryption scheme for securing device profiles stored on the server.

If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.

AES-256 may require installation of the JCE Unlimited Strength policy files.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (Value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (Value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings. (Value: NONE)

Encryption Key Store

Path to the key store from which to load encryption keys.

Updating this setting is currently not supported in Advanced Identity Cloud. Changing its value may lead to a loss of functionality in this feature.

The configuration will be migrated in the future to support customization of keys using ESVs. For more information, please contact your ForgeRock representative.

Key Store Type

Type of encryption key store.

Refer to the JDK 8 PKCS#11 Reference Guide for more details.

The possible values for this property are:

  • Label: Java Key Store (JKS). (Value: JKS)

  • Label: Java Cryptography Extension Key Store (JCEKS). (Value: JCEKS)

  • Label: PKCS#11 Hardware Crypto Storage. (Value: PKCS11)

  • Label: PKCS#12 Key Store. (Value: PKCS12)

Key Store Password

Password to unlock the key store. This password will be encrypted.

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.

Private Key Password

Password to unlock the private key.

ForgeRock Authenticator (OATH) Device Skippable Attribute Name

The data store attribute that holds the user’s decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.

ForgeRock Authenticator (Push) Service

The following settings are available in this service:

Profile Storage Attribute

The user’s attribute in which to store Push Notification profiles.

Device Profile Encryption Scheme

Encryption scheme to use to secure device profiles stored on the server.

If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.

AES-256 may require installation of the JCE Unlimited Strength policy files.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (Value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (Value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings. (Value: NONE)

Encryption Key Store

Path to the key store from which to load encryption keys.

Updating this setting is currently not supported in Advanced Identity Cloud. Changing its value may lead to a loss of functionality in this feature.

The configuration will be migrated in the future to support customization of keys using ESVs. For more information, please contact your ForgeRock representative.

Key Store Type

Type of key store to load.

Refer to the JDK 8 PKCS#11 Reference Guide for more details.

The possible values for this property are:

  • Label: Java Key Store (JKS). (Value: JKS)

  • Label: Java Cryptography Extension Key Store (JCEKS). (Value: JCEKS)

  • Label: PKCS#11 Hardware Crypto Storage. (Value: PKCS11)

  • Label: PKCS#12 Key Store. (Value: PKCS12)

Key Store Password

Password to unlock the key store. This password is encrypted when it is saved in the PingOne Advanced Identity Cloud configuration.

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.

Private Key Password

Password to unlock the private key.

ForgeRock Authenticator (Push) Device Skippable Attribute Name

Name of the attribute on a user’s profile used to store their selection of whether to skip ForgeRock Authenticator (Push) 2FA modules.

Globalization Settings

The following settings are available in this service:

Auto Generated Common Name Format

Use this list to configure how PingOne Advanced Identity Cloud formats names shown in the console banner.

This setting lets you customize the name of the authenticated user shown in the UI, based on the user’s locale.

Identity Assertion service

Configuration

The following settings appear on the Configuration tab:

Enable

Enables the Identity Assertion service that lets PingOne Advanced Identity Cloud use ${ig.abbr} to manage authentication through a third party such as WDSSO or Kerberos.

When enabled, the servers defined in the secondary configuration become available as options in the Identity Assertion node configuration.

Server cache duration (minutes)

Supports caching of identity assertion server configurations. A value greater than 0 indicates the duration in minutes that the server configurations are cached. A value of 0 disables caching.

Secondary configurations

This service has the following secondary configurations.

Identity Assertion server URL

The identity assertion server URL, for example, https://ig.example.com:8448. Don’t include the route in this URL because you define the route when you configure the Identity Assertion node.

Shared Encryption Secret

PingOne Advanced Identity Cloud uses this identifier to create a specific secret label, using the template am.services.identityassertion.service.identifier.shared.secret where identifier is the value of Shared Encryption Secret.

The identifier can only contain alphanumeric characters a-z, A-Z, 0-9, and periods (.). It can’t start or end with a period.

The secret is shared by PingOne Advanced Identity Cloud and ${ig.abbr} to encrypt the assertion request JWT sent to ${ig.abbr} and then decrypt the result JWT.

Learn about mapping secrets in Map ESV secrets to secret labels.

JWT TTL (seconds)

The identity assertion request JWT time-to-live duration in seconds. This is the period until the JWT sent to the gateway expires.

Skew Allowance (seconds)

The time difference skew allowance to use when validating the assertion result JWT’s issued-at and expiry claims. This is to address time differences between the ${ig.abbr} host and the AM hosts.

IoT Service

The following settings are available in this service:

Create OAuth 2.0 Client

Create an OAuth 2.0 Client with the given name and default configuration required to serve as the client for the IoT Service. The client will be created without any scope(s).

OAuth 2.0 Client Name

The name of the default OAuth 2.0 Client used by the IoT Service to request access tokens for things.

Create OAuth 2.0 JWT Issuer

Create a Trusted JWT Issuer with the given name and default configuration required for the IoT Service to act as the Issuer when handling request for thing access tokens.

OAuth 2.0 JWT Issuer Name

The name of the Trusted JWT Issuer used by the IoT Service to request access tokens for things.

OAuth 2.0 Subject Attribute

The name of the identity store attribute from which to read the OAuth 2.0 subject value. The subject is used in access tokens issued for things. This allows the thing’s access token subject to have a value other than the thing’s ID, which is the value used by default.

Readable Attributes

Specifies the list of attributes that a thing is allowed to request from its identity.

OAuth 2.0 provider

Core

The following settings appear on the Core tab:

Use Client-Side Access & Refresh Tokens

When enabled, PingOne Advanced Identity Cloud issues access and refresh tokens that can be inspected by resource servers.

You can override this setting for individual clients. To access client application settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

Use Macaroon Access and Refresh Tokens

When enabled, AM will issue access and refresh tokens as Macaroons with caveats.

Authorization Code Lifetime (seconds)

The time an authorization code is valid for, in seconds.

Refresh Token Lifetime (seconds)

The time in seconds a refresh token is valid for. If this field is set to -1, the refresh token will never expire.

Access Token Lifetime (seconds)

The time an access token is valid for, in seconds. Note that if you set the value to 0, the access token will not be valid. A maximum lifetime of 600 seconds is recommended.

Issue Refresh Tokens

Whether to issue a refresh token when returning an access token.

You can override this setting for individual clients. To access client application settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

Issue Refresh Tokens on Refreshing Access Tokens

Whether to issue a refresh token when refreshing an access token.

You can override this setting for individual clients. To access client application settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

Use Policy Engine for Scope decisions

With this setting enabled, the policy engine is consulted for each scope value that is requested.

Scope decisions are made in the following way when based on the policy engine:

  • If a policy returns an action of GRANT=true, the scope is consented automatically, and the user is not consulted in a user-interaction flow.

  • If a policy returns an action of GRANT=false, the scope is not added to any resulting token, and the user will not refer to it in a user-interaction flow.

  • If no policy returns a value for the GRANT action:

    • For user-facing grant types, such as the authorization or device code flows, the user is asked for consent or saved consent is used.

    • For grant types that are not user-facing, such as those using password or client credentials, the scope is not added to any resulting token.

You can override this setting for individual clients. To access client application settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

Scopes Policy Set

The policy set that defines the context in which policy evaluations occur when Use Policy Engine for Scope decisions is enabled on the OAuth 2.0 provider. Leave this field blank, or set it to oauth2Scopes to use the default policy set.

You can override this setting for individual clients. To access client application settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

Default value: [Empty]

OAuth2 Access Token May Act Script

The script that is executed when issuing an access token explicitly to modify the may_act claim placed on the token.

You can override this setting for individual clients. To access client application settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

The possible values for this property are:

  • c735de08-f8f2-4e69-aa4a-2d8d3d438323. OAuth2 May Act Script

  • [Empty]. --- Select a script ---

OIDC ID Token May Act Script

The script that is executed when issuing an OIDC ID Token explicitly to modify the may_act claim placed on the token.

You can override this setting for individual clients. To access client application settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

The possible values for this property are:

  • c735de08-f8f2-4e69-aa4a-2d8d3d438323. OAuth2 May Act Script

  • [Empty]. --- Select a script ---

Advanced

The following settings appear on the Advanced tab:

Custom Login URL Template

Custom URL for handling login, to override the default PingOne Advanced Identity Cloud login page.

Supports Freemarker syntax, with the following variables:

Variable

Description

gotoUrl

The URL to redirect to after login.

acrValues

The Authentication Context Class Reference (acr) values for the authorization request.

realm

The PingOne Advanced Identity Cloud realm the authorization request was made on.

service

The name of the authentication journey requested to perform resource owner authentication.

locale

A space-separated list of locales, ordered by preference.

The following example template redirects users to a custom page to handle login. This page redirects to the /oauth2/authorize endpoint with any required parameters:

http://mylogin.com/login?goto=${goto}<#if acrValues??>&acr_values=${acrValues}</#if><#if realm??>&realm=${realm}</#if><#if module??>&module=${module}</#if><#if service??>&service=${service}</#if><#if locale??>&locale=${locale}</#if>

The default PingOne Advanced Identity Cloud login page is constructed using "Base URL Source" service.

You can override this setting for individual clients. To access client application settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

Scope Implementation Class

The class that contains the required scope implementation, must implement the org.forgerock.oauth2.core.ScopeValidator interface.

You can override this setting for individual clients. To access client application settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

Additional Audience Values

The additional audience values that will be permitted when verifying Client Authentication JWTs.

These audience values will be in addition to the AS base, issuer and endpoint URIs.

User Profile Attribute(s) the Resource Owner is Authenticated On

Names of profile attributes that resource owners use to log in. You can add others to the default, for example mail.

User Display Name attribute

The profile attribute that contains the name to be displayed for the user on the consent page.

Client Registration Scope Allowlist

The set of scopes allowed when registering clients dynamically, with translations.

Scopes may be entered as simple strings or pipe-separated strings representing the internal scope name, locale, and localized description.

For example: read|en|Permission to view email messages in your account

Locale strings are in the format: language_country_variant, for example en, en_GB, or en_US_WIN.

If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.

If the description is also omitted, nothing is displayed on the consent page for the scope. For example specifying read| would allow the scope read to be used by the client, but would not display it to the user on the consent page when requested.

Subject Types supported

List of subject types supported. Valid values are:

  • public - Each client receives the same subject (sub) value.

  • pairwise - Each client receives a different subject (sub) value, to prevent correlation between clients.

Default Client Scopes

List of scopes a client is granted if they request registration without specifying the scopes they want. Default scopes are NOT granted automatically to clients created through the UI.

OAuth2 Token Signing Algorithm

Algorithm used to sign client-side OAuth 2.0 tokens in order to detect tampering.

PingOne Advanced Identity Cloud supports the signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

The possible values for this property are:

  • HS256

  • HS384

  • HS512

  • RS256

  • RS384

  • RS512

  • ES256

  • ES384

  • ES512

  • PS256

  • PS384

  • PS512

Client-Side Token Compression

Whether client-side access and refresh tokens should be compressed.

Encrypt Client-Side Tokens

Whether client-side access and refresh tokens should be encrypted.

Enabling token encryption will disable token signing as encryption is performed using direct symmetric encryption.

You can override this setting for individual clients. To access client application settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

Subject Identifier Hash Salt

If pairwise subject types are supported, it is STRONGLY RECOMMENDED to change this value. It is used in the salting of hashes for returning specific sub claims to individuals using the same request_uri or sector_identifier_uri.

If you map am.services.oauth2.provider.hash.salt.secret to a secret in a secret store, PingOne Advanced Identity Cloud ignores this value.

Learn more about secret labels in OAuth 2.0 and OpenID Connect provider secrets.

Code Verifier Parameter Required

If enabled, requests using the authorization code grant or device flow require a code_challenge attribute to comply with the PKCE standard.

For more information, read the PKCE specification.

Note that if a client specifies a code_challenge parameter in the authorization request, PKCE is enabled regardless of the value of this attribute.

The possible values for this property are:

  • true. All requests

  • public. Requests from all public clients

  • passwordless. Requests from all passwordless public clients

  • false. No requests

Modified Timestamp Attribute Name

The identity Data Store attribute used to return modified timestamp values.

This attribute is paired together with the Created Timestamp Attribute Name attribute (createdTimestampAttribute). You can leave both attributes unset (default) or set them both. If you set only one attribute and leave the other blank, the access token fails with a 500 error.

For example, when you configure PingOne Advanced Identity Cloud as an OIDC Provider in a Mobile Connect application, the client accesses the userinfo endpoint to obtain the updated_at claim value in the ID token. The updated_at claim gets its value from the modifiedTimestampAttribute attribute in the user profile. If the profile has never been modified, the updated_at claim uses the createdTimestampAttribute attribute.

Created Timestamp Attribute Name

The identity Data Store attribute used to return created timestamp values.

Password Grant Authentication Service

The journey used to authenticate the username and password for the Resource owner password credentials grant.

The list of possible values for this property reflects the list of configured authentication journeys.

Don’t change the default value (PasswordGrant) unless you have configured a suitable replacement journey.

Enable Auth Module Messages for Password Credentials Grant

If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.

The Password Grant Type requires the grant_type=password parameter.

Grant Types

The set of Grant Types (OAuth 2.0 flows) this client can use.

If you don’t set any Grant Types here, the client can’t use any OAuth 2.0 flows.

Trusted TLS Client Certificate Header

HTTP Header to receive TLS client certificates when TLS is terminated at a proxy.

Leave blank if not terminating TLS at a proxy. Configure the proxy to strip this header from incoming requests. Best practice is to use a random string.

TLS Client Certificate Header Format

Format of the HTTP header used to communicate a client certificate from a reverse proxy.

The following formats are supported:

  • URLENCODED_PEM - a URL-encoded PEM format certificate. This is the format used by Nginx.

  • X_FORWARDED_CLIENT_CERT - the X-Forwarded-Client-Certformat used by Envoy and Istio.

The possible values for this property are:

  • URLENCODED_PEM

  • X_FORWARDED_CLIENT_CERT

Support TLS Certificate-Bound Access Tokens

Whether to bind access tokens to the client certificate when using TLS client certificate authentication.

Check TLS Certificate Revocation Status

Whether to check if TLS client certificates have been revoked.

If enabled then AM will check if TLS client certificates used for client authentication have been revoked using either OCSP (preferred) or CRL. AM implements "soft fail" semantics: if the revocation status cannot be established due to a temporary error (e.g., network error) then the certificate is assumed to still be valid.

OCSP Responder URI

URI of the OCSP responder service to use for checking certificate revocation status.

If specified this value overrides any OCSP or CRL mechanisms specified in individual certificates.

OCSP Responder Certificate

PEM-encoded certificate to use to verify OCSP responses.

If specified this certificate will be used to verify the signature on all OCSP responses. Otherwise the appropriate certificate will be determined from the trusted CA certificates.

Macaroon Token Format

The format to use when serializing and parsing Macaroons. V1 is bulky and should only be used when compatibility with older Macaroon libraries is required.

The possible values for this property are:

  • V1

  • V2

Require exp claim in Request Object

If enabled, the exp claim must be included in JWT request objects specified at /oauth2/authorize or /oauth2/par.

The exp (expiration time) claim defines the lifetime of the JWT, after which the JWT is no longer valid.

To comply with the FAPI security profile, this setting must be enabled.

Default value: false

Require nbf claim in Request Object

If enabled, the nbf claim must be included in JWT request objects specified at /oauth2/authorize or /oauth2/par.

The nbf (not before) claim defines the earliest time that the JWT can be accepted for processing.

To comply with the FAPI security profile, this setting must be enabled.

Default value: false

Max nbf and exp difference

The maximum permitted difference, in minutes, between the nbf and exp claims, as defined in the request object JWT.

A value of 0 indicates that there is no maximum time requirement.

If set to a value greater than 0, and either nbf or exp is not defined, the JWT is validated successfully, providing the claims are not required.

If set to a value greater than 0, and both claims are present, the JWT is validated accordingly, even when not required.

To comply with the FAPI security profile, this setting must be 60 (minutes) or less.

Default value: 0

Max nbf age

The maximum permitted age, in minutes, of the nbf claim.

A value of 0 indicates that there is no maximum time requirement.

If set to a value greater than 0, and nbf is neither required nor specified, the JWT is validated successfully.

If set to a value greater than 0, and nbf is present, the JWT is validated accordingly, even when not required.

To comply with the FAPI security profile, this setting must be 60 (minutes) or less.

Default value: 0

Request Object Processing Specification

For OIDC requests only, this setting determines which specification is used to validate request object JWTs.

For example, the following OIDC request specifies a request object JWT and could be validated either according to the JAR specification or as a standard OIDC request:

/authorize?client_id=myClient&request={JWT with scope=openid, response_type=id_token}

OAuth 2.0 requests that do not fall into this category, such as PAR or non-OIDC JWT requests, are processed according to the JAR specification, regardless of the value of this setting.

The possible values are:

This table summarizes the differences between the rules that need to be adhered to in each case.

Table 1. Specification Rules
OIDC specification JAR specification

Request object

May be unsigned.

Must be JWS signed, and optionally, JWE encrypted.

Authorization request parameters

Assembles parameters from both the request object and the query parameters.

If duplicates exist, the request object parameter takes precedence.

Assembles parameters from the request object ONLY.

Duplicates that are defined as query parameters are ignored.

Required request parameters

  • client_id

  • response_type

  • scope, including openid scope value

  • client_id (must match the client ID specified in the request itself)

  • request OR request_uri

Default value: OIDC

PAR Request URI Lifetime (seconds)

The length of time that the PAR Request URI is valid, in seconds.

It is strongly recommended to set this value to a short interval; for example, between 5 and 150 seconds. Setting this attribute to a higher value increases the load on the CTS, and may even result in denial of service if the requests are large and consume the available storage capacity.

For information about the PAR flow, refer to Authorization code grant with PAR.

Default value: 90

Require Pushed Authorization Requests

If enabled, clients must use the PAR endpoint to initiate authorization requests, otherwise PingOne Advanced Identity Cloud returns an error indicating a missing or invalid request object.

This applies to all clients, including clients that aren’t configured to require PAR.

You can also set this independently for individual clients under Native Consoles > Access Management. Go to Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

Default value: false

Refresh Token Grace Period (seconds)

The time, in seconds, that a refresh token can be reused. This grace period lets OAuth 2.0 clients recover seamlessly, if the response from an original refresh token request is not received, because of a network problem or other transient issue. During the grace period, the refresh token can be reused multiple times, if the network problem persists. When the grace period ends, the refresh token is revoked.

The refresh token grace period applies only to server-side tokens, in a one-to-one storage scheme.

Having a long grace period poses a security risk. You should therefore keep the grace period as small as possible. By default, the grace period can’t exceed 120 seconds.

There is no grace period by default, so the default value is 0.

Allow Client Credentials in Token Endpoint Query Parameters

When this setting is true, you can include client credentials in token endpoint requests as query parameters.

Previously, you could supply client credentials (the client_id and client_secret) as query parameters in POST requests to the /oauth2/access_token endpoint. This is now prohibited by default and you must include the credentials within the POST request body.

The Allow Client Credentials in Token Endpoint Query Parameters setting controls this behavior. For security reasons, ForgeRock recommends you keep this property disabled to prevent client credentials from being included as query parameters.

If you set this property to true to support existing scripts and clients, you should update your scripts and clients as soon as possible then set the property back to false.

Default value: false

Include subname claim in tokens issued by the OAuth2 Provider

When this setting is true, Advanced Identity Cloud adds the subname claim to access tokens and ID tokens by default.

The value of the subname claim is the name of the token’s subject, for example, demo, or myOAuth2Client.

Default value: true

Client Dynamic Registration

The following settings appear on the Client Dynamic Registration tab:

Require Software Statement for Dynamic Client Registration

When enabled, a software statement JWT containing at least the iss (issuer) claim must be provided when registering an OAuth 2.0 client dynamically.

Required Software Statement Attested Attributes

The client attributes that must be present in the software statement JWT when registering an OAuth 2.0 client dynamically. Applies only if you enable Require Software Statements for Dynamic Client Registration.

Leave blank to allow any attributes to be present.

Allow Open Dynamic Client Registration

Allow clients to register without an access token. If enabled, consider adding some form of rate limiting. For details, refer to Client Registration in the OIDC specification.

Generate Registration Access Tokens

Whether to generate Registration Access Tokens for clients that register by using open dynamic client registration. Such tokens let the client access the Client Configuration Endpoint as per the OpenID Connect specification. This setting has no effect if Allow Open Dynamic Client Registration is disabled.

Scope to give access to dynamic client registration

Mandatory scope required when registering a new OAuth2 client.

OpenID Connect

The following settings appear on the OpenID Connect tab:

Overrideable Id_Token Claims

List of claims in the ID token that can be overridden in the OIDC claims script. These should be the subset of the core OIDC claims, such as aud or azp.

You can override this setting for individual clients. To access client application settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

ID Token Signing Algorithms supported

Algorithms supported to sign OIDC id_tokens.

PingOne Advanced Identity Cloud supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

  • RS384 - RSASSA-PKCS-v1_5 using SHA-384.

  • RS512 - RSASSA-PKCS-v1_5 using SHA-512.

  • PS256 - RSASSA-PSS using SHA-256.

  • PS384 - RSASSA-PSS using SHA-384.

  • PS512 - RSASSA-PSS using SHA-512.

ID Token Encryption Algorithms supported

Encryption algorithms supported to encrypt OIDC ID tokens to hide their contents.

PingOne Advanced Identity Cloud supports the following ID token encryption algorithms:

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

ID Token Encryption Methods supported

Encryption methods supported to encrypt OpenID Connect ID tokens in order to hide its contents.

PingOne Advanced Identity Cloud supports the following ID token encryption algorithms:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

Supported Claims

Set of claims supported by the OIDC /oauth2/userinfo endpoint, with translations.

Claims may be entered as simple strings or pipe separated strings representing the internal claim name, locale, and localized description.

For example: name|en|Your full name..

Locale strings are in the format: language + "" + country + "" + variant, for example en, en_GB, or en_US_WIN. If the locale and pipe is omitted, the description is displayed to all users that have undefined locales.

If the description is also omitted, nothing is displayed on the consent page for the claim. For example specifying family_name| would allow the claim family_name to be used by the client, but would not display it to the user on the consent page when requested.

OpenID Connect JWT Token Lifetime (seconds)

The amount of time the JWT will be valid for, in seconds.

OIDC Provider Discovery

Turns on and off OIDC Discovery endpoint.

Advanced OpenID Connect

The following settings appear on the Advanced OpenID Connect tab:

Remote JSON Web Key URL

The Remote URL where the provider’s JSON Web Key can be retrieved.

If this setting is not configured, PingOne Advanced Identity Cloud provides a local URL to access the public key of the private key used to sign ID tokens.

Idtokeninfo Endpoint Requires Client Authentication

When enabled, the /oauth2/idtokeninfo endpoint requires client authentication if the signing algorithm is set to HS256, HS384, or HS512.

Enable "claims_parameter_supported"

If enabled, clients will be able to request individual claims using the claims request parameter, as per section 5.5 of the OpenID Connect specification.

OpenID Connect acr_values to Auth Mapping

Maps OIDC ACR values to authentication journeys. For details, refer to the acr_values parameter in the OIDC authentication request specification.

Do not configure more than one ACR mapping to the same authentication journey. Doing so can result in misrepresentation of the ACR information in the issued ID token.
Default ACR values

Default requested Authentication Context Class Reference values.

List of strings that specifies the default acr values that the OP is being requested to use for processing requests from this Client, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value in the issued ID Token. The acr Claim is requested as a Voluntary Claim by this parameter. The acr_values_supported discovery element contains a list of the acr values supported by this server. Values specified in the acr_values request parameter or an individual acr Claim request override these default values.

OpenID Connect id_token amr Values to Auth Module Mappings

Specify the amr values returned in the OIDC id_token. When authentication completes, the journey that was used is mapped to the amr value. If you do not require amr values or are not providing OIDC tokens, leave this field blank.

Always Return Claims in ID Tokens

If enabled, include scope-derived claims in the id_token, even if an access token is also returned that could provide access to get the claims from the userinfo endpoint.

If not enabled, if an access token is requested the client must use it to access the userinfo endpoint for scope-derived claims, as they will not be included in the ID token.

Enable Session Management

If this is disabled, OIDC session management related-endpoints are disabled. When enabled PingOne Advanced Identity Cloud stores ops tokens corresponding to OIDC sessions in the CTS store and an OIDC session ID in the session.

Request Parameter Signing Algorithms Supported

Algorithms supported to verify signature of Request parameter. PingOne Advanced Identity Cloud supports signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

Request Parameter Encryption Algorithms Supported

Encryption algorithms supported to decrypt Request parameter.

PingOne Advanced Identity Cloud supports the following ID token encryption algorithms:

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

Request Parameter Encryption Methods Supported

Encryption methods supported to decrypt Request parameter.

PingOne Advanced Identity Cloud supports the following Request parameter encryption algorithms:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

Supported Token Endpoint JWS Signing Algorithms.

Supported JWS Signing Algorithms for 'private_key_jwt' JWT based authentication method.

Authorized OIDC SSO Clients

Clients authorized to use OpenID Connect ID tokens as SSO Tokens.

Allows clients to act with the full authority of the user. Grant this permission only to trusted clients.

UserInfo Signing Algorithms Supported

Algorithms supported to verify signature of the UserInfo endpoint. PingOne Advanced Identity Cloud supports the signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

UserInfo Encryption Algorithms Supported

Encryption algorithms supported by the UserInfo endpoint.

PingOne Advanced Identity Cloud supports the following UserInfo endpoint encryption algorithms:

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

UserInfo Encryption Methods Supported

Encryption methods supported by the UserInfo endpoint.

PingOne Advanced Identity Cloud supports the following UserInfo endpoint encryption methods:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

Token Introspection Response Signing Algorithms Supported

Algorithms that are supported for signing the Token Introspection endpoint JWT response.

PingOne Advanced Identity Cloud supports the signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

  • RS384 - RSASSA-PKCS-v1_5 using SHA-384.

  • RS512 - RSASSA-PKCS-v1_5 using SHA-512.

  • EdDSA - EdDSA with SHA-512.

Token Introspection Response Encryption Algorithms Supported

Encryption algorithms supported by the Token Introspection endpoint JWT response.

PingOne Advanced Identity Cloud supports the following UserInfo endpoint encryption algorithms:

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

Token Introspection Response Encryption Methods Supported

Encryption methods supported by the Token Introspection endpoint JWT response.

PingOne Advanced Identity Cloud supports the following encryption methods:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

Authorization Response Signing Algorithms Supported

Algorithms supported for signing the /oauth2/authorize endpoint JWT response.

PingOne Advanced Identity Cloud supports the signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256

  • HS384 - HMAC with SHA-384

  • HS512 - HMAC with SHA-512

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256

  • RS384 - RSASSA-PKCS1-v1_5 using SHA-384

  • RS512 - RSASSA-PKCS1-v1_5 using SHA-512

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve

  • PS256 - RSASSA-PSS using SHA-256 and MGF1 with SHA-256

  • PS384 - RSASSA-PSS using SHA-384 and MGF1 with SHA-384

  • PS512 - RSASSA-PSS using SHA-512 and MGF1 with SHA-512

Default value:

PS384
ES384
RS384
HS256
HS512
ES256
RS256
HS384
ES512
PS256
PS512
RS512
Authorization Response Encryption Algorithms Supported

Algorithms supported for encrypting the /oauth2/authorize JWT response.

PingOne Advanced Identity Cloud supports the following Token Introspection endpoint encryption algorithms:

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

  • ECDH-ES - Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF.

  • ECDH-ES+A128KW - ECDH-ES using Concat KDF and CEK wrapped with A128KW.

  • ECDH-ES+A192KW - ECDH-ES using Concat KDF and CEK wrapped with A192KW.

  • ECDH-ES+A256KW - ECDH-ES using Concat KDF and CEK wrapped with A256KW.

Default value:

ECDH-ES+A256KW
ECDH-ES+A192KW
RSA-OAEP
ECDH-ES+A128KW
RSA-OAEP-256
A128KW
A256KW
ECDH-ES
dir
A192KW
Authorization Response Encryption Methods Supported

Methods supported for encrypting the /oauth2/authorize JWT response.

PingOne Advanced Identity Cloud supports the following encryption methods:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

Default value:

A256GCM
A192GCM
A128GCM
A128CBC-HS256
A192CBC-HS384
A256CBC-HS512
Include all kty and alg combinations in jwks_uri

By default only distinct kid entries are returned in the jwks_uri and the alg property is not included. Enabling this flag will result in duplicate kid entries, each one specifying a different kty and alg combination. RFC7517 distinct key KIDs

Device Flow

The following settings appear on the Device Flow tab:

Verification URL

The URL that the user will be instructed to visit to complete their OAuth 2.0 login and consent when using the device code flow.

Device Completion URL

The URL that the user will be sent to on completion of their OAuth 2.0 login and consent when using the device code flow.

Device Code Lifetime (seconds)

The lifetime of the device code, in seconds.

Device Polling Interval

The polling frequency for devices waiting for tokens when using the device code flow.

User Code Character Length

The number of characters in the generated user code.

Default value: 8

User Code Character Set

The set of characters to be used to generate a user code.

Consider limitations of low resolution mobile devices when defining a character set. For example, the OAuth 2.0 Device Grant specification recommends removing characters that can be easily confused, such as "0" and "O" or "1", "l" and "I". Refer to RFC 8628 for further examples.

Default value: 234567ACDEFGHJKLMNPQRSTWXYZabcdefhijkmnopqrstwxyz

The following settings appear on the Consent tab:

Saved Consent Attribute Name

Name of a multi-valued attribute on resource owner profiles where PingOne Advanced Identity Cloud can save authorization consent decisions.

When the resource owner chooses to save the decision to authorize access for a client application, PingOne Advanced Identity Cloud updates the resource owner’s profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.

Allow Clients to Skip Consent

If enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.

You can override this setting for individual clients. To access client application settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

Enable Remote Consent

Enables consent to be gathered by a separate service.

You can override this setting for individual clients. To access client application settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

Remote Consent Service ID

The ID of an existing remote consent service agent.

You can override this setting for individual clients. To access client application settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

The possible values for this property are:

  • [Empty]

Remote Consent Service Request Signing Algorithms Supported

Algorithms supported to sign consent_request JWTs for Remote Consent Services.

PingOne Advanced Identity Cloud supports the signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

Remote Consent Service Request Encryption Algorithms Supported

Encryption algorithms supported to encrypt Remote Consent Service requests.

PingOne Advanced Identity Cloud supports the following encryption algorithms:

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

Remote Consent Service Request Encryption Methods Supported

Encryption methods supported to encrypt Remote Consent Service requests.

PingOne Advanced Identity Cloud supports the following encryption methods:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

Remote Consent Service Response Signing Algorithms Supported

Algorithms supported to verify signed consent_response JWT from Remote Consent Services.

PingOne Advanced Identity Cloud supports the signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • HS256 - HMAC with SHA-256.

  • HS384 - HMAC with SHA-384.

  • HS512 - HMAC with SHA-512.

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • ES384 - ECDSA with SHA-384 and NIST standard P-384 elliptic curve.

  • ES512 - ECDSA with SHA-512 and NIST standard P-521 elliptic curve.

  • RS256 - RSASSA-PKCS-v1_5 using SHA-256.

Remote Consent Service Response Encryption Algorithms Supported

Encryption algorithms supported to decrypt Remote Consent Service responses.

PingOne Advanced Identity Cloud supports the following encryption algorithms:

  • RSA1_5 - RSA with PKCS#1 v1.5 padding.

  • RSA-OAEP - RSA with Optimal Asymmetric Encryption Padding (OAEP) with SHA-1 and MGF-1.

  • RSA-OAEP-256 - RSA with OAEP with SHA-256 and MGF-1.

  • A128KW - AES Key Wrapping with 128-bit key derived from the client secret.

  • A192KW - AES Key Wrapping with 192-bit key derived from the client secret.

  • A256KW - AES Key Wrapping with 256-bit key derived from the client secret.

  • dir - Direct encryption with AES using the hashed client secret.

Remote Consent Service Response Encryption Methods Supported

Encryption methods supported to decrypt Remote Consent Service responses.

PingOne Advanced Identity Cloud supports the following encryption methods:

  • A128GCM, A192GCM, and A256GCM - AES in Galois Counter Mode (GCM) authenticated encryption mode.

  • A128CBC-HS256, A192CBC-HS384, and A256CBC-HS512 - AES encryption in CBC mode, with HMAC-SHA-2 for integrity.

CIBA

The following settings appear on the CIBA tab:

Back Channel Authentication ID Lifetime (seconds)

The time back channel authentication request id is valid for, in seconds.

Polling Wait Interval (seconds)

The minimum amount of time in seconds that the Client should wait between polling requests to the token endpoint

Signing Algorithms Supported

Algorithms supported to sign the CIBA request parameter.

PingOne Advanced Identity Cloud supports the signing algorithms listed in JSON Web Algorithms (JWA): "alg" (Algorithm) Header Parameter Values for JWS:

  • ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.

  • PS256 - RSASSA-PSS using SHA-256.

Plugins

The Plugins settings are used to configure the following supported OAuth2 plugin extension points:

Each plugin is configured using three different attributes:

  • Plugin Type:

    This value can be either SCRIPTED to run a custom script, or JAVA for a custom implementation class.

  • Script:

    The script that is run for SCRIPTED plugin types.

  • Implementation Class:

    The class that is invoked for JAVA plugin types. The class must implement the appropriate Java interface in the org.forgerock.oauth2.core.plugins package for the plugin.

    You can override this setting for individual clients. To access client application settings, go to Native Consoles > Access Management > Realms > Realm Name > Applications > OAuth 2.0 > Clients > Client ID.

The following settings appear on the Plugins tab:

Access Token Modification Plugin Type

Default value: SCRIPTED

Access Token Modification Script

This script is run when issuing an access token. The script lets you modify the token, for example, by altering the data fields, before it is persisted or returned to the client.

The script is run if Access Token Modification Plugin Type is set to SCRIPTED.

Refer to Access tokens.

Default value: Alpha OAuth2 Access Token Modification Script

Access Token Modifier Plugin Implementation Class

The Java class that provides the custom implementation for the access token modifier plugin interface, org.forgerock.oauth2.core.plugins.AccessTokenModifier. This class is invoked when Access Token Modification Plugin Type is set to JAVA.

Default value: org.forgerock.openam.oauth2.OpenAMScopeValidator

OIDC Claims Plugin Type

Default value: SCRIPTED

OIDC Claims Script

This script is run when issuing an ID token or during a request to the /userinfo OpenID Connect endpoint. Use this script to retrieve claim values based on an issued access token.

The script is run if OIDC Claims Plugin Type is set to SCRIPTED.

Default value: Alpha OIDC Claims Script

OIDC Claims Plugin Implementation Class

The Java class that provides the custom implementation for the OIDC claims plugin interface, org.forgerock.oauth2.core.plugins.UserInfoClaimsPlugin. This class is invoked when OIDC Claims Plugin Type is set to JAVA.

Default value: org.forgerock.openam.oauth2.OpenAMScopeValidator

Scope Evaluation Plugin Type

Default value: JAVA

Scope Evaluation Script

This script retrieves and evaluates the scope information for an OAuth2 access token.

The script lets you populate the scopes with profile attribute values. For example, if one of the scopes is mail, PingOne Advanced Identity Cloud sets mail to the resource owner’s email address in the token information returned.

Default value: --- Select a script ---

Scope Evaluation Plugin Implementation Class

The Java class that provides the custom implementation for the evaluate scope plugin interface: org.forgerock.oauth2.core.plugins.ScopeEvaluator.

Default value: org.forgerock.openam.oauth2.OpenAMScopeValidator

Scope Validation Plugin Type

Default value: JAVA

Scope Validation Script

This script validates and customizes the set of requested scopes for authorize, access token, refresh token, and backchannel authorize requests.

Default value: --- Select a script ---

Scope Validation Plugin Implementation Class

The Java class that provides the custom implementation for the evaluate scope plugin interface: org.forgerock.oauth2.core.plugins.ScopeValidator.

Default value: org.forgerock.openam.oauth2.OpenAMScopeValidator

Authorize Endpoint Data Provider Plugin Type

Default value: JAVA

Authorize Endpoint Data Provider Script

Use this script to retrieve additional data from an authorization request, such as data from the user’s session or from an external service.

Default value: --- Select a script ---

Authorize Endpoint Data Provider Plugin Implementation Class

The Java class that provides the custom implementation for the authorize endpoint data provider plugin interface: org.forgerock.oauth2.core.plugins.AuthorizeEndpointDataProvider.

Default value: org.forgerock.openam.oauth2.OpenAMScopeValidator

Access Token Enricher Plugin Implementation Class

The class that provides the custom implementation for the access token enricher plugin interface.

The access token enricher plugin interface is deprecated and will be removed in a future release.

Default value: org.forgerock.openam.oauth2.OpenAMScopeValidator

OneSpan Configuration

The following settings are available in this service:

OneSpan IAA user name

OneSpan IAA user name

OneSpan IAA Environment

OneSpan IAA Environment

The possible values for this property are:

  • sdb

  • prod

Application Reference

A descriptive value for the integrated application

PingOne Worker service

Configuration

The following settings appear on the Configuration tab:

Enabled

Enables the service.

Secondary Configurations

This service has the following Secondary Configurations:

Client ID

Client ID of the worker application in PingOne.

Client Secret Label Identifier

Identifier that PingOne Advanced Identity Cloud uses to create a specific secret label for the client secret of the worker application.

The secret label uses the template am.services.pingone.worker.identifier.clientsecret where identifier is the Client Secret Label Identifier value.

This field can only contain characters a-z, A-Z, 0-9, and . and can’t start or end with a period.

For information on how to map the client secret to the secret label, refer to Map ESV secrets to secret labels.

Environment ID

The environment that contains the worker application in PingOne.

PingOne API Server URL

The regional base URL of the PingOne API server.

Enter one of the following:

  • https://api.pingone.com/v1 - for the North America region (excluding Canada)

  • https://api.pingone.ca/v1 - for the Canada region

  • https://api.pingone.eu/v1 - for the European Union region

  • https://api.pingone.asia/v1 - for the Asia-Pacific region

Default: https://api.pingone.com/v1

PingOne Authorization Server URL

The regional base URL for the PingOne authorization server.

Enter one of the following:

  • https://auth.pingone.com - for the North America region (excluding Canada)

  • https://auth.pingone.ca - for the Canada region

  • https://auth.pingone.eu - for the European Union region

  • https://auth.pingone.asia - for the Asia-Pacific region

Default: https://auth.pingone.com

Policy Configuration

The following settings are available in this service:

Primary LDAP Server

Configuration directory server host:port that PingOne Advanced Identity Cloud searches for policy information.

Format: local PingOne Advanced Identity Cloud server name | hostname:port

Multiple entries must be prefixed by local server name. Make sure to place the multiple entries on a single line and separate the hostname:port URLs with a space.

For example, openam.example.com|opendj.example.com:1389 opendj.example.com:2389

Default value:

userstore-1.userstore:1389
userstore-0.userstore:1389
userstore-2.userstore:1389
LDAP Users Base DN

Base DN for LDAP Users subject searches.

Default value: ou=identities

LDAP Bind DN

Bind DN to connect to the directory server for policy information.

If you enable mTLS, PingOne Advanced Identity Cloud ignores this property.

Default value: &{am.stores.user.username}

LDAP Bind Password

Bind password to connect to the directory server for policy information.

If you enable mTLS, PingOne Advanced Identity Cloud ignores this property.

Default value:

{
    "$string": "&{am.stores.user.password}"
}
LDAP Organization Search Filter

Search filter to match organization entries.

Default value: (objectclass=sunismanagedorganization)

LDAP Users Search Filter

Search filter to match user entries.

Default value: (objectclass=inetorgperson)

LDAP Users Search Scope

Search scope to find user entries.

The possible values for this property are:

  • SCOPE_BASE

  • SCOPE_ONE

  • SCOPE_SUB

Default value: SCOPE_SUB

LDAP Users Search Attribute

Naming attribute for user entries.

Default value: uid

Maximum Results Returned from Search

Search limit for LDAP searches.

Default value: 100

Search Timeout

Time after which PingOne Advanced Identity Cloud returns an error for an incomplete search, in seconds.

Default value: 5

LDAP SSL/TLS

If enabled, PingOne Advanced Identity Cloud connects securely to the directory server. This requires that you install the directory server certificate.

Default value:

{
    "$bool": "&{am.stores.ssl.enabled}"
}
LDAP Connection Pool Minimum Size

Minimum number of connections in the pool.

Default value: 1

LDAP Connection Pool Maximum Size

Maximum number of connections in the pool.

Default value: 10

Heartbeat Interval

Specifies how often should PingOne Advanced Identity Cloud send a heartbeat request to the directory.

Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won’t become idle.

Default value: 10

Heartbeat Unit

Defines the time unit corresponding to the Heartbeat Interval setting.

Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won’t become idle.

The possible values for this property are:

  • Label: second (Value: SECONDS)

  • Label: minute (Value: MINUTES)

  • Label: hour (Value: HOURS)

Default value: SECONDS

Subjects Result Time to Live

Maximum time that PingOne Advanced Identity Cloud caches a subject result for evaluating policy requests, in minutes. A value of 0 prevents PingOne Advanced Identity Cloud from caching subject evaluations for policy decisions.

Default value: 10

User Alias

If enabled, PingOne Advanced Identity Cloud can evaluate policy for remote users aliased to local users.

Default value: false

Check resources exist when Resource Server is updated

Check all registered resources exist when updating the Resource Server.

When enabled, the Policy Set checks registered Resource Types one by one against the configuration store. Consider disabling this option if you have many Resource Types registered to a Policy Set.

Default value: true

mTLS Enabled

Enables mutual TLS (mTLS) authentication between PingOne Advanced Identity Cloud and this data store.

When you enable mTLS, you must also:

  • Enable LDAP SSL/TLS.

  • Map the secret label am.policy.configuration.serice.mtls.cert to the alias you want to use for mTLS authentication to this store.

PingOne Advanced Identity Cloud ignores the LDAP Bind DN and LDAP Bind Password when you enable mTLS.

Push Notification Service

The following settings are available in this service:

SNS Access Key ID

Amazon Simple Notification Service Access Key ID. For more information, refer to Create an AWS (Push Auth) Credential in the ForgeRock Knowledge Base.

For example, you might set this property to: AKIAIOSFODNN7EXAMPLE

SNS Access Key Secret

Amazon Simple Notification Service Access Key Secret. For more information, refer to Create an AWS (Push Auth) Credential in the ForgeRock Knowledge Base.

For greater security, you can store this secret in the realm secret store.

Map the secret to the secret label am.services.pushnotification.sns.accesskey.secret.

If a secret is mapped to this secret label, PingOne Advanced Identity Cloud uses that secret and ignores the value of the SNS Access Key Secret property.

If a secret is mapped to this secret label and PingOne Advanced Identity Cloud can’t locate the secret, it falls back to the value of the SNS Access Key Secret property.

SNS Endpoint for APNS

The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages to the Apple Push Notification Service (APNS).

For example, you might set this property to: arn:aws:sns:us-east-1:1234567890:app/APNS/production

SNS Endpoint for GCM

The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages over Google Cloud Messaging (GCM).

For example, you might set this property to: arn:aws:sns:us-east-1:1234567890:app/GCM/production

SNS Client Region

Region of your registered Amazon Simple Notification Service client. For more information, refer to https://docs.aws.amazon.com/general/latest/gr/rande.html.

The possible values for this property are:

  • us-gov-west-1

  • us-east-1

  • us-west-1

  • us-west-2

  • eu-west-1

  • eu-central-1

  • ap-southeast-1

  • ap-southeast-2

  • ap-northeast-1

  • ap-northeast-2

  • sa-east-1

  • n-north-1

Message Transport Delegate Factory

The fully qualified class name of the factory responsible for creating the PushNotificationDelegate. The class must implement org.forgerock.openam.services.push.PushNotificationDelegate.

Response Cache Duration

The minimum lifetime to keep unanswered message records in the message dispatcher cache, in seconds. To keep unanswered message records indefinitely, set this property to 0.Should be tuned so that it is applicable to the use case of this service. For example, the ForgeRock Authenticator (Push) authentication module has a default timeout of 120 seconds.

Response Cache Concurrency

Level of concurrency to use when accessing the message dispatcher cache. Must be greater than 0. Choose a value to accommodate as many threads as will ever concurrently access the message dispatcher cache.

Response Cache Size

Maximum size of the message dispatcher cache, in number of records. If set to 0 the cache can grow indefinitely. If the number of records that need to be stored exceeds this maximum, then older items in the cache will be removed to make space.

Remote Consent Service

The following settings are available in this service:

Client Name

The name used to identify this OAuth 2.0 remote consent service when referencedin other services.

Authorization Server jwk_uri

The jwk_uri for retrieving the authorization server signing and encryption keys.

JWK Store Cache Timeout (in minutes)

The cache timeout for the JWK store of the authorization server, in minutes.

JWK Store Cache Miss Cache Time (in minutes)

The length of time a cache miss is cached, in minutes.

Consent Response Time Limit (in minutes)

The time limit set on the consent response JWT before it expires, in minutes.

Self Service Trees

Realm Attributes

The following settings appear on the Realm Attributes tab:

Enabled

Enable the service.

Tree Mapping

The following settings appear in the Tree Mapping pane:

resetPassword

Map the default journey to use for resetting passwords.

updatePassword

Map the default journey to use for updating passwords.

forgottenUsername

Map the default journey to use to retrieve forgotten usernames.

registration

Map the default journey to use when registering a new account.

Session

Dynamic Attributes

The following settings appear on the Dynamic Attributes tab:

Maximum Session Time

Maximum time a session can remain valid before PingOne Advanced Identity Cloud requires the user to authenticate again, in minutes.

Default value: 120

Maximum Idle Time

Maximum time a server-side session can remain idle before PingOne Advanced Identity Cloud requires the user to authenticate again, in minutes.

Default value: 30

Maximum Caching Time

Maximum time that external clients of AM are recommended to cache the session for, in minutes.

Default value: 3

Active User Sessions

Maximum number of concurrent server-side sessions PingOne Advanced Identity Cloud allows a user to have.

Default value: 5

Session Property Whitelist Service

The following settings are available in this service:

Allowlisted Session Property Names

A list of properties that users may read, edit the value of, or delete from their session.

Adding properties to sessions can affect PingOne Advanced Identity Cloud’s performance because there is no size constraint limiting the set of properties you can add to sessions and no limit on the number of session properties you can add.

Protected attributes cannot be set, edited, or deleted, even if they are included in this allowlist.
Session Properties to return for session queries

A list of session properties that can be returned to admins in a REST session query response.

This setting may impact REST query performance - when session properties are added, the CTS token must be retrieved, and will be the subject of decryption and decompression, if configured.

Protected attributes will NOT be allowed to be set, edited or deleted, even if they are included in this list.

Social Authentication Implementations

Realm Attributes

The following settings appear on the Realm Attributes tab:

Enabled Implementations

Provide a key that has been used to define the settings above to enable that set of settings.

For example: google

Display Names

The display names for the implementations - this will be used to provide a name for the icon displayed on the login page. The key should be used across all the settings on this page to join them together.

For example:

Key

Value

google

Google

Authentication Chains

The name of the authentication chains that are the entry points to being authenticated by each respective social authentication provider. The key should correspond to a key used to define a Display Name above.

For example:

Key

Value

google

socialAuthChainGoogle

Icons

Either a full URL or a path relative to the base of the site/server where the image can be found. The image will be used on the login page to link to the authentication chain defined above. The key should correspond to a key used to define a Display Name above.

For example:

Key

Value

google

/images/google-sign-in.png

Social Identity Provider Service

Configuration

The following settings appear on the Configuration tab:

Enabled

Enable the service.

Secondary Configurations

This service has the following Secondary Configurations.

instagramConfig
Enabled

Enable the service.

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: id

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

Authentication Endpoint URL

OAuth authentication endpoint URL.

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://api.instagram.com/oauth/authorize/.

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://api.instagram.com/oauth/access_token.

User Profile Service URL

User profile information URL.

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://graph.instagram.com/me?fields=id,username.

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

For example, you might set this property to: https://graph.instagram.com/debug_token.

Redirect URL
Redirect after form post URL

Specify URL to redirect the form post parameters to.

Scope Delimiter

The delimiter used by an auth server to separate scopes.

OAuth Scopes

List of user profile properties

According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: user_profile

Client Authentication Method

Field used to define how the client would be identified by the social provider.

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

googleConfig
Enabled

Enable the service.

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: sub

Authentication Endpoint URL

OAuth authentication endpoint URL.

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://accounts.google.com/o/oauth2/v2/auth

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://www.googleapis.com/oauth2/v4/token

User Profile Service URL

User profile information URL.

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://www.googleapis.com/oauth2/v3/userinfo

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

Redirect URL
Redirect after form post URL

Specify URL to redirect the form post parameters to.

Scope Delimiter

The delimiter used by an auth server to separate scopes.

OAuth Scopes

List of user profile properties

According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: openid, profile, email

Client Authentication Method

Field used to define how the client would be identified by the social provider.

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Request Parameter JWT Option

Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters.Choose NONE to specify that Request Parameter JWTs are not used.

Encrypt Request Parameter JWT

Enable the option to send an encrypted request parameter JWT.

ACR Values

Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.

Well Known Endpoint

The endpoint for retrieving a list of OAuth/OIDC endpoints.

For example, you might set this property to: https://accounts.google.com/.well-known/openid-configuration

Request Object Audience

The intended audience of the request object. If unspecified, the issuer value will be used.

OP Encrypts ID Tokens

Whether the OP encrypts ID Tokens. Will determine which resolver to use.

Issuer

The Issuer of OIDC ID Tokens.

For example, you might set this property to: https://accounts.google.com

Enable Native Nonce

When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request.

User Info Response Format

The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

oauth2Config
Enabled

Enable the service.

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: sub

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

Authentication Endpoint URL

OAuth authentication endpoint URL.

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

User Profile Service URL

User profile information URL.

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

Redirect URL
Redirect after form post URL

Specify URL to redirect the form post parameters to.

Scope Delimiter

The delimiter used by an auth server to separate scopes.

OAuth Scopes

List of user profile properties

According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

Client Authentication Method

Field used to define how the client would be identified by the social provider.

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

appleConfig
Enabled

Enable the service.

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: sub

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://appleid.apple.com/auth/authorize

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://appleid.apple.com/auth/token

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

Redirect URL
Redirect after form post URL

Specify URL to redirect the form post parameters to.

Scope Delimiter

The delimiter used by an auth server to separate scopes.

OAuth Scopes

List of user profile properties

According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

Client Authentication Method

Field used to define how the client would be identified by the social provider.

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Request Parameter JWT Option

Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters.Choose NONE to specify that Request Parameter JWTs are not used.

Encrypt Request Parameter JWT

Enable the option to send an encrypted request parameter JWT.

ACR Values

Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.

Well Known Endpoint

The endpoint for retrieving a list of OAuth/OIDC endpoints.

Request Object Audience

The intended audience of the request object. If unspecified, the issuer value will be used.

OP Encrypts ID Tokens

Whether the OP encrypts ID Tokens. Will determine which resolver to use.

Issuer

The Issuer of OIDC ID Tokens.

Enable Native Nonce

When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request.

User Info Response Format

The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

itsmeConfig
Enabled

Enable the service.

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: sub

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://idp.prd.itsme.services/v2/authorization

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://idp.prd.itsme.services/v2/token

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://idp.prd.itsme.services/v2/userinfo

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

Redirect URL
Redirect after form post URL

Specify URL to redirect the form post parameters to.

Scope Delimiter

The delimiter used by an auth server to separate scopes.

OAuth Scopes

List of user profile properties

According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: openid, profile, email

Client Authentication Method

Field used to define how the client would be identified by the social provider.

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

Request Parameter JWT Option

Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters.Choose NONE to specify that Request Parameter JWTs are not used.

Default value: NONE

Encrypt Request Parameter JWT

Enable the option to send an encrypted request parameter JWT.

Default value: true

ACR Values

Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.

Well Known Endpoint

The endpoint for retrieving a list of OAuth/OIDC endpoints.

For example, you might set this property to: https://idp.prd.itsme.services/v2/.well-known/openid-configuration

Request Object Audience

The intended audience of the request object. If unspecified, the issuer value will be used.

For example, you might set this property to: https://idp.prd.itsme.services/v2/authorization

OP Encrypts ID Tokens

Whether the OP encrypts ID Tokens. Will determine which resolver to use.

Default value: true

Issuer

The Issuer of OIDC ID Tokens.

For example, you might set this property to: https://idp.prd.itsme.services/v2

Enable Native Nonce

When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request. Enabled by default.

Default value: true

User Info Response Format

The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.

Default value: SIGNED_THEN_ENCRYPTED_JWT

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

For example, you might set this property to: https://idp.prd.itsme.services/v2/jwkSet

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

Default value: RS256

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

Default value: RSA-OAEP

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Default value: AES_128_CBC_HMAC_SHA_256

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 3d97c436-42c0-4dd0-a571-ea6f34f752b3

amazonConfig
Enabled

Default value: true

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: user_id

Default value: user_id

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://www.amazon.com/ap/oa

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://api.amazon.com/auth/o2/token

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://api.amazon.com/user/profile

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

Redirect URL
Redirect after form post URL

Specify URL to redirect the form post parameters to.

Scope Delimiter

The delimiter used by an auth server to separate scopes.

OAuth Scopes

List of user profile properties.

According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: profile

Default value: profile

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating.

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 6b3cfd48-62d3-48ff-a96f-fe8f3a22ab30

facebookConfig
Enabled

Default value: true

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: id

Default value: id

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

Authentication Endpoint URL

OAuth authentication endpoint URL.

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://www.facebook.com/dialog/oauth

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://graph.facebook.com/v2.7/oauth/access_token

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

For example, you might set this property to: https://graph.facebook.com/debug_token

Redirect URL
Redirect after form post URL

Specify URL to redirect the form post parameters to.

Scope Delimiter

The delimiter used by an auth server to separate scopes.

OAuth Scopes

List of user profile properties

According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: email, user_birthday

Default value:

email
user_birthday
Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: bae1d54a-e97d-4997-aa5d-c027f21af82c

weChatConfig
Enabled

Default value: true

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: openid

Default value: openid

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://open.weixin.qq.com/connect/qrconnect

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://api.wechat.com/sns/oauth2/access_token

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://api.wechat.com/sns/userinfo

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

Redirect URL
Redirect after form post URL

Specify URL to redirect the form post parameters to.

Scope Delimiter

The delimiter used by an auth server to separate scopes.

OAuth Scopes

List of user profile properties

According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: snsapi_login

Default value: snsapi_login

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

Refresh Token Endpoint

The endpoint for obtaining a refresh token.

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 472534ec-a25f-468d-a606-3fb1935190df

yahooConfig
Enabled

Default value: true

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: sub

Default value: sub

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://api.login.yahoo.com/oauth2/request_auth

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://api.login.yahoo.com/oauth2/get_token

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL This is the URL endpoint for access token validation using the OAuth Identity Provider.Refer to the RFC 7662 (https://www.rfc-editor.org/info/rfc7662).

Redirect URL
Redirect after form post URL

Specify URL to redirect the form post parameters to.

Scope Delimiter

The delimiter used by an auth server to separate scopes.

OAuth Scopes

List of user profile properties

According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: openid, sdpp-w

Default value:

openid
sdpp-w
Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

Request Parameter JWT Option

Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters.Choose NONE to specify that Request Parameter JWTs are not used.

Default value: NONE

Encrypt Request Parameter JWT

Enable the option to send an encrypted request parameter JWT.

Default value: false

ACR Values

Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.

Well Known Endpoint

The endpoint for retrieving a list of OAuth/OIDC endpoints.

For example, you might set this property to: https://api.login.yahoo.com/.well-known/openid-configuration

Request Object Audience

The intended audience of the request object. If unspecified, the issuer value will be used.

OP Encrypts ID Tokens

Whether the OP encrypts ID Tokens. Will determine which resolver to use.

Default value: false

Issuer

The Issuer of OIDC ID Tokens.

For example, you might set this property to: https://api.login.yahoo.com

Enable Native Nonce

When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request. Enabled by default.

Default value: true

User Info Response Format

The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.

Default value: JSON

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 424da748-82cc-4b54-be6f-82bd64d82a74

oidcConfig
Enabled

Default value: true

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: sub

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

Redirect URL
Redirect after form post URL

Specify URL to redirect the form post parameters to.

Scope Delimiter

The delimiter used by an auth server to separate scopes.

OAuth Scopes

List of user profile properties

According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

Request Parameter JWT Option

Choose how Request Parameter JWTs will be sent to the OIDC Provider. Choose REFERENCE for OpenID Connect Request Parameter JWTs to be passed by reference. Choose VALUE for OpenID Connect Request Parameter JWTs to be passed as single, self-contained parameters.Choose NONE to specify that Request Parameter JWTs are not used.

Default value: NONE

Encrypt Request Parameter JWT

Enable the option to send an encrypted request parameter JWT.

Default value: false

ACR Values

Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference.

Well Known Endpoint

The endpoint for retrieving a list of OAuth/OIDC endpoints.

Request Object Audience

The intended audience of the request object. If unspecified, the issuer value will be used.

OP Encrypts ID Tokens

Whether the OP encrypts ID Tokens. Will determine which resolver to use.

Issuer

The Issuer of OIDC ID Tokens.

Enable Native Nonce

When enabled, the Identity Provider Native SDK MUST include a nonce Claim in the ID Token with the Claim value being the nonce value sent in the Authentication Request. Enabled by default.

Default value: true

User Info Response Format

The expected format of UserInfo responses. Dictates how AM will process the response. The expected format must match the actual format.

Default value: JSON

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

linkedInConfig
Enabled

Default value: true

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: id

Default value: id

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://www.linkedin.com/oauth/v2/authorization

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://www.linkedin.com/oauth/v2/accessToken

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

For example, you might set this property to: https://www.linkedin.com/oauth/v2/introspectToken

Redirect URL
Redirect after form post URL

Specify URL to redirect the form post parameters to.

Scope Delimiter

The delimiter used by an auth server to separate scopes.

OAuth Scopes

List of user profile properties

According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: r_liteprofile, r_emailaddress

Default value:

r_liteprofile
r_emailaddress
Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

Email Address Endpoint

The endpoint for retrieving the email address.

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 8862ca8f-7770-4af5-a888-ac0df0947f36

salesforceConfig
Enabled

Default value: true

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: user_id

Default value: user_id

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://login.salesforce.com/services/oauth2/authorize

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://login.salesforce.com/services/oauth2/token

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://login.salesforce.com/services/oauth2/userinfo

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

For example, you might set this property to: https://login.salesforce.com/services/oauth2/introspect

Redirect URL
Redirect after form post URL

Specify URL to redirect the form post parameters to.

Scope Delimiter

The delimiter used by an auth server to separate scopes.

OAuth Scopes

List of user profile properties

According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: id, api, web

Default value:

id
api
web
Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 312e951f-70c5-49d2-a9ae-93aef909d5df

wordpressConfig
Enabled

Default value: true

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: username

Default value: username

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://public-api.wordpress.com/oauth2/authorize

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://public-api.wordpress.com/oauth2/token

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://public-api.wordpress.com/rest/v1.1/me/

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

Redirect URL
Redirect after form post URL

Specify URL to redirect the form post parameters to.

Scope Delimiter

The delimiter used by an auth server to separate scopes.

OAuth Scopes

List of user profile properties

According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: auth

Default value: auth

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 91d197de-5916-4dca-83b5-9a4df26e7159

microsoftConfig
Enabled

Default value: true

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: id

Default value: id

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://login.microsoftonline.com/common/oauth2/v2.0/authorize

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://login.microsoftonline.com/common/oauth2/v2.0/token

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://graph.microsoft.com/v1.0/me

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

Redirect URL
Redirect after form post URL

Specify URL to redirect the form post parameters to.

Scope Delimiter

The delimiter used by an auth server to separate scopes.

OAuth Scopes

List of user profile properties

According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: User.Read

Default value: User.Read

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 73cecbfc-dad0-4395-be6a-6858ee3a80e5

vkConfig
Enabled

Default value: true

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: sub

Default value: id

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

For example, you might set this property to: https://oauth.vk.com/authorize

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

For example, you might set this property to: https://oauth.vk.com/access_token

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

For example, you might set this property to: https://api.vk.com/method/users.get?fields=photo_50

Token Introspection Endpoint URL

OAuth Token Introspection endpoint URL.

This is the URL endpoint for access token validation using the OAuth Identity Provider. Refer to RFC 7662.

Redirect URL
Redirect after form post URL

Specify URL to redirect the form post parameters to.

Scope Delimiter

The delimiter used by an auth server to separate scopes.

OAuth Scopes

List of user profile properties

According to the OAuth 2.0 Authorization Framework that the client application requires. The list depends on the permissions that the resource owner grants to the client application. Some authorization servers use non-standard separators for scopes.

For example, you might set this property to: email

Default value: email

Client Authentication Method

Field used to define how the client would be identified by the social provider.

Default value: CLIENT_SECRET_POST

PKCE Method

The PKCE transformation method to use when making requests to the authorization endpoint.

Default value: S256

API Version

Version of the applicable VKontakte API.

Default value: 5.73

JWKS URI Endpoint

The JWKS URL endpoint for the RP to use when encrypting or validating

JWT Signing Algorithm

The signing algorithm to use when signing the client assertion and request object jwt sent to social provider.

JWT Encryption Algorithm

The encryption algorithm to use when encrypting the client assertion and request object jwt sent to social provider.

JWT Encryption Method

The encryption method to use when encrypting the client assertion and request object jwt sent to social provider.

Private Key JWT Expiration Time (seconds)

The expiration time on or after which the private key JWT must not be accepted for processing.

Default value: 600

Response Mode

Informs the Authorization Server of the mechanism to use for returning Authorization Response parameters.

Default value: DEFAULT

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 403cf226-6051-4368-8b72-9ba14f9a5140

twitterConfig
Enabled

Default value: true

Auth ID Key

Field used to identify a user by the social provider.

For example, you might set this property to: id_str

Default value: id_str

Client ID

OAuth client_id parameter.

For more information on the OAuth client_id parameter, refer to RFC 6749, section 2.2.

Client Secret

OAuth client_secret parameter.

For more information on the OAuth client_secret parameter, refer to RFC 6749, section 2.3.1.

Authentication Endpoint URL

OAuth authentication endpoint URL

This is the URL endpoint for OAuth authentication provided by the OAuth Identity Provider.

Access Token Endpoint URL

OAuth access token endpoint URL.

This is the URL endpoint for access token retrieval provided by the OAuth Identity Provider. Refer to RFC 6749, section 3.2.

User Profile Service URL

User profile information URL

This URL endpoint provides user profile information and is provided by the OAuth Identity Provider. Note that this URL should return JSON objects in response.

Redirect URL
Request Token Endpoint

The endpoint for obtaining an access token.

UI Config Properties

Mapping of display properties to be defined and consumed by the UI.

Transform Script

A script that takes the raw profile object as input and outputs the normalized profile object.

Default value: 8e298710-b55e-4085-a464-88a375a4004b

Transaction Authentication Service

The following settings are available in this service:

Time to Live

The number of seconds within which the transaction must be completed.

User

Dynamic Attributes

The following settings appear on the Dynamic Attributes tab:

User Preferred Timezone

Time zone for accessing the UI.

Administrator DN Starting View

Specifies the DN for the initial screen when an administrator successfully logs in to the UI.

Default User Status

Inactive users cannot authenticate, though PingOne Advanced Identity Cloud stores their profiles.

The possible values for this property are:

  • Active

  • Inactive

Validation Service

The following settings are available in this service:

Valid goto URL Resources

List of valid goto URL resources.

Specifies a list of valid URLs for the goto and gotoOnFail query string parameters. AM only redirects a user after log in or log out to a URL in this list. If the URL is not in the list, AM redirects to either the user profile page, or the administration console. If this property is not set, AM will only allow URLs that match its domain; for example, domain-of-am-instance.com. Use the * wildcard to match all characters except ?.

Examples:

  • http://app.example.com:80/*

  • http://app.example.com:80/*?*

WebAuthn Profile Encryption Service

The following settings are available in this service:

Profile Storage Attribute

The user’s attribute in which to store WebAuthn profiles.

Device Profile Encryption Scheme

Encryption scheme to use to secure device profiles stored on the server.

If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.

AES-256 may require installation of the JCE Unlimited Strength policy files.

The possible values for this property are:

  • Label: AES-256/HMAC-SHA-512 with RSA Key Wrapping (Value: RSAES_AES256CBC_HS512)

  • Label: AES-128/HMAC-SHA-256 with RSA Key Wrapping (Value: RSAES_AES128CBC_HS256)

  • Label: No encryption of device settings. (Value: NONE)

Encryption Key Store

Path to the key store from which to load encryption keys.

Updating this setting is currently not supported in Advanced Identity Cloud. Changing its value may lead to a loss of functionality in this feature.

The configuration will be migrated in the future to support customization of keys using ESVs. For more information, please contact your ForgeRock representative.

Key Store Type

Type of key store to load.

Refer to the JDK 8 PKCS#11 Reference Guide for more details.

The possible values for this property are:

  • Label: Java Key Store (JKS). (Value: JKS)

  • Label: Java Cryptography Extension Key Store (JCEKS). (Value: JCEKS)

  • Label: PKCS#11 Hardware Crypto Storage. (Value: PKCS11)

  • Label: PKCS#12 Key Store. (Value: PKCS12)

Key Store Password

Password to unlock the key store. This password is encrypted when it is saved in the PingOne Advanced Identity Cloud configuration.

Key-Pair Alias

Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.

Private Key Password

Password to unlock the private key.

Secret labels

PingOne Advanced Identity Cloud uses these labels to match secrets for access management signing and encryption with the aliases of the secrets in the secret store. Expand the categories for additional information.

For instructions on using these secret labels, refer to Use ESVs for signing and encryption keys.

The term secret IDs is being phased out in favor of secret labels but you might come across instances of secret ID in the documentation and in the UI until the terminology change is complete.

OAuth 2.0 and OpenID Connect provider secrets

Encrypt client-side OAuth 2.0 tokens

This table shows the label for the secret to encrypt client-side access tokens:

Secret label Algorithms

am.services.oauth2.stateless.token.encryption

A128CBC-HS256

Sign client-side OAuth 2.0 tokens

This table shows the labels for the secrets to sign client-side access tokens:

Secret label Algorithms

am.services.oauth2.stateless.signing.ES256

ES256

am.services.oauth2.stateless.signing.ES384

ES384

am.services.oauth2.stateless.signing.ES512

ES512

am.services.oauth2.stateless.signing.HMAC

HS256
HS384
HS512

am.services.oauth2.stateless.signing.RSA

PS256
PS384
PS512
RS256
RS384
RS512

Authenticate OAuth 2.0 clients

The secret label mappings used to authenticate OAuth 2.0 clients:

Secret label Default alias Algorithms

am.applications.oauth2.client.identifier.secret(1)

am.applications.oauth2.client.identifier.jwt.public.key(2)

am.applications.oauth2.client.identifier.mtls.trusted.cert(3)

am.applications.oauth2.client.identifier.id.token.enc.public.key(4)

(1) Map the am.applications.oauth2.client.identifier.secret dynamic secret label to override the OAuth 2.0 client’s Client secret property, where identifier is the value of the Secret Label Identifier set in the client configuration.
(2) Map the am.applications.oauth2.client.identifier.jwt.public.key dynamic secret label to override the OAuth 2.0 client’s Client JWT Bearer Public Key, where identifier is the value of the Secret Label Identifier set in the client configuration.
(3) Map the am.applications.oauth2.client.identifier.mtls.trusted.cert dynamic secret label to override the OAuth 2.0 client’s mTLS Self-Signed Certificate, where identifier is the value of the Secret Label Identifier set in the client configuration.
(4) Map the am.applications.oauth2.client.identifier.id.token.enc.public.key dynamic secret label to override the OAuth 2.0 client’s Client ID Token Public Encryption Key, where identifier is the value of the Secret Label Identifier set in the client configuration.

Secret label mappings for salting hashes

The secret label for salting hashes in OAuth 2.0 and OIDC flows.

Secret label Default alias Algorithms

am.services.oauth2.provider.hash.salt.secret

Use this secret label to override Subject Identifier Hash Salt in the provider configuration.

This secret can’t be rotated.

Decrypt OIDC request parameters

This table shows the labels for secrets to decrypt OIDC request parameters:

Secret label Algorithms

am.services.oauth2.oidc.decryption.RSA1.5

RSA with PKCS#1 v1.5 padding

am.services.oauth2.oidc.decryption.RSA.OAEP

RSA with OAEP with SHA-1 and MGF-1

am.services.oauth2.oidc.decryption.RSA.OAEP.256

RSA with OAEP with SHA-256 and MGF-1

For confidential clients, if you select an AES algorithm (A128KW, A192KW, or A256KW) or the direct encryption algorithm (dir), PingOne Advanced Identity Cloud uses the Client Secret from the profile, not an entry from the secret store.

The following use the Client Secret:

  • Signing ID tokens with an HMAC algorithm

  • Encrypting ID tokens with AES or direct encryption

  • Encrypting parameters with AES or direct encryption

Store only one secret in the Client Secret field.

For details about encryption options, refer to the OIDC specification.

Sign OIDC tokens

This table shows the labels for secrets to sign OIDC tokens and backchannel logout tokens:

Secret label Algorithms(1)

am.services.oauth2.oidc.signing.ES256

ES256

am.services.oauth2.oidc.signing.ES384

ES384

am.services.oauth2.oidc.signing.ES512

ES512

am.services.oauth2.oidc.signing.RSA

PS256
PS384
PS512
RS256
RS384
RS512

am.services.oauth2.oidc.signing.EDDSA

EdDSA with SHA-512

For confidential clients, if you select an HMAC algorithm for signing ID tokens (HS256, HS384, or HS512), PingOne Advanced Identity Cloud uses the Client Secret from the profile instead of an entry from the secret store.

CA certificates for mTLS client authentication

This table shows the label of the trusted CA certificate for mTLS client authentication:

Secret label Algorithms

am.services.oauth2.tls.client.cert.authentication

Social identity client secrets

Decrypt ID tokens

This table shows the label for the secret to decrypt ID tokens and userinfo endpoint JWTs when PingOne Advanced Identity Cloud acts as a relying party (RP) of the social identity provider service:

Secret label Algorithms

am.services.oauth2.oidc.rp.idtoken.encryption

Consult the .well-known endpoint of the identity provider.

The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.

For details, refer to Social authentication.

Sign JWTs and objects

This table shows the label for the secret to sign JWTs and objects when PingOne Advanced Identity Cloud acts as a relying party (RP) of the social identity provider service:

Secret label Algorithms

am.services.oauth2.oidc.rp.jwt.authenticity.signing

Consult the .well-known endpoint of the identity provider.

The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.

For details, refer to Social authentication.

Certificates for mTLS client authentication

This table shows the label of the trusted CA or self-signed certificate for mTLS client authentication when PingOne Advanced Identity Cloud acts as a relying party (RP) of the social identity provider service:

Secret label Algorithms

am.services.oauth2.tls.client.cert.authentication

Consult the .well-known endpoint of the identity provider.

The public key is exposed at the /oauth2/connect/rp/jwk_uri endpoint.

For details, refer to Social authentication.

Web and Java agent secrets

Sign agent JWTs

This table shows the label for the secret to sign the JWTs issued to Web and Java agents:

Secret label Algorithms

am.global.services.oauth2.oidc.agent.idtoken.signing

RS256
RS384
RS512

Authentication secrets

Secure journey state data

This table shows the label for the secret to encrypt sensitive data in the secure state of an authentication journey:

Secret label Algorithms

am.authn.trees.transientstate.encryption

AES 256-bit

SAML 2.0 secrets

Sign SAML 2.0 metadata

This table shows the label for the secret to sign SAML 2.0 metadata:

Secret label Algorithms

am.services.saml2.metadata.signing.RSA

RSA SHA-256

SAML v2.0 signing and encryption

The following table shows the secret label mappings used to sign and encrypt SAML v2.0 elements, and to enable mTLS authentication between entity providers:

Secret label Default alias Algorithms

am.default.applications.federation.entity.providers.saml2.idp.encryption

test

RSA with PKCS#1 v1.5 padding
RSA with OAEP

am.default.applications.federation.entity.providers.saml2.idp.signing

rsajwtsigningkey

RSA SHA-1(1)
ECDSA SHA-256
ECDSA SHA-384
ECDSA SHA-512
RSA SHA-256
RSA SHA-384
RSA SHA-512
DSA SHA-256

am.default.applications.federation.entity.providers.saml2.sp.encryption

test

RSA with PKCS#1 v1.5 padding
RSA with OAEP

am.default.applications.federation.entity.providers.saml2.sp.signing

rsajwtsigningkey

RSA SHA-1(1)
ECDSA SHA-256
ECDSA SHA-384
ECDSA SHA-512
RSA SHA-256
RSA SHA-384
RSA SHA-512
DSA SHA-256

am.default.applications.federation.entity.providers.saml2.sp.mtls(2)

am.applications.federation.entity.providers.saml2.identifier.basicauth(3)

(1) This algorithm is for compatibility purposes only. Avoid its use.

(2) For artifact resolution requests only, the SP uses the certificates mapped to this secret label for mTLS authentication to the remote IDP. These certificates are exported with <KeyDescriptor use="signing"> in the SP metadata.

(3) The SP uses the certificate mapped to this secret label for basic authentication. If you set a Secret Label Identifier, and PingOne Advanced Identity Cloud finds a mapping to am.applications.federation.entity.providers.saml2.identifier .basicauth, PingOne Advanced Identity Cloud uses this secret and ignores the value of the Password field. For basic authentication, there is no default secret label for the realm, or globally.

You can specify a custom Secret Label Identifier for each SAML v2.0 entity provider in a realm. PingOne Advanced Identity Cloud generates new secret labels that can be unique to the provider, or shared by multiple providers.

For example, you could add a custom secret label identifier named mySamlSecrets to a hosted identity provider. PingOne Advanced Identity Cloud then dynamically creates the following secret labels, which the hosted identity provider uses for signing and encryption:

  • am.applications.federation.entity.providers.saml2.mySamlSecrets.signing

  • am.applications.federation.entity.providers.saml2.mySamlSecrets.encryption

PingOne Advanced Identity Cloud attempts to look up the secrets with the custom secret label identifier. If unsuccessful, PingOne Advanced Identity Cloud looks up the secrets using the default secret labels.

Attestation secrets

Google hardware attestation root certificate

This table shows the label for the Google hardware attestation root certificate, which is used to increase confidence that the keys used by bound Android devices are valid, have not been revoked, and use hardware-backed security storage.

Refer to Verifying hardware-backed key pairs with Key Attestation in the Android developer documentation.

Secret label Algorithms

am.services.attestation.google.public.key

RSA / X.509

Policy Configuration service secrets

Certificates for the Policy Configuration service

This table shows the labels for secrets to encrypt the certificate used to authenticate Policy Configuration service connections:

Secret label Algorithms(1)

am.services.oauth2.oidc.signing.ES256

am.services.oauth2.oidc.signing.ES384

ES384

am.services.oauth2.oidc.signing.ES512

ES512

am.services.oauth2.oidc.signing.RSA

PS256
PS384
PS512
RS256
RS384
RS512

am.services.oauth2.oidc.signing.EDDSA

EdDSA with SHA-512

For confidential clients, if you select an HMAC algorithm for signing ID tokens (HS256, HS384, or HS512), PingOne Advanced Identity Cloud uses the Client Secret from the profile instead of an entry from the secret store.

Push Notification service secrets

Sign the Push Notification service access key

This table shows the label for secrets to sign the Amazon Simple Notification Service access key used by the Push Notification service.

The secret label mapping overrides the SNS Access Key Secret set in the service configuration.

Secret label Algorithms

am.services.pushnotification.sns.accesskey.secret

Glossary

Access control

Control to grant or to deny access to a resource.

Account lockout

The act of making an account temporarily or permanently inactive after successive authentication failures.

Actions

Defined as part of policies, these verbs indicate what authorized identities can do to resources.

Advice

In the context of a policy decision denying access, a hint to the policy enforcement point about remedial action to take that could result in a decision allowing access.

Agent administrator

User having privileges only to read and write agent profile configuration information, typically created to delegate agent profile creation to the user installing a web or Java agent.

Agent authenticator

Entity with read-only access to multiple agent profiles defined in the same realm; allows an agent to read web service profiles.

Application

In general terms, a service exposing protected resources.

In the context of PingOne Advanced Identity Cloud policies, the application is a template that constrains the policies that govern access to protected resources. An application can have zero or more policies.

Application type

Application types act as templates for creating policy applications.

Application types define a preset list of actions and functional logic, such as policy lookup and resource comparator logic.

Application types also define the internal normalization, indexing logic, and comparator logic for applications.

Attribute-based access control (ABAC)

Access control that is based on attributes of a user, such as how old a user is or whether the user is a paying customer.

Authentication

The act of confirming the identity of a principal.

Authentication level

Positive integer associated with an authentication node, usually used to require success with more stringent authentication measures when requesting resources requiring special protection.

Authentication Session

The interval while the user or entity is authenticating to PingOne Advanced Identity Cloud.

Authorization

The act of determining whether to grant or to deny a user access to a resource.

Authorization server

In OAuth 2.0, issues access tokens to the client after authenticating a resource owner and confirming that the owner authorizes the client to access the protected resource. PingOne Advanced Identity Cloud can play this role in the OAuth 2.0 authorization framework.

Auto-federation

Arrangement to federate a principal’s identity automatically based on a common attribute value shared across the principal’s profiles at different providers.

Circle of trust

Group of providers, including at least one identity provider, who have agreed to trust each other to participate in a SAML 2.0 provider federation.

Client

In OAuth 2.0, requests protected web resources on behalf of the resource owner given the owner’s authorization. PingOne Advanced Identity Cloud can play this role in the OAuth 2.0 authorization framework.

Client-side OAuth 2.0 tokens

After a successful OAuth 2.0 grant flow, PingOne Advanced Identity Cloud returns a token to the client.

This differs from server-side OAuth 2.0 tokens, where PingOne Advanced Identity Cloud returns a reference to the token to the client.

Client-side sessions

Sessions for which PingOne Advanced Identity Cloud returns session state to the client after each request, and requires the state to be passed in with the subsequent request.

For browser-based clients, PingOne Advanced Identity Cloud sets a cookie in the browser that contains the session state. When the browser returns the cookie, PingOne Advanced Identity Cloud decodes the session state from the cookie.

Conditions

Defined as part of policies, these determine the circumstances under which a policy applies.

Environmental conditions reflect circumstances like the client IP address, time of day, how the subject authenticated, or the authentication level achieved.

Subject conditions reflect characteristics of the subject like whether the subject authenticated, the identity of the subject, or claims in the subject’s JWT.

Configuration datastore

LDAP directory service holding PingOne Advanced Identity Cloud configuration data.

Cross-domain single sign-on (CDSSO)

PingOne Advanced Identity Cloud capability allowing single sign-on across different DNS domains.

Server-side OAuth 2.0 tokens

After a successful OAuth 2.0 grant flow, PingOne Advanced Identity Cloud returns a reference to the token to the client, rather than the token itself.

This differs from client-side OAuth 2.0 tokens, where PingOne Advanced Identity Cloud returns the entire token to the client.

Server-side sessions

Sessions that reside in the Core Token Service’s token store. Server-side sessions might also be cached in memory.

PingOne Advanced Identity Cloud tracks these sessions in order to handle events like logout and timeout, to permit session constraints, and to notify applications involved in SSO when a session ends.

Delegation

Granting users administrative privileges with PingOne Advanced Identity Cloud.

Entitlement

Decision that defines which resource names can and cannot be accessed for a given identity in the context of a particular application, which actions are allowed and which are denied, and any related advice and attributes.

Extended metadata

Federation configuration information specific to PingOne Advanced Identity Cloud.

Extensible Access Control Markup Language (XACML)

Standard, XML-based access control policy language, including a processing model for making authorization decisions based on policies.

Federation

Standardized means for aggregating identities, sharing authentication and authorization data information between trusted providers, and allowing principals to access services across different providers without authenticating repeatedly.

Identity

Set of data that uniquely describes a person or a thing such as a device or an application.

Identity federation

Linking of a principal’s identity across multiple providers.

Identity provider (IDP)

Entity that produces assertions about a principal (such as how and when a principal authenticated, or that the principal’s profile has a specified attribute value).

Identity repository

Data store holding user profiles and group information.

Java agent

Java web application installed in a web container that acts as a policy enforcement point, filtering requests to other applications in the container with policies based on application resource URLs.

Metadata

Federation configuration information for a provider.

Policy

Set of rules that define who is granted access to a protected resource when, how, and under what conditions.

Policy agent

Java, web, or custom agent that intercepts requests for resources, directs principals to PingOne Advanced Identity Cloud for authentication, and enforces policy decisions from PingOne Advanced Identity Cloud.

Policy Administration Point (PAP)

Entity that manages and stores policy definitions.

Policy Decision Point (PDP)

Entity that evaluates access rights and then issues authorization decisions.

Policy Enforcement Point (PEP)

Entity that intercepts a request for a resource and then enforces policy decisions from a PDP.

Policy Information Point (PIP)

Entity that provides extra information, such as user profile attributes that a PDP needs in order to make a decision.

Principal

Represents an entity that has been authenticated (such as a user, a device, or an application), and thus is distinguished from other entities.

When a Subject successfully authenticates, PingOne Advanced Identity Cloud associates the Subject with the Principal.

Privilege

In the context of delegated administration, a set of administrative tasks that can be performed by specified identities in a given realm.

Provider federation

Agreement among providers to participate in a circle of trust.

Realm

PingOne Advanced Identity Cloud unit for organizing configuration and identity information.

Administrators can delegate realm administration. The administrator assigns administrative privileges to users, allowing them to perform administrative tasks within the realm.

Resource

Something a user can access over the network such as a web page.

Defined as part of policies, these can include wildcards in order to match multiple actual resources.

Resource owner

In OAuth 2.0, entity who can authorize access to protected web resources, such as an end user.

Resource server

In OAuth 2.0, server hosting protected web resources, capable of handling access tokens to respond to requests for such resources.

Response attributes

Defined as part of policies, these PingOne Advanced Identity Cloud return additional information in the form of "attributes" with the response to a policy decision.

Role based access control (RBAC)

Access control that is based on whether a user has been granted a set of permissions (a role).

Security Assertion Markup Language (SAML)

Standard, XML-based language for exchanging authentication and authorization data between identity providers and service providers.

Service provider (SP)

Entity that consumes assertions about a principal (and provides a service that the principal is trying to access).

Session

The interval that starts after the user has authenticated and ends when the user logs out, or when their session is terminated. For browser-based clients, PingOne Advanced Identity Cloud manages user sessions across one or more applications by setting a session cookie.

Session token

Unique identifier issued by PingOne Advanced Identity Cloud after successful authentication.

For a server-side sessions, the session token is used to track a principal’s session.

Single log out (SLO)

Capability allowing a principal to end a session once, thereby ending her session across multiple applications.

Single sign-on (SSO)

Capability allowing a principal to authenticate once and gain access to multiple applications without authenticating again.

Standard metadata

Standard federation configuration information that you can share with other access management software.

Stateless service

Stateless services do not store any data locally to the service.

When the service requires data to perform any action, it requests it from a data store.

For example, a stateless authentication service stores session state for logged-in users in a database. This way, any server in the deployment can recover the session from the database and service requests for any user.

All PingOne Advanced Identity Cloud services are stateless unless otherwise specified. Refer to Client-side sessions and server-side sessions.

Subject

Entity that requests access to a resource.

When an identity successfully authenticates, PingOne Advanced Identity Cloud associates the identity with the Principal that distinguishes it from other identities.

An identity can be associated with multiple principals.

Web agent

Native library installed in a web server that acts as a policy enforcement point with policies based on web page URLs.