Credential

services/credential[]

This configuration is used to describe an external credential service which IAG can use to retrieve credentials for use in single sign-on to protected applications.
Each credential service must contain:

  • name
  • enc_key
  • host
  • url_pattern
  • user_attribute

This entry is an array and can be used to specify multiple credential services.

Properties

name (string)
    The name which is associated with this credential service.

host (string)
    The hostname of the endpoint from which the credentials will be retrieved.

port (string)
    The port of the endpoint from which the credentials will be retrieved.

proxy (string)
    The proxy server which will be used when connecting to the credential service. The entry should be of the form <server>:<port>.

url_pattern (string)
    The path of the endpoint from which the credentials will be retrieved. This must contain both the {user} and {resource} macros. When communicating with the credential service, IAG substitutes {user} with the encoded value of the credential attribute named by user_attribute, and {resource} with the resource name given in the configuration entry which refers to this credential service.

user_attribute (string; default: AZN_PRINCIPAL_ID)
    The name of the credential attribute which is used to populate the {user} macro in the URL used when communicating with the credential service.

user_attribute_encoding (string; values: url, base64url; default: url)
    The type of encoding to perform on the user_attribute value for inclusion in the URL used to communicate with the credential service.
    - If this value is url, the user attribute value will be URL encoded.
    - If this value is base64url, the user attribute value will be converted to lower case and then Base64 encoded with the URL-safe alphabet.

enc_key (string)
    The key which will be used to encrypt and decrypt credential data. This should be an RSA or ECDSA key for which both the private and public parts are available.

ssl (ssl)
    SSL settings for the credential service connection; see services/credential[]/ssl.

authentication (authentication)
    Controls how IAG authenticates itself to the credential service; see services/credential[]/authentication.
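The following is an added example, not code from the page or from IAG itself, showing how the url_pattern macros are expanded and how the two user_attribute_encoding values differ. The service entry, the credential attributes and the function names (missing_macros, encode_user, build_credential_url) are constructed for illustration; the https scheme, the omission of the port when none is configured, and the retention of Base64 padding are assumptions, since the page does not state them.

```python
import base64
import urllib.parse

# Constructed sample inputs (not from the page): a credential service entry in
# the same shape as the services/credential[] YAML, and the attributes IAG would
# hold in the authenticated user's credential.
SAMPLE_SERVICE = {
    "host": "ibm_app_gw.ice.ibmcloud.com",
    "url_pattern": "/v1.0/pwdvault/{user}/resources/{resource}",
    "user_attribute": "AZN_PRINCIPAL_ID",
    "user_attribute_encoding": "url",
}
SAMPLE_CREDENTIAL = {"AZN_PRINCIPAL_ID": "Jane.Doe@example.com"}

REQUIRED_MACROS = ("{user}", "{resource}")


def missing_macros(url_pattern: str) -> list:
    """Return the required macros that url_pattern does not contain."""
    return [m for m in REQUIRED_MACROS if m not in url_pattern]


def encode_user(value: str, encoding: str = "url") -> str:
    """Apply user_attribute_encoding to the attribute value."""
    if encoding == "url":
        # Percent-encode every reserved character (safe="" also encodes '/'),
        # so an attribute value such as 'jdoe/admin' cannot add a path segment.
        return urllib.parse.quote(value, safe="")
    if encoding == "base64url":
        # The page specifies lower-casing followed by URL-safe Base64.
        # Padding is kept here (assumption); the page does not say whether IAG strips it.
        return base64.urlsafe_b64encode(value.lower().encode("utf-8")).decode("ascii")
    raise ValueError(f"unsupported user_attribute_encoding: {encoding!r}")


def build_credential_url(service: dict, credential: dict, resource: str) -> str:
    """Expand url_pattern for one user/resource pair.

    Assumes https (the service carries an ssl section) and omits the port when
    the entry does not set one; both are assumptions, not statements from the page.
    """
    pattern = service["url_pattern"]
    missing = missing_macros(pattern)
    if missing:
        raise ValueError(f"url_pattern is missing macro(s): {', '.join(missing)}")
    attr = service.get("user_attribute", "AZN_PRINCIPAL_ID")
    if attr not in credential:
        raise KeyError(f"credential has no attribute {attr!r}; cannot fill {{user}}")
    user = encode_user(credential[attr], service.get("user_attribute_encoding", "url"))
    # The resource name comes from configuration, but encode it anyway so an
    # unexpected character cannot change the path.
    path = pattern.replace("{user}", user).replace(
        "{resource}", urllib.parse.quote(resource, safe=""))
    netloc = service["host"] + (f":{service['port']}" if service.get("port") else "")
    return f"https://{netloc}{path}"


if __name__ == "__main__":
    print(build_credential_url(SAMPLE_SERVICE, SAMPLE_CREDENTIAL, "myapp"))
    print(encode_user("Jane.Doe@example.com", "base64url"))
```

The url mode keeps the attribute value readable but percent-encodes characters such as "@" and "/", which matters when the principal id is an e-mail address or a DN; the base64url mode normalises the case first, so two principals that differ only in case map to the same vault entry.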

services/credential[]/ssl

SSL settings for the credential service connection.

Properties

certificate (array of string)
    PEM-based personal certificate files which will be used when communicating with the credential service. Each file should include the private key, a certificate signed with that key, and the signer certificate or signer certificate chain (if required).

server_dn (string)
    The accepted DN of the certificate presented by the credential service. If this entry is empty, any DN will be accepted; setting it pins the connection to the expected credential service certificate.

sni (string)
    The server name (SNI) which will be indicated when establishing a connection to the credential service. If this entry is empty, no name will be indicated.

services/credential[]/authentication

Controls how IAG will authenticate itself when communicating with the credential service. Only one of the following may be used at any time.

Properties

sso (sso)
    Obtain an access token with the OAuth client credentials flow; see services/credential[]/authentication/sso.

access_token (access_token)
    Use a configured or credential-sourced access token as a bearer token; see services/credential[]/authentication/access_token.

ba (ba)
    Use HTTP basic authentication; see services/credential[]/authentication/ba.

services/credential[]/authentication/sso

Uses the OAuth client credentials flow to retrieve an access token to use when communicating with the credential service.

Properties

endpoint (string)
    The endpoint which will be called to obtain an access token for use in requests to the credential service. The endpoint should implement the OAuth 2.0 client credentials grant (RFC 6749, section 4.4).

client_id (string)
    The client identifier to use during the OAuth client credentials flow.

client_secret (string)
    The client secret to use during the OAuth client credentials flow.

payload (string; values: basic, form; default: basic)
    Specifies how the client id and secret will be sent to the token endpoint.
    - If this value is form, the client id and secret will be included in the form-encoded POST body.
    - If this value is basic, an HTTP Basic authentication header will be constructed from the client id and secret.

services/credential[]/authentication/access_token

Uses an access token presented in the authorization header as a bearer token when communicating with the credential service.

Properties

token (string)
    The literal access token that will be passed as a bearer token. Alternatively, if the value is surrounded by {}, it names a credential attribute whose value will be used as the bearer token.
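As an added example (not code from the page or from IAG), the following builds the two shapes of client credentials token request that the sso section's payload setting selects, and turns the token endpoint's response into the Authorization header value that the access_token section describes. The endpoint, client id and secret are constructed sample values, the function names client_credentials_request and bearer_header are hypothetical, and nothing is sent over the network.

```python
import base64
import urllib.parse

# Constructed sample values (not from the page). The secret contains '+' to
# show why the encoding step matters.
SAMPLE_ENDPOINT = "https://ibm_app_gw.ice.ibmcloud.com/v1.0/endpoint/default/token"
SAMPLE_CLIENT_ID = "abc"
SAMPLE_CLIENT_SECRET = "s3cret+x"


def client_credentials_request(endpoint: str, client_id: str, client_secret: str,
                               payload: str = "basic") -> dict:
    """Build the RFC 6749 section 4.4 token request for the given payload mode.

    Returns a dict with method, url, headers and body; nothing is sent.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if payload == "basic":
        # RFC 6749 section 2.3.1: form-urlencode client_id and client_secret
        # separately, join them with ':', then Base64 the result.
        pair = (urllib.parse.quote(client_id, safe="") + ":" +
                urllib.parse.quote(client_secret, safe=""))
        headers["Authorization"] = "Basic " + base64.b64encode(
            pair.encode("utf-8")).decode("ascii")
        body = urllib.parse.urlencode({"grant_type": "client_credentials"})
    elif payload == "form":
        # The credentials travel in the POST body instead of a header.
        body = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
        })
    else:
        raise ValueError(f"unsupported payload value: {payload!r}")
    return {"method": "POST", "url": endpoint, "headers": headers, "body": body}


def bearer_header(token_response: dict):
    """Return the Authorization header value for requests to the credential
    service, or None when the response is not a usable bearer token.

    RFC 6749 section 5.1 makes token_type mandatory and case-insensitive, so
    an error response or a non-bearer token type yields None rather than a
    malformed header.
    """
    token = token_response.get("access_token")
    token_type = str(token_response.get("token_type", ""))
    if not token or token_type.lower() != "bearer":
        return None
    return f"Bearer {token}"


if __name__ == "__main__":
    for mode in ("basic", "form"):
        req = client_credentials_request(SAMPLE_ENDPOINT, SAMPLE_CLIENT_ID,
                                         SAMPLE_CLIENT_SECRET, mode)
        print(mode, req["headers"], req["body"])
    # Constructed token endpoint response.
    print(bearer_header({"access_token": "tok", "token_type": "Bearer", "expires_in": 3600}))
```

The basic mode is the one RFC 6749 recommends for confidential clients; the form mode exists for token endpoints that only read client_id and client_secret from the body. Either way the secret is sent on every token request, so the sso endpoint should be reached over TLS with the ssl settings above.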

services/credential[]/authentication/ba

Uses basic authentication when communicating with the credential service.

Properties

username (string)
    The username to be used to perform basic authentication to the credential service.

password (string)
    The password to be used to perform basic authentication to the credential service.

Example

services:
  credential:
    - name: myCredService
      enc_key: "@vault-rsa.pem"
      host: ibm_app_gw.ice.ibmcloud.com
      proxy: "proxy.ibm.com:3128"
      url_pattern: "/v1.0/pwdvault/{user}/resources/{resource}"
      ssl:
        certificate:
          - "@vault-ibm-com.crt"
        server_dn: cn=vault
        sni: vault.verify.ibm.com
      user_attribute: "AZN_PRINCIPAL_ID"
      user_attribute_encoding: url
      authentication:
        sso:
          client_id: 36bxxxx-xxxx-xxxx-xxxx-xxxxxxxxxae5
          client_secret: ctZxxxxqQs
          endpoint: https://ibm_app_gw.ice.ibmcloud.com/v1.0/endpoint/default/token
          payload: form