Credential
services/credential[]
This configuration is used to describe an external credential service which IAG can use to retrieve credentials for use in single sign-on to protected applications.
Each credential service must contain:
- name
- enc_key
- host
- url_pattern
- user_attribute
This entry is an array and can be used to specify multiple credential services.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
name | string | | The name which is associated with this credential service. Other configuration entries refer to the service by this name. |
host | string | | The hostname of the endpoint from which the credentials will be retrieved. |
port | string | | The port of the endpoint from which the credentials will be retrieved. |
proxy | string | | The proxy server which will be used when connecting to the credential service. The entry must be of the form <server>:<port>. |
url_pattern | string | | The path of the endpoint from which the credentials will be retrieved. This must contain both the {user} and {resource} macros. When communicating with the credential service, IAG substitutes {resource} with the resource name provided in the configuration entry which refers to this credential service, and {user} with the encoded value of the credential attribute named by user_attribute. |
user_attribute | string | Default value: AZN_PRINCIPAL_ID | The name of the credential attribute whose value is used to populate the {user} macro in the URL used when communicating with the credential service. |
user_attribute_encoding | string | Values: url, base64url. Default value: url | The encoding applied to the user_attribute value before it is inserted into the URL used to communicate with the credential service. If this value is url, the attribute value is URL encoded. If this value is base64url, the attribute value is converted to lower case and then Base64 encoded for URL. |
enc_key | string | | The key which will be used to encrypt and decrypt credential data. This should be an RSA or ECDSA key for which both the private and public parts are available. |
ssl | ssl | | SSL settings for the connection to the credential service. |
authentication | authentication | | Controls how IAG authenticates itself to the credential service. |
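To make the {user} and {resource} substitution concrete, here is an added example (not IAG code, and not taken from this page) that resolves a url_pattern the way the table describes: the user_attribute value is pulled from the credential, encoded with the configured user_attribute_encoding, and dropped into the pattern. The function names, the dictionary shapes used for the service entry and the credential, the https scheme, and the URL encoding of the resource name are assumptions made for the example; the page does not say whether the base64url form keeps its "=" padding, so standard padded output is assumed. A missing or empty user attribute is treated as an error rather than producing a URL for an empty user.

```python
import base64
import urllib.parse


def encode_user_attribute(value: str, encoding: str = "url") -> str:
    """Encode the user_attribute value for the {user} macro.

    url       -> percent-encode every character outside the unreserved set
    base64url -> lower-case, then base64url (padding retained; assumption)
    """
    if not value:
        # Fail closed: an empty user would build a URL that names nobody's vault.
        raise ValueError("user attribute value is missing or empty")
    if encoding == "url":
        return urllib.parse.quote(value, safe="")
    if encoding == "base64url":
        lowered = value.lower().encode("utf-8")
        return base64.urlsafe_b64encode(lowered).decode("ascii")
    raise ValueError(f"unsupported user_attribute_encoding: {encoding!r}")


def build_credential_url(service: dict, credential: dict, resource: str) -> str:
    """Resolve the credential-service URL for one user and one resource.

    `service` mirrors a services/credential[] entry (host, port, url_pattern,
    user_attribute, user_attribute_encoding); `credential` is the attribute map
    of the authenticated user. Both shapes are assumptions for this example.
    """
    pattern = service["url_pattern"]
    if "{user}" not in pattern or "{resource}" not in pattern:
        raise ValueError("url_pattern must contain both {user} and {resource}")

    attr_name = service.get("user_attribute", "AZN_PRINCIPAL_ID")
    user = encode_user_attribute(
        credential.get(attr_name, ""),
        service.get("user_attribute_encoding", "url"),
    )
    # Assumption: the resource name is encoded as a single path segment so a
    # name containing '/' or spaces cannot alter the path structure.
    res = urllib.parse.quote(resource, safe="")

    path = pattern.replace("{user}", user).replace("{resource}", res)
    host = service["host"]
    port = service.get("port")
    authority = f"{host}:{port}" if port else host
    # Assumption: the service is always reached over TLS (see the ssl block).
    return f"https://{authority}{path}"


if __name__ == "__main__":
    # Constructed sample input, shaped like the Example at the end of this page.
    svc = {
        "host": "ibm_app_gw.ice.ibmcloud.com",
        "url_pattern": "/v1.0/pwdvault/{user}/resources/{resource}",
        "user_attribute": "AZN_PRINCIPAL_ID",
        "user_attribute_encoding": "url",
    }
    cred = {"AZN_PRINCIPAL_ID": "jdoe@example.com"}
    print(build_credential_url(svc, cred, "my app"))
```

Note that the {resource} name is taken from configuration, not from the request, so the only attacker-influenced input here is the user attribute; encoding it with an empty safe set keeps a principal name such as "../admin" from escaping its path segment.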
services/credential[]/ssl
SSL settings for the credential service connection.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
certificate | Array of string | | PEM based personal certificate files which will be used when communicating with the credential service. Each file should include the private key, the certificate signed with that private key, and the signer certificate or signer certificate chain (if required). |
server_dn | string | | The accepted DN of the certificate presented by the credential service. If this entry is empty, any DN will be accepted. |
sni | string | | The server name (SNI) which will be indicated when establishing a connection to the credential service. If this entry is empty, no name will be indicated. |
services/credential[]/authentication
Controls how IAG will authenticate itself when communicating with the credential service. Only one of the following may be used at any time.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
sso | sso | | OAuth client credential flow. |
access_token | access_token | | Bearer token. |
ba | ba | | Basic authentication. |
services/credential[]/authentication/sso
Uses the OAuth client credential flow to retrieve an access token which is then used when communicating with the credential service.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
endpoint | string | | The endpoint which will be called to obtain an access token for use in requests to the credential service. The endpoint must implement the OAuth client credential flow (OAuth 2.0, RFC 6749, section 4.4). |
client_id | string | | The client identifier to use during the OAuth client credential flow. |
client_secret | string | | The client secret to use during the OAuth client credential flow. |
payload | string | Values: basic, form. Default value: basic | Specifies how the client id and secret are sent to the token endpoint. If this value is form, the client id and secret are included in the form POST data. If this value is basic, a basic authentication header is constructed from the client id and secret. |
services/credential[]/authentication/access_token
Sends a pre-existing access token as a bearer token in the Authorization header when communicating with the credential service.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
token | string | | The literal access token that will be passed as a bearer token. Alternatively, if surrounded by {}, this field names a credential attribute whose value will be used as the bearer token. |
services/credential[]/authentication/ba
Uses basic authentication when communicating with the credential service.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
username | string | | The username used to perform basic authentication to the credential service. |
password | string | | The password used to perform basic authentication to the credential service. |
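The three authentication mechanisms above produce different wire-level artefacts, and the table notes that only one may be configured at a time. The following added example (written for this page, not IAG's own code) turns an authentication block into the Authorization header IAG would send for ba and access_token, and into the token request it would make for sso, including the difference between payload: basic and payload: form. The function names, the dictionary shapes, and the credential attribute name vault_token are assumptions for the example; the RFC 6749 section 2.3.1 rule that the client id and secret are form-urlencoded before being placed in the Basic header is standard OAuth behaviour and not something this page states.

```python
import base64
import urllib.parse
from typing import Dict


def basic_auth_header(username: str, password: str) -> str:
    """RFC 7617 Basic credentials; UTF-8 before base64 is an assumption."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_header(token: str) -> str:
    if not token:
        raise ValueError("refusing to send an empty bearer token")
    return "Bearer " + token


def resolve_access_token(token_setting: str, credential: Dict[str, str]) -> str:
    """A literal token, or {ATTR} naming a credential attribute that holds it."""
    if token_setting.startswith("{") and token_setting.endswith("}"):
        attr = token_setting[1:-1]
        if not credential.get(attr):
            # Fail closed instead of sending "Bearer " with nothing behind it.
            raise ValueError(f"credential attribute {attr!r} is missing or empty")
        return credential[attr]
    return token_setting


def build_token_request(sso: Dict[str, str]) -> Dict[str, object]:
    """Shape the client credentials grant (RFC 6749 section 4.4) as data.

    Sending the request is left to the caller; this only builds it.
    """
    endpoint = sso["endpoint"]
    if not endpoint.lower().startswith("https://"):
        raise ValueError("token endpoint must be https: the client secret is in this request")
    payload = sso.get("payload", "basic")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    fields = {"grant_type": "client_credentials"}
    if payload == "basic":
        # RFC 6749 section 2.3.1: id and secret are form-urlencoded, then Basic.
        headers["Authorization"] = basic_auth_header(
            urllib.parse.quote(sso["client_id"], safe=""),
            urllib.parse.quote(sso["client_secret"], safe=""),
        )
    elif payload == "form":
        fields["client_id"] = sso["client_id"]
        fields["client_secret"] = sso["client_secret"]
    else:
        raise ValueError(f"unknown payload setting: {payload!r}")
    return {"method": "POST", "url": endpoint, "headers": headers,
            "body": urllib.parse.urlencode(fields)}


def plan_authentication(authentication: Dict[str, dict],
                        credential: Dict[str, str]) -> Dict[str, object]:
    """Map an authentication block to what IAG must send.

    Returns {"header": ...} for ba and access_token, or {"token_request": ...}
    for sso. Exactly one of the three mechanisms must be present.
    """
    chosen = [k for k in ("sso", "access_token", "ba") if k in authentication]
    if len(chosen) != 1:
        raise ValueError(f"exactly one of sso/access_token/ba must be set, got {chosen}")
    kind, cfg = chosen[0], authentication[chosen[0]]
    if kind == "ba":
        return {"header": basic_auth_header(cfg["username"], cfg["password"])}
    if kind == "access_token":
        return {"header": bearer_header(resolve_access_token(cfg["token"], credential))}
    return {"token_request": build_token_request(cfg)}


if __name__ == "__main__":
    # Constructed sample: an sso block with form payload, as in the page's Example.
    plan = plan_authentication(
        {"sso": {"endpoint": "https://idp.example.com/v1.0/endpoint/default/token",
                 "client_id": "36b-id", "client_secret": "ctZ/qQs", "payload": "form"}},
        {},
    )
    print(plan["token_request"]["body"])
```

The https check matters for both sso and ba: the client secret or password is sent on every such request, and a credential service reached over plain HTTP would leak it to anyone on the path, including the configured proxy.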
Example

```yaml
services:
  credential:
    - name: myCredService
      enc_key: "@vault-rsa.pem"
      host: ibm_app_gw.ice.ibmcloud.com
      proxy: "proxy.ibm.com:3128"
      url_pattern: "/v1.0/pwdvault/{user}/resources/{resource}"
      ssl:
        certificate:
          - "@vault-ibm-com.crt"
        server_dn: cn=vault
        sni: vault.verify.ibm.com
      user_attribute: "AZN_PRINCIPAL_ID"
      user_attribute_encoding: url
      authentication:
        sso:
          client_id: 36bxxxx-xxxx-xxxx-xxxx-xxxxxxxxxae5
          client_secret: ctZxxxxqQs
          endpoint: https://ibm_app_gw.ice.ibmcloud.com/v1.0/endpoint/default/token
          payload: form
```