
Credential Services

Description

This configuration describes an external credential service from which IAG can retrieve credentials to use for single sign-on to protected applications.

Each credential service must contain:

  • name
  • enc_key
  • host
  • url_pattern
  • user_attribute

This entry is an array and can be used to specify multiple credential services.

Properties

The following table(s) describe the configuration properties for this component:

name (string)
    The name associated with this credential service; other configuration refers to the service by this name.

enc_key (string)
    The key used to encrypt and decrypt credential data. It must be an RSA or ECDSA key for which both the private and public parts are available (the example below references a PEM file, "@vault-rsa.pem"). Anyone holding this key can decrypt the stored credentials, so protect the key file as a secret.

host (string)
    The hostname of the endpoint from which the credentials are retrieved.

port (string)
    The port of the endpoint from which the credentials are retrieved.

url_pattern (string)
    The path of the endpoint from which the credentials are retrieved. It must contain both the {user} and {resource} macros. When communicating with the credential service, IAG substitutes {user} with the encoded value of the user_attribute and {resource} with the resource name supplied in the configuration entry that refers to this credential service.

user_attribute (string; default: AZN_PRINCIPAL_ID)
    The name of the credential attribute whose value populates the {user} macro in the URL used to communicate with the credential service.

user_attribute_encoding (string; values: url, base64url; default: url)
    The encoding applied to the user_attribute value before it is inserted into the URL:
      • url: the value is URL encoded.
      • base64url: the value is Base64 encoded using the URL-safe alphabet.

ssl (SSL Object)
    SSL settings for the connection to the credential service.

authentication (AUTHENTICATION Object)
    How IAG authenticates itself to the credential service.

proxy (string)
    The proxy server used when connecting to the credential service, in the form '<server>:<port>'.

SSL Object

SSL settings for the credential service connection.

server_dn (string)
    The DN that the certificate presented by the credential service must carry. If this entry is empty, the DN is not checked and any DN is accepted.

certificate (array[string])
    PEM based personal certificate files used when communicating with the credential service. Each file should include the private key, the certificate issued for that key, and the signer certificate or signer certificate chain (if required).

sni (string)
    The server name (SNI) indicated when establishing the connection to the credential service. If this entry is empty, no name is indicated.

AUTHENTICATION Object

Controls how IAG will authenticate itself when communicating with the credential service. Only one of the following may be used at any time.

access_token (ACCESS_TOKEN Object)
sso (SSO Object)
ba (BA Object)

ACCESS_TOKEN Object

Uses an access token, sent in the Authorization header as a bearer token, when communicating with the credential service.

token (string)
    The literal access token passed as the bearer token. Alternatively, if the value is surrounded by {}, it names a credential attribute whose value is used as the bearer token.

SSO Object

Uses the OAuth client credentials flow to retrieve an access token, which is then used when communicating with the credential service.

client_id (string)
    The client identifier to use during the OAuth client credentials flow.

client_secret (string)
    The client secret to use during the OAuth client credentials flow.

endpoint (string)
    The endpoint called to obtain the access token used in requests to the credential service. The endpoint should conform to the OAuth client credentials flow (OAuth 2.0, RFC 6749, section 4.4).

payload (string; default: basic)
    How the client id and secret are sent to the token endpoint:
      • form: the client id and secret are included in the form POST data.
      • basic: a basic authentication header is constructed from the client id and secret.

BA Object

Uses basic authentication when communicating with the credential service.

username (string)
    The username used to perform basic authentication to the credential service.

password (string)
    The password used to perform basic authentication to the credential service.
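
The URL substitution and the three authentication variants are easier to see in code. The following is an added example written for this page, not IAG's implementation: it builds the request that a credential service entry describes, using constructed attribute values, hostnames and secrets. It assumes https as the scheme, that {resource} is percent-encoded like {user}, that base64url padding is stripped, and that the client credentials request carries grant_type=client_credentials as RFC 6749 section 4.4 requires; the page states none of these.

```python
"""Added example (not IAG code): reproduce the request a credential service
entry makes IAG build, so the effect of each setting is visible."""
import base64
import urllib.parse

# Constructed credential attributes for an authenticated user. AZN_PRINCIPAL_ID
# is the page's default user_attribute; the second name is illustrative only.
SAMPLE_CREDENTIAL = {
    "AZN_PRINCIPAL_ID": "alice@example.com",
    "tagvalue_access_token": "eyJhbGciOi...",
}


def encode_user(value, encoding="url"):
    """Apply user_attribute_encoding to the user attribute value.

    'url' percent-encodes every reserved character; 'base64url' uses the
    RFC 4648 URL-safe alphabet. Assumption: padding is stripped (the page
    does not say whether IAG keeps it)."""
    if encoding == "url":
        return urllib.parse.quote(value, safe="")
    if encoding == "base64url":
        return base64.urlsafe_b64encode(value.encode("utf-8")).decode("ascii").rstrip("=")
    raise ValueError(f"unsupported user_attribute_encoding: {encoding}")


def build_url(service, resource, credential):
    """Substitute {user} and {resource} into url_pattern and prefix host/port.

    Both macros are mandatory, so a pattern missing one is rejected instead of
    silently fetching the wrong entry. Assumptions: {resource} is percent-encoded
    too, and the scheme is https."""
    pattern = service["url_pattern"]
    missing = [m for m in ("{user}", "{resource}") if m not in pattern]
    if missing:
        raise ValueError(f"url_pattern must contain {', '.join(missing)}")
    user = credential[service.get("user_attribute", "AZN_PRINCIPAL_ID")]
    encoding = service.get("user_attribute_encoding", "url")
    path = pattern.replace("{user}", encode_user(user, encoding))
    path = path.replace("{resource}", urllib.parse.quote(resource, safe=""))
    port = service.get("port")
    netloc = service["host"] + (f":{port}" if port else "")
    return f"https://{netloc}{path}"


def auth_header(service, credential, sso_token=None):
    """Build the Authorization header for the configured authentication method.

    Exactly one of ba, access_token and sso may be set. For access_token a
    value wrapped in {} names a credential attribute; otherwise it is literal.
    For sso the caller first posts token_request() and passes the returned
    access token as sso_token."""
    auth = service.get("authentication", {})
    if len(auth) != 1:
        raise ValueError("exactly one of access_token, sso, ba must be configured")
    if "ba" in auth:
        raw = f"{auth['ba']['username']}:{auth['ba']['password']}".encode("utf-8")
        return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}
    if "access_token" in auth:
        token = auth["access_token"]["token"]
        if token.startswith("{") and token.endswith("}"):
            token = credential[token[1:-1]]
        return {"Authorization": f"Bearer {token}"}
    if sso_token is None:
        raise ValueError("sso: obtain a token via token_request() first")
    return {"Authorization": f"Bearer {sso_token}"}


def token_request(sso):
    """The OAuth 2.0 client credentials request (RFC 6749 section 4.4) sent to
    `endpoint`; `payload` decides where the client id and secret travel.
    Assumption: grant_type=client_credentials is always in the body, as the RFC
    requires. The access_token in the JSON reply becomes the bearer token."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "client_credentials"}
    payload = sso.get("payload", "basic")
    if payload == "basic":
        raw = f"{sso['client_id']}:{sso['client_secret']}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    elif payload == "form":
        body["client_id"] = sso["client_id"]
        body["client_secret"] = sso["client_secret"]
    else:
        raise ValueError(f"unsupported payload: {payload}")
    return {"method": "POST", "url": sso["endpoint"], "headers": headers,
            "body": urllib.parse.urlencode(body)}


if __name__ == "__main__":
    # Constructed service entry mirroring the shape of the page's example.
    service = {
        "host": "vault.example.com", "port": "8443",
        "url_pattern": "/v1.0/pwdvault/{user}/resources/{resource}",
        "user_attribute_encoding": "base64url",
        "authentication": {"sso": {"client_id": "iag", "client_secret": "pw",
                                   "endpoint": "https://idp.example.com/token",
                                   "payload": "form"}},
    }
    print(build_url(service, "payroll app", SAMPLE_CREDENTIAL))
    print(token_request(service["authentication"]["sso"]))
```

Running the module shows the base64url form of the principal in the path and a form-encoded token request with no Authorization header; switching payload to basic moves the client id and secret into a Basic header and leaves only grant_type in the body.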

Example

    services:
      credential:
        - name: myCredService
          enc_key: "@vault-rsa.pem"
          host: ibm_app_gw.ice.ibmcloud.com
          proxy: "proxy.ibm.com:3128"
          url_pattern: "/v1.0/pwdvault/{user}/resources/{resource}"
          ssl:
            certificate:
              - "@vault-ibm-com.crt"
            server_dn: cn=vault
            sni: vault.verify.ibm.com
          user_attribute: "AZN_PRINCIPAL_ID"
          user_attribute_encoding: url
          authentication:
            sso:
              client_id: 36bxxxx-xxxx-xxxx-xxxx-xxxxxxxxxae5
              client_secret: ctZxxxxqQs
              endpoint: https://ibm_app_gw.ice.ibmcloud.com/v1.0/endpoint/default/token
              payload: form