9.1.0

• Home

Table of Contents

• System Admin Guide
  • Alarms
    • Overview
      • Terminology
      • The Alarm Object
      • Sliding Window Alarms
      • Managing Alarms
      • Notifications
      • Clusters
    • Alarm Types
      • Expiry
      • Failed Authentication
      • Failed Communication
      • Failed Connection
      • Slow Connection
    • Alarm Handlers
      • Email Notifier
      • Webhook Notifier
      • Slack Notifier
      • PagerDuty Notifier
    • Testing Alarms
      • Testing Alarms using the Web UI
      • Testing Alarms using the CLI
      • Verifying the alarm
  • Attribute Transformers
    • Regex Transformer
      • Regex transformation examples
    • Data Source Transformer
      • Data Source Transformation example
    • Script Transformer
  • Audit
    • Configuration
      • Logger
      • File Appender
      • Database Appender
      • Batching Log Messages for performance
    • Audit Data
      • Mandatory
      • Optional
    • Audit Events
      • profile-added
      • token-introspected
      • refresh-token-issued
      • refresh-token-revoked
      • access-token-issued
      • access-token-revoked
      • id-token-issued
      • initial-dcr-access-token-issued
      • initial-dcr-access-token-consumed
      • initial-dcr-access-token-revoked
      • dcr-client-registered
      • user-info
      • authorization-code-issued
      • authorization-code-consumed
      • delegation-issued
      • delegation-revoked
      • account-created
      • accounts-linked
      • account-activated
      • scim-account-updated
      • scim-account-created
      • scim-account-deleted
      • access-token-authentication
      • client-authentication-success
      • client-authentication-failure
      • cat-verification-failed
      • logout
      • user-authentication-success
      • user-sso-authentication-success
      • sso-session-created
      • bc-authentication-start
      • bc-authentication-success
      • bc-authentication-failure
  • Authorization Managers
    • Groups Authorization Manager
      • Group Rules
    • Scope Authorization Manager
      • Policies, Actions and Rules
      • Configuration
      • Use with OpenID Connect User Info
    • Attribute Authorization Manager
      • Configuration
      • Limitations
      • Examples
  • Credential Managers
    • User Account Credentials
    • Credential Policies
      • Data source requirements
  • Cryptography
    • Configuring certificates
    • Configuring private keystores
      • Using an action to add a keystore
      • Preparing the keystore for embedding in an XML configuration document
    • Converting KeyStores (keystore-entry) into correct PKCS12 format
      • Usage of the convertks script
    • Working with PKCS1 private keys
    • Hardware Security Module
      • Entering a PIN
      • Configuring the HSM
      • Debugging the PKCS#11 Provider
    • EdDSA support
  • Data Sources
    • Overview
      • Configuration Strategy
      • Data Source Usage
    • JDBC
      • Table management
      • Database maintenance
      • Quoted identifiers
      • Configuration
      • Clustering
      • Connection Pool Metrics
      • Credential Data Access
      • MySQL and MariaDB
      • Microsoft SQL Server
      • PostgreSQL and CockroachDB
      • Oracle
      • HsqlDB
    • LDAP
      • LDAP for Account and Credential Data Access
      • LDAP for Attribute Data Access
      • Use-case for configuring an LDAP backend for HTML Forms authenticator
      • Connection Pool
    • SCIM
      • SCIM 1.1
      • SCIM 2.0
    • JSON / REST Data Source
      • Configuration
    • DynamoDB
      • Table management
      • Database maintenance
      • User Management Service
      • Credential Data Access
      • Configuration
    • Multi-zone
      • Configuration
  • Deployment
    • Cluster
      • Two Node Setup
      • Standalone Admin Setup
      • Asymmetric Setup
    • Scalability
    • Creating a Cluster
      • Preparing Configuration
      • Setup Nodes
      • Service Role
      • Viewing Connected Nodes
      • Cluster Lifecycle
    • Deploying with Docker
      • Building a Docker Container
      • Running with docker-compose
    • Multi-region Deployments
      • Authorization flows - Front-channel
      • Authorization flows - Back-channel
      • Data sources
  • Email Providers
    • SMTP Email Provider
      • DomainKeys Identified Mail
    • Configure Email Provider for a Service
  • Http Clients
    • Introduction
    • HTTP Client Configuration
      • Scheme
      • Connection Pool
      • Caching
      • Authentication
      • TLS (encryption)
      • Proxies
    • Metrics
  • Logging
    • Log Levels
    • Configuration Overview
    • Appenders
      • Standard Out
      • Cluster Log
      • Request Log
      • Audit Log
      • Metrics
    • Loggers
    • Logging Incorrect Cookies
    • Masking
    • Shipping Logs
    • Log4j Scripting Languages
    • Files Not Configurable by Log4j
      • Configuration Service Logs
  • Monitoring
    • JMX
    • Tracing
    • Zulu Flight Recorder
      • Starting a Recording Manually
      • Starting a Recording from the Command Line
      • Starting a Recording on Startup
    • Status Endpoint
      • Command line tool
    • Prometheus-compliant Metrics
      • Common Alerts
      • Configuration
  • Scripting
    • Introduction to scripts
      • Procedures during authentication
      • Procedures during token issuance and processing
    • Configuring Scripts
      • Script Types
      • Preparations
      • Configuring using etc/init
      • Writing Scripts
  • Server Events
    • Event Listener Types
      • Script EventListeners
      • EventListener Plugins
    • Types of Events
  • SMS Providers
    • Twilio Sms Provider
    • REST Sms Provider
  • Transport Layer Security
    • Server Name Indication
  • Upgrading
    • Upgrading from 7.0.X to 7.1.0
      • HAAPI DPoP improved processing
      • Template and message updates
    • Upgrading from 7.1.X to 7.2.0
      • SDK Changes
      • Logging Changes
    • Upgrading from 7.2.X to 7.3.0
      • Authentication Action Attributes
    • Upgrading from 7.3.X to 7.4.0
      • Email templates in Authentication Actions
      • Startup script changes
      • User Management with GraphQL
      • DynamoDB schema changes
    • Upgrading from 7.4.X to 7.5.0
      • HTTP Client Default Timeouts
    • Upgrading from 7.5.X to 7.6.0
      • Systemd config file update
      • New SAML Authenticator
    • Upgrading from 7.6.X to 8.0.0
      • Upgrading the XML Configuration
      • Authorization custom token procedures update
      • DynamoDB schema changes
      • WebAuthn authenticator
      • HAAPI capability and use of legacy DPOP
      • Microsoft SQL Server JDBC driver
      • Changes to HAAPI responses
      • Password-based PBES2 JWE algorithms
      • Windows Connector Failover Update
    • Upgrading from 8.0.X to 8.1.0
      • Database Changes
      • Custom Token Issuers
      • Email Authenticator
    • Upgrading from 8.1.X to 8.2.0
      • User consent template
      • SDK Changes
      • Token Procedure Plugin Configuration
      • Claims
    • Upgrading from 8.2.X to 8.3.0
    • Upgrading from 8.3.X to 8.4.0
      • SDK
      • Database Changes
      • Deprecation notice
      • Logging Incorrect Cookies
    • Upgrading from 8.4.X to 8.5.0
      • Template Changes
      • Deprecation notice
    • Upgrading from 8.5.X to 8.6.0
      • Deprecation notice
    • Upgrading from 8.6.X to 8.7.0
      • Hypermedia API external browser flow
      • HAAPI authorization code and refresh token binding
    • Upgrading from 8.7.X to 9.0.0
      • JDBC data source - database schema changes
      • User management
      • Service name
      • Attribute Authorization Manager
      • Updates on Docker images
      • SDK changes
      • Events and audit data
      • Token Issuers Data Sources
      • Custom Claims
      • Database client change
      • HTML Forms authenticator
      • Logging Incorrect Cookies
      • SAML Authenticator removal
    • Upgrading from 9.0.X to 9.1.0
      • JDBC data source
      • HTML Forms authenticator
      • SDK changes
    • General Upgrade Procedure
      • Preparing the upgrade
      • Performing the upgrade
      • After the Upgrade
  • DevOps Dashboard
    • Enabling the DevOps Dashboard
    • Requirements of an OAuth Client
    • Group Access
    • Availability
  • System Requirements
    • Operating Systems
    • Minimum Hardware Requirements
    • Recommended Hardware Setup
    • Hypermedia Authentication API
    • Browsers
    • Database
    • User Repositories
    • Networking
    • Hardware Security Module
    • File Encoding
    • HTTP
    • TLS
  • JVM Configuration
    • Changing JVM Settings in the Admin UI
    • Changing the JVM Settings with the CLI
  • Go-live Checklist
    • General System
    • Related Systems
    • All Profile Types
    • Authentication
    • Token Service
    • User Management
    • Configuration
    • Clustering
  • CORS
  • Cross Site Requests
• Authentication Service Admin Guide
  • Overview
    • Authenticators
    • Actions
    • Single Sign-On (SSO)
    • Logout
    • Account Domains
    • Validation Procedures
    • Authenticator Filters
    • Service Providers
    • Protocol Plugins
    • Automatic login
  • Defining an Authentication Service Profile
    • Preparing the Authentication Service Profile
      • Pre-requisite configuration
    • Base Configuration of an Authentication Service Profile
      • Example Create request
  • Authenticators
    • Overview of Authenticators
      • Authenticator purpose
      • Authenticator Base Configuration
      • Multi-factor configuration for Authentication
      • Back-channel Authenticators
    • BankID
      • Integrating with BankID
      • Kinds of BankIDs
      • Trusted BankID Provider
      • Authentication flows
      • Configuration settings
      • BankID Version 6 API
      • BankID on the Phone
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
      • Launch behavior
      • Change specific browser behavior
      • Disable autostart
      • Debugging the templates
    • Duo
      • Configuration Settings
      • Creating a New Authenticator
      • Logging In
    • Dynamic Authenticator
      • Configuration
      • Delegate Authenticator
      • Dynamic Configuration Source
      • Configuration Example
      • Example Use-case
    • Email
      • Base Configuration
      • Using as standalone factor (single factor)
      • Using as second or N-th factor
      • Using an Intermediate Attribute
      • Hyperlink
      • Inactive Accounts
      • Configuration
    • Encap
      • Basic Configuration
      • Registration During Login
      • Additional Information Before Registration
      • Automatic Login
    • Entrust IDaaS
      • Creating an App in Entrust
      • Creating a new Authenticator
    • Facebook Authenticator
      • Configuring Facebook
      • The Redirect URI
      • The Data Deletion Request Callback URL
      • Configuration in the Authentication Service
    • Google Authenticator
      • Configuring Google
      • The Redirect URI
      • Configuration in the Authentication Service
    • HTML Forms Authenticator
      • Paths
      • Validation Scripts
      • Email Provider
      • Automatic Login
      • Password Only
      • Remember Me
      • Binding Message
      • Configuration
    • OpenID Connect Authenticator
      • The Redirect URI
      • JWKS Endpoint
      • Configuration
    • OpenID Wallet
      • Configuring OpenID Wallet Authenticator
      • Anonymous JWKS Endpoint
      • Further Reading
    • Passkeys
      • Configuring a Passkeys authenticator
      • Registering devices
      • Hypermedia Authentication API
      • iOS Domain Association
      • Android Domain Association
      • Known limitations
    • PingFederate IdP Adapter Authenticator
      • Authentication Flow
      • Configuration
    • PingFederate
    • SAML2
      • Paths
      • Validation Scripts
      • Configuration
      • SAML2 dynamic authenticator
      • Known limitations
    • Sign in with Apple
      • Configuring a Sign in with Apple Service
      • Setting up the authenticator
    • SITHS
      • Configuring an Authenticator
    • SMS OTP
      • Base Configuration
      • Using as standalone factor (Single factor)
      • Using as second or N-th factor
      • Using an Intermediate Attribute
      • SMS OTP in OTP mode
      • SMS OTP in Hyperlink mode
      • Registration
      • Automatic Login
      • Configuration
    • TOTP - Time base One Time Password
      • Configuring an Authenticator
      • Configuring for pre-shared keys
      • Configuring for generated keys
      • Automatic Login
    • Twitter
      • Creating an App in Twitter
      • Configuring the Twitter Authenticator
    • Username
      • Configuration
      • Source Code
    • WebAuthn
      • Device Types
      • Configuring a WebAuthn authenticator
      • Registering devices
      • User Interaction for platform devices
      • Hypermedia Authentication API
      • iOS Domain Association
      • Android Domain Association
      • Known limitations
    • Windows
      • Installing the Windows Connector
      • Configuring an Authenticator
      • Configuring the Windows Connector
      • Troubleshooting
  • Authentication Actions
    • Overview
      • Login Actions
      • SSO Actions
      • Actions and Action Completions
      • Action attributes
    • Attribute Prompt Action
      • Configuration
      • Localization
    • Auto Create Account
      • Creating accounts
      • Configuration
      • Default Values in the account
      • Errors
    • Auto Link Accounts
      • Overview
      • Configuration
      • Advanced
      • User Confirmation
    • Bundle Action
      • Configuration
    • Conditional Multi-Factor
      • Attribute Enable Condition
      • Attribute ACR Condition
      • Subject Condition
      • Client Property Condition
      • Subject Check
    • Copy Attribute
      • Configuration
    • Data Source Transformer Action
      • Transforming values using data source values
      • Include additional values from datasource
      • Configuration
    • Date/Time Deny Action
    • Debug Attribute Action
    • Deny Action
      • Configuration
    • Geolocation Allow or Deny Country Action
      • Configuration
    • Geolocation Changed Country Action
      • Configuration
    • Geolocation Impossible Journey Action
      • Configuration
    • Geolocation New Country Action
      • Configuration
    • Lookup Account
    • Lookup Links Action
      • Overview
      • Configuration
    • Opt-In MFA
      • Registering a New Factor
      • Managing Factors
      • Recovery Codes
      • Single Sign-On of second factors
      • Configuration
    • Regular Expression Transformer Action
      • Transforming values using regular expressions
      • Excluding attributes
      • Renaming attributes
      • Configuration
    • Remove Attribute Transformer Action
      • Configuring attributes for removal
    • Request Acknowledgement
      • Localization
      • Configuration
    • Require Active Account
      • Configuration
    • Reset Password
      • Configuration
      • Example Usage
      • Errors
    • Resolve Account Link
      • Overview
      • Configuration
    • Restart Action
      • Configuration
    • Script Transformer Action
      • Transforming values using script procedures
      • Configuration
    • Selector
      • Configuration
    • Send Email Action
      • Configuration
      • Templates
    • Sequence Action
      • Configuration
    • Set Attribute
      • Configuration
    • Signup
      • Configuration
    • Switch Action
      • Conditions
      • Configuration
    • Time-based Deny Action
    • Update Account
      • Configuration
    • Zone Transfer
      • Configuration
      • Errors
  • Multi-Factor Authentication
    • Using a chain of authenticators
      • More than two factors
      • Single Sign-On and Multi-Factor
      • Freshness and Forced Authentication
      • Using the ACR Parameter
    • Using a Multi-Factor Authentication Action
  • Account Linking
    • Basic Concepts
      • Example of Linking with Facebook
      • Example of Linking with Facebook as Second authenticator
    • Resolving Links
    • Looking up Links
    • Common Linking Flows
      • Linking a foreign account and adding links to the result
      • Linking using the foreign authenticator and resolving immediately
      • Linking using the local authenticator, resolving on next login with foreign
      • Linking two foreign accounts using auto create account
      • Linking two foreign accounts using auto create & resolving on next login
  • Protocol Plugins
    • PingFederate
      • Configuring PingFederate
      • Adapter Configuration
      • Configuring the Authentication Service
    • SAML
      • SAML protocol
      • Configuring the Authentication Service
      • Service Provider (App) integration
      • Federation Server integration
      • SAML Logout
  • Account Manager
    • Registration - Create account
    • Username is Email
  • Service Providers
    • Introduction
    • Managing Service Providers in the Admin UI
    • Framable User Interface
      • Multiple values for ‘allowed-origins’
      • Origin URI pattern format
    • Original Query retry integration
      • Example
      • Example OAuth Client
    • Third Party Cookies
      • Steps to Integrate Preflighting
      • Advanced Preflight behaviour
      • Disabling the Preflight Resource
  • Authenticator Filters
    • User-Agent Authenticator Filter
    • CIDR Authenticator Filter
    • Script Authenticator Filter
    • Geolocation Authenticator Filter
  • Single Sign-On
    • Requirements for SSO
    • Session Duration
      • Session cookies vs Persisted Cookies
      • Database persisted session
      • Expiration
      • Example
    • Overriding SSO
      • Freshness
      • Forcing authentication
  • Automatic Login
    • Authenticator Availability
  • Logout
    • Endpoint
    • Redirect After Logout
      • Using configuration
      • Using query parameter
    • Configuration
  • Geolocation
    • Geolocation Database File
    • Geolocation Actions
      • Geolocation Allow or Deny Country Action
      • Geolocation Changed Country Action
      • Geolocation Impossible Journey Action
      • Geolocation New Country Action
    • Geolocation authenticator filter
    • Geolocation authenticator settings
• Token Service Admin Guide
  • Introduction to the Token Service
  • Defining an OAuth Profile
    • Preparing the OAuth Profile
      • OpenID Connect
      • Pre-requisite configuration
    • Base Configuration of an OAuth Profile
      • Example create request
  • OAuth Flows
    • Code
      • Proof Key for Code Exchange
    • Implicit
    • Client Credentials
    • Resource Owner Password Credentials
    • OpenID Connect Hybrid Flows
    • OpenID Connect CIBA Flow
      • Signed Authentication Request
    • Token Exchange
    • Assisted Token
    • Refresh
    • Revoke
    • Introspect
      • Introspect with application/jwt as accept header
    • Json Web Key Set (JWKS)
    • Device Authorization Flow
    • Assertion Flow
      • Token reuse
    • Logout Flow
  • Using the device flow
    • Configuration
    • Endpoints
      • Device Authorization
      • UserCode Verification
      • Token Endpoint
    • Token Procedures
    • Templates
  • Scopes and Claims
    • Adding a scope to the profile
    • Adding a scope to a client
    • Scope Lifetime
    • Required scopes
    • Prefix scopes
      • Customizing prefix scope templates and messages
    • Claims of a scope
    • Claims I/O
    • Claim configuration
      • Claim mappers
      • Claim value providers
      • Configuring a claim
  • Configuring OAuth User Authentication
  • OpenID Connect
    • Metadata
    • The “claims” request parameter
    • Issuing pseudonymous subject identifiers
      • Client settings
      • Profile settings
      • Sector Identifier for Dynamic Client Registration
  • OAuth Metadata
  • OpenID Connect Metadata
  • Dynamic Client Registration
    • Architectural Overview of Dynamic Client Registration
      • Deployments and Configurations
      • Initial Access Token
      • Registration
      • Registration Based on a Template Client
      • Registration Based on a Non-templatized Client
    • Enabling Dynamic Client Registration
    • Dynamic Client Registration Management (DCRM)
      • Client Certificates and DCRM
      • DCRM Management Clients
    • Dynamic Client Management With GraphQL
    • Dynamic Client Registration API
      • Templatized Dynamic Client Registration
      • Non-Templatized Dynamic Client Registration
    • Custom Client Properties
  • Database Client Management
    • Database Client VS DCR
    • Enabling Database Clients
    • Configuring a Data Source
    • Create a Database Client Endpoint
    • Authorization Access
    • Managing Database Clients in the DevOps Dashboard
    • Configuring Clients
    • Warnings
    • Database Client Limitations
  • OAuth Client Configuration
    • Client Capabilities
      • Hybrid Capabilities
    • User Authentication
    • Client Authentication
      • Client Secret
      • Client Assertion
      • Secondary authentication
    • Client Framability
      • Examples
    • Redirect URI validation
      • Validation policies
      • Using Validate Port on Loopback Interfaces and Allow Per Request Redirect URIs (deprecated)
  • Issuing OAuth and OpenId Connect Tokens
    • Default Token Issuers
    • Custom Token Issuers
    • More on Wrapped Opaque Tokens
    • Encrypted ID Tokens
  • OAuth Endpoint Reference
    • Anonymous
    • Authorize
    • Assisted Token
    • Introspect
    • Revoke
    • Token
    • User Info
    • Dynamic Client Registration
    • Database Client Management
    • Device Authorization
    • OpenID Connect Sessions
    • Backchannel Authentication
    • Verifiable Credentials
  • User Consent
    • Consenting to requested claims
      • Example
    • Asking for consent
      • Example user consent gathering
      • Example with prompt
    • Enabling user consent
    • The user consent template
      • Example claim localization
      • Showing prefix scopes
    • Consentors
  • Consentors
    • BankID
      • Integrating with BankID
      • Signing Consent Data
      • QR Code
      • Asking user for personal number
      • Signing cancellation
      • Configuration settings
      • BankID Consentor Response
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
    • Profile configuration
    • Client configuration
    • Consentor selection
    • Consentor templates
    • Consentor result
  • Mutual TLS Authentication
    • TLS termination
    • Binding certificates to tokens
    • Trusted certificates
      • Trust by PKI
      • Trust by a pinned certificate
    • DN comparison
    • Subject Alternative Name
    • Configuring Mutual TLS
      • Proxy terminated Mutual TLS
      • Direct terminated Mutual TLS
      • Configuring trust
    • Reverse Proxy Server Setup
      • Generic Reverse Proxy Server Setup
      • Setting Up NGINX As a Reverse Proxy Server
      • Setting Up HAProxy As a Reverse Proxy Server
      • Setting Up Apache HTTPD 2.x As a Reverse Proxy
    • Non-Templatized Dynamic Client Registration using Mutual TLS
      • OrganizationIdentifier
      • Match only organizationIdentifier
  • OpenID Connect Issuer Discovery
  • Financial-grade Security
    • JWT Secured Authorization Request (JAR)
    • Pushed Authorization Requests
    • Request Object Handling
    • JWT Security Authorization Response Mode (JARM)
    • Encrypted ID Tokens
  • Session Management and Logout
    • Session Endpoint
    • Logout
      • Logout Notification
    • OpenId Connect specifications for Session Management and Logout
  • Token Procedure Plugins
    • Configuring and using Token Procedure Plugins
    • Developing Token Procedure Plugins
      • Using Custom Token Issuers
      • Using Custom Token Introspecters
  • Verifiable Credential Issuance
    • Pre-authorized Code Flow
      • Pre-authorized Code and User PIN Issuance
    • Rich Authorization Requests (RAR) support
    • Formats and data models
    • Endpoints
      • Token procedures
    • Credential Request Handling
      • Subject and issuer DID methods
      • Token Issuers
      • Authorization Requests
    • Configuration Model Summary
    • Configuration Example
• User Management Admin Guide
  • Overview
    • SCIM 2.0
      • Users
      • Devices
      • Delegations
      • External ID
      • Custom claims
    • GraphQL
      • Queries and Mutations
      • Introspection
      • Authorization
      • Custom Attributes
      • Data Sources
      • More Details
    • OAuth Protected
  • Defining a User Management Service Profile
    • Preparing the User Management Service
      • Pre-requisite configuration
    • Step by step guide to setup a User Management Service
      • 1. Add the profile
      • 2. Select OAuth Service
      • 3. Select User Account Data Source
      • 4. Select OAuth Delegations Data Source
      • 5. Setting up the endpoints
      • 6. Exposing the Endpoints on a Service (node)
      • 7. Commit the changes
    • Password validation
    • Username updates
• Developer Guide
  • Authentication Service
    • Authenticators
      • Authenticators
    • Endpoints
      • Authentication Endpoint
      • Registration Endpoint
      • Anonymous endpoint
      • Authenticators
  • OAuth Service
    • Web Clients
      • Assisted Token JavaScript API
    • CORS on the OAuth Server
      • Default CORS Enabled Endpoints
      • Endpoints that Can be CORS Enabled
  • Data Sources
    • Using SCIM v1.1 as Data Source
      • Client Authentication
      • Required SCIM operations
    • JSON Data Source
      • Credential verification
      • Attribute Provider
      • Bucket Access
      • Authentication
  • SMS REST Client
    • Sending a message
    • Response and Errors
    • Authentication
  • Email Provider Plugin
    • SMTP Plugin’s message contents rendering
  • Front-End Development
    • Introduction
    • Understanding the Templating System
      • The Template Override System
      • Overrides
      • Template Areas
      • Serving templates via the anonymous endpoint
      • Error templates
      • Common Template Variables
      • Authentication Service Template Variables
      • Never Remove CSP
    • Using the UI Builder
      • Setting up the environment
      • Running the previewer
      • Working with Velocity variables
      • Overriding templates
      • Working with template areas
      • Working with translations
      • Building
    • Customizing the Look and Feel
      • Creating Custom Themes in the Admin UI
      • How to create your custom theme in UI Builder
      • How to work with Sass
      • Themes
      • Using External Web Fonts
      • Compiling Assets
      • How to work with the settings file
    • Localizing Resources
      • About Locales
      • Using localized messages in templates
      • Message keys
      • Message lookup
      • Message Files Format
      • Using plugin-specific messages in re-usable templates
    • Secure Iframing
      • Pre-requisites
    • API Driven UI
  • Scripting Guide
    • Credential Transformation Procedures
      • Function
      • Examples
    • EventListener procedures
      • Configuring EventListener Procedures
      • Common API
      • EventListener functions
    • Filter procedures
      • Function
      • Common API
      • API
    • Global Scripts
      • Common API
      • Global Constants
    • Token procedures
      • Issuing tokens
      • Token Procedure Function Signature
      • Including Request Parameters Values
    • Token Procedure API
      • Context
    • Token Procedure Examples
      • Overview
      • Assisted Token Endpoint
      • Authorize Endpoint
      • Introspection Endpoint
      • Token Endpoint
      • UserInfo Endpoint
    • Transformation Procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Userinfo procedures
      • Common API
      • Claims
      • Common API
      • Function
      • Return Value
      • Examples
    • Validation procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Pre-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Post-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Common Procedure API
      • Common Procedure Objects
      • Procedure Context object
      • Common Operations Examples
    • Developing Procedures
      • Logging
      • Exceptions
  • Plugins
    • Access to the Curity Release Repository
    • Plugin Installation
      • Classpath considerations
    • Basic structure of a plugin
      • SmsSender Plugin Example
    • Managed Objects
    • Plugin Services
      • Service Restrictions by Plugin Type
      • Service Restrictions in ManagedObject
    • Cross-site Plugin Handlers
    • Java Version
    • Server-Provided Dependencies
      • SLF4J Logging API
      • Bean Validation API
      • Hibernate Validator Engine
      • Kotlin Standard Library
    • Serialization
  • Hypermedia Authentication API
    • Introduction
    • Access control
      • Client attestation
      • Android client attestation configuration
      • iOS client attestation configuration
      • Browser (Web) client attestation configuration
      • Disabling attestation for testing purposes
      • Debugging Web CAT problems
    • Authorization code and refresh token binding
    • Flow state management
    • API Driven UI
    • Examples
      • Example - Username and password based authentication
      • Example - Encap authentication with device registration
      • Example - Using an external browser
    • SDK
      • HAAPI Android SDK
      • HAAPI iOS SDK
      • HAAPI Web SDK
  • Curity SDKs
    • Java Plugin SDK
    • HAAPI Android SDK
    • HAAPI iOS SDK
    • HAAPI Web SDK
  • GraphQL APIs
    • Using Access Tokens
    • Introspecting the Schema
    • Using Queries
    • Mutation Errors
    • DynamoDB limitations
      • User Management service limitations
      • Dynamic Client Registration service limitations
      • Database Client limitations
    • GraphQL error for unsupported features
• Configuration Guide
  • Overview
    • Transactional configuration
    • Rollbacks and history
    • Factory default
    • Mandatory, optional and default parameters
    • Configuration interfaces
      • Service Roles
      • Profiles
      • Endpoints
      • Using Endpoints in Service Roles
    • Commit Hooks
  • RESTCONF API
    • General Concepts
    • RESTCONF Endpoint
      • URIs
    • RESTCONF Operations
    • Querying Data
    • Rollback using RESTCONF
    • Invoking YANG Actions Using RESTCONF
    • Message Encoding
    • Authentication
  • Command Line Interface
    • Connect to the CLI
    • Modes in the CLI
      • View mode
      • Configuration mode
    • Basic Usage
      • Viewing the configuration
      • Changing the configuration
      • Applying the configuration
      • Rollback changes
    • Advanced Usage
      • Moving through the configuration using Edit
      • Showing selected values only
      • Exporting configuration
      • Loading configuration
      • Multiline Edit Mode
    • Scripting and automation
  • Commit Hooks
    • Commit Hook CLI Scripts
    • Commit Hook Scripts
  • Encrypted Configuration
    • Setup Encryption
      • Defining a key during installation
    • Defining Encryption Key on Startup
    • Change Encryption Key
      • Re-encrypting custom Plugin configuration
  • Backing Up the Configuration
    • Using the idsvr Command
    • Using the idsh Command
    • Using the Web UI
    • Using the RESTCONF API
  • Restoring a Saved Configuration
    • Using the idsvr Command
  • Restoring the Initial Configuration
    • Preserving the Configuration Database
    • Deleting the Configuration Database
      • 1. Stop the admin node
      • 2. Remove the running datastore
      • 3. Check the min-conf.xml and key-conf.xml
      • 4. Making sure the default procedures are in place
      • 5. Make sure the appropriate certificates are initialized
      • 6. Start the admin node
  • Parameterized XML Configuration
    • Example:
    • Default Values
    • Using startup.properties
  • Access Control
    • Defining Rules in the Admin UI
      • Rules for the DevOps Dashboard
    • Enforcement of Access Control Rules
  • Configuration Reference
    • Alarms
      • Control
      • Alarm-inventory
      • Summary
      • Alarm-list
      • Shelved-alarms
      • Alarm-profile
    • Environment
      • Localization
      • White-listed-proxies
      • Cluster
      • Admin-service
      • Themes
      • Zones
      • Service-role
      • Runtime-service
      • Reporting
      • Alarms
    • Profile
      • Authentication-service
      • Authorization-server
      • User-management-service
      • Endpoints
      • Token-issuers
    • Facilities
      • Cache
      • Client
      • Data-source
      • Email-provider
      • Sms-provider
      • Crypto
      • Caching-services
      • Client-attestation
    • Processing
      • Token-procedure
      • Global-script
      • Validation-procedure
      • Transformation-procedure
      • Filter-procedure
      • Event-listener-procedure
      • Claims-provider-procedure
      • Credential-transformation-procedure
      • Pre-processing-procedure
      • Post-processing-procedure
      • Authorization-manager
      • Event-listener
      • Account-manager
      • Credential-manager
      • Credential-policies
    • Base Types
    • Type Reference
      • Types
      • Identities
• Glossary

Cryptography

This chapter contains information how to manage the crypto configuration of the Identity Server.

Configuring certificates

To add new certificates to the crypto configuration, you can have the admin node of the server have certificate files read from etc/init upon server startup. The accepted files are PEM- or DER-encoded X509-certificates, that are named with the appropriate file extension (i.e. .pem, .der, .cer or .crt). As certificates are always used with a particular purpose, an ordering is applied based on the directory that contains the particular certificate file. When a certificate is imported, the filename (without the extension) is used as its id.

The following directory structure is used:

directory	certificate purpose
etc/init/crypto/ssl-server-truststore	a trusted server certificate used when setting up SSL/TLS connections. Imported in /facilities/crypto/ssl/server-truststore
etc/init/crypto/signature-verification	a certificate that can can be used to verify a digital signature. Imported in /facilities/crypto/signature-verification-keys
etc/init/crypto/signer-truststores	an issuer certificate that can be used to verify a digital signature from an upstream authentication provider. Imported in /facilities/crypto/signer-truststores

Example:

The X509-certificate stored as etc/init/crypto/ssl-server-truststore/www.example.com.der is imported in /facilities/crypto/ssl/server-truststore with an id www.example.com.

Note

This mechanism only allows adding new or replacing existing certificates in the configuration. To delete a certificate from configuration, please see Server Configuration overview.

Important

The server needs to be started with the appropriate start-up arguments to consider reloading configuration files, please for more information please see Server Configuration overview.

Configuring private keystores

As opposed to adding new certificates to the configuration, adding a keystore with a private key involves other actions than adding a certificate with just a public key, as a private key is usually transported with some layer of protection. There are two approaches for adding a new keystore to the configuration. The first method interacts with the configuration service, that validates and adds a given keystore into a running configuration. The other method is for preparing a keystore to be used in an XML-snippet that can be loaded by the server when it is configuring.

Both methods rely on starting with a private key that is stored in a base64-encoded PKCS12 or JKS file format.

Note

You can use tools like openssl to convert between existing keystore formats, or to create new key pairs. If you need to create a new RSA key pair, for example, you can use the following commands to create a new PKCS12 keystore with a 2048 bits RSA key pair, that is base64-encoded:

$ openssl req -x509 -sha256 -newkey rsa:2048 -keyout curity.key -out curity.crt -days 365
$ openssl pkcs12 -export -name curity -in curity.crt -inkey curity.key -out curity.p12
$ openssl base64 -in curity.p12 -out curity.p12-b64

Using an action to add a keystore

A keystore can be added through the CLI.

Before getting into the CLI, prepare the base64-encoded file with the keystore to eliminate chunked lines and make it a one-liner. You can do that using the tr command line tool to do this:

$ tr -d '\n' < curity.p12-b64

The output is something you want to copy into your clipboard for use in the CLI.

Next, get in to the CLI . Once you have connected, enter the following command to add the new signing key:

request facilities crypto add-signing-key-keystore id new-signing-key-alias

Replace new-signing-key-alias with the desired id of the new keystore.

The CLI will ask for a value for keystore; here you should paste the contents of the base64-encoded keystore (e.g. the contents of the curity.p12-b64 file). Also enter the password that protects the PKCS12 keystore. The interaction should look something like this:

admin@my-host% request facilities crypto add-signing-key-keystore id new-signing-key-alias-from-cli
Value for 'keystore' (<string, min: 1 chars>): MIILAAIBAzCCCsYGCSqGSIb3DQEHAaC....qA7KxkOQQIsHfJOFKfsQECAggA
Value for 'password' (<string, min: 1 chars>): Password1
status true

(keystore contents abbreviated for readability).

For a list of all possible actions that can be used to manage (i.e. add/replace) keystores, type request facilities crypto in the CLI and then press tab for autocomplete. This will list actions with their descriptions.

admin@my-host% request facilities crypto
Possible completions:
  add-decryption-key-keystore    - This action adds a new Server SSL key to the configuration
  add-encryption-key-keystore    - This action adds a new Server SSL key to the configuration
  add-signature-verification-key - This action adds a new Signature verification key to the configuration
  add-signer-truststore          - This action adds a new signer truststore to the configuration
  add-signing-key-keystore       - This action adds a new signing key to the configuration
  add-ssl-client-keystore        - This action adds a new SSL client key to the configuration
  add-ssl-client-truststore      - This action adds a new Client SSL truststore to the configuration
  add-ssl-server-keystore        - This action adds a new Server SSL key to the configuration
  add-ssl-server-truststore      - This action adds a new Server SSL truststore to the configuration
  apply-csr-response             - This action sets a certificate chain into a key store
  generate-csr                   - This action generates a CSR (Certificate Signing Request) from a keystore with a private key and a certificate
  generate-signing-key-keystore  - This action creates and adds a new signing key to the configuration
  generate-ssl-server-keystore   - This action creates and adds a new Server SSL key to the configuration

These actions can also be invoked using the RESTCONF API. See the Invoking YANG Actions Using RESTCONF section for more information on how to do that.

Preparing the keystore for embedding in an XML configuration document

In case you are preparing an XML configuration file, you can use the conversion tools to process a PKCS12 keystore into the data that can be used to configure the crypto facilities of the Curity Identity Server. See the section on Converting KeyStores (keystore-entry) into correct PKCS12 format.

The output of the conversion, a base64-encoded string, can be used in an XML-snippet:

Listing 26 Sample signing key configuration configuration

<config xmlns="http://tail-f.com/ns/config/1.0">
    <facilities xmlns="https://curity.se/ns/conf/base">
        <crypto>
            <signing-keys>
                <signing-key>
                    <id>default-signing-key</id>
                    <keystore>MIILAAIBAzCCCsYGCSqGSIb3DQEHAaC....qA7KxkOQQIsHfJOFKfsQECAggA</keystore>
                </signing-key>
            </signing-keys>
        </crypto>
    </facilities>
</config>

(keystore contents abbreviated for readability).

This XML can be added to the configuration in $IDSVR_HOME/etc/init and reloaded using the normal procedure.

Converting KeyStores (keystore-entry) into correct PKCS12 format

In Curity, private keys are stored in a pre-defined format in the configuration. To facilitate the conversion to this format, a convertks script is available in the bin directory of the Identity Server distribution.

The resulting key can be configured in the crypto-section as ssl/server-keystore, ssl/client-keystore, signing-keys, encryption-keys and decryption-keys.

Usage of the convertks script

The convertks script helps with processing a base64-encoded keystore, pick one Private Key entry out of that keystore, and write it as sole Entry in a new KeyStore. The output of the script is a base64-encoded version of this KeyStore.

There are two main ways of using the script, either by providing the input keystore as argument, or by providing it as a file.

The convertks script can show all its options when you invoke it with:

$ convertks --help

Provide KeyStore through command-line

Given a base64-encoded KeyStore (i.e. “MIInputKeystore”) that is protected with a KeyStore-password ‘KeyStorePassword’, containing an entry with an alias of ‘InputEntryAlias’ that is protected with password ‘InputEntryPassword’, the convertks script can be invoked with the following commandline:

$ convertks --in-password KeyStorePassword --in-alias InputEntryAlias --in-entry-password InputEntryPassword --in-keystore MIInputKeystore

Note: if entry-password is the same as password of the keystore, it can be omitted in the argument list.

This will output the KeyStore in the correct format to the console. If the output needs to be written to a file instead, add the --out-file parameter with the appropriate filename. The script will be silent.

Note that if any required argument is not provided, the script will prompt for it.

Using stdin

Instead of providing the keystore on the commandline itself, it can also be provided through stdin, i.e. with a command like:

$ cat "MIInputKeystore" | convertks --in-password KeyStorePassword --in-alias InputEntryAlias --in-entry-password InputEntryPassword

Provide KeyStore through file

If the base64-encoded KeyStore is stored in a file, this procedure is the same as above, but the --in-keystore parameter that provides the KeyStore must be replaced with the --in-file argument that contains the name of the file. Given that the file is “current-keystore-base64.txt”, the convertks script can be invoked with the following commandline:

$ convertks --in-password KeyStorePassword --in-alias InputEntryAlias --in-entry-password InputEntryPassword --in-file current-keystore-base64.txt --out-file new-keystore-base64.txt

Note: if entry-password is the same as password of the keystore, it can be omitted in the argument list.

This will output the KeyStore in the correct format to the file new-keystore-base64.txt

If there is no --out-file argument provided, the new keystore will be shown in the console.

Working with PKCS1 private keys

There are plenty of keystore formats that are used throughout, one of which is specified in the PKCS#1 specification in RFC 8017. A major drawback for PKCS#1 keystores is the fact that they can only contain one key, which makes it more difficult to manage, as the Curity Identity Server prefers to use keystores with private- and public keys (or certificates) combined.

Note

When certificates are obtained from Let’s Encrypt using the getssl script, the resulting files are two PKCS#1 files.

As a consequence, to use PKCS#1 keys and certificates, they must be processed outside Curity so they can be configured using the Admin UI or other means. Converting the PKCS#1 key material into a Curity supported format can be done with tooling like for example openssl. This section will walk through the steps needed to perform the conversions to produce a singular keystore that can be used with Curity Identity Server.

Hint

When looking inside the contents of a PEM-encoded file, you can tell that it is a PKCS#1 formatted private key when the file starts with -----BEGIN RSA PRIVATE KEY-----. A PKCS#8 formatted file would start with -----BEGIN PRIVATE KEY-----.

Given there are two files, a private key in one file (e.g. curity.example.com.key) and a certificate in another file (e.g. curity.example.com.crt), you can use the following commands to convert these into one file in the PKCS#8 format, that can be used directly with the Curity Identity Server to import:

Listing 27 Use openssl to convert PKCS#1 files into a PKCS#8 keystore file

$ openssl pkcs8 -in "curity.example.com.key" -topk8 -out "curity.example.com.key.pkcs8" -nocrypt
$ cat curity.example.com.key.pkcs8 curity.example.com.crt > curity.example.com.pkcs8

The commands above produce a file curity.example.com.key.pkcs8 that can be used in the same way that a PKCS#12 file can be used to configure Curity Identity Server using the instructions from Configuring private keystores.

Hardware Security Module

This section describes the setup of a Hardware Security Module (HSM) in the Curity Identity Server. Curity interfaces with an HSM using PKCS#11. This means that some kind of shared library is needed which provides this PKCS#11 capability. This is typically provided by the manufacturer of the HSM. Once an HSM is configured, keys can be used from the HSM. It is not required that all keys, public or private, reside on the HSM. It is possible to configure Curity to use some keys from its own configuration and others from the HSM. This can be especially helpful during testing, but can be useful even in production when it is desirable to configure the public keys in Curity rather than fetch them from the HSM (which may only be accessible over a network connection).

SSL, signature verification keys (public keys), signing keys, trust anchors, and client keys can all be configured to be stored on the HSM. When configuring a keystore, the admin just needs to specify that the key is located on the HSM. The admin node need not have access to the HSM; only run-time nodes that will use the keys housed in the HSM need access to the unit. This may be a subset of the run-time nodes depending on your deployment. There is currently no way to test the connectivity of the HSM from the admin node because it is assumed that this node won’t have access to an HSM.

In order for a key to be accessible to Curity, the HSM must contain not only a public key but also a certificate; without this, the key will not be found at run-time by Curity. The certificate can be self-signed, but it may also be signed by a trusted authority. The only algorithm supported at this time is RSA; elliptic curve and DSA keys cannot be used.

Entering a PIN

In order for each Curity run-time node to access keys on an HSM, they will need to login. This is done using a PIN or pass phrase. There are four ways to provide this PIN to Curity:

1. On the command line using the -i flag with the PIN as an argument (e.g., idsvr -i 11223344)
2. On the command line using the -i flag with a file as an argument where that file contains the PIN (e.g., idsvr -i ~/.hsm-pin)
3. On the command line using only the -i flag and entering the PIN when prompted
4. Using the environment variable IDSVR_HSM_PIN.

If the -i flag is used with a PIN as an argument (as in the first or second option above), then the admin will not need to interactively provide one. When provided directly on the command line, the PIN will be included in the output of ps and other such tools; to avoid this, the second option of reading the PIN from a file can be used. With this option, the file can be a symlink or pipe as well. The third option of providing the PIN through an environment variable may also make it accessible to such tools. If the PIN is set interactively, it will only be resident in the node’s memory and not accessible from outside tools (like ps). This method requires interactive input from an admin on the console during startup, however.

Configuring the HSM

Before any keystore can be configured as one residing in the HSM, the configuration for the unit must be defined. This is done by setting at least the path to the shared library that provides PKCS#11 support. This can be done using any of the management interfaces. For detailed information on the HSM-related settings, refer to the configuration reference.

Configuring the HSM in the GUI

To configure an HSM using the admin UI, navigate to the System ‣ General page. On this page, there is a section labeled Hardware Security Module. By default, this is toggled off, as shown in Fig. 20:

Fig. 20 The HSM is toggled off (i.e., disabled) by default

Once it is toggled on, various settings can be configured. As shown in Fig. 21, the two that are required are some sort of identifier or name and the path (as it will be on any run-time node that uses the HSM) to the shared library that provides the PKCS#11 implementation.

Fig. 21 The HSM can be toggled on and then the required settings and some optional ones can be configured

Either the slot list index or slot ID must be configured as well. By default, the list index is selected with a value of 0, but this can be changed as needed. The values will depend on the PKCS#11 provider used with the HSM. For example, to get this information with OpenSC, the pkcs11-tool command can be used as shown in Listing 28:

Listing 28 Getting information about the slots to use with OpenSC’s pkcs11-tool

$ pkcs11-tool -I
Cryptoki version 2.20
Manufacturer     OpenSC Project
Library          OpenSC smartcard framework (ver 0.17)
Using slot 0 with a present token (0x0)

To make the HSM as compatible with Curity as possible, the Include Compatibility Attributes option should be toggled on. If this poses a problem, select attributes can be enabled using the Mechanisms option. This option allows certain PKCS#11 mechanics to be enabled or disabled as needed. Valid mechanisms can be found in the PKCS#11 reference guide; any unrecognized value will cause the unit to be inaccessible and a warning to be logged.

Configuring the HSM in the CLI

The CLI can also be used to configure the HSM. For example, enter configuration mode and set it as shown in Listing 29:

Listing 29 Typical example of configuring an HSM using the CLI

admin@prod-curity1% set facilities crypto hardware-security-module library /usr/local/lib/opensc-pkcs11.so

To delete the HSM configuration, just issue the command delete facilities crypto hardware-security-module and commit the change.

Debugging the PKCS#11 Provider

To get more information from the underlying PKCS#11 provider, you can pass the --debug-hsm flag to the idsvr command. This will cause all PKCS#11 keystore-related and provider-based messages to be written to the server log. You can also specify -Djava.security.debug=sunpkcs11,pkcs11keystore,pkcs11 in the JVM options of a certain node. If this method is used, the extra provider-related debugging information will be output after the node is restarted. When using this tactic, it can be helpful to include provider in the comma-separated list of debug message sources together with sunpkcs11, pkcs11keystore, and pkcs11. To set these and provider via the command-line, do not use the the --debug-hsm parameter; instead, pass it via the JAVA_OPTS environment variable when starting the idsvr command (e.g., JAVA_OPTS=-Djava.security.debug=sunpkcs11,pkcs11keystore,pkcs11,provider idsvr).

Some HSM providers, like OpenSC, include a proxy library that logs all access to the PKCS#11 module. To use such an interceptor, configure the proxy library as the one that Curity should use. In the case of OpenSC, in particular, the library that is being proxied needs to be set via an environment variable. This can be done from the shell when starting the idsvr command (e.g., PKCS11SPY=/usr/local/lib/opensc-pkcs11.so idsvr). In the same way, other environment variables of OpenSC’s can be set before invoking idsvr; for instance, the environment variable, OPENSC_DEBUG, can be set to some debug level, like 9, which results in trace-level debug messages being printed to the server log.

EdDSA support

The EdDSA algorithm is based on Edwards Curves, and its use with JOSE is standardized by RFC 8037. The Curity Identity Server fully supports the Ed25519 and Ed448 signature algorithms for digital signature creation and validation.

Contrary to RSA and Elliptic Curve algorithms, EdDSA explicitly specifies the hashing algorithm to use when calculating signatures, hence the signature algorithm name for the two EdDSA algorithms (Ed25519 and Ed448) is the same for both, i.e. EdDSA. The actual signature algorithm that is used to create or verify signatures must be derived from the accompanying key.

Listing 30 Example of a JWT header that is signed with EdDSA

{
  alg: 'EdDSA',
  x5t: 'ZRNic4l1nEsFtyu0BDTL4sbF0eo'
}

In the above JWT header, the x5t field points to the certificate that contains an EdDSA key. If that key is using the Ed25519 key algorithm, it should be validated using the Ed25519 signature algorithm.

Note that RFC 8037 profiles EdDSA for the PureEdDSA variants of Ed25519 and Ed448, and therefore does not use the Ed25519ph, Ed25519ctx` or Ed448ph variants.