  1. OpenAM
  2. OPENAM-13739

Organization Authentication Signing Secret use should be better mentioned.

    Details

    • Sprint:
      2018.11 - Docs 6.5

      Description

      Currently, the Organization Authentication Signing Secret is just a note like this:

      https://backstage.forgerock.com/docs/am/6/authentication-guide/#session-state-configure-cookie-security

      Organization Authentication Signing Secret
          Specifies a cryptographically-secure random-generated HMAC shared secret for signing RESTful authentication requests. When users attempt to authenticate to the XUI, AM signs a JSON Web Token (JWT) containing this shared secret. The JWT contains the authentication session ID, realm, and authentication index type value, but does not contain the user's credentials.
          When modifying this value, ensure the new shared secret is Base-64 encoded and at least 128 bits in length.
          ssoadm attribute: iplanet-am-auth-hmac-signing-shared-secret 
      

      However, with the many types of HMAC signing, including the ones in https://backstage.forgerock.com/docs/am/6/authentication-guide/#global-session-client-based-sessions, where there is also HMAC signing and a corresponding section dedicated to it, https://backstage.forgerock.com/docs/am/6/authentication-guide/#client-based-sessions, the main role of "Organization Authentication Signing Secret" is not quite explicitly clear.

      RFE
      Maybe it would be good to indicate, say in https://backstage.forgerock.com/docs/am/6/authentication-guide/#sec-rest-authentication (or related), that the "Organization Authentication Signing Secret" is used to sign the AuthId (in contrast to the Client-based session, which is the authenticated session and is not really an AuthId).
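
The attribute text quoted in the description asks for a Base64-encoded HMAC secret of at least 128 bits, and the RFE ties that secret to signing the AuthId JWT. The following is an added sketch, not code from this issue or from AM, that validates a candidate secret and shows that an AuthId-style token signed under one secret fails verification under another; HS256, the claim names and every function name are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

MIN_SECRET_BITS = 128  # minimum length stated in the quoted documentation

def new_signing_secret(n_bytes=32):
    """Return a Base64-encoded random secret (256 bits by default)."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")

def decode_secret(b64_secret):
    """Decode a candidate secret; reject bad Base64 or fewer than 128 bits."""
    try:
        raw = base64.b64decode(b64_secret, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("secret is not valid Base64") from exc
    if len(raw) * 8 < MIN_SECRET_BITS:
        raise ValueError(f"secret is {len(raw) * 8} bits, need >= {MIN_SECRET_BITS}")
    return raw

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def sign_auth_id(claims, b64_secret):
    """Build a compact HS256 JWT over the claims (no user credentials in it)."""
    key = decode_secret(b64_secret)
    header = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = b64url(json.dumps(claims, sort_keys=True).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_auth_id(token, b64_secret):
    """Return True only if the token's signature matches under this secret."""
    key = decode_secret(b64_secret)
    parts = token.split(".")
    if len(parts) != 3:
        return False
    # The algorithm is fixed here; the header's "alg" value is never trusted.
    expected = b64url(hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest())
    return hmac.compare_digest(expected.encode(), parts[2].encode())

# Constructed sample claims; the field names are assumptions for illustration.
SAMPLE_CLAIMS = {"sessionId": "constructed-auth-session-id", "realm": "/", "authIndexType": "service"}
```

Under this model, a token signed before the secret is changed no longer verifies afterwards.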

            People

            • Assignee:
              cristina.herraz Cristina Herraz
              Reporter:
              chee-weng.chea C-Weng C