- Audience Manager Guide
- Evolution guide to Real-Time CDP
- Overview
- Features
- Addressable Audiences
- Administration
- Algorithmic Models
- Audience Lab
- Audience Marketplace
- Customer Data Feeds
- Data Explorer
- Data Export Controls
- Data Sources
- Declared IDs
- Derived Signals
- Destinations
- Destinations Overview
- Destinations Home Page
- Adobe Experience Cloud Destinations
- People-Based Destinations
- Device-Based Destinations (Server-to-Server)
- Custom Destinations
- Destinations Reference
- Profile Merge Rules
- Profile Merge Rules Overview
- Getting Started with Profile Merge Rules
- Profile Merge Rules Dashboard
- Profile Merge Rule Options Defined
- General Use Cases for Profile Merge Rules
- Profile Link Device Graph Use Cases
- External Device Graph Use Cases
- Report Metrics for Profile Merge Rules
- Profile Merge Rules and Device Un-Segmentation Processes
- Instant Cross-Device Suppression
- Segments
- Segments: Purpose, Composition, and Rules
- Segments List View
- Segment Summary View
- Retrieving Segment Metadata
- Paused and Deleted Segments
- Recency and Frequency
- Segment Builder
- Code Syntax Used in the Segment Expression Editor
- Trait and Segment Population Data in Segment Builder
- Trait Recommendations
- Trait and Segment Qualification Reference
- Traits
- Traits Overview
- Trait Details Page
- Traits Dashboard
- Active Audience Traits and Data Source Synced Traits
- Folder Traits: About
- Manage Folder Traits
- Trait Builder
- Trait Storage
- Accuracy and Reach
- Classifying Traits with a Common Taxonomy
- Name Requirements for Key Variables
- Segment and Trait Time-to-Live Explained
- Prefix Requirements for Key Variables
- Geotargeting With Platform-level Keys
- Device Targeting With Platform-level Keys
- Sample Expressions With Boolean and Comparison Operators
- Trait and Segment Qualification Reference
- Visitor Profile Viewer
- Reporting
- Reports Overview
- Reports Dashboard
- General Reports
- Trend Reports
- Audience Optimization Reports
- Interactive and Overlap Reports
- Interactive and Overlap Reports Overview
- Trait-to-Trait Overlap Report
- Segment-to-Trait Overlap Report
- Segment-to-Segment Overlap Report
- Unused Signals Report
- Improve Log File Processing Times with Lookup Tables
- Filter Report Results With the Data Sliders
- Overlap Reports: Update Schedule and Minimum Segment Size
- CSV Files for Overlap Reports
- Report Technology
- Onboarding Status Report
- Outbound File History
- Counting Unique Users in Overlap and General Reports
- Data Sampling and Error Rates in Selected Audience Manager Reports
- API and SDK Code
- API and SDK Code Overview
- Audience Manager API Code Migration
- Data Collection Server (DCS) API Methods and Code
- REST APIs
- REST APIs Overview
- Getting Started with REST APIs
- Algorithmic API Methods
- Data Integration Library API Methods
- Data Source API Methods
- Derived Signals API Methods
- Destination API Methods
- Domain Management API Methods
- Folder API Methods
- Segment API Methods
- Taxonomic API Methods
- Trait API Methods
- Trait Type Methods
- User, Group, and Permissions Management API Methods
- DCS Region API Methods
- SDK Code
- Data Integration Library (DIL) API
- Implementation and Integration Guides
- Implementation and Integration Guides
- Data Integration Methods
- Integrate Google Ad Manager using Google Publisher Tags (GPT)
- Integrating with Third-Party Destinations
- Implementing Audience Manager
- Media Data Integration
- Receiving Audience Data
- Sending Audience Data
- Sending Audience Data
- Real-Time Inbound Data Integration
- Batch Data Transfer Process
- Batch Data Transfer Process Described
- Send Batch Data to Audience Manager Overview
- ID Synchronization for Inbound Data Transfers
- Name and Content Requirements for ID Synchronization Files
- Inbound Data File Contents: Syntax, Invalid Characters, Variables, and Examples
- Amazon S3 Name and File Size Requirements for Inbound Data Files
- FTP Name and File Size Requirements for Inbound Data Files
- File PGP Encryption for Inbound Data Types
- File Compression for Inbound Data Transfer Files
- Sample Message to Partners after Inbound Processing
- Leverage Amazon S3 Cross-Account Bucket Permissions for Your Inbound Files
- Custom Partner Integrations
- Integration with Adobe Experience Platform
- Integration with Other Experience Cloud Applications
- Reference
- Reference Overview
- Amazon S3: About
- Advertiser Use Cases
- Publisher Use Cases
- Beta Environment
- Boolean Expressions in Trait and Segment Builder
- Bulk Management Tools
- CID Replaces DPID and DPUUID
- How Data Delivery and File Processing Times Affect Reports
- Index of IDs in Audience Manager
- Key-Value Pairs Explained
- Password Requirements, Locked Accounts, and Forgotten Passwords
- Signals, Traits, and Segments
- Supported Browsers
- System Components
- Style Conventions for Code and Text Elements
- Time Zones in Audience Manager
- TLS 1.0 and 1.1 Deprecation
- Understanding Calls to the Demdex Domain
- Visitor Authentication States in Audience Manager
- FAQs
- Audience Manager FAQ Overview
- API FAQ
- Audience Lab FAQ
- Customer Data Feed FAQ
- Data Collection and Product Integration FAQ
- Inbound Customer Data Ingestion FAQ
- Privacy and Data Retention FAQ
- People-Based Destinations FAQ
- Product Features and Functions FAQ
- Profile Merge Rules and Device Graph FAQ
- Look-Alike Modeling FAQ
- Predictive Audiences FAQ
- Targeting FAQ
- Reporting FAQ
- Help and Legal
- Top Customer Support Issues
- Overview
- Why did my Onboarded trait populations drop to 0 around October 15th?
- Why do my traits or segments not show up in the Overlap Reports page?
- Why are our Read-Only users able to create, edit or delete traits and segments?
- We are not an Audience Manager customer, but see the Audience Manager Javascript calls on our site
- Should I see my Audience Manager Audience Lab mapped segments on the destination details page?
- Documentation Updates
- Glossary
Digitally Signed HTTP(S) Requests
Audience Manager requires the HTTP(S) server-to-server requests to be digitally signed for validity. This document describes how you can sign HTTP(S) requests with private keys.
Overview
Using a private key provided by you and shared with Audience Manager, we can digitally sign the HTTP(S) requests that are sent between IRIS and your HTTP(S) server. This ensures:
- Authenticity: only the sender that has the private key (IRIS) can send valid
HTTP(S)messages to the partner. - Message integrity: with this approach, even on
HTTP, you are protected from a man in the middle attack where the messages get distorted.
IRIS has built-in support to rotate the keys with zero downtime, as shown in the Rotating the private key section below.
Information you need to provide
For an HTTP(S) real-time server-to-server destination, contact your Audience Manager consultant and specify:
- The key used to sign the request.
- The name of the
HTTP(S)header that will hold the generated signature (X-Signature in the example header below). - Optional: the type of hash used for the signature (md5, sha1, sha256).
* Connected to partner.website.com (127.0.0.1) port 80 (#0)
> POST /webpage HTTP/1.1
> Host: partner.host.com
> Accept: */*
> Content-Type: application/json
> Content-Length: 20
> X-Signature: +wFdR/afZNoVqtGl8/e1KJ4ykPU=
POST message content
How it works
- IRIS creates the
HTTP(S)message to be sent to the partner. - IRIS creates a signature based on the
HTTP(S)message and the private key communicated by the partner. - IRIS sends the
HTTP(S)request to the partner. This message contains the signature and the actual message, as seen in the example above. - The partner server receives the
HTTP(S)request. It reads the message body and the signature received from IRIS. - Based on the message body received and the private key, the partner server recalculates the signature. See the How to calculate the signature section just below on how to achieve this.
- Compare the signature created on the partner server (receiver) with the one received from IRIS (sender).
- If the signatures match, then the authenticity and message integrity have been validated. Only the sender, who has the private key, can send a valid signature (authenticity). Moreover, a man in the middle can’t modify the message and generate a new valid signature, since they don’t have the private key (message integrity).
How to calculate the signature
HMAC (Hash-based message authentication code) is the method used by IRIS for message signing. Implementations and libraries are available basically in every programming language. HMAC has no known extension attacks. See an example in Java below:
// Message to be signed.
// For GET type HTTP(S) destinations, the message used for signing will be the REQUEST_PATH + QUERY_STRING
// For POST type HTTP(S) destinations, the message used for signing will be the REQUEST_BODY.
// String getData = "/from-aam-s2s?sids=1,2,3";
String postData = "POST message content";
// Algorithm used. Currently supported: HmacSHA1, HmacSHA256, HmacMD5.
String algorithm = "HmacSHA1";
// Private key shared between the partner and Adobe Audience Manager.
String key = "sample_partner_private_key";
// Perform signing.
SecretKeySpec signingKey = new SecretKeySpec(key.getBytes(), algorithm);
Mac mac = Mac.getInstance(algorithm);
mac.init(signingKey);
byte[] result = mac.doFinal(postData.getBytes());
String signature = Base64.encodeBase64String(result).trim();
// signature = +wFdR/afZNoVqtGl8/e1KJ4ykPU=
The RFC for the HMAC hash implementation is https://www.ietf.org/rfc/rfc2104.txt. A test site: https://asecuritysite.com/encryption/hmac (note that you have to convert the hex encoding to base64).
Rotating the private key
To rotate the private key, partners must communicate the new private key to their Adobe Audience Manager consultant. The old key is removed from Audience Manager and IRIS only sends the new signature header. The keys have been rotated.
Data used for signing
For GET type destinations, the message used for signing will be the REQUEST_PATH + QUERY STRING (e.g. /from-aam-s2s?sids=1,2,3). IRIS does not take into account the hostname or HTTP(S) headers - these can be modified / misconfigured along the path or reported incorrectly.
For POST type destinations, the message used for signing is the REQUEST BODY. Again, headers or other request parameters are ignored.
Resources
Adobe Account
Change language
Copyright © 2023 Adobe. All Rights Reserved.
