alarms
The top container for this module.
alarms/control
Configuration to control the alarm behavior.
/alarms/control
union
(default: 32)
The ‘status-change’ entries are kept in a circular list per alarm. When this number is exceeded, the oldest status change entry is automatically removed. If the value is ‘infinite’, the status-change entries are accumulated infinitely.
enumeration all-state-changes, raise-and-clear, severity-level
enumeration
all-state-changes, raise-and-clear, severity-level
(default: all-state-changes)
This leaf controls the notifications sent for alarm status updates. There are three options: 1. Notifications are sent for all updates, severity-level changes, and alarm-text changes. 2. Notifications are only sent for alarm raise and clear. 3. Notifications are sent for status changes equal to or above the specified severity level. Clear notifications shall always be sent. Notifications shall also be sent for state changes that make an alarm less severe than the specified level. For example, in option 3, assume that the severity level is set to major and that the alarm has the following state changes: [(Time, severity, clear)]: [(T1, major, -), (T2, minor, -), (T3, warning, -), (T4, minor, -), (T5, major, -), (T6, critical, -), (T7, major. -), (T8, major, clear)] In that case, notifications will be sent at times T1, T2, T5, T6, T7, and T8.
severity indeterminate, warning, minor, major, critical
severity
indeterminate, warning, minor, major, critical
(optional)
Only send notifications for alarm-state changes crossing the specified level. Always send clear notifications.
alarms/control/alarm-shelving
The ‘alarm-shelving/shelf’ list is used to shelve (block/filter) alarms. The conditions in the shelf criteria are logically ANDed. The first matching shelf is used, and an alarm is shelved only for this first match. Matching alarms MUST appear in the /alarms/shelved-alarms/shelved-alarm list, and non-matching /alarms MUST appear in the /alarms/alarm-list/alarm list. The server does not send any notifications for shelved alarms. The server MUST maintain states (e.g., severity changes) for the shelved alarms. Alarms that match the criteria shall have an operator state ‘shelved’. When the shelf configuration removes an alarm from the shelf, the server shall add the operator state ‘un-shelved’.
alarms/control/alarm-shelving/shelf{name} (keys ['name'])
Each entry defines the criteria for shelving alarms. Criteria are ANDed. If no criteria are specified, all alarms will be shelved.
/alarms/control/alarm-shelving/shelf{name}
string
(mandatory)
An arbitrary name for the alarm shelf.
An optional textual description of the shelf. This description should include the reason for shelving these alarms.
resource-match
(multi-value) (optional)
Shelve alarms for matching resources.
alarms/control/alarm-shelving/shelf{name}/alarm-type{alarm-type-id, alarm-type-qualifier-match} (keys ['alarm-type-id', 'alarm-type-qualifier-match'])
Any alarm matching the combined criteria of ‘alarm-type-id’ and ‘alarm-type-qualifier-match’ MUST be matched.
/alarms/control/alarm-shelving/shelf{name}/alarm-type{alarm-type-id, alarm-type-qualifier-match}
alarm-type-id
Shelve all alarms that have an ‘alarm-type-id’ that is equal to or derived from the given ‘alarm-type-id’.
An XML Schema regular expression that is used to match an alarm type qualifier. Shelve all alarms that match this regular expression for the alarm type qualifier.
alarms/alarm-inventory
The ‘alarm-inventory/alarm-type’ list contains all possible alarm types for the system. If the system knows for which resources a specific alarm type can appear, it is also identified in the inventory. The list also tells if each alarm type has a corresponding clear state. The inventory shall only contain concrete alarm types. The alarm inventory MUST be updated by the system when new alarms can appear. This can be the case when installing new software modules or inserting new card types. A notification ‘alarm-inventory-changed’ is sent when the inventory is changed.
alarms/alarm-inventory/alarm-type{alarm-type-id, alarm-type-qualifier} (keys ['alarm-type-id', 'alarm-type-qualifier'])
An entry in this list defines a possible alarm.
/alarms/alarm-inventory/alarm-type{alarm-type-id, alarm-type-qualifier}
The statically defined alarm type identifier for this possible alarm.
alarm-type-qualifier
The optionally dynamically defined alarm type identifier for this possible alarm.
boolean
This leaf tells the operator if the alarm will be cleared when the correct corrective action has been taken. Implementations SHOULD strive for detecting the cleared state for all alarm types. If this leaf is ‘true’, the operator can monitor the alarm until it becomes cleared after the corrective action has been taken. If this leaf is ‘false’, the operator needs to validate that the alarm is no longer active using other mechanisms. Alarms can lack a corresponding clear due to missing instrumentation or no logical corresponding clear state.
A description of the possible alarm. It SHOULD include information on possible underlying root causes and corrective actions.
Optionally, specifies for which resources the alarm type is valid.
This leaf-list indicates the possible severity levels of this alarm type. Note well that ‘clear’ is not part of the severity type. In general, the severity level should be defined by the instrumentation based on the dynamic state, rather than being defined statically by the alarm type, in order to provide a relevant severity level based on dynamic state and context. However, most alarm types have a defined set of possible severity levels, and this should be provided here.
alarms/summary
This container gives a summary of the number of alarms.
empty
This is a hint to the operator that there are active alarm shelves. This leaf MUST exist if the /alarms/shelved-alarms/number-of-shelved-alarms is > 0.
alarms/summary/alarm-summary{severity} (keys ['severity'])
A global summary of all alarms in the system. The summary does not include shelved alarms.
/alarms/summary/alarm-summary{severity}
Alarm summary for this severity level.
gauge32
Total number of alarms of this severity level.
Total number of alarms of this severity level that are not cleared.
For this severity level, the number of alarms that are cleared.
For this severity level, the number of alarms that are cleared but not closed.
For this severity level, the number of alarms that are cleared and closed.
For this severity level, the number of alarms that are not cleared but closed.
For this severity level, the number of alarms that are not cleared and not closed.
alarms/alarm-list
The alarms in the system.
/alarms/alarm-list
This object shows the total number of alarms in the system, i.e., the total number of entries in the alarm list.
date-and-time
A timestamp when the alarm list was last changed. The value can be used by a manager to initiate an alarm resynchronization procedure.
alarms/alarm-list/alarm{resource, alarm-type-id, alarm-type-qualifier} (keys ['resource', 'alarm-type-id', 'alarm-type-qualifier'])
The list of alarms. Each entry in the list holds one alarm for a given alarm type and resource. An alarm can be updated from the underlying resource or by the user. The following leafs are maintained by the resource: ‘is-cleared’, ‘last-change’, ‘perceived-severity’, and ‘alarm-text’. An operator can change ‘operator-state’ and ‘operator-text’. Entries appear in the alarm list the first time an alarm becomes active for a given alarm type and resource. Entries do not get deleted when the alarm is cleared. Clear status is represented as a boolean flag. Alarm entries are removed, i.e., purged, from the list by an explicit purge action. For example, purge all alarms that are cleared and in closed operator state that are older than 24 hours. Purged alarms are removed from the alarm list. If the alarm resource state changes after a purge, the alarm will reappear in the alarm list. Systems may also remove alarms based on locally configured policies; this is out of scope for this module.
/alarms/alarm-list/alarm{resource, alarm-type-id, alarm-type-qualifier}
The timestamp when this alarm entry was created. This represents the first time the alarm appeared; it can also represent that the alarm reappeared after a purge. Further state changes of the same alarm do not change this leaf; these changes will update the ‘last-changed’ leaf.
(default: false)
True if this alarm was triggered by a self test operation. Self test alarms do not indicate any issues in the system.
resource
The alarming resource. See also ‘alt-resource’. This could be, for example, a reference to the alarming interface
This leaf and the leaf ‘alarm-type-qualifier’ together provide a unique identification of the alarm type.
This leaf is used when the ‘alarm-type-id’ leaf cannot uniquely identify the alarm type. Normally, this is not the case, and this leaf is the empty string.
Indicates the current clearance state of the alarm. An alarm might toggle from active alarm to cleared alarm and back to active again.
An alarm may change severity level and toggle between active and cleared during its lifetime. This leaf indicates the last time it was raised (‘is-cleared’ = ‘false’).
A timestamp when the ‘status-change’ or ‘operator-state-change’ list was last changed.
The last severity of the alarm. If an alarm was raised with severity ‘warning’ but later changed to ‘major’, this leaf will show ‘major’.
alarm-text
The last reported alarm text. This text should contain information for an operator to be able to understand the problem and how to resolve it.
alarms/alarm-list/alarm{resource, alarm-type-id, alarm-type-qualifier}/operator-state-change{time} (keys ['time'])
This list is used by operators to indicate the state of human intervention on an alarm. For example, if an operator has seen an alarm, the operator can add a new item to this list indicating that the alarm is acknowledged.
/alarms/alarm-list/alarm{resource, alarm-type-id, alarm-type-qualifier}/operator-state-change{time}
Timestamp for operator action on the alarm.
The name of the operator that has acted on this alarm.
operator-state
The operator’s view of the alarm state.
Additional optional textual information provided by the operator.
Used if the alarming resource is available over other interfaces. This field can contain SNMP OIDs, CIM paths, or 3GPP distinguished names, for example.
alarms/alarm-list/alarm{resource, alarm-type-id, alarm-type-qualifier}/related-alarm{resource alarm-type-id alarm-type-qualifier} (keys ['resource alarm-type-id alarm-type-qualifier'])
References to related alarms. Note that the related alarm might have been purged from the alarm list.
/alarms/alarm-list/alarm{resource, alarm-type-id, alarm-type-qualifier}/related-alarm{resource alarm-type-id alarm-type-qualifier}
leafref /alarms/alarm-list/alarm/resource
leafref
/alarms/alarm-list/alarm/resource
The alarming resource for the related alarm.
leafref /alarms/alarm-list/alarm[resource=current()/../resource]/alarm-type-id
/alarms/alarm-list/alarm[resource=current()/../resource]/alarm-type-id
The alarm type identifier for the related alarm.
leafref /alarms/alarm-list/alarm[resource=current()/../resource][alarm-type-id=current()/../alarm-type-id]/alarm-type-qualifier
/alarms/alarm-list/alarm[resource=current()/../resource][alarm-type-id=current()/../alarm-type-id]/alarm-type-qualifier
The alarm qualifier for the related alarm.
Resources that might be affected by this alarm. If the system creates an alarm on a resource and also has a mapping to other resources that might be impacted, these resources can be listed in this leaf-list. In this way, the system can create one alarm instead of several. For example, if an interface has an alarm, the ‘impacted-resource’ can reference the aggregated port channels.
Resources that are candidates for causing the alarm. If the system has a mechanism to understand the candidate root causes of an alarm, this leaf-list can be used to list the root-cause candidate resources. In this way, the system can create one alarm instead of several. An example might be a logging system (alarm resource) that fails; the alarm can reference the file system in the ‘root-cause-resource’ leaf-list. Note that the intended use is not to also send an alarm with the ‘root-cause-resource’ as an alarming resource. The ‘root-cause-resource’ leaf-list is a hint and should not also generate an alarm for the same problem.
alarms/alarm-list/alarm{resource, alarm-type-id, alarm-type-qualifier}/status-change{time} (keys ['time'])
A list of status-change events for this alarm. The entry with latest timestamp in this list MUST correspond to the leafs ‘is-cleared’, ‘perceived-severity’, and ‘alarm-text’ for the alarm. This list is ordered according to the timestamps of alarm state changes. The first item corresponds to the latest state change. The following state changes create an entry in this list: - changed severity (warning, minor, major, critical) - clearance status; this also updates the ‘is-cleared’ leaf - alarm-text update
/alarms/alarm-list/alarm{resource, alarm-type-id, alarm-type-qualifier}/status-change{time}
The time the status of the alarm changed. The value represents the time the real alarm-state change appeared in the resource and not when it was added to the alarm list. The /alarm-list/alarm/last-changed MUST be set to the same value.
severity-with-clear
The severity of the alarm as defined by X.733. Note that this may not be the original severity since the alarm may have changed severity.
A user-friendly text describing the alarm-state change.
alarms/shelved-alarms
The shelved alarms. Alarms appear here if they match the criteria in /alarms/control/alarm-shelving. This list does not generate any notifications. The list represents alarms that are considered not relevant by the operator. Alarms in this list have an ‘operator-state’ of ‘shelved’. This cannot be changed.
/alarms/shelved-alarms
This object shows the total number of current alarms, i.e., the total number of entries in the alarm list.
A timestamp when the shelved-alarm list was last changed. The value can be used by a manager to initiate an alarm resynchronization procedure.
alarms/shelved-alarms/shelved-alarm{resource, alarm-type-id, alarm-type-qualifier} (keys ['resource', 'alarm-type-id', 'alarm-type-qualifier'])
The list of shelved alarms. Shelved alarms can only be updated from the underlying resource; no operator actions are supported.
/alarms/shelved-alarms/shelved-alarm{resource, alarm-type-id, alarm-type-qualifier}
leafref /alarms/control/alarm-shelving/shelf/name
/alarms/control/alarm-shelving/shelf/name
The name of the shelf.
alarms/shelved-alarms/shelved-alarm{resource, alarm-type-id, alarm-type-qualifier}/operator-state-change{time} (keys ['time'])
This list is used by operators to indicate the state of human intervention on an alarm. For shelved alarms, the system has set the list item in the list to ‘shelved’.
/alarms/shelved-alarms/shelved-alarm{resource, alarm-type-id, alarm-type-qualifier}/operator-state-change{time}
alarms/shelved-alarms/shelved-alarm{resource, alarm-type-id, alarm-type-qualifier}/related-alarm{resource alarm-type-id alarm-type-qualifier} (keys ['resource alarm-type-id alarm-type-qualifier'])
/alarms/shelved-alarms/shelved-alarm{resource, alarm-type-id, alarm-type-qualifier}/related-alarm{resource alarm-type-id alarm-type-qualifier}
alarms/shelved-alarms/shelved-alarm{resource, alarm-type-id, alarm-type-qualifier}/status-change{time} (keys ['time'])
/alarms/shelved-alarms/shelved-alarm{resource, alarm-type-id, alarm-type-qualifier}/status-change{time}
alarms/alarm-profile{alarm-type-id, alarm-type-qualifier-match, resource} (keys ['alarm-type-id', 'alarm-type-qualifier-match', 'resource'])
This list is used to assign further information or configuration for each alarm type. This module supports a mechanism where the client can override the system-default alarm severity levels. The ‘alarm-profile’ is also a useful augmentation point for specific additions to alarm types.
/alarms/alarm-profile{alarm-type-id, alarm-type-qualifier-match, resource}
The alarm type identifier to match.
An XML Schema regular expression that is used to match the alarm type qualifier.
Specifies which resources to match.
A description of the alarm profile.
alarms/alarm-profile{alarm-type-id, alarm-type-qualifier-match, resource}/alarm-severity-assignment-profile
The client can override the system-default severity level.
Specifies the configured severity level(s) for the matching alarm. If the alarm has several severity levels, the leaf-list shall be given in rising severity order. The original M3100/M3160 ASAP function only allows for a one-to-one mapping between alarm type and severity, but since YANG module supports stateful alarms, the mapping must allow for several severity levels. Assume a high-utilization alarm type with two thresholds with the system-default severity levels of threshold1 = warning and threshold2 = minor. Setting this leaf-list to (minor, major) will assign the severity levels as threshold1 = minor and threshold2 = major
environments/environment
Defines an environment with all services and meta information it needs
/environments/environment
(default: se.curity)
The name of the organization running the services in an environment (Entity ID)
The type of deployment this system is executing as.
uri
The external base URL used to contact this machine
(default: )
The root path under the base-url from which static resources should be served
Reports the template areas that are available as they are found on the file system of the admin node
environments/environment/localization
The localization settings for this environment
(default: en)
Default locale if no locale is specified in request
environments/environment/white-listed-proxies
A list of proxies that are allowed to be in the middle of the requestor and this server. If this list is empty, the X-Forwarded-For header will be ignored. If this list is non-empty the X-Forwarded-For header will be used as the remote-ip of the client if the proxies match this list.
An IPv4/IPv6 address, hostname or IPv4/IPv6 cidr of the proxy to whitelist.
environments/environment/cluster
Settings of a configuration cluster
/environments/environment/cluster
The keystore for cluster communication. This should only be set with keystores generated by Curity
host
The host or IP of the cluster admin node that the run-time nodes will connect to
port-number
(default: 6789)
The port of the cluster admin node
(default: 0.0.0.0)
The host or IP that the admin node should listen on (e.g., 0.0.0.0 to listen on all network interfaces)
environments/environment/admin-service
Enable the admin service
leafref /processing/credential-managers/credential-manager/id
/processing/credential-managers/credential-manager/id
A credential manager that verifies accounts against an external user repository (e.g., LDAP)
environments/environment/admin-service/http
Enables the HTTP admin service interface (Web UI and/or RESTCONF)
/environments/environment/admin-service/http
ip-address
IP used for listening host
(default: 6749)
The port the admin endpoint listens on
leafref /facilities/crypto/ssl/server-keystore/id
/facilities/crypto/ssl/server-keystore/id
A pointer to the key used for the SSL server. When no key is configured, the admin will be served on a http connection instead of an https.
The external base URL used to contact the admin web-ui and restconf
Enables support for the HTTP/2 protocol. HTTP/2 is usually faster than HTTP/1.x, but may not be as widely supported by clients. HTTP/1.x is always enabled.
environments/environment/admin-service/http/web-ui
Enable the admin Web UI
environments/environment/admin-service/http/web-ui/appearance
A CSS hex (format #aabbcc) color for the UI environment badge. Default colors are used when not set.
environments/environment/admin-service/http/web-ui/ui-modes
This section contains settings for the different modes in the Web UI
environments/environment/admin-service/http/web-ui/ui-modes/normal-mode
Customizations for the normal mode UI
/environments/environment/admin-service/http/web-ui/ui-modes/normal-mode
leafref /profiles/profile/id
/profiles/profile/id
The authentication profile to use in Normal Mode
The token profile to use in Normal Mode
The user management profile to use in Normal Mode
leafref /environments/environment/services/service-role/id
/environments/environment/services/service-role/id
The service role to use in Normal Mode for HTTP runtime settings
leafref /processing/account-managers/account-manager/id
/processing/account-managers/account-manager/id
The account manager to use in Normal Mode
The credential manager to use in Normal Mode
environments/environment/admin-service/http/web-ui/admin-federated-login
Configure the admin UI to enable logging in with a federated account. Use an internal OpenID Connect client or an external OpenID Connect provider
/environments/environment/admin-service/http/web-ui/admin-federated-login
Disable local account login
A logo of the client, that can shown in user interface screens.
non-empty-string
Name of OpenID Connect provider
environments/environment/admin-service/http/web-ui/admin-federated-login/external-openid-provider
Use external OpenID Connect provider
/environments/environment/admin-service/http/web-ui/admin-federated-login/external-openid-provider
The client id to use when obtaining an OAuth 2.0 access token
The client secret to use when obtaining an OAuth 2.0 access token
leafref /base:facilities/base:http/base:client/base:id
/base:facilities/base:http/base:client/base:id
A reference to the Http Client
The complete url to the authorization endpoint of the OpenID Connect Provider
The complete url to the token endpoint of the OpenID Connect Provider
The complete url to the userinfo endpoint of the OpenID Connect Provider
scope
Additional scopes (beyond ‘openid’) that should be requested
Additional claims that should be requested
environments/environment/admin-service/http/web-ui/admin-federated-login/using-oauth-profile
Enable login using Curity OpenID Connect client
/environments/environment/admin-service/http/web-ui/admin-federated-login/using-oauth-profile
leafref /base:profiles/base:profile/base:id
/base:profiles/base:profile/base:id
The OAuth Profile to which client belongs
leafref /base:profiles/base:profile[base:id=current()/../as:oauth-profile]/base:settings/as:authorization-server/as:client-store/as:config-backed/as:client/as:id
/base:profiles/base:profile[base:id=current()/../as:oauth-profile]/base:settings/as:authorization-server/as:client-store/as:config-backed/as:client/as:id
OpenID Connect client
environments/environment/admin-service/http/restconf
Enable the RESTCONF API
(default: true)
Allows users to access the RESTCONF API using basic credentials
environments/environment/admin-service/http/restconf/oauth
Allow users to access the RESTCONF API using OAuth access tokens
/environments/environment/admin-service/http/restconf/oauth
The OAuth Profile to accept tokens from when accessing the Dashboard
The clients to use for authenticating users to the RESTCONF API
environments/environment/admin-service/http/devops-dashboard
Enable the DevOps Dashboard UI
/environments/environment/admin-service/http/devops-dashboard
leafref /base:processing/base:authorization-managers/base:authorization-manager/base:id
/base:processing/base:authorization-managers/base:authorization-manager/base:id
Authorization Manager that should authorize requests from the DevOps Dashboard client to the GraphQL APIs. If not configured, access to the GraphQL APIs by the dashboard client will be forbidden.
leafref /base:profiles/base:profile[base:id=current()/../../base:restconf/as:oauth/as:oauth-profile]/base:settings/as:authorization-server/as:client-store/as:config-backed/as:client/as:id
/base:profiles/base:profile[base:id=current()/../../base:restconf/as:oauth/as:oauth-profile]/base:settings/as:authorization-server/as:client-store/as:config-backed/as:client/as:id
The client to use for authenticating users to the dashboard
environments/environment/themes
UI theme configuration
environments/environment/themes/default-theme
The default theme, not using any template areas.
/environments/environment/themes/default-theme
base64-encoded-string
A base64 encoded string of theme CSS variables
A base64 encoded string of custom css that will be joined with the css properties
environments/environment/themes/default-theme/template-variables{name} (keys ['name'])
A list of template variables that will be available in the template context
/environments/environment/themes/default-theme/template-variables{name}
The name of the template variable as it will appear in the template context. The name must start with an underscore.
The value of the variable
uint32
(default: 2628000)
The maximum duration (in seconds) that a static resource should be cached by a client Web browser
environments/environment/services/zones
List of available zones in the system, these are referenced by subsystems when needed
environments/environment/services/zones/default-zone
The default zone to be used unless another is explicitly necessary
/environments/environment/services/zones/default-zone
leafref /facilities/email-providers/email-provider/id
/facilities/email-providers/email-provider/id
The email-provider to use for this zone
Key used to sign cookies, for example.
environments/environment/services/zones/default-zone/mobile-app-association
environments/environment/services/zones/default-zone/mobile-app-association/ios-app-configuration{app-id} (keys ['app-id'])
App id for IOS applications
environments/environment/services/zones/default-zone/mobile-app-association/android-app-configuration{namespace} (keys ['namespace'])
/environments/environment/services/zones/default-zone/mobile-app-association/android-app-configuration{namespace}
environments/environment/services/zones/default-zone/mobile-app-association/android-app-configuration{namespace}/sha256-cert-fingerprints{fingerprint} (keys ['fingerprint'])
/environments/environment/services/zones/default-zone/mobile-app-association/android-app-configuration{namespace}/sha256-cert-fingerprints{fingerprint}
The origins (scheme, host, and optional port) that are allowed to make cross origin requests
environments/environment/services/zones/zone{id} (keys ['id'])
The zone list may be empty. If so, the default zone is the only one used. If the list is non-empty, the default zone is used by nodes not configured to use aparticular zone.
/environments/environment/services/zones/zone{id}
The only meaning of a zone is a name. It’s up to the admin to decide where and what that zone stands for.
Key used to sign cookies, for example. If not set, the key of the default zone is used.
environments/environment/services/zones/zone{id}/mobile-app-association
environments/environment/services/zones/zone{id}/mobile-app-association/ios-app-configuration{app-id} (keys ['app-id'])
environments/environment/services/zones/zone{id}/mobile-app-association/android-app-configuration{namespace} (keys ['namespace'])
/environments/environment/services/zones/zone{id}/mobile-app-association/android-app-configuration{namespace}
environments/environment/services/zones/zone{id}/mobile-app-association/android-app-configuration{namespace}/sha256-cert-fingerprints{fingerprint} (keys ['fingerprint'])
/environments/environment/services/zones/zone{id}/mobile-app-association/android-app-configuration{namespace}/sha256-cert-fingerprints{fingerprint}
environments/environment/services/service-role{id} (keys ['id'])
/environments/environment/services/service-role{id}
A given name of the service role
Where the service is located, physically
Enable or disable the entire daemon instance
leafref ../../zones/zone/id
../../zones/zone/id
The zone that the service is in (which, if not set, will be the default zone)
(default: 8443)
The port the service listens on
enumeration http, https
http, https
(default: https)
Which protocol to use, almost always, https should be used
A pointer to the key used for the SSL server
Enable HTTP 2 (H2)
(default: -XX:+UseG1GC -XX:+UseStringDeduplication)
The options that should be passed to the Java Virtual Machine (JVM) when the service is started
environments/environment/services/service-role{id}/hsts
Enable HSTS support for this role
/environments/environment/services/service-role{id}/hsts
(default: 15465601)
Maximum number of seconds that HSTS will be used for
Whether or not subdomains should use HSTS as well
Whether or not any pre-loaded certificates should be used by a browser
environments/environment/services/service-role{id}/content-security-policy
environments/environment/services/service-role{id}/content-security-policy/reporting-endpoint
Enables reporting of HTTP Content Security Policy violations: adds the Content-Security-Policy report-to and report-uri directives, as well as the Reporting-Endpoints HTTP header.
/environments/environment/services/service-role{id}/content-security-policy/reporting-endpoint
(default: csp-reporting-endpoint)
Name of the reporting endpoint
URL to report Content Security Policy violations to.
environments/environment/services/service-role{id}/server-tls
/environments/environment/services/service-role{id}/server-tls
Enable TLS 1.0 (should be disabled unless necessary)
Enable TLS 1.1 (should be disabled unless necessary)
Enable TLS 1.2
Enable TLS 1.3
environments/environment/services/service-role{id}/server-tls/sni-host-check
Enable SNI host check, such that inbound TLS connections with a Server Name Indicator must match the name of the server’s SSL certificate.
Require the client to use SNI. Can only be set when sni-host-check is enabled.
environments/environment/services/service-role{id}/mutual-tls
/environments/environment/services/service-role{id}/mutual-tls
The port to use for mutual TLS. Defaults to the same value as configured for listening-port for this service.
leafref /base:facilities/crypto/ssl/client-truststore/client-certificate/id
/base:facilities/crypto/ssl/client-truststore/client-certificate/id
The certificates that have signed any client’s certificate used to authenticate such clients. If no truststores are configured, ALL truststores are added to the mutual-tls trust for this service.
environments/environment/services/service-role{id}/thread-count
/environments/environment/services/service-role{id}/thread-count
uint16
(default: 8)
The minimum number of threads that should be started when the service’s Java Virtual Machine (JVM) starts
(default: 100)
The maximum number of threads that can be started by the Java Virtual Machine (JVM) of the service
environments/environment/services/service-role{id}/ciphers
White- and black-listing of ciphers used for incoming secure connections. Enabling this feature will disable any white- and black-lists automatically enforced by the server.
/environments/environment/services/service-role{id}/ciphers
A white-list of ciphers to use for incoming secure connections
A black-list of ciphers not to use for incoming secure connections
environments/environment/services/service-role{id}/webfinger
Enable webfinger support for this service
leafref /profiles/profile/endpoints/endpoint/id
/profiles/profile/endpoints/endpoint/id
A list of endpoints deployed on this service instance, no order implied
environments/environment/services/runtime-service{id} (keys ['id'])
This list shows the connected and recently connected runtime nodes
/environments/environment/services/runtime-service{id}
The unique id of the runtime node
The given name of the runtime node
The service role the node is using
The time the node was booted
enumeration connected, disconnected
connected, disconnected
(default: disconnected)
The node’s cluster status
Current uptime for the node
environments/environment/reporting
Reporting makes runtime nodes expose Prometheus compatible metrics
/environments/environment/reporting
Enable reporting
Include profile_id label in metrics
environments/environment/alarms
alarm-handler (keys: ['id'])
An alarm handler processes alarms that are raised and cleared by the system.
pagerduty-notifier
The Integration Key from Pager Duty to use when calling the Events API
pagerduty-notifier/web-service
/environments/environment/alarms/alarm-handlers/alarm-handler{id}/pagerduty-notifier/web-service
sets the hostname or ip-address of the webservice service, e.g. ‘localhost’ or ‘127.0.0.1’
(default: 80)
sets the port of the webservice service, e.g. 80 or 443.
(default: /)
sets the main context of the webservice service, e.g. ‘/scim’.
webhook-notifier
enumeration flat, nested
flat, nested
(default: nested)
The Json format that should be used for the posted message. The ‘flat’ format presents a single level json object and ‘nested’ is a structured json format.
webhook-notifier/web-service
/environments/environment/alarms/alarm-handlers/alarm-handler{id}/webhook-notifier/web-service
email-notifier
email-notifier/email-provider
/environments/environment/alarms/alarm-handlers/alarm-handler{id}/email-notifier/email-provider
leafref /base:facilities/base:email-providers/base:email-provider/base:id
/base:facilities/base:email-providers/base:email-provider/base:id
A reference to the Email-Provider
A set of email addresses to send alarm notifications to
slack-notifier
slack-notifier/web-service
/environments/environment/alarms/alarm-handlers/alarm-handler{id}/slack-notifier/web-service
profile (keys: ['id', 'type'])
The section is augmented by each profile added to the system. The profile is the main function in the system, like oauth, openid connect etc
/profiles/profile{id, type}
A descriptive id of the profile
profile-type
This will result in filtering, so that an endpoint and a profilecan be matched, and only used when compatible
Expose detailed error messages in the server responses whenever possible. By default, in case of failures due to external services or internal errors, the server returns a generic error message to avoid accidentally exposing sensitive information.
settings/authentication-service
The Authentication Service is a Profile that enables Authentication on the server. It can be configured with any number of authenticators of any type.
/profiles/profile{id, type}/settings/authentication-service
(default: 3600)
The maximum time the SSO session will be valid
The maximum time the SSO session will be valid while not used
Whether the SSO cookie should persist only for the browser session, i.e. expire when browser is closed. Note that when set to true, the SSO cookie will expire when the browser session does regardless of the value set in sso-expiration-time or in sso-inactivity-timeout. The cookie will however never be valid for a longer duration than set by sso-expiration-time and sso-inactivity-timeout or the longest lasting sso-expiration-time and sso-inactivity-timeout set on any specific authenticator.
By default the SSO cookie is not persisted in a database. By setting this to true the cookie is persisted in the session store, and only a reference is used as cookie. This is needed if the SSO cookie contains large amounts of user data.
When the sso session is persisted to database, this setting enables encoding of the session data. Useful to mitigate against charset encoding problems with the database
(default: username)
The name of the cookie that stores the user’s preferences, like username and locale settings
If set, the user will be redirected to this URL after logout
By default the preflight endpoint will be enabled on the anonymous endpoint. This option allows the endpoint to be disabled.
leafref ../protocols/protocol/id
../protocols/protocol/id
The id of the protocol plugin
leafref /base:facilities/base:sms-providers/base:sms-provider/base:id
/base:facilities/base:sms-providers/base:sms-provider/base:id
The sms-provider to be used for this zone
Enables the API-driven UI to be used on this authentication profile and linked oauth profiles.
Enables the unsafe (e.g. POST) cross-site requests blocking mechanism. Blocks cross-site requests (those originating from a different or third-party domain) with an unsafe method from being accepted, except for endpoints the explicitly allow it. Disabling this feature can help with interoperability but does pose security risks, and should only be enabled if strictly required.
settings/authentication-service/base-url
This setting will let this profile operate under specific URLs. It makes it possible to have many URLs running on the same Curity instance. Each authentication service will redirect using these settings if present. If this is not set, the profile will use the base-url setting from the environment section. The SSO can only occur inside a profile since the SSO cookie is bound to this URL.
/profiles/profile{id, type}/settings/authentication-service/base-url
This URL is used as default. If the incoming request does not contain an X-Forwarded-Host header with a white-listed URL in the additional-base-url section, this one will be used.
This is a multi-value element where additional URLs can be configured. If the X-Forwarded-Host or Host Header contains any of these, it will be selected and used when redirecting internally.
settings/authentication-service/redirect-url-whitelist
This list is the profile wide redirect whitelist, any redirect will be validated against this list of hosts. By default the endpoints the profile interacts with such as the token service’s authorize, assisted-token and device flow endpoints are added to the list. Any external endpoints that the authentication service redirects to needs to be added here.
settings/authentication-service/account-domains/account-domain{id} (keys ['id'])
The domain (i.e., grouping, organizational unit, realm) of accounts
/profiles/profile{id, type}/settings/authentication-service/account-domains/account-domain{id}
The given ID of an account domain
A description of the domain
settings/authentication-service/authentication-actions
settings/authentication-service/authentication-actions/authentication-action{id} (keys ['id'])
An Authentication Action that can be assigned to authenticators
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}
The given ID of the Authentication Action
Optional override for template area
settings/authentication-service/authentication-actions/authentication-action{id}/opt-in-mfa
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/opt-in-mfa
Disable use of recovery codes
Allow using recovery codes to complete authentication
(default: 0)
TTL of the second factor opt-out, in days. If zero (the default), then second factor opt-out is not allowed
settings/authentication-service/authentication-actions/authentication-action{id}/opt-in-mfa/account-manager
leafref /base:processing/base:account-managers/base:account-manager/base:id
/base:processing/base:account-managers/base:account-manager/base:id
A reference to an Account Manager
settings/authentication-service/authentication-actions/authentication-action{id}/opt-in-mfa/mfa-state-bucket
Bucket to store MfA state in. Required for LDAP account managers.
leafref /base:facilities/base:data-sources/base:data-source/base:id
/base:facilities/base:data-sources/base:data-source/base:id
A reference to a data source
settings/authentication-service/authentication-actions/authentication-action{id}/opt-in-mfa/allowed-second-factor{authenticator-id} (keys ['authenticator-id'])
List with the allowed second factors
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/opt-in-mfa/allowed-second-factor{authenticator-id}
leafref ../../../../../auth:authenticators/auth:authenticator/auth:id
../../../../../auth:authenticators/auth:authenticator/auth:id
The second factor authenticator ID
The authentication method description that appears in the user interface. If not defined, the authenticator description will be used
settings/authentication-service/authentication-actions/authentication-action{id}/zone-transfer
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/zone-transfer
(default: zone)
Name of the attribute from which to extract the id of the intended zone.
attribute-location subject-attributes, context-attributes, action-attributes
attribute-location
subject-attributes, context-attributes, action-attributes
(default: subject-attributes)
Location to search for the zone attribute.
Name of the cookie that contains the zone id after a successful execution.
leafref /base:environments/base:environment/base:services/base:zones/base:zone/base:id
/base:environments/base:environment/base:services/base:zones/base:zone/base:id
The zones to be considered.
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition
Disables the second factor subject check, allowing the second factor subject to be different from the authenticated subject (i.e. first factor). Should only be enabled when different subjects are allowed and there is a check somewhere else verifying that the second factor subject value is adequate for the first subject value.
The condition for which to use a second factor
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/attribute-enable-condition
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/attribute-enable-condition
(default: requireSecondFactor)
The name of the attribute that will contain the boolean to trigger the secondfactor. If the attribute is not found it is treated same as False
The location from where the attribute is retrieved.
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/attribute-enable-condition/second-factor
The authenticator to trigger as the second factor when the the condition is met.
leafref ../../../../../../auth:authenticators/auth:authenticator/auth:id
../../../../../../auth:authenticators/auth:authenticator/auth:id
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/attribute-acr-condition
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/attribute-acr-condition
(default: secondFactorAcr)
The name of the attribute to look for that contains the ACR to use as second factor
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/subject-condition
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/subject-condition/subject-pattern-condition{subject-pattern} (keys ['subject-pattern'])
The regex to match the subject attribute against.
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/subject-condition/subject-pattern-condition{subject-pattern}/second-factor
The authenticator to use as second factor when the subject pattern matches
leafref ../../../../../../../auth:authenticators/auth:authenticator/auth:id
../../../../../../../auth:authenticators/auth:authenticator/auth:id
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/client-property-condition
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/client-property-condition/condition{condition-script} (keys ['condition-script'])
script
The expression to run against the client attributes. This expression will be evaluated against the properties of the OAuth client that issued the request that started the authentication flow. Example expressions: client.id == ‘my-good-client’ client.properties.mfa-client == ‘true’
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/client-property-condition/condition{condition-script}/second-factor
The authenticator to use as second factor when the expression returns true
settings/authentication-service/authentication-actions/authentication-action{id}/switch
If true (default value) the action will deny the authentication if no condition is matched. Otherwise it will succeed.
settings/authentication-service/authentication-actions/authentication-action{id}/switch/case{name} (keys ['name'])
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/switch/case{name}
A mandatory unique name for this switch case
The JavaScript boolean expression conditioning the execution of this case’s authenticator.
leafref ../../../../auth:authentication-action/auth:id
../../../../auth:authentication-action/auth:id
The authentication action to run if the condition is true.
settings/authentication-service/authentication-actions/authentication-action{id}/sequence
leafref ../../../auth:authentication-action/auth:id
../../../auth:authentication-action/auth:id
settings/authentication-service/authentication-actions/authentication-action{id}/auto-create-account
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/auto-create-account
Add all other attributes from the configured location to the account (subject attributes are used by default)
When this is set to ‘true’ and the authenticator belongs to a domain, a link will be created on the authenticator’s domain with foreignAccount the ‘subject’, using the same account manager used to create the account.
The attribute containing the email for the new account. If not configured, a unique email will be generated for the account. If configured but no attribute is found, a server error will occur.
enumeration subject-attributes, context-attributes, action-attributes
Source location for the attribute containing the email.
Source location for the additional attributes to add to the account.
When this is set to ‘true’, the action will fail authentication if the account cannot be created, for example if the email is used by some other account.
The attribute containing the phone number for the new account. If configured but no attribute is found, a server error will occur.
Source location for the attribute containing the phone number.
(default: subject)
The attribute containing the username for the new account. If this attribute is not found, a server error will occur.
Source location for the attribute containing the username.
settings/authentication-service/authentication-actions/authentication-action{id}/auto-create-account/account-manager
settings/authentication-service/authentication-actions/authentication-action{id}/new-country
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/new-country
The location where the attribute with the action result will be added. The default location are the subject attributes.
The name of the attribute that will be potentially used from a following action.
settings/authentication-service/authentication-actions/authentication-action{id}/new-country/bucket
settings/authentication-service/authentication-actions/authentication-action{id}/script-transformer
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/script-transformer
The source and destination of the transformed attributes.
leafref /base:processing/base:procedures/base:transformation-procedure/base:id
/base:processing/base:procedures/base:transformation-procedure/base:id
This is an optional list where attributes can be listed that should be removed from the original set of parameters. If the name of the attribute matches what the authentication returned, that attribute will be removed. The excluded attributes need to have a fully qualified path. Example: emails.email.value, or to remove all emails: emails
settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account
Set to true if any already existing link to the same foreign subject in the Linking Account Domain should be overwritten
Set to true if the account to be linked with the current Linking Account Manager is the Local account, and the current Authenticators session is the foreign account
settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/linking-account-domain
leafref ../../../../../auth:account-domains/auth:account-domain/auth:id
../../../../../auth:account-domains/auth:account-domain/auth:id
A reference to an Account Domain
settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/linking-account-manager
settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/advanced
This option allows you to store the links using some arbitrary attribute from the Authenticated Session, instead of the account id. Use with caution!
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/advanced
The name of the attribute containing the account ID. This is used as the local account in the link. If use-linked-account-as-main-account is enabled, then this attribute is picked from the Authenticated Sessions, otherwise it is taken from the incoming attributes from the authenticator this action runs on. No check is made to verify that the account corresponding to the given ID exists. It is strongly recommended to NOT use an attribute that might change such as subject (username) or email. Doing this might cause several problems as there is no guarantee that the value of this attribute is globally unique and immutable. It is strongly suggested to use a auto-create-account action before this one, instead, to avoid any future issues.
The source location for the attribute containing the account ID. Defaults to subject-attributes
settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/user-confirmation
Require the user to confirm the links. By default the link establishment is automatic. Use this setting to enable and configure user confirmation.
Override the domain name shown on the confirmation user interface
settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/user-confirmation/attribute-for-foreign-identifier
The attribute with the foreign identifier to use on the user confirmation. By default, the subject attribute will be used
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/user-confirmation/attribute-for-foreign-identifier
The attribute location
The attribute name
settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/user-confirmation/attribute-for-local-identifier
The attribute with the local identifier to use on the user confirmation. By default, the subject attribute will be used
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/user-confirmation/attribute-for-local-identifier
settings/authentication-service/authentication-actions/authentication-action{id}/update-account
settings/authentication-service/authentication-actions/authentication-action{id}/update-account/account-manager
settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name} (keys ['name'])
The list of operations to be performed on the account.
The operation name.
settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/add-attribute
Adds an attribute.
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/add-attribute
If enabled, the action will return failure if the source attribute is not found. The default behavior is to ignore the operation.
(default: action-attributes)
The location on which the source attribute is searched.
The path to the source attribute, i.e., the attribute containing the value used on the addition.
The path to the the account attribute to be added.
settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/add-attribute/convert-to-multi-valued
Convert the value into a multi-valued attribute value
Is the primary value?
settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/delete-attribute
Deletes an attribute.
The path to the the account attribute to be deleted.
settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/replace-attribute
Replaces an attribute.
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/replace-attribute
The path to the source attribute, i.e., the attribute containing the value used on replace.
The path to the the account attribute to be replaced.
settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/replace-attribute/convert-to-multi-valued
settings/authentication-service/authentication-actions/authentication-action{id}/lookup-linked-accounts-transformer
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/lookup-linked-accounts-transformer
(default: linked_accounts)
The attribute name to store the list of linked accounts in
The target location for the attribute with the list of linked accounts.
settings/authentication-service/authentication-actions/authentication-action{id}/lookup-linked-accounts-transformer/linking-account-manager
settings/authentication-service/authentication-actions/authentication-action{id}/impossible-journey
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/impossible-journey
int32
(default: 250)
The speed that can dictate if a journey is impossible (km/h). Default is 250 km/h.
settings/authentication-service/authentication-actions/authentication-action{id}/impossible-journey/bucket
settings/authentication-service/authentication-actions/authentication-action{id}/allow-deny-country
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/allow-deny-country
Enable to allow the countries in the list, disable to deny them.
The list of countries to allow or deny.
settings/authentication-service/authentication-actions/authentication-action{id}/set-attribute
settings/authentication-service/authentication-actions/authentication-action{id}/set-attribute/attribute{name} (keys ['name'])
List of additional attributes, their values and location.
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/set-attribute/attribute{name}
Name of an attribute
The destination of the additional attribute.
param boolean-value: boolean (optional) Boolean value of an additional attribute
Boolean value of an additional attribute
param integer-value: int32 (optional) Integer value of an additional attribute
Integer value of an additional attribute
param string-value: string (optional) String value of an additional attribute
String value of an additional attribute
settings/authentication-service/authentication-actions/authentication-action{id}/reset-password
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/reset-password
When this is set to true, the users will be able to skip the password reset.
(default: resetPassword)
When this attribute is found in the subject attributes and set to ‘true’, the user will be prompted with an option to perform a password update.
Source location for the attribute controlling the password update.
Regular expression which checks the strength of the submitted password
settings/authentication-service/authentication-actions/authentication-action{id}/reset-password/account-manager
settings/authentication-service/authentication-actions/authentication-action{id}/reset-password/credential-manager
leafref /base:processing/base:credential-managers/base:credential-manager/base:id
/base:processing/base:credential-managers/base:credential-manager/base:id
A reference to a Credential Manager
settings/authentication-service/authentication-actions/authentication-action{id}/data-source-transformer
settings/authentication-service/authentication-actions/authentication-action{id}/data-source-transformer/attribute-data-source
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/data-source-transformer/attribute-data-source
This is a whitelist of attributes that if returned by the data source will be added to thetransformation response
settings/authentication-service/authentication-actions/authentication-action{id}/data-source-transformer/attributes{attribute-name} (keys ['attribute-name'])
The list of attributes to perform the transformation on
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/data-source-transformer/attributes{attribute-name}
The name of the attribute, that the transformation will be applied on. This attribute will be created if its not returned by the data source, as long as a value can be found.
The name of the resulting attribute after the transformation is applied, if not set the name will be the same as the original attribute
The name of the attribute (eg. column) that contains the replacement value for the attribute
settings/authentication-service/authentication-actions/authentication-action{id}/send-email
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/send-email
The name of the attribute containing the email recipient.
Location to search for the attribute containing the email recipient.
settings/authentication-service/authentication-actions/authentication-action{id}/send-email/email-provider
settings/authentication-service/authentication-actions/authentication-action{id}/send-email/content
Configuration of the email content.
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/send-email/content
The email body.
The email subject.
The email title.
param template:string (optional) Name of the template to use for the email content.
Name of the template to use for the email content.
settings/authentication-service/authentication-actions/authentication-action{id}/changed-country
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/changed-country
settings/authentication-service/authentication-actions/authentication-action{id}/changed-country/bucket
settings/authentication-service/authentication-actions/authentication-action{id}/deny
The error string used when the action denies the authentication.
settings/authentication-service/authentication-actions/authentication-action{id}/deny/always
Always deny authentication.
settings/authentication-service/authentication-actions/authentication-action{id}/deny/attribute-condition
Deny authentication depending on the presence of an attribute.
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/deny/attribute-condition
The expected attribute’s value that determines whether authentication is denied.
The name of the attribute that determines whether authentication is denied. If the attribute is present and its value matches the expected boolean value, the authentication is denied; otherwise, it proceeds.
Location to search for the attribute that determines whether authentication is denied.
settings/authentication-service/authentication-actions/authentication-action{id}/attribute-prompt
settings/authentication-service/authentication-actions/authentication-action{id}/attribute-prompt/required-attribute{name} (keys ['name'])
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/attribute-prompt/required-attribute{name}
A regular expression to validate the value of this field.
enumeration text, email, url, password, checkbox, number, tel, color
text, email, url, password, checkbox, number, tel, color
(default: text)
settings/authentication-service/authentication-actions/authentication-action{id}/restart
The flag indicating whether authenticator should run after the pipeline restart.
settings/authentication-service/authentication-actions/authentication-action{id}/restart/always
Always restart authentication pipeline.
settings/authentication-service/authentication-actions/authentication-action{id}/restart/attribute-condition
Restart authentication pipeline depending on the presence of an attribute.
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/restart/attribute-condition
The expected attribute’s value that determines whether the pipeline is restarted.
The attribute name.
The attribute location.
settings/authentication-service/authentication-actions/authentication-action{id}/copy-attribute
settings/authentication-service/authentication-actions/authentication-action{id}/copy-attribute/operation{name} (keys ['name'])
List of attributes to copy or move from one location to another
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/copy-attribute/operation{name}
Unique identifier of the operation
When true, the attribute is moved, instead of being copied, from the source location to the target one
The source location of the attribute to copy: Subject attributes, Context attributes or Action attributes
The path to the source attribute to copy
The target location to copy the attribute to: Subject attributes, Context attributes or Action attributes
The path to the destination to copy the attribute to
settings/authentication-service/authentication-actions/authentication-action{id}/remove-attribute-transformer
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/remove-attribute-transformer
settings/authentication-service/authentication-actions/authentication-action{id}/resolve-linked-account-transformer
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/resolve-linked-account-transformer
Set to true if this action should fail if no link could be resolved
The name of the authentication-attribute to put the linked domain in
The target location where to put the attribute with the linked domain in.
The name of the authentication-attribute to put the original subject in
The target location where to put the attribute with the original subject in.
settings/authentication-service/authentication-actions/authentication-action{id}/resolve-linked-account-transformer/linking-account-domain
settings/authentication-service/authentication-actions/authentication-action{id}/resolve-linked-account-transformer/linking-account-manager
settings/authentication-service/authentication-actions/authentication-action{id}/selector
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/selector
Name of the output attribute.
Location to add the output attribute.
The title to be displayed for the selection. Can be a message key.
settings/authentication-service/authentication-actions/authentication-action{id}/selector/option{title} (keys ['title'])
Options to be presented to the user.
The text to be displayed for this option. Can be a message key.
param boolean-attribute-value: boolean (optional)
param integer-attribute-value: int64 (optional)
int64
param string-attribute-value: string (optional)
settings/authentication-service/authentication-actions/authentication-action{id}/request-acknowledgement
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/request-acknowledgement
The label displayed on the button to accept the acknowledgement. This message can be configured and localized using message keys.
The label displayed on the button to cancel or decline the acknowledgement. This message can be configured and localized using message keys.
When true the user can cancel or decline the acknowledgement request. When false the user can only accept it.
The acknowledgement request message displayed to the user so that he can accept or decline it. This message can be configured and localized using message keys.
settings/authentication-service/authentication-actions/authentication-action{id}/request-acknowledgement/always
The acknowledgement is always requested
settings/authentication-service/authentication-actions/authentication-action{id}/request-acknowledgement/attribute-condition
The acknowledgement is requested only if an attribute is present in one of the attributes location. If the attribute is present, the user already responded to the acknowledgement and it is not requested anymore. Otherwise the user response is requested.
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/request-acknowledgement/attribute-condition
Location to search or store the attribute.
The name under which to search or store the attribute.
settings/authentication-service/authentication-actions/authentication-action{id}/request-acknowledgement/user-response-attribute
The attribute’s name storing the user response as a boolean value
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/request-acknowledgement/user-response-attribute
settings/authentication-service/authentication-actions/authentication-action{id}/regex-transformer
settings/authentication-service/authentication-actions/authentication-action{id}/regex-transformer/attributes{attribute-base-path, attribute-name} (keys ['attribute-base-path', 'attribute-name'])
This transformer applies the defined regex on the matching key. The username key is called ‘subject’ and if omitted will be passed through without change. If a matching-regex is omitted, the attribute will be passed through without change of value, but might be given a new name.If an attribute value doesn’t match any key, the transformer will ignore that value and it will be passed through.
/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/regex-transformer/attributes{attribute-base-path, attribute-name}
The location of the attribute in the Attributes tree structure. This contains the path without the attribute name. Example: emails.email or name It’s also possible to address root elements by using the $root keyword: $root.subject. If the element is directly under the top level simply set the path to $root, if it’s nested either use the example above or explicitly state root via $root.emails.email
The name of the attribute, that the regex will be applied on. The attribute is looked for in the path given in attribute-base-path To address the value of an email, simply set the attribute-base-path to $root.emails.email and the attribute-name to value
The regular expression to apply on the attribute value, in the form of a regex patternIf the value is a multivalued attribute (list elements) the regex will be applied on all values individually.All values will be included in the result, if the regex didn’t match, the original value is included.
The string or expression to replace the matching portion of the attribute value with. Must be set of the matching-regex is set.
The name of the resulting attribute after the transformation is applied, if not set the name will be thesame as the original attribute name. Note: This is placed in the attribute-base-path same as the attribute-name that it is replacing. It is not possible to move elements around in the structure, replacement and renaming is done on the same path
When present, the attributes issued by the additional authentication factors will be included, alongside with the attributes issued by the main authenticator. The attributes from the additional authenticators will have authority equal to the authenticator’s ACR. The attributes from the main authenticator don’t have any authority.
authenticator (keys: ['id'])
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}
The Authentication Context Class Reference (ACR) that this authenticator supports
leafref ../../../account-domains/account-domain/id
../../../account-domains/account-domain/id
Optional domain in which accounts are stored
A readable description of the Authenticator, for User presentation, can be a locale key
This controls the expiration time for this specific authenticator. If this is not set, the value set on the profile will be used instead.A common scenario is to allow some factors to have longer lifetimes than others, which is accomplished by setting this value on the authenticator in question
The maximum time an SSO session created by this authenticator will be valid without being used. If this value is not set, then the profile value will be used (if set there).
leafref ../../../authenticators/authenticator/id
../../../authenticators/authenticator/id
Optional authenticator (or any from a group) that the user must authenticate with prior to this one
A category of usage that this authenticator instance is intended for.
geo-filtering
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/geo-filtering
If enabled then allow the countries in the list to use the authenticator. Deny otherwise.
The list of countries (ISO-3166 code) that are allowed or denied to use the authenticators.
authentication-actions
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/authentication-actions
leafref ../../../../authentication-actions/authentication-action/id
../../../../authentication-actions/authentication-action/id
An ordered list of actions that will run after authentication is complete. They can work on the attributes (including subject) that the authenticator has returned, and shape these to match the desired pattern/format, and can reject the authentication if necessary
An ordered list of actions that will run when single sign-on with the current acr is complete. They will work on the attributes that was returned at the original authentication. They can reject the sso if necessary
param required-authentication-action-for-registration: leafref ../../../authentication-actions/authentication-action/id (multi-value) (optional) Optional authentication action that must explicitly allow for this registration to occur param required-authenticator-for-registration: leafref ../../../authenticators/authenticator/id (optional) Optional authenticator (or any from a group) that the user must authenticate with prior to this registering with this.
leafref ../../../authentication-actions/authentication-action/id
../../../authentication-actions/authentication-action/id
Optional authentication action that must explicitly allow for this registration to occur
Optional authenticator (or any from a group) that the user must authenticate with prior to this registering with this.
request-validations
request-validations/request-validation{request-subpath, endpoint, http-method} (keys ['request-subpath', 'endpoint', 'http-method'])
Procedures that will execute to validate the request data
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/request-validations/request-validation{request-subpath, endpoint, http-method}
leafref /base:profiles/base:profile[base:type=current()/../../../../../../../base:type][base:id=current()/../../../../../../../base:id]/base:endpoints/base:endpoint/base:id
/base:profiles/base:profile[base:type=current()/../../../../../../../base:type][base:id=current()/../../../../../../../base:id]/base:endpoints/base:endpoint/base:id
The endpoint that this subpath exists on
enumeration get, post
get, post
leafref /base:processing/base:procedures/base:validation-procedure/base:id
/base:processing/base:procedures/base:validation-procedure/base:id
group
A group of authenticators, any one can be picked and will represent the group. (Logical OR)
leafref ../../../../authenticators/authenticator/id
../../../../authenticators/authenticator/id
The authenticators that belong to the group
sms
An SMS authenticator. Sends a challange over SMS
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/sms
The OTP in the SMS will be a regular OTP and not a hyperlink
(default: 6)
The length of the OTP
(default: 60)
The time the OTP or the hyperlink is valid
Whether or not users should be able to add a new device during the login process
Whether or not the information page should be shown before the registration page
(default: 3)
The maximum number times a user is allowed to try to validate a OTP. When this value is set to 0, there is no maximum attempts enforced.
The maximum number of OTP or hyperlinks that is allowed to be sent during one session. When this value is set to 0, there is no maximum attempts enforced.
When active a login will be automatically performed after a successful registration
param account-manager: leafref /base:processing/base:account-managers/base:account-manager/base:id (optional) The Account Manager is used to fetch the account param intermediate-attribute-name: string (optional) The intermediate subject attribute that contains the identifier to use when this authenticator is used as a second factor, if configured, the account manager must not be configured
The Account Manager is used to fetch the account
The intermediate subject attribute that contains the identifier to use when this authenticator is used as a second factor, if configured, the account manager must not be configured
email
An email authenticator. Sends a challenge over email
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/email
The maximum number of Email-challenges that is allowed to be sent during one session. When this value is set to 0, there is no maximum attempts enforced.
The maximum number times a user can try to validate the nonce sent with a hyperlink. When this value is set to 0, there is no maximum attempts enforced.
If set to true, the authenticator will not check if the account is active before sending the hyperlink.
If set to true, the authenticator will change the account status to active once the hyperlink sent was consumed by the user.
param hyperlink-time-to-live: uint32 (default: 120) The time the hyperlink is valid param hyperlink-continue-authentication-in-verify-window: boolean (default: true) Whether authentication should continue in the browser window/tab where the hyperlink is verified. This is only possible when the hyperlink is verified in the same session as it was requested.
(default: 120)
The time the hyperlink is valid
Whether authentication should continue in the browser window/tab where the hyperlink is verified. This is only possible when the hyperlink is verified in the same session as it was requested.
email/send-otp-as-code
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/email/send-otp-as-code
The time the OTP is valid
encap
The settings for an Encap authentication provider
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/encap
The Account Manager is responsible for credentials and accounts. Depending on whether you pick an account manager that support registration, the html-form will support creating accounts and managing the accounts
The ID of the authentication service Encap client
(default: encap)
The application ID of the Encap mobile application being used
The API key to be used (only applicable when using the public Encap test server)
The URL to where the Encap webservice is located (e.g., https://demo.encapsecurity.com/pt)
leafref /base:facilities/base:crypto/base:signing-keys/base:signing-key/base:id
/base:facilities/base:crypto/base:signing-keys/base:signing-key/base:id
The key ID of the private key that will be used when signing messages sent to the Encap server
The URL where users may download the mobile authentication application
A title message that is sent to the encap server when starting authentication
A context body that is sent to the encap server when starting authentication, as text/plain
(default: text/plain)
The content type of the context-content
The maximum number of authentication attempts that is allowed to be sent during one session. When this value is set to 0, there is no maximum attempts enforced.
Set a device expiration in seconds from the time the device is activated, if not set devices never expire. If this is set, it is not possible to override in the template.
encap/non-interactive-registration
Enables the possibility to activate a new device without user interaction. This can be used when the app also serves as an OpenID Connect client.
The custom scheme url to redirect to with the activation code (myapp://some-redirect)
sign-in-with-apple
Sign in with Apple methods
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/sign-in-with-apple
(default: https://appleid.apple.com)
The issuer of the Sign in with Apple service. Will be used to get the configuration document
The Team ID of your Apple Developer team.
The Service identifier registered with your Apple Developer team
The key to sign the client secret with. This key is issued from your Apple Developer account.
The Key ID of the signing key downloaded from the apple developer portal. A 10 character string listed in ‘Certificates, Identifiers & Profiles > Keys’
(default: openid email name)
Scope to ask for, space separated
A reference to the Http Client to use. If not defined, the default HTTP client is used
google
Google OpenID Connect methods
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/google
(default: https://accounts.google.com/.well-known/openid-configuration)
The url to the openid-configuration document at Google
The client-id, registered at Google
The client-secret, registered at Google
(default: openid profile email)
Scope to ask Google for, space separated, note that if using google apps with custom domains the openid, profile and email scopes need to be present.
The allowed clock-skew in seconds when validating the JWT from the OpenID Server
The Authentication Context Class Reference (ACR) or authentication method that the OpenID Server should require
The claim to use as subject
This can be set to a google apps domain, such as your-company.com it will then only accept authentications done with an account in that domain
enumeration always, if-reauthentication-requested
always, if-reauthentication-requested
Force google to show the select account screen.
oidc
OpenID Connect methods
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/oidc
The url to the openid-configuration document at theOpenID server (must end in ‘/.well-known/openid-configuration’)
The client-id, registered at the OpenID server
Send the client credentials using HTTP Basic authentication. When false, the credentials are sent in the request-body
(default: openid)
Scope to ask the OpenID server for, space separated
The Authentication Context Class Reference (ACR) or authentication method that should be sent in the request to the OpenID Server
If there is a previously authenticated subject, pass the subject as login_hint to the OpenID Server.
enumeration always, if-requested-by-client
always, if-requested-by-client
Setting controlling sending of prompt=login parameter. By default, it is not sent.
param client-secret: non-empty-string (optional) The client-secret (client-secret-post), registered at the OpenID server
The client-secret (client-secret-post), registered at the OpenID server
oidc/asymmetrically-signed-jwt
Settings for the asymmetrically signed JWT (private_key_jwt)
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/oidc/asymmetrically-signed-jwt
Signing key for the asymmetrically signed JWT (private_key_jwt)
enumeration RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512
RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512
Signature algorithm for the asymmetrically signed JWT (private_key_jwt)
oidc/symmetrically-signed-jwt
Allowed symmetrically signing algorithms for JWT (client_secret_jwt)
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/oidc/symmetrically-signed-jwt
Signing key for the symmetrically signed JWT (client_secret_jwt)
enumeration HS256, HS384, HS512
HS256, HS384, HS512
The signature algorithms to allow for JWT (client_secret_jwt)
oidc/encrypted-id-token
ID Token is expected to be encrypted
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/oidc/encrypted-id-token
leafref /base:facilities/base:crypto/base:decryption-keys/base:decryption-key/base:id
/base:facilities/base:crypto/base:decryption-keys/base:decryption-key/base:id
A reference to a Decryption Keystore with a key
allowed-key-management-algorithms RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW
allowed-key-management-algorithms
RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW
Key Management Algorithm - the algorithm used to obtain the Content Encryption Key, and present in the ‘alg’ JWE header. If empty, any supported algorithm is allowed.
allowed-content-encryption-algorithms A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM
allowed-content-encryption-algorithms
A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM
Content Encryption Algorithm - the algorithm used to obtain the content, and present in the ‘enc’ JWE header If empty, any supported algorithm is allowed
oidc/fetch-userinfo
Fetch claims from the userinfo endpoint
param plain:empty (optional) Expect user info response to be plain JSON param signed:empty (optional) Expect user info response to be a signed JWT
Expect user info response to be plain JSON
Expect user info response to be a signed JWT
oidc/fetch-userinfo/encrypted
Settings for decrypting an encrypted userinfo response
param unsigned-payload: empty (optional) Expect the encrypted userinfo payload to be plain JSON param signed-payload: empty (optional) Expect the encrypted userinfo payload to be a signed JWT param allowed-algorithms: allowed-key-management-algorithms RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW (multi-value) (optional) Key Management Algorithm - the algorithm used to obtain the Content Encryption Key, and present in the ‘alg’ JWE header. If empty, any supported algorithm is allowed. param allowed-content-encryption-algorithms: allowed-content-encryption-algorithms A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM (multi-value) (optional) Content Encryption Algorithm - the algorithm used to obtain the content, and present in the ‘enc’ JWE header If empty, any supported algorithm is allowed
Expect the encrypted userinfo payload to be plain JSON
Expect the encrypted userinfo payload to be a signed JWT
bankid
The settings for a BankID authentication provider
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/bankid
The Common Name (CN) of the certificate used by the BankID provider
enumeration any, with-keypad
any, with-keypad
The type of smartcard reader that must be used when authenticating with a form of BankID that supports smartcards
enumeration test, production
test, production
(default: production)
The method by which to connect to the BankID – either test or production
Use the new BankID API endpoint (appapi2.bankid.com). The old API endpoint (appapi.bankid.com) will be discontinued in June 2019. This option is obsolete and will be removed in a subsequent release.
The maximum number of authentication attempts that is allowed to be sent during one session. When this value is set to 0, there is no maximum attempts enforced. This option is obsolete and will be removed in a subsequent release (the BankID API itself handles this).
Generate a QR code for the autostart token, to be able to perform the ‘other device’-flow without asking the user for a personal number.
Parse the returned BankID signature to obtain issuers and the device info. This will make the contextAttributes large, storing the SSO sessions in a database is advised.
enumeration bankid-on-file, bankid-on-smartcard, mobile-bankid, nordea-e-id-on-file-and-on-smartcard, any
bankid-on-file, bankid-on-smartcard, mobile-bankid, nordea-e-id-on-file-and-on-smartcard, any
(multi-value) (default: any)
The allowed forms of BankID that may be used for authentication
pingfederate
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/pingfederate
Use a template form to redirect to the PingFederate service. Useful when postMessage notifications are needed
(default: uuuu-MM-dd HH:mm:ssZZ)
The format of date time strings used by PingFederate
webauthn
The settings for a WebAuthN authentication provider
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/webauthn
Whether or not users should be able to register a device during the login process
If enabled, when a user authenticates with a security key and has no built-in device registered for the active browser, they will immediately be asked to register an additional built-in device.
(default: webauthn-platform-device)
The name of the cookie that keeps track of whether a built-in device has been registered for a particular browser.
webauthn/account-manager
webauthn/passkeys-or-user-verifying-devices
Users must register and authenticate using devices that perform user verification, i.e. devices that authorize their usage via gestures such as biometric recognition or PIN entry. In most cases this means the device is a passkey, but it could be an equally strong device that verifies the user.
webauthn/any-device
Users can register and authenticate using any devices, regardless of user verification
If enabled, users can register built-in devices, a.k.a. platform devices, in addition to security-keys, a.k.a. cross-platform devices.
html-form
The settings for an HTML form authentication provider
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/html-form
Optional email-provider to use for ‘forgot password’ and ‘forgot username’ procedures. This overrides the default email provider that is configured for the zone.
The maximum number times a user is allowed to try to validate credentials. When this value is set to 0, there is no maximum attempts enforced.
When active, this authenticator will only be usable as a second factor. The username is picked up by the authenticated state and the user is asked to enter only a password.
When active a login will be automatically performed after a successful activation or password change.
When true, a checkbox with ‘remember me’ is shown to the user. This allows the user to have it’s session forgotten when the browser is closed.
The Credential Manager is used to verify the credentials
duo
The settings for a Duo authentication provider
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/duo
Allow registration during login
Show information page with instructions about installing the Duo app before registration.
When active a login will be automatically performed after a successful registration.
The API hostname of the Duo account.
The auth API integration key of the Duo account.
The auth API secret key of the Duo account.
The admin API integration key of the Duo account.
The admin API secret key of the Duo account.
(default: 1500)
The seconds for which the created activation code is going to be valid.
duo/account-manager
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/duo/account-manager
enumeration auto, push, passcode, sms, phone
auto, push, passcode, sms, phone
The allowed factors of Duo that may be used for authentication
windows
The settings for a Windows authentication provider
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/windows
The shared secret used to decrypt identity data sent from the Windows Connector
The URL, including the scheme, host, port, and URI, of the Windows Connector
leafref ../../../auth:authenticator/auth:id
../../../auth:authenticator/auth:id
The authenticator that a user should login with if Integrated Windows Authentication (IWA) fails
facebook
Facebook login method
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/facebook
The client-id registered with Facebook
The client-secret registered with Facebook
(default: public_profile email)
A space-separated list of scopes to request from Facebook
(default: https://www.facebook.com/dialog/oauth)
URL to the Facebook authorization endpoint
(default: https://graph.facebook.com/v3.2/oauth/access_token)
URL to the Facebook token endpoint
(default: https://graph.facebook.com/v3.2/me)
URL to the Facebook userinfo endpoint
saml2
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/saml2
The SAML Entity Id that the authenticator uses when communicating with the remote SAML IDP.
The allowed clock-skew in seconds when validating the inbound response message
If there is a previously authenticated subject, pass the subject in the RequestedAuthnContext to the SAML Identity Provider.
Setting controlling sending of ForceAuthn=true parameter. By default, it is not sent.
The SAML Entity Id of the remote SAML IDP
The target IDP URL where SAML Authentication Requests are delivered to.
leafref /base:facilities/base:crypto/base:signature-verification-keys/base:signature-verification-key/base:id
/base:facilities/base:crypto/base:signature-verification-keys/base:signature-verification-key/base:id
The key to verify the signature of received SAML Response messages. When no key is configured and signed SAML messages are received, then the messages will be rejected.
Indicate whether the received SAML Response message must be signed.
Indicate whether the received Assertion must be signed.
Optional reference to the signing key that is used to sign outbound SAML AuthnRequest messages. If not configured, signing AuthnRequests is disabled.
saml2/authentication-context-class-reference
The Authentication Context Class Reference (ACR) values to be included in the SAML Authentication Request.
param none:empty (optional) Do not use ACR values param pass-through: empty (optional) Use the ACR values from the request to the Authentication Service. param explicit:non-empty-string (optional) Use a specific ACR value.
Do not use ACR values
Use the ACR values from the request to the Authentication Service.
Use a specific ACR value.
saml2/request-options
Optional settings to finetune how a SAML Authentication Request message is constructed.
The optional NameIdFormat that is requested in a SAML Authentication Request. When not configured, no NameIdFormat is requested.
siths
The settings for a SITHS authentication provider
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/siths
enumeration test, production, test-or-production
test, production, test-or-production
The type of SITHS cards that should be allowed – either test, production, or both
param idp-entity-id: string (mandatory) The SAML Entity Id of the remote SAML IDP param idp-url:string (mandatory) The target IDP URL where SAML Authentication Requests are delivered to. param issuer-entity-id: string (optional) The SAML Entity Id that the authenticator uses when communicating with the remote SAML IDP. When this is not set, the server’s configured id will be used. param signature-verification-key: leafref /base:facilities/base:crypto/base:signature-verification-keys/base:signature-verification-key/base:id (optional) The key to verify the signature of received SAML Response messages. When no key is configured and signed SAML messages are received, then the messages will be rejected. param wants-response-signed: boolean (default: false) Indicate whether the received SAML Response message must be signed. param wants-assertion-signed: boolean (default: true) Indicate whether the received Assertion must be signed. param request-signing-key: leafref /base:facilities/base:crypto/base:signing-keys/base:signing-key/base:id (optional) Optional reference to the signing key that is used to sign outbound SAML AuthnRequest messages. If not configured, signing AuthnRequests is disabled. param saml-clock-skew: int32 (default: 60) The number of seconds allowed for clock skew that the inbound response message may be older or newer than our own clock
The SAML Entity Id that the authenticator uses when communicating with the remote SAML IDP. When this is not set, the server’s configured id will be used.
The number of seconds allowed for clock skew that the inbound response message may be older or newer than our own clock
saml/request-options
saml/authentication-context-class-reference
ping-idp-adapter
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/ping-idp-adapter
The URL to the IdP Adapter
The password to use for basic authentication against the dropoff endpoint
The username to use for basic authentication against the dropoff endpoint
totp
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/totp
enumeration sha1, sha256, sha512
sha1, sha256, sha512
(default: sha1)
The algorithm used to produce the TOTP. This parameter is ignored by some implementations and defaults to SHA1.
Clock skew in seconds
(default: 1)
The Delay window of the algorithm. Greater number means that a TOTP can be used for a period of time so many times longer than the interval (delay window * interval).
Set a device expiration in seconds from the time the device is activated, if not set devices never expires. If this is set, it is not possible to override in the template. Only one device can be active per account, registering a new device expires any previous ones.
(default: idsvr-totp)
The device type (or vendor) that will be stored in the device store. This is used in registration as well as on the lookup of the devices the user has associated. If you only use one device type, it is suggested to leave this setting as is. Otherwise refer to the documentation on how this is used exactly.
Determines how long of a one-time passcode to display to the user. This parameter is ignored by some implementations and defaults to 6.
(default: 30)
The interval of the TOTP device. This parameter is ignored by some implementations and defaults to 30 seconds.
totp/account-manager
totp/bucket
totp/generated-key-config
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/totp/generated-key-config
Allow the users to set a device alias. This can be useful if a user has more than one device of this type. If it is set to false, the alias will be the username of the user.
(default: Identity server)
The issuer is embedded in the QR code and will show up in TOTP apps (i.e. Google Authenticator)
totp/generated-key-config/bucket
totp/pre-shared-key-config
totp/pre-shared-key-config/key-repository
dynamic
Implementation type of target delegate authenticator plugin.
dynamic/configuration-bucket
dynamic/configuration-web-service
/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/dynamic/configuration-web-service
backchannel-authenticator (keys: ['id'])
/profiles/profile{id, type}/settings/authentication-service/authenticators/backchannel-authenticator{id}
The Authentication Context Class Reference (ACR) that for this authenticator. If not set, the value of the referenced front-channel authenticator is used, or one is derived from the authenticator’s type and id.
bankid-backchannel
The ID of the frontchannel authenticator linked to this backchannel authenticator
email-backchannel
sms-backchannel
service-provider (keys: ['id'])
Service providers are usually applications or relying parties. They depend on the identity server for authentication
/profiles/profile{id, type}/settings/authentication-service/service-providers/service-provider{id}
Optional override for template area, this is used when listing multiple authenticators if many are possible to use it’s sometimes needed to brand the selection page per application.
When a list needs to be shown, this is marked as default
This URL is used if a request is made to the authentication service without the parameters necessary to initiate an authentication transaction. In such a case, the user is redirected to this URL, so that a new, properly formed, request can be made to bootstrap a new authentication transaction.
This URL is used to redirect the user to the application after a successful login has taken place
This is a list that marks which authenticators should be used for the particular service
leafref ../../../authenticator-filters/authenticator-filter/id
../../../authenticator-filters/authenticator-filter/id
The optional list of URIs or URI-patterns that is allowed to embed the rendered pages inside an iframe or be a trusted source.
protocol (keys: ['id'])
Protocol transformer configurations
simple-api
A Protocol plugin using the Simple API Protocol. Required if this authentication profile is used by a token service profile
ping-federate
A Protocol plugin using Pingfederate’s agentless adapter integration method
/profiles/profile{id, type}/settings/authentication-service/protocols/protocol{id}/ping-federate
This URL is used if a request is made to the authentication service without the parameters necessary to initiate an authentication transaction. In such a case, the user is redirected to this URL, so that a new, properly formed, request can be made to bootstrap a new authentication transaction. When integrating to PingFederate, this could happen, for example, if the user arrives at the authentication service via PingFederate, book marks the page, and later follows their new bookmark. In this case, the user would not see an error page, but instead be redirected to this URL.
When PingFederate is requesting authentication directly, this optional list of URI’s or URI-patterns define which origins are allowed to frame pages in, i.e. this list decides how and which allowed frame response headers are sent. If none are configured, framing is not allowed for this protocol. Note that when PingFederate includes a client_id, the ServiceProvider’s framing settings are used!
saml
A SAML Protocol plugin for integration with services like ADFS and other SAML providers
/profiles/profile{id, type}/settings/authentication-service/protocols/protocol{id}/saml
Reference to the key that is used to sign the login token
The recipient or audience of the SAML response messages and assertions
The Assertion Consumer Service (ACS) URL where SAML Response messages are posted to
enumeration generic, adfs
generic, adfs
(default: generic)
The type of Federation Service that will receive the login token
The number of seconds allowed for clock skew (subtracted from issuance timestamp) thatis used to compute the time before which a token must not be used
(default: 300)
The number of seconds that SAML assertions are valid
Include SessionIndex in AuthnStatement of the SAML response.
The URL to send logout responses to. If empty, the ACS URL will be used.
Sign the assertion in addition to the response.
authenticator-filter (keys: ['id'])
Authenticator filter configuration. Authenticator filters are used to filter out authenticators depending on runtime information such as the request’s user-agent, for example.
geo-country
Geolocation Country Authenticator Filter
/profiles/profile{id, type}/settings/authentication-service/authenticator-filters/authenticator-filter{id}/geo-country
Apply the exclusions when the country request comes matches any in the list. If this is set to false, then the exclusions are applied when the country fails to match. A common use-case for setting this to false would be to remove certain authenticators when the request comes from a country that is not in the list.
geo-country/exclusions
List of authenticators to exclude.
script-filter
Script Authenticator Filter
leafref /base:processing/base:procedures/base:filter-procedure/base:id
/base:processing/base:procedures/base:filter-procedure/base:id
A reference to an existing authenticator-filter-procedure.
user-agent
User-Agent Authenticator Filter
This filter is applied only if the request’s User-Agent matches this regex.
user-agent/exclusions
cidr
CIDR Authenticator Filter
/profiles/profile{id, type}/settings/authentication-service/authenticator-filters/authenticator-filter{id}/cidr
The CIDR specifying the IP addresses and routing prefixes for which this filter should be applied.
Apply the exclusions when the cidr matches the IP. If this is set to false, then the exclusions are applied when the cidr fails to match. A common use-case for setting this to false would be to remove certain authenticators when the client is not on the internal network
cidr/exclusions
settings/user-management-service
/profiles/profile{id, type}/settings/user-management-service
The authorization manager to authorize access to the REST API
Data source where delegations are stored
(default: 500)
The max number of results to return in a single search response. Set to 0 to allow unlimited number of results.
Enable dynamic clients to be included in the account response in GraphQL.
settings/user-management-service/api-authentication
/profiles/profile{id, type}/settings/user-management-service/api-authentication
The realm to use when reporting an unauthenticated request in a HTTP-response. When no value is configured, the id of the user-management profile is used as realm.
The OAuth profile that is used to provide application access to the user-management endpoints.
param user-account-data-source: leafref /base:facilities/base:data-sources/base:data-source/base:id (mandatory) Data source to be used for user accounts. param devices-data-source: leafref /base:facilities/base:data-sources/base:data-source/base:id (optional) Data source to be used for devices.
Data source to be used for user accounts.
Data source to be used for devices.
param account-manager: leafref /base:processing/base:account-managers/base:account-manager/base:id (mandatory) The account manager with the accounts managed by this profile
The account manager with the accounts managed by this profile
settings/user-management-service/attribute-data-sources{id} (keys ['id'])
/profiles/profile{id, type}/settings/user-management-service/attribute-data-sources{id}
The resourceType provided by this data-source. The concept of a resource-type is borrowed from the SCIM specification (see https://tools.ietf.org/html/rfc7643#section-6) and refers to the name of the resource (eg. Group). Currently, resource-types are not mapped to SCIM endpoints and the resources they refer to may only be retrieved via the Users endpoint
The namespace associated with the resources provided by this data-source. If not specified, the following value will be used: urn:se.curity:scim:2.0:resourceType (where resourceType is the configured resourceType value).
settings/user-management-service/credential-management
/profiles/profile{id, type}/settings/user-management-service/credential-management
The credential manager to use for password updates. Notice that if a password is provided during account creation, a credential manager is required. If no credential manager is configured and a client tries to update a password, an error will occur.
validation-procedure to use to validate user passwords on updates.
settings/user-management-service/graphql-schema
settings/user-management-service/graphql-schema/additional-account-attribute{name} (keys ['name'])
/profiles/profile{id, type}/settings/user-management-service/graphql-schema/additional-account-attribute{name}
Name of a custom attribute
enumeration String, Boolean, Long, Object
String, Boolean, Long, Object
Data type of a custom attribute
authorization-server
The Authorization Server is a full OAuth 2.0 server with OpenID Connect support. It can issue tokens using the token issuer subsystem together with Token Procedures
/profiles/profile{id, type}/settings/authorization-server
Defines if refresh tokens are created on every refresh or if they are kept
Revoke delegation when public client attempts to reuse refresh token
Override the issuer for tokens issued by this authorization server. Setting this value instead of using the derived value for issuer, can break the standard discovery specification and should therefore only be used in exceptional circumstances, i.e. backwards compatibility or to integrate with existing environments where the derived issuer can not be used.
The (default) account manager to use for user attribute lookups
An absolute URL that refers to the privacy policy of the Authorization Server
An absolute URL that refers to the terms of service that users must accept when using any client configured in the profile
The published URL of the documentation that describes to developers how to use the service
If set, then all authorization responses need to be protected according to the ‘JWT Secured Authorization Response Mode for OAuth 2.0’ (JARM) specification
client-authentication
The methods by which an OAuth client may be authenticated
/profiles/profile{id, type}/settings/authorization-server/client-authentication
Basic authentication and form post. This is enabled by default.
Allow a client to not authenticate to the token endpoint. Selecting this authentication method for a client makes it a public client, as defined by OAuth.
client-authentication/asymmetrically-signed-jwt
Allowed asymmetric signing algorithms for JWT’s
enumeration RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, EdDSA
RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, EdDSA
The signature algorithms to allow
client-authentication/symmetrically-signed-jwt
Allowed symmetric signing algorithms for JWT’s
client-authentication/using-jwt
Settings for introspection of client signed JWT’s. Should not normally need to be changed from the defaults
/profiles/profile{id, type}/settings/authorization-server/client-authentication/using-jwt
Whether the ‘jti’ (JWT ID) claim should be checked for uniqueness in provided client assertion JWT’s
(default: 10)
The number of seconds that token lifetimes and issue times should be skewed to accommodate for clocks that may be out of sync
client-authentication/mutual-tls
Configure settings to allow client authentication through using mutual-tls
client-authentication/mutual-tls/by-proxy
Allow mutual TLS to be terminated in a proxy instead of directly within the identity server
/profiles/profile{id, type}/settings/authorization-server/client-authentication/mutual-tls/by-proxy
User ID credential that the proxy uses to authenticate using HTTP Basic authentication through a Proxy-Authorization header.
Password credential that the proxy uses to authenticate using HTTP Basic authentication through a Proxy-Authorization header.
Name of the HTTP header that the proxy uses to include the PEM- or base64-encoded DER representation of the client certificate in the forwarded request. Must be set for mutual-tls by-proxy to work.
request-object
The settings for allowing a request to be provided through a by-value or by-reference request object. By-value request objects are passed using the ‘request’ parameter whereas by-reference ones are provided in the ‘request-uri’ parameter. When enabled, a client can be required to provide a request object JWT. Additional restrictions per the relevant specifications are applied when used at the CIBA and PAR endpoints.
/profiles/profile{id, type}/settings/authorization-server/request-object
int16
The maximum time (from the ‘nbf’ claims to the ‘exp’ claim) that a request object should be valid for
DEPRECATED: If enabled, all authorization request parameters must be inside the request object, as claims, with the exception of request and request_uri. If a parameter is also present in the query string or form then it needs to have the same value as the claim inside the request object.
enumeration merge-outside-parameters-preferring-inside, ignore-outside-parameters, error-if-outside-parameters, must-be-inside-and-match-if-outside
merge-outside-parameters-preferring-inside, ignore-outside-parameters, error-if-outside-parameters, must-be-inside-and-match-if-outside
How claims in request objects and (form or query string) parameters are combined
request-object/encrypted-jwt
The request object JWT must be encrypted and signed
/profiles/profile{id, type}/settings/authorization-server/request-object/encrypted-jwt
Whether or not encrypted request objects should only be required for front-channel requests to the authorization endpoint
Indicate whether to include the certificate thumbprint (‘x5t’) in the JWKS endpoint
Indicate whether to include the certificate (‘x5c’) in the JWKS endpoint
request-object/asymmetrically-signed-jwt
Allowed asymmetric signing algorithms for request object JWTs
/profiles/profile{id, type}/settings/authorization-server/request-object/asymmetrically-signed-jwt
enumeration RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, EdDSA, none
RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, EdDSA, none
The list of claims that must be inside the request object.
authentication-service
/profiles/profile{id, type}/settings/authorization-server/authentication-service
client-capabilities
This section defines what a client may do when communicating with the OAuth server
client-capabilities/code
/profiles/profile{id, type}/settings/authorization-server/client-capabilities/code
token-time-to-live
The TTL of the Authorization Code
When enabled, all clients can enable per-request redirect-uri’s when using pushed authorization requests. This option can not be used together with redirect-uri-validation-policies. In order to use redirect-uri-validation-policies, this option to allow-per-request-redirect-uris must be disabled. This setting is deprecated in favour of redirect-uri-validation-policies.
enumeration plain, S256
plain, S256
A list of proof key challenge methods the clients aren’t allowed to use. Useful when one of the methods provided by the server is deemed insecure. This setting affects all the clients. Clients can have additional methods disallowed in their settings.
client-capabilities/code/require-pushed-authorization-requests
Require all clients in this profile to use pushed authorization requests to initiate the code flow.
client-capabilities/implicit
client-capabilities/resource-owner-password-credentials
The credential manager to use when authenticating the user using Resource Owner Password Credentials
client-capabilities/client-credentials
client-capabilities/introspection
client-capabilities/token-exchange
client-capabilities/assisted-token
/profiles/profile{id, type}/settings/authorization-server/client-capabilities/assisted-token
When set, the issued token is stored in a secure cookie in the user-agent; and is thereafter re-issued on subsequent requests
When set, the token storage cookie name is prefixed with the defined value. The cookie name will always be collision free over profiles and clients.This value will get URL-encoded, to enforce a valid cookie name.
client-capabilities/backchannel-authentication
/profiles/profile{id, type}/settings/authorization-server/client-capabilities/backchannel-authentication
(default: 900)
The default time to live for backchannel authentication requests.
Enables mandatory signed request object in backchannel authentication request
(default: 10000)
The maximum length allowed for binding_message.
client-capabilities/device-authorization
/profiles/profile{id, type}/settings/authorization-server/client-capabilities/device-authorization
The suggested interval between polling attempts for clients
The time-to-live of an issued user and device code
When enabled, a QR-code is generated and returned with a user and device code
When set, the alias will be used as verification-url where the user should go to verify its user code. If not set, the verification-url is derived from the profile’s base-url settings.
client-capabilities/assertion
Allow client to use the assertion grant on the token endpoint.
client-capabilities/assertion/asymmetrically-signed-jwt
Allowed asymmetric signing algorithms for JWT assertions
enumeration RS256, RS384, RS512, PS256, PS384, PS512
RS256, RS384, RS512, PS256, PS384, PS512
client-capabilities/assertion/symmetrically-signed-jwt
Allowed symmetric signing algorithms for JWT assertions
scopes
/profiles/profile{id, type}/settings/authorization-server/scopes
The shortest time an access token will be valid for
The default scope (the empty scope) is described with this description
scopes/scope{id} (keys ['id'])
/profiles/profile{id, type}/settings/authorization-server/scopes/scope{id}
Whether this is a prefix scope. Prefix scopes allow clients to use dynamic scopes that start with a prefix, but may have any value after that.
The Time To Live for a scope
Whether the scope is required in the request (but not necessarily granted) when configured for any client in the profile or during registration of a non-templatized dynamic clients when all scopes or this scope in particular is allowed to be registered by dynamic clients.
Expose this scope as part of the published metadata.
leafref ../../../claims/claim/name
../../../claims/claim/name
The claims that are issued when the client is granted this scope of access
scopes/scope{id}/properties
scopes/scope{id}/properties/property{key} (keys ['key'])
/profiles/profile{id, type}/settings/authorization-server/scopes/scope{id}/properties/property{key}
leafref ../../claims/claim/name
../../claims/claim/name
The claims that are issued for the default scope (empty scope)
claims
/profiles/profile{id, type}/settings/authorization-server/claims
When this is set to true, all the system claims will be exposed in the metadata.
uint8
(default: 5)
Maximum total time allowed for all claims providers to return claims. Depending on the claims provider used and their implementation, it may not be possible to cancel their operation in order to fulfill this timeout.
claims/claim{name} (keys ['name'])
The list of claims available in the profile
/profiles/profile{id, type}/settings/authorization-server/claims/claim{name}
The name of the claim
A user-friendly description. Can be presented to the user during consent
leafref ../../claims-value-provider/id
../../claims-value-provider/id
The claims-value-provider that provides the value for the claim; if nothing is set, a ‘none’-claims provider (i.e. a claims provider that provides no value) will be used.
Whether the claim is required in the request (but not necessarily granted) when configured for any client in the profile or during registration of a non-templatized dynamic client.
If this claim should be exposed in the metadata
claims/claim{name}/transformation
A transformation from the raw data to the claim name and value
/profiles/profile{id, type}/settings/authorization-server/claims/claim{name}/transformation
A value mapping procedure for this claim.
The input attributes to map
claims/claims-value-provider{id} (keys ['id'])
The claim value sources. These lookup attributes based on the given claims
The name of the claim value provider
claims/claims-value-provider{id}/authentication-context-claims-provider
claims/claims-value-provider{id}/admin-groups-claims-provider
claims/claims-value-provider{id}/account-manager-claims-provider
/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/account-manager-claims-provider
Whether an account’s attributes should be mapped to OpenID Connect claims
While this is turned off, the claims provider will not resolve any claims if the account is inactive.
claims/claims-value-provider{id}/account-manager-claims-provider/account-manager
claims/claims-value-provider{id}/script-claims-provider
The id used to identify a procedure
claims/claims-value-provider{id}/script-claims-provider/account-manager
claims/claims-value-provider{id}/script-claims-provider/bucket
claims/claims-value-provider{id}/script-claims-provider/data-source
claims/claims-value-provider{id}/script-claims-provider/webservice
/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/script-claims-provider/webservice
claims/claims-value-provider{id}/client-certificate-claims-provider
claims/claims-value-provider{id}/authentication-subject-claims-provider
claims/claims-value-provider{id}/data-source-claims-provider
claims/claims-value-provider{id}/data-source-claims-provider/data-source
claims/claims-value-provider{id}/consent-claims-provider
claims/claims-value-provider{id}/system-information-claims-provider
claims/claims-mappers
The mapping to what token or response the claim is used. A claim that is not mapped will not be issued.
leafref ../claims-mapper/id
../claims-mapper/id
The default claims mapper to use when adding claims to tokens if not defined otherwise in the client.
claims/claims-mappers/claims-mapper{id} (keys ['id'])
/profiles/profile{id, type}/settings/authorization-server/claims/claims-mappers/claims-mapper{id}
The name of the mapper
A description for the administrator
claims/claims-mappers/claims-mapper{id}/access_token
The claims that go into the default access tokens. This will be the result of the getDefaultAccessTokenData() function.
/profiles/profile{id, type}/settings/authorization-server/claims/claims-mappers/claims-mapper{id}/access_token
leafref ../../../../claim/name
../../../../claim/name
system-access-token-claim-name aud, client_id, delegationId, exp, iat, iss, nbf, scope, sub, purpose, cnf, jti, dcrm_client
system-access-token-claim-name
aud, client_id, delegationId, exp, iat, iss, nbf, scope, sub, purpose, cnf, jti, dcrm_client
(multi-value) (default: aud)
The claims that always will exist on an access token. Not editable
claims/claims-mappers/claims-mapper{id}/id_token
The claims that go into the default id tokens. This will be the result of the getDefaultIdTokenData() function.
/profiles/profile{id, type}/settings/authorization-server/claims/claims-mappers/claims-mapper{id}/id_token
system-id-token-claim-name iss, sub, aud, exp, iat, auth_time, nonce, acr, amr, azp, nbf, client_id, delegationId, purpose
system-id-token-claim-name
iss, sub, aud, exp, iat, auth_time, nonce, acr, amr, azp, nbf, client_id, delegationId, purpose
(multi-value) (default: iss)
The claims that always will exist on an ID token. Not editable
claims/claims-mappers/claims-mapper{id}/userinfo
The claims that go into the default user info response. This will be the result of the getDefaultResponseData() function.
/profiles/profile{id, type}/settings/authorization-server/claims/claims-mappers/claims-mapper{id}/userinfo
(multi-value) (default: sub)
claims/claims-mappers/claims-mapper{id}/wrapper-token
The claims that go into JWT tokens that wrap opaque tokens.This is used by opaque token issuers that are configured to return a wrapper JWT instead of an opaque reference as the token artifact.Adding a claim here does not include it in the wrapped token’s data available via introspection.
/profiles/profile{id, type}/settings/authorization-server/claims/claims-mappers/claims-mapper{id}/wrapper-token
system-wrapper-token-claim-name iss, iat, exp, azp, jti, aud
system-wrapper-token-claim-name
iss, iat, exp, azp, jti, aud
The claims that always will exist on a wrapper JWT token. Not editable
claims/claims-mappers/claims-mapper{id}/custom{id} (keys ['id'])
The claims that go into custom tokens. This will be the result of the get default data functions such as getDefaultData(‘idOfCustomTokenMapping’) function.
/profiles/profile{id, type}/settings/authorization-server/claims/claims-mappers/claims-mapper{id}/custom{id}
The id of the mapping. Used as key to the getDefaultData functions
enumeration access_token, access-token, id_token, id-token, userinfo, user-info
access_token, access-token, id_token, id-token, userinfo, user-info
(default: access_token)
The list of claims for this mapping
openid-connect
/profiles/profile{id, type}/settings/authorization-server/openid-connect
Define the time to live of id tokens. Can be overruled by individual client configuration.
When set, any claim that is not defined by the OpenID Connect specification, but is added by a procedure, is not removed by scope filtering.
openid-connect/expose-metadata
This section specifies what metadata is exposed on the OpenID Connect discovery endpoint for this profile.
/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata
An optional value that must contain the full URL to the JWKS endpoint. If this is not set, the URL is established by deriving it from the anonymous endpoint. If more than one anonymous endpoint is available, it is required to set this value.
(default: 600)
The number of seconds that the metadata can be cached as network resource, as used in HTTP response headers.
openid-connect/expose-metadata/authorize-endpoint
The authorize-endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one authorize-endpoint is deployed on this profile.
/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/authorize-endpoint
leafref ../../../../../../base:endpoints/base:endpoint/base:id
../../../../../../base:endpoints/base:endpoint/base:id
The endpoint ID
The external base URL to report for this endpoint
openid-connect/expose-metadata/token-endpoint
The token-endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one token-endpoint is deployed on this profile.
/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/token-endpoint
openid-connect/expose-metadata/userinfo-endpoint
The userinfo-endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one userinfo-endpoint is deployed on this profile.
/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/userinfo-endpoint
openid-connect/expose-metadata/revocation-endpoint
The revocation-endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one revocation-endpoint is deployed on this profile.
/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/revocation-endpoint
openid-connect/expose-metadata/introspection-endpoint
The introspection-endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one introspection-endpoint is deployed on this profile.
/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/introspection-endpoint
openid-connect/expose-metadata/assisted-token-endpoint
The assisted-token-endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one assisted-token-endpoint is deployed on this profile.
/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/assisted-token-endpoint
openid-connect/expose-metadata/dynamic-client-registration-endpoint
The dynamic client registration endpoint to include in the published OpenID Connect configuration metadata.This is required when more than one dynamic-client-registration endpoint is deployed on this profile.
/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/dynamic-client-registration-endpoint
openid-connect/expose-metadata/device-authorization-endpoint
The device authorization endpoint to include in the published OpenID Connect configuration metadata.This is required when more than one device authorization endpoint is deployed on this profile.
/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/device-authorization-endpoint
openid-connect/expose-metadata/backchannel-authentication-endpoint
The backchannel authentication endpoint to include in the published OpenID Connect configuration metadata.This is required when more than one backchannel authentication endpoint is deployed on this profile.
/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/backchannel-authentication-endpoint
openid-connect/expose-metadata/session-endpoint
The session endpoint to include in the published OpenID Connect configuration metadata.This is required when more than one session endpoint is deployed on this profile.
/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/session-endpoint
openid-connect/expose-metadata/signed-metadata
When present, a signed version of the metadata will be included in the response. The metadata will be included as a JWT, as issued by the default token-issuer of the current profile.
(default: 40320)
The number of minutes that the signed metadata JWT can be used before it expires, as used in the JWT’s ‘exp’ claim
openid-connect/require-pairwise-subject-identifiers
Set when clients on this profile must always be issued pairwise pseudonyms for authenticated subjects
openid-connect/id-token-encryption
Enables the use of issuing encrypted ID tokens.
/profiles/profile{id, type}/settings/authorization-server/openid-connect/id-token-encryption
allowed-asymmetric-key-management-algorithms RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW
allowed-asymmetric-key-management-algorithms
RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW
The whitelist of allowed key-management encryption algorithms. If nothing is selected, all are allowed.
The whitelist of allowed content encryption algorithms. If nothing is selected, all are allowed.
consentors
consentors/consentor{id} (keys ['id'])
The list of available consentors for the profile
/profiles/profile{id, type}/settings/authorization-server/consentors/consentor{id}
The consentor name
A readable consentor description, for user presentation. Can be a locale key.
consentors/consentor{id}/signing-consentor
A signing token consentor
/profiles/profile{id, type}/settings/authorization-server/consentors/consentor{id}/signing-consentor
leafref /base:profiles/base:profile[base:id=current()/../../../../../../base:id][base:type=current()/../../../../../../base:type]/base:token-issuers/base:custom-token-issuer/base:id
/base:profiles/base:profile[base:id=current()/../../../../../../base:id][base:type=current()/../../../../../../base:type]/base:token-issuers/base:custom-token-issuer/base:id
The token issuer used to sign the JWT that is signed by the consentor
The JavaScript procedure to compute the text to display.
consentors/consentor{id}/signing-consentor/webservice
Enable and configure this if the procedure needs access to a web service in its context.
/profiles/profile{id, type}/settings/authorization-server/consentors/consentor{id}/signing-consentor/webservice
consentors/consentor{id}/signing-consentor/attribute-data-source
Enable and configure this if the procedure needs access an attribute data source in its context.
redirect-uri-validation-policies
Configuration settings for allowing different validation methods for redirect uri’s.
leafref ../redirect-uri-validation-policy/id
../redirect-uri-validation-policy/id
The default redirect-uri validation policy to use for the profile. If not set, redirect-uri’s are validated as exact match.
redirect-uri-validation-policies/redirect-uri-validation-policy{id} (keys ['id'])
/profiles/profile{id, type}/settings/authorization-server/redirect-uri-validation-policies/redirect-uri-validation-policy{id}
The name of the redirect-uri-validation-policy
A human readable name of the redirect uri validation policy.
redirect-uri-validation-policies/redirect-uri-validation-policy{id}/request-validation
Configure how a redirect_uri is validated when it is being used in a request.
/profiles/profile{id, type}/settings/authorization-server/redirect-uri-validation-policies/redirect-uri-validation-policy{id}/request-validation
Disable all validations when the URI is localhost, such as port, path etc
Allow the query string of the redirect_uri to be different per request
redirect-uri-validation-policies/redirect-uri-validation-policy{id}/request-validation/authenticated-authorization-requests
Configure how a redirect_uri is validated when it is received as part of a request where the client was authenticated, e.g. when it is a PAR or CIBA request.
/profiles/profile{id, type}/settings/authorization-server/redirect-uri-validation-policies/redirect-uri-validation-policy{id}/request-validation/authenticated-authorization-requests
Consider the port in the URL when comparing the registered URI with the requested redirect_uri
Validate the path part of the URI to match exactly the registered path
Allow the registered path to be appended with suffix path parts per request
Validate the querystring to match (dynamic clients) or start with the configured querystring (static clients). If disabled, any querystring value is acceptable.
enumeration exact, tld-plus-one, tld-plus-two, no-validation
exact, tld-plus-one, tld-plus-two, no-validation
(default: exact)
Validation on the domain parts of the URI
redirect-uri-validation-policies/redirect-uri-validation-policy{id}/registration-validation
Configure how a redirect_uri is validated when it is being used in a registration request.
Allow a client to register a non-TLS http redirect_uri
client-store
client-store/config-backed
client-store/config-backed/client{id} (keys ['id'])
/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}
The client ID corresponding to the spec
A human readable name of the client
A human readable description of the client
A logo of the client, that can shown in user interface templates.
This URL is used if a request is made to the OAuth server without the parameters necessary to initiate authentication. In such a case, the user is redirected to this URL, so that a new, properly formed, request can be made to bootstrap a new authentication transaction.
A settable state of the client, to be able to host disabled clients
An operational state, for history purpose
Describes who was the user that created the client.
The Time To Live for an access token
disablable-token-time-to-live
The Time To Live for a Refresh token. If set to ‘disabled’, no Refresh Tokens will be issued
When set, the refresh-token-ttl is used to set the expiration of new refresh tokens, until this max value is reached.
The Time to Live for an id token. If not set, the profile-setting is used.
leafref ../../../../claims/claims-mappers/claims-mapper/id
../../../../claims/claims-mappers/claims-mapper/id
The mapper to use when adding claims to tokens. The mapper decides what claims end up in which token or response. The claims themselves are defined in the scope. If not set, the default-mapper is used
An absolute URL that refers to the privacy policy for the client
An absolute URL that refers to the terms of service of the client
Whether the port should be validated when a client is configured to redirect to the loopback interface. Defaults to true for backwards compatibility. Future versions may default to false because RFC-8252 (sec. 3) says the port should not be validated and this does not generally reduces the security of local redirects. This option can not be set when the profile enables redirect-uri validation policies. This setting is deprecated in favour of redirect-uri-validation-policies.
leafref ../../../../redirect-uri-validation-policies/redirect-uri-validation-policy/id
../../../../redirect-uri-validation-policies/redirect-uri-validation-policy/id
The redirect uri validation policy to use for this client. This value overrides the profile’s setting for the default redirect uri validation policy.
Defines if refresh tokens are created on every refresh or if they are kept, when set this takes precedence over profile setting (reuse-refresh-tokens), when not set profile setting applies
Describes how the client is authenticated param secret:sha-256-digest-string (optional) A password used by the client param asymmetric-key: leafref /base:facilities/base:crypto/base:signature-verification-keys/base:signature-verification-key/base:id (optional) A public key that corresponds to the private key the client will use to sign a token with to authenticate itself
Describes how the client is authenticated
sha-256-digest-string
A password used by the client
A public key that corresponds to the private key the client will use to sign a token with to authenticate itself
client-store/config-backed/client{id}/jwks-uri
A key present in a JWKS referenced by an URI, accessed via an optional HTTP client ID
/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/jwks-uri
The JWKS URI
The optional HTTP client used to retrieve the JWKS
A secret key that the client will use to sign or integrity protect a token with to authenticate itself
client-store/config-backed/client{id}/mutual-tls-by-proxy
Enable client authentication through mutual-tls by-proxy.
param client-dn: non-empty-string (optional) The DN of the client certificate that the client must identify with. param client-dns-name: non-empty-string (optional) The expected dNSName SAN entry in the certificate that the client must identify with. param client-uri: uri (optional) The expected uniformResourceIdentifier SAN entry in the certificate that the client must identify with. param client-ip: ip-address (optional) The expected IP address in either dotted decimal notation (for IPv4) or colon-delimited hexadecimal (for IPv6) that is expected to be present as an iPAddress SAN entry in the certificate that the client must identify with. param client-email: non-empty-string (optional) The expected rfc822Name SAN entry in the certificate that the client must identify with. param trusted-ca: leafref /base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id (mandatory) The CA that must be the issuer of the client certificate that can be accepted to authenticate this client. Must be set.
The DN of the client certificate that the client must identify with.
The expected dNSName SAN entry in the certificate that the client must identify with.
The expected uniformResourceIdentifier SAN entry in the certificate that the client must identify with.
The expected IP address in either dotted decimal notation (for IPv4) or colon-delimited hexadecimal (for IPv6) that is expected to be present as an iPAddress SAN entry in the certificate that the client must identify with.
The expected rfc822Name SAN entry in the certificate that the client must identify with.
leafref /base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id
/base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id
The CA that must be the issuer of the client certificate that can be accepted to authenticate this client. Must be set.
param client-certificate: leafref /base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id (optional) The client certificate that must be used to authenticate the client.
The client certificate that must be used to authenticate the client.
client-store/config-backed/client{id}/mutual-tls
Enable client authentication through direct mutual-tls
param client-certificate: leafref /base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id (optional) The client certificate that must be used to authenticate the client. param no-authentication: boolean (default: false) When no-authentication is selected, the client is a public client. Can only be used for clients that requests tokens, and only makes sense if they use the token endpoint (i.e. use the code flow). param credential-manager: leafref /base:processing/base:credential-managers/base:credential-manager/base:id (optional) The Credential Manager to use to transform the client secret. For configured clients, this credential manager is also used to retrieve the client secret from the configured data source on the credential manager
When no-authentication is selected, the client is a public client. Can only be used for clients that requests tokens, and only makes sense if they use the token endpoint (i.e. use the code flow).
The Credential Manager to use to transform the client secret. For configured clients, this credential manager is also used to retrieve the client secret from the configured data source on the credential manager
client-store/config-backed/client{id}/secondary-authentication-method
The instant after which the secondary verifier should not be used
client-store/config-backed/client{id}/secondary-authentication-method/jwks-uri
/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/secondary-authentication-method/jwks-uri
client-store/config-backed/client{id}/secondary-authentication-method/mutual-tls-by-proxy
client-store/config-backed/client{id}/secondary-authentication-method/mutual-tls
client-store/config-backed/client{id}/request-object
Enable request-object support where the client can send in a JWT with the request parameters. If enabled, a request object JWT MUST be provided by the client.
/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/request-object
The issuer of the request object’s JWT. If the issuer is not explicitly set, it must be the same value as the client_id of the client that makes the request.
A public key that corresponds to the private key that the issuer of the request object JWT used to sign the JWT
If set to true, then unsigned request objects sent by-value will be accepted.
client-store/config-backed/client{id}/request-object/by-reference
Enable the use of request object that are sent by-reference using the request_uri parameter
/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/request-object/by-reference
The HTTP client that will be used when fetching the request object from a provided URI
If set to true, then unsigned request objects sent by-reference will be accepted.
Whitelist of all locations that can be included in a request_uri parameter. The value ‘*’ allows for any. A wildcard character ‘*’ is also allowed at the end of the uri value.
The whitelist of Redirect URIs allowed for the client. If code or Implicit flow is used, this will have a required minimum of 1 items
client-store/config-backed/client{id}/user-consent
When set, the user is asked to accept the delegation via a consent screen. This applies to all interactive flows (i.e. code, implicit, assisted token and device authorization flow)
/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/user-consent
When enabled, the user is allowed to deselect optional scopes or claims when asked for consent.
When enabled, the built-in consent screen will not be shown and only the consentors will run.
client-store/config-backed/client{id}/user-consent/consentors
The consentors usable with this client. If empty, then all profile consentors will be usable
leafref ../../../../../../consentors/consentor/id
../../../../../../consentors/consentor/id
client-store/config-backed/client{id}/proof-key
Proof Key for Code Exchange (RFC 7636 - PKCE) is a measure for preventing authorization code interception. This is an attack on client systems that allow a malicious application to register itself as a handler for the custom scheme utilized by the legitimate app in the Authorization Code Grant flow.
/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/proof-key
Enforces this client to provide a proof key challenge and -verifier when performing the Authorization Code Grant flow.
A list of proof key challenge methods the client isn’t allowed to use. Useful when one of the methods provided by the server is deemed insecure for the intended client. This setting would be merged with profile level setting. For example, if profile disallowed plain and client disallowed S256, then both methods are disallowed
The intended audiences for the token. The first element is the default. If none are stipulated, the ID of the client will be used as the audience
leafref ../../../../scopes/scope/id
../../../../scopes/scope/id
A subset of the scopes defined in the profile that this client is allowed to request or all if a subset are not defined here
client-store/config-backed/client{id}/user-authentication
/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/user-authentication
Information that will be displayed to the user when authenticating the client
Optional default setting whether user authentication is forced at all times.
Optional maximum age in seconds after which re-authentication must take place.
Optional override for default locale.
Optional uri of the client that is called upon user logout when attempting front channel logout. Requires OpenId Connect to be enabled.
Optional uri of the client that is called upon user logout when attempting back channel logout. Requires OpenId Connect to be enabled.
The HTTP client that will be used when delivering the logout token to the backchannel logout uri
leafref /base:profiles/base:profile[base:id=current()/../../../../../authentication-service/authentication-profile]/base:settings/auth:authentication-service/auth:authenticators/auth:authenticator/auth:id
/base:profiles/base:profile[base:id=current()/../../../../../authentication-service/authentication-profile]/base:settings/auth:authentication-service/auth:authenticators/auth:authenticator/auth:id
The list of allowed authenticators for this client
leafref /base:profiles/base:profile[base:id=current()/../../../../../authentication-service/authentication-profile]/base:settings/auth:authentication-service/auth:authenticator-filters/auth:authenticator-filter/auth:id
/base:profiles/base:profile[base:id=current()/../../../../../authentication-service/authentication-profile]/base:settings/auth:authentication-service/auth:authenticator-filters/auth:authenticator-filter/auth:id
The list of authenticator-filters for this client
A list of named claims that must be required by the authenticator when authenticating the user.
The optional list of URIs that is allowed for the client to use as post logout redirect uri. Requires OpenId Connect to be enabled.
The optional list of URIs or URI-patterns that is allowed to embed the rendered pages inside an iframe, be a trusted source or be used for CORS.
client-store/config-backed/client{id}/capabilities
OAuth capabilities that this client is allowed to perform
/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/capabilities
Allows implicit flow
Allows for the Client Credentials Grant
Allows the client to use token introspection
The assisted-token capability allows the client to use a helper endpoint to use simplified OAuth flows.
Allows the client to use exchange tokens for other tokens
Allows the client to use the device flow
client-store/config-backed/client{id}/capabilities/code
Allows code flow
client-store/config-backed/client{id}/capabilities/code/require-pushed-authorization-requests
The client is required to use Pushed Authorization Requests when starting a code flow.
When enabled, the client can use per-request redirect-uri’s when using pushed authorization requests. Defaults to false.This setting is deprecated in favour of redirect-uri-validation-policies.
client-store/config-backed/client{id}/capabilities/resource-owner-password-credentials
Allows ROPC grant-type
The optional credential manager to use when authenticating the user using Resource Owner Password Credentials
client-store/config-backed/client{id}/capabilities/backchannel-authentication
Allows the client to perform backchannel authentication
leafref /base:profiles/base:profile[base:id=current()/../../../../../../authentication-service/authentication-profile]/base:settings/auth:authentication-service/auth:authenticators/auth:backchannel-authenticator/auth:id
/base:profiles/base:profile[base:id=current()/../../../../../../authentication-service/authentication-profile]/base:settings/auth:authentication-service/auth:authenticators/auth:backchannel-authenticator/auth:id
A list of backchannel enabled authenticators that the client is allowed to use. Should be a subset of backchannel authenticators from the linked authentication profile. If nothing is set, all backchannel-authenticators from the linked authentication profile will be available for this client to use.
client-store/config-backed/client{id}/capabilities/assertion
Allows the client to use JWT assertions as grant
client-store/config-backed/client{id}/capabilities/assertion/jwt
Configure the assertion grant for JWT assertions.
Allow a client to reuse the same JWT assertion to make multiple token requests.
client-store/config-backed/client{id}/capabilities/assertion/jwt/trust
When set, a JWT that is used as assertion must have an issuer claim that matches the configured value.
param asymmetric-signing-key: leafref /base:facilities/base:crypto/base:signature-verification-keys/base:signature-verification-key/base:id (optional) A public key that corresponds to the private key that the issuer of the assertion used to sign the JWT
A public key that corresponds to the private key that the issuer of the assertion used to sign the JWT
client-store/config-backed/client{id}/capabilities/assertion/jwt/trust/jwks-uri
/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/capabilities/assertion/jwt/trust/jwks-uri
client-store/config-backed/client{id}/capabilities/haapi
Allows the client to use the hypermedia authentication API
/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/capabilities/haapi
When enabled, a HAAPI token can be issued to clients based on client authentication instead of based on client attestation. To set this option, a client must have credentials and can not be configured with attestation settings.
Use an older version of the DPoP processing, which is not nonce-based. This may be required if the client uses an older version of the HAAPI SDK. Refer to the HAAPI SDK documentation for details.
client-store/config-backed/client{id}/dynamic-client-registration-template
Enable client as template for Dynamic Client Registration
How the dynamically registered client based on this template can authenticate. Default is secret
param secret:empty (optional) param credential-manager: leafref /base:processing/base:credential-managers/base:credential-manager/base:id (optional) The credential manager that should be used to verify and manage templatized dynamic clients’ secrets. Note that the data source on the credential manager (if configured) is not used. Only the transformation algorithm. The secret is stored with the client metadata in the dynamic client registration data source.
The credential manager that should be used to verify and manage templatized dynamic clients’ secrets. Note that the data source on the credential manager (if configured) is not used. Only the transformation algorithm. The secret is stored with the client metadata in the dynamic client registration data source.
param authenticate-user-by: leafref ../../../client/id (multi-value) (optional) Reference to other OAuth clients in the profile that may be used to authenticate the user and obtain the initial access token necessary for a new client to register based on this client as a template. param authenticate-client-by: leafref ../../../client/id (multi-value) (optional) Reference to other OAuth clients in the profile that may be used to authenticate using client-credentials to obtain the initial access token necessary for a new client to register based on this client as a template
leafref ../../../client/id
../../../client/id
Reference to other OAuth clients in the profile that may be used to authenticate the user and obtain the initial access token necessary for a new client to register based on this client as a template.
Reference to other OAuth clients in the profile that may be used to authenticate using client-credentials to obtain the initial access token necessary for a new client to register based on this client as a template
client-store/config-backed/client{id}/use-pairwise-subject-identifiers
Enable this when the client must always be issuing pairwise pseudonym subject identifiers instead of public identifiers.
The sector identifier that is used to derive the pairwise pseudonym from, i.e. the pairwise pseudonym is defined for the pair of sector identifier and subject
client-store/config-backed/client{id}/signed-userinfo
Enable support for returning userinfo as signed JWT
leafref /base:profiles/base:profile[base:id=current()/../../../../../../../base:id][base:type=current()/../../../../../../../base:type]/base:token-issuers/base:custom-token-issuer/base:id
/base:profiles/base:profile[base:id=current()/../../../../../../../base:id][base:type=current()/../../../../../../../base:type]/base:token-issuers/base:custom-token-issuer/base:id
A token issuer with a purpose of userinfo
client-store/config-backed/client{id}/id-token-encryption
Enable Id token encryption as per JWE specification
/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/id-token-encryption
leafref /base:facilities/base:crypto/base:encryption-keys/base:encryption-key/base:id
/base:facilities/base:crypto/base:encryption-keys/base:encryption-key/base:id
The reference to encryption keystore containing encryption key
The encryption algorithm used to encrypt the payload of the JWE token
The encryption algorithm for encrypting the content encryption key.Only asymmetric algorithms are supported as of 6.5.0
client-store/config-backed/client{id}/attestation
If set to true, allow the client to use HAAPI, but disable the validation of the attestation data. This is unsafe and must not be used in production.
client-store/config-backed/client{id}/attestation/web
leafref /base:facilities/base:client-attestation/cat:web-policy/cat:id
/base:facilities/base:client-attestation/cat:web-policy/cat:id
Link to the Web policy to use for this client. If not set, a default policy is used.
client-store/config-backed/client{id}/attestation/android
/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/attestation/android
leafref /base:facilities/base:client-attestation/cat:android-policy/cat:id
/base:facilities/base:client-attestation/cat:android-policy/cat:id
Link to the Android policy to use for this client. If not set, a default policy is used.
Android package name this client can be used from
SHA-256 digest of the certificate used to sign approved Android packages, encoded in base64