Environment

environments/environment

Defines an environment with all services and meta information it needs

Path :

/environments/environment

Parameters:
  • name

    string

    (default: se.curity)

    The name of the organization running the services in an environment (Entity ID)

  • deployment-type

    union

    (optional)

    The type of deployment this system is executing as.

  • base-url

    uri

    (optional)

    The external base URL used to contact this machine

  • static-resource-root-path

    uri

    (default: )

    The root path under the base-url from which static resources should be served

  • available-template-areas

    string

    (multi-value) (optional)

    Reports the template areas that are available as they are found on the file system of the admin node

Localization

environments/environment/localization

The localization settings for this environment

Path :

/environments/environment/localization

Parameters:
  • default-locale

    string

    (default: en)

    Default locale if no locale is specified in the request

White-listed-proxies

environments/environment/white-listed-proxies

A list of proxies that are allowed to sit between the requestor and this server. If this list is empty, the X-Forwarded-For header is ignored. If the list is non-empty and the proxies match it, the X-Forwarded-For header is used as the remote IP of the client.

Path :

/environments/environment/white-listed-proxies

Parameters:
  • proxy

    union

    (multi-value) (optional)

    An IPv4/IPv6 address, hostname or IPv4/IPv6 CIDR of the proxy to whitelist.
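
The white-list rule above, worked through as an added example (not code from the Curity reference): an empty list ignores X-Forwarded-For, a non-empty list only honours the header when the connecting peer is a listed proxy. The right-to-left walk of the chain and the hostname resolver are this example's own assumptions; the page does not specify the exact matching algorithm.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional

# Constructed sample configuration (not from the reference): entries an
# operator might put under white-listed-proxies/proxy.
SAMPLE_WHITE_LIST = ["10.0.0.0/8", "2001:db8::1", "edge.example"]


def _default_resolve(hostname: str) -> List[str]:
    """Resolve a hostname entry to its addresses (hostname entries only)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None)})


def _to_networks(entries: Iterable[str], resolve: Callable[[str], List[str]]):
    """Normalise IPv4/IPv6 addresses, CIDRs and hostnames into network objects."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Not an address or CIDR: treat it as a hostname and resolve it.
            nets.extend(ipaddress.ip_network(a) for a in resolve(entry))
    return nets


def _is_white_listed(hop: str, proxies) -> Optional[bool]:
    """True/False for a valid address, None when the hop is not an IP at all."""
    try:
        addr = ipaddress.ip_address(hop)
    except ValueError:
        return None
    return any(addr in net for net in proxies)


def remote_ip(peer_ip: str, xff_header: Optional[str],
              white_listed_proxies: Iterable[str],
              resolve: Callable[[str], List[str]] = _default_resolve) -> str:
    """Determine the client's remote IP for one request.

    peer_ip is the address of the TCP peer; xff_header is the raw
    X-Forwarded-For value (or None when the header is absent).
    """
    proxies = _to_networks(white_listed_proxies, resolve)
    if not proxies or not xff_header:
        # Empty white list (or no header): X-Forwarded-For is ignored.
        return peer_ip
    if not _is_white_listed(peer_ip, proxies):
        # The directly connected peer is not a white-listed proxy, so the
        # header it sent cannot be trusted: this is what defeats a spoofed XFF.
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Assumption: walk the chain right to left; the first hop that is not a
    # white-listed proxy is the client. Entries left of it were appended by
    # whoever sat in front of the trusted proxies and are not believed.
    for hop in reversed(hops):
        trusted = _is_white_listed(hop, proxies)
        if trusted is None:
            return peer_ip  # malformed chain: fall back to the socket peer
        if not trusted:
            return hop
    # Every hop was a white-listed proxy: the leftmost entry is the origin.
    return hops[0] if hops else peer_ip


if __name__ == "__main__":
    fake = lambda host: ["192.0.2.1"]  # stand-in resolver for edge.example
    print(remote_ip("10.0.0.5", "203.0.113.9, 10.0.0.7", SAMPLE_WHITE_LIST, fake))
    print(remote_ip("198.51.100.3", "203.0.113.9", SAMPLE_WHITE_LIST, fake))
```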

Cluster

environments/environment/cluster

Settings of a configuration cluster

Path :

/environments/environment/cluster

Parameters:
  • keystore

    string

    (mandatory)

    The keystore for cluster communication. This should only be set with keystores generated by Curity

  • host

    host

    (mandatory)

    The host or IP of the cluster admin node that the run-time nodes will connect to

  • port

    port-number

    (default: 6789)

    The port of the cluster admin node

  • distributed-service-port

    port-number

    (default: 6790)

    The port of the distributed service

  • admin-listening-host

    host

    (default: 0.0.0.0)

    The host or IP that the admin node should listen on (e.g., 0.0.0.0 to listen on all network interfaces)

Admin-service

environments/environment/admin-service

Enable the admin service

Path :

/environments/environment/admin-service

Parameters:
  • credential-manager

    leafref /processing/credential-managers/credential-manager/id

    (optional)

    A credential manager that verifies accounts against an external user repository (e.g., LDAP)

  • tenant-id

    non-empty-string

    (optional)

    ID of the tenant associated with the admin-service credential manager. When not set, the default tenant is used.

  • authorization-manager

    leafref /processing/authorization-managers/authorization-manager/id

    (optional)

    An authorization manager that authorizes Admin service requests against the backend

Http

environments/environment/admin-service/http

Enables the HTTP admin service interface (Web UI and/or RESTCONF)

Path :

/environments/environment/admin-service/http

Parameters:
  • listening-host

    ip-address

    (default: 0.0.0.0)

    The IP address to listen on

  • listening-port

    port-number

    (default: 6749)

    The port the admin endpoint listens on

  • ssl-server-keystore

    leafref /facilities/crypto/ssl/server-keystore/id

    (optional)

    A pointer to the key used for the SSL server. When no key is configured, the admin service is served over plain HTTP instead of HTTPS.

  • base-url

    uri

    (optional)

    The external base URL used to contact the admin Web UI and RESTCONF

  • enable-http-v2

    boolean

    (default: false)

    Enables support for the HTTP/2 protocol. HTTP/2 is usually faster than HTTP/1.x, but may not be as widely supported by clients. HTTP/1.x is always enabled.

Web-ui

environments/environment/admin-service/http/web-ui

Enable the admin Web UI

Path :

/environments/environment/admin-service/http/web-ui

Appearance

environments/environment/admin-service/http/web-ui/appearance

Path :

/environments/environment/admin-service/http/web-ui/appearance

Parameters:
  • badge-color

    string

    (optional)

    A CSS hex (format #aabbcc) color for the UI environment badge. Default colors are used when not set.

Ui-modes

environments/environment/admin-service/http/web-ui/ui-modes

This section contains settings for the different modes in the Web UI

Path :

/environments/environment/admin-service/http/web-ui/ui-modes

Normal-mode

environments/environment/admin-service/http/web-ui/ui-modes/normal-mode

Customizations for the normal mode UI

Path :

/environments/environment/admin-service/http/web-ui/ui-modes/normal-mode

Parameters:
  • authentication-profile

    leafref /profiles/profile/id

    (optional)

    The authentication profile to use in Normal Mode

  • token-profile

    leafref /profiles/profile/id

    (optional)

    The token profile to use in Normal Mode

  • user-management-profile

    leafref /profiles/profile/id

    (optional)

    The user management profile to use in Normal Mode

  • application-profile

    leafref /profiles/profile/id

    (optional)

    The application profile to use in Normal Mode

  • service-role

    leafref /environments/environment/services/service-role/id

    (optional)

    The service role to use in Normal Mode for HTTP runtime settings

  • account-manager

    leafref /processing/account-managers/account-manager/id

    (optional)

    The account manager to use in Normal Mode

  • credential-manager

    leafref /processing/credential-managers/credential-manager/id

    (optional)

    The credential manager to use in Normal Mode

Admin-federated-login

environments/environment/admin-service/http/web-ui/admin-federated-login

Configure the admin UI to enable logging in with a federated account. Use an internal OpenID Connect client or an external OpenID Connect provider

Path :

/environments/environment/admin-service/http/web-ui/admin-federated-login

Parameters:
  • disable-local-accounts

    empty

    (optional)

    Disable local account login

  • logo

    string

    (optional)

    A logo for the client that can be shown in user interface screens.

  • name

    non-empty-string

    (optional)

    Name of the OpenID Connect provider

Choice: internal-or-external

Option: external-openid-provider

External-openid-provider

environments/environment/admin-service/http/web-ui/admin-federated-login/external-openid-provider

Use external OpenID Connect provider

Path :

/environments/environment/admin-service/http/web-ui/admin-federated-login/external-openid-provider

Parameters:
  • client-id

    non-empty-string

    (mandatory)

    The client id to use when obtaining an OAuth 2.0 access token

  • client-secret

    non-empty-string

    (mandatory)

    The client secret to use when obtaining an OAuth 2.0 access token

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (optional)

    A reference to the Http Client

  • authorization-endpoint

    uri

    (mandatory)

    The complete URL of the authorization endpoint of the OpenID Connect Provider

  • token-endpoint

    uri

    (mandatory)

    The complete URL of the token endpoint of the OpenID Connect Provider

  • userinfo-endpoint

    uri

    (optional)

    The complete URL of the userinfo endpoint of the OpenID Connect Provider

  • scopes

    scope

    (multi-value) (optional)

    Additional scopes (beyond ‘openid’) that should be requested

  • claims

    non-empty-string

    (multi-value) (optional)

    Additional claims that should be requested

Option: using-oauth-profile

Using-oauth-profile

environments/environment/admin-service/http/web-ui/admin-federated-login/using-oauth-profile

Enable login using Curity OpenID Connect client

Path :

/environments/environment/admin-service/http/web-ui/admin-federated-login/using-oauth-profile

Parameters:
  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (optional)

    A reference to the Http Client

  • oauth-profile

    leafref /base:profiles/base:profile/base:id

    (mandatory)

    The OAuth Profile to which the client belongs

  • client

    leafref /base:profiles/base:profile[base:id=current()/../as:oauth-profile]/base:settings/as:authorization-server/as:client-store/as:config-backed/as:client/as:id

    (mandatory)

    OpenID Connect client

Restconf

environments/environment/admin-service/http/restconf

Enable the RESTCONF API

Path :

/environments/environment/admin-service/http/restconf

Parameters:
  • basic-authentication

    boolean

    (default: true)

    Allows users to access the RESTCONF API using basic credentials

Oauth

environments/environment/admin-service/http/restconf/oauth

Allow users to access the RESTCONF API using OAuth access tokens

Path :

/environments/environment/admin-service/http/restconf/oauth

Parameters:
  • oauth-profile

    leafref /base:profiles/base:profile/base:id

    (mandatory)

    The OAuth Profile to accept tokens from when accessing the Dashboard

  • client

    leafref /base:profiles/base:profile[base:id=current()/../as:oauth-profile]/base:settings/as:authorization-server/as:client-store/as:config-backed/as:client/as:id

    (multi-value) (optional)

    The clients to use for authenticating users to the RESTCONF API

Devops-dashboard

environments/environment/admin-service/http/devops-dashboard

Enable the DevOps Dashboard UI

Path :

/environments/environment/admin-service/http/devops-dashboard

Parameters:
  • authorization-manager

    leafref /base:processing/base:authorization-managers/base:authorization-manager/base:id

    (optional)

    Authorization Manager that should authorize requests from the DevOps Dashboard client to the GraphQL APIs. If not configured, access to the GraphQL APIs by the dashboard client will be forbidden.

  • client

    leafref /base:profiles/base:profile[base:id=current()/../../base:restconf/as:oauth/as:oauth-profile]/base:settings/as:authorization-server/as:client-store/as:config-backed/as:client/as:id

    (mandatory)

    The client to use for authenticating users to the dashboard

Themes

environments/environment/themes

UI theme configuration

Path :

/environments/environment/themes

Default-theme

environments/environment/themes/default-theme

The default theme, not using any template areas.

Path :

/environments/environment/themes/default-theme

Parameters:
  • theme-css-properties

    base64-encoded-string

    (optional)

    A base64 encoded string of theme CSS variables

  • theme-custom-css

    base64-encoded-string

    (optional)

    A base64 encoded string of custom CSS that will be joined with the CSS properties

Template-variables

environments/environment/themes/default-theme/template-variables{name} (keys ['name'])

A list of template variables that will be available in the template context

Path :

/environments/environment/themes/default-theme/template-variables{name}

Parameters:
  • name

    string

    (mandatory)

    The name of the template variable as it will appear in the template context. The name must start with an underscore.

  • value

    non-empty-string

    (optional)

    The value of the variable

  • static-resource-cache-duration

    uint32

    (default: 2628000)

    The maximum duration (in seconds) that a static resource should be cached by a client Web browser

Zones

environments/environment/services/zones

List of available zones in the system; these are referenced by subsystems when needed

Path :

/environments/environment/services/zones

Default-zone

environments/environment/services/zones/default-zone

The default zone to be used unless another is explicitly necessary

Path :

/environments/environment/services/zones/default-zone

Parameters:
  • email-provider

    leafref /facilities/email-providers/email-provider/id

    (optional)

    The email-provider to use for this zone

  • symmetric-key

    string

    (optional)

    Key used to sign cookies, for example.

  • secondary-symmetric-key

    string

    (optional)

    Secondary key. Used to verify signatures when verification with the main symmetric-key fails. Allows rotating the symmetric-key.

Mobile-app-association

environments/environment/services/zones/default-zone/mobile-app-association

Path :

/environments/environment/services/zones/default-zone/mobile-app-association

Ios-app-configuration

environments/environment/services/zones/default-zone/mobile-app-association/ios-app-configuration{app-id} (keys ['app-id'])

Path :

/environments/environment/services/zones/default-zone/mobile-app-association/ios-app-configuration{app-id}

Parameters:
  • app-id

    string

    (mandatory)

    App ID for iOS applications

Android-app-configuration

environments/environment/services/zones/default-zone/mobile-app-association/android-app-configuration{namespace package-name} (keys ['namespace package-name'])

Path :

/environments/environment/services/zones/default-zone/mobile-app-association/android-app-configuration{namespace package-name}

Parameters:
  • namespace

    string

    (optional)

  • package-name

    string

    (optional)

Sha256-cert-fingerprints

environments/environment/services/zones/default-zone/mobile-app-association/android-app-configuration{namespace package-name}/sha256-cert-fingerprints{fingerprint} (keys ['fingerprint'])

Path :

/environments/environment/services/zones/default-zone/mobile-app-association/android-app-configuration{namespace package-name}/sha256-cert-fingerprints{fingerprint}

Parameters:
  • fingerprint

    string

    (mandatory)

  • allowed-origins-for-cors

    non-empty-string

    (multi-value) (optional)

    The origins (scheme, host, and optional port) that are allowed to make cross origin requests

Zone

environments/environment/services/zones/zone{id} (keys ['id'])

The zone list may be empty. If so, the default zone is the only one used. If the list is non-empty, the default zone is used by nodes not configured to use a particular zone.

Path :

/environments/environment/services/zones/zone{id}

Parameters:
  • id

    string

    (mandatory)

    The only meaning of a zone is a name. It’s up to the admin to decide where and what that zone stands for.

  • email-provider

    leafref /facilities/email-providers/email-provider/id

    (optional)

    The email-provider to use for this zone

  • symmetric-key

    string

    (optional)

    Key used to sign cookies, for example. If not set, the key of the default zone is used.

  • secondary-symmetric-key

    string

    (optional)

    Secondary key. Used to verify signatures when verification with the main symmetric-key fails. Allows rotating the symmetric-key.
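
The symmetric-key / secondary-symmetric-key rotation described for both the default zone and named zones, as an added example (not Curity's own code or cookie format): a cookie is signed under the current key, verification falls back to the secondary key, and a zone without its own key uses the default zone's key. The HMAC-SHA256 construction and the `value.signature` layout are this example's own assumptions.

```python
import base64
import binascii
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Zone:
    """The two key parameters of a zone, named as in the reference above."""
    id: str
    symmetric_key: Optional[bytes] = None
    secondary_symmetric_key: Optional[bytes] = None


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_key(zone: Zone, default_zone: Zone) -> Optional[bytes]:
    """A zone without its own symmetric-key uses the default zone's key."""
    return zone.symmetric_key or default_zone.symmetric_key


def sign_cookie(value: str, zone: Zone, default_zone: Zone) -> str:
    """Produce '<b64 value>.<b64 HMAC-SHA256>' under the zone's current key."""
    key = signing_key(zone, default_zone)
    if key is None:
        raise ValueError("no symmetric-key configured for zone or default zone")
    payload = value.encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_cookie(cookie: str, zone: Zone, default_zone: Zone) -> Optional[str]:
    """Return the cookie value if its signature checks out, otherwise None.

    The main symmetric-key is tried first; only when that fails is the
    secondary-symmetric-key used, as the parameter description states.
    """
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None  # not in the expected shape: reject without guessing
    for key in (signing_key(zone, default_zone), zone.secondary_symmetric_key):
        if key is None:
            continue
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            return payload.decode("utf-8")
    return None


def rotate_symmetric_key(zone: Zone, new_key: bytes) -> None:
    """Rotate: the current key becomes the secondary so cookies it signed still verify.

    Cookies signed two rotations ago stop verifying, which bounds how long an
    old key keeps authority after it has been retired.
    """
    zone.secondary_symmetric_key = zone.symmetric_key
    zone.symmetric_key = new_key


if __name__ == "__main__":
    # Constructed keys for illustration only; real keys come from the configuration.
    default = Zone("default", symmetric_key=b"default-zone-key")
    eu = Zone("eu", symmetric_key=b"eu-key-1")
    cookie = sign_cookie("session=abc", eu, default)
    rotate_symmetric_key(eu, b"eu-key-2")
    print(verify_cookie(cookie, eu, default))  # still valid via secondary key
```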

Mobile-app-association

environments/environment/services/zones/zone{id}/mobile-app-association

Path :

/environments/environment/services/zones/zone{id}/mobile-app-association

Ios-app-configuration

environments/environment/services/zones/zone{id}/mobile-app-association/ios-app-configuration{app-id} (keys ['app-id'])

Path :

/environments/environment/services/zones/zone{id}/mobile-app-association/ios-app-configuration{app-id}

Parameters:
  • app-id

    string

    (mandatory)

    App ID for iOS applications

Android-app-configuration

environments/environment/services/zones/zone{id}/mobile-app-association/android-app-configuration{namespace package-name} (keys ['namespace package-name'])

Path :

/environments/environment/services/zones/zone{id}/mobile-app-association/android-app-configuration{namespace package-name}

Parameters:
  • namespace

    string

    (optional)

  • package-name

    string

    (optional)

Sha256-cert-fingerprints

environments/environment/services/zones/zone{id}/mobile-app-association/android-app-configuration{namespace package-name}/sha256-cert-fingerprints{fingerprint} (keys ['fingerprint'])

Path :

/environments/environment/services/zones/zone{id}/mobile-app-association/android-app-configuration{namespace package-name}/sha256-cert-fingerprints{fingerprint}

Parameters:
  • fingerprint

    string

    (mandatory)

  • allowed-origins-for-cors

    non-empty-string

    (multi-value) (optional)

    The origins (scheme, host, and optional port) that are allowed to make cross origin requests

Service-role

environments/environment/services/service-role{id} (keys ['id'])

Path :

/environments/environment/services/service-role{id}

Parameters:
  • id

    string

    (mandatory)

    A given name of the service role

  • location

    string

    (optional)

    Where the service is located, physically

  • enabled

    boolean

    (default: true)

    Enable or disable the entire daemon instance

  • zone

    leafref ../../zones/zone/id

    (optional)

    The zone that the service is in (which, if not set, will be the default zone)

  • listening-host

    ip-address

    (default: 0.0.0.0)

    The IP address to listen on

  • listening-port

    port-number

    (default: 8443)

    The port the service listens on

  • protocol

    enumeration http, https

    (default: https)

    Which protocol to use; https should almost always be used

  • ssl-server-keystore

    leafref /facilities/crypto/ssl/server-keystore/id

    (optional)

    A pointer to the key used for the SSL server

  • enable-http-v2

    boolean

    (default: false)

    Enable HTTP/2 (H2)

  • jvm-options

    string

    (default: -XX:+UseG1GC -XX:+UseStringDeduplication)

    The options that should be passed to the Java Virtual Machine (JVM) when the service is started

  • disable-android-assetlinks-generation

    empty

    (optional)

    Disable generation of assetlinks (‘…/.well-known/assetlinks.json’) from configured Android App associations

Hsts

environments/environment/services/service-role{id}/hsts

Enable HSTS support for this role

Path :

/environments/environment/services/service-role{id}/hsts

Parameters:
  • max-age

    uint32

    (default: 15465601)

    Maximum number of seconds for which HSTS will be enforced

  • include-subdomains

    boolean

    (default: false)

    Whether or not subdomains should use HSTS as well

  • preload

    boolean

    (default: false)

    Whether or not any pre-loaded certificates should be used by a browser

Content-security-policy

environments/environment/services/service-role{id}/content-security-policy

Path :

/environments/environment/services/service-role{id}/content-security-policy

Reporting-endpoint

environments/environment/services/service-role{id}/content-security-policy/reporting-endpoint

Enables reporting of HTTP Content Security Policy violations: adds the Content-Security-Policy report-to and report-uri directives, as well as the Reporting-Endpoints HTTP header.

Path :

/environments/environment/services/service-role{id}/content-security-policy/reporting-endpoint

Parameters:
  • id

    string

    (default: csp-reporting-endpoint)

    Name of the reporting endpoint

  • url

    uri

    (mandatory)

    URL to report Content Security Policy violations to.

Server-tls

environments/environment/services/service-role{id}/server-tls

Path :

/environments/environment/services/service-role{id}/server-tls

Parameters:
  • enable-tls-v1-0

    boolean

    (default: false)

    Enable TLS 1.0 (should be disabled unless necessary)

  • enable-tls-v1-1

    boolean

    (default: false)

    Enable TLS 1.1 (should be disabled unless necessary)

  • enable-tls-v1-2

    boolean

    (default: true)

    Enable TLS 1.2

  • enable-tls-v1-3

    boolean

    (default: false)

    Enable TLS 1.3

Sni-host-check

environments/environment/services/service-role{id}/server-tls/sni-host-check

Enable SNI host check, such that inbound TLS connections with a Server Name Indicator must match the name of the server’s SSL certificate.

Path :

/environments/environment/services/service-role{id}/server-tls/sni-host-check

Parameters:
  • require-sni

    boolean

    (default: false)

    Require the client to use SNI. Can only be set when sni-host-check is enabled.

Mutual-tls

environments/environment/services/service-role{id}/mutual-tls

Path :

/environments/environment/services/service-role{id}/mutual-tls

Parameters:
  • listening-port

    port-number

    (optional)

    The port to use for mutual TLS. Defaults to the same value as configured for listening-port for this service.

  • client-truststores

    leafref /base:facilities/crypto/ssl/client-truststore/client-certificate/id

    (multi-value) (optional)

    The certificates that have signed any client’s certificate used to authenticate such clients. If no truststores are configured, ALL truststores are added to the mutual-tls trust for this service.

Thread-count

environments/environment/services/service-role{id}/thread-count

Path :

/environments/environment/services/service-role{id}/thread-count

Parameters:
  • minimum

    uint16

    (default: 8)

    The minimum number of threads that should be started when the service’s Java Virtual Machine (JVM) starts

  • maximum

    uint16

    (default: 100)

    The maximum number of threads that can be started by the Java Virtual Machine (JVM) of the service

Ciphers

environments/environment/services/service-role{id}/ciphers

White- and black-listing of ciphers used for incoming secure connections. Enabling this feature will disable any white- and black-lists automatically enforced by the server.

Path :

/environments/environment/services/service-role{id}/ciphers

Parameters:
  • included-ciphers

    non-empty-string

    (multi-value) (optional)

    A white-list of ciphers to use for incoming secure connections

  • excluded-ciphers

    non-empty-string

    (multi-value) (optional)

    A black-list of ciphers not to use for incoming secure connections

Webfinger

environments/environment/services/service-role{id}/webfinger

Enable webfinger support for this service

Path :

/environments/environment/services/service-role{id}/webfinger

Parameters:
  • endpoints

    leafref /profiles/profile/endpoints/endpoint/id

    (multi-value) (optional)

    A list of endpoints deployed on this service instance; no order is implied

Runtime-service

environments/environment/services/runtime-service{id} (keys ['id'])

This list shows the connected and recently connected runtime nodes

Path :

/environments/environment/services/runtime-service{id}

Parameters:
  • id

    string

    (mandatory)

    The unique id of the runtime node

  • name

    string

    (optional)

    The given name of the runtime node

  • role

    string

    (optional)

    The service role the node is using

  • boot-time

    uint32

    (optional)

    The time the node was booted

  • status

    enumeration connected, disconnected

    (default: disconnected)

    The node’s cluster status

  • uptime

    union

    (optional)

    Current uptime for the node

Reporting

environments/environment/reporting

Reporting makes runtime nodes expose Prometheus-compatible metrics

Path :

/environments/environment/reporting

Parameters:
  • enable

    boolean

    (default: true)

    Enable reporting

  • include-profile-id

    boolean

    (default: false)

    Include profile_id label in metrics

Alarms

environments/environment/alarms
Path :

/environments/environment/alarms

Alarm-handler

alarm-handler (keys ['id'])

An alarm handler processes alarms that are raised and cleared by the system.

Path :

/environments/environment/alarms/alarm-handlers/alarm-handler{id}

Parameters:
  • id

    string

    (mandatory)

Choice: alarm-handler-type

Option: webhook-notifier

Webhook-notifier

webhook-notifier

Path :

/environments/environment/alarms/alarm-handlers/alarm-handler{id}/webhook-notifier

Parameters:
  • message-format

    enumeration flat, nested

    (default: nested)

    The JSON format that should be used for the posted message. The ‘flat’ format presents a single-level JSON object and ‘nested’ is a structured JSON format.

Web-service

webhook-notifier/web-service

Path :

/environments/environment/alarms/alarm-handlers/alarm-handler{id}/webhook-notifier/web-service

Parameters:
  • hostname

    host

    (mandatory)

    Sets the hostname or IP address of the web service, e.g. ‘localhost’ or ‘127.0.0.1’

  • port

    port-number

    (default: 80)

    Sets the port of the web service, e.g. 80 or 443.

  • context

    string

    (default: /)

    Sets the main context path of the web service, e.g. ‘/scim’.

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    A reference to the Http Client

Option: email-notifier

Email-notifier

email-notifier

Path :

/environments/environment/alarms/alarm-handlers/alarm-handler{id}/email-notifier

Email-provider

email-notifier/email-provider

Path :

/environments/environment/alarms/alarm-handlers/alarm-handler{id}/email-notifier/email-provider

Parameters:
  • id

    leafref /base:facilities/base:email-providers/base:email-provider/base:id

    (mandatory)

    A reference to the Email-Provider

  • recipients

    string

    (multi-value) (optional)

    A set of email addresses to send alarm notifications to

Option: slack-notifier

Slack-notifier

slack-notifier

Path :

/environments/environment/alarms/alarm-handlers/alarm-handler{id}/slack-notifier

Web-service

slack-notifier/web-service

Path :

/environments/environment/alarms/alarm-handlers/alarm-handler{id}/slack-notifier/web-service

Parameters:
  • hostname

    host

    (mandatory)

    Sets the hostname or IP address of the web service, e.g. ‘localhost’ or ‘127.0.0.1’

  • port

    port-number

    (default: 80)

    Sets the port of the web service, e.g. 80 or 443.

  • context

    string

    (default: /)

    Sets the main context path of the web service, e.g. ‘/scim’.

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    A reference to the Http Client

Option: pagerduty-notifier

Pagerduty-notifier

pagerduty-notifier

Path :

/environments/environment/alarms/alarm-handlers/alarm-handler{id}/pagerduty-notifier

Parameters:
  • integration-key

    string

    (mandatory)

    The Integration Key from PagerDuty to use when calling the Events API

Web-service

pagerduty-notifier/web-service

Path :

/environments/environment/alarms/alarm-handlers/alarm-handler{id}/pagerduty-notifier/web-service

Parameters:
  • hostname

    host

    (mandatory)

    Sets the hostname or IP address of the web service, e.g. ‘localhost’ or ‘127.0.0.1’

  • port

    port-number

    (default: 80)

    Sets the port of the web service, e.g. 80 or 443.

  • context

    string

    (default: /)

    Sets the main context path of the web service, e.g. ‘/scim’.

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    A reference to the Http Client

Profile

profile (keys ['id', 'type'])

This section is augmented by each profile added to the system. A profile is a main function of the system, such as OAuth, OpenID Connect, etc.

Path :

/profiles/profile{id, type}

Parameters:
  • id

    string

    (mandatory)

    A descriptive id of the profile

  • type

    profile-type

    (mandatory)

    The type is used for filtering, so that an endpoint and a profile can be matched and only used together when they are compatible

  • expose-detailed-error-messages

    empty

    (optional)

    Expose detailed error messages in the server responses whenever possible. By default, in case of failures due to external services or internal errors, the server returns a generic error message to avoid accidentally exposing sensitive information.

Apps-service

apps-service

The Applications Server.

Path :

/profiles/profile{id, type}/settings/apps-service

Parameters:
  • oauth-profile-id

    leafref /base:profiles/base:profile/base:id

    (optional)

    The (optional) OAuth profile that is used for this application profile.

Applications

applications

All configured applications

Path :

/profiles/profile{id, type}/settings/apps-service/applications

Application

applications/application{id} (keys ['id'])

Path :

/profiles/profile{id, type}/settings/apps-service/applications/application{id}

Parameters:
  • id

    string

    (mandatory)

Choice: application-type

Token-handler

applications/application{id}/token-handler

The settings for a Token Handler application

Path :

/profiles/profile{id, type}/settings/apps-service/applications/application{id}/token-handler

Parameters:
  • single-page-application-base-url

    uri

    (mandatory)

    The domain that the Single Page Application (SPA) is served from, given as the base URL of the SPA. This is needed to allow CORS requests from the SPA to the Token Handler service.

  • backend-for-frontend-parent-domain

    string

    (optional)

    The parent domain of the backend-for-frontend (BFF) service. It will be set as the domain for the proxy cookie. This setting is only needed when OAuth Agent and BFF run on different subdomains. For example if the agent runs on ‘agent.example.com’, and the BFF runs on ‘bff.example.com’, then this setting must be ‘example.com’. This is required to share the proxy cookie between the agent and the BFF service.

  • cookie-prefix

    string

    (default: th-)

    The prefix to use with cookies that are managed by Token Handler. Defaults to ‘th-’.

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (optional)

    The HTTP client that is used (e.g. to call the token endpoint). This client needs to be configured with a trust store, if specific TLS trust is needed to access the Authorization Server. If not defined, the default HTTP client is used.

  • session-cookie-path

    string

    (optional)

    The path to be set on the session cookie. If not set, the path to this token handler application will be used (/<app-anonymous-endpoint-path>/<application-id>). This needs to be set only when a proxy rewrites the path to this application.

  • require-custom-header

    boolean

    (default: false)

    Require the ‘token-handler-version’ HTTP header on all token handler application endpoints to force CORS pre-flight requests. This strengthens the security of this token handler application.

  • proxy-type

    enumeration apigee, aws, azure, kong, openresty, nginx

    (mandatory)

    The proxy to be used with this token handler application.

Choice: oauth-client

Internal-client

applications/application{id}/token-handler/internal-client

Path :

/profiles/profile{id, type}/settings/apps-service/applications/application{id}/token-handler/internal-client

Parameters:
  • client-id

    leafref /base:profiles/base:profile[base:id=current()/../../../../../apps:oauth-profile-id]/base:settings/as:authorization-server/as:client-store/as:config-backed/as:client/as:id

    (mandatory)

    The internal client-id to use to make the authorization request.

External-client

applications/application{id}/token-handler/external-client

Path :

/profiles/profile{id, type}/settings/apps-service/applications/application{id}/token-handler/external-client

Parameters:
  • client-id

    non-empty-string

    (mandatory)

    Client ID that is used to make the authorization request.

  • client-secret

    non-empty-string

    (mandatory)

    The client secret that is used to make the authorization request.

  • authorization-endpoint

    uri

    (mandatory)

    The URL of the authorization endpoint.

  • token-endpoint

    uri

    (mandatory)

    The URL of the token endpoint.

  • use-pkce

    boolean

    (default: true)

    Use PKCE when making an authorization request. Enabled by default.

  • token-issuer

    uri

    (optional)

    The issuer of the authorization server that issues the tokens. This will be used for ID token validation to check the iss claim, and for authorization response validation - to check the iss parameter. If this is not set then no such validation will be done.

  • redirect-uri

    uri

    (mandatory)

    The redirect URL to be used in authorization requests.

  • scope

    string

    (multi-value) (optional)

    The scopes to ask for in an authorization request.

Logout
applications/application{id}/token-handler/external-client/logout

Enables RP-initiated logout from the authorization server.

Path :

/profiles/profile{id, type}/settings/apps-service/applications/application{id}/token-handler/external-client/logout

Parameters:
  • logout-endpoint

    uri

    (mandatory)

    The URL of the logout endpoint.

  • post-logout-redirect-uri

    uri

    (optional)

    The post-logout redirect URL. The user-agent will be redirected here after a successful logout.

Proxy-keystore
applications/application{id}/token-handler/proxy-keystore

The elliptic-curve public key used to encrypt the proxy cookie.

Path :

/profiles/profile{id, type}/settings/apps-service/applications/application{id}/token-handler/proxy-keystore

Parameters:
  • id

    leafref /base:facilities/base:crypto/base:encryption-keys/base:encryption-key/base:id

    (mandatory)

    The elliptic-curve public key used to encrypt the proxy cookie.

Authorization-parameters-whitelist
applications/application{id}/token-handler/authorization-parameters-whitelist
Path :

/profiles/profile{id, type}/settings/apps-service/applications/application{id}/token-handler/authorization-parameters-whitelist

Parameters:
  • allowed-parameter

    non-empty-string

    (multi-value) (optional)

    The authorization parameter names that are allowed to be sent by an SPA in ‘login/start’ requests. The ‘scope’ parameter is always allowed and does not have to be whitelisted here.

Authentication-service

settings/authentication-service

The Authentication Service is a Profile that enables Authentication on the server. It can be configured with any number of authenticators of any type.

Path :

/profiles/profile{id, type}/settings/authentication-service

Parameters:
  • tenant-id

    non-empty-string

    (optional)

    ID of the tenant associated with this profile. Token Services and User Management Services linked to this Authentication profile inherit this tenant ID. When this value is set, most facilities and data, like accounts and credentials, will be isolated for each tenant.

  • sso-expiration-time

    uint32

    (default: 3600)

    The number of seconds the SSO session will be valid

  • sso-inactivity-timeout

    uint32

    (optional)

    The number of seconds the SSO session will be valid while not used

  • sso-cookie-is-session-cookie

    boolean

    (default: false)

    Whether the SSO cookie should persist only for the browser session, i.e. expire when the browser is closed. Note that when set to true, the SSO cookie will expire when the browser session does, regardless of the value set in sso-expiration-time or sso-inactivity-timeout. The cookie will, however, never be valid for longer than the duration set by sso-expiration-time and sso-inactivity-timeout, or the longest sso-expiration-time and sso-inactivity-timeout set on any specific authenticator.

  • persisted-sso-session

    boolean

    (default: false)

    By default the SSO cookie is not persisted in a database. By setting this to true the session is persisted in the session store, and only a reference to it is used as the cookie value. This is needed if the SSO cookie contains large amounts of user data.

  • encode-persisted-sso-session-data

    boolean

    (default: false)

    When the SSO session is persisted to the database, this setting enables encoding of the session data. Useful to mitigate charset encoding problems with the database.

  • username-cookie-name

    string

    (default: username)

    The name of the cookie that stores the user’s preferences, like username and locale settings

  • logout-redirect-url

    uri

    (optional)

    If set, the user will be redirected to this URL after logout

  • enable-preflight

    boolean

    (default: true)

    By default the preflight endpoint will be enabled on the anonymous endpoint. This option allows the endpoint to be disabled.

  • protocol-id

    leafref ../protocols/protocol/id

    (optional)

    The id of the protocol plugin

  • sms-provider

    leafref /base:facilities/base:sms-providers/base:sms-provider/base:id

    (optional)

    The sms-provider to be used for this zone

  • api-driven-ui

    empty

    (optional)

    Enables the API-driven UI to be used on this authentication profile and linked oauth profiles.

  • cross-site-block-enabled

    boolean

    (optional)

    Enables the blocking mechanism for unsafe (e.g. POST) cross-site requests. Blocks cross-site requests (those originating from a different or third-party domain) with an unsafe method from being accepted, except for endpoints that explicitly allow them. Disabling this feature can help with interoperability but poses security risks, so it should only be disabled if strictly required.

Base-url

settings/authentication-service/base-url

This setting lets this profile operate under specific URLs. It makes it possible to have many URLs running on the same Curity instance. Each authentication service will redirect using these settings if present. If this is not set, the profile will use the base-url setting from the environment section. SSO can only occur within a profile, since the SSO cookie is bound to this URL.

Path :

/profiles/profile{id, type}/settings/authentication-service/base-url

Parameters:
  • default-base-url

    uri

    (mandatory)

    This URL is used as default. If the incoming request does not contain an X-Forwarded-Host header with a white-listed URL in the additional-base-url section, this one will be used.

  • additional-base-url

    uri

    (multi-value) (optional)

    This is a multi-value element where additional URLs can be configured. If the X-Forwarded-Host or Host header contains any of these, it will be selected and used when redirecting internally.

Redirect-url-whitelist

settings/authentication-service/redirect-url-whitelist

This list is the profile-wide redirect whitelist; any redirect will be validated against this list of hosts. By default, the endpoints the profile interacts with, such as the token service’s authorize, assisted-token and device flow endpoints, are added to the list. Any external endpoints that the authentication service redirects to need to be added here.

Path :

/profiles/profile{id, type}/settings/authentication-service/redirect-url-whitelist

Parameters:
  • url

    uri

    (multi-value) (optional)

Account-domain

settings/authentication-service/account-domains/account-domain{id} (keys ['id'])

The domain (i.e., grouping, organizational unit, realm) of accounts

Path :

/profiles/profile{id, type}/settings/authentication-service/account-domains/account-domain{id}

Parameters:
  • id

    string

    (mandatory)

    The given ID of an account domain

  • description

    string

    (optional)

    A description of the domain

Authentication-actions

settings/authentication-service/authentication-actions

Authentication Actions allow you to orchestrate what happens after the credentials are verified but before the session is committed.

Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions

Authentication-action

settings/authentication-service/authentication-actions/authentication-action{id} (keys ['id'])

An Authentication Action that can be assigned to authenticators

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}

Parameters:
  • id

    string

    (mandatory)

    The given ID of the Authentication Action

  • reference

    string

    (optional)

    Element linked to this authentication action

  • template-area

    non-empty-string

    (optional)

    Optional override for template area

  • cross-site-block-enabled

    boolean

    (optional)

    Enables the blocking mechanism for unsafe (e.g. POST) cross-site requests. Blocks cross-site requests (those originating from a different or third-party domain) with an unsafe method from being accepted, except for endpoints that explicitly allow them. Disabling this feature can help with interoperability but poses security risks, so it should only be disabled if strictly required.

Choice: action-type
Option: opt-in-mfa
Opt-in-mfa
settings/authentication-service/authentication-actions/authentication-action{id}/opt-in-mfa
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/opt-in-mfa

Parameters:
  • disable-recovery-codes

    boolean

    (default: false)

    Disable use of recovery codes

  • allow-authentication-with-recovery-code

    boolean

    (default: false)

    Allow using recovery codes to complete authentication

  • allow-authentication-with-sso-for-second-factor

    boolean

    (default: false)

    Allow using SSO to complete second-factor authentication

  • opt-out-ttl-in-days

    uint32

    (default: 0)

    TTL of the second factor opt-out, in days. If zero (the default), then second factor opt-out is not allowed

Account-manager
settings/authentication-service/authentication-actions/authentication-action{id}/opt-in-mfa/account-manager
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/opt-in-mfa/account-manager

Parameters:
  • id

    leafref /base:processing/base:account-managers/base:account-manager/base:id

    (mandatory)

    A reference to an Account Manager

Mfa-state-bucket
settings/authentication-service/authentication-actions/authentication-action{id}/opt-in-mfa/mfa-state-bucket

Bucket to store MFA state in. Required for LDAP account managers.

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/opt-in-mfa/mfa-state-bucket

Parameters:
  • data-source

    leafref /base:facilities/base:data-sources/base:data-source/base:id

    (mandatory)

    A reference to a data source

Allowed-second-factor
settings/authentication-service/authentication-actions/authentication-action{id}/opt-in-mfa/allowed-second-factor{authenticator-id} (keys ['authenticator-id'])

List with the allowed second factors

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/opt-in-mfa/allowed-second-factor{authenticator-id}

Parameters:
  • authenticator-id

    leafref ../../../../../auth:authenticators/auth:authenticator/auth:id

    (mandatory)

    The second factor authenticator ID

  • description

    non-empty-string

    (optional)

    The authentication method description that appears in the user interface. If not defined, the authenticator description will be used

Option: multi-factor-condition
Multi-factor-condition
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition

Parameters:
  • disable-second-factor-subject-check

    boolean

    (default: false)

    Disables the second factor subject check, allowing the second factor subject to be different from the authenticated subject (i.e. the first factor). Should only be enabled when different subjects are allowed and there is a check somewhere else verifying that the second factor subject value is adequate for the first subject value.

Choice: condition
The condition for which to use a second factor
Attribute-enable-condition
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/attribute-enable-condition
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/attribute-enable-condition

Parameters:
  • attribute-name

    string

    (default: requireSecondFactor)

    The name of the attribute that will contain the boolean to trigger the second factor. If the attribute is not found, it is treated the same as false.

  • attribute-source

    attribute-location subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    The location from where the attribute is retrieved.

Second-factor
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/attribute-enable-condition/second-factor

The authenticator to trigger as the second factor when the condition is met.

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/attribute-enable-condition/second-factor

Parameters:
  • id

    leafref ../../../../../../auth:authenticators/auth:authenticator/auth:id

    (optional)

Attribute-acr-condition
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/attribute-acr-condition
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/attribute-acr-condition

Parameters:
  • attribute-name

    string

    (default: secondFactorAcr)

    The name of the attribute to look for that contains the ACR to use as second factor

  • attribute-source

    attribute-location subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    The location from where the attribute is retrieved.

Subject-condition
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/subject-condition
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/subject-condition
Subject-pattern-condition
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/subject-condition/subject-pattern-condition{subject-pattern} (keys ['subject-pattern'])
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/subject-condition/subject-pattern-condition{subject-pattern}

Parameters:
  • subject-pattern

    string

    (mandatory)

    The regex to match the subject attribute against.

Second-factor
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/subject-condition/subject-pattern-condition{subject-pattern}/second-factor

The authenticator to use as second factor when the subject pattern matches

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/subject-condition/subject-pattern-condition{subject-pattern}/second-factor

Parameters:
  • id

    leafref ../../../../../../../auth:authenticators/auth:authenticator/auth:id

    (optional)

Always
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/always
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/always
Second-factor
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/always/second-factor

The authenticator to trigger as the second factor when the condition is met.

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/always/second-factor

Parameters:
  • id

    leafref ../../../../../../auth:authenticators/auth:authenticator/auth:id

    (optional)

Client-property-condition
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/client-property-condition
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/client-property-condition
Condition
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/client-property-condition/condition{condition-script} (keys ['condition-script'])
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/client-property-condition/condition{condition-script}

Parameters:
  • condition-script

    script

    (mandatory)

    The expression to run against the client attributes. This expression will be evaluated against the properties of the OAuth client that issued the request that started the authentication flow. Example expressions:

    client.id == ‘my-good-client’

    client.properties.mfa-client == ‘true’

Second-factor
settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/client-property-condition/condition{condition-script}/second-factor

The authenticator to use as second factor when the expression returns true

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/multi-factor-condition/client-property-condition/condition{condition-script}/second-factor

Parameters:
  • id

    leafref ../../../../../../../auth:authenticators/auth:authenticator/auth:id

    (optional)

Option: zone-transfer
Zone-transfer
settings/authentication-service/authentication-actions/authentication-action{id}/zone-transfer
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/zone-transfer

Parameters:
  • attribute

    non-empty-string

    (default: zone)

    Name of the attribute from which to extract the id of the intended zone.

  • attribute-source

    attribute-location subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    Location to search for the zone attribute.

  • cookie

    non-empty-string

    (default: zone)

    Name of the cookie that contains the zone id after a successful execution.

  • zones

    leafref /base:environments/base:environment/base:services/base:zones/base:zone/base:id

    (multi-value) (optional)

    The zones to be considered.

Option: signup
Signup
settings/authentication-service/authentication-actions/authentication-action{id}/signup
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/signup
Choice: registration-factor
Password
settings/authentication-service/authentication-actions/authentication-action{id}/signup/password
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/signup/password

Parameters:
  • credential-manager

    leafref /base:processing/base:credential-managers/base:credential-manager/base:id

    (mandatory)

    The Credential Manager used to verify the credentials

Authenticator
settings/authentication-service/authentication-actions/authentication-action{id}/signup/authenticator
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/signup/authenticator
Signup-authenticator
settings/authentication-service/authentication-actions/authentication-action{id}/signup/authenticator/signup-authenticator
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/signup/authenticator/signup-authenticator

Parameters:
  • id

    leafref ../../../../../../auth:authenticators/auth:authenticator/auth:id

    (mandatory)

    A reference to an authenticator

Bucket
settings/authentication-service/authentication-actions/authentication-action{id}/signup/authenticator/bucket

Reference to the Bucket data source used to store any additional info needed by the authenticator when creating a new account

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/signup/authenticator/bucket

Parameters:
  • data-source

    leafref /base:facilities/base:data-sources/base:data-source/base:id

    (mandatory)

    A reference to a data source

Signup-fields
settings/authentication-service/authentication-actions/authentication-action{id}/signup/signup-fields
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/signup/signup-fields
Phone
settings/authentication-service/authentication-actions/authentication-action{id}/signup/signup-fields/phone
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/signup/signup-fields/phone

Parameters:
  • required

    boolean

    (default: false)

First-name
settings/authentication-service/authentication-actions/authentication-action{id}/signup/signup-fields/first-name
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/signup/signup-fields/first-name

Parameters:
  • required

    boolean

    (default: false)

Last-name
settings/authentication-service/authentication-actions/authentication-action{id}/signup/signup-fields/last-name
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/signup/signup-fields/last-name

Parameters:
  • required

    boolean

    (default: false)

Custom-signup-fields
settings/authentication-service/authentication-actions/authentication-action{id}/signup/signup-fields/custom-signup-fields{name} (keys ['name'])

A custom account attribute

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/signup/signup-fields/custom-signup-fields{name}

Parameters:
  • name

    string

    (mandatory)

    Attribute name

  • required

    boolean

    (default: false)

    User must provide value when creating new account

Account-manager
settings/authentication-service/authentication-actions/authentication-action{id}/signup/account-manager
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/signup/account-manager

Parameters:
  • id

    leafref /base:processing/base:account-managers/base:account-manager/base:id

    (mandatory)

    A reference to an Account Manager

Option: sequence
Sequence
settings/authentication-service/authentication-actions/authentication-action{id}/sequence
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/sequence

Parameters:
  • action

    leafref ../../../auth:authentication-action/auth:id

    (multi-value) (optional)

Option: bundle
Bundle
settings/authentication-service/authentication-actions/authentication-action{id}/bundle
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/bundle

Parameters:
  • description

    string

    (optional)

  • config-spec

    string

    (optional)

  • login-action

    leafref ../../../auth:authentication-action/auth:id

    (multi-value) (optional)

  • sso-action

    leafref ../../../auth:authentication-action/auth:id

    (multi-value) (optional)

Option: switch
Switch
settings/authentication-service/authentication-actions/authentication-action{id}/switch
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/switch

Parameters:
  • fail-if-no-match

    boolean

    (default: true)

    If true (the default), the action will deny the authentication if no condition is matched. Otherwise it will succeed.

Case
settings/authentication-service/authentication-actions/authentication-action{id}/switch/case{name} (keys ['name'])
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/switch/case{name}

Parameters:
  • name

    string

    (mandatory)

    A mandatory unique name for this switch case

  • condition-script

    script

    (mandatory)

    The JavaScript boolean expression conditioning the execution of this case’s authenticator.

  • action

    leafref ../../../../auth:authentication-action/auth:id

    (mandatory)

    The authentication action to run if the condition is true.

Option: request-acknowledgement
Request-acknowledgement
settings/authentication-service/authentication-actions/authentication-action{id}/request-acknowledgement
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/request-acknowledgement

Parameters:
  • accept-button-label

    string

    (optional)

    The label displayed on the button to accept the acknowledgement. This message can be configured and localized using message keys.

  • cancel-button-label

    string

    (optional)

    The label displayed on the button to cancel or decline the acknowledgement. This message can be configured and localized using message keys.

  • cancellable

    boolean

    (default: true)

    When true the user can cancel or decline the acknowledgement request. When false the user can only accept it.

  • message

    string

    (mandatory)

    The acknowledgement request message displayed to the user so that they can accept or decline it. This message can be configured and localized using message keys.

Choice: mode
Option: always
Always
settings/authentication-service/authentication-actions/authentication-action{id}/request-acknowledgement/always

The acknowledgement is always requested

Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/request-acknowledgement/always
Option: attribute-condition
Attribute-condition
settings/authentication-service/authentication-actions/authentication-action{id}/request-acknowledgement/attribute-condition

The acknowledgement is requested only if an attribute is present in one of the attribute locations. If the attribute is present, the user has already responded to the acknowledgement and it is no longer requested. Otherwise the user response is requested.

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/request-acknowledgement/attribute-condition

Parameters:
  • location

    enumeration subject-attributes, context-attributes, action-attributes

    (mandatory)

    Location to search or store the attribute.

  • name

    string

    (mandatory)

    The name under which to search or store the attribute.

User-response-attribute
settings/authentication-service/authentication-actions/authentication-action{id}/request-acknowledgement/user-response-attribute

The attribute’s name storing the user response as a boolean value

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/request-acknowledgement/user-response-attribute

Parameters:
  • location

    enumeration subject-attributes, context-attributes, action-attributes

    (mandatory)

    Location to search or store the attribute.

  • name

    string

    (mandatory)

    The name under which to search or store the attribute.

Option: changed-country
Changed-country
settings/authentication-service/authentication-actions/authentication-action{id}/changed-country
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/changed-country

Parameters:
  • changed-country-action-attribute-location

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    The location where the attribute with the action result will be added. The default location is the subject attributes.

  • changed-country-action-attribute-name

    string

    (default: requireSecondFactor)

    The name of the attribute that may be used by a following action.

Bucket
settings/authentication-service/authentication-actions/authentication-action{id}/changed-country/bucket
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/changed-country/bucket

Parameters:
  • data-source

    leafref /base:facilities/base:data-sources/base:data-source/base:id

    (mandatory)

    A reference to a data source

Option: update-account
Update-account
settings/authentication-service/authentication-actions/authentication-action{id}/update-account
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/update-account
Account-manager
settings/authentication-service/authentication-actions/authentication-action{id}/update-account/account-manager
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/update-account/account-manager

Parameters:
  • id

    leafref /base:processing/base:account-managers/base:account-manager/base:id

    (mandatory)

    A reference to an Account Manager

Operation
settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name} (keys ['name'])

The list of operations to be performed on the account.

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}

Parameters:
  • name

    string

    (mandatory)

    The operation name.

Choice: operation
Option: add-attribute
Add-attribute
settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/add-attribute

Adds an attribute.

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/add-attribute

Parameters:
  • source-attribute-is-required

    boolean

    (default: false)

    If enabled, the action will return failure if the source attribute is not found. The default behavior is to ignore the operation.

  • source-attribute-location

    enumeration subject-attributes, context-attributes, action-attributes

    (default: action-attributes)

    The location in which the source attribute is searched for.

  • source-attribute-path

    string

    (mandatory)

    The path to the source attribute, i.e., the attribute containing the value used for the addition.

  • target-attribute-path

    string

    (mandatory)

    The path to the account attribute to be added.

Convert-to-multi-valued
settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/add-attribute/convert-to-multi-valued

Convert the value into a multi-valued attribute value

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/add-attribute/convert-to-multi-valued

Parameters:
  • primary

    boolean

    (default: false)

    Whether this is the primary value.

Option: delete-attribute
Delete-attribute
settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/delete-attribute

Deletes an attribute.

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/delete-attribute

Parameters:
  • target-attribute-path

    string

    (mandatory)

    The path to the account attribute to be deleted.

Option: replace-attribute
Replace-attribute
settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/replace-attribute

Replaces an attribute.

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/replace-attribute

Parameters:
  • source-attribute-is-required

    boolean

    (default: false)

    If enabled, the action will return failure if the source attribute is not found. The default behavior is to ignore the operation.

  • source-attribute-location

    enumeration subject-attributes, context-attributes, action-attributes

    (default: action-attributes)

    The location in which the source attribute is searched for.

  • source-attribute-path

    string

    (mandatory)

    The path to the source attribute, i.e., the attribute containing the value used on replace.

  • target-attribute-path

    string

    (mandatory)

    The path to the account attribute to be replaced.

Convert-to-multi-valued
settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/replace-attribute/convert-to-multi-valued

Convert the value into a multi-valued attribute value

Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/update-account/operation{name}/replace-attribute/convert-to-multi-valued
Parameters:primary

boolean

(default: false)

Is the primary value?

Option: send-email
Send-email
settings/authentication-service/authentication-actions/authentication-action{id}/send-email
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/send-email

Parameters:
  • recipient-attribute-name

    string

    (mandatory)

    The name of the attribute containing the email recipient.

  • recipient-attribute-source

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    Location to search for the attribute containing the email recipient.

Email-provider
settings/authentication-service/authentication-actions/authentication-action{id}/send-email/email-provider
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/send-email/email-provider
Parameters:id

leafref /base:facilities/base:email-providers/base:email-provider/base:id

(mandatory)

A reference to the Email-Provider

Choice: mode
Option: content
Content
settings/authentication-service/authentication-actions/authentication-action{id}/send-email/content

Configuration of the email content.

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/send-email/content

Parameters:
  • body

    string

    (mandatory)

    The email body.

  • subject

    string

    (mandatory)

    The email subject.

  • title

    string

    (mandatory)

    The email title.

Option: template
param template:

string

(optional)

Name of the template to use for the email content.

Option: auto-create-account
Auto-create-account
settings/authentication-service/authentication-actions/authentication-action{id}/auto-create-account
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/auto-create-account

Parameters:
  • add-extra-attributes

    boolean

    (default: false)

    Add all other attributes from the configured location to the account (subject attributes are used by default)

  • auto-create-link

    boolean

    (default: false)

    When this is set to ‘true’ and the authenticator belongs to a domain, a link will be created on the authenticator’s domain with the ‘subject’ as the foreignAccount, using the same account manager that was used to create the account.

  • email-attribute

    string

    (optional)

    The attribute containing the email for the new account. If not configured, a unique email will be generated for the account. If configured but no attribute is found, a server error will occur.

  • email-attribute-source

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    Source location for the attribute containing the email.

  • extra-attributes-source

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    Source location for the additional attributes to add to the account.

  • fail-on-conflicts

    boolean

    (default: false)

    When this is set to ‘true’, the action will fail authentication if the account cannot be created, for example if the email is used by some other account.

  • phone-number-attribute

    string

    (optional)

    The attribute containing the phone number for the new account. If configured but no attribute is found, a server error will occur.

  • phone-number-attribute-source

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    Source location for the attribute containing the phone number.

  • username-attribute

    string

    (default: subject)

    The attribute containing the username for the new account. If this attribute is not found, a server error will occur.

  • username-attribute-source

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    Source location for the attribute containing the username.

Account-manager
settings/authentication-service/authentication-actions/authentication-action{id}/auto-create-account/account-manager
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/auto-create-account/account-manager
Parameters:id

leafref /base:processing/base:account-managers/base:account-manager/base:id

(mandatory)

A reference to an Account Manager

Option: copy-attribute
Copy-attribute
settings/authentication-service/authentication-actions/authentication-action{id}/copy-attribute
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/copy-attribute
Operation
settings/authentication-service/authentication-actions/authentication-action{id}/copy-attribute/operation{name} (keys ['name'])

List of attributes to copy or move from one location to another

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/copy-attribute/operation{name}

Parameters:
  • name

    string

    (mandatory)

    Unique identifier of the operation

  • move

    boolean

    (default: false)

    When true, the attribute is moved, instead of being copied, from the source location to the target one

  • source-is-attribute-name

    boolean

    (default: false)

    The source path is literal, and does not represent a path. Enable this if your attribute names contain a period, which would indicate that it is addressing a nested object.

  • source-location

    enumeration subject-attributes, context-attributes, action-attributes

    (mandatory)

    The source location of the attribute to copy: Subject attributes, Context attributes or Action attributes

  • source-path

    string

    (mandatory)

    The path to the source attribute to copy

  • target-is-attribute-name

    boolean

    (default: false)

    The target path is literal, and does not represent a path. Enable this if the attribute you are creating contains a period, which would indicate that it is addressing a nested object.

  • target-location

    enumeration subject-attributes, context-attributes, action-attributes

    (mandatory)

    The target location to copy the attribute to: Subject attributes, Context attributes or Action attributes

  • target-path

    string

    (mandatory)

    The path to the destination to copy the attribute to

Option: new-country
New-country
settings/authentication-service/authentication-actions/authentication-action{id}/new-country
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/new-country

Parameters:
  • new-country-action-attribute-location

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    The location where the attribute with the action result will be added. The default location is the subject attributes.

  • new-country-action-attribute-name

    string

    (default: requireSecondFactor)

    The name of the attribute that may be used by a following action.

Bucket
settings/authentication-service/authentication-actions/authentication-action{id}/new-country/bucket
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/new-country/bucket
Parameters:data-source

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

A reference to a data source

Option: lookup-linked-accounts-transformer
Lookup-linked-accounts-transformer
settings/authentication-service/authentication-actions/authentication-action{id}/lookup-linked-accounts-transformer
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/lookup-linked-accounts-transformer

Parameters:
  • attribute-name

    string

    (default: linked_accounts)

    The attribute name to store the list of linked accounts in

  • attribute-target

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    The target location for the attribute with the list of linked accounts.

Linking-account-manager
settings/authentication-service/authentication-actions/authentication-action{id}/lookup-linked-accounts-transformer/linking-account-manager
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/lookup-linked-accounts-transformer/linking-account-manager
Parameters:id

leafref /base:processing/base:account-managers/base:account-manager/base:id

(mandatory)

A reference to an Account Manager

Option: selector
Selector
settings/authentication-service/authentication-actions/authentication-action{id}/selector
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/selector

Parameters:
  • attribute-name

    string

    (mandatory)

    Name of the output attribute.

  • attribute-target

    enumeration subject-attributes, context-attributes, action-attributes

    (default: action-attributes)

    Location to add the output attribute.

  • title

    string

    (optional)

    The title to be displayed for the selection. Can be a message key.

Option
settings/authentication-service/authentication-actions/authentication-action{id}/selector/option{title} (keys ['title'])

Options to be presented to the user.

Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/selector/option{title}
Parameters:title

string

(mandatory)

The text to be displayed for this option. Can be a message key.

Choice: attribute-value
Option: boolean-attribute-value
param boolean-attribute-value:

boolean

(optional)

Option: integer-attribute-value
param integer-attribute-value:

int64

(optional)

Option: string-attribute-value
param string-attribute-value:

string

(optional)

Option: attribute-prompt
Attribute-prompt
settings/authentication-service/authentication-actions/authentication-action{id}/attribute-prompt
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/attribute-prompt
Required-attribute
settings/authentication-service/authentication-actions/authentication-action{id}/attribute-prompt/required-attribute{name} (keys ['name'])
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/attribute-prompt/required-attribute{name}

Parameters:
  • name

    string

    (mandatory)

  • attribute-source

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

  • regular-expression

    string

    (optional)

    A regular expression to validate the value of this field.

  • required

    boolean

    (default: false)

  • type

    enumeration text, email, url, password, checkbox, number, tel, color

    (default: text)

Option: data-source-transformer
Data-source-transformer
settings/authentication-service/authentication-actions/authentication-action{id}/data-source-transformer
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/data-source-transformer
Parameters:attributes-location

enumeration subject-attributes, context-attributes, action-attributes

(default: subject-attributes)

The source and destination of the transformed attributes.

Attribute-data-source
settings/authentication-service/authentication-actions/authentication-action{id}/data-source-transformer/attribute-data-source
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/data-source-transformer/attribute-data-source

Parameters:
  • data-source

    leafref /base:facilities/base:data-sources/base:data-source/base:id

    (mandatory)

    A reference to a data source

  • additional-attributes-to-include

    string

    (multi-value) (optional)

    This is a whitelist of attributes that, if returned by the data source, will be added to the transformation response.

Attributes
settings/authentication-service/authentication-actions/authentication-action{id}/data-source-transformer/attributes{attribute-name} (keys ['attribute-name'])

The list of attributes to perform the transformation on

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/data-source-transformer/attributes{attribute-name}

Parameters:
  • attribute-name

    string

    (mandatory)

    The name of the attribute that the transformation will be applied on. This attribute will be created if it is not returned by the data source, as long as a value can be found.

  • transformed-attribute-name

    string

    (optional)

    The name of the resulting attribute after the transformation is applied. If not set, the name will be the same as the original attribute.

  • use-value-of-attribute-named

    string

    (mandatory)

    The name of the attribute (e.g. column) that contains the replacement value for the attribute.

  • excluded-attributes

    string

    (multi-value) (optional)

    This is an optional list of attributes that should be removed from the original set of attributes. If the name of an attribute matches what the authentication returned, that attribute will be removed. The excluded attributes need to have a fully qualified path. Example: emails.email.value, or, to remove all emails: emails

Option: deny
Deny
settings/authentication-service/authentication-actions/authentication-action{id}/deny
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/deny
Parameters:error

string

(optional)

The error string used when the action denies the authentication.

Choice: mode
Option: always
Always
settings/authentication-service/authentication-actions/authentication-action{id}/deny/always

Always deny authentication.

Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/deny/always
Option: attribute-condition
Attribute-condition
settings/authentication-service/authentication-actions/authentication-action{id}/deny/attribute-condition

Deny authentication depending on the presence of an attribute.

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/deny/attribute-condition

Parameters:
  • expected-value

    boolean

    (default: true)

    The expected value of the attribute that determines whether authentication is denied.

  • name

    string

    (mandatory)

    The name of the attribute that determines whether authentication is denied. If the attribute is present and its value matches the expected boolean value, the authentication is denied; otherwise, it proceeds.

  • source

    enumeration subject-attributes, context-attributes, action-attributes

    (mandatory)

    Location to search for the attribute that determines whether authentication is denied.

Option: impossible-journey
Impossible-journey
settings/authentication-service/authentication-actions/authentication-action{id}/impossible-journey
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/impossible-journey

Parameters:
  • impossible-journey-action-attribute-location

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    The location where the attribute with the action result will be added. The default location is the subject attributes.

  • impossible-journey-action-attribute-name

    string

    (default: requireSecondFactor)

    The name of the attribute that may be used by a following action.

  • speed-in-kmh-for-impossible-journey-calculations

    int32

    (default: 250)

    The speed (km/h) used to decide whether a journey is impossible. Default is 250 km/h.

Bucket
settings/authentication-service/authentication-actions/authentication-action{id}/impossible-journey/bucket
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/impossible-journey/bucket
Parameters:data-source

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

A reference to a data source

Linking-account-domain
settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/linking-account-domain
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/linking-account-domain
Parameters:id

leafref ../../../../../auth:account-domains/auth:account-domain/auth:id

(mandatory)

A reference to an Account Domain

Linking-account-manager
settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/linking-account-manager
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/linking-account-manager
Parameters:id

leafref /base:processing/base:account-managers/base:account-manager/base:id

(mandatory)

A reference to an Account Manager

Advanced
settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/advanced

This option allows you to store the links using some arbitrary attribute from the Authenticated Session, instead of the account id. Use with caution!

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/advanced

Parameters:
  • account-id-in-attribute

    union

    (mandatory)

    The name of the attribute containing the account ID. This is used as the local account in the link. If use-linked-account-as-main-account is enabled, this attribute is picked from the Authenticated Session; otherwise it is taken from the incoming attributes from the authenticator this action runs on. No check is made to verify that the account corresponding to the given ID exists. It is strongly recommended NOT to use an attribute that might change, such as subject (username) or email, as there is no guarantee that the value of such an attribute is globally unique and immutable. It is strongly suggested to use an auto-create-account action before this one instead, to avoid any future issues.

  • account-id-in-attribute-source

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    The source location for the attribute containing the account ID. Defaults to subject-attributes.

User-confirmation
settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/user-confirmation

Require the user to confirm the links. By default the link establishment is automatic. Use this setting to enable and configure user confirmation.

Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/user-confirmation
Parameters:linking-account-domain-name

string

(optional)

Override the domain name shown on the confirmation user interface

Attribute-for-foreign-identifier
settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/user-confirmation/attribute-for-foreign-identifier

The attribute with the foreign identifier to use on the user confirmation. By default, the subject attribute will be used

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/user-confirmation/attribute-for-foreign-identifier

Parameters:
  • location

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    The attribute location

  • name

    string

    (mandatory)

    The attribute name

Attribute-for-local-identifier
settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/user-confirmation/attribute-for-local-identifier

The attribute with the local identifier to use on the user confirmation. By default, the subject attribute will be used

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/auto-link-account/user-confirmation/attribute-for-local-identifier

Parameters:
  • location

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    The attribute location

  • name

    string

    (mandatory)

    The attribute name

Option: remove-attribute-transformer
Remove-attribute-transformer
settings/authentication-service/authentication-actions/authentication-action{id}/remove-attribute-transformer
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/remove-attribute-transformer

Parameters:
  • attributes-location

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    The source and destination of the transformed attributes.

  • excluded-attributes

    string

    (multi-value) (optional)

    This is an optional list of attributes that should be removed from the original set of attributes. If the name of an attribute matches what the authentication returned, that attribute will be removed. The excluded attributes need to have a fully qualified path. Example: emails.email.value, or, to remove all emails: emails

Option: reset-password
Reset-password
settings/authentication-service/authentication-actions/authentication-action{id}/reset-password
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/reset-password

Parameters:
  • allow-skip

    boolean

    (default: false)

    When this is set to true, users will be able to skip the password reset.

  • attribute

    string

    (default: resetPassword)

    When this attribute is found in the subject attributes and set to ‘true’, the user will be prompted with an option to perform a password update.

  • attribute-source

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    Source location for the attribute controlling the password update.

  • regular-expression

    string

    (optional)

    Regular expression which checks the strength of the submitted password

Account-manager
settings/authentication-service/authentication-actions/authentication-action{id}/reset-password/account-manager
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/reset-password/account-manager
Parameters:id

leafref /base:processing/base:account-managers/base:account-manager/base:id

(mandatory)

A reference to an Account Manager

Credential-manager
settings/authentication-service/authentication-actions/authentication-action{id}/reset-password/credential-manager
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/reset-password/credential-manager
Parameters:id

leafref /base:processing/base:credential-managers/base:credential-manager/base:id

(mandatory)

A reference to a Credential Manager

Option: resolve-linked-account-transformer
Resolve-linked-account-transformer
settings/authentication-service/authentication-actions/authentication-action{id}/resolve-linked-account-transformer
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/resolve-linked-account-transformer

Parameters:
  • fail-on-no-link

    boolean

    (default: false)

    Set to true if this action should fail if no link could be resolved

  • linked-domain-attribute-name

    string

    (optional)

    The name of the authentication-attribute to put the linked domain in

  • linked-domain-attribute-target

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    The target location in which to put the attribute with the linked domain.

  • original-subject-attribute-name

    string

    (optional)

    The name of the authentication-attribute to put the original subject in

  • original-subject-attribute-target

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    The target location in which to put the attribute with the original subject.

Linking-account-domain
settings/authentication-service/authentication-actions/authentication-action{id}/resolve-linked-account-transformer/linking-account-domain
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/resolve-linked-account-transformer/linking-account-domain
Parameters:id

leafref ../../../../../auth:account-domains/auth:account-domain/auth:id

(mandatory)

A reference to an Account Domain

Linking-account-manager
settings/authentication-service/authentication-actions/authentication-action{id}/resolve-linked-account-transformer/linking-account-manager
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/resolve-linked-account-transformer/linking-account-manager
Parameters:id

leafref /base:processing/base:account-managers/base:account-manager/base:id

(mandatory)

A reference to an Account Manager

Option: restart
Restart
settings/authentication-service/authentication-actions/authentication-action{id}/restart
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/restart
Parameters:re-run-authenticator

boolean

(default: false)

Flag indicating whether the authenticator should run again after the pipeline restart.

Choice: mode
Option: always
Always
settings/authentication-service/authentication-actions/authentication-action{id}/restart/always

Always restart authentication pipeline.

Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/restart/always
Option: attribute-condition
Attribute-condition
settings/authentication-service/authentication-actions/authentication-action{id}/restart/attribute-condition

Restart authentication pipeline depending on the presence of an attribute.

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/restart/attribute-condition

Parameters:
  • expected-value

    boolean

    (default: true)

    The expected value of the attribute that determines whether the pipeline is restarted.

  • name

    string

    (mandatory)

    The attribute name.

  • source

    enumeration subject-attributes, context-attributes, action-attributes

    (default: action-attributes)

    The attribute location.

Option: regex-transformer
Regex-transformer
settings/authentication-service/authentication-actions/authentication-action{id}/regex-transformer
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/regex-transformer
Parameters:attributes-location

enumeration subject-attributes, context-attributes, action-attributes

(default: subject-attributes)

The source and destination of the transformed attributes.

Attributes
settings/authentication-service/authentication-actions/authentication-action{id}/regex-transformer/attributes{attribute-base-path, attribute-name} (keys ['attribute-base-path', 'attribute-name'])

This transformer applies the defined regex on the matching key. The username key is called ‘subject’ and, if omitted, will be passed through without change. If a matching-regex is omitted, the attribute will be passed through without change of value, but might be given a new name. If an attribute value doesn’t match any key, the transformer will ignore that value and it will be passed through.

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/regex-transformer/attributes{attribute-base-path, attribute-name}

Parameters:
  • attribute-base-path

    string

    (mandatory)

    The location of the attribute in the Attributes tree structure. This contains the path without the attribute name. Example: emails.email or name. It’s also possible to address root elements by using the $root keyword: $root.subject. If the element is directly under the top level, simply set the path to $root; if it’s nested, either use the example above or explicitly state root via $root.emails.email.

  • attribute-name

    string

    (mandatory)

    The name of the attribute that the regex will be applied on. The attribute is looked for in the path given in attribute-base-path. To address the value of an email, simply set the attribute-base-path to $root.emails.email and the attribute-name to value.

  • matching-regex

    string

    (optional)

    The regular expression to apply on the attribute value, in the form of a regex pattern. If the value is a multi-valued attribute (list elements), the regex will be applied on all values individually. All values will be included in the result; if the regex didn’t match, the original value is included.

  • replacement-value

    string

    (optional)

    The string or expression to replace the matching portion of the attribute value with. Must be set if the matching-regex is set.

  • transformed-attribute-name

    string

    (optional)

    The name of the resulting attribute after the transformation is applied. If not set, the name will be the same as the original attribute name. Note: this is placed in the attribute-base-path, the same as the attribute-name that it is replacing. It is not possible to move elements around in the structure; replacement and renaming are done on the same path.

  • excluded-attributes

    string

    (multi-value) (optional)

    This is an optional list of attributes that should be removed from the original set of attributes. If the name of an attribute matches what the authentication returned, that attribute will be removed. The excluded attributes need to have a fully qualified path. Example: emails.email.value, or, to remove all emails: emails

Option: allow-deny-country
Allow-deny-country
settings/authentication-service/authentication-actions/authentication-action{id}/allow-deny-country
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/allow-deny-country

Parameters:
  • allow-listed-countries

    boolean

    (default: true)

    Enable to allow the countries in the list, disable to deny them.

  • country-list-to-allow-or-deny

    string

    (multi-value) (optional)

    The list of countries to allow or deny.

Option: set-attribute
Set-attribute
settings/authentication-service/authentication-actions/authentication-action{id}/set-attribute
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/set-attribute
Attribute
settings/authentication-service/authentication-actions/authentication-action{id}/set-attribute/attribute{name} (keys ['name'])

List of additional attributes, their values and location.

Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/set-attribute/attribute{name}

Parameters:
  • name

    string

    (mandatory)

    Name of an attribute. By default this will be treated as an attribute path, meaning this action may be used to create nested attributes.

  • is-attribute-name

    boolean

    (default: false)

    The name is literal, and does not represent a path. Enable this if your attribute names contain a period, which would indicate that it is addressing a nested object.

  • target

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    The destination of the additional attribute.

Choice: value
Option: boolean-value
param boolean-value:

boolean

(optional)

Boolean value of an additional attribute

Option: integer-value
param integer-value:

int32

(optional)

Integer value of an additional attribute

Option: string-value
param string-value:

string

(optional)

String value of an additional attribute

Option: require-active-account
Require-active-account
settings/authentication-service/authentication-actions/authentication-action{id}/require-active-account
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/require-active-account
Account-manager
settings/authentication-service/authentication-actions/authentication-action{id}/require-active-account/account-manager
Path :/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/require-active-account/account-manager
Parameters:id

leafref /base:processing/base:account-managers/base:account-manager/base:id

(mandatory)

A reference to an Account Manager

Option: script-transformer
Script-transformer
settings/authentication-service/authentication-actions/authentication-action{id}/script-transformer
Path :

/profiles/profile{id, type}/settings/authentication-service/authentication-actions/authentication-action{id}/script-transformer

Parameters:
  • attributes-location

    enumeration subject-attributes, context-attributes, action-attributes

    (default: subject-attributes)

    The source and destination of the transformed attributes.

  • transformation-procedure

    leafref /base:processing/base:procedures/base:transformation-procedure/base:id

    (mandatory)

  • excluded-attributes

    string

    (multi-value) (optional)

    An optional list of attributes that should be removed from the original set of attributes. If the name of an attribute matches what the authentication returned, that attribute will be removed. The excluded attributes need to have a fully qualified path. Example: emails.email.value, or to remove all emails: emails

  • include-attributes-of-all-authenticators

    empty

    (optional)

    When present, the attributes issued by the additional authentication factors will be included alongside the attributes issued by the main authenticator. The attributes from the additional authenticators will have authority equal to the authenticator’s ACR. The attributes from the main authenticator don’t have any authority.

Authenticator

authenticator (keys: ['id'])
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}

Parameters:
  • id

    string

    (mandatory)

  • authentication-context-class-reference

    string

    (optional)

    The Authentication Context Class Reference (ACR) that this authenticator supports

  • account-domain

    leafref ../../../account-domains/account-domain/id

    (optional)

    Optional domain in which accounts are stored

  • description

    string

    (optional)

    A human-readable description of the authenticator, for presentation to the user; can be a locale key

  • sso-expiration-time

    uint32

    (optional)

    This controls the expiration time for this specific authenticator. If this is not set, the value set on the profile will be used instead. A common scenario is to allow some factors to have longer lifetimes than others, which is accomplished by setting this value on the authenticator in question

  • sso-inactivity-timeout

    uint32

    (optional)

    The maximum time an SSO session created by this authenticator will be valid without being used. If this value is not set, then the profile value will be used (if set there).

  • previous-authenticator

    leafref ../../../authenticators/authenticator/id

    (optional)

    Optional authenticator (or any from a group) that the user must authenticate with prior to this one

  • purpose

    union

    (optional)

    A category of usage that this authenticator instance is intended for.

  • exclude-from-metadata

    boolean

    (default: false)

    Whether or not the authenticator should be excluded from the OAuth and OpenID Connect metadata (“acr_values_supported” attribute) of a token profile linked to this authentication profile

  • template-area

    non-empty-string

    (optional)

    Optional override for template area

  • cross-site-block-enabled

    boolean

    (optional)

    Enables the blocking mechanism for unsafe (e.g. POST) cross-site requests. Blocks cross-site requests (those originating from a different or third-party domain) that use an unsafe method from being accepted, except on endpoints that explicitly allow them. Disabling this feature can help with interoperability but poses security risks, so it should only be disabled if strictly required.

Geo-filtering

geo-filtering
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/geo-filtering

Parameters:
  • allow-authenticator

    boolean

    (default: false)

    If enabled then allow the countries in the list to use the authenticator. Deny otherwise.

  • filter-countries

    non-empty-string

    (multi-value) (optional)

    The list of countries (ISO-3166 codes) that are allowed or denied to use the authenticator.

Authentication-actions

authentication-actions
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/authentication-actions

Parameters:
  • login

    leafref ../../../../authentication-actions/authentication-action/id

    (multi-value) (optional)

    An ordered list of actions that will run after authentication is complete. They can work on the attributes (including subject) that the authenticator has returned, and shape these to match the desired pattern/format, and can reject the authentication if necessary

  • sso

    leafref ../../../../authentication-actions/authentication-action/id

    (multi-value) (optional)

    An ordered list of actions that will run when single sign-on with the current ACR is complete. They will work on the attributes that were returned at the original authentication. They can reject the SSO if necessary

Additional-context-attributes

additional-context-attributes

List of key/value attributes that will be added to the context attributes when this authenticator finishes.

Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/additional-context-attributes
Attribute
additional-context-attributes/attribute{key} (keys ['key'])
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/additional-context-attributes/attribute{key}

Parameters:

Choice: registration-requirement

param required-authentication-action-for-registration:

leafref ../../../authentication-actions/authentication-action/id

(multi-value) (optional)

Optional authentication action that must explicitly allow for this registration to occur

param required-authenticator-for-registration:

leafref ../../../authenticators/authenticator/id

(optional)

Optional authenticator (or any from a group) that the user must authenticate with prior to registering with this one.

Request-validations

request-validations
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/request-validations
Request-validation
request-validations/request-validation{request-subpath, endpoint, http-method} (keys ['request-subpath', 'endpoint', 'http-method'])

Procedures that will execute to validate the request data

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/request-validations/request-validation{request-subpath, endpoint, http-method}

Parameters:
  • request-subpath

    string

    (mandatory)

  • endpoint

    leafref /base:profiles/base:profile[base:type=current()/../../../../../../../base:type][base:id=current()/../../../../../../../base:id]/base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint that this subpath exists on

  • http-method

    enumeration get, post

    (mandatory)

  • validation-procedure

    leafref /base:processing/base:procedures/base:validation-procedure/base:id

    (mandatory)

Choice: authenticator-type

Group

group

A group of authenticators, any one can be picked and will represent the group. (Logical OR)

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/group

Parameters:
  • skip-selection-when-single-authenticator

    boolean

    (default: false)

    Controls whether the authenticator selection should be skipped when a single authenticator is available in the group

  • authenticators

    leafref ../../../../authenticators/authenticator/id

    (multi-value) (optional)

    The authenticators that belong to the group

Sms

sms

An SMS authenticator. Sends a challenge over SMS

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/sms

Parameters:
  • send-otp-as-code

    boolean

    (default: false)

    The OTP in the SMS will be a regular OTP and not a hyperlink

  • otp-length

    uint16

    (default: 6)

    The length of the OTP

  • otp-or-hyperlink-time-to-live

    uint32

    (default: 60)

    The time the OTP or the hyperlink is valid

  • allow-registration-during-login

    boolean

    (default: true)

    Whether or not users should be able to add a new device during the login process

  • show-info-before-registration

    boolean

    (default: true)

    Whether or not the information page should be shown before the registration page

  • max-allowed-attempts

    uint16

    (default: 3)

    The maximum number of times a user is allowed to try to validate an OTP. When this value is set to 0, no maximum number of attempts is enforced.

  • max-challenges-sent

    uint16

    (default: 3)

    The maximum number of OTPs or hyperlinks that are allowed to be sent during one session. When this value is set to 0, no maximum is enforced.

  • auto-login-enabled

    boolean

    (default: false)

    When active a login will be automatically performed after a successful registration

Choice: account-manager-or-intermediate-attribute
param account-manager:

leafref /base:processing/base:account-managers/base:account-manager/base:id

(optional)

The Account Manager is used to fetch the account

param intermediate-attribute-name:

string

(optional)

The intermediate subject attribute that contains the identifier to use when this authenticator is used as a second factor. If this is configured, the account manager must not be configured

Email

email

An email authenticator. Sends a challenge over email

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/email

Parameters:
  • max-challenges-sent

    uint16

    (default: 3)

    The maximum number of email challenges that are allowed to be sent during one session. When this value is set to 0, no maximum is enforced.

  • max-allowed-attempts

    uint16

    (default: 3)

    The maximum number of times a user can try to validate the nonce sent with a hyperlink. When this value is set to 0, no maximum number of attempts is enforced.

  • allow-inactive-accounts

    boolean

    (default: false)

    If set to true, the authenticator will not check if the account is active before sending the hyperlink.

  • activate-inactive-accounts

    boolean

    (default: false)

    If set to true, the authenticator will change the account status to active once the hyperlink sent was consumed by the user.

Send-otp-as-code
email/send-otp-as-code
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/email/send-otp-as-code

Parameters:
  • otp-time-to-live

    uint32

    (default: 120)

    The time the OTP is valid

  • otp-length

    uint16

    (default: 6)

    The length of the OTP

Choice: account-manager-or-intermediate-attribute
param account-manager:

leafref /base:processing/base:account-managers/base:account-manager/base:id

(optional)

The Account Manager is used to fetch the account

param intermediate-attribute-name:

string

(optional)

The intermediate subject attribute that contains the identifier to use when this authenticator is used as a second factor. If this is configured, the account manager must not be configured

Encap

encap

The settings for an Encap authentication provider

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/encap

Parameters:
  • account-manager

    leafref /base:processing/base:account-managers/base:account-manager/base:id

    (mandatory)

    The Account Manager is responsible for credentials and accounts. Depending on whether you pick an account manager that supports registration, the html-form will support creating and managing accounts

  • client-id

    string

    (mandatory)

    The ID of the authentication service Encap client

  • application-id

    string

    (default: encap)

    The application ID of the Encap mobile application being used

  • api-key

    string

    (optional)

    The API key to be used (only applicable when using the public Encap test server)

  • encap-server-url

    uri

    (mandatory)

    The URL to where the Encap webservice is located (e.g., https://demo.encapsecurity.com/pt)

  • allow-registration-during-login

    boolean

    (default: true)

    Whether or not users should be able to add a new device during the login process

  • show-info-before-registration

    boolean

    (default: true)

    Whether or not the information page should be shown before the registration page

  • client-key-id

    leafref /base:facilities/base:crypto/base:signing-keys/base:signing-key/base:id

    (mandatory)

    The key ID of the private key that will be used when signing messages sent to the Encap server

  • authentication-app-download-uri

    uri

    (optional)

    The URL where users may download the mobile authentication application

  • context-title

    string

    (optional)

    A title message that is sent to the encap server when starting authentication

  • context-content

    string

    (optional)

    A context body that is sent to the encap server when starting authentication, as text/plain

  • context-content-type

    string

    (default: text/plain)

    The content type of the context-content

  • max-allowed-attempts

    uint16

    (default: 3)

    The maximum number of authentication attempts that are allowed to be sent during one session. When this value is set to 0, no maximum number of attempts is enforced.

  • device-expiration

    uint32

    (optional)

    Set a device expiration in seconds from the time the device is activated; if not set, devices never expire. If this is set, it is not possible to override it in the template.

  • auto-login-enabled

    boolean

    (default: false)

    When active a login will be automatically performed after a successful registration

Non-interactive-registration
encap/non-interactive-registration

Enables the possibility to activate a new device without user interaction. This can be used when the app also serves as an OpenID Connect client.

Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/encap/non-interactive-registration
Parameters:app-url

uri

(mandatory)

The custom scheme url to redirect to with the activation code (myapp://some-redirect)

Openid-wallet

openid-wallet

The settings for the OpenID Wallet authentication provider

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/openid-wallet

Parameters:
  • wallet-invocation-url-prefix

    string

    (default: haip)

    The prefix that will be used for building the wallet invocation URLs. Can be just a URI scheme (such as ‘haip’) or a URL (such as ‘https://wallet.example.com’).

  • signature-algorithm

    enumeration RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, EdDSA

    (mandatory)

    Signature algorithm for the signed request object.

  • authorization-request-time-to-live

    uint16

    (default: 60)

    Validity period of an authorization request in seconds. This setting controls the maximum amount of time a user can take from opening this authenticator to obtaining a request object (via a provided link or via a provided QR code).

  • request-object-time-to-live

    uint16

    (default: 300)

    Validity period of a request object in seconds. This setting controls the ‘exp’ claim of the generated request object.

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (optional)

    A reference to the HTTP client to use. If not defined, the default HTTP client is used

Signing-key
openid-wallet/signing-key

A reference to a signing key. This key will be used to sign request objects created by this authenticator.

Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/openid-wallet/signing-key
Parameters:id

leafref /base:facilities/base:crypto/base:signing-keys/base:signing-key/base:id

(mandatory)

A reference to a Signing Keystore with an asymmetric key

Client
openid-wallet/client
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/openid-wallet/client
Parameters:client-id

non-empty-string

(mandatory)

The client_id to be used in authorization requests.

Choice: client-id-scheme
The configuration of client id scheme.
Option: did
Did
openid-wallet/client/did
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/openid-wallet/client/did
Option: pre-registered
Pre-registered
openid-wallet/client/pre-registered
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/openid-wallet/client/pre-registered
Option: x509-san-dns
X509-san-dns
openid-wallet/client/x509-san-dns
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/openid-wallet/client/x509-san-dns
Option: x509-san-uri
X509-san-uri
openid-wallet/client/x509-san-uri
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/openid-wallet/client/x509-san-uri
Presentation-definition
openid-wallet/presentation-definition

Presentation definition articulates what proofs this Verifier requires.

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/openid-wallet/presentation-definition

Parameters:
  • name

    string

    (optional)

    Distinctive designation of presentation definition. May be displayed by wallets to users.

  • purpose

    string

    (optional)

    Describes the purpose for which the presentation definition’s inputs are being used. May be displayed by wallets to users.

Input-descriptor
openid-wallet/presentation-definition/input-descriptor

Input descriptor is populated with properties describing what type of input data are required for submission to the Verifier.

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/openid-wallet/presentation-definition/input-descriptor

Parameters:
  • name

    string

    (optional)

    Describes what is being requested. May be displayed by wallets to users.

  • purpose

    string

    (optional)

    Describes the purpose for which the data is being requested. May be displayed by wallets to users.

  • format

    enumeration jwt-vc-json, vc-sd-jwt

    (default: jwt-vc-json)

    The credential format to request

Constraints
openid-wallet/presentation-definition/input-descriptor/constraints
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/openid-wallet/presentation-definition/input-descriptor/constraints

Parameters:
  • credential-type

    string

    (optional)

    The credential type accepted by this Verifier.

  • credential-issuer

    string

    (optional)

    The credential issuer accepted by this Verifier.

Option: html-form

Html-form

html-form

The settings for an HTML form authentication provider

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/html-form

Parameters:
  • email-provider

    leafref /base:facilities/base:email-providers/base:email-provider/base:id

    (optional)

    Optional email-provider to use for ‘forgot password’ and ‘forgot username’ procedures. This overrides the default email provider that is configured for the zone.

  • max-allowed-attempts

    uint16

    (default: 3)

    DEPRECATED: The maximum number of times a user is allowed to try to validate credentials. When this value is set to 0, no maximum number of attempts is enforced. This setting is deprecated in favor of configuring a credential policy, with temporary lockout, on the credential manager associated with this authenticator.

  • password-only

    boolean

    (default: false)

    When active, this authenticator will only be usable as a second factor. The username is picked up by the authenticated state and the user is asked to enter only a password.

  • auto-login-enabled

    boolean

    (default: false)

    When active a login will be automatically performed after a successful activation or password change.

  • show-remember-me-option

    boolean

    (default: false)

    When true, a checkbox with ‘remember me’ is shown to the user. This allows the user to have their session forgotten when the browser is closed.

  • account-manager

    leafref /base:processing/base:account-managers/base:account-manager/base:id

    (optional)

    The Account Manager is used to fetch the account

  • credential-manager

    leafref /base:processing/base:credential-managers/base:credential-manager/base:id

    (mandatory)

    The Credential Manager is used to verify the credentials

Option: sign-in-with-apple

Sign-in-with-apple

sign-in-with-apple

Sign in with Apple methods

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/sign-in-with-apple

Parameters:
  • issuer

    uri

    (default: https://appleid.apple.com)

    The issuer of the Sign in with Apple service. Will be used to get the configuration document

  • team-id

    non-empty-string

    (mandatory)

    The Team ID of your Apple Developer team.

  • client-id

    non-empty-string

    (mandatory)

    The Service identifier registered with your Apple Developer team

  • jwt-signing-key

    leafref /base:facilities/base:crypto/base:signing-keys/base:signing-key/base:id

    (mandatory)

    The key to sign the client secret with. This key is issued from your Apple Developer account.

  • jwt-signing-key-id

    string

    (mandatory)

    The Key ID of the signing key downloaded from the Apple Developer portal. A 10-character string listed in ‘Certificates, Identifiers & Profiles > Keys’

  • scope

    non-empty-string

    (default: openid email name)

    Scope to ask for, space separated

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (optional)

    A reference to the Http Client to use. If not defined, the default HTTP client is used

Bankid

bankid

The settings for a BankID authentication provider

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/bankid

Parameters:
  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    A reference to the Http Client

  • bankid-issuer-cn

    union

    (optional)

    The Common Name (CN) of the certificate used by the BankID provider

  • qr-code-ttl

    uint16

    (default: 60)

    The amount of seconds that QR is displayed

  • type-of-card-reader

    enumeration any, with-keypad

    (optional)

    The type of smartcard reader that must be used when authenticating with a form of BankID that supports smartcards

  • mode

    enumeration test, production

    (default: production)

    The method by which to connect to the BankID – either test or production

  • use-new-api-endpoint

    boolean

    (default: true)

    Use the new BankID API endpoint (appapi2.bankid.com). The old API endpoint (appapi.bankid.com) will be discontinued in June 2019. This option is obsolete and will be removed in a subsequent release.

  • api-version

    enumeration version-5, version-6

    (default: version-5)

    The version of the BankID API to use.

  • max-allowed-attempts

    uint16

    (default: 3)

    The maximum number of authentication attempts that are allowed to be sent during one session. When this value is set to 0, no maximum number of attempts is enforced. This option is obsolete and will be removed in a subsequent release (the BankID API itself handles this).

  • generate-autostart-qr-code

    boolean

    (default: false)

    Generate a QR code for the autostart token, to be able to perform the ‘other device’-flow without asking the user for a personal number.

  • add-extended-bankid-attributes

    boolean

    (default: false)

    Parse the returned BankID signature to obtain the issuers and the device info. This will make the contextAttributes large, so storing the SSO sessions in a database is advised.

  • user-message

    non-empty-string

    (optional)

    A message to show to the user in the app. The value may be a message-key, or the actual message. The message may be overridden by the client sending a binding message in the authentication request.

  • mrtd

    boolean

    (default: false)

    Require the user to authenticate using a MRTD (machine readable travel document), like a Swedish Passport

  • enforce-ip-address-match-on-same-device

    boolean

    (default: false)

    On same-device flows using autostart tokens, enforces verification that the IP address of the device performing the authentication flow is the same as the IP address of the device running the BankId application. The authentication will be rejected if the addresses don’t match, which improves security. However, it may reject legitimate authentications if the user’s device simultaneously uses multiple IP addresses

  • allowed-bankid-types

    enumeration bankid-on-file, bankid-on-smartcard, mobile-bankid, nordea-e-id-on-file-and-on-smartcard, any

    (multi-value) (default: any)

    The allowed forms of BankID that may be used for authentication

Risk-assessment
bankid/risk-assessment

The risk parameters of the BankID API

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/bankid/risk-assessment

Parameters:
  • accepted-risk-level

    enumeration low, moderate

    (optional)

    The maximum risk level that BankID will accept.

  • send-device-data

    boolean

    (default: false)

    Send device information to BankID to be used in the risk assessment. The authenticator will pass on information like user-agent, referring domain and device identifier.

Option: saml2

Saml2

saml2
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/saml2

Parameters:
  • issuer-entity-id

    string

    (mandatory)

    The SAML Entity Id that the authenticator uses when communicating with the remote SAML IDP.

  • clock-skew

    uint32

    (default: 60)

    The allowed clock-skew in seconds when validating the inbound response message

  • include-subject-with-requested-authn-context

    boolean

    (default: false)

    If there is a previously authenticated subject, pass the subject in the AuthnRequest to the SAML Identity Provider.

  • force-authn

    enumeration always, if-requested-by-client

    (optional)

    Controls whether the ForceAuthn=true parameter is sent. By default, it is not sent; this overrules the forceAuthN parameter of the request or the configuration of forced re-authentication on a client.

  • idp-entity-id

    string

    (mandatory)

    The SAML Entity Id of the remote SAML IDP

  • idp-url

    string

    (mandatory)

    The target IDP URL where SAML Authentication Requests are delivered to.

  • signature-verification-key

    leafref /base:facilities/base:crypto/base:signature-verification-keys/base:signature-verification-key/base:id

    (optional)

    The key to verify the signature of received SAML Response messages. When no key is configured and signed SAML messages are received, then the messages will be rejected.

  • wants-response-signed

    boolean

    (default: false)

    Indicate whether the received SAML Response message must be signed.

  • wants-assertion-signed

    boolean

    (default: true)

    Indicate whether the received Assertion must be signed.

  • request-signing-key

    leafref /base:facilities/base:crypto/base:signing-keys/base:signing-key/base:id

    (optional)

    Optional reference to the signing key that is used to sign outbound SAML AuthnRequest messages. If not configured, signing AuthnRequests is disabled.

  • request-binding

    enumeration redirect, post

    (default: redirect)

    The binding to use to send the SAML AuthnRequest message to the IDP

  • assertion-decryption-key

    leafref /base:facilities/base:crypto/base:decryption-keys/base:decryption-key/base:id

    (optional)

    The key to decrypt encrypted assertions from the SAML Response. When this is set, an encrypted assertion is required.

Authentication-context-class-reference
saml2/authentication-context-class-reference

The Authentication Context Class Reference (ACR) values to be included in the SAML Authentication Request.

Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/saml2/authentication-context-class-reference
Choice: authentication-context-class-reference
param none:

empty

(optional)

Do not use ACR values

param pass-through:

empty

(optional)

Use the ACR values from the request to the Authentication Service.

param explicit:

non-empty-string

(optional)

Use a specific ACR value.

Request-options
saml2/request-options

Optional settings to finetune how a SAML Authentication Request message is constructed.

Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/saml2/request-options
Parameters:nameid-format

string

(optional)

The optional NameIdFormat that is requested in a SAML Authentication Request. When not configured, no NameIdFormat is requested.

Use-artifact-binding
saml2/use-artifact-binding

When enabled, the Assertion Consumer Service expects to receive the authentication response through the artifact binding

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/saml2/use-artifact-binding

Parameters:
  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    HTTP client to use when resolving artifacts

  • artifact-resolution-url

    uri

    (mandatory)

    The target IDP URL used for artifact resolution (when using artifact request binding).

Option: google

Google

google

Google OpenID Connect methods

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/google

Parameters:
  • configuration-url

    uri

    (default: https://accounts.google.com/.well-known/openid-configuration)

    The url to the openid-configuration document at Google

  • client-id

    string

    (mandatory)

    The client-id, registered at Google

  • client-secret

    non-empty-string

    (optional)

    The client-secret, registered at Google

  • scope

    string

    (default: openid profile email)

    Scope to ask Google for, space separated. Note that when using Google Apps with custom domains, the openid, profile and email scopes need to be present.

  • clock-skew

    uint32

    (default: 60)

    The allowed clock-skew in seconds when validating the JWT from the OpenID Server

  • authentication-context-class-reference

    non-empty-string

    (optional)

    The Authentication Context Class Reference (ACR) or authentication method that the OpenID Server should require

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (optional)

    A reference to the Http Client to use. If not defined, the default HTTP client is used

  • map-to-subject

    string

    (optional)

    The claim to use as subject

  • hosted-domain

    string

    (optional)

    This can be set to a Google Apps domain, such as your-company.com. Only authentications done with an account in that domain will then be accepted.

  • prompt-select-account

    enumeration always, if-reauthentication-requested

    (optional)

    Force Google to show the select account screen.

Option: facebook

Facebook

facebook

Facebook login method

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/facebook

Parameters:
  • client-id

    string

    (mandatory)

    The client-id registered with Facebook

  • client-secret

    string

    (mandatory)

    The client-secret registered with Facebook

  • scope

    string

    (default: public_profile email)

    A space-separated list of scopes to request from Facebook

  • authorization-endpoint

    string

    (default: https://www.facebook.com/dialog/oauth)

    URL to the Facebook authorization endpoint

  • token-endpoint

    string

    (default: https://graph.facebook.com/v3.2/oauth/access_token)

    URL to the Facebook token endpoint

  • userinfo-endpoint

    string

    (default: https://graph.facebook.com/v3.2/me)

    URL to the Facebook userinfo endpoint

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (optional)

    A reference to the Http Client to use. If not defined, the default HTTP client is used

  • account-manager

    leafref /base:processing/base:account-managers/base:account-manager/base:id

    (optional)

    The Account Manager is used to fetch the account

Duo

duo

The settings for a Duo authentication provider

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/duo

Parameters:
  • allow-registration-during-login

    boolean

    (default: true)

    Allow registration during login

  • show-info-before-registration

    boolean

    (default: true)

    Show information page with instructions about installing the Duo app before registration.

  • auto-login-enabled

    boolean

    (default: false)

    When active a login will be automatically performed after a successful registration.

  • api-hostname

    string

    (mandatory)

    The API hostname of the Duo account.

  • auth-api-integration-key

    string

    (mandatory)

    The auth API integration key of the Duo account.

  • auth-api-secret-key

    string

    (mandatory)

    The auth API secret key of the Duo account.

  • admin-api-integration-key

    string

    (mandatory)

    The admin API integration key of the Duo account.

  • admin-api-secret-key

    string

    (mandatory)

    The admin API secret key of the Duo account.

  • valid-seconds

    uint32

    (default: 1500)

    The seconds for which the created activation code is going to be valid.

Account-manager
duo/account-manager
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/duo/account-manager

Parameters:
  • id

    leafref /base:processing/base:account-managers/base:account-manager/base:id

    (mandatory)

    A reference to an Account Manager

  • factors

    enumeration auto, push, passcode, sms, phone

    (multi-value) (optional)

    The allowed factors of Duo that may be used for authentication

Option: passkeys

Passkeys

passkeys

The settings for a Passkeys authentication provider

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/passkeys

Parameters:
  • allow-registration-during-login

    boolean

    (default: true)

    Whether or not users should be able to register a device during the login process

  • enable-discoverable-credentials

    boolean

    (default: false)

    Enable public key credential selection based on credentials known to the browser/operating system. Before enabling, please ensure your database structure has been updated as per the product’s upgrade guides.

Account-manager
passkeys/account-manager
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/passkeys/account-manager
Parameters:id

leafref /base:processing/base:account-managers/base:account-manager/base:id

(mandatory)

A reference to an Account Manager

Option: oidc

Oidc

oidc

OpenID Connect methods

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/oidc

Parameters:
  • configuration-url

    uri

    (mandatory)

    The URL to the openid-configuration document at the OpenID server (must end in ‘/.well-known/openid-configuration’)

  • client-id

    string

    (mandatory)

    The client-id, registered at the OpenID server

  • use-http-basic-authentication

    boolean

    (default: false)

    Send the client credentials using HTTP Basic authentication. When false, the credentials are sent in the request-body

  • scope

    string

    (default: openid)

    Scope to ask the OpenID server for, space separated

  • clock-skew

    uint32

    (default: 60)

    The allowed clock-skew in seconds when validating the JWT from the OpenID Server

  • authentication-context-class-reference

    non-empty-string

    (optional)

    The Authentication Context Class Reference (ACR) or authentication method that should be sent in the request to the OpenID Server

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (optional)

    A reference to the Http Client to use. If not defined, the default HTTP client is used

  • use-subject-for-login-hint

    boolean

    (default: false)

    If there is a previously authenticated subject, pass the subject as login_hint to the OpenID Server.

  • prompt-login

    enumeration always, if-requested-by-client

    (optional)

    Controls whether the prompt=login parameter is sent. By default, it is not sent.

Choice: client-authentication-method
param client-secret:

non-empty-string

(optional)

The client-secret (client-secret-post), registered at the OpenID server

Asymmetrically-signed-jwt
oidc/asymmetrically-signed-jwt

Settings for the asymmetrically signed JWT (private_key_jwt)

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/oidc/asymmetrically-signed-jwt

Parameters:
  • signing-key

    leafref /base:facilities/base:crypto/base:signing-keys/base:signing-key/base:id

    (mandatory)

    Signing key for the asymmetrically signed JWT (private_key_jwt)

  • signature-algorithm

    enumeration RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512

    (mandatory)

    Signature algorithm for the asymmetrically signed JWT (private_key_jwt)

Symmetrically-signed-jwt
oidc/symmetrically-signed-jwt

Allowed symmetric signing algorithms for JWT (client_secret_jwt)

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/oidc/symmetrically-signed-jwt

Parameters:
  • signing-key

    leafref /base:facilities/base:crypto/base:signing-keys/base:signing-key/base:id

    (mandatory)

    Signing key for the symmetrically signed JWT (client_secret_jwt)

  • signature-algorithm

    enumeration HS256, HS384, HS512

    (mandatory)

    The signature algorithms to allow for JWT (client_secret_jwt)

Encrypted-id-token
oidc/encrypted-id-token

ID Token is expected to be encrypted

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/oidc/encrypted-id-token

Parameters:
  • decryption-key

    leafref /base:facilities/base:crypto/base:decryption-keys/base:decryption-key/base:id

    (mandatory)

    A reference to a Decryption Keystore with a key

  • allowed-algorithms

    allowed-key-management-algorithms RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW

    (multi-value) (optional)

    Key Management Algorithm - the algorithm used to obtain the Content Encryption Key, and present in the ‘alg’ JWE header. If empty, any supported algorithm is allowed.

  • allowed-content-encryption-algorithms

    allowed-content-encryption-algorithms A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM

    (multi-value) (optional)

    Content Encryption Algorithm - the algorithm used to obtain the content, and present in the ‘enc’ JWE header. If empty, any supported algorithm is allowed.

Fetch-userinfo
oidc/fetch-userinfo

Fetch claims from the userinfo endpoint

Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/oidc/fetch-userinfo
Choice: signed-or-encrypted-userinfo
param plain:

empty

(optional)

Expect user info response to be plain JSON

param signed:

empty

(optional)

Expect user info response to be a signed JWT

Encrypted
oidc/fetch-userinfo/encrypted

Settings for decrypting an encrypted userinfo response

Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/oidc/fetch-userinfo/encrypted
Parameters:decryption-key

leafref /base:facilities/base:crypto/base:decryption-keys/base:decryption-key/base:id

(mandatory)

A reference to a Decryption Keystore with a key

Choice: signed-or-unsigned-payload
param unsigned-payload:

empty

(optional)

Expect the encrypted userinfo payload to be plain JSON

param signed-payload:

empty

(optional)

Expect the encrypted userinfo payload to be a signed JWT

param allowed-algorithms:

allowed-key-management-algorithms RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW

(multi-value) (optional)

Key Management Algorithm - the algorithm used to obtain the Content Encryption Key, and present in the ‘alg’ JWE header. If empty, any supported algorithm is allowed.

param allowed-content-encryption-algorithms:

allowed-content-encryption-algorithms A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM

(multi-value) (optional)

Content Encryption Algorithm - the algorithm used to obtain the content, and present in the ‘enc’ JWE header. If empty, any supported algorithm is allowed.

Parameter-mappings
oidc/parameter-mappings
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/oidc/parameter-mappings
Parameter-mapping
oidc/parameter-mappings/parameter-mapping{parameter-name} (keys ['parameter-name'])

Specifies a query parameter name and how to get the value for it.

Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/oidc/parameter-mappings/parameter-mapping{parameter-name}
Parameters:parameter-name

string

(mandatory)

The name of the query parameter.

Choice: value
param static-value:

string

(optional)

A static string to use as the value.

param use-value-from-request:

string

(optional)

The name of the query parameter of the original request to get the value from.

Option: pingfederate

Pingfederate

pingfederate
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/pingfederate

Parameters:
  • sso-endpoint

    string

    (mandatory)

  • pickup-url

    string

    (mandatory)

  • pickup-username

    string

    (optional)

  • pickup-password

    string

    (optional)

  • sp-adapter-id

    string

    (mandatory)

  • use-template-redirect

    boolean

    (default: false)

    Use a template form to redirect to the PingFederate service. Useful when postMessage notifications are needed

  • date-time-format

    non-empty-string

    (default: uuuu-MM-dd HH:mm:ssZZ)

    The format of date time strings used by PingFederate

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    A reference to the Http Client

Option: siths

Siths

siths

The settings for a SITHS authentication provider

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/siths

Parameters:
  • symmetric-key

    base64-encoded-string

    (mandatory)

    The shared secret used to decrypt identity data sent from the Windows Connector

  • windows-connector-url

    uri

    (mandatory)

    The URL, including the scheme, host, port, and URI, of the Windows Connector

  • mode

    enumeration test, production, test-or-production

    (default: production)

    The type of SITHS cards that should be allowed – either test, production, or both

Option: webauthn

Webauthn

webauthn

The settings for a WebAuthN authentication provider

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/webauthn

Parameters:
  • allow-registration-during-login

    boolean

    (default: true)

    Whether or not users should be able to register a device during the login process

  • ask-to-register-additional-platform-device

    boolean

    (default: true)

    If enabled, when a user authenticates with a security key and has no built-in device registered for the active browser, they will immediately be asked to register an additional built-in device.

  • platform-device-cookie-name

    non-empty-string

    (default: webauthn-platform-device)

    The name of the cookie that keeps track of whether a built-in device has been registered for a particular browser.

Account-manager
webauthn/account-manager
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/webauthn/account-manager
Parameters:id

leafref /base:processing/base:account-managers/base:account-manager/base:id

(mandatory)

A reference to an Account Manager

Choice: mode
Passkeys-or-user-verifying-devices
webauthn/passkeys-or-user-verifying-devices

Users must register and authenticate using devices that perform user verification, i.e. devices that authorize their usage via gestures such as biometric recognition or PIN entry. In most cases this means the device is a passkey, but it could be an equally strong device that verifies the user.

Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/webauthn/passkeys-or-user-verifying-devices
Any-device
webauthn/any-device

Users can register and authenticate using any devices, regardless of user verification

Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/webauthn/any-device
Parameters:allow-platform-devices

boolean

(default: true)

If enabled, users can register built-in devices, a.k.a. platform devices, in addition to security-keys, a.k.a. cross-platform devices.

Option: windows

Windows

windows

The settings for a Windows authentication provider

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/windows

Parameters:
  • symmetric-key

    base64-encoded-string

    (mandatory)

    The shared secret used to decrypt identity data sent from the Windows Connector

  • windows-connector-url

    uri

    (mandatory)

    The URL, including the scheme, host, port, and URI, of the Windows Connector

  • fail-over-authenticator

    leafref ../../../auth:authenticator/auth:id

    (optional)

    The authenticator that a user should login with if Integrated Windows Authentication (IWA) fails

Option: totp

Totp

totp
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/totp

Parameters:
  • algorithm

    enumeration sha1, sha256, sha512

    (default: sha1)

    The algorithm used to produce the TOTP. This parameter is ignored by some implementations and defaults to SHA1.

  • allow-multiple-device-registration

    boolean

    (default: false)

    Allow multiple device registrations. Defaults to false.

  • allow-registration-during-login

    boolean

    (default: true)

  • auto-login-enabled

    boolean

    (default: false)

    When active a login will be automatically performed after a successful registration.

  • clock-skew

    int32

    (default: 0)

    Clock skew in seconds

  • delay-window

    int32

    (default: 1)

    The delay window of the algorithm. A greater number means that a TOTP can be used for a period that many times longer than the interval (delay window * interval).

  • device-expiration

    int32

    (optional)

    Set a device expiration in seconds from the time the device is activated; if not set, devices never expire. If this is set, it is not possible to override in the template. Only one device can be active per account; registering a new device expires any previous ones.

  • device-type

    string

    (default: idsvr-totp)

    The device type (or vendor) that will be stored in the device store. This is used in registration as well as on the lookup of the devices the user has associated. If you only use one device type, it is suggested to leave this setting as is. Otherwise refer to the documentation on how this is used exactly.

  • digits

    int32

    (default: 6)

    Determines how long of a one-time passcode to display to the user. This parameter is ignored by some implementations and defaults to 6.

  • interval

    int32

    (default: 30)

    The interval of the TOTP device. This parameter is ignored by some implementations and defaults to 30 seconds.

Account-manager
totp/account-manager
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/totp/account-manager
Parameters:id

leafref /base:processing/base:account-managers/base:account-manager/base:id

(mandatory)

A reference to an Account Manager

Bucket
totp/bucket
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/totp/bucket
Parameters:data-source

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

A reference to a data source

Choice: key-distribution-settings
Option: generated-key-config
Generated-key-config
totp/generated-key-config
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/totp/generated-key-config

Parameters:
  • allow-user-to-set-device-alias

    boolean

    (default: false)

    Allow the users to set a device alias. This can be useful if a user has more than one device of this type. If it is set to false, the alias will be the username of the user.

  • issuer

    string

    (default: Identity server)

    The issuer is embedded in the QR code and will show up in TOTP apps (e.g. Google Authenticator)
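The following is an added worked example, not the product's code, showing what the totp parameters above (algorithm, digits, interval, delay-window, clock-skew) govern at verification time and the otpauth key URI that the generated-key-config issuer ends up in. The TotpSettings class, the reading of delay-window as the number of past time steps still accepted, the reading of clock-skew as an offset added to the server clock, and the replay check via a stored last-accepted counter are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote


@dataclass(frozen=True)
class TotpSettings:
    """Hypothetical holder for the totp authenticator parameters (assumption)."""
    algorithm: str = "sha1"   # algorithm: sha1, sha256 or sha512
    digits: int = 6           # digits: length of the one-time passcode
    interval: int = 30        # interval: time step in seconds
    delay_window: int = 1     # delay-window: extra past steps still accepted (assumption)
    clock_skew: int = 0       # clock-skew: seconds added to the server clock (assumption)


def hotp(secret: bytes, counter: int, algorithm: str, digits: int) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, settings: TotpSettings) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the time step of `at`."""
    return hotp(secret, int(at) // settings.interval, settings.algorithm, settings.digits)


def verify_totp(secret: bytes, submitted: str, settings: TotpSettings,
                now: Optional[float] = None, last_accepted_counter: int = -1) -> Optional[int]:
    """Return the time-step counter the submitted code matched, or None.

    The current step and `delay_window` earlier steps are accepted, so a code stays
    usable for (delay_window + 1) * interval seconds. A counter at or below the last
    accepted one is refused so that an observed code cannot be replayed.
    """
    if len(submitted) != settings.digits or not submitted.isdigit():
        return None
    at = (time.time() if now is None else now) + settings.clock_skew
    current = int(at) // settings.interval
    matched = None
    for counter in range(current - settings.delay_window, current + 1):
        candidate = hotp(secret, counter, settings.algorithm, settings.digits)
        # Constant-time comparison, and no early exit, so timing does not leak which step matched.
        if hmac.compare_digest(candidate, submitted) and counter > last_accepted_counter:
            matched = counter
    return matched


def otpauth_uri(issuer: str, account: str, secret: bytes, settings: TotpSettings) -> str:
    """Key URI an enrollment QR code would encode; apps that ignore algorithm/digits/period
    fall back to SHA1, 6 digits and 30 seconds, which is why those defaults are the safe choice."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    issuer_q = quote(issuer, safe="")
    label = f"{issuer_q}:{quote(account, safe='')}"
    return (f"otpauth://totp/{label}?secret={b32}&issuer={issuer_q}"
            f"&algorithm={settings.algorithm.upper()}&digits={settings.digits}"
            f"&period={settings.interval}")


if __name__ == "__main__":
    # Constructed secret: the RFC 6238 SHA1 test-vector seed, not a real device key.
    seed = b"12345678901234567890"
    settings = TotpSettings()
    print(otpauth_uri("Identity server", "alice", seed, settings))
    code = totp(seed, 59, settings)
    print(code, verify_totp(seed, code, settings, now=59))
```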

Bucket
totp/generated-key-config/bucket
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/totp/generated-key-config/bucket
Parameters:data-source

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

A reference to a data source

Option: pre-shared-key-config
Pre-shared-key-config
totp/pre-shared-key-config
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/totp/pre-shared-key-config
Key-repository
totp/pre-shared-key-config/key-repository
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/totp/pre-shared-key-config/key-repository
Parameters:data-source

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

A reference to a data source

Option: ping-idp-adapter

Ping-idp-adapter

ping-idp-adapter
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/ping-idp-adapter

Parameters:
  • idp-application-url

    uri

    (mandatory)

    The URL to the IdP Adapter

  • password

    string

    (mandatory)

    The password to use for basic authentication against the dropoff endpoint

  • username

    string

    (mandatory)

    The username to use for basic authentication against the dropoff endpoint

Option: dynamic

Dynamic

dynamic
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/dynamic
Parameters:delegate-implementation-type

union

(mandatory)

Implementation type of target delegate authenticator plugin.

Choice: configuration-source
Option: configuration-bucket
Configuration-bucket
dynamic/configuration-bucket
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/dynamic/configuration-bucket
Parameters:data-source

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

A reference to a data source

Option: configuration-web-service
Configuration-web-service
dynamic/configuration-web-service
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/dynamic/configuration-web-service

Parameters:
  • hostname

    host

    (mandatory)

    Sets the hostname or IP address of the web service, e.g. ‘localhost’ or ‘127.0.0.1’

  • port

    port-number

    (default: 80)

    Sets the port of the web service, e.g. 80 or 443.

  • context

    string

    (default: /)

    Sets the main context of the web service, e.g. ‘/scim’.

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    A reference to the Http Client

Shared-delegate-authenticator-settings
dynamic/shared-delegate-authenticator-settings

Optional settings that are provided to the delegate authenticator

Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/authenticator{id}/dynamic/shared-delegate-authenticator-settings
Parameters:keystore-password

string

(optional)

The password used to decrypt a configured (private) keystore.

Backchannel-authenticator

backchannel-authenticator (keys: ['id'])
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/backchannel-authenticator{id}

Parameters:
  • id

    non-empty-string

    (mandatory)

  • description

    string

    (optional)

    A readable description of the Authenticator, for User presentation, can be a locale key

  • authentication-context-class-reference

    non-empty-string

    (optional)

    The Authentication Context Class Reference (ACR) for this authenticator. If not set, the value of the referenced front-channel authenticator is used, or one is derived from the authenticator’s type and id.

Authentication-actions

authentication-actions
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/backchannel-authenticator{id}/authentication-actions
Parameters:authentication-action

leafref ../../../../authentication-actions/authentication-action/id

(multi-value) (optional)

An ordered list of actions that will run after authentication is complete. They can work on the attributes (including subject) that the authenticator has returned, and shape these to match the desired pattern/format, and can reject the authentication if necessary

Choice: backchannel-authenticator-type

Option: bankid-backchannel

Bankid-backchannel

bankid-backchannel
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/backchannel-authenticator{id}/bankid-backchannel

Parameters:
  • frontchannel-authenticator

    leafref ../../../auth:authenticator/auth:id

    (mandatory)

    The ID of the frontchannel authenticator linked to this backchannel authenticator

  • sign-binding-message

    boolean

    (default: true)

    This setting is only applicable when a binding message is provided and the front-channel BankID authenticator is using the version 6 API. When a binding message is provided, it ensures that the BankID sign API is used for signing the binding message.

Option: sms-backchannel

Sms-backchannel

sms-backchannel
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/backchannel-authenticator{id}/sms-backchannel
Parameters:frontchannel-authenticator

leafref ../../../auth:authenticator/auth:id

(mandatory)

The ID of the frontchannel authenticator linked to this backchannel authenticator

Option: email-backchannel

Email-backchannel

email-backchannel
Path :/profiles/profile{id, type}/settings/authentication-service/authenticators/backchannel-authenticator{id}/email-backchannel
Parameters:frontchannel-authenticator

leafref ../../../auth:authenticator/auth:id

(mandatory)

The ID of the frontchannel authenticator linked to this backchannel authenticator

Option: bankid-phone

Bankid-phone

bankid-phone
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/backchannel-authenticator{id}/bankid-phone

Parameters:
  • add-extended-bankid-attributes

    boolean

    (default: false)

  • call-initiator

    enumeration user, rp

    (default: user)

    A value that describes who initiated the call. This is used by the BankID app to show information for how the user should proceed.

  • mode

    enumeration test, production

    (default: test)

  • type-of-card-reader

    enumeration with-keypad, any

    (optional)

  • user-message

    string

    (optional)

    A message to show to the user in the app. The value may be a message-key, or the actual message. The message may be overridden by the client sending a binding message in the authentication request.

Http-client
bankid-phone/http-client
Path :

/profiles/profile{id, type}/settings/authentication-service/authenticators/backchannel-authenticator{id}/bankid-phone/http-client

Parameters:
  • id

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    A reference to the Http Client

  • allowed-bankid-types

    enumeration bankid-on-file, bankid-on-smartcard, mobile-bankid, nordea-e-id-on-file-and-on-smartcard, any

    (multi-value) (optional)

Service-provider

service-provider (keys: ['id'])

Service providers are usually applications or relying parties. They depend on the identity server for authentication

Path :

/profiles/profile{id, type}/settings/authentication-service/service-providers/service-provider{id}

Parameters:
  • id

    string

    (mandatory)

  • template-area

    non-empty-string

    (optional)

    Optional override for the template area. This is used when listing multiple authenticators: if many are possible to use, it is sometimes needed to brand the selection page per application.

  • default-authenticator

    leafref ../../../authenticators/authenticator/id

    (optional)

    When a list needs to be shown, this is marked as default

  • context-info

    string

    (optional)

  • application-url

    uri

    (optional)

    This URL is used if a request is made to the authentication service without the parameters necessary to initiate an authentication transaction. In such a case, the user is redirected to this URL, so that a new, properly formed, request can be made to bootstrap a new authentication transaction.

  • target-url

    uri

    (mandatory)

    This URL is used to redirect the user to the application after a successful login has taken place

  • allowed-authenticators

    leafref ../../../authenticators/authenticator/id

    (multi-value) (optional)

    This is a list that marks which authenticators should be used for the particular service

  • authenticator-filters

    leafref ../../../authenticator-filters/authenticator-filter/id

    (multi-value) (optional)

  • required-claim

    string

    (multi-value) (optional)

  • allowed-origins

    non-empty-string

    (multi-value) (optional)

    The optional list of URIs or URI-patterns that are allowed to embed the rendered pages inside an iframe or be a trusted source.

Protocol

protocol (keys: ['id'])

Configuration details of the protocols that can be used to connect the authentication service to other services.

Path :/profiles/profile{id, type}/settings/authentication-service/protocols/protocol{id}
Parameters:id

string

(mandatory)

Choice: protocol-type

Simple-api

simple-api

A Protocol plugin using the Simple API Protocol. Required if this authentication profile is used by a token service profile

Path :/profiles/profile{id, type}/settings/authentication-service/protocols/protocol{id}/simple-api

Ping-federate

ping-federate

A Protocol plugin using Pingfederate’s agentless adapter integration method

Path :

/profiles/profile{id, type}/settings/authentication-service/protocols/protocol{id}/ping-federate

Parameters:
  • dropoff-url

    uri

    (mandatory)

  • dropoff-username

    string

    (mandatory)

  • dropoff-password

    string

    (mandatory)

  • idp-adapter-id

    string

    (mandatory)

  • server-base-url

    uri

    (mandatory)

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

  • application-url

    uri

    (optional)

    This URL is used if a request is made to the authentication service without the parameters necessary to initiate an authentication transaction. In such a case, the user is redirected to this URL, so that a new, properly formed, request can be made to bootstrap a new authentication transaction. When integrating to PingFederate, this could happen, for example, if the user arrives at the authentication service via PingFederate, book marks the page, and later follows their new bookmark. In this case, the user would not see an error page, but instead be redirected to this URL.

  • allowed-origins

    non-empty-string

    (multi-value) (optional)

    When PingFederate is requesting authentication directly, this optional list of URIs or URI-patterns defines which origins are allowed to frame pages in, i.e. this list decides how and which allowed-frame response headers are sent. If none are configured, framing is not allowed for this protocol. Note that when PingFederate includes a client_id, the ServiceProvider’s framing settings are used!

Saml

saml

A SAML Protocol plugin for integration with services like ADFS and other SAML providers

Path :

/profiles/profile{id, type}/settings/authentication-service/protocols/protocol{id}/saml

Parameters:
  • signing-key

    leafref /base:facilities/base:crypto/base:signing-keys/base:signing-key/base:id

    (mandatory)

    Reference to the key that is used to sign the login token

  • recipient-entity-id

    string

    (mandatory)

    The recipient or audience of the SAML response messages and assertions

  • acs-url

    uri

    (mandatory)

    The Assertion Consumer Service (ACS) URL where SAML Response messages are posted to

  • saml-federation-service-type

    enumeration generic, adfs

    (default: generic)

    The type of Federation Service that will receive the login token

  • saml-clock-skew

    uint32

    (default: 60)

    The number of seconds allowed for clock skew (subtracted from or added to the issuance timestamp, considering saml-message-time-to-live) that is used to compute the time before or after which a token must not be used

  • saml-assertion-time-to-live

    uint32

    (default: 300)

    The number of seconds that SAML assertions are valid.

  • include-session-index-in-response

    boolean

    (default: false)

    Include SessionIndex in AuthnStatement of the SAML response.

  • logout-service-url

    uri

    (optional)

    The URL to send logout responses to. If empty, the ACS URL will be used.

  • sign-assertions

    boolean

    (default: false)

    Sign the assertion in addition to the response.

  • saml-message-time-to-live

    uint32

    (default: 300)

    The number of seconds after issuance that a SAML message is considered to be valid.

Authenticator-filter

authenticator-filter (keys: ['id'])

Authenticator filter configuration. Authenticator filters are used to filter out authenticators depending on runtime information such as the request’s user-agent, for example.

Path :/profiles/profile{id, type}/settings/authentication-service/authenticator-filters/authenticator-filter{id}
Parameters:id

string

(mandatory)

Choice: filter-type

Option: cidr

Cidr

cidr

CIDR Authenticator Filter

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticator-filters/authenticator-filter{id}/cidr

Parameters:
  • filter-cidr

    non-empty-string

    (mandatory)

    The CIDR specifying the IP addresses and routing prefixes for which this filter should be applied.

  • apply-filter-when-match

    boolean

    (default: true)

    Apply the exclusions when the CIDR matches the IP. If this is set to false, then the exclusions are applied when the CIDR fails to match. A common use-case for setting this to false would be to remove certain authenticators when the client is not on the internal network.

Exclusions
cidr/exclusions

List of authenticators to exclude.

Path :/profiles/profile{id, type}/settings/authentication-service/authenticator-filters/authenticator-filter{id}/cidr/exclusions
Parameters:authenticator

leafref ../../../../../auth:authenticators/auth:authenticator/auth:id

(multi-value) (optional)

Option: geo-country

Geo-country

geo-country

Geolocation Country Authenticator Filter

Path :

/profiles/profile{id, type}/settings/authentication-service/authenticator-filters/authenticator-filter{id}/geo-country

Parameters:
  • apply-filter-when-match

    boolean

    (default: true)

    Apply the exclusions when the country the request comes from matches any in the list. If this is set to false, then the exclusions are applied when the country fails to match. A common use-case for setting this to false would be to remove certain authenticators when the request comes from a country that is not in the list.

  • filter-countries

    non-empty-string

    (multi-value) (optional)

    The list of countries (ISO-3166 code) that are allowed or denied to use the authenticators.

Exclusions
geo-country/exclusions

List of authenticators to exclude.

Path :/profiles/profile{id, type}/settings/authentication-service/authenticator-filters/authenticator-filter{id}/geo-country/exclusions
Parameters:authenticator

leafref ../../../../../auth:authenticators/auth:authenticator/auth:id

(multi-value) (optional)

Option: user-agent

User-agent

user-agent

User-Agent Authenticator Filter

Path :/profiles/profile{id, type}/settings/authentication-service/authenticator-filters/authenticator-filter{id}/user-agent
Parameters:user-agent-regex

non-empty-string

(mandatory)

This filter is applied only if the request’s User-Agent matches this regex.

Exclusions
user-agent/exclusions

List of authenticators to exclude.

Path :/profiles/profile{id, type}/settings/authentication-service/authenticator-filters/authenticator-filter{id}/user-agent/exclusions
Parameters:authenticator

leafref ../../../../../auth:authenticators/auth:authenticator/auth:id

(multi-value) (optional)
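The cidr, geo-country and user-agent filters above share one evaluation rule: when the filter applies to a request, the authenticators in its exclusions list are removed from the ones offered to the user; for cidr and geo-country, apply-filter-when-match decides whether a match or a non-match triggers the exclusions. The following Python is an added example, not Curity’s own code: the dict layout of the filter definitions, the request fields (ip, country, user_agent) and all sample values are assumptions constructed to mirror the parameters documented here.

```python
"""Evaluate authenticator filters with the apply-filter-when-match semantics
documented above.  Added example; the configuration shape is an assumption."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample configuration (not from the documentation): one filter
# per filter-type, each mirroring the documented parameters.
SAMPLE_FILTERS: List[Dict] = [
    {
        "id": "saml-internal-only",
        "cidr": {
            "filter-cidr": "10.0.0.0/8",
            # false: exclude when the client is NOT on the internal network
            "apply-filter-when-match": False,
            "exclusions": ["corp-saml"],
        },
    },
    {
        "id": "sms-nordics-only",
        "geo-country": {
            "filter-countries": ["SE", "NO"],
            "apply-filter-when-match": False,
            "exclusions": ["sms"],
        },
    },
    {
        "id": "no-webauthn-on-legacy-browsers",
        "user-agent": {
            "user-agent-regex": r"MSIE [5-9]\.",
            "exclusions": ["webauthn"],
        },
    },
]


def _cidr_matches(ip: str, cidr: str) -> bool:
    """True when ip lies inside cidr.  A bare address is accepted as a /32 or /128;
    an unparsable address never matches (assumption for this example)."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def filter_applies(filter_cfg: Dict, request: Dict) -> bool:
    """Decide whether a single authenticator-filter's exclusions apply to request."""
    if "cidr" in filter_cfg:
        cfg = filter_cfg["cidr"]
        matched = _cidr_matches(request.get("ip", ""), cfg["filter-cidr"])
        # apply on match when true (the default), on non-match when false
        return matched == cfg.get("apply-filter-when-match", True)
    if "geo-country" in filter_cfg:
        cfg = filter_cfg["geo-country"]
        allowed = {c.upper() for c in cfg.get("filter-countries", [])}
        matched = request.get("country", "").upper() in allowed
        return matched == cfg.get("apply-filter-when-match", True)
    if "user-agent" in filter_cfg:
        cfg = filter_cfg["user-agent"]
        # the user-agent filter has no apply-filter-when-match: it is applied
        # only when the User-Agent matches the regex
        return re.search(cfg["user-agent-regex"], request.get("user_agent", "")) is not None
    raise ValueError(f"unknown filter-type in filter {filter_cfg.get('id')!r}")


def available_authenticators(authenticators: List[str], filters: List[Dict],
                             request: Dict) -> List[str]:
    """Return the authenticators that remain after every applicable filter has
    removed its exclusions."""
    excluded = set()
    for f in filters:
        if filter_applies(f, request):
            body = next(v for k, v in f.items() if k != "id")
            excluded.update(body.get("exclusions", []))
    return [a for a in authenticators if a not in excluded]


if __name__ == "__main__":
    auths = ["corp-saml", "sms", "webauthn", "htmlform"]
    external_legacy = {"ip": "203.0.113.5", "country": "US",
                       "user_agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"}
    print(available_authenticators(auths, SAMPLE_FILTERS, external_legacy))
```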

Option: script-filter

Script-filter

script-filter

Script Authenticator Filter

Path :/profiles/profile{id, type}/settings/authentication-service/authenticator-filters/authenticator-filter{id}/script-filter
Parameters:authenticator-filter-procedure

leafref /base:processing/base:procedures/base:filter-procedure/base:id

(mandatory)

A reference to an existing authenticator-filter-procedure.

User-management-service

settings/user-management-service
Path :

/profiles/profile{id, type}/settings/user-management-service

Parameters:
  • authorization-manager

    leafref /base:processing/base:authorization-managers/base:authorization-manager/base:id

    (optional)

    The authorization manager to authorize access to the REST API

  • allow-username-updates

    boolean

    (default: false)

    Allows updating the username of an existing account. When set to true, usernames can be updated in the account manager. When a credential manager is configured, it is also updated with the new username, keeping both data sources in sync. When set to false, username updates are rejected.

  • token-data-source

    leafref /base:facilities/base:data-sources/base:data-source/base:id

    (optional)

    Data source where delegations are stored

  • max-returned-search-results

    uint32

    (default: 500)

    The max number of results to return in a single search response. Set to 0 to allow unlimited number of results.

  • include-dynamic-clients-in-graph-QL-account-response

    boolean

    (default: false)

    Enable dynamic clients to be included in the account response in GraphQL.

Api-authentication

settings/user-management-service/api-authentication
Path :

/profiles/profile{id, type}/settings/user-management-service/api-authentication

Parameters:
  • realm

    non-empty-string

    (optional)

    The realm to use when reporting an unauthenticated request in an HTTP response. When no value is configured, the id of the user-management profile is used as the realm.

  • oauth-service

    leafref /base:profiles/base:profile/base:id

    (mandatory)

    The OAuth profile that is used to provide application access to the user-management endpoints.

Choice: user-data-store

Option: data-sources

param user-account-data-source:

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

Data source to be used for user accounts.

param devices-data-source:

leafref /base:facilities/base:data-sources/base:data-source/base:id

(optional)

Data source to be used for devices.

Option: account-manager

param account-manager:

leafref /base:processing/base:account-managers/base:account-manager/base:id

(mandatory)

The account manager with the accounts managed by this profile

Attribute-data-sources

settings/user-management-service/attribute-data-sources{id} (keys ['id'])
Path :

/profiles/profile{id, type}/settings/user-management-service/attribute-data-sources{id}

Parameters:
  • id

    non-empty-string

    (mandatory)

  • data-source

    leafref /base:facilities/base:data-sources/base:data-source/base:id

    (mandatory)

  • resource-type

    non-empty-string

    (mandatory)

    The resourceType provided by this data-source. The concept of a resource-type is borrowed from the SCIM specification (see https://tools.ietf.org/html/rfc7643#section-6) and refers to the name of the resource (e.g. Group). Currently, resource-types are not mapped to SCIM endpoints, and the resources they refer to may only be retrieved via the Users endpoint.

  • namespace

    non-empty-string

    (optional)

    The namespace associated with the resources provided by this data-source. If not specified, the following value will be used: urn:se.curity:scim:2.0:resourceType (where resourceType is the configured resourceType value).

Credential-management

settings/user-management-service/credential-management
Path :

/profiles/profile{id, type}/settings/user-management-service/credential-management

Parameters:
  • credential-manager

    leafref /base:processing/base:credential-managers/base:credential-manager/base:id

    (mandatory)

    The credential manager to use for password updates. Notice that if a password is provided during account creation, a credential manager is required. If no credential manager is configured and a client tries to update a password, an error will occur.

  • password-validation-procedure

    leafref /base:processing/base:procedures/base:validation-procedure/base:id

    (optional)

    The validation-procedure to use to validate user passwords on updates.

Graphql-schema

settings/user-management-service/graphql-schema
Path :/profiles/profile{id, type}/settings/user-management-service/graphql-schema

Additional-account-attribute

settings/user-management-service/graphql-schema/additional-account-attribute{name} (keys ['name'])
Path :

/profiles/profile{id, type}/settings/user-management-service/graphql-schema/additional-account-attribute{name}

Parameters:
  • name

    string

    (mandatory)

    Name of a custom attribute

  • type

    enumeration String, Boolean, Long, Object

    (optional)

    Data type of a custom attribute

Authorization-server

authorization-server

The Authorization Server is a full OAuth 2.0 server with OpenID Connect support. It can issue tokens using the token issuer subsystem together with Token Procedures

Path :

/profiles/profile{id, type}/settings/authorization-server

Parameters:
  • reuse-refresh-tokens

    boolean

    (default: false)

    Defines whether a new refresh token is created on every refresh or whether the existing one is kept.

  • revoke-delegation-for-public-clients-reusing-refresh-token

    boolean

    (default: true)

    Revoke the delegation when a public client attempts to reuse a refresh token.

  • issuer-override

    string

    (optional)

    Override the issuer for tokens issued by this authorization server. Setting this value instead of using the derived issuer value can break the standard discovery specification and should therefore only be used in exceptional circumstances, i.e. for backwards compatibility or to integrate with existing environments where the derived issuer cannot be used.

  • authorization-manager

    leafref /base:processing/base:authorization-managers/base:authorization-manager/base:id

    (optional)

  • account-manager

    leafref /base:processing/base:account-managers/base:account-manager/base:id

    (optional)

    The (default) account manager to use for user attribute lookups

  • privacy-policy-url

    uri

    (optional)

    An absolute URL that refers to the privacy policy of the Authorization Server

  • terms-of-service-url

    uri

    (optional)

    An absolute URL that refers to the terms of service that users must accept when using any client configured in the profile

  • developer-documentation-url

    uri

    (optional)

    The published URL of the documentation that describes to developers how to use the service

  • require-secured-authorization-response

    empty

    (optional)

    If set, then all authorization responses need to be protected according to the ‘JWT Secured Authorization Response Mode for OAuth 2.0’ (JARM) specification

Database-client

database-client

Enables the Database Clients feature.

Path :/profiles/profile{id, type}/settings/authorization-server/database-client
Parameters:client-data-source

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

Reference to data source that can store OAuth clients.

Client-tags

database-client/client-tags

Tags that may be used by Database Clients for classification purposes.

Path :/profiles/profile{id, type}/settings/authorization-server/database-client/client-tags
Client-tag
database-client/client-tags/client-tag{tag} (keys ['tag'])
Path :

/profiles/profile{id, type}/settings/authorization-server/database-client/client-tags/client-tag{tag}

Parameters:
  • tag

    non-empty-string

    (mandatory)

    The name of the tag

  • description

    string

    (default: )

    Description of the tag

Client-authentication

client-authentication

The methods by which an OAuth client may be authenticated

Path :

/profiles/profile{id, type}/settings/authorization-server/client-authentication

Parameters:
  • basic-and-form-post

    boolean

    (default: true)

    Basic authentication and form post. This is enabled by default.

  • no-authentication

    boolean

    (default: false)

    Allow a client to not authenticate to the token endpoint. Selecting this authentication method for a client makes it a public client, as defined by OAuth.

Asymmetrically-signed-jwt

client-authentication/asymmetrically-signed-jwt

Allowed asymmetric signing algorithms for JWTs

Path :/profiles/profile{id, type}/settings/authorization-server/client-authentication/asymmetrically-signed-jwt
Parameters:signature-algorithm

enumeration RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, EdDSA

(multi-value) (optional)

The signature algorithms to allow

Symmetrically-signed-jwt

client-authentication/symmetrically-signed-jwt

Allowed symmetric signing algorithms for JWTs

Path :/profiles/profile{id, type}/settings/authorization-server/client-authentication/symmetrically-signed-jwt
Parameters:signature-algorithm

enumeration HS256, HS384, HS512

(multi-value) (optional)

The signature algorithms to allow

Using-jwt

client-authentication/using-jwt

Settings for introspection of client-signed JWTs. These should not normally need to be changed from the defaults.

Path :

/profiles/profile{id, type}/settings/authorization-server/client-authentication/using-jwt

Parameters:
  • enforce-unique-jti-values

    empty

    (optional)

    Whether the ‘jti’ (JWT ID) claim should be checked for uniqueness in provided client assertion JWTs

  • clock-skew

    uint32

    (default: 10)

    The number of seconds that token lifetimes and issue times should be skewed to accommodate for clocks that may be out of sync

Mutual-tls

client-authentication/mutual-tls

Configure settings to allow client authentication using mutual TLS

Path :/profiles/profile{id, type}/settings/authorization-server/client-authentication/mutual-tls
By-proxy
client-authentication/mutual-tls/by-proxy

Allow mutual TLS to be terminated in a proxy instead of directly within the identity server

Path :

/profiles/profile{id, type}/settings/authorization-server/client-authentication/mutual-tls/by-proxy

Parameters:
  • userid

    string

    (optional)

    User ID credential that the proxy uses to authenticate using HTTP Basic authentication through a Proxy-Authorization header.

  • password

    non-empty-string

    (optional)

    Password credential that the proxy uses to authenticate using HTTP Basic authentication through a Proxy-Authorization header.

  • client-certificate-http-header

    non-empty-string

    (mandatory)

    Name of the HTTP header that the proxy uses to include the PEM- or base64-encoded DER representation of the client certificate in the forwarded request. Must be set for mutual-tls by-proxy to work.

Request-object

request-object

The settings for allowing a request to be provided through a by-value or by-reference request object. By-value request objects are passed using the ‘request’ parameter whereas by-reference ones are provided in the ‘request-uri’ parameter. When enabled, a client can be required to provide a request object JWT. Additional restrictions per the relevant specifications are applied when used at the CIBA and PAR endpoints.

Path :

/profiles/profile{id, type}/settings/authorization-server/request-object

Parameters:
  • maximum-lifetime

    int16

    (optional)

    The maximum number of minutes (from the ‘nbf’ claim to the ‘exp’ claim) that a request object should be valid for

  • require-parameters-as-claims

    boolean

    (optional)

    DEPRECATED: If enabled, all authorization request parameters must be inside the request object, as claims, with the exception of request and request_uri. If a parameter is also present in the query string or form then it needs to have the same value as the claim inside the request object.

  • request-object-parameter-handling

    enumeration merge-outside-parameters-preferring-inside, ignore-outside-parameters, error-if-outside-parameters, must-be-inside-and-match-if-outside

    (optional)

    How claims in request objects and (form or query string) parameters are combined

Encrypted-jwt

request-object/encrypted-jwt

The request object JWT must be encrypted and signed

Path :

/profiles/profile{id, type}/settings/authorization-server/request-object/encrypted-jwt

Parameters:
  • front-channel-only

    boolean

    (default: false)

    Whether encrypted request objects should only be required for front-channel requests to the authorization endpoint. When enabled, request objects must be encrypted for front-channel requests, and may or may not be encrypted for back-channel requests. When disabled, request objects must always be encrypted.

  • decryption-key

    leafref /base:facilities/base:crypto/base:decryption-keys/base:decryption-key/base:id

    (mandatory)

    A reference to a Decryption Keystore with a key

  • include-x5t-in-jwks

    boolean

    (default: true)

    Indicate whether to include the certificate thumbprint (‘x5t’) in the JWKS endpoint

  • include-x5c-in-jwks

    boolean

    (default: false)

    Indicate whether to include the certificate (‘x5c’) in the JWKS endpoint

  • allowed-algorithms

    allowed-key-management-algorithms RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW

    (multi-value) (optional)

    Key Management Algorithm - the algorithm used to obtain the Content Encryption Key, and present in the ‘alg’ JWE header. If empty, any supported algorithm is allowed.

  • allowed-content-encryption-algorithms

    allowed-content-encryption-algorithms A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM

    (multi-value) (optional)

    Content Encryption Algorithm - the algorithm used to obtain the content, and present in the ‘enc’ JWE header. If empty, any supported algorithm is allowed.

Asymmetrically-signed-jwt

request-object/asymmetrically-signed-jwt

Allowed asymmetric signing algorithms for request object JWTs

Path :

/profiles/profile{id, type}/settings/authorization-server/request-object/asymmetrically-signed-jwt

Parameters:
  • signature-algorithm

    enumeration RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, EdDSA, none

    (multi-value) (optional)

    The signature algorithms to allow

  • required-claim

    non-empty-string

    (multi-value) (optional)

    The list of claims that must be inside the request object.

Authentication-service

authentication-service
Path :

/profiles/profile{id, type}/settings/authorization-server/authentication-service

Parameters:
  • authentication-profile

    leafref /base:profiles/base:profile/base:id

    (optional)

  • clock-skew

    uint32

    (default: 3)

    The number of seconds that token lifetimes and issue times should be skewed to accommodate for clocks that may be out of sync

Client-capabilities

client-capabilities

This section defines what a client may do when communicating with the OAuth server

Path :/profiles/profile{id, type}/settings/authorization-server/client-capabilities

Code

client-capabilities/code
Path :

/profiles/profile{id, type}/settings/authorization-server/client-capabilities/code

Parameters:
  • authorization-code-ttl

    token-time-to-live

    (default: 30)

    The number of seconds an authorization code will be valid

  • allow-per-request-redirect-uris

    empty

    (optional)

    When enabled, all clients can enable per-request redirect-uris when using pushed authorization requests. This option cannot be used together with redirect-uri-validation-policies: in order to use redirect-uri-validation-policies, allow-per-request-redirect-uris must be disabled. This setting is deprecated in favour of redirect-uri-validation-policies.

  • disallowed-proof-key-challenge-methods

    enumeration plain, S256

    (multi-value) (optional)

    A list of proof key challenge methods the clients aren’t allowed to use. Useful when one of the methods provided by the server is deemed insecure. This setting affects all the clients. Clients can have additional methods disallowed in their settings.

Require-pushed-authorization-requests
client-capabilities/code/require-pushed-authorization-requests

Require all clients in this profile to use pushed authorization requests to initiate the code flow.

Path :/profiles/profile{id, type}/settings/authorization-server/client-capabilities/code/require-pushed-authorization-requests

Implicit

client-capabilities/implicit
Path :/profiles/profile{id, type}/settings/authorization-server/client-capabilities/implicit

Resource-owner-password-credentials

client-capabilities/resource-owner-password-credentials
Path :/profiles/profile{id, type}/settings/authorization-server/client-capabilities/resource-owner-password-credentials
Parameters:credential-manager

leafref /base:processing/base:credential-managers/base:credential-manager/base:id

(optional)

The credential manager to use when authenticating the user using Resource Owner Password Credentials

Client-credentials

client-capabilities/client-credentials
Path :/profiles/profile{id, type}/settings/authorization-server/client-capabilities/client-credentials

Introspection

client-capabilities/introspection
Path :/profiles/profile{id, type}/settings/authorization-server/client-capabilities/introspection

Token-exchange

client-capabilities/token-exchange
Path :/profiles/profile{id, type}/settings/authorization-server/client-capabilities/token-exchange

Oauth-token-exchange

client-capabilities/oauth-token-exchange
Path :/profiles/profile{id, type}/settings/authorization-server/client-capabilities/oauth-token-exchange

Assisted-token

client-capabilities/assisted-token
Path :

/profiles/profile{id, type}/settings/authorization-server/client-capabilities/assisted-token

Parameters:
  • store-token-in-cookie

    boolean

    (default: true)

    When set, the issued token is stored in a secure cookie in the user-agent, and is thereafter re-issued on subsequent requests

  • token-cookie-name

    non-empty-string

    (optional)

    When set, the token storage cookie name is prefixed with the defined value. The cookie name will always be collision-free across profiles and clients. This value will be URL-encoded to enforce a valid cookie name.

Backchannel-authentication

client-capabilities/backchannel-authentication
Path :

/profiles/profile{id, type}/settings/authorization-server/client-capabilities/backchannel-authentication

Parameters:
  • request-ttl

    uint32

    (default: 900)

    The number of seconds the backchannel authentication requests will be valid

  • must-sign-request-object

    empty

    (optional)

    Enables mandatory signed request object in backchannel authentication request

  • binding-message-max-length

    uint32

    (default: 10000)

    The maximum length allowed for binding_message.

Device-authorization

client-capabilities/device-authorization
Path :

/profiles/profile{id, type}/settings/authorization-server/client-capabilities/device-authorization

Parameters:
  • polling-interval

    uint32

    (default: 30)

    The interval, in seconds, between polling attempts by clients

  • user-device-code-ttl

    uint32

    (default: 300)

    The number of seconds an issued user and device code will be valid

  • generate-qr-code

    boolean

    (default: false)

    When enabled, a QR-code is generated and returned with a user and device code

  • alias

    uri

    (optional)

    When set, the alias will be used as the verification-url where the user should go to verify their user code. If not set, the verification-url is derived from the profile’s base-url settings.

Assertion

client-capabilities/assertion

Allow client to use the assertion grant on the token endpoint.

Path :/profiles/profile{id, type}/settings/authorization-server/client-capabilities/assertion
Parameters:clock-skew

uint32

(default: 10)

The number of seconds that token lifetimes and issue times should be skewed to accommodate for clocks that may be out of sync

Asymmetrically-signed-jwt
client-capabilities/assertion/asymmetrically-signed-jwt

Allowed asymmetric signing algorithms for JWT assertions

Path :/profiles/profile{id, type}/settings/authorization-server/client-capabilities/assertion/asymmetrically-signed-jwt
Parameters:signature-algorithm

enumeration RS256, RS384, RS512, PS256, PS384, PS512

(multi-value) (optional)

The signature algorithms to allow

Symmetrically-signed-jwt
client-capabilities/assertion/symmetrically-signed-jwt

Allowed symmetric signing algorithms for JWT assertions

Path :/profiles/profile{id, type}/settings/authorization-server/client-capabilities/assertion/symmetrically-signed-jwt
Parameters:signature-algorithm

enumeration HS256, HS384, HS512

(multi-value) (optional)

The signature algorithms to allow

Scopes

scopes
Path :

/profiles/profile{id, type}/settings/authorization-server/scopes

Parameters:
  • min-access-token-lifetime

    uint32

    (default: 60)

    The shortest time an access token will be valid for

  • default-scope-description

    string

    (optional)

    The default scope (the empty scope) is described with this description

Scope

scopes/scope{id} (keys ['id'])
Path :

/profiles/profile{id, type}/settings/authorization-server/scopes/scope{id}

Parameters:
  • id

    scope

    (mandatory)

  • is-prefix

    boolean

    (default: false)

    Whether this is a prefix scope. Prefix scopes allow clients to use dynamic scopes that start with a prefix, but may have any value after that.

  • description

    string

    (optional)

  • time-to-live

    uint32

    (optional)

    The number of seconds a scope will be valid

  • required

    boolean

    (default: false)

    Whether the scope is required in the request (but not necessarily granted) when it is configured for any client in the profile, or during registration of a non-templatized dynamic client when all scopes, or this scope in particular, may be registered by dynamic clients.

  • expose-in-metadata

    boolean

    (default: true)

    Expose this scope as part of the published metadata.

  • claims

    leafref ../../../claims/claim/name

    (multi-value) (optional)

    The claims that are issued when the client is granted this scope of access

Properties
scopes/scope{id}/properties
Path :/profiles/profile{id, type}/settings/authorization-server/scopes/scope{id}/properties
Property
scopes/scope{id}/properties/property{key} (keys ['key'])
Path :

/profiles/profile{id, type}/settings/authorization-server/scopes/scope{id}/properties/property{key}

Parameters:
  • key

    string

    (mandatory)

  • value

    string

    (optional)

  • default-scope-claim

    leafref ../../claims/claim/name

    (multi-value) (optional)

    The claims that are issued for the default scope (empty scope)

Claims

claims
Path :

/profiles/profile{id, type}/settings/authorization-server/claims

Parameters:
  • expose-system-claims-in-metadata

    boolean

    (default: true)

    When this is set to true, all the system claims will be exposed in the metadata.

  • claims-value-provider-timeout

    uint8

    (default: 5)

    Maximum total time allowed for all claims providers to return claims. Depending on the claims provider used and their implementation, it may not be possible to cancel their operation in order to fulfill this timeout.

Claim

claims/claim{name} (keys ['name'])

The list of claims available in the profile

Path :

/profiles/profile{id, type}/settings/authorization-server/claims/claim{name}

Parameters:
  • name

    non-empty-string

    (mandatory)

    The name of the claim

  • description

    string

    (optional)

    A user-friendly description. Can be presented to the user during consent

  • required

    boolean

    (default: false)

    Whether the claim is required in the request (but not necessarily granted) when configured for any client in the profile or during registration of a non-templatized dynamic client.

  • expose-in-metadata

    boolean

    (default: true)

    If this claim should be exposed in the metadata

Choice: value-source
param no-source:

empty

(optional)

The no-source provides no attributes. If selected, a transformation procedure (generator) must be used to establish the claim’s value.

param value-provided-by:

leafref ../../claims-value-provider/id

(optional)

The claims-value-provider that provides the attribute or attributes that establish the value for the claim.

param reference-claim:

leafref ../../claim/name

(optional)

Name of another claim that is the source for the value of this claim.

Composite-claim
claims/claim{name}/composite-claim

Defines one or more other claims that are issued in a container, or can be transformed into a new scalar, list or object value.

Path :/profiles/profile{id, type}/settings/authorization-server/claims/claim{name}/composite-claim
Parameters:reference-claim

leafref ../../../claim/name

(multi-value) (optional)

Name of another claim that is to be included in the composite claim.

Transformation
claims/claim{name}/transformation

A transformation from the raw data to the claim name and value

Path :

/profiles/profile{id, type}/settings/authorization-server/claims/claim{name}/transformation

Parameters:
  • value-transformation-procedure

    script

    (optional)

    A value mapping procedure for this claim.

  • input-attribute-names

    string

    (multi-value) (optional)

    The input attributes to map. In case the claim’s value is provided by a referenced claim, input-attribute-names are implicitly set to be the one name of that referenced claim.

Claims-value-provider

claims/claims-value-provider{id} (keys ['id'])

The claim value sources. These look up attributes based on the given claims

Path :/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}
Parameters:id

non-empty-string

(mandatory)

The name of the claim value provider

Choice: provider-type
Option: data-source-claims-provider
Data-source-claims-provider
claims/claims-value-provider{id}/data-source-claims-provider
Path :/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/data-source-claims-provider
Data-source
claims/claims-value-provider{id}/data-source-claims-provider/data-source
Path :/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/data-source-claims-provider/data-source
Parameters:data-source

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

A reference to a data source

Option: system-information-claims-provider
System-information-claims-provider
claims/claims-value-provider{id}/system-information-claims-provider
Path :/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/system-information-claims-provider
Option: admin-groups-claims-provider
Admin-groups-claims-provider
claims/claims-value-provider{id}/admin-groups-claims-provider
Path :/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/admin-groups-claims-provider
Option: authentication-context-claims-provider
Authentication-context-claims-provider
claims/claims-value-provider{id}/authentication-context-claims-provider
Path :/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/authentication-context-claims-provider
Option: client-certificate-claims-provider
Client-certificate-claims-provider
claims/claims-value-provider{id}/client-certificate-claims-provider
Path :/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/client-certificate-claims-provider
Option: authentication-subject-claims-provider
Authentication-subject-claims-provider
claims/claims-value-provider{id}/authentication-subject-claims-provider
Path :/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/authentication-subject-claims-provider
Option: account-manager-claims-provider
Account-manager-claims-provider
claims/claims-value-provider{id}/account-manager-claims-provider
Path :

/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/account-manager-claims-provider

Parameters:
  • map-account-to-openid-connect-claims

    boolean

    (default: true)

    Whether an account’s attributes should be mapped to OpenID Connect claims

  • resolve-claims-for-inactive-account

    boolean

    (default: false)

    When disabled (the default), the claims provider resolves no claims for an inactive account.

Account-manager
claims/claims-value-provider{id}/account-manager-claims-provider/account-manager
Path :/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/account-manager-claims-provider/account-manager
Parameters:id

leafref /base:processing/base:account-managers/base:account-manager/base:id

(mandatory)

A reference to an Account Manager

Option: script-claims-provider
Script-claims-provider
claims/claims-value-provider{id}/script-claims-provider
Path :/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/script-claims-provider
Parameters:procedure

string

(mandatory)

The id used to identify a procedure

Account-manager
claims/claims-value-provider{id}/script-claims-provider/account-manager
Path :/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/script-claims-provider/account-manager
Parameters:id

leafref /base:processing/base:account-managers/base:account-manager/base:id

(mandatory)

A reference to an Account Manager

Bucket
claims/claims-value-provider{id}/script-claims-provider/bucket
Path :/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/script-claims-provider/bucket
Parameters:data-source

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

A reference to a data source

Data-source
claims/claims-value-provider{id}/script-claims-provider/data-source
Path :/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/script-claims-provider/data-source
Parameters:data-source

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

A reference to a data source

Webservice
claims/claims-value-provider{id}/script-claims-provider/webservice
Path :

/profiles/profile{id, type}/settings/authorization-server/claims/claims-value-provider{id}/script-claims-provider/webservice

Parameters:
  • hostname

    host

    (mandatory)

    Sets the hostname or IP address of the web service, e.g. ‘localhost’ or ‘127.0.0.1’.

  • port

    port-number

    (default: 80)

    Sets the port of the web service, e.g. 80 or 443.

  • context

    string

    (default: /)

    Sets the base context path of the web service, e.g. ‘/scim’.

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    A reference to the Http Client

Claims-mappers

claims/claims-mappers

Defines which token or response each claim is mapped into. A claim that is not mapped by the active mapper is not issued anywhere.

Path :/profiles/profile{id, type}/settings/authorization-server/claims/claims-mappers
Parameters:default-claims-mapper

leafref ../claims-mapper/id

(optional)

The default claims mapper to use when adding claims to tokens if not defined otherwise in the client.

Claims-mapper
claims/claims-mappers/claims-mapper{id} (keys ['id'])
Path :

/profiles/profile{id, type}/settings/authorization-server/claims/claims-mappers/claims-mapper{id}

Parameters:
  • id

    non-empty-string

    (mandatory)

    The name of the mapper

  • description

    string

    (optional)

    A description for the administrator

Access_token
claims/claims-mappers/claims-mapper{id}/access_token

The claims that go into the default access tokens. This will be the result of the getDefaultAccessTokenData() function.

Path :

/profiles/profile{id, type}/settings/authorization-server/claims/claims-mappers/claims-mapper{id}/access_token

Parameters:
  • claim

    leafref ../../../../claim/name

    (multi-value) (optional)

  • system-claim

    system-access-token-claim-name aud, client_id, delegationId, exp, iat, iss, nbf, scope, sub, purpose, cnf, jti, dcrm_client, authorization_details

    (multi-value) (default: aud)

    System claims that are always present on an access token. Not editable.

Id_token
claims/claims-mappers/claims-mapper{id}/id_token

The claims that go into the default id tokens. This will be the result of the getDefaultIdTokenData() function.

Path :

/profiles/profile{id, type}/settings/authorization-server/claims/claims-mappers/claims-mapper{id}/id_token

Parameters:
  • claim

    leafref ../../../../claim/name

    (multi-value) (optional)

  • system-claim

    system-id-token-claim-name iss, sub, aud, exp, iat, auth_time, nonce, acr, amr, azp, nbf, client_id, delegationId, purpose

    (multi-value) (default: iss)

    System claims that are always present on an ID token. Not editable.

Userinfo
claims/claims-mappers/claims-mapper{id}/userinfo

The claims that go into the default user info response. This will be the result of the getDefaultResponseData() function.

Path :

/profiles/profile{id, type}/settings/authorization-server/claims/claims-mappers/claims-mapper{id}/userinfo

Parameters:
  • claim

    leafref ../../../../claim/name

    (multi-value) (optional)

  • system-claim

    system-id-token-claim-name iss, sub, aud, exp, iat, auth_time, nonce, acr, amr, azp, nbf, client_id, delegationId, purpose

    (multi-value) (default: sub)

    System claims that are always present in a userinfo response. Not editable.

Wrapper-token
claims/claims-mappers/claims-mapper{id}/wrapper-token

The claims that go into JWT tokens that wrap opaque tokens. This is used by opaque token issuers that are configured to return a wrapper JWT instead of an opaque reference as the token artifact. Adding a claim here does not include it in the wrapped token’s data available via introspection; the wrapper’s claims and the introspected claims are separate sets.

Path :

/profiles/profile{id, type}/settings/authorization-server/claims/claims-mappers/claims-mapper{id}/wrapper-token

Parameters:
  • claim

    leafref ../../../../claim/name

    (multi-value) (optional)

  • system-claim

    system-wrapper-token-claim-name iss, iat, exp, azp, jti, aud

    (multi-value) (default: iss)

    The claims that always will exist on a wrapper JWT token. Not editable

Custom
claims/claims-mappers/claims-mapper{id}/custom{id} (keys ['id'])

The claims that go into custom tokens. This is what the get-default-data functions return, e.g. getDefaultData(‘idOfCustomTokenMapping’), keyed by the mapping id.

Path :

/profiles/profile{id, type}/settings/authorization-server/claims/claims-mappers/claims-mapper{id}/custom{id}

Parameters:
  • id

    string

    (mandatory)

    The id of the mapping. Used as key to the getDefaultData functions

  • claims-mapper-type

    enumeration access_token, access-token, id_token, id-token, userinfo, user-info, verifiable-credential

    (default: access_token)

  • claim

    leafref ../../../../claim/name

    (multi-value) (optional)

    The list of claims for this mapping

Selective-disclosure
claims/claims-mappers/claims-mapper{id}/selective-disclosure

Defines selective disclosure, that is, which top-level claims and which inner properties should be selectively disclosable.

Path :/profiles/profile{id, type}/settings/authorization-server/claims/claims-mappers/claims-mapper{id}/selective-disclosure
Claim
claims/claims-mappers/claims-mapper{id}/selective-disclosure/claim{name} (keys ['name'])

A claim that should be selectively disclosable.

Path :

/profiles/profile{id, type}/settings/authorization-server/claims/claims-mappers/claims-mapper{id}/selective-disclosure/claim{name}

Parameters:
  • name

    leafref ../../../../../claim/name

    (mandatory)

    The claim name.

  • only-properties

    boolean

    (default: false)

    Only the claim’s properties should be selectively disclosable, not the whole claim.

  • property-path

    non-empty-string

    (multi-value) (optional)

    The path to a nested property that should be selectively disclosable, with each path segment separated by a ‘/’.
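
The following is an added example, not Curity’s own code, modelling the two sections above: a claims mapper that places resolved claims only in the tokens it lists them for (an unmapped claim is dropped), and selective-disclosure entries that turn mapped claims or nested properties into SD-JWT digests with matching disclosures. The SD-JWT encoding (salted disclosure array, SHA-256 digest in an `_sd` array, `_sd_alg`) follows the SD-JWT specification; the dict shapes for the mapper and the selective-disclosure entries, the sample claims, and the rule that a `property-path` entry takes precedence over `only-properties` are assumptions made here.

```python
"""Claims-mapper and selective-disclosure model (added example, not Curity code)."""
import base64
import hashlib
import json
import secrets

TARGETS = ("access_token", "id_token", "userinfo")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def map_claims(mapper: dict, resolved: dict) -> dict:
    """Place each resolved claim only in the targets the mapper lists it for.
    A claim that no target lists is not issued anywhere."""
    return {t: {n: resolved[n] for n in mapper.get(t, []) if n in resolved} for t in TARGETS}


def make_disclosure(name: str, value, salt: str = "") -> tuple:
    """SD-JWT: disclosure = base64url(JSON [salt, name, value]);
    digest = base64url(sha256(ascii(disclosure)))."""
    salt = salt or b64url(secrets.token_bytes(16))
    disclosure = b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())
    return disclosure, b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def _descend(obj, segments):
    for seg in segments:
        obj = obj[seg]
    return obj


def apply_selective_disclosure(payload: dict, entries: list) -> tuple:
    """Replace disclosable claims/properties in a token payload with digests.
    entries: [{"name": ..., "only_properties": bool, "property_path": ["a/b", ...]}]
    (assumed shape; property_path wins over only_properties when both are set)."""
    payload = json.loads(json.dumps(payload))  # deep copy; never mutate the mapper output
    disclosures = []
    for entry in entries:
        name = entry["name"]
        if name not in payload:
            continue  # claim not mapped into this token, so there is nothing to disclose
        paths = [p.split("/") for p in entry.get("property_path", [])]
        if not paths and entry.get("only_properties"):
            paths = [[k] for k in payload[name]]  # every direct property, not the whole claim
        holders = [(payload, name)] if not paths else [
            (_descend(payload[name], p[:-1]), p[-1]) for p in paths]
        for container, key in holders:
            disclosure, digest = make_disclosure(key, container.pop(key))
            container.setdefault("_sd", []).append(digest)
            container["_sd"].sort()  # digest order must carry no information
            disclosures.append(disclosure)
    payload["_sd_alg"] = "sha-256"
    return payload, disclosures


def reveal(payload: dict, disclosures: list) -> dict:
    """Verifier side: re-insert only disclosures whose digest is in the token.
    A disclosure that matches no digest is a forgery and is rejected outright."""
    payload = json.loads(json.dumps(payload))
    pending = {}
    for d in disclosures:
        _salt, name, value = json.loads(b64url_decode(d))
        pending[b64url(hashlib.sha256(d.encode("ascii")).digest())] = (name, value)

    def walk(obj):
        if isinstance(obj, dict):
            for digest in obj.pop("_sd", []):
                if digest in pending:
                    name, value = pending.pop(digest)
                    obj[name] = value
            for child in list(obj.values()):
                walk(child)

    walk(payload)
    if pending:
        raise ValueError("disclosure does not match any _sd digest in the token")
    payload.pop("_sd_alg", None)
    return payload


# Constructed sample mapper, selective-disclosure entries and resolved claims.
EXAMPLE_MAPPER = {"access_token": ["roles"], "id_token": ["email", "address"],
                  "userinfo": ["email", "address", "phone"]}
EXAMPLE_SD = [{"name": "email"},
              {"name": "address", "only_properties": True, "property_path": ["geo/lat"]}]
EXAMPLE_CLAIMS = {"email": "ann@example.com", "phone": "+46700000000", "roles": ["admin"],
                  "address": {"street": "1 Main St", "geo": {"lat": 59.33, "lon": 18.07}}}


def demo():
    mapped = map_claims(EXAMPLE_MAPPER, EXAMPLE_CLAIMS)
    sd_payload, disclosures = apply_selective_disclosure(mapped["id_token"], EXAMPLE_SD)
    return mapped, sd_payload, disclosures, reveal(sd_payload, disclosures)
```

Running `demo()` shows `phone` in the userinfo response but not in the ID token, `email` replaced by a digest under `_sd`, and `address.geo.lat` replaced by a digest inside `geo` while `lon` stays in clear. `reveal` accepts any subset of the disclosures (a holder presents only what it wants to reveal) and rejects a disclosure whose digest the token never committed to.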

Expose-metadata

expose-metadata

OAuth metadata endpoint configuration

Path :

/profiles/profile{id, type}/settings/authorization-server/expose-metadata

Parameters:
  • jwks-uri-override

    uri

    (optional)

    An optional value that must contain the full URL to the JWKS endpoint. If this is not set, the URL is established by deriving it from the first anonymous endpoint

  • cache-duration

    uint32

    (default: 600)

    The number of seconds that the metadata may be cached as a network resource, as advertised in the HTTP response headers.

Authorize-endpoint

expose-metadata/authorize-endpoint

The authorize-endpoint to include in the published OAuth configuration metadata. This is required when more than one authorize-endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/expose-metadata/authorize-endpoint

Parameters:
  • endpoint

    leafref ../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Token-endpoint

expose-metadata/token-endpoint

The token-endpoint to include in the published OAuth configuration metadata. This is required when more than one token-endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/expose-metadata/token-endpoint

Parameters:
  • endpoint

    leafref ../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Revocation-endpoint

expose-metadata/revocation-endpoint

The revocation-endpoint to include in the published OAuth configuration metadata. This is required when more than one revocation-endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/expose-metadata/revocation-endpoint

Parameters:
  • endpoint

    leafref ../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Introspection-endpoint

expose-metadata/introspection-endpoint

The introspection-endpoint to include in the published OAuth configuration metadata. This is required when more than one introspection-endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/expose-metadata/introspection-endpoint

Parameters:
  • endpoint

    leafref ../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Assisted-token-endpoint

expose-metadata/assisted-token-endpoint

The assisted-token-endpoint to include in the published OAuth configuration metadata. This is required when more than one assisted-token-endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/expose-metadata/assisted-token-endpoint

Parameters:
  • endpoint

    leafref ../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Dynamic-client-registration-endpoint

expose-metadata/dynamic-client-registration-endpoint

The dynamic client registration endpoint to include in the published OAuth configuration metadata. This is required when more than one dynamic-client-registration endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/expose-metadata/dynamic-client-registration-endpoint

Parameters:
  • endpoint

    leafref ../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Device-authorization-endpoint

expose-metadata/device-authorization-endpoint

The device authorization endpoint to include in the published OAuth configuration metadata. This is required when more than one device authorization endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/expose-metadata/device-authorization-endpoint

Parameters:
  • endpoint

    leafref ../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Signed-metadata

expose-metadata/signed-metadata

When present, a signed version of the metadata will be included in the response. The metadata will be included as a JWT, as issued by the default token-issuer of the current profile.

Path :/profiles/profile{id, type}/settings/authorization-server/expose-metadata/signed-metadata
Parameters:valid-for

uint32

(default: 40320)

The number of minutes that the signed metadata JWT can be used before it expires, as used in the JWT’s ‘exp’ claim

Openid-connect

openid-connect
Path :

/profiles/profile{id, type}/settings/authorization-server/openid-connect

Parameters:
  • id-token-ttl

    token-time-to-live

    (default: 3600)

    The number of seconds an id token will be valid. Can be overruled by individual client configuration.

  • passthrough-unscoped-claims

    boolean

    (default: false)

    When set, any claim that is not defined by the OpenID Connect specification, but is added by a procedure, is not removed by scope filtering.

Expose-metadata

openid-connect/expose-metadata

This section specifies what metadata is exposed on the OpenID Connect discovery endpoint for this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata

Parameters:
  • jwks-uri-override

    uri

    (optional)

    An optional value that must contain the full URL to the JWKS endpoint. If this is not set, the URL is established by deriving it from the first anonymous endpoint.

  • cache-duration

    uint32

    (default: 600)

    The number of seconds that the metadata may be cached as a network resource, as advertised in the HTTP response headers.

Authorize-endpoint
openid-connect/expose-metadata/authorize-endpoint

The authorize-endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one authorize-endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/authorize-endpoint

Parameters:
  • endpoint

    leafref ../../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Token-endpoint
openid-connect/expose-metadata/token-endpoint

The token-endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one token-endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/token-endpoint

Parameters:
  • endpoint

    leafref ../../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Userinfo-endpoint
openid-connect/expose-metadata/userinfo-endpoint

The userinfo-endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one userinfo-endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/userinfo-endpoint

Parameters:
  • endpoint

    leafref ../../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Revocation-endpoint
openid-connect/expose-metadata/revocation-endpoint

The revocation-endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one revocation-endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/revocation-endpoint

Parameters:
  • endpoint

    leafref ../../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Introspection-endpoint
openid-connect/expose-metadata/introspection-endpoint

The introspection-endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one introspection-endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/introspection-endpoint

Parameters:
  • endpoint

    leafref ../../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Assisted-token-endpoint
openid-connect/expose-metadata/assisted-token-endpoint

The assisted-token-endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one assisted-token-endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/assisted-token-endpoint

Parameters:
  • endpoint

    leafref ../../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Dynamic-client-registration-endpoint
openid-connect/expose-metadata/dynamic-client-registration-endpoint

The dynamic client registration endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one dynamic-client-registration endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/dynamic-client-registration-endpoint

Parameters:
  • endpoint

    leafref ../../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Device-authorization-endpoint
openid-connect/expose-metadata/device-authorization-endpoint

The device authorization endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one device authorization endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/device-authorization-endpoint

Parameters:
  • endpoint

    leafref ../../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Backchannel-authentication-endpoint
openid-connect/expose-metadata/backchannel-authentication-endpoint

The backchannel authentication endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one backchannel authentication endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/backchannel-authentication-endpoint

Parameters:
  • endpoint

    leafref ../../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Session-endpoint
openid-connect/expose-metadata/session-endpoint

The session endpoint to include in the published OpenID Connect configuration metadata. This is required when more than one session endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/session-endpoint

Parameters:
  • endpoint

    leafref ../../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Signed-metadata
openid-connect/expose-metadata/signed-metadata

When present, a signed version of the metadata will be included in the response. The metadata will be included as a JWT, as issued by the default token-issuer of the current profile.

Path :/profiles/profile{id, type}/settings/authorization-server/openid-connect/expose-metadata/signed-metadata
Parameters:valid-for

uint32

(default: 40320)

The number of minutes that the signed metadata JWT can be used before it expires, as used in the JWT’s ‘exp’ claim

Require-pairwise-subject-identifiers

openid-connect/require-pairwise-subject-identifiers

Set when clients on this profile must always be issued pairwise pseudonyms for authenticated subjects

Path :/profiles/profile{id, type}/settings/authorization-server/openid-connect/require-pairwise-subject-identifiers

Id-token-encryption

openid-connect/id-token-encryption

Enables issuing encrypted ID tokens (JWE).

Path :

/profiles/profile{id, type}/settings/authorization-server/openid-connect/id-token-encryption

Parameters:
  • key-management-algorithm

    allowed-asymmetric-key-management-algorithms RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW

    (multi-value) (optional)

    The allow-list of key-management algorithms. If nothing is selected, all are allowed, including RSA1_5 (RSAES-PKCS1-v1_5), which is susceptible to Bleichenbacher-style padding-oracle attacks; set the list explicitly and prefer RSA-OAEP-256 or an ECDH-ES variant.

  • content-encryption-algorithm

    allowed-content-encryption-algorithms A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM

    (multi-value) (optional)

    The whitelist of allowed content encryption algorithms. If nothing is selected, all are allowed.

Token-procedure-plugins

token-procedure-plugins
Path :/profiles/profile{id, type}/settings/authorization-server/token-procedure-plugins

Token-procedure-plugin

token-procedure-plugins/token-procedure-plugin{id} (keys ['id'])

Token procedure plugins that issue tokens

Path :/profiles/profile{id, type}/settings/authorization-server/token-procedure-plugins/token-procedure-plugin{id}
Parameters:id

string

(mandatory)

Choice: plugin
Option: upscope
Upscope
token-procedure-plugins/token-procedure-plugin{id}/upscope
Path :

/profiles/profile{id, type}/settings/authorization-server/token-procedure-plugins/token-procedure-plugin{id}/upscope

Parameters:
  • replace-existing-scopes

    boolean

    (default: true)

    When true, the scopes of the new token are exactly the scopes added by this procedure. When false, the added scopes are appended to the existing scopes instead.

  • subject-token-required-scopes

    leafref ../../../../as:scopes/as:scope/as:id

    (multi-value) (optional)

    The scopes required in the subject token to perform the upscope, if empty no scopes are required

  • actor-token-required-scopes

    leafref ../../../../as:scopes/as:scope/as:id

    (multi-value) (optional)

    The scopes required in the actor token to perform the upscope, if empty no actor token scopes are required

  • scopes-to-add

    leafref ../../../../as:scopes/as:scope/as:id

    (multi-value) (optional)

    The scopes to add to the returned token
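
An added example, not Curity’s own code, of the decision the four upscope parameters above describe. It is assumed to sit behind an RFC 8693 token exchange, where the subject token is the token being exchanged and the optional actor token identifies the party acting on the subject’s behalf; the config dict keys mirror the parameter names, and the sample configuration is constructed for illustration.

```python
"""Upscope token-procedure plugin model (added example, not Curity code)."""


def upscope(subject_scopes, actor_scopes, cfg):
    """Return the scope set of the exchanged token, or raise PermissionError.
    actor_scopes is None when no actor token was presented."""
    subject = set(subject_scopes)
    missing = set(cfg.get("subject_token_required_scopes", ())) - subject
    if missing:
        raise PermissionError(f"subject token lacks required scopes: {sorted(missing)}")
    required_actor = set(cfg.get("actor_token_required_scopes", ()))
    if required_actor:
        # An actor requirement can only be satisfied by an actual actor token;
        # an exchange without one must not silently pass.
        if actor_scopes is None:
            raise PermissionError("an actor token is required for this upscope")
        missing = required_actor - set(actor_scopes)
        if missing:
            raise PermissionError(f"actor token lacks required scopes: {sorted(missing)}")
    added = set(cfg.get("scopes_to_add", ()))
    if cfg.get("replace_existing_scopes", True):
        return added  # default: the new token carries only the added scopes
    return subject | added


# Constructed configuration: a backend may elevate a "read" token to "admin"
# only when it presents its own actor token carrying the "service" scope.
ELEVATE = {
    "replace_existing_scopes": True,
    "subject_token_required_scopes": ["read"],
    "actor_token_required_scopes": ["service"],
    "scopes_to_add": ["admin"],
}
```

With `replace-existing-scopes` at its default of true the exchanged token loses the subject’s original scopes (`read`, `profile`) and carries only `admin`; switching it to false keeps them alongside the added scope.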

Consentors

consentors
Path :/profiles/profile{id, type}/settings/authorization-server/consentors

Consentor

consentors/consentor{id} (keys ['id'])

The list of available consentors for the profile

Path :

/profiles/profile{id, type}/settings/authorization-server/consentors/consentor{id}

Parameters:
  • id

    non-empty-string

    (mandatory)

    The consentor name

  • description

    string

    (optional)

    A readable consentor description, for user presentation. Can be a locale key.

Choice: consentor-type
Signing-consentor
consentors/consentor{id}/signing-consentor

A signing token consentor

Path :

/profiles/profile{id, type}/settings/authorization-server/consentors/consentor{id}/signing-consentor

Parameters:
  • token-issuer

    leafref /base:profiles/base:profile[base:id=current()/../../../../../../base:id][base:type=current()/../../../../../../base:type]/base:token-issuers/base:custom-token-issuer/base:id

    (optional)

    The token issuer used to sign the JWT that is signed by the consentor

  • text-to-display-procedure

    script

    (mandatory)

    The JavaScript procedure to compute the text to display.

Webservice
consentors/consentor{id}/signing-consentor/webservice

Enable and configure this if the procedure needs access to a web service in its context.

Path :

/profiles/profile{id, type}/settings/authorization-server/consentors/consentor{id}/signing-consentor/webservice

Parameters:
  • hostname

    host

    (mandatory)

    Sets the hostname or IP address of the web service, e.g. ‘localhost’ or ‘127.0.0.1’.

  • port

    port-number

    (default: 80)

    Sets the port of the web service, e.g. 80 or 443.

  • context

    string

    (default: /)

    Sets the base context path of the web service, e.g. ‘/scim’.

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    A reference to the Http Client

Attribute-data-source
consentors/consentor{id}/signing-consentor/attribute-data-source

Enable and configure this if the procedure needs access to an attribute data source in its context.

Path :/profiles/profile{id, type}/settings/authorization-server/consentors/consentor{id}/signing-consentor/attribute-data-source
Parameters:data-source

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

A reference to a data source

Choice: signing-consentor-type

Redirect-uri-validation-policies

redirect-uri-validation-policies

Configuration settings that allow different validation methods for redirect URIs.

Path :/profiles/profile{id, type}/settings/authorization-server/redirect-uri-validation-policies
Parameters:default-redirect-uri-validation-policy

leafref ../redirect-uri-validation-policy/id

(mandatory)

The default redirect-uri validation policy to use for the profile. Without a policy, redirect URIs are validated as an exact match against the registered value.

Redirect-uri-validation-policy

redirect-uri-validation-policies/redirect-uri-validation-policy{id} (keys ['id'])
Path :

/profiles/profile{id, type}/settings/authorization-server/redirect-uri-validation-policies/redirect-uri-validation-policy{id}

Parameters:
  • id

    string

    (mandatory)

    The name of the redirect-uri-validation-policy

  • description

    string

    (optional)

    A human-readable description of the redirect URI validation policy.

Request-validation
redirect-uri-validation-policies/redirect-uri-validation-policy{id}/request-validation

Configure how a redirect_uri is validated when it is being used in a request.

Path :

/profiles/profile{id, type}/settings/authorization-server/redirect-uri-validation-policies/redirect-uri-validation-policy{id}/request-validation

Parameters:
  • allow-localhost-variations

    boolean

    (default: false)

    Disable all validation (port, path, query string, etc.) when the URI points at localhost.

  • allow-query-string-variations

    boolean

    (default: true)

    Allow the query string of the redirect_uri to be different per request

Authenticated-authorization-requests
redirect-uri-validation-policies/redirect-uri-validation-policy{id}/request-validation/authenticated-authorization-requests

Configure how a redirect_uri is validated when it is received as part of a request where the client was authenticated, e.g. when it is a PAR or CIBA request.

Path :

/profiles/profile{id, type}/settings/authorization-server/redirect-uri-validation-policies/redirect-uri-validation-policy{id}/request-validation/authenticated-authorization-requests

Parameters:
  • validate-port

    boolean

    (default: true)

    Consider the port in the URL when comparing the registered URI with the requested redirect_uri

  • validate-path

    boolean

    (default: true)

    Validate the path part of the URI to match exactly the registered path

  • allow-suffix-path

    boolean

    (default: false)

    Allow the registered path to be appended with suffix path parts per request

  • validate-querystring

    boolean

    (default: true)

    Validate the querystring to match (dynamic clients) or start with the configured querystring (static clients). If disabled, any querystring value is acceptable.

  • domain-validation

    enumeration exact, tld-plus-one, tld-plus-two, no-validation

    (default: exact)

    Validation on the domain parts of the URI

Registration-validation
redirect-uri-validation-policies/redirect-uri-validation-policy{id}/registration-validation

Configure how a redirect_uri is validated when it is being used in a registration request.

Path :/profiles/profile{id, type}/settings/authorization-server/redirect-uri-validation-policies/redirect-uri-validation-policy{id}/registration-validation
Parameters:allow-http

boolean

(default: false)

Allow a client to register a non-TLS http redirect_uri
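
The following is an added example, not Curity’s own code, that models the request-validation and registration-validation settings above so the effect of each switch can be exercised offline. Assumptions made here: ‘tld-plus-one’ and ‘tld-plus-two’ compare the last two and three host labels respectively; the ‘static clients’ query-string rule is a plain string prefix match; loopback hosts are localhost, 127.0.0.1 and ::1; and the nested authenticated-authorization-requests settings apply only when the caller passes `authenticated=True` (a PAR or CIBA request). The policy dict keys mirror the parameter names.

```python
"""Redirect URI validation policy model (added example, not Curity code)."""
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

DEFAULT_POLICY = {  # the documented defaults
    "allow_localhost_variations": False,
    "allow_query_string_variations": True,
    "validate_port": True,
    "validate_path": True,
    "allow_suffix_path": False,
    "validate_querystring": True,
    "domain_validation": "exact",  # exact | tld-plus-one | tld-plus-two | no-validation
}


def _host_ok(registered: str, requested: str, mode: str) -> bool:
    if mode == "no-validation":
        return True
    if mode == "exact":
        return registered == requested
    labels = {"tld-plus-one": 2, "tld-plus-two": 3}[mode]
    # Any host sharing the last N labels passes, so under these modes a
    # takeover of any sibling subdomain becomes a valid code-stealing target.
    return registered.split(".")[-labels:] == requested.split(".")[-labels:]


def _path_ok(registered: str, requested: str, allow_suffix: bool) -> bool:
    if registered == requested:
        return True
    # A suffix must begin at a segment boundary: "/cb" may extend to "/cb/x",
    # never to "/cb-evil".
    return allow_suffix and requested.startswith(registered.rstrip("/") + "/")


def redirect_uri_allowed(registered: str, requested: str, policy: dict = DEFAULT_POLICY,
                         *, authenticated: bool = False, static_client: bool = True) -> bool:
    reg, req = urlsplit(registered), urlsplit(requested)
    if reg.scheme != req.scheme or req.fragment or not req.hostname:
        return False  # scheme must match; a fragment is never part of a redirect target
    if (policy["allow_localhost_variations"]
            and reg.hostname in LOOPBACK_HOSTS and req.hostname in LOOPBACK_HOSTS):
        return True  # port, path and query are all ignored for loopback redirects
    if not authenticated:
        # Front-channel request: exact match apart from an optionally varying query string.
        return (reg.hostname == req.hostname and reg.port == req.port and reg.path == req.path
                and (policy["allow_query_string_variations"] or reg.query == req.query))
    if not _host_ok(reg.hostname, req.hostname, policy["domain_validation"]):
        return False
    if policy["validate_port"] and reg.port != req.port:
        return False
    if policy["validate_path"] and not _path_ok(reg.path, req.path, policy["allow_suffix_path"]):
        return False
    if policy["validate_querystring"]:
        if static_client and not req.query.startswith(reg.query):
            return False
        if not static_client and reg.query != req.query:
            return False
    return True


def registration_allowed(redirect_uri: str, allow_http: bool = False) -> bool:
    """registration-validation: a plain http redirect_uri is accepted only with allow-http."""
    return urlsplit(redirect_uri).scheme != "http" or allow_http
```

The checks worth running against any relaxed policy are the ones in the test below: with `domain-validation` set to `tld-plus-one`, `https://evil.example.com/cb` is accepted for a client registered at `https://app.example.com/cb`, and with `allow-suffix-path` enabled only a boundary-respecting suffix such as `/cb/extra` passes, not `/cb-evil`.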

Client-store

client-store
Path :/profiles/profile{id, type}/settings/authorization-server/client-store

Config-backed

client-store/config-backed
Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed
Client
client-store/config-backed/client{id} (keys ['id'])
Path :

/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}

Parameters:
  • id

    non-empty-string

    (mandatory)

    The client identifier (client_id) as defined by the OAuth 2.0 specification.

  • client-name

    non-empty-string

    (optional)

    A human readable name of the client

  • description

    string

    (optional)

    A human readable description of the client

  • logo

    string

    (optional)

    A logo of the client that can be shown in user interface templates.

  • application-url

    uri

    (optional)

    This URL is used if a request is made to the OAuth server without the parameters necessary to initiate authentication. In such a case, the user is redirected to this URL, so that a new, properly formed, request can be made to bootstrap a new authentication transaction.

  • enabled

    boolean

    (default: true)

    Whether the client is enabled. Allows a disabled client to remain configured without being usable.

  • created-at

    date-and-time

    (optional)

    An operational timestamp, kept for history purposes.

  • created-by

    string

    (optional)

    The user that created the client.

  • access-token-ttl

    token-time-to-live

    (default: 300)

    The number of seconds an access token will be valid

  • refresh-token-ttl

    disablable-token-time-to-live

    (default: 3600)

    The number of seconds a refresh token will be valid. If set to ‘disabled’, no refresh tokens will be issued

  • refresh-token-max-rolling-lifetime

    disablable-token-time-to-live

    (optional)

    When set, the refresh-token-ttl is used to set the expiration of new refresh tokens, until this max value is reached.

  • id-token-ttl

    token-time-to-live

    (optional)

    The number of seconds an id token will be valid. If not set, the profile-setting is used.

  • claims-mapper

    leafref ../../../../claims/claims-mappers/claims-mapper/id

    (optional)

    The mapper to use when adding claims to tokens. The mapper decides what claims end up in which token or response. The claims themselves are defined in the scope. If not set, the default-mapper is used

  • require-secured-authorization-response

    empty

    (optional)

    If set, then all authorization responses need to be protected according to the ‘JWT Secured Authorization Response Mode for OAuth 2.0’ (JARM) specification

  • privacy-policy-url

    uri

    (optional)

    An absolute URL that refers to the privacy policy for the client

  • terms-of-service-url

    uri

    (optional)

    An absolute URL that refers to the terms of service of the client

  • validate-port-on-loopback-interfaces

    boolean

    (default: true)

    Whether the port should be validated when a client is configured to redirect to the loopback interface. Defaults to true for backwards compatibility. Future versions may default to false because RFC 8252 (sec. 7.3) says the port should not be validated, and skipping the port check does not generally reduce the security of loopback redirects. This option cannot be set when the profile enables redirect-uri validation policies. This setting is deprecated in favour of redirect-uri-validation-policies.

  • redirect-uri-validation-policy

    leafref ../../../../redirect-uri-validation-policies/redirect-uri-validation-policy/id

    (optional)

    The redirect uri validation policy to use for this client. This value overrides the profile’s setting for the default redirect uri validation policy.

  • reuse-refresh-tokens

    boolean

    (optional)

    Defines whether a new refresh token is created on every refresh or the existing one is kept. When set, this takes precedence over the profile setting (reuse-refresh-tokens); when not set, the profile setting applies.

Choice: verifier

Describes how the client is authenticated

param secret:

sha-256-digest-string

(optional)

A password used by the client

param asymmetric-key:
 

leafref /base:facilities/base:crypto/base:signature-verification-keys/base:signature-verification-key/base:id

(optional)

A public key that corresponds to the private key the client will use to sign a token with to authenticate itself

param jwks:

non-empty-string

(optional)

A JWKS providing keys that can be used to verify JWT assertions. The JSON String should be base64-encoded.

Option: jwks-uri
Jwks-uri
client-store/config-backed/client{id}/jwks-uri

A key present in a JWKS referenced by a URI, retrieved via an optional HTTP client

Path :

/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/jwks-uri

Parameters:
  • uri

    uri

    (mandatory)

    The JWKS URI

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (optional)

    The optional HTTP client used to retrieve the JWKS

  • symmetric-key

    non-empty-string

    (optional)

    A secret key that the client will use to sign or integrity protect a token with to authenticate itself

Mutual-tls-by-proxy
client-store/config-backed/client{id}/mutual-tls-by-proxy

Enable client authentication through mutual-tls by-proxy.

Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/mutual-tls-by-proxy
Choice: trust
Option: name-and-ca
Choice: name
param client-dn:
 

non-empty-string

(optional)

The DN of the client certificate that the client must identify with.

param client-dns-name:
 

non-empty-string

(optional)

The expected dNSName SAN entry in the certificate that the client must identify with.

param client-uri:
 

uri

(optional)

The expected uniformResourceIdentifier SAN entry in the certificate that the client must identify with.

param client-ip:
 

ip-address

(optional)

The expected iPAddress SAN entry in the certificate that the client must identify with, in dotted decimal notation (IPv4) or colon-delimited hexadecimal (IPv6).

param client-email:
 

non-empty-string

(optional)

The expected rfc822Name SAN entry in the certificate that the client must identify with.

param trusted-ca:
 

leafref /base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id

(multi-value) (optional)

The CAs that must be the issuer of the client certificate that can be accepted to authenticate this client. At least one must be set.

Option: pinned-certificate-and-no-ca
param client-certificate:
 

leafref /base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id

(optional)

The client certificate that must be used to authenticate the client.

Mutual-tls
client-store/config-backed/client{id}/mutual-tls

Enable client authentication through direct mutual-tls

Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/mutual-tls
Choice: trust
Option: name-and-ca
Choice: name
param client-dn:
 

non-empty-string

(optional)

The DN of the client certificate that the client must identify with.

param client-dns-name:
 

non-empty-string

(optional)

The expected dNSName SAN entry in the certificate that the client must identify with.

param client-uri:
 

uri

(optional)

The expected uniformResourceIdentifier SAN entry in the certificate that the client must identify with.

param client-ip:
 

ip-address

(optional)

The expected iPAddress SAN entry in the certificate that the client must identify with, in dotted decimal notation (IPv4) or colon-delimited hexadecimal (IPv6).

param client-email:
 

non-empty-string

(optional)

The expected rfc822Name SAN entry in the certificate that the client must identify with.

param trusted-ca:
 

leafref /base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id

(multi-value) (optional)

The CAs that must be the issuer of the client certificate that can be accepted to authenticate this client. At least one must be set.

Option: pinned-certificate-and-no-ca
param client-certificate:
 

leafref /base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id

(optional)

The client certificate that must be used to authenticate the client.

param no-authentication:
 

boolean

(default: false)

When no-authentication is selected, the client is a public client. This can only be used for clients that request tokens, and only makes sense if they use the token endpoint (i.e. the code flow).

param credential-manager:
 

leafref /base:processing/base:credential-managers/base:credential-manager/base:id

(optional)

The Credential Manager to use to transform the client secret. For configured clients, this credential manager is also used to retrieve the client secret from the configured data source on the credential manager

Secondary-authentication-method
client-store/config-backed/client{id}/secondary-authentication-method
Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/secondary-authentication-method
Parameters:expires-on

date-and-time

(optional)

The instant after which the secondary verifier should not be used

Choice: verifier

Describes how the client is authenticated

param secret:

sha-256-digest-string

(optional)

A password used by the client

param asymmetric-key:
 

leafref /base:facilities/base:crypto/base:signature-verification-keys/base:signature-verification-key/base:id

(optional)

A public key that corresponds to the private key the client will use to sign a token with to authenticate itself

param jwks:

non-empty-string

(optional)

A JWKS providing keys that can be used to verify JWT assertions. The JSON String should be base64-encoded.

Option: jwks-uri
Jwks-uri
client-store/config-backed/client{id}/secondary-authentication-method/jwks-uri

A key present in a JWKS referenced by a URI, retrieved via an optional HTTP client

Path :

/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/secondary-authentication-method/jwks-uri

Parameters:
  • uri

    uri

    (mandatory)

    The JWKS URI

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (optional)

    The optional HTTP client used to retrieve the JWKS

  • symmetric-key

    non-empty-string

    (optional)

    A secret key that the client will use to sign or integrity protect a token with to authenticate itself

Mutual-tls-by-proxy
client-store/config-backed/client{id}/secondary-authentication-method/mutual-tls-by-proxy

Enable client authentication through mutual-tls by-proxy.

Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/secondary-authentication-method/mutual-tls-by-proxy
Choice: trust
Option: name-and-ca
Choice: name
param client-dn:
 

non-empty-string

(optional)

The DN of the client certificate that the client must identify with.

param client-dns-name:
 

non-empty-string

(optional)

The expected dNSName SAN entry in the certificate that the client must identify with.

param client-uri:
 

uri

(optional)

The expected uniformResourceIdentifier SAN entry in the certificate that the client must identify with.

param client-ip:
 

ip-address

(optional)

The expected iPAddress SAN entry in the certificate that the client must identify with, in dotted decimal notation (IPv4) or colon-delimited hexadecimal (IPv6).

param client-email:
 

non-empty-string

(optional)

The expected rfc822Name SAN entry in the certificate that the client must identify with.

param trusted-ca:
 

leafref /base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id

(multi-value) (optional)

The CAs that must be the issuer of the client certificate that can be accepted to authenticate this client. At least one must be set.

Option: pinned-certificate-and-no-ca
param client-certificate:
 

leafref /base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id

(optional)

The client certificate that must be used to authenticate the client.

Mutual-tls
client-store/config-backed/client{id}/secondary-authentication-method/mutual-tls

Enable client authentication through direct mutual-tls

Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/secondary-authentication-method/mutual-tls
Choice: trust
Option: name-and-ca
Choice: name
param client-dn:
 

non-empty-string

(optional)

The DN of the client certificate that the client must identify with.

param client-dns-name:
 

non-empty-string

(optional)

The expected dNSName SAN entry in the certificate that the client must identify with.

param client-uri:
 

uri

(optional)

The expected uniformResourceIdentifier SAN entry in the certificate that the client must identify with.

param client-ip:
 

ip-address

(optional)

The expected iPAddress SAN entry in the certificate that the client must identify with, in dotted decimal notation (IPv4) or colon-delimited hexadecimal (IPv6).

param client-email:
 

non-empty-string

(optional)

The expected rfc822Name SAN entry in the certificate that the client must identify with.

param trusted-ca:
 

leafref /base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id

(multi-value) (optional)

The CAs that must be the issuer of the client certificate that can be accepted to authenticate this client. At least one must be set.

Option: pinned-certificate-and-no-ca
param client-certificate:
 

leafref /base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id

(optional)

The client certificate that must be used to authenticate the client.

param no-authentication:
 

boolean

(default: false)

When no-authentication is selected, the client is a public client. This can only be used for clients that request tokens, and only makes sense if they use the token endpoint (i.e. the code flow).

param credential-manager:
 

leafref /base:processing/base:credential-managers/base:credential-manager/base:id

(optional)

The Credential Manager to use to transform the client secret. For configured clients, this credential manager is also used to retrieve the client secret from the configured data source on the credential manager
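
The name-and-ca and pinned-certificate-and-no-ca trust options above (under mutual-tls and mutual-tls-by-proxy, for both the primary verifier and the secondary-authentication-method) decide whether a presented client certificate authenticates the client. The following is an added example, not Curity's code, of evaluating those two options against fields already extracted from a chain-validated certificate. The PresentedCert shape, the truststore ids and all sample values are constructed for the example.

```python
# Added example (not Curity code): evaluating the two mTLS trust options against
# fields already extracted from a validated client certificate. Sample data is constructed.
from __future__ import annotations

import hmac
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class PresentedCert:
    """What the TLS terminator hands over after path validation. For by-proxy this
    arrives in a header: accept it only from the white-listed proxies and strip it
    from every other connection, otherwise a direct client can forge it."""
    subject_dn: str
    issuer_id: str                       # truststore id of the CA that signed it (after chain validation)
    sha256_fingerprint: str              # hex SHA-256 over the DER certificate
    sans: dict[str, tuple[str, ...]]     # SAN type -> values


@dataclass(frozen=True)
class NameAndCa:
    """Option name-and-ca: exactly one name test plus at least one trusted CA."""
    name_type: str        # client-dn | client-dns-name | client-uri | client-ip | client-email
    name_value: str
    trusted_ca: frozenset[str]


@dataclass(frozen=True)
class PinnedCertificate:
    """Option pinned-certificate-and-no-ca: one exact certificate, no chain check."""
    sha256_fingerprint: str


_SAN_FOR = {
    "client-dns-name": "dNSName",
    "client-uri": "uniformResourceIdentifier",
    "client-email": "rfc822Name",
}


def _name_matches(cert: PresentedCert, trust: NameAndCa) -> bool:
    if trust.name_type == "client-dn":
        return cert.subject_dn == trust.name_value   # exact match; DN normalisation is assumed upstream
    if trust.name_type == "client-ip":
        want = ip_address(trust.name_value)          # normalises ::1 vs 0:0:0:0:0:0:0:1
        return any(ip_address(v) == want for v in cert.sans.get("iPAddress", ()))
    san = _SAN_FOR[trust.name_type]
    if san == "dNSName":                             # DNS names are case-insensitive
        return trust.name_value.lower() in (v.lower() for v in cert.sans.get(san, ()))
    return trust.name_value in cert.sans.get(san, ())


def authenticate_mtls(cert: PresentedCert, trust: NameAndCa | PinnedCertificate) -> bool:
    """True when the certificate satisfies the configured trust option."""
    if isinstance(trust, PinnedCertificate):
        return hmac.compare_digest(cert.sha256_fingerprint.lower(),
                                   trust.sha256_fingerprint.lower())
    if not trust.trusted_ca:
        raise ValueError("name-and-ca requires at least one trusted-ca")
    if cert.issuer_id not in trust.trusted_ca:
        return False   # the right name under the wrong CA is still a stranger
    return _name_matches(cert, trust)
```

The order matters: the issuer check runs before the name check, so a certificate from an untrusted CA never gets as far as name comparison, and a pinned certificate is accepted only on an exact fingerprint match regardless of who issued it.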

Request-object
client-store/config-backed/client{id}/request-object

Enable request-object support where the client can send in a JWT with the request parameters. If enabled, a request object JWT MUST be provided by the client.

Path :

/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/request-object

Parameters:
  • issuer

    string

    (optional)

    The issuer of the request object’s JWT. If the issuer is not explicitly set, it must be the same value as the client_id of the client that makes the request.

  • signature-verification-key

    leafref /base:facilities/base:crypto/base:signature-verification-keys/base:signature-verification-key/base:id

    (optional)

    A public key that corresponds to the private key that the issuer of the request object JWT used to sign the JWT

  • allow-unsigned-for-by-value

    boolean

    (default: false)

    If set to true, then unsigned request objects sent by-value will be accepted.

By-reference
client-store/config-backed/client{id}/request-object/by-reference

Enable the use of request object that are sent by-reference using the request_uri parameter

Path :

/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/request-object/by-reference

Parameters:
  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (optional)

    The HTTP client that will be used when fetching the request object from a provided URI

  • allow-unsigned

    boolean

    (default: false)

    If set to true, then unsigned request objects sent by-reference will be accepted.

  • allowed-request-url

    uri

    (multi-value) (optional)

    Whitelist of all locations that can be included in a request_uri parameter. The value ‘*’ allows for any. A wildcard character ‘*’ is also allowed at the end of the uri value.

  • redirect-uris

    uri

    (multi-value) (optional)

    The whitelist of redirect URIs allowed for the client. If the code or implicit flow is used, at least one is required.
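
The two allow-lists above (allowed-request-url with its trailing '*' wildcard, and redirect-uris together with the validate-port-on-loopback-interfaces client setting) are easy to get subtly wrong. The following is an added example, not Curity's code, of how an authorization server can evaluate both. The loopback rule follows RFC 8252 sec. 7.3; the registered values in the test are constructed.

```python
# Added example (not Curity code): redirect_uri and request_uri allow-listing as the
# settings above describe them.
from __future__ import annotations

from ipaddress import ip_address
from urllib.parse import urlsplit


def _is_loopback_host(host: str | None) -> bool:
    """True for 127.0.0.0/8 and ::1 literals. RFC 8252 sec. 7.3 uses IP literals,
    not 'localhost', so a hostname is deliberately not treated as loopback."""
    if not host:
        return False
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def redirect_uri_allowed(requested: str, registered: list[str],
                         validate_port_on_loopback: bool = True) -> bool:
    """Exact-string match against the registered list, with one relaxation: when
    validate_port_on_loopback is False and the registered URI points at a loopback
    address, the port is ignored (native apps bind an ephemeral port, RFC 8252
    sec. 7.3). Scheme, host, path and query must still match exactly."""
    req = urlsplit(requested)
    if req.fragment:
        return False   # RFC 6749 sec. 3.1.2: the redirection URI must not include a fragment
    for reg in registered:
        if requested == reg:
            return True
        r = urlsplit(reg)
        if (not validate_port_on_loopback
                and _is_loopback_host(r.hostname)
                and req.scheme == r.scheme
                and req.hostname == r.hostname
                and req.path == r.path
                and req.query == r.query):
            return True
    return False


def request_uri_allowed(request_uri: str, allowed: list[str]) -> bool:
    """allowed-request-url semantics: '*' alone permits any location; a trailing '*'
    permits any value with that prefix; anything else must match exactly.
    Caveat: end a prefix with '/' (https://rp.example/req/*), because a prefix such
    as https://rp.example* also matches https://rp.example.attacker.test/."""
    for entry in allowed:
        if entry == "*":
            return True
        if entry.endswith("*"):
            if request_uri.startswith(entry[:-1]):
                return True
        elif request_uri == entry:
            return True
    return False
```

Both functions compare whole strings rather than "starts with" on the redirect side: prefix matching of redirect URIs is what turns an open path on the client into a code-stealing redirect.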

Consentors
client-store/config-backed/client{id}/user-consent/consentors

The consentors usable with this client. If empty, then all profile consentors will be usable

Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/user-consent/consentors
Parameters:consentor

leafref ../../../../../../consentors/consentor/id

(multi-value) (optional)

Proof-key
client-store/config-backed/client{id}/proof-key

Proof Key for Code Exchange (RFC 7636 - PKCE) is a measure for preventing authorization code interception. This is an attack on client systems that allow a malicious application to register itself as a handler for the custom scheme utilized by the legitimate app in the Authorization Code Grant flow.

Path :

/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/proof-key

Parameters:
  • require-proof-key

    boolean

    (default: false)

    Requires this client to provide a code challenge (and the corresponding code verifier at the token endpoint) when performing the Authorization Code Grant flow.

  • disallowed-proof-key-challenge-methods

    enumeration plain, S256

    (multi-value) (optional)

    A list of proof key challenge methods the client isn’t allowed to use. Useful when one of the methods provided by the server is deemed insecure for the intended client. This setting would be merged with profile level setting. For example, if profile disallowed plain and client disallowed S256, then both methods are disallowed

  • audience

    string

    (multi-value) (optional)

    The intended audiences for the token. The first element is the default. If none are stipulated, the ID of the client will be used as the audience

  • scope

    leafref ../../../../scopes/scope/id

    (multi-value) (optional)

    A subset of the scopes defined in the profile that this client is allowed to request. If none are listed here, the client may request all scopes of the profile.
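
The PKCE flow that the proof-key settings govern, as an added example that is not Curity's code: verifier and challenge generation on the client, the merged disallowed-proof-key-challenge-methods check at the authorization endpoint, and verification at the token endpoint. SERVER_METHODS and the error strings are assumptions of the example.

```python
# Added example (not Curity code): PKCE (RFC 7636) as the proof-key settings describe it.
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets

# Methods this server offers; constructed for the example.
SERVER_METHODS = frozenset({"plain", "S256"})


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 sec. 4.1: 43-128 unreserved characters; 32 random bytes give 43."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str, method: str) -> str:
    """RFC 7636 sec. 4.2. 'plain' sends the verifier itself, so a malicious app that
    observes the authorization request can replay it; prefer S256."""
    if method == "plain":
        return verifier
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    raise ValueError(f"unsupported code_challenge_method {method!r}")


def allowed_methods(profile_disallowed: set[str], client_disallowed: set[str]) -> frozenset[str]:
    """The documented merge rule: both disallow-lists apply, so a method forbidden
    at either level is forbidden for the client."""
    return SERVER_METHODS - (profile_disallowed | client_disallowed)


def check_authorization_request(challenge: str | None, method: str | None,
                                require_proof_key: bool,
                                methods_allowed: frozenset[str]) -> str | None:
    """Authorization endpoint: validate what the client sent and return the method to
    store with the issued code (None when no PKCE was used and none is required)."""
    if challenge is None:
        if require_proof_key:
            raise PermissionError("invalid_request: code_challenge is required for this client")
        return None
    method = method or "plain"   # RFC 7636 sec. 4.3: an absent method means plain
    if method not in methods_allowed:
        raise PermissionError(f"invalid_request: code_challenge_method {method!r} is not allowed")
    return method


def verify_code_verifier(stored_challenge: str, stored_method: str, verifier: str | None) -> bool:
    """Token endpoint (RFC 7636 sec. 4.6): whoever redeems the code must present the
    verifier that produced the stored challenge. The constant-time comparison keeps
    an attacker who intercepted the code from probing the challenge byte by byte."""
    if verifier is None or not 43 <= len(verifier) <= 128:
        return False
    expected = make_code_challenge(verifier, stored_method)
    return hmac.compare_digest(expected.encode("ascii"), stored_challenge.encode("ascii"))
```

The challenge travels through the front channel (where the custom-scheme hijack described above happens) and the verifier only through the back channel, which is why a stolen code is useless without the verifier.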

User-authentication
client-store/config-backed/client{id}/user-authentication
Path :

/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/user-authentication

Parameters:
  • context-info

    string

    (default: )

    Information that will be displayed to the user when authenticating the client

  • force-authn

    boolean

    (optional)

    Optional default setting whether user authentication is forced at all times.

  • freshness

    uint32

    (optional)

    Optional maximum age in seconds after which re-authentication must take place.

  • locale

    non-empty-string

    (optional)

    Optional override for default locale.

  • frontchannel-logout-uri

    uri

    (optional)

    Optional uri of the client that is called upon user logout when attempting front channel logout. Requires OpenId Connect to be enabled.

  • backchannel-logout-uri

    uri

    (optional)

    Optional uri of the client that is called upon user logout when attempting back channel logout. Requires OpenId Connect to be enabled.

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (optional)

    The HTTP client that will be used when delivering the logout token to the backchannel logout uri

  • template-area

    non-empty-string

    (optional)

    Optional override for template area

  • allowed-authenticators

    leafref /base:profiles/base:profile[base:id=current()/../../../../../authentication-service/authentication-profile]/base:settings/auth:authentication-service/auth:authenticators/auth:authenticator/auth:id

    (multi-value) (optional)

    The list of allowed authenticators for this client

  • authenticator-filters

    leafref /base:profiles/base:profile[base:id=current()/../../../../../authentication-service/authentication-profile]/base:settings/auth:authentication-service/auth:authenticator-filters/auth:authenticator-filter/auth:id

    (multi-value) (optional)

    The list of authenticator-filters for this client

  • required-claims

    string

    (multi-value) (optional)

    A list of named claims that must be required by the authenticator when authenticating the user.

  • allowed-post-logout-redirect-uris

    uri

    (multi-value) (optional)

    The optional list of URIs that is allowed for the client to use as post logout redirect uri. Requires OpenId Connect to be enabled.

  • allowed-origins

    non-empty-string

    (multi-value) (optional)

    The optional list of URIs or URI patterns that are allowed to embed the rendered pages inside an iframe, be a trusted source or be used for CORS.

Capabilities
client-store/config-backed/client{id}/capabilities

OAuth capabilities that this client is allowed to perform

Path :

/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/capabilities

Parameters:
  • implicit

    empty

    (optional)

    Allows implicit flow

  • client-credentials

    empty

    (optional)

    Allows for the Client Credentials Grant

  • introspection

    empty

    (optional)

    Allows the client to use token introspection

  • assisted-token

    empty

    (optional)

    The assisted-token capability allows the client to use a helper endpoint to use simplified OAuth flows.

  • token-exchange

    empty

    (optional)

    Allows the client to exchange tokens for other tokens

  • oauth-token-exchange

    empty

    (optional)

    Allows the client to exchange tokens using the OAuth 2.0 Token Exchange grant

  • device-authorization

    empty

    (optional)

    Allows the client to use the device flow

Code
client-store/config-backed/client{id}/capabilities/code

Allows code flow

Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/capabilities/code
Require-pushed-authorization-requests
client-store/config-backed/client{id}/capabilities/code/require-pushed-authorization-requests

The client is required to use Pushed Authorization Requests when starting a code flow.

Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/capabilities/code/require-pushed-authorization-requests
Parameters:allow-per-request-redirect-uris

boolean

(default: false)

When enabled, the client can use per-request redirect URIs with pushed authorization requests. Defaults to false. This setting is deprecated in favour of redirect-uri-validation-policies.

Resource-owner-password-credentials
client-store/config-backed/client{id}/capabilities/resource-owner-password-credentials

Allows ROPC grant-type

Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/capabilities/resource-owner-password-credentials
Parameters:credential-manager

leafref /base:processing/base:credential-managers/base:credential-manager/base:id

(optional)

The optional credential manager to use when authenticating the user using Resource Owner Password Credentials

Backchannel-authentication
client-store/config-backed/client{id}/capabilities/backchannel-authentication

Allows the client to perform backchannel authentication

Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/capabilities/backchannel-authentication
Parameters:allowed-authenticators

leafref /base:profiles/base:profile[base:id=current()/../../../../../../authentication-service/authentication-profile]/base:settings/auth:authentication-service/auth:authenticators/auth:backchannel-authenticator/auth:id

(multi-value) (optional)

A list of backchannel enabled authenticators that the client is allowed to use. Should be a subset of backchannel authenticators from the linked authentication profile. If nothing is set, all backchannel-authenticators from the linked authentication profile will be available for this client to use.

Assertion
client-store/config-backed/client{id}/capabilities/assertion

Allows the client to use JWT assertions as grant

Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/capabilities/assertion
Jwt
client-store/config-backed/client{id}/capabilities/assertion/jwt

Configure the assertion grant for JWT assertions.

Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/capabilities/assertion/jwt
Parameters:allow-reuse

boolean

(default: false)

Allow a client to reuse the same JWT assertion to make multiple token requests.

Trust
client-store/config-backed/client{id}/capabilities/assertion/jwt/trust
Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/capabilities/assertion/jwt/trust
Parameters:issuer

non-empty-string

(optional)

When set, a JWT that is used as assertion must have an issuer claim that matches the configured value.

Choice: signing
param asymmetric-signing-key:
 

leafref /base:facilities/base:crypto/base:signature-verification-keys/base:signature-verification-key/base:id

(optional)

A public key that corresponds to the private key that the issuer of the assertion used to sign the JWT

Option: jwks-uri
Jwks-uri
client-store/config-backed/client{id}/capabilities/assertion/jwt/trust/jwks-uri

A key present in a JWKS referenced by a URI, retrieved via an optional HTTP client

Path :

/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/capabilities/assertion/jwt/trust/jwks-uri

Parameters:
  • uri

    uri

    (mandatory)

    The JWKS URI

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (optional)

    The optional HTTP client used to retrieve the JWKS

  • jwks

    non-empty-string

    (mandatory)

    A JWKS providing the key(s) used to verify the signature of assertion JWTs. The JSON string should be base64-encoded.

  • symmetric-signing-key

    leafref /base:facilities/base:crypto/base:signature-verification-keys/base:signature-verification-key/base:id

    (optional)
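
Two passages on this page turn on verifying a JWT that the client signed: the symmetric-key verifier under the client's authentication method (a client_assertion that authenticates the client at the token endpoint) and the JWT assertion grant above, where trust/issuer pins the expected iss and allow-reuse decides whether the same jti can be redeemed twice. The following is an added example, not Curity's code, that implements both with a shared HMAC key (HS256) so that it needs only the standard library; real deployments would normally use the asymmetric-key or jwks-uri options instead. The key, client id, endpoint URL, claim values and the in-memory jti set are constructed for the example.

```python
# Added example (not Curity code): a client_assertion for client authentication and a
# JWT used as an authorization grant, both HS256-signed with a shared symmetric key.
from __future__ import annotations

import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Client side: compact JWS with an HS256 MAC over header.payload."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_hs256(token: str, key: bytes, now: int) -> dict:
    """Server side. The algorithm is pinned to what the configured verifier supports;
    the header's alg is checked against it and never used to choose the verifier,
    which is what defeats alg=none and key-confusion tricks."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("missing or past exp")
    return claims


def _audiences(claims: dict) -> list:
    aud = claims.get("aud")
    return aud if isinstance(aud, list) else [aud]


def verify_client_assertion(token: str, client_id: str, key: bytes,
                            token_endpoint: str, now: int) -> dict:
    """Verifier 'symmetric-key': RFC 7523 sec. 3 rules for client authentication.
    iss and sub are the client_id and aud must name this token endpoint."""
    claims = verify_hs256(token, key, now)
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("iss and sub must equal the client_id")
    if token_endpoint not in _audiences(claims):
        raise ValueError("aud must name the token endpoint")
    return claims


class JwtAssertionGrant:
    """capabilities/assertion/jwt: trust/issuer pins iss; allow-reuse decides whether
    a jti may be redeemed twice. The seen-jti store must be shared across run-time
    nodes and pruned at exp in a real deployment; here it is an in-memory set."""

    def __init__(self, key: bytes, audience: str, issuer: str | None = None,
                 allow_reuse: bool = False) -> None:
        self.key, self.audience, self.issuer, self.allow_reuse = key, audience, issuer, allow_reuse
        self._seen: set[str] = set()

    def redeem(self, assertion: str, now: int) -> dict:
        claims = verify_hs256(assertion, self.key, now)
        if self.issuer is not None and claims.get("iss") != self.issuer:
            raise ValueError("issuer mismatch")
        if self.audience not in _audiences(claims):
            raise ValueError("audience mismatch")
        if not claims.get("sub"):
            raise ValueError("sub is required")
        if not self.allow_reuse:
            jti = claims.get("jti")
            if not jti:
                raise ValueError("jti is required when reuse is disallowed")
            if jti in self._seen:
                raise ValueError("assertion replayed")
            self._seen.add(jti)
        return claims
```

Note the difference between the two uses of the same verifier: for client authentication the subject is the client itself, while for the grant the subject is the user (or service) the issuer vouches for, which is why the grant additionally needs the issuer and jti controls.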

Haapi
client-store/config-backed/client{id}/capabilities/haapi

Allows the client to use the hypermedia authentication API

Path :

/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/capabilities/haapi

Parameters:
  • allow-without-attestation

    boolean

    (default: false)

    When enabled, a HAAPI token can be issued to clients based on client authentication instead of based on client attestation. To set this option, a client must have credentials and can not be configured with attestation settings.

  • use-legacy-dpop

    boolean

    (default: false)

    Use an older version of the DPoP processing, which is not nonce-based. This may be required if the client uses an older version of the HAAPI SDK. Refer to the HAAPI SDK documentation for details.

  • issue-token-bound-authorization-code

    boolean

    (default: false)

    When enabled, the authorization code and refresh token that are issued will be bound to the proof token’s DPoP key. This token binding will not be compatible with legacy DPoP. By default, it is disabled.

Dynamic-client-registration-template
client-store/config-backed/client{id}/dynamic-client-registration-template

Enable client as template for Dynamic Client Registration

Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/dynamic-client-registration-template
Choice: client-authentication-method
How the dynamically registered client based on this template can authenticate. Default is secret
Option: secret
param secret:

empty

(optional)

param credential-manager:
 

leafref /base:processing/base:credential-managers/base:credential-manager/base:id

(optional)

The credential manager that should be used to verify and manage templatized dynamic clients’ secrets. Note that the data source on the credential manager (if configured) is not used. Only the transformation algorithm. The secret is stored with the client metadata in the dynamic client registration data source.

Choice: authentication-method
param authenticate-user-by:
 

leafref ../../../client/id

(multi-value) (optional)

Reference to other OAuth clients in the profile that may be used to authenticate the user and obtain the initial access token necessary for a new client to register based on this client as a template.

param authenticate-client-by:
 

leafref ../../../client/id

(multi-value) (optional)

Reference to other OAuth clients in the profile that may be used to authenticate using client-credentials to obtain the initial access token necessary for a new client to register based on this client as a template

Use-pairwise-subject-identifiers
client-store/config-backed/client{id}/use-pairwise-subject-identifiers

Enable this when the client must always be issued pairwise pseudonymous subject identifiers instead of public identifiers.

Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/use-pairwise-subject-identifiers
Parameters:sector-identifier

non-empty-string

(optional)

The sector identifier that is used to derive the pairwise pseudonym from, i.e. the pairwise pseudonym is defined for the pair of sector identifier and subject
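
How a sector identifier and a subject combine into a pairwise pseudonym, as an added example that is not Curity's code and not a description of Curity's internal derivation (which this page does not give). It follows the approach in OpenID Connect Core sec. 8.1 (a hash over sector identifier, local account id and a secret salt), using a keyed HMAC over a delimited input rather than the plain concatenation shown in the spec. The salt, account ids and redirect URIs are constructed.

```python
# Added example (not Curity code): pairwise subject identifiers derived per sector.
from __future__ import annotations

import hashlib
import hmac
from urllib.parse import urlsplit


def sector_identifier_for(configured: str | None, redirect_uris: list[str]) -> str:
    """OIDC Core sec. 8.1: without a configured sector identifier, the host of the
    registered redirect URIs is the sector, which only works when they share one host.
    Clients whose redirect URIs span hosts must configure sector-identifier."""
    if configured:
        return configured
    hosts = {urlsplit(u).hostname for u in redirect_uris}
    if len(hosts) != 1 or None in hosts:
        raise ValueError("redirect URIs span several hosts; configure sector-identifier")
    return hosts.pop()


def pairwise_sub(sector_identifier: str, local_account_id: str, salt: bytes) -> str:
    """Stable for one (sector, account) pair, unlinkable across sectors. The keyed HMAC
    over a length-delimited input avoids the ambiguity of plain concatenation
    ('ab'+'c' vs 'a'+'bc') and means nobody without the salt can brute-force a sub
    back to an account id. The salt must be a long-lived server secret: rotating it
    changes every issued sub."""
    msg = sector_identifier.encode("utf-8") + b"\x00" + local_account_id.encode("utf-8")
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()
```

Two clients that share a sector identifier receive the same sub for a user and can correlate accounts; two clients in different sectors receive unrelated values, which is the privacy property the setting exists for.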

Signed-userinfo
client-store/config-backed/client{id}/signed-userinfo

Enable support for returning userinfo as signed JWT

Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/signed-userinfo
Parameters:userinfo-token-issuer

leafref /base:profiles/base:profile[base:id=current()/../../../../../../../base:id][base:type=current()/../../../../../../../base:type]/base:token-issuers/base:custom-token-issuer/base:id

(mandatory)

A token issuer with a purpose of userinfo

Id-token-encryption
client-store/config-backed/client{id}/id-token-encryption

Enable Id token encryption as per JWE specification

Path :

/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/id-token-encryption

Parameters:
  • encryption-key

    leafref /base:facilities/base:crypto/base:encryption-keys/base:encryption-key/base:id

    (mandatory)

    The reference to encryption keystore containing encryption key

  • content-encryption-algorithm

    allowed-content-encryption-algorithms A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM

    (mandatory)

    The encryption algorithm used to encrypt the payload of the JWE token

  • key-management-algorithm

    allowed-asymmetric-key-management-algorithms RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW

    (mandatory)

    The key management algorithm used to encrypt the content encryption key. Only asymmetric algorithms are supported as of 6.5.0.

Attestation
client-store/config-backed/client{id}/attestation
Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/attestation
Parameters:disable-attestation-validation

boolean

(default: false)

If set to true, allow the client to use HAAPI, but disable the validation of the attestation data. This is unsafe and must not be used in production.

Choice: attestation-type
Web
client-store/config-backed/client{id}/attestation/web
Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/attestation/web
Parameters:web-policy

leafref /base:facilities/base:client-attestation/cat:web-policy/cat:id

(optional)

Link to the Web policy to use for this client. If not set, a default policy is used.

Android
client-store/config-backed/client{id}/attestation/android
Path :

/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/attestation/android

Parameters:
  • android-policy

    leafref /base:facilities/base:client-attestation/cat:android-policy/cat:id

    (optional)

    Link to the Android policy to use for this client. If not set, a default policy is used.

  • package-name

    non-empty-string

    (multi-value) (optional)

    Android package name this client can be used from

  • signature-digest

    non-empty-string

    (multi-value) (optional)

    SHA-256 digest of the certificate used to sign approved Android packages, encoded in base64

Ios
client-store/config-backed/client{id}/attestation/ios
Path :

/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/attestation/ios

Parameters:
  • app-id

    non-empty-string

    (mandatory)

    The iOS App ID is the concatenation of the 10-digit team identifier, a period, and the app’s bundle identifier; e.g. ABCDE12345.com.example.app

  • ios-policy

    leafref /base:facilities/base:client-attestation/cat:ios-policy/cat:id

    (optional)

    Link to the iOS policy to use for this client. If not set, a default policy is used.

Properties
client-store/config-backed/client{id}/properties

List of properties that can be configured on a client. These properties can be used from procedures to retrieve properties of the configured client.

Path :/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/properties
Property
client-store/config-backed/client{id}/properties/property{key} (keys ['key'])
Path :

/profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/properties/property{key}

Parameters:

Dynamic-client-registration

dynamic-client-registration
Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration
Parameters:client-data-source

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

Reference to a datasource that stores clients; this datasource is also used to store clients that are registered through Dynamic Client Registration

Templatized

dynamic-client-registration/templatized

Newly registered clients must use an existing one as a sort of template to determine which capabilities, authentication methods, etc. are allowed

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/templatized

Non-templatized

dynamic-client-registration/non-templatized

Allow new clients to be registered which are not based on any existing client configuration

Path :

/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized

Parameters:
  • require-secured-authorization-response

    empty

    (optional)

    If set, then all authorization responses need to be protected according to the ‘JWT Secured Authorization Response Mode for OAuth 2.0’ (JARM) specification

  • require-request-object

    empty

    (optional)

    If set, all authorization requests made by non-templatized dynamic clients must include a request object

  • require-id-token-encryption

    empty

    (optional)

    If set, a client must register with ID token encryption settings. Requires OpenID Connect to be enabled for the profile and the openid scope to be allowed by DCR.

  • default-refresh-token-ttl

    uint32

    (default: 3600)

    The number of seconds the refresh token will be valid. This value can be overridden by the client in the registration request. Setting this value to 0 means that no refresh token will be issued by default.

  • default-refresh-token-max-rolling-lifetime

    uint32

    (optional)

    When set, the default-refresh-token-ttl or the registration overridden value are used to set the expiration of new refresh tokens, until this max value defined in seconds is reached.

  • enable-subject-dn-as-client-id-override

    boolean

    (default: true)

    When enabled, the certificate that a client uses for mutual-TLS authentication (direct or by proxy) is inspected: if its Subject DN contains an OrganizationID (i.e. an RDN with OID 2.5.4.97), that OrganizationID is used as the client_id the new client is registered with. When disabled, a client_id is generated. Defaults to true.

  • credential-manager

    leafref /base:processing/base:credential-managers/base:credential-manager/base:id

    (optional)

    The credential manager that should be used to verify and manage non-templatized dynamic clients’ secrets (note that this setting is obsolete).

  • validate-port-on-loopback-interfaces

    boolean

    (default: true)

    Whether the port should be validated when a client is configured to redirect to the loopback interface. Defaults to true for backwards compatibility. Future versions may default to false, because RFC 8252 (sec. 7.3) says the port should not be validated for loopback redirects, and skipping the check does not generally reduce the security of local redirects. This option cannot be set when a redirect-uri-validation-policy is set, in which case the chosen redirect-uri-validation-policy is used. If validate-port-on-loopback-interfaces is not set, the default redirect-uri-validation-policy of the profile will be used. This setting is deprecated in favour of redirect-uri-validation-policies.

  • redirect-uri-validation-policy

    leafref ../../../redirect-uri-validation-policies/redirect-uri-validation-policy/id

    (optional)

    The redirect URI validation policy to use for all non-templatized clients. This cannot be overridden by a non-templatized client.
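What port validation on loopback redirects actually changes is easiest to see in code. The following is an added example, not Curity's code, of the redirect_uri comparison an authorization endpoint performs for a client that registered a loopback redirect: with the port validated, the request must carry exactly the registered port; without it, only the port is free, and scheme, host, path and query still have to match. Only the literal loopback addresses named in RFC 8252 sec. 7.3 get the relaxation; "localhost" is deliberately excluded because it may resolve elsewhere. The URIs are constructed.

```python
from urllib.parse import urlsplit

# Added example (not Curity's code): matching the redirect_uri of an
# authorization request against a registered loopback redirect, with and
# without port validation. Only the literal loopback addresses of
# RFC 8252 sec. 7.3 are relaxed; "localhost" is deliberately not treated as
# loopback because it may resolve to something else.
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def is_loopback_redirect(uri: str) -> bool:
    parts = urlsplit(uri)
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def redirect_uri_allowed(requested: str, registered: str,
                         validate_port_on_loopback: bool = True) -> bool:
    """True if `requested` may be used by a client that registered `registered`."""
    req, reg = urlsplit(requested), urlsplit(registered)
    if req.fragment or reg.fragment:
        return False  # RFC 6749 sec. 3.1.2: redirect URIs must not contain a fragment
    if not (is_loopback_redirect(requested) and is_loopback_redirect(registered)):
        return requested == registered  # anything that is not loopback: exact string match
    ignore_port = not validate_port_on_loopback

    def key(parts):
        # Everything but the port must still match: an attacker-chosen path or
        # query on 127.0.0.1 is not covered by the RFC 8252 relaxation.
        return (parts.scheme, parts.hostname, parts.path, parts.query,
                None if ignore_port else parts.port)

    try:
        return key(req) == key(reg)
    except ValueError:  # .port raises on a non-numeric port
        return False


def first_matching_redirect_uri(requested: str, registered_uris,
                                validate_port_on_loopback: bool = True):
    """Return the registered URI that `requested` matches, or None."""
    for uri in registered_uris:
        if redirect_uri_allowed(requested, uri, validate_port_on_loopback):
            return uri
    return None


if __name__ == "__main__":
    registered = ["https://app.example.com/cb", "http://127.0.0.1/cb"]
    for requested in ("http://127.0.0.1:51234/cb", "http://localhost:51234/cb",
                      "https://app.example.com/cb"):
        for validate in (True, False):
            match = first_matching_redirect_uri(requested, registered, validate)
            print(f"{requested} (validate port={validate}): {match}")
```

The relaxation exists because a native app obtains an ephemeral port from the operating system at request time and cannot register it in advance; everything else about the URI is still under the server's control, which is why the example keeps exact matching for the remaining components.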

Capabilities
dynamic-client-registration/non-templatized/capabilities
Path :

/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/capabilities

Parameters:
  • code

    empty

    (optional)

    Enables the new client to be registered with the code flow capability

  • implicit

    empty

    (optional)

    Enables the new client to be registered with the implicit flow capability

  • resource-owner-password-credentials

    empty

    (optional)

    Enables the new client to be registered with the password (ROPC) flow capability

  • assisted-token

    empty

    (optional)

    Enables the new client to be registered with the assisted token flow capability. Note that a new client must be registered with at least one framable origin for this capability to be usable.

  • device-authorization

    empty

    (optional)

    Enables the new client to be registered with the device flow capability

  • client-credentials

    empty

    (optional)

    Enables the new client to be registered with the client credentials capability

  • backchannel-authentication

    empty

    (optional)

    Enables the new client to be registered with the backchannel authentication capability

Scopes
dynamic-client-registration/non-templatized/scopes

The scopes that new clients may register with

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/scopes
Choice: all-or-selected
Option: all
param all:

empty

(optional)

Option: selected
param scope:

leafref ../../../../scopes/scope/id

(multi-value) (optional)

Authenticators
dynamic-client-registration/non-templatized/authenticators

The authenticators that new clients may authenticate with

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/authenticators
Choice: all-or-selected
Option: selected
param authenticator:
 

leafref /base:profiles/base:profile[base:id=current()/../../../../authentication-service/authentication-profile]/base:settings/auth:authentication-service/auth:authenticators/auth:authenticator/auth:id

(multi-value) (optional)

An authenticator that new clients may use to authenticate with

Option: all
param all:

empty

(optional)

Backchannel-authenticators
dynamic-client-registration/non-templatized/backchannel-authenticators

The backchannel authenticators that new clients may authenticate with

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/backchannel-authenticators
Choice: all-or-selected
Option: selected
param authenticator:
 

leafref /base:profiles/base:profile[base:id=current()/../../../../authentication-service/authentication-profile]/base:settings/auth:authentication-service/auth:authenticators/auth:backchannel-authenticator/auth:id

(multi-value) (optional)

An authenticator that new clients may use to authenticate with

Option: all
param all:

empty

(optional)

param authenticator-filters:
 

leafref /base:profiles/base:profile[base:id=current()/../../../authentication-service/authentication-profile]/base:settings/auth:authentication-service/auth:authenticator-filters/auth:authenticator-filter/auth:id

(multi-value) (optional)

A subset of the authenticator-filters that new clients may use to filter out certain authenticators during login

Client-authentication-method
dynamic-client-registration/non-templatized/client-authentication-method

Configures how a client authenticates to token, introspect, etc. endpoints.

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/client-authentication-method
Secret
dynamic-client-registration/non-templatized/client-authentication-method/secret

When this is set, dynamically registered clients can be authenticated with a secret.

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/client-authentication-method/secret
Parameters:credential-manager

leafref /base:processing/base:credential-managers/base:credential-manager/base:id

(optional)

The credential manager that should be used to verify and manage non-templatized dynamic clients’ secrets. Note that the data source on the credential manager (if configured) is not used, only the transformation algorithm. The secret is stored with the client metadata in the dynamic client registration data source.

Mutual-tls
dynamic-client-registration/non-templatized/client-authentication-method/mutual-tls

When this is set, dynamically registered client can be authenticated with a client certificate. Depending on the profile settings, this is received through either mutual-tls or mutual-tls-by-proxy

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/client-authentication-method/mutual-tls
Trusted-cas
dynamic-client-registration/non-templatized/client-authentication-method/mutual-tls/trusted-cas
Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/client-authentication-method/mutual-tls/trusted-cas
Choice: all-or-selected
Option: selected
param trusted-ca:
 

leafref /base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id

(multi-value) (optional)

The CAs that may issue a client certificate accepted to authenticate this client.

Option: all
param all:

empty

(optional)

param match-rdn:
 

union

(multi-value) (optional)

Attribute of the subject to match, instead of matching the full subject of the certificate. Can be used to allow the certificate to change (e.g. on renewal) while requiring a specific part of the subject to stay the same. If multiple attributes are configured, they all have to match.

Asymmetrically-signed-jwt
dynamic-client-registration/non-templatized/client-authentication-method/asymmetrically-signed-jwt

When this is set, dynamically registered clients can be authenticated with an asymmetrically signed JWT.

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/client-authentication-method/asymmetrically-signed-jwt
Signature-algorithms
dynamic-client-registration/non-templatized/client-authentication-method/asymmetrically-signed-jwt/signature-algorithms

The allowed signature algorithms used for JWT based authentication

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/client-authentication-method/asymmetrically-signed-jwt/signature-algorithms
Choice: all-or-selected
Option: selected
param signature-algorithm:
 

enumeration RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, ES512, EdDSA

(multi-value) (optional)

The signature algorithms to allow

Option: all
param all:

empty

(optional)

Choice: authentication-method

Configure the authentication method that is needed to make the call to register a new client

param no-authentication:
 

empty

(optional)

When set, no initial token is required for a new client to register

Mutual-tls
dynamic-client-registration/non-templatized/mutual-tls

When set, mutual TLS is required for registration

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/mutual-tls
Parameters:trusted-issuers

leafref /base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id

(multi-value) (optional)

A list of client certificate issuers to trust with client registration. An empty list means all configured SSL client truststores.

Mutual-tls-by-proxy
dynamic-client-registration/non-templatized/mutual-tls-by-proxy

Allow mutual TLS to be terminated in a proxy instead of directly within the identity server

Path :

/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/mutual-tls-by-proxy

Parameters:
  • userid

    string

    (optional)

    User ID credential that the proxy uses to authenticate using HTTP Basic authentication through a Proxy-Authorization header.

  • password

    non-empty-string

    (optional)

    Password credential that the proxy uses to authenticate using HTTP Basic authentication through a Proxy-Authorization header.

  • client-certificate-http-header

    non-empty-string

    (mandatory)

    Name of the HTTP header in which the proxy includes the PEM- or base64-encoded DER representation of the client certificate in the forwarded request. Must be set for mutual-TLS by proxy to work.

  • trusted-issuers

    leafref /base:facilities/base:crypto/base:ssl/base:client-truststore/base:client-certificate/base:id

    (multi-value) (optional)

    A list of client certificate issuers to trust with client registration. An empty list means all configured SSL client truststores.

  • authenticate-user-by

    leafref ../../../client-store/config-backed/client/id

    (multi-value) (optional)

    Reference to other OAuth clients in the profile that may be used to authenticate the user and obtain the initial access token necessary for a new client to register

  • authenticate-client-by

    leafref ../../../client-store/config-backed/client/id

    (multi-value) (optional)

    Reference to other OAuth clients in the profile that may be used to authenticate using client-credentials to obtain the initial access token necessary for a new client to register
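The security of mutual-TLS by proxy rests on the server honouring the certificate header only when the request really came from the proxy: anyone who can reach the server directly could otherwise put an arbitrary certificate in that header. The following is an added example, not Curity's code, of the order of checks on the receiving side: verify the Basic credential in Proxy-Authorization in constant time, then accept the certificate from the configured header as URL-encoded PEM, single-line PEM or base64 DER. The constants stand in for the userid, password and client-certificate-http-header settings and the certificate bytes are placeholders; parsing the DER and checking its issuer against trusted-issuers needs an X.509 library and is not shown.

```python
import base64
import hmac
import re
from urllib.parse import quote, unquote

# Added example (not Curity's code): the order of checks a server must apply
# before trusting a client certificate that a TLS-terminating proxy forwards in
# a header. The header is honoured only after the proxy has authenticated with
# the Basic credential from Proxy-Authorization; otherwise anyone who can reach
# the server directly could forge it. The constants below stand in for the
# userid, password and client-certificate-http-header settings (assumptions).
PROXY_USERID = "edge-proxy"
PROXY_PASSWORD = "s3cret-proxy-pass"
CLIENT_CERT_HEADER = "x-client-cert"

_PEM_MARKERS = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")


class Rejected(Exception):
    pass


def proxy_authenticated(headers: dict) -> bool:
    """Check Proxy-Authorization: Basic base64(userid:password), in constant time."""
    scheme, _, creds = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic" or not creds:
        return False
    try:
        decoded = base64.b64decode(creds.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    userid, _, password = decoded.partition(":")
    user_ok = hmac.compare_digest(userid.encode(), PROXY_USERID.encode())
    pass_ok = hmac.compare_digest(password.encode(), PROXY_PASSWORD.encode())
    return user_ok & pass_ok  # '&' not 'and': both comparisons always run


def forwarded_client_cert_der(headers: dict) -> bytes:
    """Return the DER certificate from the configured header, or raise Rejected."""
    if not proxy_authenticated(headers):
        raise Rejected("proxy did not authenticate; forwarded certificate ignored")
    raw = headers.get(CLIENT_CERT_HEADER)
    if raw is None:
        raise Rejected("no client certificate in forwarded request")
    # Header values cannot contain newlines, so proxies usually URL-encode the PEM
    # or collapse it to one line; accept both, and plain base64 DER.
    body = re.sub(r"\s+", "", _PEM_MARKERS.sub("", unquote(raw)))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        raise Rejected("header is neither PEM nor base64 DER") from None
    if not der.startswith(b"\x30"):  # an X.509 Certificate is an ASN.1 SEQUENCE
        raise Rejected("forwarded value is not a DER certificate")
    # From here a real server parses the DER and checks the issuer against
    # trusted-issuers; that step needs an X.509 library and is not shown.
    return der


def classify(headers: dict) -> str:
    """'accepted' or the rejection reason, for the demo below."""
    try:
        forwarded_client_cert_der(headers)
        return "accepted"
    except Rejected as e:
        return str(e)


# Constructed sample requests (header names lower-cased, as most frameworks do):
SAMPLE_DER = b"\x30\x10" + bytes(range(16))  # placeholder bytes, not a parseable certificate
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")
_GOOD_AUTH = "Basic " + base64.b64encode(f"{PROXY_USERID}:{PROXY_PASSWORD}".encode()).decode("ascii")
GOOD_HEADERS = {"proxy-authorization": _GOOD_AUTH, CLIENT_CERT_HEADER: quote(SAMPLE_PEM, safe="")}
RAW_DER_HEADERS = {"proxy-authorization": _GOOD_AUTH,
                   CLIENT_CERT_HEADER: base64.b64encode(SAMPLE_DER).decode("ascii")}
NO_AUTH_HEADERS = {CLIENT_CERT_HEADER: GOOD_HEADERS[CLIENT_CERT_HEADER]}
BAD_PASSWORD_HEADERS = {**GOOD_HEADERS,
                        "proxy-authorization": "Basic " + base64.b64encode(b"edge-proxy:wrong").decode()}

if __name__ == "__main__":
    for name, h in [("good", GOOD_HEADERS), ("no proxy auth", NO_AUTH_HEADERS),
                    ("bad password", BAD_PASSWORD_HEADERS)]:
        print(f"{name}: {classify(h)}")
```

Two details are easy to get wrong in practice: the proxy credential check must not short-circuit on the user ID (hence the bitwise `&`), and the proxy itself must strip any client-supplied copy of the certificate header before adding its own, or the credential check protects nothing.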

Sector-identifier-http-clients
dynamic-client-registration/non-templatized/sector-identifier-http-clients

A list of sectors and their associated HTTP client that will be used to validate a request for a dynamic client to be in a certain sector. When a non-templatized request is made for some sector that is not configured, the default SSL context, name verifier, trust anchors, etc. will be used.

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/sector-identifier-http-clients
Sector-identifier-http-client
dynamic-client-registration/non-templatized/sector-identifier-http-clients/sector-identifier-http-client{sector-identifier} (keys ['sector-identifier'])

A mapping of a sector identifier to the HTTP client that will be used to validate requests from a non-templatized dynamic client wishing to join that sector

Path :

/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/sector-identifier-http-clients/sector-identifier-http-client{sector-identifier}

Parameters:
  • sector-identifier

    uri

    (mandatory)

    The sector identifier for which the HTTP client should be used

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    The HTTP client that will be used to resolve the JSON necessary to validate a non-templatized client’s request to be in the associated sector.

Http-client-mappings
dynamic-client-registration/non-templatized/http-client-mappings

The list of HTTP client mappings. Each mapping associates a URL and a usage set with the HTTP client ID that should be used in that context

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/http-client-mappings
Http-client-mapping
dynamic-client-registration/non-templatized/http-client-mappings/http-client-mapping{url} (keys ['url'])

The list of HTTP client mappings. When looking up the HTTP client ID to use, this list is processed in sequence

Path :

/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/http-client-mappings/http-client-mapping{url}

Parameters:
  • url

    uri

    (mandatory)

    The allowed URL for the mapping’s HTTP client ID. Can have a wildcard at the end of the path.

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    The HTTP client ID to use if the mapping URL and usage match the requirements

  • usage

    enumeration sector-verification, request-object, jwks, backchannel-logout

    (multi-value) (optional)

    The allowed usages for the associated HTTP client ID

Consentors
dynamic-client-registration/non-templatized/user-consent/consentors

The default consentors for a dynamically registered client. If empty, all the profile’s consentors will be used

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/user-consent/consentors
Parameters:consentor

leafref ../../../../../consentors/consentor/id

(multi-value) (optional)

A consentor that new clients may use.

Signed-userinfo-token-issuers
dynamic-client-registration/non-templatized/signed-userinfo-token-issuers

Enable support for returning userinfo as signed JWT

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/signed-userinfo-token-issuers
Choice: all-or-selected
Option: all
param all:

empty

(optional)

Option: selected
param token-issuer:
 

leafref /base:profiles/base:profile[base:id=current()/../../../../../../base:id][base:type=current()/../../../../../../base:type]/base:token-issuers/base:custom-token-issuer/base:id

(multi-value) (optional)

A token issuer that can be selected to issue userinfo as signed JWT

Signed-id-token-issuers
dynamic-client-registration/non-templatized/signed-id-token-issuers

Configure how a signed id-token can be returned for dynamically registered clients. If this container is not present, the profile’s token issuer settings will be applicable.

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/signed-id-token-issuers
Choice: profile-or-all-or-selected
param profile:

empty

(optional)

Use the default JWT token issuer settings of the profile to issue id tokens

All
dynamic-client-registration/non-templatized/signed-id-token-issuers/all

All token issuers with purpose ‘id_token’ can be used by dynamically registered clients

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/signed-id-token-issuers/all
Parameters:default-token-issuer

leafref /base:profiles/base:profile[base:id=current()/../../../../../../../base:id][base:type=current()/../../../../../../../base:type]/base:token-issuers/base:custom-token-issuer/base:id

(optional)

The default id-token-issuer to use when nothing is specified explicitly during client registration

Selected
dynamic-client-registration/non-templatized/signed-id-token-issuers/selected

Selection of token issuers with purpose ‘id_token’ can be used by dynamically registered clients

Path :

/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/signed-id-token-issuers/selected

Parameters:
  • default-token-issuer

    leafref ../token-issuer

    (optional)

    The default id-token-issuer to use when nothing is specified explicitly

  • token-issuer

    leafref /base:profiles/base:profile[base:id=current()/../../../../../../../base:id][base:type=current()/../../../../../../../base:type]/base:token-issuers/base:custom-token-issuer/base:id

    (multi-value) (optional)

    A token issuer that can be selected to issue a signed id token

Require-pushed-authorization-requests
dynamic-client-registration/non-templatized/require-pushed-authorization-requests

Clients must register with require-pushed-authorization-requests; if this is not enabled here, the profile settings for require-pushed-authorization-requests are followed.

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/non-templatized/require-pushed-authorization-requests
Parameters:allow-per-request-redirect-uris

boolean

(default: false)

Allow clients to register with the allow per request redirect uri setting. Can only be enabled for the code flow with pushed authorization requests and when this setting is allowed on the profile. Defaults to false. This setting is deprecated in favour of redirect-uri-validation-policies.

Client-management

dynamic-client-registration/client-management

Enable, to allow dynamically registered clients to update their configuration and delete themselves.

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/client-management
Registration-token
dynamic-client-registration/client-management/registration-token

Registration access token settings (e.g., how long it should last, etc.)

Path :

/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/client-management/registration-token

Parameters:
  • ttl

    uint32

    (default: 365)

    The TTL (in days) of the Registration Token.

  • read-write-ttl

    uint32

    (default: 28)

    The period of time (in days) a Registration Token can be used for updating and reading the configuration of dynamically registered clients. After this expiration, a Registration Token can only be used for deleting a client.

  • confirm-certificate-binding

    boolean

    (default: false)

    When set to true, any Mutual-TLS certificate binding present on the Registration Token will be confirmed. If present, Mutual-TLS bindings on Management Tokens issued to Management Clients will always be confirmed regardless of this setting.

  • reuse

    boolean

    (default: false)

    Defines whether the same registration access token is reused across reads and updates, or a new one is created on every read/update
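The three settings above describe a small state machine for the registration access token. The following is an added example, not Curity's code, that models it: read and update are permitted inside read-write-ttl, delete until ttl, nothing afterwards, and with reuse set to false every read or update hands out a fresh token and revokes the old one. Two choices are this example's own assumptions: a rotated token inherits the original issue time, so the windows are measured from the original registration rather than restarting on every read, and the token and timestamps are constructed.

```python
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Added example (not Curity's code): the life cycle of a registration access
# token under `ttl`, `read-write-ttl` and `reuse`, as read from the
# descriptions above. Two choices are this example's own: read/update inside
# read-write-ttl, delete until ttl, nothing afterwards; and with reuse=false a
# rotated token inherits the original issue time, so the windows are measured
# from the original registration rather than restarting on every read.


class RegistrationTokenError(Exception):
    pass


class RegistrationTokenStore:
    def __init__(self, ttl_days: int = 365, read_write_ttl_days: int = 28, reuse: bool = False):
        self.ttl = timedelta(days=ttl_days)
        self.read_write_ttl = timedelta(days=read_write_ttl_days)
        self.reuse = reuse
        self._tokens = {}  # token -> (client_id, issued_at)

    def issue(self, client_id: str, now: datetime, issued_at: Optional[datetime] = None) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (client_id, issued_at or now)
        return token

    def is_valid(self, token: str) -> bool:
        return token in self._tokens

    def authorize(self, token: str, operation: str, now: datetime) -> Tuple[str, Optional[str]]:
        """Return (client_id, token the response must carry) or raise RegistrationTokenError."""
        if operation not in ("read", "update", "delete"):
            raise ValueError(f"unknown operation {operation!r}")
        record = self._tokens.get(token)
        if record is None:
            raise RegistrationTokenError("unknown or revoked registration token")
        client_id, issued_at = record
        age = now - issued_at
        if age >= self.ttl:
            del self._tokens[token]  # past ttl: nothing is allowed, drop it
            raise RegistrationTokenError("registration token expired")
        if operation == "delete":
            del self._tokens[token]  # the client is gone, and so is its token
            return client_id, None
        if age >= self.read_write_ttl:
            raise RegistrationTokenError("read-write period over; only delete is permitted")
        if self.reuse:
            return client_id, token
        del self._tokens[token]  # rotate: the old token stops working immediately
        return client_id, self.issue(client_id, now, issued_at=issued_at)


def outcome(store: RegistrationTokenStore, token: str, operation: str, now: datetime) -> str:
    """'ok' or the rejection reason, for the demo below."""
    try:
        store.authorize(token, operation, now)
        return "ok"
    except RegistrationTokenError as e:
        return str(e)


DEMO_T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed registration time


def at(days: float) -> datetime:
    return DEMO_T0 + timedelta(days=days)


if __name__ == "__main__":
    store = RegistrationTokenStore()
    token = store.issue("client-1", at(0))
    _, token = store.authorize(token, "read", at(27))  # rotated, still inside read-write-ttl
    print(outcome(store, token, "update", at(29)))      # only delete permitted
    print(outcome(store, token, "delete", at(300)))     # ok
```

With reuse set to false a client that stores the token must replace it with the one returned in every read or update response; with reuse set to true a leaked token stays usable until read-write-ttl runs out, which is the trade-off the setting expresses.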

Management-clients
dynamic-client-registration/client-management/management-clients

The OAuth clients allowed to manage ALL dynamically registered clients.

Path :/profiles/profile{id, type}/settings/authorization-server/dynamic-client-registration/client-management/management-clients
Parameters:management-client

leafref ../../../../client-store/config-backed/client/id

(multi-value) (optional)

An OAuth client allowed to manage ALL dynamically registered clients.

Dpop

dpop

Configure custom DPoP behavior

Path :/profiles/profile{id, type}/settings/authorization-server/dpop
Parameters:proof-token-clock-skew

uint32

(default: 10)

Maximum allowed clock skew for DPoP proof tokens, in the future or in the past.
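The skew is applied symmetrically: a proof whose `iat` is up to that many units ahead of or behind the server clock is accepted, anything beyond is rejected. The following is an added example, not Curity's code, of the claim-level checks a token endpoint or resource server applies to a DPoP proof (RFC 9449) with that window, plus the other cheap rejections that come before signature verification: `typ`, an asymmetric `alg`, a public `jwk`, `htm`/`htu` binding and `jti` replay. Assumptions: the skew is in seconds, the URL and key coordinates are placeholders, and verifying the signature with the embedded `jwk` is left to a JOSE library.

```python
import base64
import json

# Added example (not Curity's code): the claim-level checks a token endpoint or
# resource server applies to a DPoP proof (RFC 9449), with the `iat` window
# driven by proof-token-clock-skew. Assumptions: the skew is in seconds, the
# demo URL and key coordinates are placeholders, and signature verification
# with the embedded `jwk` is left to a JOSE library and not shown; these checks
# run before it so that a replayed or stale proof is rejected cheaply.
PROOF_TOKEN_CLOCK_SKEW = 10
DEMO_URL = "https://as.example.com/token"
DEMO_NOW = 1_700_000_000


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def check_dpop_proof(proof: str, method: str, url: str, now: int, seen_jti: set,
                     skew: int = PROOF_TOKEN_CLOCK_SKEW) -> dict:
    """Validate header and claims of a DPoP proof; return the claims or raise ValueError."""
    try:
        header_b64, claims_b64, _signature_b64 = proof.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:
        raise ValueError("malformed proof") from None
    if header.get("typ") != "dpop+jwt":
        raise ValueError("typ must be dpop+jwt")
    alg = str(header.get("alg", ""))
    if alg == "none" or alg.startswith("HS"):
        raise ValueError("alg must be asymmetric")  # RFC 9449 sec. 4.2
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or "d" in jwk:
        raise ValueError("jwk must be present and must not carry a private key")
    if claims.get("htm") != method.upper():
        raise ValueError("htm does not match request method")
    if claims.get("htu") != url.split("?", 1)[0].split("#", 1)[0]:
        raise ValueError("htu does not match request URL")  # htu has no query or fragment
    iat = claims.get("iat")
    # The proof may be up to `skew` seconds in the future (client clock ahead)
    # or in the past (client clock behind, or network delay).
    if not isinstance(iat, int) or not (now - skew <= iat <= now + skew):
        raise ValueError(f"iat outside the +/-{skew}s window")
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti:
        raise ValueError("jti missing")
    if jti in seen_jti:  # a real cache only needs to remember jtis for 2*skew seconds
        raise ValueError("proof replayed")
    seen_jti.add(jti)
    return claims


def build_unsigned_proof(method: str, url: str, iat: int, jti: str, jwk: dict = None) -> str:
    """Constructed proof for the demo; a real proof is signed with the key in `jwk`."""
    jwk = jwk or {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    claims = {"jti": jti, "htm": method, "htu": url, "iat": iat}
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}.{_b64url_encode(b'placeholder-signature')}"


def outcome(proof: str, method: str, url: str, now: int, seen_jti: set = None) -> str:
    """'ok' or the rejection reason, for the demo below."""
    try:
        check_dpop_proof(proof, method, url, now, set() if seen_jti is None else seen_jti)
        return "ok"
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    for offset in (-11, -10, 0, 10, 11):
        proof = build_unsigned_proof("POST", DEMO_URL, DEMO_NOW + offset, f"jti-{offset}")
        print(f"iat = now{offset:+d}s: {outcome(proof, 'POST', DEMO_URL, DEMO_NOW)}")
```

The skew also bounds the replay cache: because any `iat` outside the window is rejected regardless of `jti`, a server only has to remember seen `jti` values for twice the skew, which is what keeps a per-request proof check cheap.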

Verifiable-credentials

verifiable-credentials

Container with the configuration of all the different types of Verifiable Credentials

Path :/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials
Parameters:name

non-empty-string

(optional)

The name for credential issuer

W3c

verifiable-credentials/w3c

container for settings shared by one or more verifiable-credential entries using the W3C data model

Path :/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/w3c
Type
verifiable-credentials/w3c/type{id} (keys ['id'])
Path :

/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/w3c/type{id}

Parameters:
Claim
verifiable-credentials/w3c/type{id}/claim{name} (keys ['name'])

A claim associated to this type

Path :

/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/w3c/type{id}/claim{name}

Parameters:
  • name

    leafref ../../../../../claims/claim/name

    (mandatory)

    the claim name

  • mandatory

    boolean

    (default: false)

    Defines if the claim is mandatory for the current type

  • scope

    leafref ../../../../scopes/scope/id

    (multi-value) (optional)

    All the claims of this scope will be associated to this type. These claims will be non-mandatory, unless directly associated to this type with the ‘mandatory’ setting set to true

Vc-sd-jwt

verifiable-credentials/vc-sd-jwt

container for settings shared by one or more verifiable-credential entries using the SD-JWT VC data model

Path :/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/vc-sd-jwt
Type
verifiable-credentials/vc-sd-jwt/type{id} (keys ['id'])
Path :/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/vc-sd-jwt/type{id}
Parameters:id

uri

(mandatory)

The verifiable credential type identifier, used in the ‘vct’ claim defined by SD-JWT VC

Claim
verifiable-credentials/vc-sd-jwt/type{id}/claim{name} (keys ['name'])

A claim associated to this type

Path :

/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/vc-sd-jwt/type{id}/claim{name}

Parameters:
  • name

    leafref ../../../../../claims/claim/name

    (mandatory)

    the claim name

  • mandatory

    boolean

    (default: false)

    Defines if the claim is mandatory for the current type

Selective-disclosure
verifiable-credentials/vc-sd-jwt/type{id}/claim{name}/selective-disclosure
Path :

/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/vc-sd-jwt/type{id}/claim{name}/selective-disclosure

Parameters:
  • only-properties

    boolean

    (default: false)

    Only claim properties should be selectively disclosable, not the whole claim

  • property-path

    non-empty-string

    (multi-value) (optional)

    The path to a nested property that should be selectively disclosable, where each path segment is separated by a ‘/’
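How these two settings translate into the credential itself follows from the SD-JWT mechanics: a disclosable claim or property is removed from the payload and replaced by a salted digest in an `_sd` array, while the holder keeps the disclosure and decides which ones to present. The following is an added example, not Curity's code, that implements the issuer and verifier side of that for a constructed SD-JWT VC payload, with `property-path` segments split on ‘/’ and `only-properties` deciding whether the whole claim is wrapped as well; the reading of the two settings is this example's own, and signing the resulting payload is not shown.

```python
import base64
import hashlib
import json
import secrets
from typing import Optional

# Added example (not Curity's code): how the `only-properties` and
# `property-path` settings map onto SD-JWT mechanics (IETF SD-JWT): a claim
# or nested property is replaced by a salted digest in an `_sd` array, and
# the holder decides which disclosures to hand to a verifier. The reading of
# the two settings is this example's own; the payload below is constructed.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_disclosure(name: str, value, salt: Optional[str] = None):
    """Return (disclosure, digest): the holder keeps the disclosure, the JWT carries the digest."""
    salt = salt or _b64url(secrets.token_bytes(16))  # fresh 128-bit salt per disclosure
    disclosure = _b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())
    digest = _b64url(hashlib.sha256(disclosure.encode("ascii")).digest())
    return disclosure, digest


def verify_disclosure(disclosure: str, digests) -> bool:
    """Verifier side: accept a disclosure only if its digest is in the `_sd` array it claims."""
    return _b64url(hashlib.sha256(disclosure.encode("ascii")).digest()) in set(digests)


def apply_selective_disclosure(payload: dict, claim_name: str, only_properties: bool = False,
                               property_paths=(), salt: Optional[str] = None):
    """Rewrite `payload` so the claim, or only the listed nested properties, is disclosable.

    Each property-path ("a/b/c") becomes its own disclosure at its nesting level.
    Unless only_properties is true, the whole claim is wrapped as well, so the holder
    can hide the claim entirely or reveal it with selected parts still hidden.
    Returns (new_payload, disclosures). A production issuer also adds decoy digests
    and shuffles each `_sd` array so ordering leaks nothing.
    """
    out = json.loads(json.dumps(payload))  # deep copy; the caller's dict is untouched
    out["_sd_alg"] = "sha-256"
    disclosures = []
    for path in property_paths:
        *parents, leaf = path.split("/")
        node = out[claim_name]
        for segment in parents:
            node = node[segment]
        disclosure, digest = make_disclosure(leaf, node.pop(leaf), salt)
        node.setdefault("_sd", []).append(digest)
        disclosures.append(disclosure)
    if not only_properties:
        disclosure, digest = make_disclosure(claim_name, out.pop(claim_name), salt)
        out.setdefault("_sd", []).append(digest)
        disclosures.append(disclosure)
    return out, disclosures


# Constructed payload of an SD-JWT VC (before signing), not real data:
SAMPLE_PAYLOAD = {
    "iss": "https://issuer.example.com",
    "vct": "https://credentials.example.com/identity_credential",
    "given_name": "Erika",
    "address": {
        "street_address": "Schulstr. 12",
        "locality": "Schulpforta",
        "country": "DE",
        "geo": {"lat": 51.05, "lon": 11.75},
    },
}

if __name__ == "__main__":
    hidden, disclosures = apply_selective_disclosure(
        SAMPLE_PAYLOAD, "address", only_properties=True,
        property_paths=["street_address", "geo/lat"])
    print(json.dumps(hidden, indent=2))
    print("disclosures:", disclosures)
```

The salt is what makes the digest safe to publish: without it a verifier, or anyone holding the signed JWT, could confirm a guessed value by hashing it, which is the failure mode selective disclosure exists to avoid.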

Verifiable-credential

verifiable-credentials/verifiable-credential{id} (keys ['id'])

The settings for a specific type of verifiable credential

Path :

/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/verifiable-credential{id}

Parameters:
  • id

    non-empty-string

    (mandatory)

    The unique identifier for this type of verifiable credential

  • name

    non-empty-string

    (mandatory)

    The name for this type of verifiable credential

  • description

    non-empty-string

    (optional)

    The description of this type of verifiable credential

  • logo

    string

    (optional)

    A logo for this type of verifiable credential

  • credential-ttl

    token-time-to-live

    (mandatory)

    Defines the duration of the credential before expiration, in seconds

Choice: data-model
Option: w3c-vc
W3c-vc
verifiable-credentials/verifiable-credential{id}/w3c-vc

Settings specific to the W3C Verifiable Credential data model

Path :/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/verifiable-credential{id}/w3c-vc
Context
verifiable-credentials/verifiable-credential{id}/w3c-vc/context{id} (keys ['id'])

A Verifiable Credential context to be added to the ‘@context’ field

Path :/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/verifiable-credential{id}/w3c-vc/context{id}
Parameters:id

non-empty-string

(mandatory)

Choice: context-type
Option: uri
param uri:

uri

(optional)

The context’s URI

param type:

leafref ../../../w3c/type/id

(multi-value) (optional)

A type of the verifiable credential, to be added on the ‘type’ field. The verifiable credential types also define the included subject claims.

Schema
verifiable-credentials/verifiable-credential{id}/w3c-vc/schema{id} (keys ['id'])

A credential schema

Path :

/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/verifiable-credential{id}/w3c-vc/schema{id}

Parameters:
  • id

    uri

    (mandatory)

    The schema id (URI identifying the schema file)

  • type

    non-empty-string

    (mandatory)

    The schema type, such as ‘JsonSchemaValidator2018’

  • token-issuer

    leafref ../../../../../../base:token-issuers/base:custom-token-issuer/base:id

    (multi-value) (optional)

    Token issuer used to create the signed verifiable credential

Issuer
verifiable-credentials/verifiable-credential{id}/w3c-vc/issuer

The verifiable credential issuer ID

Path :/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/verifiable-credential{id}/w3c-vc/issuer
Choice: issuer-source
Option: infer-from-kid
param infer-from-kid:
 

empty

(optional)

Infer the issuer ID from the KID, when the KID is a DID URL

Option: uri
param uri:

uri

(optional)

Explicit issuer URI

Allowed-subject-did-methods
verifiable-credentials/verifiable-credential{id}/w3c-vc/allowed-subject-did-methods

Allowed DID methods for credential subject binding

Path :/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/verifiable-credential{id}/w3c-vc/allowed-subject-did-methods
Choice: all-or-list
Option: all
param all:

empty

(optional)

allow all supported DID methods

Option: selected
param method:

enumeration ebsi, key, jwk

(multi-value) (optional)

Option: vc-sd-jwt
Vc-sd-jwt
verifiable-credentials/verifiable-credential{id}/vc-sd-jwt

Settings specific to the SD-JWT VC data model

Path :

/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/verifiable-credential{id}/vc-sd-jwt

Parameters:
  • type

    leafref ../../../vc-sd-jwt/type/id

    (mandatory)

    The type of the verifiable credential, to be added on the ‘vct’ field. The verifiable credential types also define the included subject claims.

  • token-issuer

    leafref ../../../../../../base:token-issuers/base:custom-token-issuer/base:id

    (mandatory)

    Token issuer used to create the signed verifiable credential

Expose-metadata

verifiable-credentials/expose-metadata

This section specifies what metadata is exposed for the verifiable credentials issuer

Path :/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/expose-metadata
Parameters:cache-duration

uint32

(default: 600)

The number of seconds that the metadata can be cached as network resource, as used in HTTP response headers.

Credential-endpoint
verifiable-credentials/expose-metadata/credential-endpoint

The oauth-credential-endpoint to include in the published OpenID4VCI metadata. This is required when more than one oauth-credential-endpoint is deployed on this profile.

Path :

/profiles/profile{id, type}/settings/authorization-server/verifiable-credentials/expose-metadata/credential-endpoint

Parameters:
  • endpoint

    leafref ../../../../../../base:endpoints/base:endpoint/base:id

    (mandatory)

    The endpoint ID

  • base-url

    uri

    (optional)

    The external base URL to report for this endpoint

Endpoints

endpoints

Endpoints describe an instance of an endpoint kind. An endpoint ties together the endpoint-kind with a profile and a URI; the endpoint is then deployed on a service.

Path :/profiles/profile{id, type}/endpoints

Endpoint

endpoints/endpoint{id} (keys ['id'])
Path :

/profiles/profile{id, type}/endpoints/endpoint{id}

Parameters:
  • id

    string

    (mandatory)

  • uri

    uri

    (mandatory)

    The URI endpoint that will respond to requests for this endpoint

  • client-authentication

    enumeration disallow, allow, require

    (default: disallow)

    Specify whether mutual TLS is required, allowed, or not allowed when accessing this endpoint

  • endpoint-kind

    endpoint-types oauth-token, oauth-authorize, oauth-revoke, oauth-introspect, oauth-assisted-token, oauth-anonymous, oauth-userinfo, oauth-dynamic-client-registration, oauth-device-authorization, oauth-session, oauth-backchannel-authentication, oauth-client-graphql-api, oauth-verifiable-credential, auth-authentication, auth-registration, auth-anonymous, um-api, um-graphql-api, apps-anonymous

    (mandatory)

    The definition needed for this endpoint

  • pre-processing-procedure

    leafref /processing/procedures/pre-processing-procedure/id

    (optional)

  • post-processing-procedure

    leafref /processing/procedures/post-processing-procedure/id

    (optional)

Authorize-endpoint-procedures

endpoints/endpoint{id}/authorize-endpoint-procedures{flow} (keys ['flow'])
Path :/profiles/profile{id, type}/endpoints/endpoint{id}/authorize-endpoint-procedures{flow}
Parameters:flow

identityref

(mandatory)

Choice: procedure-or-plugin

The assigned procedure as a JavaScript or a plugin

param procedure:
 

leafref /processing/procedures/token-procedure[flow=current()/../flow]/id

(optional)

The JavaScript token procedure to use

Token-endpoint-procedures

endpoints/endpoint{id}/token-endpoint-procedures{flow} (keys ['flow'])
Path :/profiles/profile{id, type}/endpoints/endpoint{id}/token-endpoint-procedures{flow}
Parameters:flow

identityref

(mandatory)

Choice: procedure-or-plugin

The assigned procedure as a JavaScript or a plugin

param procedure:
 

leafref /processing/procedures/token-procedure[flow=current()/../flow]/id

(optional)

The JavaScript token procedure to use

Introspect-endpoint-procedures

endpoints/endpoint{id}/introspect-endpoint-procedures{flow} (keys ['flow'])
Path :/profiles/profile{id, type}/endpoints/endpoint{id}/introspect-endpoint-procedures{flow}
Parameters:flow

identityref

(mandatory)

Choice: procedure-or-plugin

The assigned procedure as a JavaScript or a plugin

param procedure:
 

leafref /processing/procedures/token-procedure[flow=current()/../flow]/id

(optional)

The JavaScript token procedure to use

Assisted-token-endpoint-procedures

endpoints/endpoint{id}/assisted-token-endpoint-procedures{flow} (keys ['flow'])
Path :/profiles/profile{id, type}/endpoints/endpoint{id}/assisted-token-endpoint-procedures{flow}
Parameters:flow

identityref

(mandatory)

Choice: procedure-or-plugin

The assigned procedure as a JavaScript or a plugin

param procedure:
 

leafref /processing/procedures/token-procedure[flow=current()/../flow]/id

(optional)

The JavaScript token procedure to use

Userinfo-endpoint-procedures

endpoints/endpoint{id}/userinfo-endpoint-procedures{flow} (keys ['flow'])
Path :/profiles/profile{id, type}/endpoints/endpoint{id}/userinfo-endpoint-procedures{flow}
Parameters:flow

identityref

(mandatory)

Choice: procedure-or-plugin

The assigned procedure as a JavaScript or a plugin

param procedure:
 

leafref /processing/procedures/token-procedure[flow=current()/../flow]/id

(optional)

The JavaScript token procedure to use

Verifiable-credential-endpoint-procedures

endpoints/endpoint{id}/verifiable-credential-endpoint-procedures{flow} (keys ['flow'])
Path :/profiles/profile{id, type}/endpoints/endpoint{id}/verifiable-credential-endpoint-procedures{flow}
Parameters:flow

identityref

(mandatory)

Choice: procedure-or-plugin
param procedure:
 

leafref /processing/procedures/token-procedure[flow=current()/../flow]/id

(mandatory)

Device-authorization-procedures

endpoints/endpoint{id}/device-authorization-procedures{flow} (keys ['flow'])
Path :/profiles/profile{id, type}/endpoints/endpoint{id}/device-authorization-procedures{flow}
Parameters:flow

identityref

(mandatory)

Choice: procedure-or-plugin

The assigned procedure as a JavaScript or a plugin

param procedure:
 

leafref /processing/procedures/token-procedure[flow=current()/../flow]/id

(optional)

The JavaScript token procedure to use

Token-issuers

token-issuers

Issuers of tokens for this profile

Path :/profiles/profile{id, type}/token-issuers

Custom-token-issuer

token-issuers/custom-token-issuer{id, issuer-type, purpose-type} (keys ['id', 'issuer-type', 'purpose-type'])

All custom token issuers

Path :

/profiles/profile{id, type}/token-issuers/custom-token-issuer{id, issuer-type, purpose-type}

Parameters:
  • id

    string

    (mandatory)

    The unique identifier of the issuer (per profile)

  • issuer-type

    token-issuer-type jwt, opaque, wrapped-opaque, sd-jwt

    (mandatory)

    Indicates the type of issuer this is; it determines which settings apply (jwt, ref, etc.)

  • purpose-type

    token-purpose-type access_token, refresh_token, id_token, nonce, generic, userinfo, verifiable_credential

    (mandatory)

    The purpose of the token produced by this issuer

Data-sources

token-issuers/custom-token-issuer{id, issuer-type, purpose-type}/data-sources
Path :/profiles/profile{id, type}/token-issuers/custom-token-issuer{id, issuer-type, purpose-type}/data-sources
Parameters:tokens-data-source-id

leafref /facilities/data-sources/data-source/id

(optional)

The data source used for token persistence, which can be different from the delegation data source.

Jwt

token-issuers/custom-token-issuer{id, issuer-type, purpose-type}/jwt
Path :

/profiles/profile{id, type}/token-issuers/custom-token-issuer{id, issuer-type, purpose-type}/jwt

Parameters:
  • clock-skew

    uint32

    (default: 60)

    The number of seconds that token lifetimes and issue times should be skewed to accommodate for clocks that may be out of sync

  • include-key-identifier

    boolean

    (default: true)

    Indicate whether to include the ‘kid’-claim in the JWT header.

  • include-sha-1-thumbprint

    boolean

    (default: true)

    Indicate whether to include the ‘x5t’-claim in the JWT header, that contains the SHA-1 thumbprint of the X.509 certificate.

  • include-sha-256-thumbprint

    boolean

    (default: false)

    Indicate whether to include the ‘x5t#S256’-claim in the JWT header, that contains the SHA-256 thumbprint of the X.509 certificate.

  • include-x509-certificate-chain

    boolean

    (default: false)

    Indicate whether to include the ‘x5c’-claim in the JWT header, that contains the X.509 public key certificate or certificate chain.

  • include-jwks

    boolean

    (default: false)

    Indicate whether to include the ‘jwk’-claim in the JWT header, which contains the verification key or the key that was used to encrypt the JWT.

  • include-jwks-uri

    boolean

    (default: false)

    Indicate whether to include the ‘jku’-claim in the JWT header, which contains the URL of the JWK Set resource that holds the verification key or the key that was used to encrypt the JWT. Note that tokens that are not issued in an OpenID Connect or OAuth context will not be able to include this field in the JWT header.

  • include-x5t-in-jwks

    boolean

    (default: true)

    Indicate whether to include the certificate thumbprint (‘x5t’) in the JWKS endpoint

  • include-x5c-in-jwks

    boolean

    (default: false)

    Indicate whether to include the certificate (‘x5c’) in the JWKS endpoint

  • algorithm

    jwt-algorithm RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512, ES256, ES384, ES512, EdDSA

    (default: RS256)

    The signing algorithm to use

  • signing-key-id

    leafref /base:facilities/base:crypto/base:signing-keys/base:signing-key/base:id

    (mandatory)

    A reference to a signing key entry in crypto facilities. Also used for signature verification if no signature verification key is selected.

  • verification-keystore-id

    leafref /base:facilities/base:crypto/base:signature-verification-keys/base:signature-verification-key/base:id

    (optional)

    A reference to the key used to verify a signature issued by this token issuer. Must be of the same type as the selected signing key.

Default-token-issuer

token-issuers/default-token-issuer

These settings define the default token issuers. They are needed if no custom issuer is mapped. The default token procedures assume that these are available.

Path :

/profiles/profile{id, type}/token-issuers/default-token-issuer

Parameters:
  • access-token-as-jwt

    empty

    (optional)

    Indicates whether to issue the Access Token as JWT

  • default-data-source

    leafref /base:facilities/base:data-sources/base:data-source/base:id

    (mandatory)

    The default data-source used for token persistence

  • use-wrapped-opaque-tokens

    empty

    (optional)

    Indicates whether the default token issuers return a wrapper JWT instead of an opaque reference as the token artifact. The claims that go into this JWT can be configured using claim mappers. Note that these claims are different from the claims that go into the main token data, which are available via token introspection. This applies to all default access tokens, refresh tokens and authorization codes, with the exception of DCR Management tokens which are always reference tokens.

Jwt-issuer-settings

token-issuers/default-token-issuer/jwt-issuer-settings
Path :

/profiles/profile{id, type}/token-issuers/default-token-issuer/jwt-issuer-settings

Parameters:
  • clock-skew

    uint32

    (default: 3)

    The number of seconds that token lifetimes and issue times should be skewed to accommodate for clocks that may be out of sync

  • include-key-identifier

    boolean

    (default: true)

    Indicate whether to include the ‘kid’-claim in the JWT header.

  • include-sha-1-thumbprint

    boolean

    (default: true)

    Indicate whether to include the ‘x5t’-claim in the JWT header, that contains the SHA-1 thumbprint of the X.509 certificate.

  • include-sha-256-thumbprint

    boolean

    (default: false)

    Indicate whether to include the ‘x5t#S256’-claim in the JWT header, that contains the SHA-256 thumbprint of the X.509 certificate.

  • include-x509-certificate-chain

    boolean

    (default: false)

    Indicate whether to include the ‘x5c’-claim in the JWT header, that contains the X.509 public key certificate or certificate chain.

  • include-jwks

    boolean

    (default: false)

    Indicate whether to include the ‘jwk’-claim in the JWT header, which contains the verification key or the key that was used to encrypt the JWT.

  • include-jwks-uri

    boolean

    (default: false)

    Indicate whether to include the ‘jku’-claim in the JWT header, which contains the URL of the JWK Set resource that holds the verification key or the key that was used to encrypt the JWT. Note that tokens that are not issued in an OpenID Connect or OAuth context will not be able to include this field in the JWT header.

  • include-x5t-in-jwks

    boolean

    (default: true)

    Indicate whether to include the certificate thumbprint (‘x5t’) in the JWKS endpoint

  • include-x5c-in-jwks

    boolean

    (default: false)

    Indicate whether to include the certificate (‘x5c’) in the JWKS endpoint

  • algorithm

    jwt-algorithm RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512, ES256, ES384, ES512, EdDSA

    (default: RS256)

    The signing algorithm to use

  • signing-key-id

    leafref /base:facilities/base:crypto/base:signing-keys/base:signing-key/base:id

    (mandatory)

    A reference to a signing key entry in crypto facilities. Also used for signature verification if no signature verification key is selected.

  • verification-keystore-id

    leafref /base:facilities/base:crypto/base:signature-verification-keys/base:signature-verification-key/base:id

    (optional)

    A reference to the key used to verify a signature issued by this token issuer. Must be of the same type as the selected signing key.
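
The include-* settings above (listed for both the custom JWT issuer and the default JWT issuer settings) decide which key-identification claims end up in the JOSE header and in the JWKS entry that verifiers fetch. The following is an added example, not Curity code: it shows how those flags shape the header, how the ‘x5t’ and ‘x5t#S256’ thumbprints are derived (base64url, no padding, of the SHA-1 or SHA-256 digest of the DER certificate), that ‘x5c’ uses plain base64, and a verifier-side consistency check between header and JWKS entry. The settings dict is keyed by the parameter names on this page; the certificate bytes and the JWK are constructed placeholders.

```python
import base64
import hashlib

# Added example (not Curity code): how the include-* settings of a JWT issuer
# shape the JOSE header and the matching JWKS entry. Settings are a dict keyed
# by the parameter names on this page; the certificate bytes are constructed
# placeholders standing in for DER-encoded X.509 certificates.


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires for thumbprints (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_thumbprint(value: str) -> bytes:
    """Inverse of b64url: re-pad and decode a thumbprint, as a verifier would."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def x5t(cert_der: bytes) -> str:
    """'x5t': base64url of the SHA-1 digest of the DER certificate."""
    return b64url(hashlib.sha1(cert_der).digest())


def x5t_s256(cert_der: bytes) -> str:
    """'x5t#S256': base64url of the SHA-256 digest of the DER certificate."""
    return b64url(hashlib.sha256(cert_der).digest())


def x5c(cert_chain_der: list) -> list:
    """'x5c' uses plain (padded) base64 of each DER certificate, leaf first."""
    return [base64.b64encode(c).decode("ascii") for c in cert_chain_der]


def build_jose_header(settings: dict, kid: str, cert_chain_der: list,
                      public_jwk=None, jwks_uri=None) -> dict:
    """Assemble the protected header a token issuer would emit for these settings.
    Defaults match the page: kid and x5t on, the others off."""
    leaf = cert_chain_der[0]
    header = {"alg": settings.get("algorithm", "RS256"), "typ": "JWT"}
    if settings.get("include-key-identifier", True):
        header["kid"] = kid
    if settings.get("include-sha-1-thumbprint", True):
        header["x5t"] = x5t(leaf)
    if settings.get("include-sha-256-thumbprint", False):
        header["x5t#S256"] = x5t_s256(leaf)
    if settings.get("include-x509-certificate-chain", False):
        header["x5c"] = x5c(cert_chain_der)
    if settings.get("include-jwks", False) and public_jwk is not None:
        header["jwk"] = public_jwk
    # 'jku' needs the issuer's OAuth/OIDC base URL; the page notes it is absent otherwise.
    if settings.get("include-jwks-uri", False) and jwks_uri:
        header["jku"] = jwks_uri
    return header


def build_jwks_entry(settings: dict, public_jwk: dict, cert_chain_der: list) -> dict:
    """The JWKS endpoint entry for the same key, per include-x5t-in-jwks / include-x5c-in-jwks."""
    entry = dict(public_jwk)
    if settings.get("include-x5t-in-jwks", True):
        entry["x5t"] = x5t(cert_chain_der[0])
    if settings.get("include-x5c-in-jwks", False):
        entry["x5c"] = x5c(cert_chain_der)
    return entry


def header_matches_jwks_entry(header: dict, entry: dict) -> bool:
    """Verifier-side check: the header must point at a key the JWKS actually publishes."""
    if header.get("kid") != entry.get("kid"):
        return False
    if "x5t" in header and "x5t" in entry and header["x5t"] != entry["x5t"]:
        return False
    return True


# Constructed placeholders (not real DER or a real key); only their hashes matter here.
LEAF_DER = b"constructed-leaf-certificate-der"
ISSUER_DER = b"constructed-issuer-certificate-der"
PUBLIC_JWK = {"kty": "RSA", "kid": "example-signing-key", "n": "constructed", "e": "AQAB"}

if __name__ == "__main__":
    settings = {"include-sha-256-thumbprint": True, "include-x509-certificate-chain": True}
    print(build_jose_header(settings, "example-signing-key", [LEAF_DER, ISSUER_DER]))
    print(build_jwks_entry(settings, PUBLIC_JWK, [LEAF_DER, ISSUER_DER]))
```

Two points worth noticing when reading the output: the thumbprints are 27 and 43 characters (no padding), while each ‘x5c’ element is padded standard base64; and a verifier that keys its JWKS lookup on ‘kid’ should still compare ‘x5t’ when both sides carry it, since the thumbprint binds the header to a specific certificate rather than to a name.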

Use-caching-services

token-issuers/default-token-issuer/use-caching-services

Use the system’s default caching data source, instead of the default token data source, to store short-lived tokens.

Path :/profiles/profile{id, type}/token-issuers/default-token-issuer/use-caching-services
Parameters:nonces

boolean

(default: true)

Use the system’s default caching data source to store single-use tokens, such as authorization codes and device codes.

Facilities

facilities

This is a collection of helper functions available in the system

Path :/facilities

Cache

http/cache{id} (keys ['id'])

HTTP client cache

Path :/facilities/http/cache{id}
Parameters:id

string

(mandatory)

Choice: cache-type

In-memory-cache

http/cache{id}/in-memory-cache
Path :

/facilities/http/cache{id}/in-memory-cache

Parameters:
  • max-entries

    uint32

    (default: 1024)

    Maximum number of cache entries

  • max-object-size

    uint32

    (default: 1024)

    Maximum size for each cache entry, in KiB

  • shared

    boolean

    (default: true)

    Whether the cache is shared between users. If a Cache-Control response header has the ‘private’ directive, the client will only use the cache if this setting is set to false. In that case, care must be taken to only use the cache for HTTP clients that use the same user credentials or API key.

Client

client (keys: ['id'])

This section defines an HTTP client. These clients are used by subsystems when accessing web resources, such as a SCIM server or other services. The important settings are authentication and TLS settings, such as which trust stores to use.

Path :

/facilities/http/client{id}

Parameters:
  • id

    string

    (mandatory)

  • cache

    leafref ../../cache/id

    (optional)

    The HTTP client cache to use for this client

  • scheme

    enumeration http, https

    (default: https)

  • connect-timeout

    uint8

    (default: 10)

    Http client connect timeout. Determines the timeout in seconds until a connection is established. A timeout value of zero indicates an infinite timeout. The default is 10. The timeout is applicable per connection, i.e. if the client has both IPv4 and IPv6 protocols available, the client will try to start a new connection using IPv6 if the initiated connection using IPv4 timed out and vice-versa, each of which will use the configured connect-timeout.

  • socket-timeout

    uint8

    (default: 10)

    Http client socket timeout. Determines the timeout in seconds for the maximum period of inactivity while waiting for data or between two consecutive data packets. A timeout value of zero indicates an infinite timeout. The default is 10.

  • include-client-info

    boolean

    (default: false)

    Relay information about the upstream client (e.g., IP address, HTTP protocol, etc.)

  • enable-metrics

    boolean

    (default: false)

    Whether request metrics for this HTTP client are published by the server.

Connection-pool

connection-pool
Path :

/facilities/http/client{id}/connection-pool

Parameters:
  • max-connections

    uint16

    (default: 100)

    Maximum total number of connections

  • max-connections-per-route

    uint16

    (default: 6)

    Maximum connections per HTTP route

  • idle-connection-timeout

    conf-timeout

    (default: 5)

    Maximum time to keep idle connections alive, in seconds

Choice: http-authentication

The authentication method to use

Http-basic-authn

http-basic-authn
Path :

/facilities/http/client{id}/http-basic-authn

Parameters:
  • username

    string

    (mandatory)

    When set, uses this as the username for HTTP basic authentication to the web service

  • password

    string

    (optional)

    When set, uses this as the password for HTTP basic authentication to the web service

Oauth-credentials

oauth-credentials

This enables the HTTP client to use OAuth 2.0 client credentials flow to obtain an access token for endpoint access

Path :

/facilities/http/client{id}/oauth-credentials

Parameters:
  • client-id

    non-empty-string

    (mandatory)

    The client id to use when obtaining an OAuth 2.0 access token

  • client-secret

    non-empty-string

    (mandatory)

    The client secret to use when obtaining an OAuth 2.0 access token

  • send-client-credentials-in-authorization-header

    boolean

    (default: false)

    Passes the OAuth credentials in the Authorization header instead of POST body

  • token-endpoint

    uri

    (mandatory)

    The complete url to the token endpoint of the OAuth server used to retrieve the access token

  • scope

    scope

    (multi-value) (optional)

    Scopes to request when requesting a new access token from the OAuth 2.0 client

Choice: inner-client-or-legacy-settings

param http-client:
 

leafref ../../../client/id

(optional)

The HTTP client used to do the OAuth 2.0 token requests.

Token-endpoint-tls

oauth-credentials/token-endpoint-tls
Path :

/facilities/http/client{id}/oauth-credentials/token-endpoint-tls

Parameters:
  • disable-hostname-verification

    boolean

    (default: false)

    When set, hostname verification is disabled for TLS connections

  • use-truststore

    boolean

    (default: false)

    When set, uses the crypto server truststore, otherwise uses system default trust (cacerts)

Tls

tls
Path :

/facilities/http/client{id}/tls

Parameters:
  • disable-hostname-verification

    boolean

    (default: false)

    When set, hostname verification is disabled for TLS connections

  • use-truststore

    boolean

    (default: false)

    When set, uses the crypto server truststore, otherwise uses system default trust (cacerts)

  • client-keystore

    leafref /facilities/crypto/ssl/client-keystores/client-keystore/id

    (optional)

    This keystore is used to manage the cryptographic material that can be used for client authentication using certificates. AKA client certificate

Proxy

proxy

Settings for the proxy the client should forward its requests through.

Path :

/facilities/http/client{id}/proxy

Parameters:
  • scheme

    enumeration http, https

    (default: https)

    The scheme that should be used when connecting to the proxy.

  • hostname

    host

    (mandatory)

    The hostname of the proxy.

  • port

    port-number

    (optional)

    The port of the proxy. If not set, the port will default to a value corresponding to the selected scheme; 443 for ‘https’, 80 for ‘http’

  • username

    non-empty-string

    (optional)

    The username to use when authenticating to the proxy.

  • password

    non-empty-string

    (optional)

    The password to use when authenticating to the proxy.

Client-alarms

client-alarms

Toggle what alarms this HTTP client can trigger

Path :

/facilities/http/client{id}/client-alarms

Parameters:
  • enable-failed-authentication-alarm

    boolean

    (default: false)

    Raise failed-authentication alarm when receiving a 401 status code from the remote HTTP server

  • enable-failed-communication-alarm

    boolean

    (default: true)

    Raise failed-communication alarm when receiving a 500-599 status code from the remote HTTP server

  • raise-failed-communication-alarms-http-client-errors

    boolean

    (default: false)

    Additionally raise failed-communication alarm when receiving 400,402-499 status codes from the remote HTTP server.

Failed-communication-alarm

client-alarms/failed-communication-alarm

This alarm enforces a sliding window; to be raised, a set number of faults must occur within a set time-frame (the sliding window).

Path :/facilities/http/client{id}/client-alarms/failed-communication-alarm
Sliding-window
client-alarms/failed-communication-alarm/sliding-window

Alarms that enforce a sliding window require a set amount of faults to occur within a set time-frame of each other (the sliding window) before they are raised.

Path :

/facilities/http/client{id}/client-alarms/failed-communication-alarm/sliding-window

Parameters:
  • faults-to-raise-alarm

    uint16

    (default: 2)

    The number of faults required to occur within the span of the sliding window for an alarm to be raised. Setting this value to 1 effectively disables the sliding window, raising alarms immediately as faults occur.

  • sliding-window-duration

    uint16

    (default: 10)

    The size, in seconds, of the sliding window applied to the alarm. Not all alarms enforce sliding windows; those that do are especially noted in their description. Setting this value to 0 effectively disables the sliding window, raising alarms immediately as faults occur.

Retry-on-failures

retry-on-failures

Enables retry after a network error (while connecting, reading or writing on the socket) or a temporary HTTP error: 502 (Bad Gateway), 503 (Service Unavailable), 504 (Gateway Timeout). A configurable delay (one second by default) is awaited before each retry. By default, a single retry is attempted. Note: when enabling retries, it is advised to reduce the connect and socket timeouts to decrease the time the user waits for an error in case of a long-lasting network problem.

Path :

/facilities/http/client{id}/retry-on-failures

Parameters:
  • max-retries

    uint8

    (default: 1)

    The maximum number of retries that are attempted. A value of 0 means that a single request is attempted, with no retries.

  • retry-interval

    uint16

    (default: 1000)

    The time interval before retrying the request, in milliseconds
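
As an added example (not Curity code), the retry policy described for retry-on-failures written as a small driver: only network errors and the three temporary statuses are retried, a 4xx or a plain 500 is returned at once, max-retries bounds the extra attempts and retry-interval is the pause between them. The `attempt` callable is an assumed stand-in for one HTTP round trip, and `scripted_attempts` builds a constructed sequence of outcomes so the policy can be exercised offline. The last function puts a number on the page's note about lowering the timeouts when retries are on.

```python
import time

# Added example (not Curity code): the retry policy described for retry-on-failures,
# written as a small driver around an `attempt()` callable. `attempt` is an assumed
# stand-in for one HTTP round trip: it returns a status code or raises NetworkError.

RETRYABLE_STATUSES = {502, 503, 504}   # the temporary HTTP errors named on the page


class NetworkError(Exception):
    """A failure while connecting, reading or writing on the socket."""


def send_with_retries(attempt, max_retries=1, retry_interval_ms=1000, sleep=time.sleep):
    """Run attempt() up to max_retries + 1 times.
    Returns (status, attempts_made). A status outside RETRYABLE_STATUSES, including 4xx
    and a plain 500, is returned at once. If every attempt ends in a NetworkError, the
    last one is re-raised so the caller sees the real failure."""
    attempts = 0
    last_error = None
    while True:
        attempts += 1
        try:
            status = attempt()
            if status not in RETRYABLE_STATUSES:
                return status, attempts
        except NetworkError as err:
            last_error = err
            status = None
        if attempts > max_retries:          # retry budget spent
            if status is None:
                raise last_error
            return status, attempts
        sleep(retry_interval_ms / 1000.0)   # the configured pause before the next try


def scripted_attempts(outcomes):
    """Constructed stand-in for a remote server: each call yields the next outcome;
    an Exception instance in the list is raised instead of returned."""
    queue = list(outcomes)

    def attempt():
        outcome = queue.pop(0)
        if isinstance(outcome, Exception):
            raise outcome
        return outcome
    return attempt


def worst_case_wait_seconds(connect_timeout, socket_timeout,
                            max_retries=1, retry_interval_ms=1000):
    """Rough upper bound on how long a caller waits when the remote side is down:
    each attempt can burn one connect and one socket timeout, plus the pauses between
    attempts. Assumption: a single address family; the page notes that IPv4/IPv6
    fallback can add a second connect timeout per attempt."""
    attempts = max_retries + 1
    return attempts * (connect_timeout + socket_timeout) + max_retries * retry_interval_ms / 1000.0


if __name__ == "__main__":
    delays = []
    print(send_with_retries(scripted_attempts([503, 200]), sleep=delays.append), delays)
    # With the page's defaults (10 s connect, 10 s socket, 1 retry, 1000 ms):
    print(worst_case_wait_seconds(10, 10))
```

With the defaults on this page the bound comes out at 41 seconds for a single upstream call, which is the figure to keep in mind when deciding how far to lower connect-timeout and socket-timeout once retries are enabled.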

Data-source

data-source (keys: ['id'])

Data sources form a heterogeneous list. Each data source is defined by the option selected in the data-source-type choice.

Path :/facilities/data-sources/data-source{id}
Parameters:id

string

(mandatory)

Data-source-alarms

data-source-alarms

Toggle what alarms this data source client can trigger

Path :/facilities/data-sources/data-source{id}/data-source-alarms
Parameters:enable-slow-connection-alarm

boolean

(default: true)

Raise slow-connection alarm when requests take too much time before completing

Slow-connection-alarm

data-source-alarms/slow-connection-alarm

Slow-connection alarm configuration specific to this data source. This alarm enforces a sliding window; to be raised, a set number of faults must occur within a set time-frame (the sliding window).

Path :/facilities/data-sources/data-source{id}/data-source-alarms/slow-connection-alarm
Thresholds
data-source-alarms/slow-connection-alarm/thresholds

Thresholds for raising slow-connection alarms

Path :

/facilities/data-sources/data-source{id}/data-source-alarms/slow-connection-alarm/thresholds

Parameters:
  • warning

    int32

    (default: 2)

    Threshold for raising slow-connection alarms of warning severity, in seconds

  • minor

    int32

    (default: 5)

    Threshold for raising slow-connection alarms of minor severity, in seconds

  • major

    int32

    (default: 10)

    Threshold for raising slow-connection alarms of major severity, in seconds

  • critical

    int32

    (default: 31)

    Threshold for raising slow-connection alarms of critical severity, in seconds

Sliding-window
data-source-alarms/slow-connection-alarm/sliding-window

Alarms that enforce a sliding window require a set amount of faults to occur within a set time-frame of each other (the sliding window) before they are raised.

Path :

/facilities/data-sources/data-source{id}/data-source-alarms/slow-connection-alarm/sliding-window

Parameters:
  • faults-to-raise-alarm

    uint16

    (default: 2)

    The number of faults required to occur within the span of the sliding window for an alarm to be raised. Setting this value to 1 effectively disables the sliding window, raising alarms immediately as faults occur.

  • sliding-window-duration

    uint16

    (default: 10)

    The size, in seconds, of the sliding window applied to the alarm. Not all alarms enforce sliding windows; those that do are especially noted in their description. Setting this value to 0 effectively disables the sliding window, raising alarms immediately as faults occur.

Failed-communication-alarm

data-source-alarms/failed-communication-alarm

This alarm enforces a sliding window; to be raised, a set number of faults must occur within a set time-frame (the sliding window).

Path :/facilities/data-sources/data-source{id}/data-source-alarms/failed-communication-alarm
Sliding-window
data-source-alarms/failed-communication-alarm/sliding-window

Alarms that enforce a sliding window require a set amount of faults to occur within a set time-frame of each other (the sliding window) before they are raised.

Path :

/facilities/data-sources/data-source{id}/data-source-alarms/failed-communication-alarm/sliding-window

Parameters:
  • faults-to-raise-alarm

    uint16

    (default: 2)

    The number of faults required to occur within the span of the sliding window for an alarm to be raised. Setting this value to 1 effectively disables the sliding window, raising alarms immediately as faults occur.

  • sliding-window-duration

    uint16

    (default: 10)

    The size, in seconds, of the sliding window applied to the alarm. Not all alarms enforce sliding windows; those that do are especially noted in their description. Setting this value to 0 effectively disables the sliding window, raising alarms immediately as faults occur.

Choice: data-source-type

Option: multi-zone

Multi-zone

multi-zone
Path :/facilities/data-sources/data-source{id}/multi-zone
Parameters:default-datasource

leafref /base:facilities/base:data-sources/base:data-source/base:id

(optional)

Id of the data source used as a fallback when a match is not found in the zone mappings. If a match is not found and this option is not set, a runtime error will occur.

Zone-mapping

multi-zone/zone-mapping{zone} (keys ['zone'])

Maps a zone to the data source that should be used with it

Path :

/facilities/data-sources/data-source{id}/multi-zone/zone-mapping{zone}

Parameters:
  • zone

    leafref /base:environments/base:environment/base:services/base:zones/base:zone/base:id

    (mandatory)

    Id of the zone

  • data-source

    leafref /base:facilities/base:data-sources/base:data-source/base:id

    (mandatory)

    Id of the data source to be used for the zone

Option: scim2

Scim2

scim2
Path :

/facilities/data-sources/data-source{id}/scim2

Parameters:
  • supports-http-patch

    boolean

    (optional)

    A flag to indicate whether or not the server supports the HTTP PATCH method. If set to false, the client will use GET to get the full object, and then do a full update with PUT. If not set, the client will query the ServiceProviderConfig endpoint of the SCIM 2.0 server. If set to true, no query will be made to the SCIM server and PATCH will be assumed to be supported.

  • hostname

    host

    (mandatory)

    Sets the hostname or IP address of the web service, e.g. ‘localhost’ or ‘127.0.0.1’

  • port

    port-number

    (default: 80)

    Sets the port of the web service, e.g. 80 or 443.

  • context

    string

    (default: /)

    Sets the main context path of the web service, e.g. ‘/scim’.

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    A reference to the Http Client

Account

scim2/account

Enable configuration of SCIM 2.0 Account- and Credential Data Access Provider

Path :

/facilities/data-sources/data-source{id}/scim2/account

Parameters:
  • verify-password-filter

    non-empty-string

    (default: userName eq ":username" and password eq ":password" and active eq true)

    The filter string used to verify the username and password against the SCIM 2.0 server. Use ":username" and ":password" to substitute the username and password

  • search-filter-mail

    non-empty-string

    (default: emails.value eq ":email" and emails.primary eq true)

    The filter string used to find a user based on the email address. Use ":email" to substitute the email address

  • search-filter-phone

    non-empty-string

    (default: phone.value eq ":phone" and phone.primary eq true)

    The filter string used to find a user based on the phone number. Use ":phone" to substitute the phone number

Attributes

scim2/attributes

Enable configuration for SCIM 2.0 Attribute Data Access Provider

Path :

/facilities/data-sources/data-source{id}/scim2/attributes

Parameters:
  • search-filter

    non-empty-string

    (default: userName eq ":username")

    The filter to use when searching attributes for a subject. The placeholder is replaced with the authenticated subject, e.g. userName eq ":username"

  • scim-attribute-to-fetch

    non-empty-string

    (multi-value) (optional)

    A multi-valued list of strings indicating the names of resource attributes to return in the response, overriding the set of attributes that would be returned by default.

  • scim-excluded-attribute-to-fetch

    non-empty-string

    (multi-value) (optional)

    A multi-valued list of strings indicating the names of resource attributes to be removed from the default set of attributes to return. This parameter SHALL have no effect on attributes whose schema “returned” setting is “always”.

Option: ldap

Ldap

ldap
Path :

/facilities/data-sources/data-source{id}/ldap

Parameters:
  • ldap-server-type

    enumeration active-directory, generic

    (default: generic)

  • connection-timeout

    int32

    (default: 30)

    Idle timeout in seconds for connections in the connection pool (zero value indicates infinite timeout)

  • validate-connections

    boolean

    (default: true)

    Validate connections before fetching them from the connection pool

  • time-between-eviction-runs

    int32

    (default: -1)

    How often idle connections are checked for in seconds. If set to -1, eviction will not occur. This is preferred as it will increase throughput by avoiding contention with object usage and idleness checking.

  • detect-user-must-reset-password

    boolean

    (default: false)

    In case the server type is Active Directory, a SimpleBind operation can return with LDAP_INVALID_CREDENTIALS even when the credentials were accepted, when the account has the UserMustResetPassword flag set on it. To detect this, the diagnostics message string will be used to detect whether the reason for failure was that this flag was set, and authentication was considered acceptable. In that case, the resulting SubjectAttributes of the authentication attempt will contain a _userMustResetPassword attribute that indicates this state. This setting can only be enabled when the server type is Active Directory, and defaults to false.

  • detect-user-password-expired

    boolean

    (default: false)

    Enable Active Directory specific password expiration handling. If set, and the server type is Active Directory, authentication will be considered acceptable even if the password has expired. The resulting SubjectAttributes of the authentication attempt will contain a _userMustResetPassword attribute to indicate this. This setting defaults to false.

  • hostname

    host

    (mandatory)

    Sets the hostname or IP-address of the LDAP Directory Server

  • port

    uint16

    (optional)

    The port of the LDAP Directory Server. Defaults to 389, or when ldaps is enabled, it defaults to 636.

  • ldaps

    boolean

    (default: false)

    Indicates whether the server communicates with LDAPS

  • client-id

    string

    (optional)

    The client id used to bind to the LDAP Directory Server. When not set, an anonymous bind is performed.

  • client-secret

    string

    (optional)

    The client secret used to authenticate the client id.

  • default-root

    string

    (mandatory)

    The default search root DN that searches are based on, e.g. ou=People,dc=example,dc=com

  • search-scope

    enumeration one, sub

    (default: sub)

    The search scope, relative to the default root. Default is to search the sub-tree.

  • initial-connections

    uint8

    (default: 5)

    Initial number of connections to hold in the connection pool

  • max-connections

    uint8

    (default: 10)

    Maximum number of connections to hold in the connection pool

Account

ldap/account
Path :

/facilities/data-sources/data-source{id}/ldap/account

Parameters:
  • account-id-attribute

    string

    (optional)

    The attribute that the LDAP Directory Server returns, and is to be considered the account Id for the user entry. If nothing is set, ‘uid’ will be used for directory type ‘generic’, and sAMAccountName for ‘active-directory’

  • username-attribute

    string

    (optional)

    The attribute that the LDAP Directory Server returns, and is to be considered the username for the user entry. If nothing is set, ‘uid’ will be used for directory type ‘generic’, and sAMAccountName for ‘active-directory’

  • search-filter-account-id

    string

    (optional)

    The filter to use when searching for a user in the LDAP Directory Server by its account Id, e.g. ‘uid={}’, or for active-directory usually ‘sAMAccountName={}’. If not set, defaults to (<account-id-attribute>={})

  • search-filter-username

    string

    (optional)

    The filter to use when searching for a user in the LDAP Directory Server by its username, e.g. ‘uid={}’, or for active-directory usually ‘sAMAccountName={}’. If not set, defaults to (<username-attribute>={})

  • search-filter-mail

    string

    (default: (mail={}))

    The filter to use when searching for a user by its email address. The default is ‘(mail={})’

  • search-filter-phone

    string

    (default: (telephoneNumber={}))

    The filter to use when searching for a user by its phone number. The default is ‘(telephoneNumber={})’

  • active-state-attribute

    string

    (default: carLicense)

    The attribute to use to store the active state of the account. When Active Directory the active state attribute will always be ‘userAccountControl’ and this setting is ignored.

  • active-state-attribute-value

    non-empty-string

    (default: true)

    The attribute value that indicates that the account is active (e.g., ‘ACTIVE’). Any other value will be treated as inactive. Ignored when Active Directory is used.

  • inactive-state-attribute-value

    non-empty-string

    (default: false)

    The attribute value that indicates that the account is inactive (e.g., ‘INACTIVE’). This is used when creating disabled accounts or disabling accounts through the user-management profile. Ignored when Active Directory is used.

  • mobile-phone-number-attribute

    string

    (default: telephoneNumber)

    The attribute where the mobile phone number is set. This is only required if the number used for authentication is stored in a different attribute than ‘telephoneNumber’

  • email-attribute

    string

    (default: mail)

    The attribute where the email-address is set. This is only required if the email address used for authentication is stored in a different attribute than ‘mail’.

  • ldap-attribute-to-fetch

    non-empty-string

    (multi-value) (optional)

    List of user-attributes that are requested as part of user authentication.

Attributes

ldap/attributes
Path :

/facilities/data-sources/data-source{id}/ldap/attributes

Parameters:
  • search-filter

    string

    (optional)

    The filter to use when searching attributes for a subject. The {} placeholder is replaced with the authenticated subject, e.g. ‘uid={}’

  • ldap-attribute-to-fetch

    non-empty-string

    (multi-value) (optional)

    List of attributes that are requested when the LDAP data-source acts as an Attribute Provider.
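The account filters above (search-filter-account-id, search-filter-username, search-filter-mail, search-filter-phone) and the attribute search-filter all take a template with a {} placeholder. Whatever performs that substitution must escape the inserted value as an LDAP filter assertion value (RFC 4515 section 3), otherwise a username such as alice)(objectClass=* would change the structure of the filter. The following is an added example of that expansion and escaping; it is not code from the Curity Identity Server and does not claim to show how the server itself substitutes the placeholder. The function names (escape_filter_value, expand_filter, default_filter) and the choice to wrap a bare ‘uid={}’ template in parentheses are this example's own assumptions; the default filter shape (<attribute>={}) comes from the reference above.

```python
"""Expand an LDAP search filter template such as 'uid={}' or '(mail={})'.

Added example, not code from the Curity Identity Server. It shows the
escaping any such substitution must apply so that the substituted value
cannot alter the filter's structure."""

# Characters that carry meaning inside an LDAP filter assertion value
# (RFC 4515 section 3) and their escaped forms.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII characters: escape each UTF-8 byte as \xx.
            out.extend(r"\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def expand_filter(template: str, value: str) -> str:
    """Replace every '{}' placeholder in the template with the escaped value.

    Assumption of this example: a template written without the outer
    parentheses ('uid={}') is wrapped so that it and '(uid={})' yield the
    same filter string."""
    if "{}" not in template:
        raise ValueError("filter template has no {} placeholder")
    expanded = template.replace("{}", escape_filter_value(value))
    if not expanded.startswith("("):
        expanded = f"({expanded})"
    return expanded


def default_filter(attribute: str, value: str) -> str:
    """The documented fallback when no filter is configured: (<attribute>={})."""
    return expand_filter(f"({attribute}={{}})", value)


if __name__ == "__main__":
    # Constructed sample inputs: an ordinary username and a hostile one.
    print(expand_filter("uid={}", "alice"))
    print(expand_filter("(mail={})", "alice)(objectClass=*"))
    print(default_filter("sAMAccountName", "bob"))
```

With escaping in place, the hostile value becomes the literal assertion (mail=alice\29\28objectClass=\2a), which matches nothing unless an entry really has that address.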

Credentials

ldap/credentials
Path :/facilities/data-sources/data-source{id}/ldap/credentials
Use-attribute-replacement
ldap/credentials/use-attribute-replacement

Use attribute replacement strategy instead of the default modify-password extended operation for password updates

Path :

/facilities/data-sources/data-source{id}/ldap/credentials/use-attribute-replacement

Parameters:
  • password-attribute

    string

    (default: userPassword)

    The attribute the password is stored in.

  • password-encoding

    enumeration plaintext, md5, smd5, sha, ssha, sha256, ssha256, sha384, ssha384, sha512, ssha512, crypt

    (default: crypt)

    Select the transformation to use for encoding the password value of the ‘userPassword’ attribute.

  • ldap-attribute-to-fetch

    non-empty-string

    (multi-value) (optional)

    List of attributes that are requested when the LDAP data-source acts as a Credential Manager.

Tls

ldap/tls

Configure TLS settings when the server uses an SSL/TLS encrypted connection

Path :

/facilities/data-sources/data-source{id}/ldap/tls

Parameters:
  • disable-hostname-verification

    boolean

    (default: false)

    When set, hostname verification is disabled for TLS connections

  • use-truststore

    boolean

    (default: false)

    When set, uses the crypto server truststore, otherwise uses system default trust (cacerts)

  • client-keystore

    leafref /base:facilities/base:crypto/base:ssl/base:client-keystores/base:client-keystore/base:id

    (optional)

    This keystore is used to manage the cryptographic material that can be used for client authentication using certificates. AKA client certificate

Option: scim

Scim

scim
Path :

/facilities/data-sources/data-source{id}/scim

Parameters:
  • use-scim-2-search-for-credential-validation

    boolean

    (default: false)

    Enables username/password validation to use the SCIM 2.0 search instead of SCIM 1.1

  • hostname

    host

    (mandatory)

    Sets the hostname or IP address of the web service, e.g. ‘localhost’ or ‘127.0.0.1’

  • port

    port-number

    (default: 80)

    Sets the port of the web service, e.g. 80 or 443.

  • context

    string

    (default: /)

    Sets the main context of the web service, e.g. ‘/scim’.

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    A reference to the Http Client

Option: json

Json

json
Path :/facilities/data-sources/data-source{id}/json

Web-service-client

json/web-service-client
Path :

/facilities/data-sources/data-source{id}/json/web-service-client

Parameters:
  • hostname

    host

    (mandatory)

    Sets the hostname or IP address of the web service, e.g. ‘localhost’ or ‘127.0.0.1’

  • port

    port-number

    (default: 80)

    Sets the port of the web service, e.g. 80 or 443.

  • context

    string

    (default: /)

    Sets the main context of the web service, e.g. ‘/scim’.

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    A reference to the Http Client

Attributes

json/attributes
Path :/facilities/data-sources/data-source{id}/json/attributes
Parameter-mappings
json/attributes/parameter-mappings
Path :/facilities/data-sources/data-source{id}/json/attributes/parameter-mappings
Parameter-mapping
json/attributes/parameter-mappings/parameter-mapping{parameter-name} (keys ['parameter-name'])

Specifies a parameter name and how to get the value for it.

Path :/facilities/data-sources/data-source{id}/json/attributes/parameter-mappings/parameter-mapping{parameter-name}
Parameters:parameter-name

string

(mandatory)

The name of the parameter. The value of the authentication attribute with the same name will be mapped.

Choice: value
Option: static-value
param static-value:
 

string

(optional)

A static string to use as the value.

Option: use-value-of-attribute
param use-value-of-attribute:
 

string

(optional)

The name of the attribute to get the value from. Will be fetched from the attributes available from the authentication.

Choice: provide-subject
Option: parameter
Parameter
json/attributes/parameter
Path :

/facilities/data-sources/data-source{id}/json/attributes/parameter

Parameters:
  • provide-as

    enumeration query-parameter, header-parameter

    (default: header-parameter)

  • tenant-id-parameter

    string

    (optional)

    Name of the parameter that will be used to provide the tenant ID to the remote service at the configured url-path.

  • url-path

    string

    (default: /users)

    The path relative to the webservice context, that makes up the subject’s attribute location that a GET-request will be made to. Defaults to ‘/users’.

  • username-parameter

    string

    (mandatory)

    Name of the parameter that will be used to provide the username to the remote service at the configured url-path.

Option: url-path
param url-path:

string

(default: /users/:subject)

The path relative to the webservice context, that makes up the subject’s attribute location that a GET-request will be made to. The path may contain the :subject placeholder, where the username is substituted. If it doesn’t contain that placeholder, use the username-parameter parameter to configure how the username is sent over. Defaults to ‘/users/:subject’. The path may also optionally contain the :tenantId placeholder for example ‘/users/:tenantId/:subject’

Buckets

json/buckets
Path :/facilities/data-sources/data-source{id}/json/buckets
Clear
json/buckets/clear

Configuration used to clear the bucket.

Path :

/facilities/data-sources/data-source{id}/json/buckets/clear

Parameters:
  • method

    enumeration get, post, put, delete

    (default: delete)

    The HTTP method to use in the requests.

  • url

    string

    (default: /buckets?subject=:subject&purpose=:purpose)

    The template for the URL to use in the requests. It may contain a path and query, and should use the :subject, :purpose and optionally :tenantId placeholders.

Fetch
json/buckets/fetch

Configuration used to fetch attributes from the bucket.

Path :

/facilities/data-sources/data-source{id}/json/buckets/fetch

Parameters:
  • method

    enumeration get, post, put, delete

    (default: get)

    The HTTP method to use in the requests.

  • url

    string

    (default: /buckets?subject=:subject&purpose=:purpose)

    The template for the URL to use in the requests. It may contain a path and query, and should use the :subject, :purpose and optionally :tenantId placeholders.

Store
json/buckets/store

Configuration used to store attributes in the bucket.

Path :

/facilities/data-sources/data-source{id}/json/buckets/store

Parameters:
  • method

    enumeration get, post, put, delete

    (default: put)

    The HTTP method to use in the requests.

  • url

    string

    (default: /buckets?subject=:subject&purpose=:purpose)

    The template for the URL to use in the requests. It may contain a path and query, and should use the :subject, :purpose and optionally :tenantId placeholders.
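The clear, fetch and store operations above share one URL template format built from the :subject, :purpose and optional :tenantId placeholders, appended to the web-service context. The following is an added example of expanding such a template; it is not the Curity Identity Server's own code. The helper names (expand_url_template, build_bucket_url) are assumptions of this example, as is the decision to treat a template that lacks :subject or :purpose as an error; the placeholder names and the default template ‘/buckets?subject=:subject&purpose=:purpose’ are taken from the reference above. The security point it shows is that each value must be percent-encoded before substitution so that a subject containing ‘/’, ‘?’ or ‘&’ cannot redirect the request to a different path or add query parameters.

```python
"""Expand a JSON data-source bucket URL template and join it to the
web-service context.

Added example, not code from the Curity Identity Server; helper names are
assumptions, placeholder names and the default template come from the
configuration reference."""

import re
from typing import Optional
from urllib.parse import quote

# Only the documented placeholders are substituted; \b keeps ':subjectX'
# from being treated as ':subject'.
_PLACEHOLDER = re.compile(r":(subject|purpose|tenantId)\b")

DEFAULT_TEMPLATE = "/buckets?subject=:subject&purpose=:purpose"


def expand_url_template(template: str, subject: str, purpose: str,
                        tenant_id: Optional[str] = None) -> str:
    """Substitute the placeholders, percent-encoding every value.

    Assumption of this example: a template without :subject or :purpose is
    rejected, since a store URL without :subject would write every user's
    data to the same location. :tenantId is optional in the template but,
    if present, a tenant value must be supplied."""
    values = {"subject": subject, "purpose": purpose, "tenantId": tenant_id}
    missing = {"subject", "purpose"} - set(_PLACEHOLDER.findall(template))
    if missing:
        raise ValueError(f"template lacks placeholder(s): {sorted(missing)}")

    def repl(match: "re.Match[str]") -> str:
        name = match.group(1)
        value = values[name]
        if value is None:
            raise ValueError(f"template uses :{name} but no value was given")
        # safe="" also encodes '/', '?', '&', '=' and '#', so the result is
        # a single path segment or a single query value wherever it lands.
        return quote(value, safe="")

    return _PLACEHOLDER.sub(repl, template)


def build_bucket_url(context: str, template: str, subject: str, purpose: str,
                     tenant_id: Optional[str] = None) -> str:
    """Join the web-service context (default '/') with the expanded template."""
    path = expand_url_template(template, subject, purpose, tenant_id)
    return context.rstrip("/") + "/" + path.lstrip("/")


if __name__ == "__main__":
    # Constructed sample inputs, including a subject that tries to smuggle
    # an extra query parameter.
    print(build_bucket_url("/", DEFAULT_TEMPLATE, "alice", "prefs"))
    print(build_bucket_url("/", DEFAULT_TEMPLATE, "alice&purpose=admin", "prefs"))
    print(build_bucket_url("/api", "/t/:tenantId/buckets/:subject/:purpose",
                           "a/b", "p", tenant_id="acme"))
```

The same expansion applies to the credential-access and attribute url-path settings that use :subject and :tenantId, with the added caution that a :password placeholder substituted into a URL ends up in proxy and server access logs; the post-as-json submit-as option keeps it in the request body instead.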

Credential-access

json/credential-access
Path :

/facilities/data-sources/data-source{id}/json/credential-access

Parameters:
  • backend-verifies-password

    boolean

    (default: true)

    If set to true, the backend verifies the password; the server must respond with an HTTP success status to indicate successful verification. If set to false, the password is not sent to the server, and the response should contain the username, the password and the status of the account.

  • password-parameter

    string

    (default: password)

    Name of the parameter that will contain the password in a query.

  • submit-as

    enumeration post-as-json, post-as-urlencoded-formdata, get-as-querystring

    (default: post-as-json)

    Specify how username and password are provided to the server. This sets both the HTTP method that is used, as well as the content-type that the data is encoded with

  • tenant-id-parameter

    string

    (optional)

    Name of the parameter that will contain the tenant ID in a query.

  • url-path

    string

    (default: /)

    The path relative to the webservice context to make the request to. The path may contain the :subject, :password and :tenantId placeholders, which are substituted with username, password and tenant ID, respectively. On password verification, the :password placeholder is only substituted when ‘backend-verifies-password’ is set to true (the default).

  • username-parameter

    string

    (default: username)

    Name of the parameter that will contain the username in a query.

Option: dynamodb

Dynamodb

dynamodb
Path :

/facilities/data-sources/data-source{id}/dynamodb

Parameters:
  • allow-table-scans

    boolean

    (default: false)

    Allow use of table scans to fulfill resource queries

  • api-call-attempt-timeout

    int64

    (optional)

    Amount of time in seconds to wait for each individual request to complete. If not set, DynamoDB’s default is used.

  • api-call-timeout

    int64

    (optional)

    Amount of time in seconds to wait for the execution of an API call to complete, including retries. If not set, DynamoDB’s default is used.

  • aws-region

    enumeration ap-south-1, eu-south-1, us-gov-east-1, ca-central-1, eu-central-1, us-west-1, us-west-2, af-south-1, eu-north-1, eu-west-3, eu-west-2, eu-west-1, ap-northeast-2, ap-northeast-1, me-south-1, sa-east-1, ap-east-1, cn-north-1, us-gov-west-1, ap-southeast-1, ap-southeast-2, us-iso-east-1, us-east-1, us-east-2, cn-northwest-1, us-isob-east-1, aws-global, aws-cn-global, aws-us-gov-global, aws-iso-global, aws-iso-b-global

    (mandatory)

    The AWS Region where DynamoDB is deployed.

  • delegations-ttl-retain-duration

    int64

    (default: 31536000)

    Delegations additional retain duration (in seconds)

  • devices-ttl-retain-duration

    int64

    (default: 2592000)

    Devices additional retain duration (in seconds)

  • endpoint-override

    string

    (optional)

    Override the endpoint used to connect to DynamoDB. Useful for testing.

  • nonces-ttl-retain-duration

    int64

    (default: 86400)

    Nonces additional retain duration (in seconds)

  • sessions-ttl-retain-duration

    int64

    (default: 86400)

    Sessions additional retain duration (in seconds)

  • table-name-prefix

    string

    (optional)

    Table name prefix. If defined, all the DynamoDB tables used by this plugin will have this string prefixed into the name

  • tokens-ttl-retain-duration

    int64

    (default: 172800)

    Tokens additional retain duration (in seconds)

Choice: dynamodb-access-method

Option: access-key-id-and-secret

Access-key-id-and-secret

dynamodb/access-key-id-and-secret
Path :

/facilities/data-sources/data-source{id}/dynamodb/access-key-id-and-secret

Parameters:
  • access-key-id

    string

    (mandatory)

    AWS Access Key ID.

  • access-key-secret

    string

    (mandatory)

    AWS Access Key Secret.

  • aws-role-arn

    string

    (optional)

    Optional role ARN used when requesting temporary credentials, ex. arn:aws:iam::123456789012:role/dynamodb-role

Option: awsprofile

Awsprofile

dynamodb/awsprofile
Path :

/facilities/data-sources/data-source{id}/dynamodb/awsprofile

Parameters:
  • aws-profile-name

    string

    (mandatory)

    AWS Profile name. Retrieves credentials from the system (~/.aws/credentials).

  • aws-role-arn

    string

    (optional)

    Optional role ARN used when requesting temporary credentials, ex. arn:aws:iam::123456789012:role/dynamodb-role

Option: default-credentials-provider

Default-credentials-provider

dynamodb/default-credentials-provider

Use the default credential provider that automatically looks for available credentials in multiple places, namely: java system properties, environment variables, Web Identity Token, credential profiles, and EC2 metadata service.

Path :/facilities/data-sources/data-source{id}/dynamodb/default-credentials-provider
Parameters:reuse-last-provider

boolean

(default: true)

Controls whether the provider should reuse the last successful credentials provider in the chain. By default it is enabled

Option: ec2-instance-profile

param ec2-instance-profile:
 

boolean

(optional)

The EC2 instance that the Curity Identity Server is running on has been assigned an IAM Role with permissions to DynamoDB.

Option: web-identity-token-file

Web-identity-token-file

dynamodb/web-identity-token-file

Use the Web Identity Token File credentials provider. Reads the web identity token file path, AWS role ARN and AWS session name from system properties or environment variables and uses them to obtain web identity token credentials.

Path :/facilities/data-sources/data-source{id}/dynamodb/web-identity-token-file

Option: jdbc

Jdbc

jdbc
Path :

/facilities/data-sources/data-source{id}/jdbc

Parameters:
  • attribute-query

    string

    (default: SELECT linked_accounts.* FROM linked_accounts JOIN accounts ON accounts.account_id = linked_accounts.account_id WHERE accounts.username = :subject)

    A custom search query for attribute searches. The statement must mark the subject with the :subject variable, which is replaced with the value given when the query is called. Example: SELECT * FROM user_attributes WHERE subject = :subject

  • connection-string

    string

    (mandatory)

    The JDBC connection string.

  • connection-timeout

    int64

    (default: 30000)

    The time in milliseconds that a client waits for a connection from the pool before giving up.

  • driver

    union

    (mandatory)

    The JDBC driver to use. Must be present in the $IDSVR_HOME/lib/plugins/data.access.jdbc directory when the plugin is loaded. The ones listed are those shipped with the server.

  • enable-pool-metrics

    boolean

    (default: false)

    Whether connection pool metrics are published by the server.

  • idle-timeout

    int64

    (default: 600000)

    The maximum amount of time in milliseconds that a connection is allowed to sit idle in the pool. A value of 0 means that idle connections are never removed from the pool.

  • max-lifetime

    int64

    (default: 1800000)

    The maximum lifetime in milliseconds of a connection in the pool. When a connection reaches this timeout it will be retired from the pool, subject to a maximum variation of +30 seconds. We strongly recommend setting this value, and it should be at least 30 seconds less than any database-level connection timeout.

  • max-pool-size

    int32

    (default: 20)

    Maximum number of connections to keep in the connection pool, counting both idle and active.

  • min-idle-pool-size

    int32

    (default: 10)

    Minimum number of connections to keep in the connection pool.

  • multi-tenant-mode

    boolean

    (default: false)

    When enabled, the JDBC data source stores data for multiple tenants and every issued query isolates results to the tenant configured on the profile or parent service. The database schema needs to be migrated before enabling multi-tenant mode. When false, the database only stores data for the default tenant.

  • password

    string

    (default: )

    Password to use when connecting to this data source.

  • use-for-audit

    boolean

    (default: false)

    When this is set to true, this JDBC data source will be used by log4j2 to store audit messages

  • username

    string

    (default: )

    Username to use when connecting to this data source.

Choice: credentials-mode

Option: credentials-in-accounts-table-mode

param credential-query:
 

string

(default: SELECT account_id AS accountId, username AS userName, password FROM accounts WHERE username = :subjectId AND active = 1)

Query to execute to verify or retrieve the password and account claims to verify

param custom-query-verifies-password:
 

boolean

(default: false)

Whether the custom credential query verifies the password or not

param insert-credentials-when-not-found:
 

boolean

(default: false)

Whether insert-or-update semantics should be used when updating credentials in the accounts table. When set to true, a credential update inserts a new record in the accounts table if a matching record is not found.

Option: credentials-migration-mode

Credentials-migration-mode

jdbc/credentials-migration-mode

Use both the accounts table and the credentials table to store passwords, keeping them in sync. Passwords are migrated when used, both on update and verify. This mode is suitable for migration scenarios.

Path :/facilities/data-sources/data-source{id}/jdbc/credentials-migration-mode
Parameters:insert-credentials-when-not-found

boolean

(default: false)

Whether insert-or-update semantics should be used when updating credentials in the accounts table. When set to true, a credential update inserts a new record in the accounts table if a matching record is not found.

Option: standard-credentials-mode

Standard-credentials-mode

jdbc/standard-credentials-mode

Use the standard data model for credential storage, using the credentials table to store passwords and the associated data.

Path :/facilities/data-sources/data-source{id}/jdbc/standard-credentials-mode
Parameters:check-account-status

boolean

(default: true)

When the accounts and credentials tables are stored in the same data source, allows the account status to be checked while fetching the credentials. When true, a credential is only considered valid by the data source when its owning account is active. This performs an early status check and avoids having to configure the check-account-status flag on the credential manager.

Email-provider

email-provider (keys: ['id'])

The configuration of a service that can send emails

Path :/facilities/email-providers/email-provider{id}
Parameters:id

string

(mandatory)

Choice: provider-type

Smtp

smtp
Path :

/facilities/email-providers/email-provider{id}/smtp

Parameters:
  • smtp-host

    host

    (mandatory)

    The SMTP host

  • smtp-port

    port-number

    (default: 587)

    Sending port

  • enable-tls

    boolean

    (default: true)

    Should this email-subsystem use TLS

  • default-sender

    string

    (mandatory)

    An RFC 822 email address that will be used as the From address when sending emails

  • username

    string

    (optional)

    Optional username for smtp connection

  • password

    string

    (optional)

    Optional password for smtp connection

Dkim

smtp/dkim

DKIM configuration settings

Path :/facilities/email-providers/email-provider{id}/smtp/dkim
Parameters:selector

non-empty-string

(optional)

The selector to use when signing the message

Signing-key
smtp/dkim/signing-key

A reference to a signing key

Path :/facilities/email-providers/email-provider{id}/smtp/dkim/signing-key
Parameters:id

leafref /base:facilities/base:crypto/base:signing-keys/base:signing-key/base:id

(mandatory)

A reference to a Signing Keystore with an asymmetric key

Tls

smtp/tls

TLS configuration settings

Path :/facilities/email-providers/email-provider{id}/smtp/tls
Choice: mode
Secure connection mode (STARTTLS or direct TLS)
Option: direct-tls
param direct-tls:
 

empty

(optional)

Connection to SMTP server will be immediately established using TLS

Option: start-tls
param start-tls:
 

empty

(optional)

Connection to SMTP server will be initially insecure and then transition to secure via STARTTLS (RFC 3207)

Trusted-ca
smtp/tls/trusted-ca

Enable to choose a custom server trust certificate. If disabled, the default server trust will be used

Path :/facilities/email-providers/email-provider{id}/smtp/tls/trusted-ca
Parameters:id

leafref /base:facilities/base:crypto/base:ssl/base:server-truststore/base:server-certificate/base:id

(mandatory)

A reference to a Server Truststore

Sms-provider

sms-provider (keys: ['id'])

A message service that can send sms messages

Path :/facilities/sms-providers/sms-provider{id}
Parameters:id

string

(mandatory)

Choice: provider-type

Twilio

twilio
Path :

/facilities/sms-providers/sms-provider{id}/twilio

Parameters:
  • from-number

    string

    (mandatory)

    The number that appears as sender of the SMS

  • account-sid

    string

    (mandatory)

    The account SID to use with Twilio

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (optional)

    A reference to the Http Client to use. If not defined, the default HTTP client is used

Choice: auth-token-or-api-key

The credentials to be used when communicating with the Twilio API

param auth-token:
 

string

(mandatory)

The Auth Token to be used when communicating with the Twilio API

Option: api-key

Api-key

twilio/api-key

The API Key to be used when communicating with the Twilio API

Path :

/facilities/sms-providers/sms-provider{id}/twilio/api-key

Parameters:
  • key-sid

    string

    (mandatory)

    The API Key SID

  • key-secret

    string

    (mandatory)

    The API Key Secret

Option: rest

Rest

rest
Path :/facilities/sms-providers/sms-provider{id}/rest

Web-service-client

rest/web-service-client
Path :

/facilities/sms-providers/sms-provider{id}/rest/web-service-client

Parameters:
  • hostname

    host

    (mandatory)

    Sets the hostname or IP address of the web service, e.g. ‘localhost’ or ‘127.0.0.1’

  • port

    port-number

    (default: 80)

    Sets the port of the web service, e.g. 80 or 443.

  • context

    string

    (default: /)

    Sets the main context of the web service, e.g. ‘/scim’.

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    A reference to the Http Client

Crypto

crypto

All crypto services are described below this section. This is a restricted section; not all nodes will see everything here.

Path :/facilities/crypto

Hardware-security-module

hardware-security-module

The Hardware Security Module (HSM) that may be used in the system

Path :

/facilities/crypto/hardware-security-module

Parameters:
  • hsm-load-timeout

    conf-timeout

    (default: 5)

    The timeout for loading HSM

  • library

    string

    (mandatory)

    The path (as applicable on a run-time node) to the shared library that implements PKCS#11

  • include-compatibility-attributes

    boolean

    (default: true)

    Whether or not certain attributes should be exchanged with the PKCS#11 provider to ensure that maximum compatibility is possible

Choice: slot

The interface or port used to connect the HSM to the host computer

param slot-id:

int8

(default: 0)

The slot ID (e.g., 1 or 0) where the HSM is connected

param slot-list-index:
 

int8

(default: 0)

The index into the list of all slots exposed by the PKCS#11 provider

Choice: mechanisms

A list of PKCS#11 mechanisms

param enabled-pkcs11-mechanisms:
 

string

(multi-value) (optional)

Enable only certain PKCS#11 mechanisms despite what may be supported by the HSM

param disabled-pkcs11-mechanisms:
 

string

(multi-value) (optional)

Disable certain PKCS#11 mechanisms that are supported by the HSM

Ssl

ssl

A list of available server keys to be used by ‘services’; their only use is TLS

Path :/facilities/crypto/ssl

Server-keystore

ssl/server-keystore{id} (keys ['id'])

A base64 encoded PKCS12 file containing the server keys

Path :

/facilities/crypto/ssl/server-keystore{id}

Parameters:
  • id

    string

    (mandatory)

    The ID of the keystore. It is only used internally.

  • keystore

    non-empty-string

    (mandatory)

    Only show when certs are stored in config

  • type

    enumeration rsa, elliptic-curve, dsa, symmetric, eddsa

    (default: rsa)

    The type of key

  • stored-in-hardware-security-module

    boolean

    (default: false)

    Whether or not the key is stored in the HSM

Choice: size-or-curve
param size:

uint16

(default: 2048)

The key size (in bits)

param curve-name:
 

non-empty-string

(optional)

The name of the elliptic curve

param eddsa-curve-name:
 

non-empty-string

(optional)

The name of the EdDSA curve

Server-truststore

ssl/server-truststore

The server certificates that we trust

Path :/facilities/crypto/ssl/server-truststore
Server-certificate
ssl/server-truststore/server-certificate{id} (keys ['id'])
Path :

/facilities/crypto/ssl/server-truststore/server-certificate{id}

Parameters:
  • id

    string

    (mandatory)

    The ID of the keystore. It is only used internally.

  • keystore

    non-empty-string

    (mandatory)

    The keystore containing the keys

  • type

    enumeration rsa, elliptic-curve, dsa, symmetric, eddsa

    (default: rsa)

    The type of key

Choice: size-or-curve
param size:

uint16

(default: 2048)

The key size (in bits)

param curve-name:
 

non-empty-string

(optional)

The name of the elliptic curve

param eddsa-curve-name:
 

non-empty-string

(optional)

The name of the EdDSA curve

Client-truststore

ssl/client-truststore

The client certificates that we trust, as they are provided when setting up mutual TLS to Curity

Path :/facilities/crypto/ssl/client-truststore
Client-certificate
ssl/client-truststore/client-certificate{id} (keys ['id'])
Path :

/facilities/crypto/ssl/client-truststore/client-certificate{id}

Parameters:
  • id

    string

    (mandatory)

    The ID of the keystore. It is only used internally.

  • keystore

    non-empty-string

    (mandatory)

    The keystore containing the keys

  • type

    enumeration rsa, elliptic-curve, dsa, symmetric, eddsa

    (default: rsa)

    The type of key

Choice: size-or-curve
param size:

uint16

(default: 2048)

The key size (in bits)

param curve-name:
 

non-empty-string

(optional)

The name of the elliptic curve

param eddsa-curve-name:
 

non-empty-string

(optional)

The name of the EdDSA curve

Client-keystores

ssl/client-keystores

This keystore is used to manage the cryptographic material that can be used for client authentication using certificates.

Path :/facilities/crypto/ssl/client-keystores
Client-keystore
ssl/client-keystores/client-keystore{id} (keys ['id'])
Path :

/facilities/crypto/ssl/client-keystores/client-keystore{id}

Parameters:
  • id

    string

    (mandatory)

    The ID of the keystore. It is only used internally.

  • keystore

    non-empty-string

    (mandatory)

    Only show when certs are stored in config

  • type

    enumeration rsa, elliptic-curve, dsa, symmetric, eddsa

    (default: rsa)

    The type of key

  • stored-in-hardware-security-module

    boolean

    (default: false)

    Whether or not the key is stored in the HSM

Choice: size-or-curve
param size:

uint16

(default: 2048)

The key size (in bits)

param curve-name:
 

non-empty-string

(optional)

The name of the elliptic curve

param eddsa-curve-name:
 

non-empty-string

(optional)

The name of the EdDSA curve

Signing-keys

signing-keys

Keys used for signing tokens issued by this system

Path :/facilities/crypto/signing-keys

Signing-key

signing-keys/signing-key{id} (keys ['id'])
Path :

/facilities/crypto/signing-keys/signing-key{id}

Parameters:
  • id

    string

    (mandatory)

    The ID of the keystore. It is only used internally.

  • keystore

    non-empty-string

    (mandatory)

    Only show when certs are stored in config

  • type

    enumeration rsa, elliptic-curve, dsa, symmetric, eddsa

    (default: rsa)

    The type of key

  • stored-in-hardware-security-module

    boolean

    (default: false)

    Whether or not the key is stored in the HSM

  • external-id

    non-empty-string

    (optional)

    An optional external key id that is used when the key is published externally, e.g. as JWKS or referenced from a JWT. When not set, a key id is derived from the key.

Choice: size-or-curve
param size:

uint16

(default: 2048)

The key size (in bits)

param curve-name:
 

non-empty-string

(optional)

The name of the elliptic curve

param eddsa-curve-name:
 

non-empty-string

(optional)

The name of the EdDSA curve

Signature-verification-keys

signature-verification-keys

Keys used for verifying tokens issued by other systems

Path :/facilities/crypto/signature-verification-keys

Signature-verification-key

signature-verification-keys/signature-verification-key{id} (keys ['id'])
Path :

/facilities/crypto/signature-verification-keys/signature-verification-key{id}

Parameters:
  • id

    string

    (mandatory)

    The ID of the keystore. It is only used internally.

  • keystore

    non-empty-string

    (mandatory)

    The keystore containing the keys

  • type

    enumeration rsa, elliptic-curve, dsa, symmetric, eddsa

    (default: rsa)

    The type of key

  • external-id

    non-empty-string

    (optional)

    An optional external key id that is used when the key is published externally, e.g. as JWKS or referenced from a JWT. When not set, a key id is derived from the key.

Choice: size-or-curve
param size:

uint16

(default: 2048)

The key size (in bits)

param curve-name:
 

non-empty-string

(optional)

The name of the elliptic curve

param eddsa-curve-name:
 

non-empty-string

(optional)

The name of the EdDSA curve

Signer-truststores

signer-truststores

Trust roots used for signature verification for a specific purpose (e.g. verifying the signature of a SAML token issued by an upstream authentication provider).

Path :/facilities/crypto/signer-truststores

Issuer-certificate

signer-truststores/issuer-certificate{id} (keys ['id'])
Path :

/facilities/crypto/signer-truststores/issuer-certificate{id}

Parameters:
  • id

    string

    (mandatory)

    The ID of the keystore. It is only used internally.

  • keystore

    non-empty-string

    (mandatory)

    The keystore containing the keys

  • type

    enumeration rsa, elliptic-curve, dsa, symmetric, eddsa

    (default: rsa)

    The type of key

Choice: size-or-curve
param size:

uint16

(default: 2048)

The key size (in bits)

param curve-name:

non-empty-string

(optional)

The name of the elliptic curve

param eddsa-curve-name:

non-empty-string

(optional)

The name of the EdDSA curve

Encryption-keys

encryption-keys

Keys used for encryption

Path :/facilities/crypto/encryption-keys

Encryption-key

encryption-keys/encryption-key{id} (keys ['id'])
Path :

/facilities/crypto/encryption-keys/encryption-key{id}

Parameters:
  • id

    string

    (mandatory)

    The ID of the keystore. It is only used internally.

  • keystore

    non-empty-string

    (mandatory)

    Only show when certs are stored in config

  • type

    enumeration rsa, elliptic-curve, dsa, symmetric, eddsa

    (default: rsa)

    The type of key

  • stored-in-hardware-security-module

    boolean

    (default: false)

    Whether or not the key is stored in the HSM

  • external-id

    non-empty-string

    (optional)

    An optional external key id that is used when the key is published externally, e.g. as JWKS or referenced from a JWT. When not set, a key id is derived from the key.

Choice: size-or-curve
param size:

uint16

(default: 2048)

The key size (in bits)

param curve-name:

non-empty-string

(optional)

The name of the elliptic curve

param eddsa-curve-name:

non-empty-string

(optional)

The name of the EdDSA curve

Decryption-keys

decryption-keys

Keys used for decryption

Path :/facilities/crypto/decryption-keys

Decryption-key

decryption-keys/decryption-key{id} (keys ['id'])
Path :

/facilities/crypto/decryption-keys/decryption-key{id}

Parameters:
  • id

    string

    (mandatory)

    The ID of the keystore. It is only used internally.

  • keystore

    non-empty-string

    (mandatory)

    Only show when certs are stored in config

  • type

    enumeration rsa, elliptic-curve, dsa, symmetric, eddsa

    (default: rsa)

    The type of key

  • stored-in-hardware-security-module

    boolean

    (default: false)

    Whether or not the key is stored in the HSM

  • external-id

    non-empty-string

    (optional)

    An optional external key id that is used when the key is published externally, e.g. as JWKS or referenced from a JWT. When not set, a key id is derived from the key.

Choice: size-or-curve
param size:

uint16

(default: 2048)

The key size (in bits)

param curve-name:

non-empty-string

(optional)

The name of the elliptic curve

param eddsa-curve-name:

non-empty-string

(optional)

The name of the EdDSA curve

Credentials

credentials

A list of available credentials to be used by ‘services’

Path :/facilities/crypto/credentials

Credential

credentials/credential{id} (keys ['id'])
Path :

/facilities/crypto/credentials/credential{id}

Parameters:
  • id

    string

    (mandatory)

    The ID of this credential

  • username

    string

    (optional)

    The ID (i.e., username, user ID, key ID, etc.) of the key

  • password

    string

    (mandatory)

    The key value (i.e., password, secret, API key, etc.)

Certificate-alarms

certificate-alarms

Settings related to alarms for certificate expirations

Path :

/facilities/crypto/certificate-alarms

Parameters:
  • warning-threshold

    uint16

    (default: 30)

    The number of days before expiration from which a warning alarm is triggered. If set to 0 this alarm is disabled.

  • minor-threshold

    uint16

    (default: 14)

    The number of days before expiration from which a minor alarm is triggered. If set to 0 this alarm is disabled.

  • major-threshold

    uint16

    (default: 7)

    The number of days before expiration from which a major alarm is triggered. If set to 0 this alarm is disabled.

  • disable-critical

    boolean

    (default: false)

    Disable critical alarms when certificates are expired.

Caching-services

caching-services
Path :/facilities/caching-services
Parameters:rolling-session-period

int16

(default: 1800)

The number of seconds that a user’s authentication transaction session will roll for

Default-caching-service

caching-services/default-caching-service
Path :/facilities/caching-services/default-caching-service
Parameters:data-source

leafref /facilities/data-sources/data-source/id

(optional)

Data source used by the caching service to store sessions, nonces and other ephemeral data.

Client-attestation

client-attestation
Path :/facilities/client-attestation

Android-policy

client-attestation/android-policy{id} (keys ['id'])

Client Attestation Policy for Android Clients

Path :

/facilities/client-attestation/android-policy{id}

Parameters:
  • verify-boot-state

    boolean

    (default: true)

    Verify the Android device boot state. Disabling this check should only be done for automated testing purposes; this setting should not be set to ‘false’ in production environments.

  • minimum-security-level

    enumeration software, trusted-env, strong-box

    (default: trusted-env)

    The minimum security level allowed for an Android application to authenticate a user

  • id

    non-empty-string

    (mandatory)

  • haapi-access-token-ttl

    uint32

    (default: 600)

    The number of seconds a HAAPI access token will be valid when issued to clients using this policy.

Override-certificate-chain-validation

client-attestation/android-policy{id}/override-certificate-chain-validation
Path :/facilities/client-attestation/android-policy{id}/override-certificate-chain-validation
Choice: validation-strategy
param do-not-validate-certificate-chain:

empty

(optional)

Do not perform Android certificate chain validation. This is unsafe and should not be used in production environments.

Trust-anchors
client-attestation/android-policy{id}/override-certificate-chain-validation/trust-anchors
Path :/facilities/client-attestation/android-policy{id}/override-certificate-chain-validation/trust-anchors
Trust-anchor-certificate
client-attestation/android-policy{id}/override-certificate-chain-validation/trust-anchors/trust-anchor-certificate{id} (keys ['id'])

The Android trust-store certificates

Path :

/facilities/client-attestation/android-policy{id}/override-certificate-chain-validation/trust-anchors/trust-anchor-certificate{id}

Parameters:

Web-policy

client-attestation/web-policy{id} (keys ['id'])

Client Attestation Policy for Web Browser Clients

Path :

/facilities/client-attestation/web-policy{id}

Parameters:
  • disable-origin-verification

    boolean

    (default: false)

    Allow a browser client to obtain attestation from any origin. This setting should not be set to ‘true’ in production environments.

  • id

    non-empty-string

    (mandatory)

  • haapi-access-token-ttl

    uint32

    (default: 600)

    The number of seconds a HAAPI access token will be valid when issued to clients using this policy.

Ios-policy

client-attestation/ios-policy{id} (keys ['id'])

Client Attestation Policy for iOS Clients

Path :

/facilities/client-attestation/ios-policy{id}

Parameters:
  • mode

    enumeration production, non-production

    (default: production)

    Whether the iOS app is built for production or development

  • id

    non-empty-string

    (mandatory)

  • haapi-access-token-ttl

    uint32

    (default: 600)

    The number of seconds a HAAPI access token will be valid when issued to clients using this policy.

Override-certificate-chain-validation

client-attestation/ios-policy{id}/override-certificate-chain-validation
Path :/facilities/client-attestation/ios-policy{id}/override-certificate-chain-validation
Choice: validation-strategy
param do-not-validate-certificate-chain:

empty

(optional)

Do not perform iOS certificate chain validation. This is unsafe and should not be used in production environments.

Trust-anchors
client-attestation/ios-policy{id}/override-certificate-chain-validation/trust-anchors
Path :/facilities/client-attestation/ios-policy{id}/override-certificate-chain-validation/trust-anchors
Trust-anchor-certificate
client-attestation/ios-policy{id}/override-certificate-chain-validation/trust-anchors/trust-anchor-certificate{id} (keys ['id'])

The iOS trust-store certificates

Path :

/facilities/client-attestation/ios-policy{id}/override-certificate-chain-validation/trust-anchors/trust-anchor-certificate{id}

Parameters:

Processing

processing

Processing functions that provide extension points for issuance and validation

Path :/processing
Parameters:license-key

string

(default: )

The license key

Token-procedure

procedures/token-procedure{id, flow} (keys ['id', 'flow'])

Token procedures that issue tokens

Path :

/processing/procedures/token-procedure{id, flow}

Parameters:
  • id

    string

    (mandatory)

  • flow

    union

    (mandatory)

  • script

    script

    (mandatory)

    A JavaScript procedure that can be used to issue tokens. It should be base-64 encoded to avoid encoding issues

Global-script

procedures/global-script{id} (keys ['id'])

Scripts that provide functions that will be available in all procedures

Path :

/processing/procedures/global-script{id}

Parameters:
  • id

    string

    (mandatory)

  • script

    script

    (mandatory)

    JavaScript code containing global functions. It should be base-64 encoded to avoid encoding issues

Validation-procedure

procedures/validation-procedure{id} (keys ['id'])

Procedures used to validate input data

Path :

/processing/procedures/validation-procedure{id}

Parameters:
  • id

    string

    (mandatory)

  • script

    script

    (mandatory)

    A JavaScript procedure that can be used to validate data. It should be base-64 encoded to avoid encoding issues

  • type

    enumeration request

    (default: request)

Transformation-procedure

procedures/transformation-procedure{id} (keys ['id'])

Procedures used to transform a map of data into another map of data. A specialized version of this is name transformation, where the input data contains a subject and the output contains a transformed version of that subject.

Path :

/processing/procedures/transformation-procedure{id}

Parameters:
  • id

    string

    (mandatory)

  • script

    script

    (mandatory)

    A JavaScript procedure that can be used to transform attributes. It should be base-64 encoded to avoid encoding issues

Filter-procedure

procedures/filter-procedure{id} (keys ['id'])

Procedures used for filtering. The procedure’s result function should return a boolean where true means keep. A common use of filter procedures is to filter authenticators for OAuth clients or Service Providers.

Path :

/processing/procedures/filter-procedure{id}

Parameters:
  • id

    string

    (mandatory)

  • script

    script

    (mandatory)

    A JavaScript procedure that can be used to filter items. It should be base-64 encoded to avoid encoding issues

  • type

    enumeration authenticator

    (default: authenticator)

    The type of the items filtered by this filter.

Event-listener-procedure

procedures/event-listener-procedure{id} (keys ['id'])

The Event procedures are used with event listeners to execute code on certain events such as authentication complete or system started

Path :

/processing/procedures/event-listener-procedure{id}

Parameters:
  • id

    string

    (mandatory)

  • script

    script

    (mandatory)

    A JavaScript procedure that can handle events. It should be base-64 encoded to avoid encoding issues

Claims-provider-procedure

procedures/claims-provider-procedure{id} (keys ['id'])

Procedure used to provide values for claims

Path :

/processing/procedures/claims-provider-procedure{id}

Parameters:
  • id

    string

    (mandatory)

  • script

    script

    (mandatory)

    A JavaScript procedure that can be used to set values for claims

Credential-transformation-procedure

procedures/credential-transformation-procedure{id} (keys ['id'])

Procedures used by credential managers to transform the password

Path :

/processing/procedures/credential-transformation-procedure{id}

Parameters:
  • id

    string

    (mandatory)

    The name or id of the procedure

  • script

    script

    (mandatory)

    A JavaScript procedure that can transform/hash a password

Pre-processing-procedure

procedures/pre-processing-procedure{id} (keys ['id'])

Pre-processing script applied for specific endpoints

Path :

/processing/procedures/pre-processing-procedure{id}

Parameters:
  • id

    string

    (mandatory)

    The name or id of the procedure

  • script

    script

    (mandatory)

    A JavaScript procedure that can enrich/transform the request

Post-processing-procedure

procedures/post-processing-procedure{id} (keys ['id'])

Post-processing script applied for specific endpoints

Path :

/processing/procedures/post-processing-procedure{id}

Parameters:
  • id

    string

    (mandatory)

    The name or id of the procedure

  • script

    script

    (mandatory)

    A JavaScript procedure that is executed after processing the request and before sending the response

Authorization-manager

authorization-manager (keys: ['id'])

Authorization managers can be used to make enquiries about access control decisions.

Path :/processing/authorization-managers/authorization-manager{id}
Parameters:id

string

(mandatory)

This is the unique id of the authorization manager

Choice: authorization-manager-type

Option: scopes

Policies

scopes/policies
Path :/processing/authorization-managers/authorization-manager{id}/scopes/policies

Policy

scopes/policies/policy{action} (keys ['action'])

The ordered list of applicable rules of the policy; processing will stop once the list is completely traversed or an allow decision is reached

Path :

/processing/authorization-managers/authorization-manager{id}/scopes/policies/policy{action}

Parameters:
  • action

    identityref

    (mandatory)

    The action that is being performed which requires authorization

  • combine-rules-by

    enumeration overriding-with-deny, overriding-with-allow, using-first-applicable, allow-unless-deny

    (default: overriding-with-deny)

    How rules should be combined when multiple ones are defined and evaluated

Rules
scopes/policies/policy{action}/rules{id} (keys ['id'])

A condition that stipulates whether all scopes or any must be provided in order to arrive at an authorization decision

Path :

/processing/authorization-managers/authorization-manager{id}/scopes/policies/policy{action}/rules{id}

Parameters:
  • id

    non-empty-string

    (mandatory)

  • authorization-decision

    enumeration allow, deny, not-applicable

    (default: not-applicable)

    The resulting authorization decision to use when any of the scopes in this condition are included in the authorization request

  • applicability

    enumeration any-of, all-of

    (default: any-of)

    Whether the rule should apply when all or any scopes match the ones for this rule

  • scope

    union

    (multi-value) (optional)

    The set of scopes that are considered for this rule
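The following is an added example, not Curity's code, showing how a scopes authorization manager with the policy, rule and combine-rules-by settings above can be evaluated against the scopes of a request. It assumes the combining strategies follow the XACML algorithms their names suggest (deny-overrides, permit-overrides, first-applicable, permit-unless-deny) and that a rule with no scopes never applies; the sample manager is constructed for the example.

```javascript
// Added example, not Curity's code: evaluates a scope-based authorization
// manager as described above. The combining semantics are assumed to follow
// the XACML algorithms the enumeration names suggest.

// Decision of a single rule: its authorization-decision when the request
// scopes satisfy the rule's applicability, otherwise not-applicable.
function ruleDecision(rule, requestScopes) {
  const wanted = rule.scope || [];
  if (wanted.length === 0) return 'not-applicable'; // assumption: no scopes, never applies
  const have = new Set(requestScopes);
  const hits = wanted.filter((s) => have.has(s)).length;
  const applies = (rule.applicability || 'any-of') === 'all-of'
    ? hits === wanted.length
    : hits > 0;
  return applies ? (rule['authorization-decision'] || 'not-applicable') : 'not-applicable';
}

// combine-rules-by over the per-rule decisions, in configured order.
function combineDecisions(decisions, strategy) {
  const hasDeny = decisions.includes('deny');
  const hasAllow = decisions.includes('allow');
  switch (strategy) {
    case 'overriding-with-deny':   // any deny wins, then any allow
      return hasDeny ? 'deny' : hasAllow ? 'allow' : 'not-applicable';
    case 'overriding-with-allow':  // any allow wins, then any deny
      return hasAllow ? 'allow' : hasDeny ? 'deny' : 'not-applicable';
    case 'using-first-applicable': // first rule that produced a decision
      return decisions.find((d) => d !== 'not-applicable') || 'not-applicable';
    case 'allow-unless-deny':      // fail open unless some rule denies
      return hasDeny ? 'deny' : 'allow';
    default:
      throw new Error('unknown combine-rules-by: ' + strategy);
  }
}

// Looks up the policy for the requested action; no policy means no decision.
function authorizeScopes(manager, action, requestScopes) {
  const policy = manager.policies.find((p) => p.action === action);
  if (!policy) return 'not-applicable';
  const decisions = policy.rules.map((r) => ruleDecision(r, requestScopes));
  return combineDecisions(decisions, policy['combine-rules-by'] || 'overriding-with-deny');
}

// Constructed sample configuration (not taken from the reference).
const SAMPLE_SCOPE_MANAGER = {
  id: 'scopes-am',
  policies: [
    {
      action: 'read-account',
      'combine-rules-by': 'overriding-with-deny',
      rules: [
        { id: 'readers', applicability: 'any-of', scope: ['accounts:read', 'admin'],
          'authorization-decision': 'allow' },
        { id: 'no-suspended', applicability: 'any-of', scope: ['suspended'],
          'authorization-decision': 'deny' },
      ],
    },
    {
      action: 'delete-account',
      'combine-rules-by': 'using-first-applicable',
      rules: [
        { id: 'needs-both', applicability: 'all-of', scope: ['accounts:write', 'admin'],
          'authorization-decision': 'allow' },
        { id: 'fallback-deny', applicability: 'any-of', scope: ['accounts:write', 'admin'],
          'authorization-decision': 'deny' },
      ],
    },
  ],
};

console.log(authorizeScopes(SAMPLE_SCOPE_MANAGER, 'read-account', ['accounts:read', 'suspended']));
```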

Option: groups

Groups

groups
Path :/processing/authorization-managers/authorization-manager{id}/groups
Parameters:scope

union

(multi-value) (optional)

A set of scopes required in the context to authorize this request. All scopes in the list are required

Group

groups/group{name} (keys ['name'])

User groups that are allowed access. Users with multiple groups get access to the combination of all access granted by each group.

Path :/processing/authorization-managers/authorization-manager{id}/groups/group{name}
Parameters:name

non-empty-string

(mandatory)

The name of this group. A wildcard ‘*’ value includes users belonging to any groups, including no groups at all.

Allows
groups/group{name}/allows

Operations allowed for users in this group.

Path :/processing/authorization-managers/authorization-manager{id}/groups/group{name}/allows
Create
groups/group{name}/allows/create
Path :/processing/authorization-managers/authorization-manager{id}/groups/group{name}/allows/create
Read
groups/group{name}/allows/read
Path :/processing/authorization-managers/authorization-manager{id}/groups/group{name}/allows/read
Update
groups/group{name}/allows/update
Path :/processing/authorization-managers/authorization-manager{id}/groups/group{name}/allows/update
Delete
groups/group{name}/allows/delete
Path :/processing/authorization-managers/authorization-manager{id}/groups/group{name}/allows/delete

Option: attribute

Attribute

attribute
Path :/processing/authorization-managers/authorization-manager{id}/attribute

Rule-list

attribute/rule-list{name} (keys ['name'])

The list of rule-lists that the attribute authorization manager should evaluate. The first matching rule-list is applied. If no rule-list matches, the not_applicable authorization result is used.

Path :

/processing/authorization-managers/authorization-manager{id}/attribute/rule-list{name}

Parameters:
  • name

    string

    (mandatory)

    The name of the rule-list. Must be unique within the configuration.

  • description

    string

    (optional)

    The description of the rule-list.

Enforcement-restrictions
attribute/rule-list{name}/enforcement-restrictions

Enforcement restrictions for the rule-list.

Path :

/processing/authorization-managers/authorization-manager{id}/attribute/rule-list{name}/enforcement-restrictions

Parameters:
  • default-allow-read

    boolean

    (default: false)

    The decision to be used for read operations when no rule is matched in the rule-list.

  • default-allow-write

    boolean

    (default: false)

    The decision to be used for write (includes create, update and delete) operations when no rule is matched in the rule-list.

  • require-subject-match

    boolean

    (default: true)

    Whether the subject in the token has to match the subject used in the request. When set to ‘true’ only requests operating on ‘self’ will be allowed.

Rule
attribute/rule-list{name}/rule{name} (keys ['name'])

The list of rules to evaluate. Once the first matched rule-list is picked, only rules from that rule-list are evaluated. The first matched rule is applied. If no rule matches, enforcement restrictions are applied.

Path :

/processing/authorization-managers/authorization-manager{id}/attribute/rule-list{name}/rule{name}

Parameters:
  • name

    string

    (mandatory)

    The name of the rule. Must be unique within the rule-list.

  • decision

    enumeration allow, deny

    (mandatory)

    The decision to be used when the rule is applied.

  • description

    string

    (optional)

    The description of the rule.

  • access-operation

    enumeration create, read, update, delete

    (multi-value) (optional)

    The list of access operations. The rule will be applied only for these operations.

  • attribute

    string

    (multi-value) (optional)

    The list of attributes. The rule will be applied only for these attributes. Free text is also supported in addition to the provided values. If a provided attribute has nested sub-attributes, they will be matched too.

Select-rule-list-when
attribute/rule-list{name}/select-rule-list-when

Requirements used to find matching rule-lists. All requirements must be satisfied in order for the rule-list to apply.

Path :/processing/authorization-managers/authorization-manager{id}/attribute/rule-list{name}/select-rule-list-when
Claim-requirement
attribute/rule-list{name}/select-rule-list-when/claim-requirement{name} (keys ['name'])

The list of claim requirements to be used when evaluating which rule-list is going to be applied.

Path :

/processing/authorization-managers/authorization-manager{id}/attribute/rule-list{name}/select-rule-list-when/claim-requirement{name}

Parameters:
  • name

    string

    (mandatory)

    The name of the claim to be used when evaluating which rule-list is going to be applied.

  • applicability

    enumeration all-of, any-of

    (default: all-of)

    Whether all of the claim values must be present, or whether any one of them is sufficient, for the rule-list to apply.

  • value

    string

    (multi-value) (optional)

    The list of claim values to be used when evaluating which rule-list is going to be applied.

  • context-requirement

    enumeration dcr-graphql, user-management-graphql, user-management-scim, db-clients, openid-userinfo

    (multi-value) (optional)

    The list of contexts the rule-list is relevant in. The rule-list is going to be matched only in these contexts.

Scope-requirement
attribute/rule-list{name}/select-rule-list-when/scope-requirement

The optional scope requirement to be used when evaluating which rule-list is going to be applied.

Path :

/processing/authorization-managers/authorization-manager{id}/attribute/rule-list{name}/select-rule-list-when/scope-requirement

Parameters:
  • applicability

    enumeration all-of, any-of

    (default: all-of)

    Whether all of the scopes must be present, or whether any one of them is sufficient, for the rule-list to apply.

  • scope

    string

    (multi-value) (optional)

    The list of scopes to be used when evaluating which rule-list is going to be applied.
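As an added example, not Curity's code, the evaluation order described for the attribute authorization manager (select the first matching rule-list, then the first matching rule, then the enforcement restrictions) can be written out as follows. It assumes a request carries the context, operation, attribute, the subject it operates on, the token subject and the token's claims and scopes; that an empty value list in a claim requirement only demands the claim be present; and that require-subject-match is checked as part of the enforcement restrictions. The sample manager and requests are constructed.

```javascript
// Added example, not Curity's code: evaluates an attribute authorization
// manager configured as in the rule-list reference above. Where the reference
// is silent, the assumed behaviour is marked in comments.

const WRITE_OPERATIONS = new Set(['create', 'update', 'delete']);

// all-of / any-of matching of required values against the values present.
// Assumption: an empty required list only demands that a value be present.
function valuesSatisfy(required, present, applicability) {
  if (required.length === 0) return present.length > 0;
  const have = new Set(present);
  const hits = required.filter((v) => have.has(v)).length;
  return applicability === 'any-of' ? hits > 0 : hits === required.length;
}

// select-rule-list-when: every claim-requirement (with its context-requirement)
// and the optional scope-requirement must be satisfied.
function ruleListSelected(ruleList, req) {
  const when = ruleList['select-rule-list-when'] || {};
  for (const cr of when['claim-requirement'] || []) {
    const contexts = cr['context-requirement'] || [];
    if (contexts.length > 0 && !contexts.includes(req.context)) return false;
    const present = req.claims[cr.name];
    if (present === undefined) return false;
    if (!valuesSatisfy(cr.value || [], [].concat(present), cr.applicability || 'all-of')) return false;
  }
  const sr = when['scope-requirement'];
  if (sr && !valuesSatisfy(sr.scope || [], req.scopes, sr.applicability || 'all-of')) return false;
  return true;
}

// A rule attribute also covers its nested sub-attributes ('name' covers 'name.givenName').
function ruleMatches(rule, req) {
  const ops = rule['access-operation'] || [];
  if (ops.length > 0 && !ops.includes(req.operation)) return false;
  const attrs = rule.attribute || [];
  return attrs.length === 0 || attrs.some((a) => req.attribute === a || req.attribute.startsWith(a + '.'));
}

// First matching rule-list, then first matching rule, else enforcement-restrictions.
// Assumption: require-subject-match is applied as one of those restrictions.
function authorizeAttribute(manager, req) {
  const ruleList = manager['rule-list'].find((rl) => ruleListSelected(rl, req));
  if (!ruleList) return 'not-applicable';
  const rule = (ruleList.rule || []).find((r) => ruleMatches(r, req));
  if (rule) return rule.decision;
  const er = ruleList['enforcement-restrictions'] || {};
  if (er['require-subject-match'] !== false && req.subject !== req.tokenSubject) return 'deny';
  const allowed = WRITE_OPERATIONS.has(req.operation)
    ? er['default-allow-write'] === true
    : er['default-allow-read'] === true;
  return allowed ? 'allow' : 'deny';
}

// Constructed sample manager: staff may manage anything except passwords;
// anyone with the 'profile' scope may read their own record and rename themselves.
const SAMPLE_ATTRIBUTE_MANAGER = {
  id: 'attribute-am',
  'rule-list': [
    {
      name: 'staff',
      'select-rule-list-when': {
        'claim-requirement': [{
          name: 'roles', applicability: 'any-of', value: ['admin', 'support'],
          'context-requirement': ['user-management-scim', 'user-management-graphql'],
        }],
      },
      'enforcement-restrictions': {
        'default-allow-read': true, 'default-allow-write': true, 'require-subject-match': false,
      },
      rule: [{ name: 'never-touch-password', decision: 'deny', attribute: ['password'] }],
    },
    {
      name: 'self-service',
      'select-rule-list-when': { 'scope-requirement': { applicability: 'all-of', scope: ['profile'] } },
      'enforcement-restrictions': {
        'default-allow-read': true, 'default-allow-write': false, 'require-subject-match': true,
      },
      rule: [{ name: 'edit-own-name', decision: 'allow', 'access-operation': ['update'], attribute: ['name'] }],
    },
  ],
};

// Constructed request shape: who asks (tokenSubject), about whom (subject), in which context.
function sampleRequest(overrides) {
  return Object.assign({
    context: 'user-management-scim', operation: 'read', attribute: 'emails',
    subject: 'alice', tokenSubject: 'alice', claims: {}, scopes: [],
  }, overrides);
}
```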

Event-listener

event-listener (keys: ['id'])

An event listener is a component that will handle certain kinds of events that occur in the system. These can include login, account creation, activation, and more.

Path :/processing/event-listeners/event-listener{id}
Parameters:id

string

(mandatory)

Choice: event-listener-type

Audit-to-data-source

audit-to-data-source

Stores each auditable event in the designated data source

Path :/processing/event-listeners/event-listener{id}/audit-to-data-source
Parameters:data-source

leafref /facilities/data-sources/data-source/id

(optional)

The data source to store the audit event in

Option: script-event-listener

Script-event-listener

script-event-listener

Executes the procedure when the events are triggered

Path :/processing/event-listeners/event-listener{id}/script-event-listener
Parameters:procedure

leafref /base:processing/base:procedures/base:event-listener-procedure/base:id

(mandatory)

The procedure to run on events

Webservice

script-event-listener/webservice

Enable and configure this if the procedure needs access to a web service in its context.

Path :

/processing/event-listeners/event-listener{id}/script-event-listener/webservice

Parameters:
  • hostname

    host

    (mandatory)

    Sets the hostname or IP address of the web service, e.g. ‘localhost’ or ‘127.0.0.1’

  • port

    port-number

    (default: 80)

    Sets the port of the web service, e.g. 80 or 443.

  • context

    string

    (default: /)

    Sets the main context path of the web service, e.g. ‘/scim’.

  • http-client

    leafref /base:facilities/base:http/base:client/base:id

    (mandatory)

    A reference to the Http Client

Sms-sender

script-event-listener/sms-sender

Enable and configure this if the procedure needs access to an sms-sender in its context

Path :/processing/event-listeners/event-listener{id}/script-event-listener/sms-sender
Parameters:id

leafref /base:facilities/base:sms-providers/base:sms-provider/base:id

(mandatory)

A reference to the SMS-Provider

Email-sender

script-event-listener/email-sender

Enable and configure this if the procedure needs access to an email-sender in its context

Path :/processing/event-listeners/event-listener{id}/script-event-listener/email-sender
Parameters:id

leafref /base:facilities/base:email-providers/base:email-provider/base:id

(mandatory)

A reference to the Email-Provider

Account-manager

script-event-listener/account-manager

Enable and configure this if the procedure needs access to an account-manager in its context

Path :/processing/event-listeners/event-listener{id}/script-event-listener/account-manager
Parameters:id

leafref /base:processing/base:account-managers/base:account-manager/base:id

(mandatory)

A reference to an Account Manager

Bucket

script-event-listener/bucket

Enable and configure this to let the procedure use buckets for storing and reading arbitrary data

Path :/processing/event-listeners/event-listener{id}/script-event-listener/bucket
Parameters:data-source

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

A reference to a data source

Account-manager

account-managers/account-manager{id} (keys ['id'])

Account managers manage all communication with the data layers on behalf of the account, such as creating and updating the account.

Path :

/processing/account-managers/account-manager{id}

Parameters:
  • id

    string

    (mandatory)

    The given ID of an account manager instance

  • username-is-email

    boolean

    (default: false)

    When this is set to true, the username attribute of the account will be considered the primary email. This will make the search based on email use the same method as search by username. Cannot be used with the account source being Active Directory, since that requires a username that is not an email.

  • account-data-source

    leafref /base:facilities/base:data-sources/base:data-source/base:id

    (mandatory)

    A data source for the account-manager, used to provide account info to authentication methods, i.e. a phone number or email. If this is not configured, only the credential is possible.

  • device-data-source

    leafref /base:facilities/base:data-sources/base:data-source/base:id

    (optional)

    The ID of the devices data-source. If not set and an account data source has been configured, then that data source will be used to fetch devices.

Enable-registration

account-managers/account-manager{id}/enable-registration
Path :

/processing/account-managers/account-manager{id}/enable-registration

Parameters:
  • account-verification-method

    enumeration no-verification, email-verification, totp-email-verification

    (mandatory)

    If the account should be verified, this is the verification method to be used

  • max-verification-period

    int32

    (default: 1140)

    The maximum period of time (in seconds) that an activation will be valid for. Defaults to 19 minutes, which is inspired by regarding the activation code as a nonce, whose lifetime should not be longer than necessary.

  • set-password-after-activation

    boolean

    (default: false)

    When this is set to true, the user will not be able to set the password during registration; instead, the user will be asked to set the password after opening the activation page. When set to true the variable $_showPasswordFields will be set to false in the registration templates. The same variable will also be available in the activation templates but with the opposite value.

  • email-provider

    leafref /facilities/email-providers/email-provider/id

    (optional)

    Optional email-provider to use when using email as part of the registration procedure. This overrides the default email provider that is configured for the zone.

Credential-manager

credential-manager (keys: ['id'])

Credential managers communicate with backend systems to validate and manage credentials

Path :

/processing/credential-managers/credential-manager{id}

Parameters:
  • id

    string

    (mandatory)

    This is the unique id of the credential manager

  • min-time-on-fail

    uint32

    (default: 1500)

    The number of milliseconds that a failed attempt to verify a credential is guaranteed to take. This provides an option to prevent brute force credential guessing attempts, or it could provide a way to hide how long it really took to verify a credential, mitigating side channel timing leaks.

Credential-verification-type

credential-verification-type

The type of credential verification to be performed

Path :/processing/credential-managers/credential-manager{id}/credential-verification-type

Choice: credential-type

Choose one and only one of the credential verification types

param any:

empty

(optional)

Use the credential manager for any kind of verification

Client-credentials-only

credential-verification-type/client-credentials-only

This section determines how credentials are verified when the credential manager is used for client credential verification.

Path :/processing/credential-managers/credential-manager{id}/credential-verification-type/client-credentials-only
Choice: verification-strategy

The options for how to verify credentials

param verify-using-all-algorithms:

empty

(optional)

Match the stored password against the ShaCrypt password format and use the appropriate algorithm. E.g. if the stored value starts with $5$ then pick SHA-256, and if it starts with $6$ then pick SHA-512, etc.

param verify-using-single-algorithm:

empty

(optional)

Only use the selected algorithm when matching passwords.

Choice: algorithm

Choose one and only one of the algorithms to use with the credential-manager

Plaintext

plaintext

Specifies that the input will be matched verbatim without any transformation

Path :/processing/credential-managers/credential-manager{id}/plaintext

Bcrypt

BCrypt
Path :/processing/credential-managers/credential-manager{id}/BCrypt
Parameters:cost

uint32

(default: 10)

Specifies the key expansion iteration count as a power of two. For example, cost 10 indicates 2^10 key expansion rounds. Keep in mind that increasing the cost will greatly increase the complexity and the processing time when creating or validating passwords.

Phpass

phpass

MD5-based salted and variable iteration count password hashes

Path :/processing/credential-managers/credential-manager{id}/phpass
Parameters:iterations

uint32

(default: 8)

Specifies the number of iterations the PHPass algorithm does for password hashing. Keep in mind that increasing the cost will greatly increase the complexity and the processing time when creating or validating passwords.

Sha2withsha256

Sha2WithSha256
Path :

/processing/credential-managers/credential-manager{id}/Sha2WithSha256

Parameters:
  • rounds

    uint32

    (default: 20000)

    The number of times the SHA-256 hash function will be applied

  • salt

    string

    (optional)

    A predefined salt. If left empty the salt will be generated for each password (recommended)

Sha2withsha512

Sha2WithSha512
Path :

/processing/credential-managers/credential-manager{id}/Sha2WithSha512

Parameters:
  • rounds

    uint32

    (default: 20000)

    The number of times the SHA-512 hash function will be applied

  • salt

    string

    (optional)

    A predefined salt. If left empty the salt will be generated for each password (recommended)

Pbkdf2

PBKDF2

PBKDF2 algorithm as defined in https://www.ietf.org/rfc/rfc2898.txt, using ‘Modular Crypt Format’ as the encoding format

Path :

/processing/credential-managers/credential-manager{id}/PBKDF2

Parameters:
  • iteration-count

    uint32

    (default: 600000)

    The iteration count provided to the PBKDF2 algorithm, sometimes also referred to as rounds

  • salt-length

    uint16

    (default: 32)

    The salt size in bytes

  • prf

    enumeration hmac-sha-256, hmac-sha-512

    (default: hmac-sha-256)

    The PRF (pseudo random function) to use

Credential-transformation-procedure

credential-transformation-procedure

Specifies that a procedure should be used to transform the credential

Path :/processing/credential-managers/credential-manager{id}/credential-transformation-procedure
Parameters:procedure

leafref /processing/procedures/credential-transformation-procedure/id

(mandatory)

The credential transformation procedure to use for password hashing

Choice: data-source

Data-source-backed

data-source-backed

The data source used to store the credential that the manager will verify and update.

Path :/processing/credential-managers/credential-manager{id}/data-source-backed
Parameters:data-source-id

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

The data source to be used

Check-account-status

data-source-backed/check-account-status

Configures the credential manager to additionally check the status of user accounts, using the provided subject as the username. Credentials are deemed invalid for inactive accounts. Refer to the documentation of each Data Source to determine when this may be needed.

Path :/processing/credential-managers/credential-manager{id}/data-source-backed/check-account-status
Parameters:account-data-source

leafref /base:facilities/base:data-sources/base:data-source/base:id

(mandatory)

Data source used to lookup accounts.

Config-backed

config-backed

Users are created here by the admin; this is primarily for debug/test purposes.

Path :/processing/credential-managers/credential-manager{id}/config-backed

Users

config-backed/users{username} (keys ['username'])

The list of users that can be verified

Path :

/processing/credential-managers/credential-manager{id}/config-backed/users{username}

Parameters:
  • username

    string

    (mandatory)

  • password

    string

    (optional)

Credential-policy

credential-policy
Path :

/processing/credential-managers/credential-manager{id}/credential-policy

Parameters:
  • policy

    leafref /processing/credential-policies/credential-policy/id

    (mandatory)

    The policy to use when handling credentials.

  • credential-attributes-store

    leafref /base:facilities/base:data-sources/base:data-source/base:id

    (optional)

    Optional bucket to store Credential Policy state. Required when the credential manager data source does not support storing credential attributes. Refer to the documentation of each Data Source to determine when this may be needed.

Credential-policies

credential-policies
Path :/processing/credential-policies

Credential-policy

credential-policies/credential-policy{id} (keys ['id'])
Path :/processing/credential-policies/credential-policy{id}
Parameters:id

string

(mandatory)

Complexity

credential-policies/credential-policy{id}/complexity

Enable password complexity rules. If a password doesn’t meet the configured requirements, any password update will be denied.

Path :

/processing/credential-policies/credential-policy{id}/complexity

Parameters:
  • min-length

    uint16

    (optional)

    The minimum length that a password must have.

  • min-lower-case-characters

    uint16

    (optional)

    The minimum number of lower case characters that a password must contain.

  • min-upper-case-characters

    uint16

    (optional)

    The minimum number of upper case characters that a password must contain.

  • min-digits

    uint16

    (optional)

    The minimum number of digit characters that a password must contain.

  • min-special-characters

    uint16

    (optional)

    The minimum number of special characters that a password must contain.

  • min-unique-characters

    uint16

    (optional)

    The minimum number of unique characters that a password must contain.

  • max-sequence

    uint16

    (optional)

    The maximum number of sequential characters that a password may contain. The considered character sequences are: english alphabet, numerical, and letters of the QWERTY keyboard layout. Validation is case-insensitive and considers reverse order.
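As an added example, not taken from the product or from this reference, the following Python checks a candidate password against every complexity parameter listed above and returns the rules it violates, including max-sequence evaluated against the English alphabet, the digits and the QWERTY letter rows, case-insensitively and in both directions as the description requires. The ComplexityPolicy class, the choice of the three QWERTY letter rows, and the definition of a "special" character as a printable character that is neither alphanumeric nor whitespace are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Sequences considered by max-sequence. The three QWERTY letter rows are an
# assumption about what "letters of the QWERTY keyboard layout" covers; the
# keyboard's digit row is already covered by the numerical sequence.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
SEQUENCE_SOURCES = (ALPHABET, DIGITS) + QWERTY_ROWS

def longest_sequence(password: str) -> int:
    """Length of the longest run in `password` that appears contiguously in one
    of the source sequences, forwards or reversed. Case-insensitive."""
    pw = password.lower()
    best = 0
    for source in SEQUENCE_SOURCES:
        for seq in (source, source[::-1]):          # "abcd" and "dcba" both count
            for start in range(len(pw)):
                end = start + 1
                while end <= len(pw) and pw[start:end] in seq:
                    end += 1
                best = max(best, end - 1 - start)   # last slice that was still in seq
    return best

@dataclass
class ComplexityPolicy:
    """One credential-policy/complexity container; None means the rule is not configured."""
    min_length: Optional[int] = None
    min_lower_case_characters: Optional[int] = None
    min_upper_case_characters: Optional[int] = None
    min_digits: Optional[int] = None
    min_special_characters: Optional[int] = None
    min_unique_characters: Optional[int] = None
    max_sequence: Optional[int] = None

def _is_special(c: str) -> bool:
    # assumption: printable, not a letter or digit, not whitespace
    return c.isprintable() and not c.isalnum() and not c.isspace()

def complexity_violations(password: str, policy: ComplexityPolicy) -> List[str]:
    """Return the list of violated rules; an empty list means the update is allowed."""
    violations: List[str] = []

    def require(name: str, actual: int, minimum: Optional[int]) -> None:
        if minimum is not None and actual < minimum:
            violations.append(f"{name}: {actual} < {minimum}")

    require("min-length", len(password), policy.min_length)
    require("min-lower-case-characters", sum(c.islower() for c in password),
            policy.min_lower_case_characters)
    require("min-upper-case-characters", sum(c.isupper() for c in password),
            policy.min_upper_case_characters)
    require("min-digits", sum(c.isdigit() for c in password), policy.min_digits)
    require("min-special-characters", sum(_is_special(c) for c in password),
            policy.min_special_characters)
    require("min-unique-characters", len(set(password)), policy.min_unique_characters)
    if policy.max_sequence is not None:
        run = longest_sequence(password)
        if run > policy.max_sequence:
            violations.append(f"max-sequence: {run} > {policy.max_sequence}")
    return violations
```

Returning every violated rule rather than stopping at the first lets the credential-update flow show the user all the problems with a candidate at once; the check itself must run server-side, since the policy denies the update regardless of what a client pre-validated.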

Temporary-lockout

credential-policies/credential-policy{id}/temporary-lockout

Enable temporary lockout after a number of failed attempts.

Path :

/processing/credential-policies/credential-policy{id}/temporary-lockout

Parameters:
  • failed-attempts

    uint8

    (default: 5)

    Number of failed attempts the user may make before the credential is temporarily locked out.

  • duration

    uint32

    (default: 300)

    The time in seconds the user should not be able to use the credential.

Aging

credential-policies/credential-policy{id}/aging

Enable maximum password age. When a password is older than allowed, any access attempt is denied and a new password must be set.

Path :

/processing/credential-policies/credential-policy{id}/aging

Parameters:
  • max-age

    uint16

    (default: 90)

    The number of days a password is allowed to be used.

  • notification-period

    uint16

    (optional)

    If a password expires in less than the configured number of days, additional details about the upcoming expiry are added to credential verification results. Note that it is up to consumers of the Credential Manager services to actually use that additional information.

History

credential-policies/credential-policy{id}/history

Enable password history when setting new passwords.

Path :

/processing/credential-policies/credential-policy{id}/history

Parameters:
  • length

    uint8

    (default: 3)

    The number of passwords to keep in history, i.e. the number of unique passwords that must be used before one can be reused.

  • remove-older-than

    uint16

    (optional)

    The number of days a password is kept in history since it was set.
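Temporary-lockout, aging and history are all state kept per credential (the state that credential-policy/credential-attributes-store exists to hold). The Python below, added here as an example and not product code, runs the three rules over a small in-memory state: it counts failed attempts and locks the credential for `duration` seconds once `failed-attempts` is reached, denies verification once the password is `max-age` days old and reports the days left when inside the `notification-period`, and rejects a new password found among the last `length` passwords unless `remove-older-than` has pruned it from history. The CredentialState and CredentialPolicy classes, the integer epoch timestamps, the reset of the failure counter when a lockout begins, and the SHA-256 stand-in for the credential manager's real password hash are assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DAY = 86400  # seconds; max-age, notification-period and remove-older-than are in days

@dataclass
class CredentialPolicy:
    failed_attempts: int = 5                    # temporary-lockout/failed-attempts
    duration: int = 300                         # temporary-lockout/duration (seconds)
    max_age: int = 90                           # aging/max-age (days)
    notification_period: Optional[int] = None   # aging/notification-period (days)
    history_length: int = 3                     # history/length
    remove_older_than: Optional[int] = None     # history/remove-older-than (days)

@dataclass
class CredentialState:
    """Per-credential policy state, i.e. what a credential-attributes-store would persist (assumed layout)."""
    password_hash: str
    set_at: int                                              # epoch seconds the password was set
    history: List[Tuple[str, int]] = field(default_factory=list)  # previous (hash, set_at), newest first
    failures: int = 0
    locked_until: int = 0

def _digest(password: str) -> str:
    # Stand-in for the credential manager's real password hash (e.g. PBKDF2);
    # kept trivial so this block is about the policy rules, not the hashing.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def verify(state: CredentialState, policy: CredentialPolicy, password: str, now: int) -> Dict:
    """Credential verification with temporary-lockout and aging applied."""
    if now < state.locked_until:
        return {"ok": False, "reason": "locked", "retry_after": state.locked_until - now}
    if not hmac.compare_digest(_digest(password), state.password_hash):
        state.failures += 1
        if state.failures >= policy.failed_attempts:
            state.locked_until = now + policy.duration
            state.failures = 0          # assumption: the counter restarts once the lockout begins
        return {"ok": False, "reason": "bad-credential"}
    state.failures = 0                  # a success ends the failure streak
    age_days = (now - state.set_at) // DAY
    if age_days >= policy.max_age:
        return {"ok": False, "reason": "expired"}   # access denied; a new password must be set
    result: Dict = {"ok": True}
    days_left = policy.max_age - age_days
    if policy.notification_period is not None and days_left < policy.notification_period:
        result["expires_in_days"] = days_left       # consumers decide whether to surface this
    return result

def update(state: CredentialState, policy: CredentialPolicy, new_password: str, now: int) -> Dict:
    """Password change with history enforcement (complexity rules are a separate check)."""
    if policy.remove_older_than is not None:
        cutoff = now - policy.remove_older_than * DAY
        state.history = [(h, t) for h, t in state.history if t >= cutoff]
    new_hash = _digest(new_password)
    # the current password plus its `length - 1` predecessors are the `length` remembered passwords
    remembered = ([state.password_hash] + [h for h, _ in state.history])[:policy.history_length]
    if new_hash in remembered:
        return {"ok": False, "reason": "reused"}
    state.history.insert(0, (state.password_hash, state.set_at))
    del state.history[policy.history_length - 1:]
    state.password_hash, state.set_at = new_hash, now
    state.failures, state.locked_until = 0, 0
    return {"ok": True}
```

Note the ordering inside verify: the lockout check comes before the password comparison, so a locked credential does not leak whether the supplied password was right, and the aging check comes after it, so an expired-but-correct password yields "expired" (prompting a change) while a wrong one still counts toward the lockout.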

Alarms

alarms

The top container for this module.

Path :/alarms

Control

alarms/control

Configuration to control the alarm behavior.

Path :

/alarms/control

Parameters:
  • max-alarm-status-changes

    union

    (default: 32)

    The ‘status-change’ entries are kept in a circular list per alarm. When this number is exceeded, the oldest status change entry is automatically removed. If the value is ‘infinite’, the status-change entries are accumulated infinitely.

  • notify-status-changes

    enumeration all-state-changes, raise-and-clear, severity-level

    (default: all-state-changes)

    This leaf controls the notifications sent for alarm status updates. There are three options:

    1. all-state-changes: notifications are sent for all updates, severity-level changes, and alarm-text changes.
    2. raise-and-clear: notifications are only sent for alarm raise and clear.
    3. severity-level: notifications are sent for status changes equal to or above the specified severity level. Clear notifications shall always be sent. Notifications shall also be sent for state changes that make an alarm less severe than the specified level.

    For example, in option 3, assume that the severity level is set to major and that the alarm has the following state changes [(Time, severity, clear)]: [(T1, major, -), (T2, minor, -), (T3, warning, -), (T4, minor, -), (T5, major, -), (T6, critical, -), (T7, major, -), (T8, major, clear)]. In that case, notifications will be sent at times T1, T2, T5, T6, T7, and T8.

  • notify-severity-level

    severity indeterminate, warning, minor, major, critical

    (optional)

    Only send notifications for alarm-state changes crossing the specified level. Always send clear notifications.
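The three notify-status-changes modes and the per-alarm circular status-change list are easy to get wrong at the boundaries: a change that drops an alarm below the threshold, a clear arriving for an already-cleared alarm, or the oldest entry that must fall out once max-alarm-status-changes is exceeded. The Python below is an added example, not code from the product or from the ietf-alarms module whose descriptions this section reproduces; it models /alarms/control and one alarm-list entry and replays the T1..T8 trace from the notify-status-changes description. The class and function names, the integer timestamps, and the "cleared" marker used for the clear value of severity-with-clear are assumptions made for the example.

```python
from typing import List, Optional, Tuple, Union

# Severity ordering used by the alarm model; 'cleared' is a value of
# severity-with-clear and is not part of the severity type itself.
SEVERITY_RANK = {"indeterminate": 0, "warning": 1, "minor": 2, "major": 3, "critical": 4}
CLEARED = "cleared"

class AlarmControl:
    """Mirrors /alarms/control: status-change list bound and notification mode."""
    def __init__(self, max_alarm_status_changes: Union[int, str] = 32,
                 notify_status_changes: str = "all-state-changes",
                 notify_severity_level: Optional[str] = None):
        if notify_status_changes == "severity-level" and notify_severity_level is None:
            raise ValueError("notify-severity-level is required for the severity-level mode")
        self.max_alarm_status_changes = max_alarm_status_changes   # int or "infinite"
        self.notify_status_changes = notify_status_changes
        self.notify_severity_level = notify_severity_level

class Alarm:
    """One /alarms/alarm-list/alarm entry; status_changes is newest-first, as specified."""
    def __init__(self, resource: str, alarm_type_id: str, alarm_type_qualifier: str = ""):
        self.key = (resource, alarm_type_id, alarm_type_qualifier)
        self.status_changes: List[Tuple[int, str, str]] = []   # (time, perceived-severity, alarm-text)
        self.is_cleared = False
        self.perceived_severity: Optional[str] = None           # last severity while raised
        self.alarm_text = ""
        self.last_changed: Optional[int] = None

def should_notify(previous: Optional[str], new: str, control: AlarmControl) -> bool:
    """Decide whether a status change from `previous` to `new` produces a notification."""
    mode = control.notify_status_changes
    if mode == "all-state-changes":
        return True
    if mode == "raise-and-clear":
        was_active = previous is not None and previous != CLEARED
        now_active = new != CLEARED
        return was_active != now_active         # a raise or a clear, nothing in between
    if mode == "severity-level":
        if new == CLEARED:
            return True                         # clear notifications are always sent
        level = SEVERITY_RANK[control.notify_severity_level]
        if SEVERITY_RANK[new] >= level:
            return True
        # downward crossing: the alarm was at or above the level and is now below it
        return previous not in (None, CLEARED) and SEVERITY_RANK[previous] >= level
    raise ValueError(f"unknown notify-status-changes value: {mode}")

def apply_status_change(alarm: Alarm, control: AlarmControl, time: int,
                        perceived_severity: str, alarm_text: str) -> bool:
    """Record a status change reported by the resource; return whether a notification is sent."""
    if alarm.last_changed is None:
        previous = None
    else:
        previous = CLEARED if alarm.is_cleared else alarm.perceived_severity
    alarm.status_changes.insert(0, (time, perceived_severity, alarm_text))
    limit = control.max_alarm_status_changes
    if limit != "infinite":
        del alarm.status_changes[limit:]        # circular list: drop the oldest entries
    alarm.is_cleared = perceived_severity == CLEARED
    if not alarm.is_cleared:
        alarm.perceived_severity = perceived_severity
    alarm.alarm_text = alarm_text
    alarm.last_changed = time
    return should_notify(previous, perceived_severity, control)

if __name__ == "__main__":
    control = AlarmControl(notify_status_changes="severity-level", notify_severity_level="major")
    alarm = Alarm("eth0", "link-alarm")
    trace = [(1, "major"), (2, "minor"), (3, "warning"), (4, "minor"),
             (5, "major"), (6, "critical"), (7, "major"), (8, CLEARED)]
    for t, severity in trace:
        if apply_status_change(alarm, control, t, severity, f"change at T{t}"):
            print(f"notify at T{t}: {severity}")
```

The downward-crossing rule is the one operators most often miss when re-implementing this filter: without it a major alarm that degrades to minor would go silent, and the operator would keep treating it as major until the next notification.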

Alarm-shelving

alarms/control/alarm-shelving

The ‘alarm-shelving/shelf’ list is used to shelve (block/filter) alarms. The conditions in the shelf criteria are logically ANDed. The first matching shelf is used, and an alarm is shelved only for this first match. Matching alarms MUST appear in the /alarms/shelved-alarms/shelved-alarm list, and non-matching /alarms MUST appear in the /alarms/alarm-list/alarm list. The server does not send any notifications for shelved alarms. The server MUST maintain states (e.g., severity changes) for the shelved alarms. Alarms that match the criteria shall have an operator state ‘shelved’. When the shelf configuration removes an alarm from the shelf, the server shall add the operator state ‘un-shelved’.

Path :/alarms/control/alarm-shelving

Shelf

alarms/control/alarm-shelving/shelf{name} (keys ['name'])

Each entry defines the criteria for shelving alarms. Criteria are ANDed. If no criteria are specified, all alarms will be shelved.

Path :

/alarms/control/alarm-shelving/shelf{name}

Parameters:
  • name

    string

    (mandatory)

    An arbitrary name for the alarm shelf.

  • description

    string

    (optional)

    An optional textual description of the shelf. This description should include the reason for shelving these alarms.

  • resource

    resource-match

    (multi-value) (optional)

    Shelve alarms for matching resources.

Alarm-type
alarms/control/alarm-shelving/shelf{name}/alarm-type{alarm-type-id, alarm-type-qualifier-match} (keys ['alarm-type-id', 'alarm-type-qualifier-match'])

Any alarm matching the combined criteria of ‘alarm-type-id’ and ‘alarm-type-qualifier-match’ MUST be matched.

Path :

/alarms/control/alarm-shelving/shelf{name}/alarm-type{alarm-type-id, alarm-type-qualifier-match}

Parameters:
  • alarm-type-id

    alarm-type-id

    (mandatory)

    Shelve all alarms that have an ‘alarm-type-id’ that is equal to or derived from the given ‘alarm-type-id’.

  • alarm-type-qualifier-match

    string

    (mandatory)

    An XML Schema regular expression that is used to match an alarm type qualifier. Shelve all alarms that match this regular expression for the alarm type qualifier.

Alarm-inventory

alarms/alarm-inventory

The ‘alarm-inventory/alarm-type’ list contains all possible alarm types for the system. If the system knows for which resources a specific alarm type can appear, it is also identified in the inventory. The list also tells if each alarm type has a corresponding clear state. The inventory shall only contain concrete alarm types. The alarm inventory MUST be updated by the system when new alarms can appear. This can be the case when installing new software modules or inserting new card types. A notification ‘alarm-inventory-changed’ is sent when the inventory is changed.

Path :/alarms/alarm-inventory

Alarm-type

alarms/alarm-inventory/alarm-type{alarm-type-id, alarm-type-qualifier} (keys ['alarm-type-id', 'alarm-type-qualifier'])

An entry in this list defines a possible alarm.

Path :

/alarms/alarm-inventory/alarm-type{alarm-type-id, alarm-type-qualifier}

Parameters:
  • alarm-type-id

    alarm-type-id

    (mandatory)

    The statically defined alarm type identifier for this possible alarm.

  • alarm-type-qualifier

    alarm-type-qualifier

    (mandatory)

    The optionally dynamically defined alarm type identifier for this possible alarm.

  • will-clear

    boolean

    (mandatory)

    This leaf tells the operator if the alarm will be cleared when the correct corrective action has been taken. Implementations SHOULD strive for detecting the cleared state for all alarm types. If this leaf is ‘true’, the operator can monitor the alarm until it becomes cleared after the corrective action has been taken. If this leaf is ‘false’, the operator needs to validate that the alarm is no longer active using other mechanisms. Alarms can lack a corresponding clear due to missing instrumentation or no logical corresponding clear state.

  • description

    string

    (mandatory)

    A description of the possible alarm. It SHOULD include information on possible underlying root causes and corrective actions.

  • resource

    resource-match

    (multi-value) (optional)

    Optionally, specifies for which resources the alarm type is valid.

  • severity-level

    severity indeterminate, warning, minor, major, critical

    (multi-value) (optional)

    This leaf-list indicates the possible severity levels of this alarm type. Note well that ‘clear’ is not part of the severity type. In general, the severity level should be defined by the instrumentation based on the dynamic state, rather than being defined statically by the alarm type, in order to provide a relevant severity level based on dynamic state and context. However, most alarm types have a defined set of possible severity levels, and this should be provided here.

Summary

alarms/summary

This container gives a summary of the number of alarms.

Path :/alarms/summary
Parameters:shelves-active

empty

(optional)

This is a hint to the operator that there are active alarm shelves. This leaf MUST exist if the /alarms/shelved-alarms/number-of-shelved-alarms is > 0.

Alarm-summary

alarms/summary/alarm-summary{severity} (keys ['severity'])

A global summary of all alarms in the system. The summary does not include shelved alarms.

Path :

/alarms/summary/alarm-summary{severity}

Parameters:
  • severity

    severity indeterminate, warning, minor, major, critical

    (mandatory)

    Alarm summary for this severity level.

  • total

    gauge32

    (optional)

    Total number of alarms of this severity level.

  • not-cleared

    gauge32

    (optional)

    Total number of alarms of this severity level that are not cleared.

  • cleared

    gauge32

    (optional)

    For this severity level, the number of alarms that are cleared.

  • cleared-not-closed

    gauge32

    (optional)

    For this severity level, the number of alarms that are cleared but not closed.

  • cleared-closed

    gauge32

    (optional)

    For this severity level, the number of alarms that are cleared and closed.

  • not-cleared-closed

    gauge32

    (optional)

    For this severity level, the number of alarms that are not cleared but closed.

  • not-cleared-not-closed

    gauge32

    (optional)

    For this severity level, the number of alarms that are not cleared and not closed.

Alarm-list

alarms/alarm-list

The alarms in the system.

Path :

/alarms/alarm-list

Parameters:
  • number-of-alarms

    gauge32

    (optional)

    This object shows the total number of alarms in the system, i.e., the total number of entries in the alarm list.

  • last-changed

    date-and-time

    (optional)

    A timestamp when the alarm list was last changed. The value can be used by a manager to initiate an alarm resynchronization procedure.

Alarm

alarms/alarm-list/alarm{resource, alarm-type-id, alarm-type-qualifier} (keys ['resource', 'alarm-type-id', 'alarm-type-qualifier'])

The list of alarms. Each entry in the list holds one alarm for a given alarm type and resource. An alarm can be updated from the underlying resource or by the user. The following leafs are maintained by the resource: ‘is-cleared’, ‘last-change’, ‘perceived-severity’, and ‘alarm-text’. An operator can change ‘operator-state’ and ‘operator-text’. Entries appear in the alarm list the first time an alarm becomes active for a given alarm type and resource. Entries do not get deleted when the alarm is cleared. Clear status is represented as a boolean flag. Alarm entries are removed, i.e., purged, from the list by an explicit purge action. For example, purge all alarms that are cleared and in closed operator state that are older than 24 hours. Purged alarms are removed from the alarm list. If the alarm resource state changes after a purge, the alarm will reappear in the alarm list. Systems may also remove alarms based on locally configured policies; this is out of scope for this module.

Path :

/alarms/alarm-list/alarm{resource, alarm-type-id, alarm-type-qualifier}

Parameters:
  • time-created

    date-and-time

    (mandatory)

    The timestamp when this alarm entry was created. This represents the first time the alarm appeared; it can also represent that the alarm reappeared after a purge. Further state changes of the same alarm do not change this leaf; these changes will update the ‘last-changed’ leaf.

  • self-test

    boolean

    (default: false)

    True if this alarm was triggered by a self test operation. Self test alarms do not indicate any issues in the system.

  • impact-tree

    string

    (optional)

  • description

    string

    (optional)

  • resource-type

    string

    (optional)

  • resource

    resource

    (mandatory)

    The alarming resource. See also ‘alt-resource’. This could be, for example, a reference to the alarming interface.

  • alarm-type-id

    alarm-type-id

    (mandatory)

    This leaf and the leaf ‘alarm-type-qualifier’ together provide a unique identification of the alarm type.

  • alarm-type-qualifier

    alarm-type-qualifier

    (mandatory)

    This leaf is used when the ‘alarm-type-id’ leaf cannot uniquely identify the alarm type. Normally, this is not the case, and this leaf is the empty string.

  • is-cleared

    boolean

    (mandatory)

    Indicates the current clearance state of the alarm. An alarm might toggle from active alarm to cleared alarm and back to active again.

  • last-raised

    date-and-time

    (mandatory)

    An alarm may change severity level and toggle between active and cleared during its lifetime. This leaf indicates the last time it was raised (‘is-cleared’ = ‘false’).

  • last-changed

    date-and-time

    (mandatory)

    A timestamp when the ‘status-change’ or ‘operator-state-change’ list was last changed.

  • perceived-severity

    severity indeterminate, warning, minor, major, critical

    (mandatory)

    The last severity of the alarm. If an alarm was raised with severity ‘warning’ but later changed to ‘major’, this leaf will show ‘major’.

  • alarm-text

    alarm-text

    (mandatory)

    The last reported alarm text. This text should contain information for an operator to be able to understand the problem and how to resolve it.

Operator-state-change

alarms/alarm-list/alarm{resource, alarm-type-id, alarm-type-qualifier}/operator-state-change{time} (keys ['time'])

This list is used by operators to indicate the state of human intervention on an alarm. For example, if an operator has seen an alarm, the operator can add a new item to this list indicating that the alarm is acknowledged.

Path :

/alarms/alarm-list/alarm{resource, alarm-type-id, alarm-type-qualifier}/operator-state-change{time}

Parameters:
  • time

    date-and-time

    (mandatory)

    Timestamp for operator action on the alarm.

  • operator

    string

    (mandatory)

    The name of the operator that has acted on this alarm.

  • state

    operator-state

    (mandatory)

    The operator’s view of the alarm state.

  • text

    string

    (optional)

    Additional optional textual information provided by the operator.

  • alt-resource

    resource

    (multi-value) (optional)

    Used if the alarming resource is available over other interfaces. This field can contain SNMP OIDs, CIM paths, or 3GPP distinguished names, for example.

Status-change

alarms/alarm-list/alarm{resource, alarm-type-id, alarm-type-qualifier}/status-change{time} (keys ['time'])

A list of status-change events for this alarm. The entry with latest timestamp in this list MUST correspond to the leafs ‘is-cleared’, ‘perceived-severity’, and ‘alarm-text’ for the alarm. This list is ordered according to the timestamps of alarm state changes. The first item corresponds to the latest state change. The following state changes create an entry in this list:

  • changed severity (warning, minor, major, critical)
  • clearance status; this also updates the ‘is-cleared’ leaf
  • alarm-text update

Path :

/alarms/alarm-list/alarm{resource, alarm-type-id, alarm-type-qualifier}/status-change{time}

Parameters:
  • time

    date-and-time

    (mandatory)

    The time the status of the alarm changed. The value represents the time the real alarm-state change appeared in the resource and not when it was added to the alarm list. The /alarm-list/alarm/last-changed MUST be set to the same value.

  • perceived-severity

    severity-with-clear

    (mandatory)

    The severity of the alarm as defined by X.733. Note that this may not be the original severity since the alarm may have changed severity.

  • alarm-text

    alarm-text

    (mandatory)

    A user-friendly text describing the alarm-state change.

Shelved-alarms

alarms/shelved-alarms

The shelved alarms. Alarms appear here if they match the criteria in /alarms/control/alarm-shelving. This list does not generate any notifications. The list represents alarms that are considered not relevant by the operator. Alarms in this list have an ‘operator-state’ of ‘shelved’. This cannot be changed.

Path :

/alarms/shelved-alarms

Parameters:
  • number-of-shelved-alarms

    gauge32

    (optional)

    This object shows the total number of shelved alarms, i.e., the total number of entries in the shelved-alarm list.

  • shelved-alarms-last-changed

    date-and-time

    (optional)

    A timestamp when the shelved-alarm list was last changed. The value can be used by a manager to initiate an alarm resynchronization procedure.

Shelved-alarm

alarms/shelved-alarms/shelved-alarm{resource, alarm-type-id, alarm-type-qualifier} (keys ['resource', 'alarm-type-id', 'alarm-type-qualifier'])

The list of shelved alarms. Shelved alarms can only be updated from the underlying resource; no operator actions are supported.

Path :

/alarms/shelved-alarms/shelved-alarm{resource, alarm-type-id, alarm-type-qualifier}

Parameters:
  • shelf-name

    leafref /alarms/control/alarm-shelving/shelf/name

    (optional)

    The name of the shelf.

  • resource

    resource

    (mandatory)

    The alarming resource. See also ‘alt-resource’. This could be, for example, a reference to the alarming interface.

  • alarm-type-id

    alarm-type-id

    (mandatory)

    This leaf and the leaf ‘alarm-type-qualifier’ together provide a unique identification of the alarm type.

  • alarm-type-qualifier

    alarm-type-qualifier

    (mandatory)

    This leaf is used when the ‘alarm-type-id’ leaf cannot uniquely identify the alarm type. Normally, this is not the case, and this leaf is the empty string.

  • is-cleared

    boolean

    (mandatory)

    Indicates the current clearance state of the alarm. An alarm might toggle from active alarm to cleared alarm and back to active again.

  • last-raised

    date-and-time

    (mandatory)

    An alarm may change severity level and toggle between active and cleared during its lifetime. This leaf indicates the last time it was raised (‘is-cleared’ = ‘false’).

  • last-changed

    date-and-time

    (mandatory)

    A timestamp when the ‘status-change’ or ‘operator-state-change’ list was last changed.

  • perceived-severity

    severity indeterminate, warning, minor, major, critical

    (mandatory)

    The last severity of the alarm. If an alarm was raised with severity ‘warning’ but later changed to ‘major’, this leaf will show ‘major’.

  • alarm-text

    alarm-text

    (mandatory)

    The last reported alarm text. This text should contain information for an operator to be able to understand the problem and how to resolve it.

Operator-state-change

alarms/shelved-alarms/shelved-alarm{resource, alarm-type-id, alarm-type-qualifier}/operator-state-change{time} (keys ['time'])

This list is used by operators to indicate the state of human intervention on an alarm. For shelved alarms, the system has set the list item in the list to ‘shelved’.

Path :

/alarms/shelved-alarms/shelved-alarm{resource, alarm-type-id, alarm-type-qualifier}/operator-state-change{time}

Parameters:
  • time

    date-and-time

    (mandatory)

    Timestamp for operator action on the alarm.

  • operator

    string

    (mandatory)

    The name of the operator that has acted on this alarm.

  • state

    operator-state

    (mandatory)

    The operator’s view of the alarm state.

  • text

    string

    (optional)

    Additional optional textual information provided by the operator.

  • alt-resource

    resource

    (multi-value) (optional)

    Used if the alarming resource is available over other interfaces. This field can contain SNMP OIDs, CIM paths, or 3GPP distinguished names, for example.

Status-change

alarms/shelved-alarms/shelved-alarm{resource, alarm-type-id, alarm-type-qualifier}/status-change{time} (keys ['time'])

A list of status-change events for this alarm. The entry with latest timestamp in this list MUST correspond to the leafs ‘is-cleared’, ‘perceived-severity’, and ‘alarm-text’ for the alarm. This list is ordered according to the timestamps of alarm state changes. The first item corresponds to the latest state change. The following state changes create an entry in this list:

  • changed severity (warning, minor, major, critical)
  • clearance status; this also updates the ‘is-cleared’ leaf
  • alarm-text update

Path :

/alarms/shelved-alarms/shelved-alarm{resource, alarm-type-id, alarm-type-qualifier}/status-change{time}

Parameters:
  • time

    date-and-time

    (mandatory)

    The time the status of the alarm changed. The value represents the time the real alarm-state change appeared in the resource and not when it was added to the alarm list. The /alarm-list/alarm/last-changed MUST be set to the same value.

  • perceived-severity

    severity-with-clear

    (mandatory)

    The severity of the alarm as defined by X.733. Note that this may not be the original severity since the alarm may have changed severity.

  • alarm-text

    alarm-text

    (mandatory)

    A user-friendly text describing the alarm-state change.

Alarm-profile

alarms/alarm-profile{alarm-type-id, alarm-type-qualifier-match, resource} (keys ['alarm-type-id', 'alarm-type-qualifier-match', 'resource'])

This list is used to assign further information or configuration for each alarm type. This module supports a mechanism where the client can override the system-default alarm severity levels. The ‘alarm-profile’ is also a useful augmentation point for specific additions to alarm types.

Path :

/alarms/alarm-profile{alarm-type-id, alarm-type-qualifier-match, resource}

Parameters:
  • alarm-type-id

    alarm-type-id

    (mandatory)

    The alarm type identifier to match.

  • alarm-type-qualifier-match

    string

    (mandatory)

    An XML Schema regular expression that is used to match the alarm type qualifier.

  • resource

    resource-match

    (mandatory)

    Specifies which resources to match.

  • description

    string

    (mandatory)

    A description of the alarm profile.

Alarm-severity-assignment-profile

alarms/alarm-profile{alarm-type-id, alarm-type-qualifier-match, resource}/alarm-severity-assignment-profile

The client can override the system-default severity level.

Path :/alarms/alarm-profile{alarm-type-id, alarm-type-qualifier-match, resource}/alarm-severity-assignment-profile
Parameters:severity-level

severity indeterminate, warning, minor, major, critical

(multi-value) (optional)

Specifies the configured severity level(s) for the matching alarm. If the alarm has several severity levels, the leaf-list shall be given in rising severity order. The original M3100/M3160 ASAP function only allows for a one-to-one mapping between alarm type and severity, but since the YANG module supports stateful alarms, the mapping must allow for several severity levels. Assume a high-utilization alarm type with two thresholds with the system-default severity levels of threshold1 = warning and threshold2 = minor. Setting this leaf-list to (minor, major) will assign the severity levels as threshold1 = minor and threshold2 = major.