8.1.0

• Home

Table of Contents

• System Admin Guide
  • Alarms
    • Overview
      • Terminology
      • The Alarm Object
      • Sliding Window Alarms
      • Managing Alarms
      • Notifications
      • Clusters
    • Alarm Types
      • Expiry
      • Failed Authentication
      • Failed Communication
      • Failed Connection
      • Slow Connection
    • Alarm Handlers
      • Email Notifier
      • Webhook Notifier
      • Slack Notifier
      • PagerDuty Notifier
    • Testing Alarms
      • Testing Alarms using the Web UI
      • Testing Alarms using the CLI
      • Verifying the alarm
  • Attribute Transformers
    • Regex Transformer
      • Regex transformation examples
    • Data Source Transformer
      • Data Source Transformation example
    • Script Transformer
  • Audit
    • Configuration
      • Logger
      • File Appender
      • Database Appender
    • Audit Data
      • Mandatory
      • Optional
    • Audit Events
      • profile-added
      • token-introspected
      • refresh-token-issued
      • refresh-token-revoked
      • access-token-issued
      • access-token-revoked
      • id-token-issued
      • initial-dcr-access-token-issued
      • initial-dcr-access-token-consumed
      • initial-dcr-access-token-revoked
      • dcr-client-registered
      • user-info
      • authorization-code-issued
      • authorization-code-consumed
      • delegation-issued
      • delegation-revoked
      • account-created
      • accounts-linked
      • account-activated
      • scim-account-updated
      • scim-account-created
      • scim-account-deleted
      • access-token-authentication
      • client-authentication-success
      • client-authentication-failure
      • cat-verification-failed
      • logout
      • user-authentication-success
      • user-sso-authentication-success
      • sso-session-created
      • bc-authentication-start
      • bc-authentication-success
      • bc-authentication-failure
  • Authorization Managers
    • Groups Authorization Manager
      • Group Rules
    • Scope Authorization Manager
      • Policies, Actions and Rules
      • Configuration
      • Use with OpenID Connect User Info
    • Attribute Authorization Manager
      • Configuration
      • Limitations
      • Examples
  • Credential Managers
  • Cryptography
    • Configuring certificates
    • Configuring private keystores
      • Using an action to add a keystore
      • Preparing the keystore for embedding in an XML configuration document
    • Converting KeyStores (keystore-entry) into correct PKCS12 format
      • Usage of the convertks script
    • Working with PKCS1 private keys
    • Hardware Security Module
      • Entering a PIN
      • Configuring the HSM
      • Debugging the PKCS#11 Provider
    • EdDSA support
  • Data Sources
    • Overview
      • Configuration Strategy
      • Data Source Usage
    • JDBC
      • Table management
      • Database maintenance
      • Quoted identifiers
      • Configuration
      • Clustering
      • Connection Pool Metrics
      • MySQL and MariaDB
      • Microsoft SQL Server
      • PostgreSQL and CockroachDB
      • Oracle
      • HsqlDB
    • LDAP
      • LDAP for Account and Credential Data Access
      • LDAP for Attribute Data Access
      • Use-case for configuring an LDAP backend for HTML Forms authenticator
      • Connection Pool
    • SCIM
      • SCIM 1.1
      • SCIM 2.0
    • JSON / REST Data Source
      • Configuration
    • DynamoDB
      • Table management
      • Database maintenance
      • User Management Service
      • Configuration
    • Multi-zone
      • Configuration
  • Deployment
    • Cluster
      • Two Node Setup
      • Standalone Admin Setup
      • Asymmetric Setup
    • Scalability
    • Creating a Cluster
      • Preparing Configuration
      • Setup Nodes
      • Service Role
      • Viewing Connected Nodes
      • Cluster Lifecycle
    • Deploying with Docker
      • Building a Docker Container
      • Running with docker-compose
    • Multi-region Deployments
      • Authorization flows - Front-channel
      • Authorization flows - Back-channel
      • Data sources
  • Email Providers
    • SMTP Email Provider
      • DomainKeys Identified Mail
    • Configure Email Provider for a Service
  • Http Clients
    • Introduction
    • HTTP Client Configuration
      • Scheme
      • Connection Pool
      • Caching
      • Authentication
      • TLS (encryption)
      • Proxies
    • Metrics
  • Logging
    • Log Levels
    • Configuration Overview
    • Appenders
      • Standard Out
      • Cluster Log
      • Request Log
      • Audit Log
      • Metrics
    • Loggers
    • Masking
    • Shipping Logs
    • Log4j Scripting Languages
    • Files Not Configurable by Log4j
      • Configuration Service Logs
  • Monitoring
    • JMX
    • Tracing
    • Zulu Flight Recorder
      • Starting a Recording Manually
      • Starting a Recording from the Command Line
      • Starting a Recording on Startup
    • Status Endpoint
      • Command line tool
    • Prometheus-compliant Metrics
      • Common Alerts
      • Configuration
  • Scripting
    • Introduction to scripts
      • Procedures during authentication
      • Procedures during token issuance and processing
    • Configuring Scripts
      • Script Types
      • Preparations
      • Configuring using etc/init
      • Writing Scripts
  • Server Events
    • Event Listener Types
      • Script EventListeners
      • EventListener Plugins
    • Types of Events
  • SMS Providers
    • Twilio Sms Provider
    • REST Sms Provider
  • Transport Layer Security
    • Server Name Indication
  • Upgrading
    • Upgrading from 6.0.X to 6.1.0
      • Apache Velocity Engine
    • Upgrading from 6.1.X to 6.2.0
      • Upgrading the XML Configuration
      • Logging of BankID messages
    • Upgrading from 6.2.X to 6.3.0
      • Upgrading the XML Configuration
      • Updating Templates
      • RESTCONF Conformance Updates
      • TLS 1.0 and 1.1 Disabled
      • SDK
    • Upgrading from 6.3.X to 6.4.0
      • Default Java Options Changed
      • Java Upgraded to Version 11
      • SDK
      • Changes to the HAAPI Web SDK
      • DPoP Proof Token Clock Skew
      • DN Certificate Validation
    • Upgrading from 6.4.X to 6.5.0
      • BankID Authenticator and Signing Consentor Messages
      • Logging Changes
    • Upgrading from 6.5.X to 6.6.0
      • Relaxation of DN Certificate Validation
      • Changed Default for Maximum Number of Request Threads
    • Upgrading from 6.6.X to 6.7.0
      • Updating Databases
      • Removal of OpenSSL dependency
      • Redirect URI validation
      • Template Updates
    • Upgrading from 6.7.X to 6.8.0
      • SDK Changes
      • Serialization
      • TLS
      • RESTCONF
      • Template Updates
      • Deprecation of the Net iD Authenticator
      • BankID authenticator
      • BankID Consentor
    • Upgrading from 6.8.X to 7.0.0
      • Upgrading the XML Configuration
      • SDK Changes
      • Java Upgraded to Version 17
      • Procedures API Changes
      • Log4j2 Changes
      • Database Changes
      • Prometheus Metrics
      • Validation for Endpoint URIs Changed
      • NetiD Access Authenticator
      • BankID Authenticator and Signing Consentor
    • Upgrading from 7.0.X to 7.1.0
      • HAAPI DPoP improved processing
      • Template and message updates
    • Upgrading from 7.1.X to 7.2.0
      • SDK Changes
      • Logging Changes
    • Upgrading from 7.2.X to 7.3.0
      • Authentication Action Attributes
    • Upgrading from 7.3.X to 7.4.0
      • Email templates in Authentication Actions
      • Startup script changes
      • User Management with GraphQL
      • DynamoDB schema changes
    • Upgrading from 7.4.X to 7.5.0
      • HTTP Client Default Timeouts
    • Upgrading from 7.5.X to 7.6.0
      • Systemd config file update
      • New SAML Authenticator
    • Upgrading from 7.6.X to 8.0.0
      • Upgrading the XML Configuration
      • Authorization custom token procedures update
      • DynamoDB schema changes
      • WebAuthn authenticator
      • HAAPI capability and use of legacy DPOP
      • Microsoft SQL Server JDBC driver
      • Changes to HAAPI responses
      • Password-based PBES2 JWE algorithms
      • Windows Connector Failover Update
    • Upgrading from 8.0.X to 8.1.0
      • Database Changes
      • Custom Token Issuers
      • Email Authenticator
    • General Upgrade Procedure
      • Preparing the upgrade
      • Performing the upgrade
      • After the Upgrade
  • DevOps Dashboard
    • Enabling the DevOps Dashboard
    • Requirements of an OAuth Client
    • Group Access
    • Availability
  • System Requirements
    • Operating Systems
    • Minimum Hardware Requirements
    • Recommended Hardware Setup
    • Hypermedia Authentication API
    • Browsers
    • Database
    • User Repositories
    • Networking
    • Hardware Security Module
    • File Encoding
    • HTTP
    • TLS
  • JVM Configuration
    • Changing JVM Settings in the Admin UI
    • Changing the JVM Settings with the CLI
  • Go-live Checklist
    • General System
    • Related Systems
    • All Profile Types
    • Authentication
    • Token Service
    • User Management
    • Configuration
    • Clustering
  • CORS
  • Cross Site Requests
• Authentication Service Admin Guide
  • Overview
    • Authenticators
    • Actions
    • Single Sign-On (SSO)
    • Logout
    • Account Domains
    • Validation Procedures
    • Authenticator Filters
    • Service Providers
    • Protocol Plugins
    • Automatic login
  • Defining an Authentication Service Profile
    • Preparing the Authentication Service Profile
      • Pre-requisite configuration
    • Base Configuration of an Authentication Service Profile
      • Example Create request
  • Authenticators
    • Overview of Authenticators
      • Authenticator purpose
      • Authenticator Base Configuration
      • Multi-factor configuration for Authentication
      • Back-channel Authenticators
    • BankID
      • Integrating with BankID
      • Kinds of BankIDs
      • Trusted BankID Provider
      • Authentication flows
      • Configuration settings
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
    • Duo
      • Configuration Settings
      • Creating a New Authenticator
      • Logging In
    • Dynamic Authenticator
      • Configuration
      • Delegate Authenticator
      • Dynamic Configuration Source
      • Configuration Example
      • Example Use-case
    • Email
      • Base Configuration
      • Using as standalone factor (single factor)
      • Using as second or N-th factor
      • Using an Intermediate Attribute
      • Hyperlink
      • Inactive Accounts
      • Configuration
    • Encap
      • Basic Configuration
      • Registration During Login
      • Additional Information Before Registration
      • Automatic Login
    • Entrust IDaaS
      • Creating an App in Entrust
      • Creating a new Authenticator
    • Facebook Authenticator
      • Configuring Facebook
      • The Redirect URI
      • Configuration in the Authentication Service
    • Google Authenticator
      • Configuring Google
      • The Redirect URI
      • Configuration in the Authentication Service
    • HTML Forms Authenticator
      • Paths
      • Validation Scripts
      • Email Provider
      • Automatic Login
      • Password Only
      • Remember Me
      • Configuration
    • OpenID Connect Authenticator
      • The Redirect URI
      • JWKS Endpoint
      • Configuration
    • PingFederate IdP Adapter Authenticator
      • Authentication Flow
      • Configuration
    • PingFederate
    • SAML
      • Paths
      • Validation Scripts
      • Configuration
      • Known limitations
    • SAML2
      • Paths
      • Validation Scripts
      • Configuration
      • SAML2 dynamic authenticator
      • Known limitations
    • Sign in with Apple
      • Configuring a Sign in with Apple Service
      • Setting up the authenticator
    • SITHS
      • Configuring an Authenticator
    • SMS OTP
      • Base Configuration
      • Using as standalone factor (Single factor)
      • Using as second or N-th factor
      • Using an Intermediate Attribute
      • SMS OTP in OTP mode
      • SMS OTP in Hyperlink mode
      • Registration
      • Automatic Login
      • Configuration
    • TOTP - Time base One Time Password
      • Configuring an Authenticator
      • Configuring for pre-shared keys
      • Configuring for generated keys
      • Automatic Login
    • Twitter
      • Creating an App in Twitter
      • Configuring the Twitter Authenticator
    • Username
      • Configuration
      • Source Code
    • WebAuthn / Passkeys
      • Device Types
      • Configuring a WebAuthn authenticator
      • Registering devices
      • User Interaction for platform devices
      • Hypermedia Authentication API
      • iOS Domain Association
      • Android Domain Association
      • Known limitations
    • Windows
      • Installing the Windows Connector
      • Configuring an Authenticator
      • Configuring the Windows Connector
      • Troubleshooting
  • Authentication Actions
    • Overview
      • Login Actions
      • SSO Actions
      • Actions and Action Completions
      • Action attributes
    • Attribute Prompt Action
      • Configuration
      • Localization
    • Auto Create Account
      • Creating accounts
      • Configuration
      • Default Values in the account
      • Errors
    • Auto Link Accounts
      • Overview
      • Configuration
      • Advanced
      • User Confirmation
    • Conditional Multi-Factor
      • Attribute Enable Condition
      • Attribute ACR Condition
      • Subject Condition
      • Client Property Condition
      • Subject Check
    • Copy Attribute
      • Configuration
    • Data Source Transformer Action
      • Transforming values using data source values
      • Include additional values from datasource
      • Configuration
    • Date/Time Deny Action
    • Debug Attribute Action
    • Deny Action
      • Configuration
    • Geolocation Allow or Deny Country Action
      • Configuration
    • Geolocation Changed Country Action
      • Configuration
    • Geolocation Impossible Journey Action
      • Configuration
    • Geolocation New Country Action
      • Configuration
    • Lookup Account
    • Lookup Links Action
      • Overview
      • Configuration
    • Opt-In MFA
      • Registering a New Factor
      • Managing Factors
      • Recovery Codes
      • Configuration
    • Regular Expression Transformer Action
      • Transforming values using regular expressions
      • Excluding attributes
      • Renaming attributes
      • Configuration
    • Remove Attribute Transformer Action
      • Configuring attributes for removal
    • Request Acknowledgement
      • Localization
      • Configuration
    • Reset Password
      • Configuration
      • Example Usage
      • Errors
    • Resolve Account Link
      • Overview
      • Configuration
    • Restart Action
      • Configuration
    • Script Transformer Action
      • Transforming values using script procedures
      • Configuration
    • Selector
      • Configuration
    • Send Email Action
      • Configuration
      • Templates
    • Sequence Action
      • Configuration
    • Set Attribute
      • Configuration
    • Switch Action
      • Conditions
      • Configuration
    • Time-based Deny Action
    • Update Account
      • Configuration
    • Zone Transfer
      • Configuration
      • Errors
  • Multi-Factor Authentication
    • Using a chain of authenticators
      • More than two factors
      • Single Sign-On and Multi-Factor
      • Freshness and Forced Authentication
      • Using the ACR Parameter
    • Using a Multi-Factor Authentication Action
  • Account Linking
    • Basic Concepts
      • Example of Linking with Facebook
      • Example of Linking with Facebook as Second authenticator
    • Resolving Links
    • Looking up Links
    • Common Linking Flows
      • Linking a foreign account and adding links to the result
      • Linking using the foreign authenticator and resolving immediately
      • Linking using the local authenticator, resolving on next login with foreign
      • Linking two foreign accounts using auto create account
      • Linking two foreign accounts using auto create & resolving on next login
  • Protocol Plugins
    • PingFederate
      • Configuring PingFederate
      • Adapter Configuration
      • Configuring the Authentication Service
    • SAML
      • SAML protocol
      • Configuring the Authentication Service
      • Service Provider (App) integration
      • Federation Server integration
      • SAML Logout
  • Account Manager
    • Registration - Create account
    • Username is Email
  • Service Providers
    • Introduction
    • Managing Service Providers in the Admin UI
    • Framable User Interface
      • Multiple values for ‘allowed-origins’
      • Origin URI pattern format
    • Original Query retry integration
      • Example
      • Example OAuth Client
    • Third Party Cookies
      • Steps to Integrate Preflighting
      • Advanced Preflight behaviour
      • Disabling the Preflight Resource
  • Authenticator Filters
    • User-Agent Authenticator Filter
    • CIDR Authenticator Filter
    • Script Authenticator Filter
    • Geolocation Authenticator Filter
  • Single Sign-On
    • Requirements for SSO
    • Session Duration
      • Session cookies vs Persisted Cookies
      • Database persisted session
      • Expiration
      • Example
    • Overriding SSO
      • Freshness
      • Forcing authentication
  • Automatic Login
    • Authenticator Availability
  • Logout
    • Endpoint
    • Redirect After Logout
      • Using configuration
      • Using query parameter
    • Configuration
  • Geolocation
    • Geolocation Database File
    • Geolocation Actions
      • Geolocation Allow or Deny Country Action
      • Geolocation Changed Country Action
      • Geolocation Impossible Journey Action
      • Geolocation New Country Action
    • Geolocation authenticator filter
    • Geolocation authenticator settings
• Token Service Admin Guide
  • Introduction to the Token Service
  • Defining an OAuth Profile
    • Preparing the OAuth Profile
      • OpenID Connect
      • Pre-requisite configuration
    • Base Configuration of an OAuth Profile
      • Example create request
  • OAuth Flows
    • Code
      • Proof Key for Code Exchange
    • Implicit
    • Client Credentials
    • Resource Owner Password Credentials
    • OpenID Connect Hybrid Flows
    • OpenID Connect CIBA Flow
      • Signed Authentication Request
    • Token Exchange
    • Assisted Token
    • Refresh
    • Revoke
    • Introspect
    • Json Web Key Set (JWKS)
    • Device Flow
    • Assertion Flow
      • Token reuse
    • Logout Flow
  • Using the device flow
    • Configuration
    • Endpoints
      • Device Authorization
      • UserCode Verification
      • Token Endpoint
    • Token Procedures
    • Templates
  • Scopes and Claims
    • Adding a scope to the profile
    • Adding a scope to a client
    • Scope Lifetime
    • Required scopes
    • Prefix scopes
      • Customizing prefix scope templates and messages
    • Claims of a scope
    • Claims I/O
      • Claim mappers
      • Claim value providers
      • Configuring a claim
  • Configuring OAuth User Authentication
  • OpenID Connect
    • Metadata
    • The “claims” request parameter
    • Issuing pseudonymous subject identifiers
      • Client settings
      • Profile settings
      • Sector Identifier for Dynamic Client Registration
  • Dynamic Client Registration
    • Architectural Overview of Dynamic Client Registration
      • Deployments and Configurations
      • Initial Access Token
      • Registration
      • Registration Based on a Template Client
      • Registration Based on a Non-templatized Client
    • Enabling Dynamic Client Registration
    • Dynamic Client Registration Management (DCRM)
      • Client Certificates and DCRM
      • DCRM Management Clients
    • Dynamic Client Management With GraphQL
    • Dynamic Client Registration API
      • Templatized Dynamic Client Registration
      • Non-Templatized Dynamic Client Registration
    • Custom Client Properties
  • OAuth Client Configuration
    • Client Capabilities
      • Hybrid Capabilities
    • User Authentication
    • Client Authentication
      • Client Secret
      • Client Assertion
      • Secondary authentication
    • Client Framability
      • Examples
    • Redirect URI validation
      • Validation policies
      • Using Validate Port on Loopback Interfaces and Allow Per Request Redirect URIs (deprecated)
  • Issuing OAuth and OpenId Connect Tokens
    • Default Token Issuers
    • Custom Token Issuers
    • More on Wrapped Opaque Tokens
    • Encrypted ID Tokens
  • OAuth Endpoint Reference
    • Anonymous
    • Authorize
    • Assisted Token
    • Introspect
    • Revoke
    • Token
  • User Consent
    • Consenting to requested claims
      • Example
    • Asking for consent
      • Example user consent gathering
      • Example with prompt
    • Enabling user consent
    • The user consent template
      • Example claim localization
      • Showing prefix scopes
    • Consentors
  • Consentors
    • BankID
      • Integrating with BankID
      • Signing Consent Data
      • QR Code
      • Asking user for personal number
      • Signing cancellation
      • Configuration settings
      • BankID Consentor Response
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
    • Profile configuration
    • Client configuration
    • Consentor selection
    • Consentor templates
    • Consentor result
  • Mutual TLS Authentication
    • TLS termination
    • Binding certificates to tokens
    • Trusted certificates
      • Trust by PKI
      • Trust by a pinned certificate
    • DN comparison
    • Subject Alternative Name
    • Configuring Mutual TLS
      • Proxy terminated Mutual TLS
      • Direct terminated Mutual TLS
      • Configuring trust
    • Reverse Proxy Server Setup
      • Generic Reverse Proxy Server Setup
      • Setting Up NGINX As a Reverse Proxy Server
      • Setting Up HAProxy As a Reverse Proxy Server
      • Setting Up Apache HTTPD 2.x As a Reverse Proxy
    • Non-Templatized Dynamic Client Registration using Mutual TLS
      • OrganizationIdentifier
      • Match only organizationIdentifier
  • OpenID Connect Issuer Discovery
  • Financial-grade Security
    • JWT Secured Authorization Request (JAR)
    • Pushed Authorization Requests
    • Request Object Handling
    • JWT Security Authorization Response Mode (JARM)
    • Encrypted ID Tokens
  • Session Management and Logout
    • Session Endpoint
    • Logout
      • Logout Notification
    • OpenId Connect specifications for Session Management and Logout
  • Token Procedure Plugins
    • Configuring and using Token Procedure Plugins
    • Developing Token Procedure Plugins
    • Known limitations
• User Management Admin Guide
  • Overview
    • SCIM 2.0
      • Users
      • Devices
      • Delegations
      • External ID
      • Custom claims
    • GraphQL
      • Queries and Mutations
      • Introspection
      • Authorization
      • Custom Attributes
      • Data Sources
      • More Details
    • OAuth Protected
  • Defining a User Management Service Profile
    • Preparing the User Management Service
      • Pre-requisite configuration
    • Step by step guide to setup a User Management Service
      • 1. Add the profile
      • 2. Select OAuth Service
      • 3. Select User Account Data Source
      • 4. Select OAuth Delegations Data Source
      • 5. Setting up the endpoints
      • 6. Exposing the Endpoints on a Service (node)
      • 7. Commit the changes
• Developer Guide
  • Authentication Service
    • Authenticators
      • Authenticators
    • Endpoints
      • Authentication Endpoint
      • Registration Endpoint
      • Anonymous endpoint
      • Authenticators
  • OAuth Service
    • Web Clients
      • Assisted Token JavaScript API
    • CORS on the OAuth Server
      • Default CORS Enabled Endpoints
      • Endpoints that Can be CORS Enabled
  • Data Sources
    • Using SCIM v1.1 as Data Source
      • Client Authentication
      • Required SCIM operations
    • JSON Data Source
      • Credential verification
      • Attribute Provider
      • Bucket Access
      • Authentication
  • SMS REST Client
    • Sending a message
    • Response and Errors
    • Authentication
  • Email Provider Plugin
    • SMTP Plugin’s message contents rendering
  • Front-End Development
    • Introduction
    • Understanding the Templating System
      • The Template Override System
      • Overrides
      • Template Areas
      • Serving templates via the anonymous endpoint
      • Error templates
      • Common Template Variables
      • Never Remove CSP
    • Using the UI Builder
      • Setting up the environment
      • Running the previewer
      • Working with velocity variables
      • Overriding templates
      • Working with template areas
      • Working with translations
      • Building
    • Customizing the Look and Feel
      • Creating Custom Themes in the Admin UI
      • How to create your custom theme in UI Builder
      • How to work with Sass
      • Themes
      • Using External Web Fonts
      • Compiling Sass to CSS
      • How to work with the settings file
    • Localizing Resources
      • About Locales
      • Using localized messages in templates
      • Message keys
      • Message lookup
      • Message Files Format
      • Using plugin-specific messages in re-usable templates
    • Secure Iframing
      • Pre-requisites
    • API Driven UI
  • Scripting Guide
    • Credential Transformation Procedures
      • Function
      • Examples
    • EventListener procedures
      • Configuring EventListener Procedures
      • Common API
      • EventListener functions
    • Filter procedures
      • Function
      • Common API
      • API
    • Global Scripts
      • Common API
      • Global Constants
    • Token procedures
      • Issuing tokens
      • Token Procedure Function Signature
      • Including Request Parameters Values
    • Token Procedure API
      • Context
    • Token Procedure Examples
      • Overview
      • Assisted Token Endpoint
      • Authorize Endpoint
      • Introspection Endpoint
      • Token Endpoint
      • UserInfo Endpoint
    • Transformation Procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Userinfo procedures
      • Common API
      • Claims
      • Common API
      • Function
      • Return Value
      • Examples
    • Validation procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Pre-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Post-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Common Procedure API
      • Common Procedure Objects
      • Procedure Context object
      • Common Operations Examples
    • Developing Procedures
      • Logging
      • Exceptions
  • Plugins
    • Access to the Curity Release Repository
    • Plugin Installation
      • Classpath considerations
    • Basic structure of a plugin
      • SmsSender Plugin Example
    • Managed Objects
    • Plugin Services
      • Service Restrictions by Plugin Type
      • Service Restrictions in ManagedObject
    • Cross-site Plugin Handlers
    • Java Version
    • Server-Provided Dependencies
      • SLF4J Logging API
      • Bean Validation API
      • Hibernate Validator Engine
      • Kotlin Standard Library
    • Serialization
  • Hypermedia Authentication API
    • Introduction
    • Access control
      • Client attestation
      • Android client attestation configuration
      • iOS client attestation configuration
      • Browser (Web) client attestation configuration
      • Disabling attestation for testing purposes
      • Debugging Web CAT problems
    • Flow state management
    • API Driven UI
    • Examples
      • Example - Username and password based authentication
      • Example - Encap authentication with device registration
      • Example - Using an external browser
    • SDK
      • HAAPI Android SDK
      • HAAPI iOS SDK
      • HAAPI Web SDK
  • Curity SDKs
    • Java Plugin SDK
    • HAAPI Android SDK
    • HAAPI iOS SDK
    • HAAPI Web SDK
  • GraphQL APIs
    • Using Access Tokens
    • Introspecting the Schema
    • Using Queries
    • Mutation Errors
    • DynamoDB limitations
      • User Management service limitations
      • Dynamic Client Registration service limitations
      • GraphQL error for unsupported features
• Configuration Guide
  • Overview
    • Transactional configuration
    • Rollbacks and history
    • Factory default
    • Mandatory, optional and default parameters
    • Configuration interfaces
      • Service Roles
      • Profiles
      • Endpoints
      • Using Endpoints in Service Roles
    • Commit Hooks
  • RESTCONF API
    • General Concepts
    • RESTCONF Endpoint
      • URIs
    • RESTCONF Operations
    • Querying Data
    • Rollback using RESTCONF
    • Message Encoding
    • Authentication
  • Command Line Interface
    • Connect to the CLI
    • Modes in the CLI
      • View mode
      • Configuration mode
    • Basic Usage
      • Viewing the configuration
      • Changing the configuration
      • Applying the configuration
      • Rollback changes
    • Advanced Usage
      • Moving through the configuration using Edit
      • Showing selected values only
      • Exporting configuration
      • Loading configuration
      • Multiline Edit Mode
    • Scripting and automation
  • Commit Hooks
    • Commit Hook CLI Scripts
    • Commit Hook Scripts
  • Encrypted Configuration
    • Setup Encryption
      • Defining a key during installation
    • Defining Encryption Key on Startup
    • Change Encryption Key
  • Backing Up the Configuration
    • Using the idsvr Command
    • Using the idsh Command
    • Using the Web UI
    • Using the RESTCONF API
  • Restoring a Saved Configuration
    • Using the idsvr Command
  • Restoring the Initial Configuration
    • Preserving the Configuration Database
    • Deleting the Configuration Database
      • 1. Stop the admin node
      • 2. Remove the running datastore
      • 3. Check the min-conf.xml and key-conf.xml
      • 4. Making sure the default procedures are in place
      • 5. Make sure the appropriate certificates are initialized
      • 6. Start the admin node
  • Parameterized XML Configuration
    • Example:
    • Default Values
    • Using startup.properties
  • Access Control
    • Defining Rules in the Admin UI
      • Rules for the DevOps Dashboard
    • Enforcement of Access Control Rules
  • Configuration Reference
    • Alarms
      • Control
      • Alarm-inventory
      • Summary
      • Alarm-list
      • Shelved-alarms
      • Alarm-profile
    • Environment
      • Localization
      • White-listed-proxies
      • Cluster
      • Admin-service
      • Themes
      • Zones
      • Service-role
      • Runtime-service
      • Reporting
      • Alarms
    • Profile
      • Authentication-service
      • User-management-service
      • Authorization-server
      • Endpoints
      • Token-issuers
    • Facilities
      • Cache
      • Client
      • Data-source
      • Email-provider
      • Sms-provider
      • Crypto
      • Caching-services
      • Client-attestation
    • Processing
      • Token-procedure-plugin
      • Token-procedure
      • Global-script
      • Validation-procedure
      • Transformation-procedure
      • Filter-procedure
      • Event-listener-procedure
      • Claims-provider-procedure
      • Credential-transformation-procedure
      • Pre-processing-procedure
      • Post-processing-procedure
      • Authorization-manager
      • Event-listener
      • Account-manager
      • Credential-manager
    • Base Types
    • Type Reference
      • Types
      • Identities
• Glossary

Type Reference

Types

resource

This is an identification of the alarming resource, such as an interface. It should be as fine-grained as possible to both guide the operator and guarantee uniqueness of the alarms. If the alarming resource is modeled in YANG, this type will be an instance-identifier. If the resource is an SNMP object, the type will be an ‘object-identifier’. If the resource is anything else, for example, a distinguished name or a Common Information Model (CIM) path, this type will be a string. If the alarming object is identified by a Universally Unique Identifier (UUID), use the uuid type. Be cautious when using this type, since a UUID is hard to use for an operator. If the server supports several models, the precedence should be in the order as given in the union definition.

resource-match

This type is used to match resources of type ‘resource’. Since the type ‘resource’ is a union of different types, the ‘resource-match’ type is also a union of corresponding types. If the type is given as an XPath 1.0 expression, a resource of type ‘instance-identifier’ matches if the instance is part of the node set that is the result of evaluating the XPath 1.0 expression. For example, the XPath 1.0 expression: /ietf-interfaces:interfaces/ietf-interfaces:interface [ietf-interfaces:type=’ianaift:ethernetCsmacd’] would match the resource instance-identifier: /if:interfaces/if:interface[if:name=’eth1’], assuming that the interface ‘eth1’ is of type ‘ianaift:ethernetCsmacd’. If the type is given as an object identifier, a resource of type ‘object-identifier’ matches if the match object identifier is a prefix of the resource’s object identifier. For example, the value: 1.3.6.1.2.1.2.2 would match the resource object identifier: 1.3.6.1.2.1.2.2.1.1.5 If the type is given as an UUID or a string, it is interpreted as an XML Schema regular expression, which matches a resource of type ‘yang:uuid’ or ‘string’ if the given regular expression matches the resource string. If the type is given as an XPath expression, it is evaluated in the following XPath context: o The set of namespace declarations is the set of prefix and namespace pairs for all YANG modules implemented by the server, where the prefix is the YANG module name and the namespace is as defined by the ‘namespace’ statement in the YANG module. If a leaf of this type is encoded in XML, all namespace declarations in scope on the leaf element are added to the set of namespace declarations. If a prefix found in the XML is already present in the set of namespace declarations, the namespace in the XML is used. o The set of variable bindings is empty. o The function library is the core function library, and the functions are defined in Section 10 of RFC 7950. o The context node is the root node in the data tree.

alarm-text

Base Type :string

The string used to inform operators about the alarm. This MUST contain enough information for an operator to be able to understand the problem and how to resolve it. If this string contains structure, this format should be clearly documented for programs to be able to parse that information.

severity

Base Type :enumeration Values :indeterminate, warning, minor, major, critical

The severity level of the alarm. Note well that the value ‘clear’ is not included. Whether or not an alarm is cleared is a separate boolean flag.

severity-with-clear

The severity level of the alarm including clear. This is used only in notifications reporting state changes for an alarm.

writable-operator-state

Base Type :enumeration Values :none, ack, closed

Operator states on an alarm. The ‘closed’ state indicates that an operator considers the alarm being resolved. This is separate from the alarm’s ‘is-cleared’ leaf.

operator-state

Operator states on an alarm. The ‘closed’ state indicates that an operator considers the alarm being resolved. This is separate from the alarm’s ‘is-cleared’ leaf.

alarm-type-id

Identifies an alarm type. The description of the alarm type id MUST indicate whether or not the alarm type is abstract. An abstract alarm type is used as a base for other alarm type ids and will not be used as a value for an alarm or be present in the alarm inventory.

alarm-type-qualifier

Base Type :string

If an alarm type cannot be fully specified at design time by ‘alarm-type-id’, this string qualifier is used in addition to fully define a unique alarm type. The definition of alarm qualifiers is considered to be part of the instrumentation and is out of scope for this module. An empty string is used when this is part of a key.

any-scope-including-none

An empty string which can be helpful for defining ‘catch-all’ rules

asymmetric-key-type

Base Type :enumeration Values :rsa, elliptic-curve, dsa, eddsa

allowed-key-management-algorithms

Base Type :enumeration Values :RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, A128KW, A192KW, A256KW, A128GCMKW, A192GCMKW, A256GCMKW

Algorithms supported to encrypt the content encryption key, present as ‘alg’ in JWE header

allowed-asymmetric-key-management-algorithms

Base Type :enumeration Values :RSA1_5, RSA-OAEP, RSA-OAEP-256, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW

Algorithms supported to encrypt the content encryption key, present as ‘alg’ in JWE header

allowed-content-encryption-algorithms

Base Type :enumeration Values :A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM

Supported content encryption algorithms, present as ‘enc’ in JWE header

script

Base Type :string

scope

endpoint-types

Base Type :enumeration Values :oauth-token, oauth-authorize, oauth-revoke, oauth-introspect, oauth-assisted-token, oauth-anonymous, oauth-userinfo, oauth-dynamic-client-registration, oauth-device-authorization, oauth-session, oauth-backchannel-authentication, auth-authentication, auth-registration, auth-anonymous, um-api, um-graphql-api

profile-type

base64-encoded-string

token-issuer-type

Base Type :enumeration Values :jwt, opaque, wrapped-opaque

Defines the type of tokens this issuer produces (format)

token-purpose-type

Base Type :enumeration Values :access_token, refresh_token, id_token, nonce, generic, userinfo

token-credential-verifier-type

Base Type :enumeration Values :static, sql, ldap

A type for a credential-verifier

jwt-algorithm

Base Type :enumeration Values :RS256, RS384, RS512, PS256, PS384, PS512, HS256, HS384, HS512, ES256, ES384, ES512, EdDSA

Available JWT signing algorithms (ref rfc7518, https://tools.ietf.org/html/rfc7518)

elliptic-curve-name

Base Type :enumeration Values :P-256, P-384, P-521

Supported elliptic curve names (see https://tools.ietf.org/html/rfc7518#section-3.4)

eddsa-curve-name

Base Type :enumeration Values :Ed25519, Ed448

Supported EdDSA curve names (curves taken from supported algorithms, see https://tools.ietf.org/html/rfc8037#section-3.1)

culture

Base Type :enumeration Values :sv-SE, en-US, en-GB

conf-timeout

Base Type :uint8 Values :1 to 20

Valid configuration operation timeout in seconds

token-time-to-live

Base Type :uint32 Values :10 to 4294967295

A type that defines valid token time-to-live values

disablable-token-time-to-live

A type that defines token time-to-live values. If set to ‘disabled’, then the token type to’ which this setting refers will not be issued at all.

non-empty-string

attribute-path

attribute-name

system-access-token-claim-name

Base Type :enumeration Values :aud, client_id, delegationId, exp, iat, iss, nbf, scope, sub, purpose, cnf, jti, dcrm_client

system-id-token-claim-name

Base Type :enumeration Values :iss, sub, aud, exp, iat, auth_time, nonce, acr, amr, azp, nbf, client_id, delegationId, purpose

system-user-info-endpoint-claim-name

Base Type :enumeration Values :sub

system-wrapper-token-claim-name

Base Type :enumeration Values :iss, iat, exp, azp, jti, aud

delegation-claim-name

Base Type :enumeration Values :owner, created, expires, scope, claims, clientId, redirectUri, status, authorizationCodeHash, authenticationAttributes, requestedClaims, mtlsClientCertificate, mtlsClientCertificateThumbprintS256, mtlsClientCertificateDN

attribute-location

Base Type :enumeration Values :subject-attributes, context-attributes, action-attributes

A location from where to retrieve or add attributes

Identities

al:alarm type id

al:alarm-type-id

Base identity for alarm types. A unique identification of the alarm, not including the resource. Different resources can share alarm types. If the resource reports the same alarm type, it is considered to be the same alarm. The alarm type is a simplification of the different X.733 and 3GPP Alarm IRP correlation mechanisms, and it allows for hierarchical extensions. A string-based qualifier can be used in addition to the identity in order to have different alarm types based on information not known at design time, such as values in textual SNMP Notification varbinds. Standards and vendors can define sub-identities to clearly identify specific alarm types. This identity is abstract and MUST NOT be used for alarms.

alde:external-service

Base Type :al:alarm-type-id

Alarms related to usages of external services

alde:failed-communication

Base Type :alde:external-service

A failure to communicate with an external service

alde:failed-connection

Base Type :alde:external-service

A failure to connect to an external service

alde:slow-connection

Base Type :alde:external-service

Communication with the external service is slower than acceptable

alde:failed-authentication

Base Type :alde:external-service

Authentication failed when establishing a connection to the external service

alde:system

Base Type :al:alarm-type-id

Alarms related to the internals of Curity

alde:expiry

Base Type :alde:system

Expiry (i.e., expiration) of some resource has or will soon occur

base:flow identity

base:flow-identity

This is the base for all oauth flows

base:token-endpoint-identity

Base Type :base:flow-identity

This is the base identity for all token endpoint flows

base:oauth-token-authorization-code

Base Type :base:token-endpoint-identity

The Authorization Code flow grant type on the token endpoint

base:oauth-token-client-credentials

Base Type :base:token-endpoint-identity

The Client Credentials grant type on the token endpoint

base:oauth-token-refresh

Base Type :base:token-endpoint-identity

The Refresh token grant type on the token endpoint

base:oauth-token-resource-owner-password-credentials

Base Type :base:token-endpoint-identity

The OAuth Resource Owner Password credentials grant type on the token endpoint

base:oauth-token-token-exchange

Base Type :base:token-endpoint-identity

The Token Exchange grant type on the token endpoint

base:oauth-token-device-code

Base Type :base:token-endpoint-identity

The Device Code grant type on the token endpoint

base:oauth-token-assertion

Base Type :base:token-endpoint-identity

The Assertion grant type on the token endpoint

base:oauth-token-backchannel-authentication

Base Type :base:token-endpoint-identity

The Backchannel Authentication (CIBA) grant type on the token endpoint

base:authorize-endpoint-identity

Base Type :base:flow-identity

This is the base identity for all authorize endpoint flows

base:oauth-authorize-authorization-code

Base Type :base:authorize-endpoint-identity

The Authorization Code flow on the authorization endpoint

base:oauth-authorize-implicit

Base Type :base:authorize-endpoint-identity

The Implicit flow on the authorization endpoint

base:openid-authorize-hybrid

Base Type :base:authorize-endpoint-identity

The Hybrid flow on the authorization endpoint

base:introspect-endpoint-identity

Base Type :base:flow-identity

This is the base identity for all introspection endpoint flows

base:oauth-introspect

Base Type :base:introspect-endpoint-identity

The introspect token flow on the introspection endpoint

base:oauth-introspect-application-jwt

Base Type :base:introspect-endpoint-identity

The introspect token flow on the introspection endpoint (serving Content-Type ‘application/jwt’)

base:device-authorization-identity

Base Type :base:flow-identity

This is the base identity for device authorization flow endpoints

base:oauth-device-authorization

Base Type :base:device-authorization-identity

The device code issuance flow of device verification

base:userinfo-endpoint-identity

Base Type :base:flow-identity

This is the base identity for all userinfo endpoint flows

base:openid-userinfo

Base Type :base:userinfo-endpoint-identity

The UserInfo flow on the userinfo endpoint

base:assisted-token-endpoint-identity

Base Type :base:flow-identity

This is the base identity for all assisted token endpoint flows

base:oauth-assisted-token

Base Type :base:assisted-token-endpoint-identity

The Assisted token flow on the assisted token endpoint

base:session-endpoint-identity

Base Type :base:flow-identity

This is the base identity for all the session endpoint flows

base:openid-session-logout

Base Type :base:session-endpoint-identity

The Logout token flow on the session endpoint

base:backchannel-authentication-identity

Base Type :base:flow-identity

The is the base identity for backchannel authentication (CIBA) flow endpoints

base:oauth-backchannel-authentication

Base Type :base:backchannel-authentication-identity

The backchannel authentication endpoint for initiating a CIBA flow

sc:profile identity

sc:profile-identity

This is the base identity for all profiles

auth:authentication-service

Base Type :sc:profile-identity

The Authentication service identity

um:user-management-service

Base Type :sc:profile-identity

The User Management service identity

as:oauth-service

Base Type :sc:profile-identity

The OAuth service identity

sc:authorization actions

sc:authorization-actions

All actions that can be authorized by an authorization manager

um:authorization-actions.user-management

Base Type :sc:authorization-actions

All user-management-related actions that can be authorized by an authorization manager

um:authorization-actions.user-management.admin

Base Type :um:authorization-actions.user-management

The actions that an admin may perform in the user management service that an authorization manager may authorize

um:authorization-actions.user-management.admin.read

Base Type :um:authorization-actions.user-management.admin

The action that is used for all read-only operations in the user management service that an authorization manager may authorize

um:authorization-actions.user-management.admin.write

Base Type :um:authorization-actions.user-management.admin

The action that is used for all write operations in the user management service that an authorization manager may authorize

um:authorization-actions.user-management.delegations

Base Type :um:authorization-actions.user-management

The actions that may be performed in the delegations endpoint that an authorization manager may authorize

um:authorization-actions.user-management.delegations.admin

Base Type :um:authorization-actions.user-management.delegations

The actions that an admin may perform in the delegations endpoint that an authorization manager may authorize

um:authorization-actions.user-management.delegations.admin.write

Base Type :um:authorization-actions.user-management.delegations.admin

The actions that is used for all admin write operations in the delegations endpoint that an authorization manager may authorize

um:authorization-actions.user-management.delegations.admin.read

Base Type :um:authorization-actions.user-management.delegations.admin

The actions that is used for all admin read operations in the delegations endpoint that an authorization manager may authorize

um:authorization-actions.user-management.delegations.user

Base Type :um:authorization-actions.user-management.delegations

The action that is used for all read-only operations in the delegations endpoint service that an authorization manager may authorize

um:authorization-actions.user-management.delegations.user.read

Base Type :um:authorization-actions.user-management.delegations.user

The actions that is used for all user read operations in the delegations endpoint that an authorization manager may authorize

um:authorization-actions.user-management.delegations.user.write

Base Type :um:authorization-actions.user-management.delegations.user

The actions that is used for all user write operations in the delegations endpoint that an authorization manager may authorize

um:authorization-actions.user-management.users

Base Type :um:authorization-actions.user-management

The actions that may be performed in the users endpoint that an authorization manager may authorize

um:authorization-actions.user-management.users.admin

Base Type :um:authorization-actions.user-management.users

The actions that an admin may perform in the users endpoint that an authorization manager may authorize

um:authorization-actions.user-management.users.admin.write

Base Type :um:authorization-actions.user-management.users.admin

The actions that is used for all admin write operations in the users endpoint that an authorization manager may authorize

um:authorization-actions.user-management.users.admin.read

Base Type :um:authorization-actions.user-management.users.admin

The actions that is used for all admin read operations in the users endpoint that an authorization manager may authorize

um:authorization-actions.user-management.users.user

Base Type :um:authorization-actions.user-management.users

The action that is used for all read-only operations in the users endpoint service that an authorization manager may authorize

um:authorization-actions.user-management.users.user.read

Base Type :um:authorization-actions.user-management.users.user

The actions that is used for all user read operations in the users endpoint that an authorization manager may authorize

um:authorization-actions.user-management.users.user.write

Base Type :um:authorization-actions.user-management.users.user

The actions that is used for all user write operations in the users endpoint that an authorization manager may authorize

um:authorization-actions.user-management.read

Base Type :sc:authorization-actions

The action that is used for read-only operations for any type of user

um:authorization-actions.user-management.write

Base Type :sc:authorization-actions

The action that is used for write-only operations for any type of user

as:authorization-actions.oauth

Base Type :sc:authorization-actions

All oauth-related actions that can be authorized by an authorization manager

as:authorization-actions.oauth.user-read

Base Type :as:authorization-actions.oauth

The action that is used for all user read operations in the user info endpoint that an authorization manager may authorize