9.1.0

• Home

Table of Contents

• System Admin Guide
  • Alarms
    • Overview
      • Terminology
      • The Alarm Object
      • Sliding Window Alarms
      • Managing Alarms
      • Notifications
      • Clusters
    • Alarm Types
      • Expiry
      • Failed Authentication
      • Failed Communication
      • Failed Connection
      • Slow Connection
    • Alarm Handlers
      • Email Notifier
      • Webhook Notifier
      • Slack Notifier
      • PagerDuty Notifier
    • Testing Alarms
      • Testing Alarms using the Web UI
      • Testing Alarms using the CLI
      • Verifying the alarm
  • Attribute Transformers
    • Regex Transformer
      • Regex transformation examples
    • Data Source Transformer
      • Data Source Transformation example
    • Script Transformer
  • Audit
    • Configuration
      • Logger
      • File Appender
      • Database Appender
      • Batching Log Messages for performance
    • Audit Data
      • Mandatory
      • Optional
    • Audit Events
      • profile-added
      • token-introspected
      • refresh-token-issued
      • refresh-token-revoked
      • access-token-issued
      • access-token-revoked
      • id-token-issued
      • initial-dcr-access-token-issued
      • initial-dcr-access-token-consumed
      • initial-dcr-access-token-revoked
      • dcr-client-registered
      • user-info
      • authorization-code-issued
      • authorization-code-consumed
      • delegation-issued
      • delegation-revoked
      • account-created
      • accounts-linked
      • account-activated
      • scim-account-updated
      • scim-account-created
      • scim-account-deleted
      • access-token-authentication
      • client-authentication-success
      • client-authentication-failure
      • cat-verification-failed
      • logout
      • user-authentication-success
      • user-sso-authentication-success
      • sso-session-created
      • bc-authentication-start
      • bc-authentication-success
      • bc-authentication-failure
  • Authorization Managers
    • Groups Authorization Manager
      • Group Rules
    • Scope Authorization Manager
      • Policies, Actions and Rules
      • Configuration
      • Use with OpenID Connect User Info
    • Attribute Authorization Manager
      • Configuration
      • Limitations
      • Examples
  • Credential Managers
    • User Account Credentials
    • Credential Policies
      • Data source requirements
  • Cryptography
    • Configuring certificates
    • Configuring private keystores
      • Using an action to add a keystore
      • Preparing the keystore for embedding in an XML configuration document
    • Converting KeyStores (keystore-entry) into correct PKCS12 format
      • Usage of the convertks script
    • Working with PKCS1 private keys
    • Hardware Security Module
      • Entering a PIN
      • Configuring the HSM
      • Debugging the PKCS#11 Provider
    • EdDSA support
  • Data Sources
    • Overview
      • Configuration Strategy
      • Data Source Usage
    • JDBC
      • Table management
      • Database maintenance
      • Quoted identifiers
      • Configuration
      • Clustering
      • Connection Pool Metrics
      • Credential Data Access
      • MySQL and MariaDB
      • Microsoft SQL Server
      • PostgreSQL and CockroachDB
      • Oracle
      • HsqlDB
    • LDAP
      • LDAP for Account and Credential Data Access
      • LDAP for Attribute Data Access
      • Use-case for configuring an LDAP backend for HTML Forms authenticator
      • Connection Pool
    • SCIM
      • SCIM 1.1
      • SCIM 2.0
    • JSON / REST Data Source
      • Configuration
    • DynamoDB
      • Table management
      • Database maintenance
      • User Management Service
      • Credential Data Access
      • Configuration
    • Multi-zone
      • Configuration
  • Deployment
    • Cluster
      • Two Node Setup
      • Standalone Admin Setup
      • Asymmetric Setup
    • Scalability
    • Creating a Cluster
      • Preparing Configuration
      • Setup Nodes
      • Service Role
      • Viewing Connected Nodes
      • Cluster Lifecycle
    • Deploying with Docker
      • Building a Docker Container
      • Running with docker-compose
    • Multi-region Deployments
      • Authorization flows - Front-channel
      • Authorization flows - Back-channel
      • Data sources
  • Email Providers
    • SMTP Email Provider
      • DomainKeys Identified Mail
    • Configure Email Provider for a Service
  • Http Clients
    • Introduction
    • HTTP Client Configuration
      • Scheme
      • Connection Pool
      • Caching
      • Authentication
      • TLS (encryption)
      • Proxies
    • Metrics
  • Logging
    • Log Levels
    • Configuration Overview
    • Appenders
      • Standard Out
      • Cluster Log
      • Request Log
      • Audit Log
      • Metrics
    • Loggers
    • Logging Incorrect Cookies
    • Masking
    • Shipping Logs
    • Log4j Scripting Languages
    • Files Not Configurable by Log4j
      • Configuration Service Logs
  • Monitoring
    • JMX
    • Tracing
    • Zulu Flight Recorder
      • Starting a Recording Manually
      • Starting a Recording from the Command Line
      • Starting a Recording on Startup
    • Status Endpoint
      • Command line tool
    • Prometheus-compliant Metrics
      • Common Alerts
      • Configuration
  • Scripting
    • Introduction to scripts
      • Procedures during authentication
      • Procedures during token issuance and processing
    • Configuring Scripts
      • Script Types
      • Preparations
      • Configuring using etc/init
      • Writing Scripts
  • Server Events
    • Event Listener Types
      • Script EventListeners
      • EventListener Plugins
    • Types of Events
  • SMS Providers
    • Twilio Sms Provider
    • REST Sms Provider
  • Transport Layer Security
    • Server Name Indication
  • Upgrading
    • Upgrading from 7.0.X to 7.1.0
      • HAAPI DPoP improved processing
      • Template and message updates
    • Upgrading from 7.1.X to 7.2.0
      • SDK Changes
      • Logging Changes
    • Upgrading from 7.2.X to 7.3.0
      • Authentication Action Attributes
    • Upgrading from 7.3.X to 7.4.0
      • Email templates in Authentication Actions
      • Startup script changes
      • User Management with GraphQL
      • DynamoDB schema changes
    • Upgrading from 7.4.X to 7.5.0
      • HTTP Client Default Timeouts
    • Upgrading from 7.5.X to 7.6.0
      • Systemd config file update
      • New SAML Authenticator
    • Upgrading from 7.6.X to 8.0.0
      • Upgrading the XML Configuration
      • Authorization custom token procedures update
      • DynamoDB schema changes
      • WebAuthn authenticator
      • HAAPI capability and use of legacy DPOP
      • Microsoft SQL Server JDBC driver
      • Changes to HAAPI responses
      • Password-based PBES2 JWE algorithms
      • Windows Connector Failover Update
    • Upgrading from 8.0.X to 8.1.0
      • Database Changes
      • Custom Token Issuers
      • Email Authenticator
    • Upgrading from 8.1.X to 8.2.0
      • User consent template
      • SDK Changes
      • Token Procedure Plugin Configuration
      • Claims
    • Upgrading from 8.2.X to 8.3.0
    • Upgrading from 8.3.X to 8.4.0
      • SDK
      • Database Changes
      • Deprecation notice
      • Logging Incorrect Cookies
    • Upgrading from 8.4.X to 8.5.0
      • Template Changes
      • Deprecation notice
    • Upgrading from 8.5.X to 8.6.0
      • Deprecation notice
    • Upgrading from 8.6.X to 8.7.0
      • Hypermedia API external browser flow
      • HAAPI authorization code and refresh token binding
    • Upgrading from 8.7.X to 9.0.0
      • JDBC data source - database schema changes
      • User management
      • Service name
      • Attribute Authorization Manager
      • Updates on Docker images
      • SDK changes
      • Events and audit data
      • Token Issuers Data Sources
      • Custom Claims
      • Database client change
      • HTML Forms authenticator
      • Logging Incorrect Cookies
      • SAML Authenticator removal
    • Upgrading from 9.0.X to 9.1.0
      • JDBC data source
      • HTML Forms authenticator
      • SDK changes
    • General Upgrade Procedure
      • Preparing the upgrade
      • Performing the upgrade
      • After the Upgrade
  • DevOps Dashboard
    • Enabling the DevOps Dashboard
    • Requirements of an OAuth Client
    • Group Access
    • Availability
  • System Requirements
    • Operating Systems
    • Minimum Hardware Requirements
    • Recommended Hardware Setup
    • Hypermedia Authentication API
    • Browsers
    • Database
    • User Repositories
    • Networking
    • Hardware Security Module
    • File Encoding
    • HTTP
    • TLS
  • JVM Configuration
    • Changing JVM Settings in the Admin UI
    • Changing the JVM Settings with the CLI
  • Go-live Checklist
    • General System
    • Related Systems
    • All Profile Types
    • Authentication
    • Token Service
    • User Management
    • Configuration
    • Clustering
  • CORS
  • Cross Site Requests
• Authentication Service Admin Guide
  • Overview
    • Authenticators
    • Actions
    • Single Sign-On (SSO)
    • Logout
    • Account Domains
    • Validation Procedures
    • Authenticator Filters
    • Service Providers
    • Protocol Plugins
    • Automatic login
  • Defining an Authentication Service Profile
    • Preparing the Authentication Service Profile
      • Pre-requisite configuration
    • Base Configuration of an Authentication Service Profile
      • Example Create request
  • Authenticators
    • Overview of Authenticators
      • Authenticator purpose
      • Authenticator Base Configuration
      • Multi-factor configuration for Authentication
      • Back-channel Authenticators
    • BankID
      • Integrating with BankID
      • Kinds of BankIDs
      • Trusted BankID Provider
      • Authentication flows
      • Configuration settings
      • BankID Version 6 API
      • BankID on the Phone
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
      • Launch behavior
      • Change specific browser behavior
      • Disable autostart
      • Debugging the templates
    • Duo
      • Configuration Settings
      • Creating a New Authenticator
      • Logging In
    • Dynamic Authenticator
      • Configuration
      • Delegate Authenticator
      • Dynamic Configuration Source
      • Configuration Example
      • Example Use-case
    • Email
      • Base Configuration
      • Using as standalone factor (single factor)
      • Using as second or N-th factor
      • Using an Intermediate Attribute
      • Hyperlink
      • Inactive Accounts
      • Configuration
    • Encap
      • Basic Configuration
      • Registration During Login
      • Additional Information Before Registration
      • Automatic Login
    • Entrust IDaaS
      • Creating an App in Entrust
      • Creating a new Authenticator
    • Facebook Authenticator
      • Configuring Facebook
      • The Redirect URI
      • The Data Deletion Request Callback URL
      • Configuration in the Authentication Service
    • Google Authenticator
      • Configuring Google
      • The Redirect URI
      • Configuration in the Authentication Service
    • HTML Forms Authenticator
      • Paths
      • Validation Scripts
      • Email Provider
      • Automatic Login
      • Password Only
      • Remember Me
      • Binding Message
      • Configuration
    • OpenID Connect Authenticator
      • The Redirect URI
      • JWKS Endpoint
      • Configuration
    • OpenID Wallet
      • Configuring OpenID Wallet Authenticator
      • Anonymous JWKS Endpoint
      • Further Reading
    • Passkeys
      • Configuring a Passkeys authenticator
      • Registering devices
      • Hypermedia Authentication API
      • iOS Domain Association
      • Android Domain Association
      • Known limitations
    • PingFederate IdP Adapter Authenticator
      • Authentication Flow
      • Configuration
    • PingFederate
    • SAML2
      • Paths
      • Validation Scripts
      • Configuration
      • SAML2 dynamic authenticator
      • Known limitations
    • Sign in with Apple
      • Configuring a Sign in with Apple Service
      • Setting up the authenticator
    • SITHS
      • Configuring an Authenticator
    • SMS OTP
      • Base Configuration
      • Using as standalone factor (Single factor)
      • Using as second or N-th factor
      • Using an Intermediate Attribute
      • SMS OTP in OTP mode
      • SMS OTP in Hyperlink mode
      • Registration
      • Automatic Login
      • Configuration
    • TOTP - Time base One Time Password
      • Configuring an Authenticator
      • Configuring for pre-shared keys
      • Configuring for generated keys
      • Automatic Login
    • Twitter
      • Creating an App in Twitter
      • Configuring the Twitter Authenticator
    • Username
      • Configuration
      • Source Code
    • WebAuthn
      • Device Types
      • Configuring a WebAuthn authenticator
      • Registering devices
      • User Interaction for platform devices
      • Hypermedia Authentication API
      • iOS Domain Association
      • Android Domain Association
      • Known limitations
    • Windows
      • Installing the Windows Connector
      • Configuring an Authenticator
      • Configuring the Windows Connector
      • Troubleshooting
  • Authentication Actions
    • Overview
      • Login Actions
      • SSO Actions
      • Actions and Action Completions
      • Action attributes
    • Attribute Prompt Action
      • Configuration
      • Localization
    • Auto Create Account
      • Creating accounts
      • Configuration
      • Default Values in the account
      • Errors
    • Auto Link Accounts
      • Overview
      • Configuration
      • Advanced
      • User Confirmation
    • Bundle Action
      • Configuration
    • Conditional Multi-Factor
      • Attribute Enable Condition
      • Attribute ACR Condition
      • Subject Condition
      • Client Property Condition
      • Subject Check
    • Copy Attribute
      • Configuration
    • Data Source Transformer Action
      • Transforming values using data source values
      • Include additional values from datasource
      • Configuration
    • Date/Time Deny Action
    • Debug Attribute Action
    • Deny Action
      • Configuration
    • Geolocation Allow or Deny Country Action
      • Configuration
    • Geolocation Changed Country Action
      • Configuration
    • Geolocation Impossible Journey Action
      • Configuration
    • Geolocation New Country Action
      • Configuration
    • Lookup Account
    • Lookup Links Action
      • Overview
      • Configuration
    • Opt-In MFA
      • Registering a New Factor
      • Managing Factors
      • Recovery Codes
      • Single Sign-On of second factors
      • Configuration
    • Regular Expression Transformer Action
      • Transforming values using regular expressions
      • Excluding attributes
      • Renaming attributes
      • Configuration
    • Remove Attribute Transformer Action
      • Configuring attributes for removal
    • Request Acknowledgement
      • Localization
      • Configuration
    • Require Active Account
      • Configuration
    • Reset Password
      • Configuration
      • Example Usage
      • Errors
    • Resolve Account Link
      • Overview
      • Configuration
    • Restart Action
      • Configuration
    • Script Transformer Action
      • Transforming values using script procedures
      • Configuration
    • Selector
      • Configuration
    • Send Email Action
      • Configuration
      • Templates
    • Sequence Action
      • Configuration
    • Set Attribute
      • Configuration
    • Signup
      • Configuration
    • Switch Action
      • Conditions
      • Configuration
    • Time-based Deny Action
    • Update Account
      • Configuration
    • Zone Transfer
      • Configuration
      • Errors
  • Multi-Factor Authentication
    • Using a chain of authenticators
      • More than two factors
      • Single Sign-On and Multi-Factor
      • Freshness and Forced Authentication
      • Using the ACR Parameter
    • Using a Multi-Factor Authentication Action
  • Account Linking
    • Basic Concepts
      • Example of Linking with Facebook
      • Example of Linking with Facebook as Second authenticator
    • Resolving Links
    • Looking up Links
    • Common Linking Flows
      • Linking a foreign account and adding links to the result
      • Linking using the foreign authenticator and resolving immediately
      • Linking using the local authenticator, resolving on next login with foreign
      • Linking two foreign accounts using auto create account
      • Linking two foreign accounts using auto create & resolving on next login
  • Protocol Plugins
    • PingFederate
      • Configuring PingFederate
      • Adapter Configuration
      • Configuring the Authentication Service
    • SAML
      • SAML protocol
      • Configuring the Authentication Service
      • Service Provider (App) integration
      • Federation Server integration
      • SAML Logout
  • Account Manager
    • Registration - Create account
    • Username is Email
  • Service Providers
    • Introduction
    • Managing Service Providers in the Admin UI
    • Framable User Interface
      • Multiple values for ‘allowed-origins’
      • Origin URI pattern format
    • Original Query retry integration
      • Example
      • Example OAuth Client
    • Third Party Cookies
      • Steps to Integrate Preflighting
      • Advanced Preflight behaviour
      • Disabling the Preflight Resource
  • Authenticator Filters
    • User-Agent Authenticator Filter
    • CIDR Authenticator Filter
    • Script Authenticator Filter
    • Geolocation Authenticator Filter
  • Single Sign-On
    • Requirements for SSO
    • Session Duration
      • Session cookies vs Persisted Cookies
      • Database persisted session
      • Expiration
      • Example
    • Overriding SSO
      • Freshness
      • Forcing authentication
  • Automatic Login
    • Authenticator Availability
  • Logout
    • Endpoint
    • Redirect After Logout
      • Using configuration
      • Using query parameter
    • Configuration
  • Geolocation
    • Geolocation Database File
    • Geolocation Actions
      • Geolocation Allow or Deny Country Action
      • Geolocation Changed Country Action
      • Geolocation Impossible Journey Action
      • Geolocation New Country Action
    • Geolocation authenticator filter
    • Geolocation authenticator settings
• Token Service Admin Guide
  • Introduction to the Token Service
  • Defining an OAuth Profile
    • Preparing the OAuth Profile
      • OpenID Connect
      • Pre-requisite configuration
    • Base Configuration of an OAuth Profile
      • Example create request
  • OAuth Flows
    • Code
      • Proof Key for Code Exchange
    • Implicit
    • Client Credentials
    • Resource Owner Password Credentials
    • OpenID Connect Hybrid Flows
    • OpenID Connect CIBA Flow
      • Signed Authentication Request
    • Token Exchange
    • Assisted Token
    • Refresh
    • Revoke
    • Introspect
      • Introspect with application/jwt as accept header
    • Json Web Key Set (JWKS)
    • Device Authorization Flow
    • Assertion Flow
      • Token reuse
    • Logout Flow
  • Using the device flow
    • Configuration
    • Endpoints
      • Device Authorization
      • UserCode Verification
      • Token Endpoint
    • Token Procedures
    • Templates
  • Scopes and Claims
    • Adding a scope to the profile
    • Adding a scope to a client
    • Scope Lifetime
    • Required scopes
    • Prefix scopes
      • Customizing prefix scope templates and messages
    • Claims of a scope
    • Claims I/O
    • Claim configuration
      • Claim mappers
      • Claim value providers
      • Configuring a claim
  • Configuring OAuth User Authentication
  • OpenID Connect
    • Metadata
    • The “claims” request parameter
    • Issuing pseudonymous subject identifiers
      • Client settings
      • Profile settings
      • Sector Identifier for Dynamic Client Registration
  • OAuth Metadata
  • OpenID Connect Metadata
  • Dynamic Client Registration
    • Architectural Overview of Dynamic Client Registration
      • Deployments and Configurations
      • Initial Access Token
      • Registration
      • Registration Based on a Template Client
      • Registration Based on a Non-templatized Client
    • Enabling Dynamic Client Registration
    • Dynamic Client Registration Management (DCRM)
      • Client Certificates and DCRM
      • DCRM Management Clients
    • Dynamic Client Management With GraphQL
    • Dynamic Client Registration API
      • Templatized Dynamic Client Registration
      • Non-Templatized Dynamic Client Registration
    • Custom Client Properties
  • Database Client Management
    • Database Client VS DCR
    • Enabling Database Clients
    • Configuring a Data Source
    • Create a Database Client Endpoint
    • Authorization Access
    • Managing Database Clients in the DevOps Dashboard
    • Configuring Clients
    • Warnings
    • Database Client Limitations
  • OAuth Client Configuration
    • Client Capabilities
      • Hybrid Capabilities
    • User Authentication
    • Client Authentication
      • Client Secret
      • Client Assertion
      • Secondary authentication
    • Client Framability
      • Examples
    • Redirect URI validation
      • Validation policies
      • Using Validate Port on Loopback Interfaces and Allow Per Request Redirect URIs (deprecated)
  • Issuing OAuth and OpenId Connect Tokens
    • Default Token Issuers
    • Custom Token Issuers
    • More on Wrapped Opaque Tokens
    • Encrypted ID Tokens
  • OAuth Endpoint Reference
    • Anonymous
    • Authorize
    • Assisted Token
    • Introspect
    • Revoke
    • Token
    • User Info
    • Dynamic Client Registration
    • Database Client Management
    • Device Authorization
    • OpenID Connect Sessions
    • Backchannel Authentication
    • Verifiable Credentials
  • User Consent
    • Consenting to requested claims
      • Example
    • Asking for consent
      • Example user consent gathering
      • Example with prompt
    • Enabling user consent
    • The user consent template
      • Example claim localization
      • Showing prefix scopes
    • Consentors
  • Consentors
    • BankID
      • Integrating with BankID
      • Signing Consent Data
      • QR Code
      • Asking user for personal number
      • Signing cancellation
      • Configuration settings
      • BankID Consentor Response
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
    • Profile configuration
    • Client configuration
    • Consentor selection
    • Consentor templates
    • Consentor result
  • Mutual TLS Authentication
    • TLS termination
    • Binding certificates to tokens
    • Trusted certificates
      • Trust by PKI
      • Trust by a pinned certificate
    • DN comparison
    • Subject Alternative Name
    • Configuring Mutual TLS
      • Proxy terminated Mutual TLS
      • Direct terminated Mutual TLS
      • Configuring trust
    • Reverse Proxy Server Setup
      • Generic Reverse Proxy Server Setup
      • Setting Up NGINX As a Reverse Proxy Server
      • Setting Up HAProxy As a Reverse Proxy Server
      • Setting Up Apache HTTPD 2.x As a Reverse Proxy
    • Non-Templatized Dynamic Client Registration using Mutual TLS
      • OrganizationIdentifier
      • Match only organizationIdentifier
  • OpenID Connect Issuer Discovery
  • Financial-grade Security
    • JWT Secured Authorization Request (JAR)
    • Pushed Authorization Requests
    • Request Object Handling
    • JWT Security Authorization Response Mode (JARM)
    • Encrypted ID Tokens
  • Session Management and Logout
    • Session Endpoint
    • Logout
      • Logout Notification
    • OpenId Connect specifications for Session Management and Logout
  • Token Procedure Plugins
    • Configuring and using Token Procedure Plugins
    • Developing Token Procedure Plugins
      • Using Custom Token Issuers
      • Using Custom Token Introspecters
  • Verifiable Credential Issuance
    • Pre-authorized Code Flow
      • Pre-authorized Code and User PIN Issuance
    • Rich Authorization Requests (RAR) support
    • Formats and data models
    • Endpoints
      • Token procedures
    • Credential Request Handling
      • Subject and issuer DID methods
      • Token Issuers
      • Authorization Requests
    • Configuration Model Summary
    • Configuration Example
• User Management Admin Guide
  • Overview
    • SCIM 2.0
      • Users
      • Devices
      • Delegations
      • External ID
      • Custom claims
    • GraphQL
      • Queries and Mutations
      • Introspection
      • Authorization
      • Custom Attributes
      • Data Sources
      • More Details
    • OAuth Protected
  • Defining a User Management Service Profile
    • Preparing the User Management Service
      • Pre-requisite configuration
    • Step by step guide to setup a User Management Service
      • 1. Add the profile
      • 2. Select OAuth Service
      • 3. Select User Account Data Source
      • 4. Select OAuth Delegations Data Source
      • 5. Setting up the endpoints
      • 6. Exposing the Endpoints on a Service (node)
      • 7. Commit the changes
    • Password validation
    • Username updates
• Developer Guide
  • Authentication Service
    • Authenticators
      • Authenticators
    • Endpoints
      • Authentication Endpoint
      • Registration Endpoint
      • Anonymous endpoint
      • Authenticators
  • OAuth Service
    • Web Clients
      • Assisted Token JavaScript API
    • CORS on the OAuth Server
      • Default CORS Enabled Endpoints
      • Endpoints that Can be CORS Enabled
  • Data Sources
    • Using SCIM v1.1 as Data Source
      • Client Authentication
      • Required SCIM operations
    • JSON Data Source
      • Credential verification
      • Attribute Provider
      • Bucket Access
      • Authentication
  • SMS REST Client
    • Sending a message
    • Response and Errors
    • Authentication
  • Email Provider Plugin
    • SMTP Plugin’s message contents rendering
  • Front-End Development
    • Introduction
    • Understanding the Templating System
      • The Template Override System
      • Overrides
      • Template Areas
      • Serving templates via the anonymous endpoint
      • Error templates
      • Common Template Variables
      • Authentication Service Template Variables
      • Never Remove CSP
    • Using the UI Builder
      • Setting up the environment
      • Running the previewer
      • Working with Velocity variables
      • Overriding templates
      • Working with template areas
      • Working with translations
      • Building
    • Customizing the Look and Feel
      • Creating Custom Themes in the Admin UI
      • How to create your custom theme in UI Builder
      • How to work with Sass
      • Themes
      • Using External Web Fonts
      • Compiling Assets
      • How to work with the settings file
    • Localizing Resources
      • About Locales
      • Using localized messages in templates
      • Message keys
      • Message lookup
      • Message Files Format
      • Using plugin-specific messages in re-usable templates
    • Secure Iframing
      • Pre-requisites
    • API Driven UI
  • Scripting Guide
    • Credential Transformation Procedures
      • Function
      • Examples
    • EventListener procedures
      • Configuring EventListener Procedures
      • Common API
      • EventListener functions
    • Filter procedures
      • Function
      • Common API
      • API
    • Global Scripts
      • Common API
      • Global Constants
    • Token procedures
      • Issuing tokens
      • Token Procedure Function Signature
      • Including Request Parameters Values
    • Token Procedure API
      • Context
    • Token Procedure Examples
      • Overview
      • Assisted Token Endpoint
      • Authorize Endpoint
      • Introspection Endpoint
      • Token Endpoint
      • UserInfo Endpoint
    • Transformation Procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Userinfo procedures
      • Common API
      • Claims
      • Common API
      • Function
      • Return Value
      • Examples
    • Validation procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Pre-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Post-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Common Procedure API
      • Common Procedure Objects
      • Procedure Context object
      • Common Operations Examples
    • Developing Procedures
      • Logging
      • Exceptions
  • Plugins
    • Access to the Curity Release Repository
    • Plugin Installation
      • Classpath considerations
    • Basic structure of a plugin
      • SmsSender Plugin Example
    • Managed Objects
    • Plugin Services
      • Service Restrictions by Plugin Type
      • Service Restrictions in ManagedObject
    • Cross-site Plugin Handlers
    • Java Version
    • Server-Provided Dependencies
      • SLF4J Logging API
      • Bean Validation API
      • Hibernate Validator Engine
      • Kotlin Standard Library
    • Serialization
  • Hypermedia Authentication API
    • Introduction
    • Access control
      • Client attestation
      • Android client attestation configuration
      • iOS client attestation configuration
      • Browser (Web) client attestation configuration
      • Disabling attestation for testing purposes
      • Debugging Web CAT problems
    • Authorization code and refresh token binding
    • Flow state management
    • API Driven UI
    • Examples
      • Example - Username and password based authentication
      • Example - Encap authentication with device registration
      • Example - Using an external browser
    • SDK
      • HAAPI Android SDK
      • HAAPI iOS SDK
      • HAAPI Web SDK
  • Curity SDKs
    • Java Plugin SDK
    • HAAPI Android SDK
    • HAAPI iOS SDK
    • HAAPI Web SDK
  • GraphQL APIs
    • Using Access Tokens
    • Introspecting the Schema
    • Using Queries
    • Mutation Errors
    • DynamoDB limitations
      • User Management service limitations
      • Dynamic Client Registration service limitations
      • Database Client limitations
    • GraphQL error for unsupported features
• Configuration Guide
  • Overview
    • Transactional configuration
    • Rollbacks and history
    • Factory default
    • Mandatory, optional and default parameters
    • Configuration interfaces
      • Service Roles
      • Profiles
      • Endpoints
      • Using Endpoints in Service Roles
    • Commit Hooks
  • RESTCONF API
    • General Concepts
    • RESTCONF Endpoint
      • URIs
    • RESTCONF Operations
    • Querying Data
    • Rollback using RESTCONF
    • Invoking YANG Actions Using RESTCONF
    • Message Encoding
    • Authentication
  • Command Line Interface
    • Connect to the CLI
    • Modes in the CLI
      • View mode
      • Configuration mode
    • Basic Usage
      • Viewing the configuration
      • Changing the configuration
      • Applying the configuration
      • Rollback changes
    • Advanced Usage
      • Moving through the configuration using Edit
      • Showing selected values only
      • Exporting configuration
      • Loading configuration
      • Multiline Edit Mode
    • Scripting and automation
  • Commit Hooks
    • Commit Hook CLI Scripts
    • Commit Hook Scripts
  • Encrypted Configuration
    • Setup Encryption
      • Defining a key during installation
    • Defining Encryption Key on Startup
    • Change Encryption Key
      • Re-encrypting custom Plugin configuration
  • Backing Up the Configuration
    • Using the idsvr Command
    • Using the idsh Command
    • Using the Web UI
    • Using the RESTCONF API
  • Restoring a Saved Configuration
    • Using the idsvr Command
  • Restoring the Initial Configuration
    • Preserving the Configuration Database
    • Deleting the Configuration Database
      • 1. Stop the admin node
      • 2. Remove the running datastore
      • 3. Check the min-conf.xml and key-conf.xml
      • 4. Making sure the default procedures are in place
      • 5. Make sure the appropriate certificates are initialized
      • 6. Start the admin node
  • Parameterized XML Configuration
    • Example:
    • Default Values
    • Using startup.properties
  • Access Control
    • Defining Rules in the Admin UI
      • Rules for the DevOps Dashboard
    • Enforcement of Access Control Rules
  • Configuration Reference
    • Alarms
      • Control
      • Alarm-inventory
      • Summary
      • Alarm-list
      • Shelved-alarms
      • Alarm-profile
    • Environment
      • Localization
      • White-listed-proxies
      • Cluster
      • Admin-service
      • Themes
      • Zones
      • Service-role
      • Runtime-service
      • Reporting
      • Alarms
    • Profile
      • Authentication-service
      • Authorization-server
      • User-management-service
      • Endpoints
      • Token-issuers
    • Facilities
      • Cache
      • Client
      • Data-source
      • Email-provider
      • Sms-provider
      • Crypto
      • Caching-services
      • Client-attestation
    • Processing
      • Token-procedure
      • Global-script
      • Validation-procedure
      • Transformation-procedure
      • Filter-procedure
      • Event-listener-procedure
      • Claims-provider-procedure
      • Credential-transformation-procedure
      • Pre-processing-procedure
      • Post-processing-procedure
      • Authorization-manager
      • Event-listener
      • Account-manager
      • Credential-manager
      • Credential-policies
    • Base Types
    • Type Reference
      • Types
      • Identities
• Glossary

JDBC

The JDBC data source supports a number of backing SQL databases out of the box. Depending on driver and connection string the JDBC data source will change the dialect to match the target system.

• MariaDB
• MySQL
• PostgreSQL
• Microsoft SQL Server
• Oracle
• HsqlDb
• CockroachDB

Before configuring a data source see the details for each vendor below.

Table management

Curity is shipped with initialization scripts for each supported database type. These contain the table definitions and indexing needed for a standard Curity setup. Depending on target system and target usage additional indexing might be required. Please contact Curity support if you are uncertain if additional setup is required.

The table definitions are found in the installation under <IDSVR>/etc. Each target system is represented by it’s own setup script:

• mysql-create_database.sql
• mssql-create_database.sql
• postgres-create_database.sql
• oracle-create_database.sql
• hsqldb-create_database.sql
• cockroach-create_database.sql

Make sure these are executed on the target database before connecting Curity.

Database maintenance

Curity relies on external maintenance. Therefore it is important to setup janitor procedures before going into production. The following tables need to be maintained and cleaned up.

Table	Data Lifetime
delegations	Long lived. Each entry is set to expire when Refresh Token expires. See configuration
tokens	Mixed. Refresh tokens may live long but access tokens shorter
nonces	Short. Usually valid in the range of minutes
sessions	Short. Usually valid in the range of hours.

The interval for cleanup and how old data needs to be before cleaning depends on the data management policy of the organization. Some organizations are required to store data longer and others are prevented from doing so. Please consult with your local database administrators or data officers when setting a maintenance strategy.

See each vendor type below for examples on how to clean up the DB.

Important

Cleaning up tokens and delegations can have a legal impact since possible auditable data is lost. Therefore consult your organisations policy on data storage when deciding how to clean data.

Quoted identifiers

As the list of databases supported by Curity has grown, so has the need to enforce common behaviour in some of the areas the SQL standard has left to the various implementations to decide on. One such item is case sensitivity, where the SQL standard mandates (unquoted) identifiers to be treated in a case insensitive manner. This however does not translate well when used in case sensitive contexts like tokens (or any attributes stored in JSON) where case sensitivity is mandated. For this reason as well as to avoid special treatment of certain databases (some identifiers used by Curity have special meaning in some databases but not in others) Curity consistently uses quoting around identifiers, both in the table definitions provided as well as the queries sent from Curity to the databases it communicates with.

Configuration

The SQL datasource is based on a JDBC datasource. This means that at a minimum it requires a configured connection-string, driver, username and password.

Tip

The full configuration reference is found in the configuration section

Connection Pool

By default, the server uses a connection pool to manage the connections to a SQL backend. The default pool settings provide a starting point for many deployments, but there are many options to tweak the behaviour of the connection pool, for example the minimum and maximum size of the connection pool, connection time-out settings, etc. See the data-source reference for a full overview of the configuration options.

Custom Queries

Each SQL datasource type also has the option to configure a number of custom queries, that you can use to integrate a custom database schema with the Curity Identity Server. These queries are listed in the table below.

Query	Parameters	Description
custom-credential-query*	:subjectId, :password	Either verifies a password for a user-id, or resolves the user’s password credential to verify using a Credential Manager’s configured Password Translator. All the attributes returned by this query can be used for further processing, i.e. as custom claims in issued tokens
custom-attribute-query	:subject	Retrieves all the attributes for a given user-id

* Custom credential queries are only supported in the default credentials mode.

The custom attribute query can be useful when certain attributes for the account are found in another table or database. Setup a new data source with a custom query for the attributes, and use it in a transformer or token procedure to retrieve the extra details about the user.

Audit

A SQL datasource can be configured to collect Audit Events by toggling the use-for-audit configuration parameter. Only a single SQL datasource can have this feature enabled at a time.

Note

If you are using PostgreSQL or CockroachDB datasource to log audit events, please see PostgreSQL and CockroachDB Audit Log Configuration.

Clustering

Depending on the backend type the clustering can look different. However the most common setup is to use an Active-Active cluster where the data is replicated in real-time. Curity should be configured to either communicate with a load balancer for the DB or to load balance using the connection string configuration. It is not recommended to use a round robin load-balancing since that is known to cause race conditions in Active-Active clusters. A better approach is to use a failover setup where one DB node gets more traffic and then Curity fails over to the secondary nodes when needed. See the data base vendor’s documentation for how to setup the failover and loadbalancing using the JDBC connection string.

Connection Pool Metrics

The data source can be configured to expose metrics of the underlying connection pool via the enable-pool-metrics setting. The available metrics are described in the following table:

Metric Name	Meaning
idsvr_datasource_jdbc_pool_connection_acquired	How long (in seconds) requesting threads are waiting for a connection from the pool.
idsvr_datasource_jdbc_pool_connection_usage	How long (in seconds) each connection is used before being returned to the pool.
idsvr_datasource_jdbc_pool_connection_timeout_total	The number of timeouts while waiting for a connection from the pool.
idsvr_datasource_jdbc_pool_connections	The total number of connections in the pool.
idsvr_datasource_jdbc_pool_active_connections	The number of active (in-use) connections in the pool.
idsvr_datasource_jdbc_pool_pending_threads	The number of threads awaiting connections from the pool.

All metrics include the ds_id label and are exposed alongside other node metrics, as described in Monitoring.

Credential Data Access

By default, the query used to retrieve credential data checks the account status, and no data is returned for inactive accounts. In such cases, the credential verification done by the Curity Identity Server always fails.

Credential Modes

In recent versions of the Curity Identity Server the database schema was subject to some changes to better fit scenarios where user accounts and their passwords are stored in different databases/data-sources and to support new features around credential management (namely password policies). The JDBC data source can be configured with a “credentials mode”, which determines the expected schema and how the data source interacts with the database for credential data access. If nothing is configured, the previous behavior is kept.

The possible modes are described in the following table:

Mode	Description
credentials-in-accounts-table	The current default mode, using the schema from before credential modes were introduced. The main account data and the corresponding password are stored in the accounts table. When credentials data access targets a different database, the accounts table is still used in that database. The table contains the password, but some columns are left null/empty.
standard	In this mode a new credentials table is added to the schema. The main account data is stored in the accounts table, but the password column is not used. Instead, passwords are stored in the credentials table. When credentials data access targets a different database, only the credentials table is used. This is the recommended mode. In an upcoming release of the Curity Identity Server, this mode will become the default when a new instance of the data source is added.
credentials-migration	This mode is meant for migrating data from the schema used by the credentials-in-accounts-table mode to what’s expected by the standard mode. Passwords are copied on-the-fly from accounts into credentials and the two tables are kept in sync, to also allow rollbacks.

Important notes:

• The bundled SQL files containing the schema definition were updated to be compatible with all the modes. Refer to upgrade guides for more details.
• The standard mode must be configured in order to use Credential Policies, as this is the only mode that supports storing credential attributes.

MySQL and MariaDB

When using MySQL or MariaDB the driver needs to be downloaded from Oracle or MariaDB.

Installation

1. Run the init db script from $IDSVR_HOME/etc/mysql-create_database.sql to setup the tables
2. Download the driver from the MySQL website and place the JAR file in $IDSVR_HOME/lib/plugins/data.access.jdbc. (all nodes)
3. Restart the server
4. Configure the data-source

Minimal configuration:

Parameter	Value
connection-string	jdbc:mysql://MYSQL_HOST:3306/se_curity_store?useSSL=false
driver	com.mysql.jdbc.Driver
username	The db user
password	The db user’s password

Note

The connection string is not optimized and only provided as an example.

Table maintenance examples

Note

If done infrequently these procedures should limit the number of entries they operate on since they often lock the table.

Listing 31 Clean up nonce table

USE se_curity_store;
DELETE FROM nonces WHERE status = 'used';

Listing 32 Clean up sessions table

USE se_curity_store;
DELETE FROM sessions WHERE expires < unix_timestamp(now()))

Listing 33 Clean up tokens table

USE se_curity_store;
DELETE FROM tokens WHERE expires < unix_timestamp(now()))

Listing 34 Clean up delegations table

USE se_curity_store;
DELETE FROM delegations WHERE expires < unix_timestamp(now()))

Microsoft SQL Server

Microsoft SQL server can be run either as on premise or in Azure as a cloud instance. Both are configured with the same drivers.

The driver is shipped with Curity, but if you need to upgrade the driver to a later version it is found in $IDSVR_HOME/lib/plugins/data.access.jdbc. Simply repace the existing jar with the new one. It is important to remove the current driver so that there only exists one. Then restart the nodes.

To configure the following is a minimal non-optimized configuration for SQL Server.

Parameter	Value
connection-string	jdbc:sqlserver://MSSQL_HOST:MSSQL_PORT;databaseName=se_curity_store;sendStringParametersAsUnicode=false;
driver	com.microsoft.sqlserver.jdbc.SQLServerDriver
username	The db user
password	The db user’s password

Note

The connection string is not optimized and only provided as an example. We recommend that you consult the vendors documentation when configuring the JDBC driver.

VARCHAR vs NVARCHAR

Curity uses VARCHAR for compatibility reasons. There are some known performance issues whith prepared statements in the SQLServer driver from Microsoft, where the server converts unicode strings to ascii-strings before running the statement. This causes indexes to not be used as expected and can cause table scans. To avoid this the jdbc driver can be configured with sendStringParametersAsUnicode=false. This works well for western european languages, but is not tested with asian or non-latin character languages. If that is needed we suggest that to use another database or consult Microsoft.

Tip

Enable sendStringParametersAsUnicode=false in the jdbc driver settings to avoid performance issues with indexes.

Table maintenance examples

Note

If done infrequently these procedures should limit the number of entries they operate on since they often lock the table.

Listing 35 Clean up nonce table

USE se_curity_store;
DELETE FROM nonces WHERE status = 'used';

Listing 36 Clean up sessions table (with a limit)

DELETE TOP (10000) FROM se_curity_store.dbo.sessions
WHERE expires < DATEDIFF(s, '1970-01-01 00:00:00', CURRENT_TIMESTAMP)

Listing 37 Clean up tokens table (with a limit)

DELETE TOP (10000) FROM se_curity_store.dbo.tokens
WHERE expires < DATEDIFF(s, '1970-01-01 00:00:00', CURRENT_TIMESTAMP)

Listing 38 Clean up delegations table (with a limit)

DELETE TOP (10000) FROM se_curity_store.dbo.delegations
WHERE expires < DATEDIFF(s, '1970-01-01 00:00:00', CURRENT_TIMESTAMP)

PostgreSQL and CockroachDB

PostgreSQL and compatible databases such as CockroachDB can be configured with the driver shipped with Curity.

If you need to upgrade the driver to a later version it is found in $IDSVR_HOME/lib/plugins/data.access.jdbc. Simply replace the existing jar with the new one. It is important to remove the current driver so that there only exists one. Then restart the nodes.

To configure the following is a minimal non-optimized configuration for PostgreSQL and CockroachDB.

Note

If using CockroachDB, a flag needs to be added to the connection-string cockroach=true, i.e. jdbc:postgresql://POSTGRES_HOST:POSTGRES_PORT/se_curity_store;cockroach=true.

Parameter	Value
connection-string	jdbc:postgresql://POSTGRES_HOST:POSTGRES_PORT/se_curity_store jdbc:postgresql://POSTGRES_HOST:POSTGRES_PORT/se_curity_store;cockroach=true (if using CockroachDB)
driver	org.postgresql.Driver
username	The db user
password	The db user’s password

Note

The connection string is not optimized and only provided as an example.

Oracle

When using Oracle the driver needs to be downloaded from Oracle.

Installation

1. Run the init db script from $IDSVR_HOME/etc/oracle-create_database.sql to setup the tables
2. Download the driver from the Oracle website and place the JAR file in $IDSVR_HOME/lib/plugins/data.access.jdbc. (all nodes)
3. Restart the server
4. Configure the data-source

Minimal configuration:

Parameter	Value
connection-string	jdbc:oracle:thin:@ORACLE_HOST:1521:ORCLCDB
driver	oracle.jdbc.OracleDriver
username	The db user
password	The db user’s password

Note

The connection string is not optimized and only provided as an example.

Table maintenance examples

Note

If done infrequently these procedures should limit the number of entries they operate on since they often lock the table.

Listing 39 Clean up nonce table

DELETE FROM "nonces" WHERE "status" = 'used';

Listing 40 Clean up sessions table

DELETE FROM "sessions" WHERE "expires" < (SELECT ROUND((CURRENT_DATE - date '1970-01-01' ) * 60 * 60 * 24) FROM dual)

Listing 41 Clean up tokens table

DELETE FROM "tokens" WHERE "expires" < (SELECT ROUND((CURRENT_DATE - date '1970-01-01' ) * 60 * 60 * 24) FROM dual)

Listing 42 Clean up delegations table

DELETE FROM "delegations" WHERE expires < (SELECT ROUND((CURRENT_DATE - date '1970-01-01' ) * 60 * 60 * 24) FROM dual)

Oracle Driver and class serialization

The Oracle driver internally requires serializability of some of its classes. Since Curity restricts which Java types can be serialized by default, this will break the Oracle driver. To fix this, Java must be told to allow serializability of the Oracle driver’s classes. This can be done by including the Java system property se.curity:identity-server:serialFilter=oracle.jdbc.** when starting the Curity Identity Server, which can be done by setting the JAVA_OPTS environment variable (e.g., JAVA_OPTS=-Dse.curity:identity-server:serialFilter=oracle.jdbc.** idsvr)

See enable Java serialization for more details.

HsqlDB

HsqlDB is a file based database that cannot be used in production. It is shipped as a small getting started DB only. To setup HsqlDB on a new system use the following settings:

Parameter	Value
connection-string	jdbc:hsqldb:file:${se.curity:identity-server:db};ifexists=true;hsqldb.lock_file=false
driver	org.hsqldb.jdbc.JDBCDriver
username	SA

Curity will replace the inline variable in the jdbc string with the file based db delivered with the system.

The database does not support running Curity in a clustered mode, only single node operation is supported.

Warning

HsqlDB cannot be used in production. It is available for development purposes only.