10.1.0 10.0.210.0.110.0.09.7.19.7.09.6.09.5.09.4.09.3.09.2.29.2.19.2.09.1.19.1.09.0.29.0.19.0.08.7.18.7.08.6.38.6.28.6.18.6.08.5.48.5.38.5.28.5.18.5.08.4.28.4.18.4.08.3.38.3.28.3.18.3.08.2.28.2.18.2.08.1.38.1.28.1.18.1.08.0.18.0.07.6.17.6.07.5.27.5.17.5.07.4.47.4.37.4.27.4.17.4.07.3.47.3.37.3.27.3.17.3.07.2.37.2.27.2.17.2.07.1.27.1.17.1.07.0.47.0.47.0.37.0.27.0.17.0.0

• Home

Table of Contents

• System Admin Guide
  • Attribute Transformers
    • Regex Transformer
      • Regex transformation examples
    • Data Source Transformer
      • Data Source Transformation example
    • Script Transformer
  • Audit
    • Configuration
      • Logger
      • File Appender
      • Database Appender
      • Batching Log Messages for performance
    • Audit Data
      • Mandatory
      • Optional
    • Audit Events
      • profile-added
      • token-introspected
      • refresh-token-issued
      • refresh-token-revoked
      • access-token-issued
      • access-token-revoked
      • id-token-issued
      • initial-dcr-access-token-issued
      • initial-dcr-access-token-consumed
      • initial-dcr-access-token-revoked
      • dcr-client-registered
      • user-info
      • authorization-code-issued
      • authorization-code-consumed
      • delegation-issued
      • delegation-revoked
      • account-created
      • accounts-linked
      • account-activated
      • account-deleted
      • scim-account-updated
      • scim-account-created
      • scim-account-deleted
      • access-token-authentication
      • client-authentication-success
      • client-authentication-failure
      • cat-verification-failed
      • logout
      • user-authentication-success
      • user-sso-authentication-success
      • sso-session-created
      • bc-authentication-start
      • bc-authentication-success
      • bc-authentication-failure
  • Authorization Managers
    • Groups Authorization Manager
      • Group Rules
    • Scope Authorization Manager
      • Policies, Actions and Rules
      • Configuration
      • Use with OpenID Connect User Info
    • Attribute Authorization Manager
      • Configuration
      • Limitations
      • Examples
  • Credential Managers
    • User Account Credentials
    • Credential Policies
      • Managing Credential Rules State
      • Data source requirements
    • Credential Migration
    • Credential Rehashing
    • Maximum Credential Length (system-wide)
  • Cryptography
    • Configuring certificates
    • Configuring private keystores
      • Using an action to add a keystore
      • Preparing the keystore for embedding in an XML configuration document
    • Converting KeyStores (keystore-entry) into correct PKCS12 format
      • Usage of the convertks script
    • Working with PKCS1 private keys
    • Hardware Security Module
      • Entering a PIN
      • Configuring the HSM
      • Debugging the PKCS#11 Provider
    • EdDSA support
  • Data Sources
    • Overview
      • Configuration Strategy
      • Data Source Usage
    • JDBC
      • Table management
      • Database maintenance
      • Quoted identifiers
      • Configuration
      • Clustering
      • Connection Pool Metrics
      • Credential Data Access
      • MySQL and MariaDB
      • Microsoft SQL Server
      • PostgreSQL
      • Oracle
      • HsqlDB
    • LDAP
      • LDAP for Account and Credential Data Access
      • LDAP for Attribute Data Access
      • Use-case for configuring an LDAP backend for HTML Forms authenticator
      • Connection Pool
    • SCIM
      • SCIM 1.1
      • SCIM 2.0
    • JSON / REST Data Source
      • Configuration
    • DynamoDB
      • Table management
      • Database maintenance
      • User Management Service
      • Credential Data Access
      • Configuration
    • MongoDB
      • Collections management
      • Multi-Tenancy
      • Database maintenance
      • Credential Data Access
      • Configuration
    • Multi-zone
      • Configuration
  • Deployment
    • Cluster
      • Two Node Setup
      • Standalone Admin Setup
      • Asymmetric Setup
    • Scalability
    • Creating a Cluster
      • Preparing Configuration
      • Setup Nodes
      • Service Role
      • Viewing Connected Nodes
      • Cluster Lifecycle
    • Distributed Service
      • Node Communication
      • Security
    • Deploying with Docker
      • Building a Docker Container
      • Running with docker-compose
    • Multi-region Deployments
      • Authorization flows - Front-channel
      • Authorization flows - Back-channel
      • Data sources
  • Email Providers
    • SMTP Email Provider
      • DomainKeys Identified Mail
      • Embedded Content
    • Configure Email Provider for a Service
  • Http Clients
    • Introduction
    • HTTP Client Configuration
      • Scheme
      • Connection Pool
      • Caching
      • Authentication
      • TLS (encryption)
      • Proxies
    • Metrics
  • Observability
    • Alarms
      • Overview
      • Alarm Types
      • Alarm Handlers
      • Testing Alarms
    • Logging
      • Log Levels
      • Configuration Overview
      • Appenders
      • Loggers
      • Logging Incorrect Cookies
      • Masking
      • Shipping Logs
      • Log4j Scripting Languages
      • Files Not Configurable by Log4j
    • Monitoring
      • JMX
      • Tracing
      • Java Flight Recorder
      • Status Endpoint
      • Prometheus-compliant Metrics
    • OpenTelemetry
      • Configuration
      • Note about unstable components
    • Server Events
      • Event Listener Types
      • Types of Events
  • Scripting
    • Introduction to scripts
      • Procedures during authentication
      • Procedures during token issuance and processing
    • Configuring Scripts
      • Script Types
      • Preparations
      • Configuring using etc/init
      • Writing Scripts
  • SMS Providers
    • Twilio Sms Provider
    • REST Sms Provider
  • Transport Layer Security
    • Server Name Indication
  • Upgrading
    • Upgrading from 10.0.X to 10.1.0
      • Passkeys and WebAuthn Authenticators
      • HTTP Server Header Size Limit
      • OAuth Client Basic HTTP Authentication - URL decoding of client secret
    • Upgrading from 7.0.X to 7.1.0
      • HAAPI DPoP improved processing
      • Template and message updates
    • Upgrading from 7.1.X to 7.2.0
      • SDK Changes
      • Logging Changes
    • Upgrading from 7.2.X to 7.3.0
      • Authentication Action Attributes
    • Upgrading from 7.3.X to 7.4.0
      • Email templates in Authentication Actions
      • Startup script changes
      • User Management with GraphQL
      • DynamoDB schema changes
    • Upgrading from 7.4.X to 7.5.0
      • HTTP Client Default Timeouts
    • Upgrading from 7.5.X to 7.6.0
      • Systemd config file update
      • New SAML Authenticator
    • Upgrading from 7.6.X to 8.0.0
      • Upgrading the XML Configuration
      • Authorization custom token procedures update
      • DynamoDB schema changes
      • WebAuthn authenticator
      • HAAPI capability and use of legacy DPOP
      • Microsoft SQL Server JDBC driver
      • Changes to HAAPI responses
      • Password-based PBES2 JWE algorithms
      • Windows Connector Failover Update
    • Upgrading from 8.0.X to 8.1.0
      • Database Changes
      • Custom Token Issuers
      • Email Authenticator
    • Upgrading from 8.1.X to 8.2.0
      • User consent template
      • SDK Changes
      • Token Procedure Plugin Configuration
      • Claims
    • Upgrading from 8.2.X to 8.3.0
    • Upgrading from 8.3.X to 8.4.0
      • SDK
      • Database Changes
      • Deprecation notice
      • Logging Incorrect Cookies
    • Upgrading from 8.4.X to 8.5.0
      • Template Changes
      • Deprecation notice
    • Upgrading from 8.5.X to 8.6.0
      • Deprecation notice
    • Upgrading from 8.6.X to 8.7.0
      • Hypermedia API external browser flow
      • HAAPI authorization code and refresh token binding
    • Upgrading from 8.7.X to 9.0.0
      • JDBC data source - database schema changes
      • User management
      • Service name
      • Attribute Authorization Manager
      • Updates on Docker images
      • SDK changes
      • Events and audit data
      • Token Issuers Data Sources
      • Custom Claims
      • Database client change
      • HTML Forms authenticator
      • Logging Incorrect Cookies
      • SAML Authenticator removal
    • Upgrading from 9.0.X to 9.1.0
      • JDBC data source
      • HTML Forms authenticator
      • SDK changes
    • Upgrading from 9.1.X to 9.2.0
      • JDBC data source - database schema changes
      • Template Changes
      • SDK changes
    • Upgrading from 9.2.X to 9.3.0
      • JDBC data source: multi-tenancy and discoverable credentials support
      • DynamoDB Database changes
      • SDK changes
      • Token Handler Applications
    • Upgrading from 9.3.X to 9.4.0
      • JDBC data source: multi-tenancy support for delegations
      • Template Changes
      • Token Handler Applications
      • SDK
    • Upgrading from 9.4.X to 9.5.0
      • Passkeys Authenticator
    • Upgrading from 9.5.X to 9.6.0
      • SDK
      • Template Changes
      • DynamoDB data source: credential data access
    • Upgrading from 9.6.X to 9.7.0
      • Maximum length of inputs used for secret/password validation
      • User Info claims
    • Upgrading from 9.7.X to 10.0.0
      • Token Handler Applications
      • OpenID Connect Authenticator - Signed UserInfo Responses
      • Email Authenticator
      • BankID Authenticator
      • JDBC Data Source - Deprecation of old credential storage schema and related credential modes
      • User Management - Username updates and account deletion with legacy credential data sources
      • OAuth Client Authentication
      • SDK
      • Original Query parameter encoding
    • General Upgrade Procedure
      • Preparing the upgrade
      • Performing the upgrade
      • After the Upgrade
  • DevOps Dashboard
    • Enabling the DevOps Dashboard
    • Requirements of an OAuth Client
    • Group Access
    • Availability
  • System Requirements
    • Operating Systems
    • Minimum Hardware Requirements
    • Recommended Hardware Setup
    • Hypermedia Authentication API
    • Browsers
    • Database
    • User Repositories
    • Networking
    • Hardware Security Module
    • File Encoding
    • HTTP
    • TLS
  • JVM Configuration
    • Changing JVM Settings in the Admin UI
    • Changing the JVM Settings with the CLI
  • Go-live Checklist
    • General System
    • Related Systems
    • All Profile Types
    • Authentication
    • Token Service
    • User Management
    • Configuration
    • Clustering
  • CORS
  • Cross Site Requests
• Application Service Admin Guide
  • Overview
    • Token Handler Application
      • Creating a Token Handler Application
      • Configuring a Token Handler Application
      • Token Handler Application API
      • SPA Integration
  • Defining an Application Service Profile
• Authentication Service Admin Guide
  • Overview
    • Authenticators
    • Actions
    • Single Sign-On (SSO)
    • Logout
    • Multi-Tenancy
    • Account Domains
    • Validation Procedures
    • Authenticator Filters
    • Service Providers
    • Protocol Plugins
    • Automatic login
  • Defining an Authentication Service Profile
    • Preparing the Authentication Service Profile
      • Pre-requisite configuration
    • Base Configuration of an Authentication Service Profile
      • Example Create request
  • Authenticators
    • Overview of Authenticators
      • Authenticator purpose
      • Authenticator Base Configuration
      • Multi-factor configuration for Authentication
      • Back-channel Authenticators
    • BankID
      • Integrating with BankID
      • Kinds of BankIDs
      • Trusted BankID Provider
      • Authentication flows
      • Configuration settings
      • Risk Assessment
      • IP address check on same device
      • BankID on the Phone
      • BankID Backchannel Authenticator
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
      • Launch behavior
      • Change specific browser behavior
      • Disable autostart
      • Debugging the templates
    • Duo
      • Configuration Settings
      • Creating a New Authenticator
      • Logging In
    • Dynamic Authenticator
      • Configuration
      • Delegate Authenticator
      • Dynamic Configuration Source
      • Configuration Example
      • Example Use-case
    • Email
      • Using as standalone factor (single factor)
      • Using as second or N-th factor
      • Using an Intermediate Attribute
      • Hyperlink
      • One Time Password (OTP) Code
      • Inactive Accounts
      • Email Throttling
      • Configuration
    • Encap
      • Basic Configuration
      • Registration During Login
      • Additional Information Before Registration
      • Automatic Login
    • Entrust IDaaS
      • Creating an App in Entrust
      • Creating a new Authenticator
    • Facebook Authenticator
      • Configuring Facebook
      • The Redirect URI
      • The Data Deletion Request Callback URL
      • Configuration in the Authentication Service
    • Google Authenticator
      • Configuring Google
      • The Redirect URI
      • Configuration in the Authentication Service
    • HTML Forms Authenticator
      • Paths
      • Validation Scripts
      • Email Provider
      • Automatic Login
      • Password Only
      • Remember Me
      • Binding Message
      • Configuration
    • OpenID Connect Authenticator
      • The Redirect URI
      • JWKS Endpoint
      • Returned attributes
      • Parameter Mappings
      • Configuration
    • OpenID Wallet
      • Configuring OpenID Wallet Authenticator
      • Anonymous JWKS Endpoint
      • Further Reading
    • Passkeys
      • Configuring a Passkeys authenticator
      • Registering devices
      • Hypermedia Authentication API
      • Discoverable Credentials
      • iOS Domain Association
      • Android Domain Association
      • Known limitations
    • PingFederate IdP Adapter Authenticator
      • Authentication Flow
      • Configuration
    • PingFederate
    • SAML2
      • Paths
      • Validation Scripts
      • Configuration
      • SAML2 dynamic authenticator
      • Known limitations
    • Sign in with Apple
      • Configuring a Sign in with Apple Service
      • Setting up the authenticator
    • SITHS
      • Configuring an Authenticator
    • SMS OTP
      • Base Configuration
      • Using as standalone factor (Single factor)
      • Using as second or N-th factor
      • Using an Intermediate Attribute
      • SMS OTP in OTP mode
      • SMS OTP in Hyperlink mode
      • Registration
      • Automatic Login
      • Configuration
    • TOTP - Time base One Time Password
      • Configuring an Authenticator
      • Multiple Device registration
      • Configuring for pre-shared keys
      • Configuring for generated keys
      • Automatic Login
    • Twitter
      • Creating an App in Twitter
      • Configuring the Twitter Authenticator
    • Username
      • Configuration
      • Source Code
    • WebAuthn
      • Device Types
      • Configuring a WebAuthn authenticator
      • Registering devices
      • User Interaction for platform devices
      • Hypermedia Authentication API
      • iOS Domain Association
      • Android Domain Association
      • Known limitations
    • Windows
      • Installing the Windows Connector
      • Configuring an Authenticator
      • Configuring the Windows Connector
      • Troubleshooting
  • Authentication Actions
    • Overview
      • Login Actions
      • SSO Actions
      • Actions and Action Completions
      • Action attributes
      • Actions prompts and backwards navigation
    • Attribute Prompt Action
      • Configuration
      • Localization
    • Auto Create Account
      • Creating accounts
      • Configuration
      • Default Values in the account
      • Errors
    • Auto Link Accounts
      • Overview
      • Configuration
      • Advanced
      • User Confirmation
    • Bundle Action
      • Configuration
    • Conditional Multi-Factor
      • Attribute Enable Condition
      • Attribute ACR Condition
      • Subject Condition
      • Client Property Condition
      • Subject Check
      • Use SSO on second factor
    • Copy Attribute
      • Configuration
    • Data Source Transformer Action
      • Transforming values using data source values
      • Include additional values from datasource
      • Configuration
    • Date/Time Deny Action
    • Debug Attribute Action
    • Deny Action
      • Configuration
    • Geolocation Allow or Deny Country Action
      • Configuration
    • Geolocation Changed Country Action
      • Configuration
    • Geolocation Impossible Journey Action
      • Configuration
    • Geolocation New Country Action
      • Configuration
    • Lookup Account
    • Lookup Links Action
      • Overview
      • Configuration
    • Opt-In MFA
      • Registering a New Factor
      • Managing Factors
      • Recovery Codes
      • Single Sign-On of second factors
      • Configuration
    • Regular Expression Transformer Action
      • Transforming values using regular expressions
      • Excluding attributes
      • Renaming attributes
      • Configuration
    • Registered Passkey
      • Configuration
    • Remove Attribute Transformer Action
      • Configuring attributes for removal
    • Request Acknowledgement
      • Localization
      • Configuration
    • Require Active Account
      • Configuration
    • Reset Password
      • Configuration
      • Example Usage
      • Errors
    • Resolve Account Link
      • Overview
      • Configuration
    • Restart Action
      • Configuration
    • Script Transformer Action
      • Transforming values using script procedures
      • Configuration
    • Selector
      • Configuration
    • Send Email Action
      • Configuration
      • Templates
    • Sequence Action
      • Configuration
    • Set Attribute
      • Configuration
    • Sign-In Selector
      • Configuration
    • Signup
      • Configuration
    • Switch Action
      • Conditions
      • Configuration
    • Time-based Deny Action
    • Update Account
      • Configuration
    • Zone Transfer
      • Configuration
      • Errors
  • Multi-Factor Authentication
    • Using a chain of authenticators
      • More than two factors
      • Single Sign-On and Multi-Factor
      • Freshness and Forced Authentication
      • Using the ACR Parameter
    • Using a Multi-Factor Authentication Action
  • Multi-Tenancy
    • Requirements to Multi-Tenancy
    • Configuring Multi-Tenancy
  • Account Linking
    • Basic Concepts
      • Example of Linking with Facebook
      • Example of Linking with Facebook as Second authenticator
    • Resolving Links
    • Looking up Links
    • Common Linking Flows
      • Linking a foreign account and adding links to the result
      • Linking using the foreign authenticator and resolving immediately
      • Linking using the local authenticator, resolving on next login with foreign
      • Linking two foreign accounts using auto create account
      • Linking two foreign accounts using auto create & resolving on next login
  • Protocol Plugins
    • PingFederate
      • Configuring PingFederate
      • Adapter Configuration
      • Configuring the Authentication Service
    • SAML
      • SAML protocol
      • Configuring the Authentication Service
      • Service Provider (App) integration
      • Federation Server integration
      • SAML Logout
  • Account Manager
    • Registration - Create account
    • Username is Email
  • Service Providers
    • Introduction
    • Managing Service Providers in the Admin UI
    • Framable User Interface
      • Multiple values for ‘allowed-origins’
      • Origin URI pattern format
    • Original Query retry integration
      • Example
      • Example OAuth Client
    • Third Party Cookies
      • Steps to Integrate Preflighting
      • Advanced Preflight behaviour
      • Disabling the Preflight Resource
  • Authenticator Filters
    • User-Agent Authenticator Filter
    • CIDR Authenticator Filter
    • Script Authenticator Filter
    • Geolocation Authenticator Filter
  • Single Sign-On
    • Requirements for SSO
    • Session Duration
      • Session cookies vs Persisted Cookies
      • Database persisted session
      • Expiration
      • Example
    • Overriding SSO
      • Freshness
      • Forcing authentication
  • Automatic Login
    • Authenticator Availability
  • Logout
    • Endpoint
    • Redirect After Logout
      • Using configuration
      • Using query parameter
    • Configuration
  • Geolocation
    • Geolocation Database File
    • Geolocation Actions
      • Geolocation Allow or Deny Country Action
      • Geolocation Changed Country Action
      • Geolocation Impossible Journey Action
      • Geolocation New Country Action
    • Geolocation authenticator filter
    • Geolocation authenticator settings
• Token Service Admin Guide
  • Introduction to the Token Service
  • Defining an OAuth Profile
    • Preparing the OAuth Profile
      • OpenID Connect
      • Pre-requisite configuration
    • Base Configuration of an OAuth Profile
      • Example create request
  • OAuth Flows
    • Code
      • Proof Key for Code Exchange
    • Implicit
    • Client Credentials
    • Resource Owner Password Credentials
    • OpenID Connect Hybrid Flows
    • OpenID Connect CIBA Flow
      • Signed Authentication Request
    • OAuth 2.0 Token Exchange
      • Default OAuth 2.0 Token Exchange Behaviour
    • Token Exchange
    • Assisted Token
    • Refresh
    • Revoke
    • Introspect
      • Introspect with application/jwt as accept header
    • Json Web Key Set (JWKS)
    • Device Authorization Flow
    • Assertion Flow
      • Token reuse
    • Logout Flow
  • Using the device flow
    • Configuration
    • Endpoints
      • Device Authorization
      • UserCode Verification
      • Token Endpoint
    • Token Procedures
    • Templates
  • Scopes and Claims
    • Adding a scope to the profile
    • Adding a scope to a client
    • Scope Lifetime
    • Required scopes
    • Prefix scopes
      • Customizing prefix scope templates and messages
    • Claims of a scope
    • Claims I/O
    • Claim configuration
      • Claim mappers
      • Claim value providers
      • Configuring a claim
      • Claim Type
  • Configuring OAuth User Authentication
  • OpenID Connect
    • Metadata
    • The “claims” request parameter
    • Issuing pseudonymous subject identifiers
      • Client settings
      • Profile settings
      • Sector Identifier for Dynamic Client Registration
  • OAuth Metadata
  • OpenID Connect Metadata
  • Dynamic Client Registration
    • Architectural Overview of Dynamic Client Registration
      • Deployments and Configurations
      • Initial Access Token
      • Registration
      • Registration Based on a Template Client
      • Registration Based on a Non-templatized Client
    • Enabling Dynamic Client Registration
    • Dynamic Client Registration Management (DCRM)
      • Client Certificates and DCRM
      • DCRM Management Clients
    • Dynamic Client Management With GraphQL
    • Dynamic Client Registration API
      • Templatized Dynamic Client Registration
      • Non-Templatized Dynamic Client Registration
    • Custom Client Properties
  • Database Client Management
    • Database Client VS DCR
    • Enabling Database Clients
    • Configuring a Data Source
    • Create a Database Client Endpoint
    • Authorization Access
    • Managing Database Clients in the DevOps Dashboard
    • Configuring Clients
    • Warnings
    • Database Client Limitations
  • OAuth Client Configuration
    • Client Capabilities
      • Hybrid Capabilities
    • User Authentication
    • Client Authentication
      • Client Secret
      • Client Assertion
      • Secondary authentication
    • Client Framability
      • Examples
    • Redirect URI validation
      • Validation policies
      • Using Validate Port on Loopback Interfaces and Allow Per Request Redirect URIs (deprecated)
  • Issuing OAuth and OpenId Connect Tokens
    • Default Token Issuers
    • Custom Token Issuers
    • More on Wrapped Opaque Tokens
    • Encrypted ID Tokens
  • OAuth Endpoint Reference
    • Anonymous
    • Authorize
    • Assisted Token
    • Introspect
    • Revoke
    • Token
    • User Info
    • Dynamic Client Registration
    • Database Client Management
    • Device Authorization
    • OpenID Connect Sessions
    • Backchannel Authentication
    • Verifiable Credentials
  • User Consent
    • Consenting to requested claims
      • Example
    • Asking for consent
      • Example user consent gathering
      • Example with prompt
    • Enabling user consent
    • The user consent template
      • Example claim localization
      • Showing prefix scopes
    • Consentors
  • Consentors
    • BankID
      • Integrating with BankID
      • Signing Consent Data
      • QR Code
      • Asking user for personal number
      • Signing cancellation
      • Configuration settings
      • BankID Consentor Response
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
    • Profile configuration
    • Client configuration
    • Consentor selection
    • Consentor templates
    • Consentor result
  • Mutual TLS Authentication
    • TLS termination
    • Binding certificates to tokens
    • Trusted certificates
      • Trust by PKI
      • Trust by a pinned certificate
    • DN comparison
    • Subject Alternative Name
    • Configuring Mutual TLS
      • Proxy terminated Mutual TLS
      • Direct terminated Mutual TLS
      • Configuring trust
    • Reverse Proxy Server Setup
      • Generic Reverse Proxy Server Setup
      • Setting Up NGINX As a Reverse Proxy Server
      • Setting Up HAProxy As a Reverse Proxy Server
      • Setting Up Apache HTTPD 2.x As a Reverse Proxy
    • Non-Templatized Dynamic Client Registration using Mutual TLS
      • OrganizationIdentifier
      • Match only organizationIdentifier
    • Database Clients upload client certificate PEM
  • OpenID Connect Issuer Discovery
  • Financial-grade Security
    • JWT Secured Authorization Request (JAR)
    • Pushed Authorization Requests
    • Request Object Handling
    • JWT Security Authorization Response Mode (JARM)
    • Encrypted ID Tokens
  • Session Management and Logout
    • Session Endpoint
    • Logout
      • Logout Notification
    • OpenId Connect specifications for Session Management and Logout
  • Token Procedure Plugins
    • Configuring and using Token Procedure Plugins
    • Developing Token Procedure Plugins
      • Using Custom Token Issuers
      • Using Custom Token Introspecters
  • Verifiable Credential Issuance
    • Pre-authorized Code Flow
      • Pre-authorized Code and User PIN Issuance
    • Rich Authorization Requests (RAR) support
    • Formats and data models
      • W3C data model
      • SD-JWT VC data model
    • Endpoints
      • Token procedures
    • Credential Request Handling
      • jwt_vc_json format - W3C data model
      • vc+sd-jwt format - SD-JWT VC data model
      • Token Issuers
      • Authorization Requests
    • Configuration Model Summary
    • Configuration Example
  • Granted Authorization GraphQL API
    • Endpoint
    • Access Control
    • Licensing
    • Limitations
      • Granted Authorization Queries
      • Granted Authorization Mutations
      • GraphQLObligation.CanDeleteAttributes obligation
• User Management Admin Guide
  • Overview
    • SCIM 2.0
      • Users
      • Devices
      • Delegations
      • External ID
      • Custom claims
      • Sorting
    • GraphQL
      • Queries and Mutations
      • Introspection
      • Authorization
      • Custom Attributes
      • Data Sources
      • More Details
    • OAuth Protected
  • Defining a User Management Service Profile
    • Preparing the User Management Service
      • Pre-requisite configuration
    • Step by step guide to setup a User Management Service
      • 1. Add the profile
      • 2. Select OAuth Service
      • 3. Select User Account Data Source
      • 4. Select OAuth Delegations Data Source
      • 5. Setting up the endpoints
      • 6. Exposing the Endpoints on a Service (node)
      • 7. Commit the changes
    • User Credentials
      • Password validation
    • Username updates
• Developer Guide
  • Authentication Service
    • Authenticators
      • Authenticators
    • Endpoints
      • Authentication Endpoint
      • Registration Endpoint
      • Anonymous endpoint
      • Authenticators
  • OAuth Service
    • Web Clients
      • Assisted Token JavaScript API
    • CORS on the OAuth Server
      • Default CORS Enabled Endpoints
      • Endpoints that Can be CORS Enabled
    • OAuth 2.0 Token Exchange Customization
      • Introspection of provided tokens
  • Data Sources
    • Using SCIM v1.1 as Data Source
      • Client Authentication
      • Required SCIM operations
    • JSON Data Source
      • Credential verification
      • Attribute Provider
      • Bucket Access
      • Authentication
  • SMS REST Client
    • Sending a message
    • Response and Errors
    • Authentication
  • Email Provider Plugin
    • SMTP Plugin’s message contents rendering
  • Front-End Development
    • Introduction
    • Understanding the Templating System
      • The Template Override System
      • Overrides
      • Template Areas
      • Serving templates via the anonymous endpoint
      • Error templates
      • Common Template Variables
      • Authentication Service Template Variables
      • Never Remove CSP
    • Using the UI Builder
      • Setting up the environment
      • Running the previewer
      • Working with Velocity variables
      • Overriding templates
      • Working with template areas
      • Working with translations
      • Building
    • Customize branding per Application
    • Customizing the Look and Feel
      • Creating Themes in the Admin UI
      • How to create your custom theme in UI Builder
      • How to work with Sass
      • Themes
      • Using External Web Fonts
      • Compiling Assets
      • How to work with the settings file
    • Localizing Resources
      • About Locales
      • Using localized messages in templates
      • Message keys
      • Message lookup
      • Message Files Format
      • Using plugin-specific messages in re-usable templates
    • Right-to-left languages
      • How Curity supports Right-to-left languages
      • Set up the language
      • Default RTL Languages
      • Message Files
      • CSS Logical Properties
      • Custom Styling
    • Secure Iframing
      • Pre-requisites
    • API Driven UI
  • Scripting Guide
    • Credential Transformation Procedures
      • Function
      • Examples
    • EventListener procedures
      • Configuring EventListener Procedures
      • Common API
      • EventListener functions
    • Filter procedures
      • Function
      • Common API
      • API
    • Global Scripts
      • Common API
      • Global Constants
    • Token procedures
      • Issuing tokens
      • Token Procedure Function Signature
      • Including Request Parameters Values
    • Token Procedure API
      • Context
    • Token Procedure Examples
      • Overview
      • Assisted Token Endpoint
      • Authorize Endpoint
      • Introspection Endpoint
      • Token Endpoint
      • UserInfo Endpoint
    • Transformation Procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Userinfo procedures
      • Common API
      • Claims
      • Common API
      • Function
      • Return Value
      • Examples
    • Validation procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Pre-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Post-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Common Procedure API
      • Common Procedure Objects
      • Procedure Context object
      • Common Operations Examples
    • Developing Procedures
      • Logging
      • Exceptions
  • Plugins
    • Access to the Curity Release Repository
    • Plugin Installation
      • Classpath considerations
    • Basic structure of a plugin
      • SmsSender Plugin Example
    • Managed Objects
    • Plugin Services
      • Service Restrictions by Plugin Type
      • Service Restrictions in ManagedObject
    • Cross-site Plugin Handlers
    • Java Version
    • Server-Provided Dependencies
      • SLF4J Logging API
      • Bean Validation API
      • Hibernate Validator Engine
      • Kotlin Standard Library
    • Serialization
  • Hypermedia Authentication API
    • Introduction
    • Access control
      • Client attestation
      • Android client attestation configuration
      • iOS client attestation configuration
      • Browser (Web) client attestation configuration
      • Disabling attestation for testing purposes
      • Debugging Web CAT problems
      • Attestation fallback and dynamically registered clients
    • Authorization code and refresh token binding
    • Flow state management
    • API Driven UI
    • Examples
      • Example - Username and password based authentication
      • Example - Encap authentication with device registration
      • Example - Using an external browser
    • SDK
      • HAAPI Android SDK
      • HAAPI iOS SDK
      • HAAPI Web SDK
  • Curity SDKs
    • Java Plugin SDK
    • HAAPI Android SDK
    • HAAPI iOS SDK
    • HAAPI Web SDK
  • GraphQL APIs
    • Using Access Tokens
    • Introspecting the Schema
    • Using Queries
    • Mutation Errors
    • DynamoDB limitations
      • User Management service limitations
      • Dynamic Client Registration service limitations
      • Database Client limitations
    • MongoDB limitations
      • Starts With Filter Type
    • GraphQL error for unsupported features
• Configuration Guide
  • Overview
    • Transactional configuration
    • Rollbacks and history
    • Factory default
    • Mandatory, optional and default parameters
    • Configuration interfaces
      • Service Roles
      • Profiles
      • Endpoints
      • Using Endpoints in Service Roles
    • Commit Hooks
  • Curity Admin Web UI
  • RESTCONF API
    • General Concepts
    • RESTCONF Endpoint
      • URIs
    • RESTCONF Operations
    • Querying Data
    • Rollback using RESTCONF
    • Invoking YANG Actions Using RESTCONF
    • Message Encoding
    • Authentication
  • Command Line Interface
    • Connect to the CLI
    • Modes in the CLI
      • View mode
      • Configuration mode
    • Basic Usage
      • Viewing the configuration
      • Changing the configuration
      • Applying the configuration
      • Rollback changes
    • Advanced Usage
      • Moving through the configuration using Edit
      • Showing selected values only
      • Exporting configuration
      • Loading configuration
      • Multiline Edit Mode
    • Scripting and automation
  • Commit Hooks
    • Commit Hook CLI Scripts
    • Commit Hook Scripts
  • Encrypted Configuration
    • Setup Encryption
      • Defining a key during installation
    • Defining Encryption Key on Startup
    • Change Encryption Key
      • Re-encrypting custom Plugin configuration
  • Backing Up the Configuration
    • Using the idsvr Command
    • Using the idsh Command
    • Using the Web UI
    • Using the RESTCONF API
  • Restoring a Saved Configuration
    • Using the idsvr Command
  • Restoring the Initial Configuration
    • Preserving the Configuration Database
    • Deleting the Configuration Database
      • 1. Stop the admin node
      • 2. Remove the running datastore
      • 3. Check the min-conf.xml and key-conf.xml
      • 4. Making sure the default procedures are in place
      • 5. Make sure the appropriate certificates are initialized
      • 6. Start the admin node
  • Parameterized XML Configuration
    • Example:
    • Default Values
    • Using startup.properties
  • Access Control
    • Defining Rules in the Admin UI
      • Rules for the DevOps Dashboard
    • Enforcement of Access Control Rules
  • Configuration Reference
    • Environment
      • Localization
      • White-listed-proxies
      • Distributed-service
      • Cluster
      • Admin-service
      • Themes
      • Zones
      • Service-role
      • Runtime-service
      • Reporting
      • Alarms
      • Telemetry
    • Profile
      • User-management-service
      • Apps-service
      • Authentication-service
      • Authorization-server
      • Endpoints
      • Token-issuers
    • Facilities
      • Cache
      • Client
      • Data-source
      • Email-provider
      • Sms-provider
      • Crypto
      • Caching-services
      • Client-attestation
    • Processing
      • Token-procedure
      • Global-script
      • Validation-procedure
      • Transformation-procedure
      • Filter-procedure
      • Event-listener-procedure
      • Claims-provider-procedure
      • Credential-transformation-procedure
      • Pre-processing-procedure
      • Post-processing-procedure
      • Authorization-manager
      • Event-listener
      • Account-manager
      • Credential-manager
      • Credential-policies
    • Alarms
      • Control
      • Alarm-inventory
      • Summary
      • Alarm-list
      • Shelved-alarms
      • Alarm-profile
    • Base Types
    • Type Reference
      • Types
      • Identities
• Glossary

Monitoring

This section of the admin guide describes information related to monitoring the Curity Identity Server.

Tip

🔥🔥🔥 If you just want to know how to determine if your instance of Curity is unhealthy and on fire, refer to the information below. 🔥🔥🔥

JMX

Java Management Extensions (JMX) is a commonly used interface for monitoring the internals of a Java-based application like the Curity Identity Server. This ability to peer inside the application, however, can be dangerous. It is for this reason that JMX is disabled by default. To enable it, the ENABLE_JMX can be set before starting the Curity Identity Server; the value is ignored and can can be any non-empty value (e.g., true, 1, etc.). This can be done on the command line like this, for instance:

Listing 80 Example of how to enable JMX from the command line by setting the ENABLE_JMX environment variable

$ ENABLE_JMX=1 idsvr

Copy

With JMX enabled, the following can be monitored and, in some cases, changed:

• LDAP connection pools
• JDBC (database) connection pools
• Web server information (thread pools, object pools, ciphers, etc.)
• JVM settings (e.g., memory, CPU usage, etc.)
• Logging settings (including log levels per logger)

Note that serialization must be enabled for the javax.management.* classes in order for JMX to function properly. This should be handled automatically in typical scenarios.

Tracing

To make tracing easier, Curity has support for adding a HTTP response header containing the node’s service-id, which is a unique string based on the service-name (see Setup Nodes for more information), to every HTTP response.

To enable this header, set the system property called se.curity:identity-server:http:service-id-header when starting up Curity. The value of this property should be the name of the header you want to contain the service-id.

Listing 81 Example of how to enable the service-id response header in a Curity node.

$ JAVA_OPTS="-Dse.curity:identity-server:http:service-id-header=X-Service-Id" idsvr

Copy

When that’s done, every Curity response will contain a header like X-Service-Id: the-service-id, making it easier to trace requests to particular Curity nodes.

Note

Refer to OpenTelemetry for more comprehensive support for tracing.

Java Flight Recorder

The Curity Identity Server ships with support for Java Flight Recorder and Java Mission Control. These are branded, fully-tested builds of the open-source JDK Flight Recorder and JDK Mission Control which Oracle released in 2018. Coupled with the instrumentation and data collection performed by Flight Recorder inside of Curity, Java Mission Control provides monitoring and management possibilities with very little impact on Curity’s performance.

Java Mission Control can be downloaded from Adoptium’s Web site.[1] Once it is installed and started, you can use it to attach to an instance of Curity if JMX is enabled (as described above). This will allow you to monitor, in real-time, such things as CPU, memory, threads, garbage collections, and much, much more.

You can also record the performance for later analysis. This can be very helpful in difficult support cases, for instance. This can be done in Java Mission Control or by using the jcmd command that is shipped with Curity. Using either is a two-step process:

1. Start the recording
2. Stop the recording and save the results to a file

Starting a Recording Manually

To start a recording or to connect to a remote instance of Curity using Java Mission Control requires additional parameters to be provided when starting that instance. Refer to the Monitoring and Management section of the Java SE documentation for details of what these parameters are. As an example, running Curity in a local Docker container (which effectively makes it remote), it is possible to connect to it from Java Mission Control if it is started with additional parameters that can be passed using the JAVA_OPTS environment variable like this:

Listing 82 Starting Curity in a Docker container with remote monitoring enabled

$ docker run -it \
    -e ENABLE_JMX=1 \
    -e JAVA_OPTS="-Dcom.sun.management.jmxremote.ssl=false
        -Dcom.sun.management.jmxremote.authenticate=false
        -Dcom.sun.management.jmxremote.port=7091
        -Dcom.sun.management.jmxremote.rmi.port=7091
        -Djava.rmi.server.hostname=localhost
        -Dcom.sun.management.jmxremote.local.only=false" \
    -e PASSWORD=$PASSWORD \
    -p 6749:6749 \
    -p 7091:7091 \
    -p 8443:8443 \
    curity/idsvr:latest

Copy

Warning

The example in listing Listing 82 is provided only for demonstration, and more secure options should be used in production.

With remote access enabled, a connection can be made using Java Mission Control by selecting the Connect… menu option in the File menu, or by selecting New Connection from the context menu of the JVM Browser, or by clicking the New Connect button from the toolbar shown in figure Fig. 28:

Fig. 28 Creating a new connection to a remote instance of Curity

Whichever method is used, the following dialogue page will be shown:

Fig. 29 JMX connection modal in Java Mission Control

Clicking the Test connection button should briefly flicker a status dialogue box and then the Status field should be changed to OK. If so, click Finish. Otherwise, tweak the settings used when starting the instance of Curity and refer to the Java Monitoring and Management documentation for additional guidance and troubleshooting tips. Baring any connectivity issues, a new JVM should be shown in JVM Browser treeview:

Fig. 30 JVM Browser showing new connection to Curity instance

If the MBean Server child node of this new connection is clicked, a dashboard is shown, like that of figure Fig. 31:

Fig. 31 Dashboard showing memory, JVM CPU, remaining heap memory, and other aspects of the running instance of Curity

To start a recording in Java Mission Control, right-click the Flight Recorder item in the JVM Browser treeview under the established connection, as shown in Fig. 30, and then select Start Flight Recording…. The following dialogue will be shown:

Fig. 32 Starting a recording of the performance of an instance of Curity using Java Mission Control

Select Finish to accept the defaults or make adjustments on the current or subsequent pages as required.

Starting a Recording from the Command Line

When shell access to the machine running Curity is available, an alternative to start a recording is to use jcmd. With this tool, you need the process ID of the instance of the Curity Identity Server to be profiled or you can use the package name of its bootstrapper. Both alternatives work but only the latter is shown in the following listings:

$ jcmd se.curity.identityserver.app.Bootstrapper JFR.start

Copy

Note

The jcmd command is included in various versions of the JDK, but is not directly provided by Curity. The various options and subcommands supported by this tool can be found in the jcmd documentation.

After the JFR.start subcommand is run, it will print the command necessary to dump a snapshot of analysis data. It will be something like this:

$ jcmd 59896 JFR.dump name=1 filename=FILEPATH # where 59896 is the process ID of Curity

Copy

The state of recording can be checked using the JFR.check subcommand with either the process ID or the bootstrapper package name like this:

$ jcmd se.curity.identityserver.app.Bootstrapper JFR.check

Copy

If recording is not currently underway, this command will provide the instructions on how to start one.

When the dump subcommand is run, the recording will be captured in the specified file. At that point, the file can be opened in Java Mission Control or other tools that support the JDK Flight Recorder format.

Dumping the recording to a file does not stop the recording. To do that, use the JFR.stop subcommand. This also accepts a filename and name parameter like JFR.dump does except that it stops the recording and the filename parameter is optional. If the filename is not provided, then a dump will not be simultaneously made. An example of stopping a recording named 1 is shown in the following listing:

$ jcmd se.curity.identityserver.app.Bootstrapper name=1 filename=/tmp/recording_1.jfr

Copy

Starting a Recording on Startup

It is also possible to start a recording by providing certain command line options to the Curity Identity Server. This can be done in various ways. For example, this can be achieved by configuring the JVM options. A better way typically though is to set the JAVA_OPTS environment variable to include the parameters necessary to start the recording when the Curity Identity Server starts. Either way, the parameters will be something like these:

-XX:StartFlightRecording=filename=my-good-file.jfr,duration=10m

Copy

For information about available flags that can be passed when starting a recording, refer to the flight recorder command reference.

Using either Java Mission Control, command line options provided to the Curity Identity Server, or jcmd, the resulting file can be analyzed and potentially shared with support. This will give a lot of insight into the source of potential issues. For more information on Flight Controller and Mission Control, refer to the following sources:

• Oracle JMC and Flight Recorder Demo Series
• Java Mission Control for Earthlings presentation

Status Endpoint

Curity Identity Server contains an HTTP endpoint providing node status information. Its operation is configured by the following environment variables.

Environment variable	Description	Default value
STATUS_CMD_ENABLED	Endpoint enable state	true
STATUS_CMD_PORT	HTTP port to bind to	4465
STATUS_CMD_HOST	Network host or address to listen on	0.0.0.0
STATUS_CMD_MAX_THREADS	Maximum thread number	16

By default, this status endpoint is enabled, however it can be disabled by setting the STATUS_CMD_ENABLED environment variable to false or by starting idsvr with the --no-status parameter.

The status endpoint supports HTTP GET and HEAD requests to the / path. The response will have status code:

• 200 if the node is started and configured. Note that a 200 status code means the node is configured but doesn’t ensure the server is listening for functional requests. For instance, the node may have a service role that is disabled or the internal HTTP server may still be starting/reconfiguring. To know if a node is ready to serve functional requests use the isServing JSON field or the /serving request path (see below).
• 503 if the node is not started or not yet configured.

In both cases, the response body will contain a JSON representation of the node status, containing the following fields:

• isReady

  • false - the node is not ready to process requests (e.g. it is still booting or is shutting down).
  • true - the node is ready to receive and process requests (but may be disconnected from the admin).

• nodeState

  • BOOTING - the node is starting up and not ready to process requests.
  • WAITING - the node is ready to process requests with the latest configuration that is has; however, it is still waiting to connect to the admin, so configuration may be stale.
  • RUNNING - the node is ready to process requests and is connected to the admin node.
  • ERROR - the node is in an unrecoverable error state.
  • STOPPING - the node is shutting down and not able to process requests.

• clusterState

  • STANDALONE - the node has clustering disabled.
  • CONNECTING_TO_CLUSTER - the node is not an admin node and is trying to connect (for the first time) or reconnect to the admin node.
  • CONNECTED - the node is not admin and is connected to the admin node.
  • ADMIN - the node is an admin node.
  • ERROR - an unexpected error occurred when checking the cluster state.

• configurationState

  • UNINITIALIZED - the node is not configured and therefore unable to correctly process requests.
  • CONFIGURED - the node is fully configured.
  • RECONFIGURING - the node is currently consuming a new configuration. A previous configuration is still valid and will be used in the meanwhile for any request processing.

• transactionId - an opaque string identifier for the last committed transaction seen by the current node.

• isServing

  • false - the node’s HTTP server that serves the runtime endpoints is not running.
  • true - the node’s HTTP server that serves the runtime endpoints is running.

• isAdminServing (this field is returned only on admin nodes)

  • false - the node’s HTTP server that serves the admin endpoints (i.e. an endpoint serving Admin UI requests) is not running.
  • true - the node’s HTTP server that serves the admin endpoints is running.

• pluginsInitialized

  • true - all the plugins installed in the node are done initializing.
  • false - some plugins installed in the node are still initializing.

The status endpoint also contains the /serving and /admin-serving paths to expose the isServing and isAdminServing information respectively via the status code, which is useful if the probing system is unable to process JSON representations. These paths accept both GET and HEAD requests. The response for the /serving path will have an empty body and status code:

• 200 - the node’s HTTP server that serves the runtime endpoints is running.
• 503 - the node’s HTTP server that serves the runtime endpoints is not running.

The response for the /admin-serving path will have an empty body and status code:

• 200 - the node’s HTTP server that serves the admin endpoints is running.
• 503 - the node’s HTTP server that serves the admin endpoints is not running.
• 404 - the node is not admin.

Note that the /admin-serving path is only served on admin nodes. On runtime nodes, a request to this path will return 404.

Command line tool

The Curity Identity Server installation also contains the bin/status command line tool that can be used to probe the HTTP status endpoint. It uses the same environment variables the server uses and has two invocation parameters:

• -j or --json - if present, the response written to the standard output is in the JSON format; otherwise it is written in plain text.
• -h or --help - prints the synopsis of the tool
• -v - not used but maintained for backward compatibility reasons

The status tool performs a request to the local node status endpoint and writes the response body to the standard output. The tool exit code is described in the following table.

Exit code	Description
0	The probed node is ready.
1	The status endpoint is disabled and was not probed.
4	There was an IO error while communicating with the status endpoint.
103	A response with a 3xx status was received from the status endpoint.
104	A response with a 4xx status was received from the status endpoint.
105	A response with a 5xx status was received from the status endpoint.

Prometheus-compliant Metrics

Each run-time and admin node exposes an endpoint where certain information is published in a Prometheus-compliant format (i.e., Prometheus’ OpenMetrics format). This allows the Prometheus monitoring tool (or others that can process data in this format) to monitor certain metrics about the behavior of the node. This endpoint is exposed over HTTP and listening on the same interface as the status endpoint described above. The port used is one greater than the status endpoint (4466 by default). The URI is /metrics, so, for example, the URL of the data would be https://localhost:4466/metrics.

The metrics exposed and their meanings is described in the following table:

Metric Name	Type	Labels	Meaning
idsvr_authentication_login_total	Counter	acr, profile_id	The number of authentication events that have occurred
idsvr_authentication_sso_total	Counter	acr, profile_id	The number of Single Sign-on events that have occurred
idsvr_cpu_usage	Gauge		The amount of CPU used (0 <= x <= 1) by the Java process that the node started
idsvr_datasource_account_sum	Counter	ds_id, ds_type	The sum of total time (in seconds) that all account data sources are taking
idsvr_datasource_account_count	Counter	ds_id, ds_type	The number of occurrences that all account data sources are taking
idsvr_datasource_attribute_sum	Counter	ds_id, ds_type	The sum of total time (in seconds) that all attribute data sources are taking
idsvr_datasource_attribute_count	Counter	ds_id, ds_type	The number of occurrences that all attribute data sources are taking
idsvr_datasource_credential_sum	Counter	ds_id, ds_type	The sum of total time (in seconds) that all credential data sources are taking
idsvr_datasource_credential_count	Counter	ds_id, ds_type	The number of occurrences that all credential data sources are taking
idsvr_datasource_database_client_sum	Counter	ds_id, ds_type	The sum of total time (in seconds) that all database client data sources are taking
idsvr_datasource_database_client_count	Counter	ds_id, ds_type	The number of occurrences that all database client data sources are taking
idsvr_datasource_dcr_sum	Counter	ds_id, ds_type	The sum of total time (in seconds) that all dynamic client registration data sources are taking
idsvr_datasource_dcr_count	Counter	ds_id, ds_type	The number of occurrences that all dynamic client registration data sources are taking
idsvr_datasource_delegation_sum	Counter	ds_id, ds_type	The sum of total time (in seconds) that all delegation data sources are taking
idsvr_datasource_delegation_count	Counter	ds_id, ds_type	The number of occurrences that all delegation data sources are taking
idsvr_datasource_device_sum	Counter	ds_id, ds_type	The sum of total time (in seconds) that all device data sources are taking
idsvr_datasource_device_count	Counter	ds_id, ds_type	The number of occurrences that all device data sources are taking
idsvr_datasource_nonce_sum	Counter	ds_id, ds_type	The sum of total time (in seconds) that all nonce data sources are taking
idsvr_datasource_nonce_count	Counter	ds_id, ds_type	The number of occurrences that all nonce data sources are taking
idsvr_datasource_session_sum	Counter	ds_id, ds_type	The sum of total time (in seconds) that all session data sources are taking
idsvr_datasource_session_count	Counter	ds_id, ds_type	The number of occurrences that all session data sources are taking
idsvr_datasource_token_sum	Counter	ds_id, ds_type	The sum of total time (in seconds) that all token data sources are taking
idsvr_datasource_token_count	Counter	ds_id, ds_type	The number of occurrences that all token data sources are taking
idsvr_datasource_bucket_sum	Counter	ds_id, ds_type	The sum of total time (in seconds) that all bucket data sources are taking
idsvr_datasource_bucket_count	Counter	ds_id, ds_type	The number of occurrences that all bucket data sources are taking
idsvr_http_server_request_time_sum	Counter		The number of and amount of time (in seconds) that all HTTP requests are taking
idsvr_http_server_request_time_count	Counter		The number of HTTP requests that have been made
idsvr_jvm_memory_used	Gauge	memory_id, memory_area	The amount of memory used (in bytes) by the Java process that the node started
log4j2_appender_total	Counter	level	The number and severity of log messages which have been written since start up
idsvr_oauth_delegation_issued_total	Counter	client_id, profile_id	The number of delegations issued
idsvr_oauth_delegation_revoked_total	Counter	client_id, profile_id	The number of delegations revoked
idsvr_oauth_token_issued_total	Counter	client_id, token_type, profile_id	The number of OAuth tokens (access, ID, refresh) issued
idsvr_oauth_token_revoked_total	Counter	client_id, token_type, profile_id	The number of OAuth tokens revoked event counter
idsvr_oauth_introspection_denied_total	Counter	client_id, profile_id	The number of Introspections denied because of tokens not being active
idsvr_http_client_request_successful_sum	Counter	http_client_id, authority	The total duration of requests issued by an HTTP client resulting in a response with a successful status code.
idsvr_http_client_request_successful_count	Counter	http_client_id, authority	The number of requests issued by an HTTP client resulting in a response with a successful status code.
idsvr_http_client_request_client_error_sum	Counter	http_client_id, authority	The total duration of requests issued by an HTTP client resulting in a response with a client error status code (4xx).
idsvr_http_client_request_client_error_count	Counter	http_client_id, authority	The number of requests issued by an HTTP client resulting in a response with a client error status code (4xx).
idsvr_http_client_request_server_error_sum	Counter	http_client_id, authority	The total duration of requests issued by an HTTP client resulting in a response with a server error status code (5xx).
idsvr_http_client_request_server_error_count	Counter	http_client_id, authority	The number of requests issued by an HTTP client resulting in a response with a server error status code (5xx).
idsvr_http_client_pool_connections	Gauge	http_client_id	The total number of connections in the connection pool of an HTTP client.
idsvr_http_client_pool_active_connections	Gauge	http_client_id	The number of active (in-use) connections in the connection pool of an HTTP client.
idsvr_credential_verification_successful_total	Counter	credential_manager_id	The number of successful credential verifications done by a credential manager.
idsvr_credential_verification_failed_total	Counter	credential_manager_id	The number of failed credential verifications done by a credential manager.
idsvr_request_pool_threads	Gauge		The total number of threads in request thread pool.
idsvr_request_pool_available_threads	Gauge		The number of threads in request thread pool that are available to handle requests.
idsvr_request_pool_active_threads	Gauge		The number of threads in request thread pool that are in use.
idsvr_request_pool_queue_size	Gauge		Request thread pool’s queue size (i.e. number of requests waiting for a thread)

Note

The client_id of the idsvr_oauth_token_issued metric for ID tokens will be that of the requesting client (i.e., the authorized party). For all other tokens, the client_id is the ID of the client to whom the token was issued.

Note

Request thread pool metrics (whose name starts with idsvr_request_pool_) are only available when JMX is enabled.

In addition to the global metrics described above, some plugins may contribute with metrics related to their particular usage. Namely, the JDBC data source plugin exposes metrics of the underlying connection pool.

The labels in the previous table have the meanings described in the following table:

Label Name	Meaning
acr	The authentication class context reference (ACR) of the authenticator used for login or SSO (as applicable)
client_id	The identifier of the OAuth client to which the metric is related. This is disabled by default.
ds_id	The identifier of the data source to which the metric is related
ds_type	The type of data source to which the metric is related (e.g., ldap, jdbc, etc.)
level	The level of the log message (e.g., error, warn, etc.)
memory_id	The identifier representing the pool of memory being measured (e.g., G1 Old Gen, etc.)
memory_area	The type of memory being measured (heap, non-heap, etc.)
token_type	The type of token to which the measurement is related (e.g., access_token, etc.)
profile_id	The identifier of the profile to which the metric is related. This is disabled by default.
http_client_id	The identifier of the HTTP client to which the metric is related
authority	The authority (hostname and port) used to contact the target system to which the metric is related.
credential_manager_id	The identifier of the credential manager to which the metric is related.

Note

By default no unique values are reported for client_id to prevent value explosion which Prometheus has a hard time handling. If the system only contains a small number of clients then this can be enabled by setting the system property se.curity:identity-server:reporting:include-client-id-label=true when starting the Curity Identity Server.

Gathering of data can be disabled. If this is set when the node starts, no data will be published. To disable gathering of data, in the admin UI, go to System ‣ General. There, toggle off Enable Reporting. Once that change is committed, all nodes will stop gathering data.

Common Alerts

If you want to setup certain alerts when things go wrong in the Curity Identity Server, you can simply setup the following:

• If datasource_*_sum / datasource_*_count >= 800 since the last poll to the metrics endpoint, your database is having issues. The result of this arithmetic is the average response time from the Curity Identity Server to the database (for the given period).
• If log4j2_appender_total with a label of error is > 0, call support!
• If log4j2_appender_total with a label of warn is greater than the last poll, look into the issue immediately, and raise a support case if you can’t figure out the problem.
• If cpu_usage is >= 95% at an unexpected time or for a prolonged period of time, you should take action.
• If http_server_request_time_sum / http_server_request_time_count >= 1000 since the last poll to the metrics endpoint. The result of this arithmetic is the average HTTP response time to the the Curity Identity Server Web server (for the given period).

[1]	The Adoptium Working Group is the provider of the Eclipse Temurin JDK, the Java Platform which Curity delivers.

Configuration

Configuring Prometheus metrics is done under /environments/environment/reporting section.

Parameter	Description
enable	Flag to enable/disable gathering of Prometheus metrics
include-profile-id	Flag indicating whether profile_id label should be enabled

Listing 83 A configured reporting shown in the CLI

% show environments environment reporting
enable             true;
include-profile-id true;

Copy