Properties configuration
This chapter lists the configuration properties for Onegini IDP.
- IDP core properties
- IDP extension properties
- Header
- Common
- Authentication
- Caching
- Admin
- Database
- SMS
- SAML
- Remote Cache
- Rest Services
- Account link
- Encryption
- Persons API
- Events API
- Credentials API
- Extension API
- Statistics API
- Configuration API
- REST API
- Mobile
- Branding
- Authentication token
- Statistics
- Externally delivered code
- BankId
- Kerberos
- Extension
- Delegated User Management (DUM) module configuration
- Onegini Insights configuration
- IDP remote cache values encryption
- IDP properties encryption
IDP core properties
The following properties must be defined as environment properties in the Onegini IDP Core Docker container.
Extension wiring
Property | Default | Example | Description |
---|---|---|---|
IDP_EXTENSION_AUTH_USERNAME | extension_api_rest_user | | Basic auth username necessary to connect to the config extension point |
IDP_EXTENSION_AUTH_PASSWORD | Y;QEZ^{9H!SSQ.08 | | Basic auth password necessary to connect to the config extension point |
IDP_EXTENSION_CONFIG_URL | http://localhost:8181/extension/config | | Config extension point URL |
Properties encryption
Property | Default | Example | Description |
---|---|---|---|
PROPERTIES_ENCRYPTION_KEY | password | | Encryption key used to encrypt property values, e.g. an encrypted property can be added as PROPERTY=ENC(IlHrIsl2cZl5WH0xQmSKC7SimY6yLD7LAWPtGV4DtfpDbmIZDY0aLt6+diHXwxcm). Encryption is done with the PBEWITHSHA256AND256BITAES-CBC-BC algorithm and the Jasypt library. More information can be found in Properties encryption |
Java Key Store
Property | Default | Example | Description |
---|---|---|---|
IDP_KEYSTORE_ALIAS | keystore_alias | | Keystore entry alias |
IDP_KEYSTORE_PASSWORD | password | | Keystore entry password |
Logging
Host/Reverse proxy
Property | Default | Example | Description |
---|---|---|---|
IDP_HTTP_ENABLED | true | | Enable or disable the HTTP port for all connectors |
IDP_HTTP_PROXY_ENABLED | true | | Enable or disable the HTTP proxy for the personal connector |
IDP_HTTP_PROXY_PORT | 80 | | HTTP proxy port for the personal connector |
IDP_HTTP_PROXY_NAME | idp.dev.onegini.com | | HTTP proxy name for the personal connector |
IDP_HTTP_PROXY_SCHEME | http | | HTTP scheme for the personal connector |
IDP_HTTP_PROXY_SECURE | false | | Set to true to force HTTPS for the personal connector |
IDP_HTTP_API_ENABLED | true | | Enable a separate HTTP connector for the API and the SAML Artifact Resolution Service |
IDP_HTTP_API_PROXY_ENABLED | true | | Enable or disable the HTTP proxy for the API connector |
IDP_HTTP_API_PROXY_PORT | 80 | | HTTP proxy port for the API connector |
IDP_HTTP_API_PROXY_NAME | idp.dev.onegini.com | | HTTP proxy name for the API connector |
IDP_HTTP_API_PROXY_SCHEME | http | | HTTP scheme for the API connector |
IDP_HTTP_API_PROXY_SECURE | false | | Set to true to force HTTPS for the API connector |
IDP_HTTP_ADMIN_ENABLED | true | | Enable a separate HTTP connector for the admin panel |
IDP_HTTP_ADMIN_PROXY_ENABLED | true | | Enable or disable the HTTP proxy for the admin connector |
IDP_HTTP_ADMIN_PROXY_PORT | 80 | | HTTP proxy port for the admin connector |
IDP_HTTP_ADMIN_PROXY_NAME | idp.dev.onegini.com | | HTTP proxy name for the admin connector |
IDP_HTTP_ADMIN_PROXY_SCHEME | http | | HTTP scheme for the admin connector |
IDP_HTTP_ADMIN_PROXY_SECURE | false | | Set to true to force HTTPS for the admin connector |
IDP_HTTPS_ENABLED | true | | Enable or disable the HTTPS port for all connectors |
IDP_HTTPS_PERSONAL_SSL_PROTOCOL | tls | | Select which SSL protocol to use for the personal connector |
IDP_HTTPS_PERSONAL_SSL_ENABLED_PROTOCOLS | TLSv1,TLSv1.1,TLSv1.2 | | Select the enabled protocols for the connectors |
IDP_HTTPS_PROXY_ENABLED | true | | Enable or disable the HTTPS proxy for the personal connector |
IDP_HTTPS_PROXY_PORT | 443 | | HTTPS proxy port for the personal connector |
IDP_HTTPS_PROXY_NAME | idp.dev.onegini.com | | HTTPS proxy name for the personal connector |
IDP_HTTPS_API_ENABLED | true | | Enable a separate HTTPS connector for the API |
IDP_HTTPS_API_SSL_PROTOCOL | tls | | Select which SSL protocol to use for the API connector |
IDP_HTTPS_API_PROXY_ENABLED | true | | Enable or disable the HTTPS proxy for the API connector |
IDP_HTTPS_API_PROXY_PORT | 443 | | HTTPS proxy port for the API connector |
IDP_HTTPS_API_PROXY_NAME | idp.dev.onegini.com | | HTTPS proxy name for the API connector |
IDP_HTTPS_ADMIN_ENABLED | true | | Enable a separate HTTPS connector for the admin panel |
IDP_HTTPS_ADMIN_SSL_PROTOCOL | tls | | Select which SSL protocol to use for the admin connector |
IDP_HTTPS_ADMIN_PROXY_ENABLED | true | | Enable or disable the HTTPS proxy for the admin connector |
IDP_HTTPS_ADMIN_PROXY_PORT | 443 | | HTTPS proxy port for the admin connector |
IDP_HTTPS_ADMIN_PROXY_NAME | idp.dev.onegini.com | | HTTPS proxy name for the admin connector |
IDP_HTTPS_TRUST_STORE | /opt/data/certs/truststore.ts | | Truststore file in JKS format |
IDP_HTTPS_TRUST_STORE_PASSWORD | P2sswor2 | | Truststore password |
IDP extension properties
The following properties must be defined as environment properties in the Onegini IDP Extension Docker container. They are propagated from Onegini IDP Extension to Onegini IDP Core as described in the Applications setup section.
Header
Property | Default | Example | Description |
---|---|---|---|
IDP_HEADER_INTERCEPTOR_XFRAMEOPTIONS | ALLOW-FROM | | Allowed values: |
IDP_HEADER_INTERCEPTOR_P3PPOLICY | | | |
IDP_HEADER_INTERCEPTOR_STRICTTRANSPORTSECURITY | | | HTTP Strict Transport Security |
Common
Property | Default | Example | Description |
---|---|---|---|
IDP_DEFAULT_LOCALE | en | | Default locale to be used in the application |
IDP_SECURE_SESSIONCOOKIE | true | | If true, only HTTPS is allowed |
IDP_TEMPPIN_VALIDITY_TIME_MILLIS | 300000 | | |
IDP_CODE_VERIFICATION_THRESHOLD | 5 | | |
IDP_PASSWORD_VERIFICATION_THRESHOLD | 15 | | |
IDP_LASTLOGINS_LIMIT | 10 | | |
IDP_ONETIMEPASSWORD_LABEL | Example.com | | |
IDP_HOST_URL | http://login.example.com | | URL of Onegini IDP |
IDP_PROPERTY_VALIDATION_ENABLED | false | false | Enables or disables property validation |
IDP_DOMAIN_COOKIE_TTL_MIN | 30 | 30 | Max age of the domain cookie in minutes |
Authentication
Property | Default | Example | Description |
---|---|---|---|
IDP_AUTHENTICATION_PASSWORD_ENCRYPTION_KEY | hex:C6544F0748C1BDB2654F8C729A4B731D (128-bit key) | | 128, 192 or 256 bit key used for password encryption, in hexadecimal or string representation. For the hexadecimal representation use the HEX: or hex: prefix; if no prefix is used, the value is applied as a string representation |
IDP_RECAPTCHA_VERIFY_URL | https://www.google.com/recaptcha/api/siteverify | | URL to verify the reCAPTCHA response (https://developers.google.com/recaptcha/docs/verify) |
Caching
Property | Default | Example | Description |
---|---|---|---|
IDP_CACHING_ENABLED | false | | Do not change this |
IDP_CACHING_SECONDS | 10 | | Do not change this |
Admin
Property | Default | Example | Description |
---|---|---|---|
IDP_ADMIN_LOGIN_FAILURE_LIMIT | 3 | | Allowed admin login attempts |
IDP_ADMIN_EMAILNOTIFICATIONS_TOADDRESS | [email protected] | | Notification email address for failed login attempts |
IDP_ADMIN_URL | http://dev.onegini.me:8992/admin | | Admin panel URL |
Database
Property | Default | Example | Description |
---|---|---|---|
IDP_DATABASE_MIGRATIONS_FOLDER | /db/scrips/oracle | | Database migration folder. Allowed values: |
IDP_DATABASE_DRIVER | oracle.jdbc.driver.OracleDriver | | Database driver. Allowed values: |
IDP_DATABASE_USER | dbuser | | Database username |
IDP_DATABASE_PASSWORD | dbpassword | | Database password |
IDP_DATABASE_URL | jdbc:oracle:thin:@//<URL_IP>:1521/<DATABASE NAME> | | JDBC URL connection string |
IDP_DATABASE_VALIDATION_QUERY | select 1 from DUAL | | Test query |
IDP_DATABASE_PLATFORM | org.hibernate.dialect.Oracle10gDialect | | Database dialect. Allowed values: |
IDP_DATABASE_TYPE | ORACLE | | Database type. Allowed values: |
IDP_DATABASE_TRANSACTION_ISOLATION | -1 | 4 | Database transaction isolation; by default undefined (-1) |
IDP_QUARTZ_JDBC_DELEGATE | org.quartz.impl.jdbcjobstore.StdJDBCDelegate | | JDBC delegate class used by Quartz. In most cases it will be org.quartz.impl.jdbcjobstore.StdJDBCDelegate, but some databases need other implementations, e.g. org.quartz.impl.jdbcjobstore.oracle.OracleDelegate. Allowed values: |
SMS
Property | Default | Example | Description |
---|---|---|---|
IDP_SMS_CM_URL | https://secure.cmtechnology.com/smssgateway/cm/gateway.ashx | ||
IDP_SMS_CM_CUSTOMERID | 1234 | ||
IDP_SMS_CM_LOGIN | username | ||
IDP_SMS_CM_PASSWORD | password | ||
IDP_SMS_TWILIO_SID | abcd1234 | ||
IDP_SMS_TWILIO_AUTHTOKEN | defgh1234 | ||
IDP_SMS_FROMNUMBER | +31612345678 | ||
IDP_SMS_PROVIDER | cmSmsGateway | | Allowed values: |
IDP_SMS_VALIDITYTIME_MILLIS | 600000 | ||
IDP_SMS_ABUSE_THRESHOLD | 3 | ||
IDP_EXECUTION_RETRY_SMS_DELAY_MS | 2000 | 2000 | Delay between attempts to send SMS |
IDP_EXECUTION_RETRY_SMS_RETRY_ATTEMPTS | 2 | 2 | Number of attempts to send SMS |
Property | Default | Example | Description |
---|---|---|---|
IDP_EMAIL_FROM | onegini.me <[email protected]> | | |
IDP_EMAIL_REPLYTO | Support onegini.me <[email protected]> | | |
IDP_EMAIL_VALIDITYTIME_MILLIS | 7200000 | | |
IDP_SMTP_HOST | 10.0.1.15 | | SMTP URL or IP |
IDP_SMTP_PORT | 2525 | | SMTP port |
IDP_SMTP_USERNAME | [email protected] | | Username required by the SMTP server |
IDP_SMTP_PASSWORD | Qwerty1234/ | | Password required by the SMTP server |
IDP_MAIL_SMTP_AUTH | false | true | Attempt to authenticate the user using the AUTH command |
IDP_MAIL_SMTP_STARTTLS_ENABLE | false | true | Enables the use of the STARTTLS command (if supported by the server) to switch the connection to a TLS-protected connection before issuing any login commands |
IDP_MAIL_SMTP_STARTTLS_REQUIRED | false | true | Requires the use of the STARTTLS command. If the server doesn't support the STARTTLS command, or the command fails, the connect method will fail |
SAML
Property | Default | Example | Description |
---|---|---|---|
IDP_SAML_ARTIFACT_RESOLUTION_PROTOCOL | http | | In case the API is served on a separate port, this property defines the protocol for the SAML Artifact Resolution Service |
IDP_SAML_ARTIFACT_RESOLUTION_HOST | example.org:8080 | | In case the API is served on a separate port, this property defines the host for the SAML Artifact Resolution Service |
IDP_SAML_ENTITY_PROTOCOL | http | | In case the API is served on a separate port, this property defines the SAML Entity ID protocol |
IDP_SAML_ENTITY_HOST | example.org:23456 | | In case the API is served on a separate port, this property defines the SAML Entity ID host |
IDP_SAML_CLOCKSKEW_TIME_SECONDS | 300 | ||
IDP_SAML_CHECKVALIDITY_TIME_SECONDS | 90 | ||
IDP_SAML_REPLAYCACHE_MILLIS | 14400000 | ||
IDP_SAML_SUPPORT_NAME | example.com | ||
IDP_SAML_SUPPORT_EMAIL | [email protected] | ||
IDP_SAML_SIGNING_PRIVATEKEY | <Base64-encoded signing private key> | | |
IDP_SAML_SIGNING_CERTIFICATE | <Base64-encoded signing certificate> | | |
IDP_SAML_ENCRYPTION_PRIVATEKEY | <Base64-encoded encryption private key> | | |
IDP_SAML_ENCRYPTION_CERTIFICATE | <Base64-encoded encryption certificate> | | |
Remote Cache
Property | Default | Example | Description |
---|---|---|---|
IDP_REDIS_SENTINEL_NODES | redis.example.com:16379,redis.example.com:26379 | | Redis sentinel server addresses |
IDP_REDIS_SENTINEL_MASTER_ID | mymaster | | Redis master id |
IDP_REDIS_PASSWORD | passwordToRedis | | Password for Redis |
CACHE_ENCRYPTION_KEY | encryptionKey | | Encryption key used to encrypt cache values. Encryption is done using the PBEWITHSHA256AND256BITAES-CBC-BC algorithm and the Jasypt library. Cache value encryption is done in the same way as properties encryption; more information can be found in IDP remote cache values encryption |
Rest Services
Property | Default | Example | Description |
---|---|---|---|
IDP_RESTSERVICES_CONNECT_TIMEOUT_MILLIS | 30000 | ||
IDP_RESTSERVICES_READ_TIMEOUT_MILLIS | 30000 |
Account link
Property | Default | Example | Description |
---|---|---|---|
IDP_ACCOUNTLINK_PASSPHRASE |
Encryption
Property | Default | Example | Description |
---|---|---|---|
IDP_ENCRYPTION_KEY_ITERATIONS | 2000 | ||
IDP_ENCRYPTION_KEY_LENGTH | 256 | ||
IDP_ENCRYPTION_KEY_FACTORY | PBEWITHSHA256AND256BITAES-CBC-BC | ||
IDP_ENCRYPTION_CIPHER | AES_CBC_PKCS5Padding | ||
IDP_ENCRYPTION_JCE_PROVIDER | BC | ||
IDP_ENCRYPTION_PASSWORD | password | ||
IDP_ENCRYPTION_POOLSIZE | 4 |
Persons API
Property | Default | Example | Description |
---|---|---|---|
IDP_PERSONS_API_REST_USERNAME | persons_api_rest_user | ||
IDP_PERSONS_API_REST_PASSWORD | password |
Events API
Property | Default | Example | Description |
---|---|---|---|
IDP_EVENTS_API_REST_USERNAME | events_api_rest_user | ||
IDP_EVENTS_API_REST_PASSWORD | password |
Credentials API
Property | Default | Example | Description |
---|---|---|---|
IDP_CREDENTIALS_API_REST_USERNAME | credentials_api_rest_user | ||
IDP_CREDENTIALS_API_REST_PASSWORD | password |
Extension API
Property | Default | Example | Description |
---|---|---|---|
IDP_EXTENSION_API_REST_USERNAME | extension_api_rest_user | ||
IDP_EXTENSION_API_REST_PASSWORD | password |
Statistics API
Property | Default | Example | Description |
---|---|---|---|
IDP_STATISTICS_API_REST_USERNAME | statistics_api_rest_user | ||
IDP_STATISTICS_API_REST_PASSWORD | password |
Configuration API
Property | Default | Example | Description |
---|---|---|---|
IDP_CONFIGURATION_API_REST_USERNAME | configuration_api_rest_user | ||
IDP_CONFIGURATION_API_REST_PASSWORD | password |
REST API
Property | Default | Example | Description |
---|---|---|---|
IDP_API_REST_USERNAME | api_rest_user | ||
IDP_API_REST_PASSWORD | password |
Mobile
Property | Default | Example | Description |
---|---|---|---|
IDP_MOBILE_AUTH_API_USERNAME | username | | Token Server's API Basic auth username |
IDP_MOBILE_AUTH_API_PASSWORD | password | | Token Server's API Basic auth password |
IDP_MOBILE_AUTH_API_URL | http://10.6.10.65:8086/oauth | | Token Server's API base URL |
IDP_MOBILE_AUTH_TYPE | step_up_push | | Step-up authentication configuration name (Authorization properties name as defined in the Token Server's admin console) |
IDP_MOBILE_AUTH_MESSAGE | CIM Step-up request | | Step-up message to be shown on the end-user's mobile device |
IDP_MOBILE_LOGIN_AUTH_TYPE | mobile_login_auth_type | | Mobile-login authentication configuration name (Authorization properties name as defined in the Token Server's admin console) |
IDP_MOBILE_LOGIN_AVAILABILITY_AUTH_TYPE | mobile_login_auth_type | | Mobile-login alternative authentication type |
IDP_MOBILE_LOGIN_MESSAGE | CIM Mobile login request | | Mobile-login message to be shown on the end-user's mobile device |
IDP_MOBILE_LOGIN_ALLOWED_ATTEMPTS | 3 | 3 | Allowed number of consecutive failing / invalid login attempts with the Mobile-login functionality. Accepted values must be in the range [1-9] |
Branding
Property | Default | Example | Description |
---|---|---|---|
IDP_BRANDING_NAME | Example.com | ||
IDP_BRANDING_SUPPORT_EMAIL | [email protected] |
Authentication token
Authentication token is used by cookie based authentication and mobile login.
Property | Default | Example | Description |
---|---|---|---|
IDP_AUTH_TOKEN_EXPIRATION_TIME_PERIOD_SECONDS | 2592000 | | Authentication token expiration time period in seconds |
IDP_EXPIRED_TOKEN_CRON_DEFINITION | 0 0 0 1/1 ? | 0 0 2 ? | Cron definition that says how often authentication and action tokens should be cleared |
IDP_TOKEN_LOGIN_TTL_SECONDS | 2592000 | | Login token expiration time period in seconds |
Statistics
Property | Default | Example | Description |
---|---|---|---|
IDP_STATISTICS_GENERATION_CRON_DEFINITION | 0 0/5 * ? | | Cron expression triggering statistics generation |
Externally delivered code
Property | Default | Example | Description |
---|---|---|---|
IDP_EXTERNALLYDELIVEREDCODE_INITIAL_UNAVAILABILITY_TIME_PERIOD_MILLIS | 30000 | | Time for which the externally delivered code is unavailable. It is counted from the moment the code is generated. |
IDP_EXTERNALLYDELIVEREDCODE_VALIDITY_TIME_PERIOD_MILLIS | 600000 | | Time for which the externally delivered code is valid. It is counted from the moment the code is generated, so it should be higher than the "initial unavailability time". |
BankId
Property | Default | Example | Description |
---|---|---|---|
IDP_BANKID_WEBSERVICE_URI | https://appapi.test.bankid.com/rp/v4 | | BankID webservice URL |
IDP_BANKID_CLIENT_PRIVATEKEY | | | Client private key |
IDP_BANKID_CLIENT_CERTIFICATE | | | Client certificate |
IDP_BANKID_SERVER_CERTIFICATE | | | BankID server certificate |
Kerberos
In order to allow users to authenticate over the Kerberos protocol, the application requires a valid path to a keytab file. The keytab file can be provided either through the persistable properties functionality or by mounting a volume from the Docker host. If the second option (volume) is picked, the PERSISTABLE_PROPERTY_KERBEROS_KEYTAB_PATH and PERSISTABLE_PROPERTY_KERBEROS_KEYTAB_CONTENTS properties are not required.
Property | Default | Example | Description |
---|---|---|---|
PERSISTABLE_PROPERTY_KERBEROS_KEYTAB_PATH | /etc/kerberos/tomcat.keytab | | Path where the Kerberos keytab file should be persisted |
PERSISTABLE_PROPERTY_KERBEROS_KEYTAB_CONTENTS | cGVyc2lzdGFibGUgcHJvcGVydHkgdmFsdWU= | | Base64-encoded Kerberos keytab file contents that should be persisted |
KERBEROS_SERVER_PRINCIPAL | HTTP/[email protected] | | Kerberos service principal identity |
KERBEROS_SERVER_KEYTAB_PATH | /etc/kerberos/tomcat.keytab | | Kerberos keytab file location; should be equal to PERSISTABLE_PROPERTY_KERBEROS_KEYTAB_PATH if that is defined |
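Several of the tables above state constraints that are easy to get wrong in an env-file: the password encryption key must be 128, 192 or 256 bits (hex: prefix or plain string), IDP_MOBILE_LOGIN_ALLOWED_ATTEMPTS must lie in [1-9], the externally delivered code validity must exceed the initial unavailability time, KERBEROS_SERVER_KEYTAB_PATH must match PERSISTABLE_PROPERTY_KERBEROS_KEYTAB_PATH, and the keytab contents must be Base64. The linter below is an added example, not Onegini code; it checks those rules over a constructed env-file and skips values wrapped in ENC(), whose plaintext it cannot see. It goes one step beyond the page with a TLS check based on RFC 8996 (TLS 1.0/1.1 deprecated), which the page itself does not state, and it assumes the string form of the key is taken as UTF-8 bytes.

```python
"""Added example: lint an Onegini IDP env-file against constraints stated in this reference.

Not Onegini code. It parses docker --env-file style KEY=VALUE lines and checks the
rules the tables above spell out; the TLS protocol check is the one addition that
comes from RFC 8996 (TLS 1.0/1.1 deprecation) rather than from this page.
"""
import base64
import binascii
import re

ENC_RE = re.compile(r"^ENC\(.+\)$")   # Jasypt-encrypted value, see "IDP properties encryption"
VALID_KEY_BITS = {128, 192, 256}
DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}


def parse_env_file(text):
    """KEY=VALUE per line; blank lines and '#' comments are skipped, the first '=' splits."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def is_encrypted(value):
    """True for ENC(...) values, whose plaintext cannot be inspected here."""
    return ENC_RE.match(value) is not None


def password_key_bits(value):
    """Key length of IDP_AUTHENTICATION_PASSWORD_ENCRYPTION_KEY in bits.
    'hex:'/'HEX:' prefix -> hexadecimal key bytes; no prefix -> the string's own
    bytes (UTF-8 is an assumption; the page does not name an encoding)."""
    if value[:4].lower() == "hex:":
        return len(bytes.fromhex(value[4:])) * 8
    return len(value.encode("utf-8")) * 8


def _plain(props, name):
    """Value of `name` unless it is absent or encrypted."""
    value = props.get(name)
    return None if value is None or is_encrypted(value) else value


def lint(props):
    """Return a list of human-readable findings; an empty list means every rule passed."""
    findings = []
    key = _plain(props, "IDP_AUTHENTICATION_PASSWORD_ENCRYPTION_KEY")
    if key is not None:
        try:
            bits = password_key_bits(key)
        except ValueError:
            findings.append("IDP_AUTHENTICATION_PASSWORD_ENCRYPTION_KEY: hex prefix used but value is not valid hex")
        else:
            if bits not in VALID_KEY_BITS:
                findings.append(f"IDP_AUTHENTICATION_PASSWORD_ENCRYPTION_KEY: {bits}-bit key, expected 128, 192 or 256")
    attempts = _plain(props, "IDP_MOBILE_LOGIN_ALLOWED_ATTEMPTS")
    if attempts is not None and not (attempts.isdigit() and 1 <= int(attempts) <= 9):
        findings.append("IDP_MOBILE_LOGIN_ALLOWED_ATTEMPTS: accepted values are in the range [1-9]")
    unavailable = _plain(props, "IDP_EXTERNALLYDELIVEREDCODE_INITIAL_UNAVAILABILITY_TIME_PERIOD_MILLIS")
    validity = _plain(props, "IDP_EXTERNALLYDELIVEREDCODE_VALIDITY_TIME_PERIOD_MILLIS")
    if unavailable and validity and unavailable.isdigit() and validity.isdigit() and int(validity) <= int(unavailable):
        findings.append("IDP_EXTERNALLYDELIVEREDCODE_VALIDITY_TIME_PERIOD_MILLIS: must be higher than the initial unavailability time")
    persisted = _plain(props, "PERSISTABLE_PROPERTY_KERBEROS_KEYTAB_PATH")
    keytab = _plain(props, "KERBEROS_SERVER_KEYTAB_PATH")
    if persisted and keytab and persisted != keytab:
        findings.append("KERBEROS_SERVER_KEYTAB_PATH: should be equal to PERSISTABLE_PROPERTY_KERBEROS_KEYTAB_PATH")
    contents = _plain(props, "PERSISTABLE_PROPERTY_KERBEROS_KEYTAB_CONTENTS")
    if contents:
        try:
            base64.b64decode(contents, validate=True)
        except binascii.Error:
            findings.append("PERSISTABLE_PROPERTY_KERBEROS_KEYTAB_CONTENTS: not valid Base64")
    protocols = _plain(props, "IDP_HTTPS_PERSONAL_SSL_ENABLED_PROTOCOLS")
    if protocols:
        old = sorted(DEPRECATED_TLS & {p.strip() for p in protocols.split(",")})
        if old:
            findings.append(f"IDP_HTTPS_PERSONAL_SSL_ENABLED_PROTOCOLS: {', '.join(old)} deprecated by RFC 8996")
    return findings


# Constructed sample env-file (not a real deployment); several rules are broken on purpose.
SAMPLE_ENV = """\
IDP_AUTHENTICATION_PASSWORD_ENCRYPTION_KEY=hex:C6544F0748C1BDB2654F8C729A4B731D
IDP_HTTPS_PERSONAL_SSL_ENABLED_PROTOCOLS=TLSv1,TLSv1.1,TLSv1.2
IDP_MOBILE_LOGIN_ALLOWED_ATTEMPTS=12
IDP_EXTERNALLYDELIVEREDCODE_INITIAL_UNAVAILABILITY_TIME_PERIOD_MILLIS=30000
IDP_EXTERNALLYDELIVEREDCODE_VALIDITY_TIME_PERIOD_MILLIS=20000
PERSISTABLE_PROPERTY_KERBEROS_KEYTAB_PATH=/etc/kerberos/tomcat.keytab
PERSISTABLE_PROPERTY_KERBEROS_KEYTAB_CONTENTS=cGVyc2lzdGFibGUgcHJvcGVydHkgdmFsdWU=
KERBEROS_SERVER_KEYTAB_PATH=/opt/keytab/tomcat.keytab
IDP_BRANDING_NAME=ENC(IlHrIsl2cZl5WH0xQmSKC7SimY6yLD7LAWPtGV4DtfpDbmIZDY0aLt6+diHXwxcm)
"""

if __name__ == "__main__":
    for finding in lint(parse_env_file(SAMPLE_ENV)):
        print(finding)
```

Run against the sample it reports four findings (attempt limit, validity window, keytab path mismatch, deprecated TLS versions); the ENC() branding value is recognised and left alone. Point `parse_env_file` at the real env-file contents to use it in a deployment pipeline.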
Extension
Property | Default | Example | Description |
---|---|---|---|
IDP_EXTENSION_PROTOCOL | https | | Protocol used to connect to the extension |
IDP_EXTENSION_BASEURL | extension.host.example.org:8080 | | Host and port used to connect to the extension |
IDP_EXTENSION_ACCOUNTLINK_ENABLED | true | | Enable the account link extension |
IDP_EXTENSION_AUTHENTICATION_ENABLED | true | | Enable the authentication extension |
IDP_EXTENSION_DELIVEREXTERNALCODE_ENABLED | true | | Enable the external code delivery extension |
IDP_EXTENSION_EMAILGATEWAY_ENABLED | true | | Enable the email gateway extension |
IDP_EXTENSION_PROFILEATTRIBUTESUPDATE_ENABLED | true | | Enable the profile attributes update extension |
IDP_EXTENSION_RESOURCES_ENABLED | true | | Enable the resources extension |
IDP_EXTENSION_USERINFO_ENABLED | true | | Enable the user info extension |
IDP_EXTENSION_USERNAMEVALIDATION_ENABLED | true | | Enable the username validation extension |
IDP_EXTENSION_MIGRATION_DEFAULTPROCESSING_ENABLED | true | | Enable default processing for just-in-time migration |
IDP_EXTENSION_MIGRATION_PASSWORDRESETMIGRATION_ENABLED | true | | Enable just-in-time migration on password reset |
Delegated User Management (DUM) module configuration
Property | Default | Example | Description |
---|---|---|---|
IDP_DUM_ENGINE_URL | http://dum-engine.dev.onegini.me:8484 | | Host and port used to connect to the DUM-Engine module |
IDP_DUM_ENGINE_AUTH_USERNAME | dum_api_rest_user | | Basic auth username necessary to connect to the DUM-Engine APIs |
IDP_DUM_ENGINE_AUTH_PASSWORD | KWNCw5AWtDsD1fYQ | | Basic auth password necessary to connect to the DUM-Engine APIs |
Onegini Insights configuration
Configure the following properties to show Onegini Insights in the Admin console.
Property | Default | Example | Description |
---|---|---|---|
IDP_INSIGHTS_API_BASE_URI | http://insights | | Base URL for all requests forwarded to the Onegini Insights application |
IDP_INSIGHTS_API_USERNAME | insights | | Username used in basic authentication with the Onegini Insights application |
IDP_INSIGHTS_API_PASSWORD | password | | Password used in basic authentication with the Onegini Insights application |
IDP_INSIGHTS_USER_ACTIVE_PERIOD_SECONDS | 2592000 | 2592000 | Period length in seconds during which a person is treated as active |
IDP remote cache values encryption
Onegini IDP supports cached value encryption, which means that each value stored in a remote cache may be encrypted. Cache value encryption is done in the same way as properties encryption; more information on this topic can be found in IDP properties encryption.
IDP properties encryption
Onegini IDP supports properties encryption, which means that each property passed to the application can be encrypted. The open source library Jasypt is used for this with a strong encryption algorithm that is not present in the standard JRE security provider implementation. For this reason the BouncyCastle security provider implementation is used.
Prerequisites
As written above, Jasypt is used for property encryption. Download it and install it; it only needs to be extracted. Unzip the library into a directory of your choice, e.g. the /opt directory.
The encryption used by Onegini IDP requires an additional library (Bouncy Castle) to be installed. Download the latest version of it and place the jar file into
Property values encryption
Property encryption is done by a script provided with the Jasypt library, so navigate to the directory where it is installed.
Generate a master password used for encryption and execute the following command:
cd <JASYPT_PATH>/bin/
./encrypt.sh providerClassName="org.bouncycastle.jce.provider.BouncyCastleProvider" algorithm="PBEWITHSHA256AND256BITAES-CBC-BC" verbose="false" password='<MASTER_PASSWORD>' input='<TEXT_TO_ENCRYPT>'
Note: do not forget to use the generated master password as the value of the PROPERTIES_ENCRYPTION_KEY property.
If the password or the input contains a single quote, you will need to replace each single quote with the following sequence: '"'"'
When the above command is executed the encrypted property value is printed to the screen. The last step is to configure the encrypted value as the actual value in the property file. The value has to be surrounded by ENC(). Below is an example of an encrypted property:
IDP_BRANDING_NAME=ENC(IlHrIsl2cZl5WH0xQmSKC7SimY6yLD7LAWPtGV4DtfpDbmIZDY0aLt6+diHXwxcm)
You can verify the encryption by running:
./decrypt.sh providerClassName="org.bouncycastle.jce.provider.BouncyCastleProvider" algorithm="PBEWITHSHA256AND256BITAES-CB
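The single-quote rule above exists only because the value is typed inside a shell line. The script below is an added example, not part of Onegini or Jasypt: it invokes the same encrypt.sh/decrypt.sh with the same parameters, but through an argument list rather than a shell, so quotes in the master password or the input need no escaping, and it wraps the result in ENC() ready for the property file. `interactive_command()` shows that the `'"'"'` sequence the instructions call for is exactly what Python's `shlex.quote` produces. The `runner` parameter and the `/opt/jasypt` path are assumptions made so the flow can be exercised without a Jasypt installation.

```python
"""Added example: drive Jasypt's encrypt.sh/decrypt.sh from Python instead of a shell line.

Not part of Onegini or Jasypt. Passing the value through argv means a single quote in the
master password or the input needs no escaping at all; interactive_command() shows the
'"'"' sequence from the instructions above is exactly what shlex.quote produces.
"""
import shlex
import subprocess

PROVIDER = "org.bouncycastle.jce.provider.BouncyCastleProvider"
ALGORITHM = "PBEWITHSHA256AND256BITAES-CBC-BC"


def build_argv(script_path, master_password, value):
    """argv for encrypt.sh/decrypt.sh with the parameters used in the command above."""
    return [
        script_path,
        f"providerClassName={PROVIDER}",
        f"algorithm={ALGORITHM}",
        "verbose=false",
        f"password={master_password}",
        f"input={value}",
    ]


def interactive_command(script_path, master_password, value):
    """The same invocation as one line that is safe to paste into an interactive shell."""
    return " ".join(shlex.quote(arg) for arg in build_argv(script_path, master_password, value))


def run_script(argv, runner=subprocess.run):
    """Run the Jasypt script and return its trimmed stdout (the encrypted or decrypted value).
    `runner` is injectable (assumption) so the flow can be exercised without Jasypt installed."""
    completed = runner(argv, capture_output=True, text=True, check=True)
    return completed.stdout.strip()


def encrypt_property(name, plaintext, master_password, jasypt_home, runner=subprocess.run):
    """Return the NAME=ENC(...) line to put in the property file."""
    argv = build_argv(f"{jasypt_home}/bin/encrypt.sh", master_password, plaintext)
    return f"{name}=ENC({run_script(argv, runner)})"


def decrypt_property(line, master_password, jasypt_home, runner=subprocess.run):
    """Verify a NAME=ENC(...) line by decrypting its payload; returns the plaintext."""
    name, _, value = line.partition("=")
    if not (value.startswith("ENC(") and value.endswith(")")):
        raise ValueError(f"{name}: value is not wrapped in ENC()")
    argv = build_argv(f"{jasypt_home}/bin/decrypt.sh", master_password, value[4:-1])
    return run_script(argv, runner)


if __name__ == "__main__":
    # <JASYPT_PATH> and both values are placeholders, as in the instructions above.
    print(interactive_command("<JASYPT_PATH>/bin/encrypt.sh", "it's a master password", "O'Neil"))
```

With a real installation, `encrypt_property("IDP_BRANDING_NAME", "Example.com", master, "/opt/jasypt")` returns the line to paste into the env-file, and `decrypt_property` on that line is the verification step from the instructions above. Keep the master password out of shell history by reading it from a file or prompt rather than a command-line argument when you adapt this.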