Properties configuration

This chapter contains list of configuration properties for Onegini IDP .

IDP core properties

The following properties must be defined as environment properties in Onegini IDP Core docker.

Extension wiring

Property Default Example Description
IDP_​EXTENSION_​AUTH_​USERNAME extension_​api_​rest_​user Basic auth username necessary to connect to config extension point
IDP_​EXTENSION_​AUTH_​PASSWORD Y;QEZ^{9H!SSQ.08 Basic auth password necessary to connect to config extension point
IDP_​EXTENSION_​CONFIG_​URL http://localhost:8181/extension/config Config extension point URL

Properties encryption

Property Default Example Description
PROPERTIES_​ENCRYPTION_​KEY password Encryption key used to encrypt properties' values, eg. it is possible to add encrypted property in a way PROPERTY=ENC(IlHrIsl2cZl5WH0xQmSKC7SimY6yLD7LAWPtGV4DtfpDbmIZDY0aLt6+diHXwxcm). Encryption is done with PBEWITHSHA256AND256BITAES-CBC-BC alghoritm and Jasypt library. More information can be found in Properties encryption

Java Key Store

Property Default Example Description
IDP_KEYSTORE_ALIAS https://idp-core.dev.onegini.me Alias pointing to one of the keys available in the keystore that is expected to be used by CIM to setup HTTPS or Mutual SSL connections. In case you aim to setup a Mutual SSL (ex. for DigiD IdP) please make sure that the value consists of the CIM public host URI (like shown in the example)
IDP_​KEYSTORE_​PASSWORD password Keystore entry password
IDP_KEYSTORE_FILE /opt/data/keystore/keystore.jks /opt/data/keystore/keystore.jks Keystore file location

Logging

Host/Reverse proxy

Property Default Example Description
IDP_HTTP_ENABLED true Enable or disable HTTP port for all connectors
IDP_​HTTP_​PROXY_​ENABLED true Enable or disable HTTP proxy for personal connector
IDP_HTTP_PROXY_PORT 80 HTTP proxy port for personal connector
IDP_HTTP_PROXY_NAME idp.dev.onegini.com HTTP proxy name for personal connector
IDP_​HTTP_​PROXY_​SCHEME http HTTP Sheme for personal connector
IDP_​HTTP_​PROXY_​SECURE false Set to true to force HTTPS for personal connector
IDP_​HTTP_​API_​ENABLED true Enable separate HTTP connector for API and SAML Artifact Resolution Service
IDP_​HTTP_​API_​PROXY_​ENABLED true Enable or disable HTTP proxy for API connector
IDP_​HTTP_​API_​PROXY_​PORT 80 HTTP proxy port for API connector
IDP_​HTTP_​API_​PROXY_​NAME idp.dev.onegini.com HTTP proxy name for API connector
IDP_​HTTP_​API_​PROXY_​SCHEME http HTTP Sheme for API connector
IDP_​HTTP_​API_​PROXY_​SECURE false Set to true to force HTTPS for API connector
IDP_​HTTP_​ADMIN_​ENABLED true Enable separate HTTP connector for admin panel
IDP_​HTTP_​ADMIN_​PROXY_​ENABLED true Enable or disable HTTP proxy for admin connector
IDP_​HTTP_​ADMIN_​PROXY_​PORT 80 HTTP proxy port for admin connector
IDP_​HTTP_​ADMIN_​PROXY_​NAME idp.dev.onegini.com HTTP proxy name for admin connector
IDP_​HTTP_​ADMIN_​PROXY_​SCHEME http HTTP Sheme for admin connector
IDP_​HTTP_​ADMIN_​PROXY_​SECURE false Set to true to force HTTPS for admin connector
IDP_HTTPS_ENABLED true Enable or disable HTTPS port for all connectors
IDP_​HTTPS_​PERSONAL_​SSL_​PROTOCOL tls Select wicht SSL protocol to use for personal connector
IDP_​HTTPS_​PERSONAL_​SSL_​ENABLED_​PROTOCOLS TLSv1,TLSv1.1,TLSv1.2 Select enabled protocols for connectors
IDP_​HTTPS_​PROXY_​ENABLED true Enable or disable HTTPS proxy for personal connector
IDP_​HTTPS_​PROXY_​PORT 443 HTTPS proxy port for personal connector
IDP_​HTTPS_​PROXY_​NAME idp.dev.onegini.com HTTPS proxy name for personal connector
IDP_​HTTPS_​API_​ENABLED true Enable separate HTTPS connector for API
IDP_​HTTPS_​API_​SSL_​PROTOCOL tls Select wicht SSL protocol to use for API connector
IDP_​HTTPS_​API_​PROXY_​ENABLED true Enable or disable HTTPS proxy for API connector
IDP_​HTTPS_​API_​PROXY_​PORT 443 HTTPS proxy port for API connector
IDP_​HTTPS_​API_​PROXY_​NAME idp.dev.onegini.com HTTPS proxy name for API connector
IDP_​HTTPS_​ADMIN_​ENABLED true Enable separate HTTPS connector for admin panel
IDP_​HTTPS_​ADMIN_​SSL_​PROTOCOL tls Select wicht SSL protocol to use for admin connector
IDP_​HTTPS_​ADMIN_​PROXY_​ENABLED true Enable or disable HTTPS proxy for admin connector
IDP_​HTTPS_​ADMIN_​PROXY_​PORT 443 HTTPS proxy port for admin connector
IDP_​HTTPS_​ADMIN_​PROXY_​NAME idp.dev.onegini.com HTTPS proxy name for admin connector
IDP_​HTTPS_​TRUST_​STORE_​FILE /opt/data/certs/truststore.ts Trustore file in JKS format
IDP_​HTTPS_​TRUST_​STORE_​PASSWORD P2sswor2 Truststore password

IDP extension properties

The following are the properties that must be defined as environment properties in Onegini IDP Extension docker. The properties are propagated from Onegini IDP Extension to Onegini IDP Core as described in Applications setup section.

Property Default Example Description
IDP_​HEADER_​INTERCEPTOR_​XFRAMEOPTIONS ALLOW-FROM Allowed values:
  • `ALLOW-FROM`
  • `ALLOWALL`
  • `ALLOW_ALL`
  • `DENY`
  • `SAMEORIGIN`
IDP_​HEADER_​INTERCEPTOR_​P3PPOLICY
IDP_​HEADER_​INTERCEPTOR_​STRICTTRANSPORTSECURITY HTTP Strict Transport Security

Common

Property Default Example Description
IDP_DEFAULT_LOCALE en Default locale to be used in the application
IDP_​SECURE_​SESSIONCOOKIE true If true only HTTPS is allowed
IDP_​TEMPPIN_​VALIDITY_​TIME_​MILLIS 300000
IDP_​CODE_​VERIFICATION_​THRESHOLD 5
IDP_​PASSWORD_​VERIFICATION_​THRESHOLD 15
IDP_​LASTLOGINS_​LIMIT 10
IDP_​ONETIMEPASSWORD_​LABEL Example.com
IDP_HOST_URL http://login.example.com URL of Onegini IDP
IDP_​PROPERTY_​VALIDATION_​ENABLED false false Gives possibility to enable/disable properties validation
IDP_​DOMAIN_​COOKIE_​TTL_​MIN 30 30 Max age of domain cookie in minutes

Authentication

Property Default Example Description
IDP_​AUTHENTICATION_​PASSWORD_​ENCRYPTION_​KEY hex:C6544F0748C1BDB2654F8C729A4B731D //128 bit key 128, 192 or 256 bit key used for password encryption in hexadecimal or string represension. For hexadecimal representation please use HEX: or hex: prefix, if no prefix is used then value is applied as string representation
IDP_​RECAPTCHA_​VERIFY_​URL https://www.google.com/recaptcha/api/siteverify URL to verify reCAPTCHA response (https://developers.google.com/recaptcha/docs/verify)
IDP_​PASSWORD_​ENCODING_​COMPATIBILITY_​FALLBACK_​ENABLED false Flag which turns on rewriting password hash with non-ascii characters for existing users. If property is undefined it is set to true for existing CIM installations and to false for new installations.

Caching

Property Default Example Description
IDP_CACHING_ENABLED false Do not change this
IDP_CACHING_SECONDS 10 Do not change this

Admin

Property Default Example Description
IDP_​ADMIN_​LOGIN_​FAILURE_​LIMIT 3 Admin login attempts
IDP_​ADMIN_​EMAILNOTIFICATIONS_​TOADDRESS [email protected] Notification email after failed loggin attempts
IDP_ADMIN_URL http://dev.onegini.me:8992/admin Admin panel URL
IDP_​HEADER_​AUTH_​ENABLED false false Flag to enable or disable the header authentication. By default it is disabled.
IDP_​HEADER_​AUTH_​PRINCIPAL_​HEADER remote-user remote-user The name of the header where the admin username is retrieved from.
IDP_​HEADER_​AUTH_​GROUP_​HEADER remote-groups remote-groups The name of the header where the group memberships of the admin user are retrieved from
IDP_​HEADER_​AUTH_​CLIENTIP_​HEADER x-forwarded-for x-forwarded-for The header to get the actual client ip from. We assume that the value is according to the (defacto) x-forwarded-for format: client, proxy1, proxy2
IDP_​HEADER_​AUTH_​FAIL_​IF_​HEADER_​MISSING false false A flag indicating if the application should fail if a header with the username is missing. When this setting is enabled a missing (or empty) header value will result in authentication failure. If this setting is disabled, other authenticators can function as a fallback authentication mechanism.

Database

Property Default Example Description
IDP_​DATABASE_​MIGRATIONS_​FOLDER /db/scrips/oracle Database migration folder

Allowed values:
  • `/db/scripts/mssql`
  • `/db/scripts/mysql`
  • `/db/scripts/oracle`
IDP_DATABASE_DRIVER oracle.jdbc.driver.OracleDriver Database driver

Allowed values:
  • `com.microsoft.sqlserver.jdbc.SQLServerDriver`
  • `com.mysql.jdbc.Driver`
  • `oracle.jdbc.driver.OracleDriver`
  • `org.mariadb.jdbc.Driver`
IDP_DATABASE_USER dbuser Database username
IDP_​DATABASE_​PASSWORD dbpassword Database password
IDP_DATABASE_URL jdbc:oracle:thin:@//<URL_IP>:1521/<DATABASE NAME> JDBC URL connection string
IDP_​DATABASE_​VALIDATION_​QUERY select 1 from DUAL Test query
IDP_​DATABASE_​PLATFORM org.hibernate.dialect.Oracle10gDialect Database dialect

Allowed values:
  • `com.innovation_district.common.jdbc.MySQL5BitBooleanInnoDBDialect`
  • `org.hibernate.dialect.Oracle10gDialect`
  • `org.hibernate.dialect.SQLServer2008Dialect`
IDP_DATABASE_TYPE ORACLE Database type

Allowed values:
  • `MYSQL`
  • `ORACLE`
  • `SQL_SERVER`
IDP_​DATABASE_​TRANSACTION_​ISOLATION -1 4 Database transaction isolation, by default undefined -1
IDP_​QUARTZ_​JDBC_​DELEGATE org.quartz.impl.jdbcjobstore.StdJDBCDelegate JDBC delegate class used by quartz. In most cases it will be org.quartz.impl.jdbcjobstore.StdJDBCDelegate but some databases needs other implementations, eg. org.quartz.impl.jdbcjobstore.oracle.OracleDelegate

Allowed values:
  • `org.quartz.impl.jdbcjobstore.MSSQLDelegate`
  • `org.quartz.impl.jdbcjobstore.StdJDBCDelegate`
  • `org.quartz.impl.jdbcjobstore.oracle.OracleDelegate`

SMS

Property Default Example Description
IDP_SMS_CM_URL https://secure.cmtechnology.com/smssgateway/cm/gateway.ashx
IDP_​SMS_​CM_​CUSTOMERID 1234
IDP_SMS_CM_LOGIN username
IDP_SMS_CM_PASSWORD password
IDP_SMS_TWILIO_SID abcd1234
IDP_​SMS_​TWILIO_​AUTHTOKEN defgh1234
IDP_SMS_FROMNUMBER +31612345678
IDP_SMS_PROVIDER cmSmsGateway Allowed values:
  • `cmSmsGateway`
  • `twilioSmsGateway`
IDP_​SMS_​VALIDITYTIME_​MILLIS 600000
IDP_​SMS_​ABUSE_​THRESHOLD 3
IDP_​EXECUTION_​RETRY_​SMS_​DELAY_​MS 2000 2000 Delay between attempts to send SMS
IDP_​EXECUTION_​RETRY_​SMS_​RETRY_​ATTEMPTS 2 2 Number of attempts to send SMS

Email

Property Default Example Description
IDP_EMAIL_FROM <![CDATA[onegini.me <[email protected]>]]>
IDP_EMAIL_REPLYTO <![CDATA[Support onegini.me <[email protected]>]]>
IDP_​EMAIL_​VALIDITYTIME_​MILLIS 7200000
IDP_SMTP_HOST 10.0.1.15 SMTP URL or IP
IDP_SMTP_PORT 2525 SMTP port
IDP_SMTP_USERNAME [email protected] Username required by SMTP server
IDP_SMTP_PASSWORD Qwerty1234/ Password required by SMTP server
IDP_MAIL_SMTP_AUTH false true Attempt to authenticate the user using the AUTH command
IDP_​MAIL_​SMTP_​STARTTLS_​ENABLE false true Enables the use of the STARTTLS command (if supported by the server) to switch the connection to a TLS-protected connection before issuing any login commands
IDP_​MAIL_​SMTP_​STARTTLS_​REQUIRED false true Requires the use of the STARTTLS command. If the server doesn't support the STARTTLS command, or the command fails, the connect method will fail

SAML

Property Default Example Description
IDP_​SAML_​ARTIFACT_​RESOLUTION_​PROTOCOL http In case API is served on a separate port, this property defines protocol for SAML Artifact Resolution Service
IDP_​SAML_​ARTIFACT_​RESOLUTION_​HOST example.org:8080 In case API is served on a separate port, this property defines host for SAML Artifact Resolution Service
IDP_​SAML_​ENTITY_​PROTOCOL http In case API is served on a separate port, this property defines SAML Entity ID protocol
IDP_​SAML_​ENTITY_​HOST example.org:23456 In case API is served on a separate port, this property defines SAML Entity ID host
IDP_​SAML_​CLOCKSKEW_​TIME_​SECONDS 300
IDP_​SAML_​CHECKVALIDITY_​TIME_​SECONDS 90
IDP_​SAML_​REPLAYCACHE_​MILLIS 14400000
IDP_​SAML_​SUPPORT_​NAME example.com
IDP_​SAML_​SUPPORT_​EMAIL [email protected]
IDP_​SAML_​SIGNING_​PRIVATEKEY MIIEpAIBAAKCAQEAwKOfMrOlrd0FOeGlRetxpLhayhu23ahM/iARWmQxiM0fEG+61bajx0lcO2eNGoGwvd2rEB6ZZlDHbSSPutP6aH1biwIKAXK2tLyCcTBJuZS8S9dAQbgkynekQPOKCJgtE7pj/KBMQk8MSzsWXlD4PjPOaANad4eYNRiGFQMe8P9+pZED3oZZkObsIQIefhc3tebncrVe8cEDCxYug5gOPXHsYYxc7VvEB4izauzbzq2RaPi9+CT8R_UfAJF40WKtIIynDUFGCYlfkGWC5I7jyYMH+noZE3Tj5YYLgoyuwsz7dZAfvBtk2190cLD9O6XQFXSOg0OAdDDcyAimwE149QIDAQABAoIBABUFxinSURJYPGnEpjSrLQu80qubuqkV5NEWzs3+gSlcuTch+lG4TMdCyj3xXwS1goQ13KU1safoyNqwUr8gwwMEKylQX6cozaeLqvCPRHxsLuBX7Ts+zUULKXGtIjMt6D1u6dp349qYpc7P8/D3BSBEpxHSy9yff4zL0FYasRW7m3y7pF8Y8+NO4H2/Pw0NcNstAJwkvEGO3EeFiYyz8vmJfVR2rA1KhSaCZQbALIOIZ+HXso8mKtiJVzS6mLTVbK0PDiWbwSkxrJCZufQbzBlETKJkiVaIJcgQSaL0FQ/64NbnqY5qYyxB7Y3Ci8VFh4w0WTtw49lCwsrT7kL6LUECgYEA8tcRQSpfNjERcUOLJTYG6JZHeUKqDe9HWluUUMERfImQBnTX1/bi68M7XouFXdLY9c+Z08Z2D04R9c1drJ8XCpluUSGXMxTvOnECJeCVuQr5QjUumZvkgDhwNKj4czyaz+qjzTAk9lQBIXGWJaORVaIjQjau7GT0YPAU+Lxd8Q8CgYEAyxQdNybKQLdb7hmbvdo6w6W2fVLJuimYFv1UlYTDSaGurnIAq8PWrmwfGiEUVTBX6/vkMq7LNAnF9kxWQHnzYku1s611JIhCUJEhsm0lQgtEQ4bT9HnNOm8EBkTBwxw/UCHQPkjQk4RShNVLLl2eCrXmAdrSdMUe2CK8X+FFbbsCgYEA1V0drfH6wfSO7MN5yHIV09nmZqaqH6AzQzLft6xLHu8G+oVC+F_VtWxOB53yyiLtudxzvdzL8lqX8S5Ftdv6NLfmc6Zd4OXt451TU9Bl/LWlmAR+Mz0DoZz1CW_FDAsdwrzYuvooH75jV+0jDWMP2PuimxTM0KtLBLks0/c9WwUCgYEAp3GVSUU1nLjTFvaMgLTwoSMA3kKlzFbBbatB0+rc7theZL3hKb9XQwgpeOzvi/JJfG18UgHn0KeCT7vPnmgvMsxELLuIDDBBpZaVFz6BavxJM/h2yWyouFaTFewZa5vd5F+NCd4WBJwlQhtwWvGb/y7OUJcx0lA6R3IUqmXfTkMCgYAFoTcL5LiLYtd0UkSgsnUeaYNtZj2raUo7TGl566g9BEe3ZvKjVq6Ix1K4w1pf0uXtD12bY42OSSw5Dzv1Df5/FI8p/yzx4pfYyK5M3mthscrdczapQEPS0UGJ2JazZBNnQGAHceLOVwpu4aZ5oI6MnGFxJJuhsW2X7+REcK8WjA==
IDP_​SAML_​SIGNING_​CERTIFICATE MIIDrDCCApQCCQCr/xHEBpqyVDANBgkqhkiG9w0BAQUFADCBlzELMAkGA1UEBhMCTkwxEDAOBgNVBAgTB1V0cmVjaHQxEDAOBgNVBAcTB1dvZXJkZW4xITAfBgNVBAoTGElubm92YXRpb24gRGlzdHJpY3QgQi5WLjELMAkGA1UECxMCSVQxFDASBgNVBAMTC29uZWdpbmktYWNjMR4wHAYJKoZIhvcNAQkBFg9pbmZvQG9uZWdpbmkubWUwHhcNMTMwMjExMTMzMzI1WhcNMjMwMjA5MTMzMzI1WjCBlzELMAkGA1UEBhMCTkwxEDAOBgNVBAgTB1V0cmVjaHQxEDAOBgNVBAcTB1dvZXJkZW4xITAfBgNVBAoTGElubm92YXRpb24gRGlzdHJpY3QgQi5WLjELMAkGA1UECxMCSVQxFDASBgNVBAMTC29uZWdpbmktYWNjMR4wHAYJKoZIhvcNAQkBFg9pbmZvQG9uZWdpbmkubWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAo58ys6Wt3QU54aVF63GkuFrKG7bdqEz+IBFaZDGIzR8Qb7rVtqPHSVw7Z40agbC93asQHplmUMdtJI+60/pofVuLAgoBcra0vIJxMEm5lLxL10BBuCTKd6RA84oImC0TumP8oExCTwxLOxZeUPg+M85oA1p3h5g1GIYVAx7w/36lkQPehlmQ5uwhAh5+Fze15udytV7xwQMLFi6DmA49cexhjFztW8QHiLNq7NvOrZFo+L34JPxH9R8AkXjRYq0gjKcNQUYJiV+QZYLkjuPJgwf6ehkTdOPlhguCjK7CzPt1kB+8G2TbX3RwsP07pdAVdI6DQ4B0MNzICKbATXj1AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAMARp0pV9dFmAM5+YtEogOblzwpjGi+42qd902L0+Q+NHkJ+qb+b/IBRbBBGc8dR0pXwl+h+shOTYp08Y0J80I9a+nRQiwOe62zKCA+ac7K+vjQBXyHTe/np8kQCJ0jvkDuh1qSHdkTPiNNA/8nrU0KqjMmvDQY6kkVeYRYAtJ925EKzLIryFQTVvuojmR8qgICYFc9RHGDnKAEuEtFi6sR5kGbIfulqH/qpaM_UTFmmMH5q0KkIkf64r2UW0eR+kzuy+4YxpSNcTa3eea6naiqD268H2LutZl+q3zjFmbTpTJKPoqONlxzreOCKuOLzQlm/4tlAJ_KL324oGlI9U4c=
IDP_​SAML_​ENCRYPTION_​PRIVATEKEY MIIEpAIBAAKCAQEAwKOfMrOlrd0FOeGlRetxpLhayhu23ahM/iARWmQxiM0fEG+61bajx0lcO2eNGoGwvd2rEB6ZZlDHbSSPutP6aH1biwIKAXK2tLyCcTBJuZS8S9dAQbgkynekQPOKCJgtE7pj/KBMQk8MSzsWXlD4PjPOaANad4eYNRiGFQMe8P9+pZED3oZZkObsIQIefhc3tebncrVe8cEDCxYug5gOPXHsYYxc7VvEB4izauzbzq2RaPi9+CT8R_UfAJF40WKtIIynDUFGCYlfkGWC5I7jyYMH+noZE3Tj5YYLgoyuwsz7dZAfvBtk2190cLD9O6XQFXSOg0OAdDDcyAimwE149QIDAQABAoIBABUFxinSURJYPGnEpjSrLQu80qubuqkV5NEWzs3+gSlcuTch+lG4TMdCyj3xXwS1goQ13KU1safoyNqwUr8gwwMEKylQX6cozaeLqvCPRHxsLuBX7Ts+zUULKXGtIjMt6D1u6dp349qYpc7P8/D3BSBEpxHSy9yff4zL0FYasRW7m3y7pF8Y8+NO4H2/Pw0NcNstAJwkvEGO3EeFiYyz8vmJfVR2rA1KhSaCZQbALIOIZ+HXso8mKtiJVzS6mLTVbK0PDiWbwSkxrJCZufQbzBlETKJkiVaIJcgQSaL0FQ/64NbnqY5qYyxB7Y3Ci8VFh4w0WTtw49lCwsrT7kL6LUECgYEA8tcRQSpfNjERcUOLJTYG6JZHeUKqDe9HWluUUMERfImQBnTX1/bi68M7XouFXdLY9c+Z08Z2D04R9c1drJ8XCpluUSGXMxTvOnECJeCVuQr5QjUumZvkgDhwNKj4czyaz+qjzTAk9lQBIXGWJaORVaIjQjau7GT0YPAU+Lxd8Q8CgYEAyxQdNybKQLdb7hmbvdo6w6W2fVLJuimYFv1UlYTDSaGurnIAq8PWrmwfGiEUVTBX6/vkMq7LNAnF9kxWQHnzYku1s611JIhCUJEhsm0lQgtEQ4bT9HnNOm8EBkTBwxw/UCHQPkjQk4RShNVLLl2eCrXmAdrSdMUe2CK8X+FFbbsCgYEA1V0drfH6wfSO7MN5yHIV09nmZqaqH6AzQzLft6xLHu8G+oVC+F_VtWxOB53yyiLtudxzvdzL8lqX8S5Ftdv6NLfmc6Zd4OXt451TU9Bl/LWlmAR+Mz0DoZz1CW_FDAsdwrzYuvooH75jV+0jDWMP2PuimxTM0KtLBLks0/c9WwUCgYEAp3GVSUU1nLjTFvaMgLTwoSMA3kKlzFbBbatB0+rc7theZL3hKb9XQwgpeOzvi/JJfG18UgHn0KeCT7vPnmgvMsxELLuIDDBBpZaVFz6BavxJM/h2yWyouFaTFewZa5vd5F+NCd4WBJwlQhtwWvGb/y7OUJcx0lA6R3IUqmXfTkMCgYAFoTcL5LiLYtd0UkSgsnUeaYNtZj2raUo7TGl566g9BEe3ZvKjVq6Ix1K4w1pf0uXtD12bY42OSSw5Dzv1Df5/FI8p/yzx4pfYyK5M3mthscrdczapQEPS0UGJ2JazZBNnQGAHceLOVwpu4aZ5oI6MnGFxJJuhsW2X7+REcK8WjA==
IDP_​SAML_​ENCRYPTION_​CERTIFICATE MIIDrDCCApQCCQCr/xHEBpqyVDANBgkqhkiG9w0BAQUFADCBlzELMAkGA1UEBhMCTkwxEDAOBgNVBAgTB1V0cmVjaHQxEDAOBgNVBAcTB1dvZXJkZW4xITAfBgNVBAoTGElubm92YXRpb24gRGlzdHJpY3QgQi5WLjELMAkGA1UECxMCSVQxFDASBgNVBAMTC29uZWdpbmktYWNjMR4wHAYJKoZIhvcNAQkBFg9pbmZvQG9uZWdpbmkubWUwHhcNMTMwMjExMTMzMzI1WhcNMjMwMjA5MTMzMzI1WjCBlzELMAkGA1UEBhMCTkwxEDAOBgNVBAgTB1V0cmVjaHQxEDAOBgNVBAcTB1dvZXJkZW4xITAfBgNVBAoTGElubm92YXRpb24gRGlzdHJpY3QgQi5WLjELMAkGA1UECxMCSVQxFDASBgNVBAMTC29uZWdpbmktYWNjMR4wHAYJKoZIhvcNAQkBFg9pbmZvQG9uZWdpbmkubWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDAo58ys6Wt3QU54aVF63GkuFrKG7bdqEz+IBFaZDGIzR8Qb7rVtqPHSVw7Z40agbC93asQHplmUMdtJI+60/pofVuLAgoBcra0vIJxMEm5lLxL10BBuCTKd6RA84oImC0TumP8oExCTwxLOxZeUPg+M85oA1p3h5g1GIYVAx7w/36lkQPehlmQ5uwhAh5+Fze15udytV7xwQMLFi6DmA49cexhjFztW8QHiLNq7NvOrZFo+L34JPxH9R8AkXjRYq0gjKcNQUYJiV+QZYLkjuPJgwf6ehkTdOPlhguCjK7CzPt1kB+8G2TbX3RwsP07pdAVdI6DQ4B0MNzICKbATXj1AgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAMARp0pV9dFmAM5+YtEogOblzwpjGi+42qd902L0+Q+NHkJ+qb+b/IBRbBBGc8dR0pXwl+h+shOTYp08Y0J80I9a+nRQiwOe62zKCA+ac7K+vjQBXyHTe/np8kQCJ0jvkDuh1qSHdkTPiNNA/8nrU0KqjMmvDQY6kkVeYRYAtJ925EKzLIryFQTVvuojmR8qgICYFc9RHGDnKAEuEtFi6sR5kGbIfulqH/qpaM_UTFmmMH5q0KkIkf64r2UW0eR+kzuy+4YxpSNcTa3eea6naiqD268H2LutZl+q3zjFmbTpTJKPoqONlxzreOCKuOLzQlm/4tlAJ_KL324oGlI9U4c=

Remote Cache

Property Default Example Description
IDP_​REDIS_​SENTINEL_​NODES redis.example.com:16379,redis.example.com:26379 Redis sentinel server address
IDP_​REDIS_​SENTINEL_​MASTER_​ID mymaster Redis Master Id
IDP_REDIS_PASSWORD passwordToRedis Password to Redis
CACHE_​ENCRYPTION_​KEY encryptionKey Encryption key used to encrypt cache' values. Encryption is done using PBEWITHSHA256AND256BITAES-CBC-BC alghoritm and Jasypt library. Cache value encryption is done in a same way as properties encryption, more information can be found in IDP remote cache values encryption

Rest Services

Property Default Example Description
IDP_​RESTSERVICES_​CONNECT_​TIMEOUT_​MILLIS 30000
IDP_​RESTSERVICES_​READ_​TIMEOUT_​MILLIS 30000
Property Default Example Description
IDP_​ACCOUNTLINK_​PASSPHRASE

Encryption

Property Default Example Description
IDP_​ENCRYPTION_​KEY_​ITERATIONS 2000
IDP_​ENCRYPTION_​KEY_​LENGTH 256
IDP_​ENCRYPTION_​KEY_​FACTORY PBEWITHSHA256AND256BITAES-CBC-BC
IDP_​ENCRYPTION_​CIPHER AES_CBC_PKCS5Padding
IDP_​ENCRYPTION_​JCE_​PROVIDER BC
IDP_​ENCRYPTION_​PASSWORD password
IDP_​ENCRYPTION_​POOLSIZE 4

Persons API

Property Default Example Description
IDP_​PERSONS_​API_​REST_​USERNAME persons_​api_​rest_​user
IDP_​PERSONS_​API_​REST_​PASSWORD password

Events API

Property Default Example Description
IDP_​EVENTS_​API_​REST_​USERNAME events_​api_​rest_​user
IDP_​EVENTS_​API_​REST_​PASSWORD password

Credentials API

Property Default Example Description
IDP_​CREDENTIALS_​API_​REST_​USERNAME credentials_​api_​rest_​user
IDP_​CREDENTIALS_​API_​REST_​PASSWORD password

Extension API

Property Default Example Description
IDP_​EXTENSION_​API_​REST_​USERNAME extension_​api_​rest_​user
IDP_​EXTENSION_​API_​REST_​PASSWORD password

Statistics API

Property Default Example Description
IDP_​STATISTICS_​API_​REST_​USERNAME statistics_​api_​rest_​user
IDP_​STATISTICS_​API_​REST_​PASSWORD password

Configuration API

Property Default Example Description
IDP_​CONFIGURATION_​API_​REST_​USERNAME configuration_​api_​rest_​user
IDP_​CONFIGURATION_​API_​REST_​PASSWORD password

Rest API

Property Default Example Description
IDP_​API_​REST_​USERNAME api_rest_user
IDP_​API_​REST_​PASSWORD password

Branding

Property Default Example Description
IDP_BRANDING_NAME Example.com
IDP_​BRANDING_​SUPPORT_​EMAIL [email protected]

Token

Authentication and action token configuration properties

Property Default Example Description
IDP_​AUTH_​TOKEN_​EXPIRATION_​TIME_​PERIOD_​SECONDS 2592000 Authentication token expiration time period in seconds.
IDP_​EXPIRED_​TOKEN_​CRON_​DEFINITION 0 0 0 1/1 ? 0 0 2 ? Cron definition that says how often authentication and action tokens should be cleared.
IDP_​TOKEN_​LOGIN_​TTL_​SECONDS 2592000 Login token expiration time period in seconds.

Statistics

Property Default Example Description
IDP_​STATISTICS_​GENERATION_​CRON_​DEFINITION 0 0/5 * ? Cron expression triggering statistics generation

Externally delivered code

Property Default Example Description
IDP_​EXTERNALLYDELIVEREDCODE_​INITIAL_​UNAVAILABILITY_​TIME_​PERIOD_​MILLIS 30000 Time for which externally delivered code will be unavailable. It is counted from the moment of generating the code.
IDP_​EXTERNALLYDELIVEREDCODE_​VALIDITY_​TIME_​PERIOD_​MILLIS 600000 Time for which externally delivered code will be valid. It is counted from the moment of generating the code so it should be higher that "initial unavalability time".

BankId

Property Default Example Description
IDP_​BANKID_​WEBSERVICE_​URI https://appapi.test.bankid.com/rp/v4 BankID webservice URL
IDP_​BANKID_​CLIENT_​PRIVATEKEY Client private key
IDP_​BANKID_​CLIENT_​CERTIFICATE Client certificate
IDP_​BANKID_​SERVER_​CERTIFICATE BankId server certificate

Kerberos

In order to allow users to authenticate over Kerberos protocol, the application requires a valid path to keytab file. The keytab file can be provided either by the use of persistable properties functionality or by mounting a volume from the Docker Host. In case the second solution (volume) would be picked, the PERSISTABLE_PROPERTY_KERBEROS_KEYTAB_PATH and PERSISTABLE_PROPERTY_KERBEROS_KEYTAB_CONTENTS properties are not required.

Property Default Example Description
PERSISTABLE_​PROPERTY_​KERBEROS_​KEYTAB_​PATH /etc/kerberos/tomcat.keytab Path where Kerberos keytab file should be persisted
PERSISTABLE_​PROPERTY_​KERBEROS_​KEYTAB_​CONTENTS cGVyc2lzdGFibGUgcHJvcGVydHkgdmFsdWU= Base64 encoded Kerberos keytab file contents that should be persisted
KERBEROS_​SERVER_​PRINCIPAL HTTP/[email protected] Kerberos service principal identity
KERBEROS_​SERVER_​KEYTAB_​PATH /etc/kerberos/tomcat.keytab Kerberos keytab file location, should be equal to PERSISTABLE_PROPERTY_KERBEROS_KEYTAB_PATH if defined

Extension

Property Default Example Description
IDP_​EXTENSION_​PROTOCOL https Protocol used to connect to extension
IDP_​EXTENSION_​BASEURL extension.host.example.org:8080 Host and port used to connect to extension
IDP_​EXTENSION_​ACCOUNTLINK_​ENABLED true Enable account link extension
IDP_​EXTENSION_​AUTHENTICATION_​ENABLED true Enable authentication extension
IDP_​EXTENSION_​DELIVEREXTERNALCODE_​ENABLED true Enable external code delivery extension
IDP_​EXTENSION_​EMAILGATEWAY_​ENABLED true Enable email gateway extension
IDP_​EXTENSION_​PROFILEATTRIBUTESUPDATE_​ENABLED true Enable profile attributes update extension
IDP_​EXTENSION_​RESOURCES_​ENABLED true Enable resources extension
IDP_​EXTENSION_​USERINFO_​ENABLED true Enable user info extension
IDP_​EXTENSION_​USERNAMEVALIDATION_​ENABLED true Enable username validation extension
IDP_​EXTENSION_​MIGRATION_​DEFAULTPROCESSING_​ENABLED true Enable default processing for just-in-time migration
IDP_​EXTENSION_​MIGRATION_​PASSWORDRESETMIGRATION_​ENABLED true Enable just-in-time migration on password reset
IDP_​PARTITIONING_​PERSONS_​ENABLED false false Enable persons partitioning feature
IDP_​EXTENSION_​PROFILE_​ATTRIBUTES_​TRANSFORMATION_​ENABLED false false Enable profile attributes transformation feature

Delegated User Management (DUM) module configuration

Property Default Example Description
IDP_DUM_ENGINE_URL http://dum-engine.dev.onegini.me:8484 Host and port used to connect to DUM-Engine module
IDP_​DUM_​ENGINE_​AUTH_​USERNAME dum_api_rest_user Basic auth username necessary to connect to DUM-Engine APIs
IDP_​DUM_​ENGINE_​AUTH_​PASSWORD KWNCw5AWtDsD1fYQ Basic auth password necessary to connect to DUM-Engine APIs

Onegini Insights configuration

Configure the following properties to show Onegini Insights in the Admin console.

Property Default Example Description
IDP_​INSIGHTS_​API_​BASE_​URI http://insights Base URL for all requests being forwarded to the Onegini Insights application.
IDP_​INSIGHTS_​API_​USERNAME insights The username that is used in basic authentication with the Onegini Insights application.
IDP_​INSIGHTS_​API_​PASSWORD password The password that is used in basic authentication with the Onegini Insights application.
IDP_​INSIGHTS_​USER_​ACTIVE_​PERIOD_​SECONDS 2592000 2592000 Period length in seconds in which person is treated as active.

IDP remote cache values encryption

The Onegini IDP supports cached values encryption, which means that each value stored within a remote cache may be encrypted. Cache value encryption is done in a same way as properties encryption, more information on this topic can be found in Idp properties encryption.

IDP properties encryption

The Onegini IDP supports properties encryption, it means that each property passed to the application can be encrypted. The open source library Jasypt is used for this with a strong encryption algorithm, which is not present in the standard JRE security provider implementation. For this reason we use the BouncyCastle security provider implementation.

Prerequisities

As wrote above Jasypt is used for property encryption. Please download it and install, it only needs to be extracted. Unzip the library into a directory of your choice, e.g. the /opt directory.

Encryption used by Onegini IDP requires additional library (Bouncy Castle) to be installed. Download the latest version of it and place the jar file into /lib/.

Property values encryption

Property encryption is done by script provided with Jasypt library so please navigate to the directory where it is installed.

Generate a master password used for encryption and execute the following command

cd <JASYPT_PATH>/bin/
./encrypt.sh providerClassName="org.bouncycastle.jce.provider.BouncyCastleProvider" algorithm="PBEWITHSHA256AND256BITAES-CBC-BC" verbose="false" password='<MASTER_PASSWORD>' input='<TEXT_TO_ENCRYPT>'

Note: Do not forget to use generated master password as value for PROPERTIES_ENCRYPTION_KEY property.

If the password or the input contain a single quote you will need to provide each separate single quote with the following sequence: '"'"'

When the above command is executed the encrypted property value is printed to the screen. The last step is to configure the encrypted value as the actual value in the property file. The value has to be surrounded by ENC(). Below is an example of an encrypted property:

IDP_BRANDING_NAME=ENC(IlHrIsl2cZl5WH0xQmSKC7SimY6yLD7LAWPtGV4DtfpDbmIZDY0aLt6+diHXwxcm)

You can verify the encryption by running

./decrypt.sh providerClassName="org.bouncycastle.jce.provider.BouncyCastleProvider" algorithm="PBEWITHSHA256AND256BITAES-CB