Advanced config

In the /integrations subfolder you will find a suggested layout for individual files which can be used to manage advanced settings.

Change OTP maximum uses and login attempts


You can make the following additional config to any apps configured in the zfa section (note that this example refers to an app which has been named global for which you should already have specified the client ID and client secret in the core.yaml file):

    max_uses: 1
    max_attempts: 3

Note that otp_endpoint should always be

max_uses controls the number of times an issued OTP can be used before it expires.

max_attempts controls the number of incorrect attempts a user can make before they are blocked. The maximum value for this is 5.

Change log level


  level: INFO
  network: tcp


Note that it should not be set to DEBUG in a production environment.

Stats for system performance


The program uses StatsD to collect usage metrics which can then be used with a StatsD-compatible client such as Graphite to visually render key system performance information such as session starts, logins, communicating with the authentication server, spikes in 404 statuses etc.

An example config would be:

  prefix: srv-idp
  network: udp
  address: :8125

Note that prefix defines the prefix that is given to each bucket of stats. Address can be in the format of 'url:port' or just 'port'.

The above example would be suitable for a Graphite installation, as Graphite listens on port 8125 by default. A useful Docker image for Graphite can be found at

REDIS settings


The system uses Redis to collect data for logged in sessions. Below is the default config. Redis can be used locally or installed on a separate machine. In a production environment, AWS Elasticache may be used.

  network: tcp
  address: :6379
  password: ""