Config file complete reference

Key Detail
remoteConfigProvider Remote configuration source (if any)

Type : string

remoteConfigEndpoint Remote configuration URL (ip:port)

Type : string

remoteConfigPath Remote configuration path in which to search for the configuration file (e.g. '/config/srv-idp')

Type : string

remoteConfigSecretKeyring Path to the OpenPGP secret keyring used to decrypt the remote configuration data (e.g. '/etc/srv-idp/configkey.gpg'); if empty, a non-secure connection is used instead

Type : string

serverAddress Internal HTTP address (ip:port) or just (:port)

Type : string

Default : :8000

serverPublicAddress Public HTTP API URL

Type : string

Default : http://127.0.0.1:8000

errorPageURL (OPTIONAL) URL of the error page where the users are redirected in case of error. The JSON error message will be compressed with FLATE, encoded in base64 and added as a query parameter 'e'. Leave this parameter empty to disable the redirection.

Type : string

errorPageTemplate (OPTIONAL) HTML template page used to display error messages as an alternative to the errorPageURL redirection. If both this and errorPageURL are empty, a JSON object is returned instead. Predefined template variables are: Program, Version, Release, DateTime, Timestamp, Status, Code, Message and Data. The field 'Data' contains the error message.

Type : string

Default : <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SSO ERROR</title></head><body><h1>SSO ERROR</h1><h2>{{.Data}}</h2><div><a href="{{.URL}}/services" title="SSO Login">SSO LOGIN</a> <a href="{{.URL}}/logout" title="Terminate the main SSO session">SSO LOGOUT</a></div><div><table><tr><th>FIELD</th><th>VALUE</th></tr><tr><td>Program</td><td>{{.Program}}</td></tr><tr><td>Version</td><td>{{.Version}}</td></tr><tr><td>Release</td><td>{{.Release}}</td></tr><tr><td>IdP URL</td><td>{{.URL}}</td></tr><tr><td>DateTime</td><td>{{.DateTime}}</td></tr><tr><td>Timestamp</td><td>{{.Timestamp}}</td></tr><tr><td>Status</td><td>{{.Status}}</td></tr><tr><td>Code</td><td>{{.Code}}</td></tr><tr><td>Message</td><td>{{.Message}}</td></tr><tr><td>Data</td><td>{{.Data}}</td></tr></table></div></body></html>
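The error template above is a Go template whose 'Data' field carries the error message, so how the template is executed decides whether that message is inserted verbatim or escaped for its HTML context. The following Go program is an added example, not code from srv-idp: it renders a constructed, shortened template that uses the same predefined variable names once with text/template and once with html/template, so the difference in the rendered 'Data' field can be compared. Which of the two packages the project itself uses is not stated on the page and is not assumed here.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// errorPageTemplate is a constructed, shortened form of the reference's
// default errorPageTemplate, keeping the same predefined variable names.
const errorPageTemplate = `<!DOCTYPE html><html><head><title>SSO ERROR</title></head><body>` +
	`<h1>SSO ERROR</h1><h2>{{.Data}}</h2>` +
	`<div><a href="{{.URL}}/services" title="SSO Login">SSO LOGIN</a></div>` +
	`<table><tr><th>FIELD</th><th>VALUE</th></tr>` +
	`<tr><td>Program</td><td>{{.Program}}</td></tr>` +
	`<tr><td>Status</td><td>{{.Status}}</td></tr>` +
	`<tr><td>Code</td><td>{{.Code}}</td></tr>` +
	`<tr><td>Message</td><td>{{.Message}}</td></tr></table></body></html>`

// ErrorPage holds the template variables the reference lists, plus URL,
// which the default template also references.
type ErrorPage struct {
	Program, Version, Release, URL, DateTime string
	Timestamp                                int64
	Status                                   string
	Code                                     int
	Message, Data                            string
}

// renderText executes the template with text/template: every value is
// inserted exactly as given, including any markup inside Data.
func renderText(tmpl string, p ErrorPage) (string, error) {
	t, err := texttemplate.New("error").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// renderHTML executes the same template with html/template, which escapes
// each value for the context it lands in (element text, attribute, URL).
func renderHTML(tmpl string, p ErrorPage) (string, error) {
	t, err := htmltemplate.New("error").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed error with markup characters in the Data field.
	p := ErrorPage{
		Program: "srv-idp", Version: "1.0.0", Release: "1",
		URL: "https://idp.example.com", Status: "Forbidden", Code: 403,
		Message: "access denied", Data: `<b>"quoted" & bold</b>`,
	}
	text, err := renderText(errorPageTemplate, p)
	if err != nil {
		panic(err)
	}
	html, err := renderHTML(errorPageTemplate, p)
	if err != nil {
		panic(err)
	}
	fmt.Println("text/template:", text)
	fmt.Println("html/template:", html)
}
```

With text/template the `<h2>` element contains the raw `<b>` tag from Data; with html/template it contains `&lt;b&gt;`, and the `&` and quotes are escaped as well, so whatever ends up in the error message cannot change the page structure.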

logoutPageURL (OPTIONAL) URL of the logout page where the users are redirected after calling the logout endpoint. A JSON struct containing a map of logout links for each Service Provider will be compressed with FLATE, encoded in base64 and added as a query parameter 'x'. Leave this parameter empty to disable the redirection.

Type : string

logoutPageTemplate (OPTIONAL) HTML template page used to display a logout page as an alternative to the logoutPageURL redirection. If both this and logoutPageURL are empty, a JSON object is returned instead. The predefined template variable maps the Service Provider names to their logout links.

Type : string

Default : <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SSO LOGOUT</title></head><body><h1>SSO LOGOUT</h1><h2>The IDP Session has been successfully deleted</h2><div><a href="{{.URL}}/services" title="SSO Login">SSO LOGIN</a></div><h3>Logout links of visited Service Providers:</h3><ul>{{ range $name, $logout := .SPList }}<li><a href="{{ $logout }}" title="Logout from {{ $name }}" target="_blank">{{ $name }}</a></li>{{ end }}</ul></body></html>

servicesPageURL (OPTIONAL) URL of the services page where the users are redirected after calling the services endpoint. A JSON struct containing a map of authorized Service Providers for the current user will be compressed with FLATE, encoded in base64 and added as a query parameter 'x'. Leave this parameter empty to disable the redirection.

Type : string

servicesPageTemplate (OPTIONAL) HTML template page used to display a page containing the list of authorized Service Providers for the current user. This can be used in place of the *logoutPageURL* redirection. If both this and the *logoutPageURL* are empty, a JSON object is returned instead.

Type : string

Default : <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SSO Authorized Service Providers</title></head><body><h1>SSO Authorized Service Providers</h1><div><a href="{{.URL}}/logout" title="Terminate the main SSO session">SSO LOGOUT</a></div><ul>{{ range $sp := .SPList }}<li><strong>{{ $sp.Name }}</strong><br /><em>{{ $sp.Description }}</em><ul><li><a href="{{ $sp.IDPLogin }}" title="IdP-Login: {{ $sp.Description }}" target="_blank">IdP-initiated login</a></li><li><a href="{{ $sp.Login }}" title="Login: {{ $sp.Description }}" target="_blank">Login Page</a></li><li><a href="{{ $sp.Logout }}" title="Logout: {{ $sp.Description }}" target="_blank">Logout</a></li></ul></li>{{ end }}</ul></body></html>
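The three redirect settings above (errorPageURL with its 'e' parameter, logoutPageURL and servicesPageURL with their 'x' parameter) all hand a JSON document to an external page after FLATE compression and base64 encoding. The Go program below is an added example, not code from srv-idp: it implements that encoding for an error payload and for a logout-link map, and the matching decoder the receiving page needs, with a cap on the decompressed size so a small query parameter cannot inflate into an arbitrarily large buffer. The JSON field names, the URL-safe base64 alphabet and the use of padding are assumptions; the page does not specify them.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/url"
)

// ErrorPayload carries the fields the errorPageTemplate documents.
// The JSON field names are an assumption; the page does not show the wire format.
type ErrorPayload struct {
	Program   string `json:"program"`
	Version   string `json:"version"`
	Release   string `json:"release"`
	DateTime  string `json:"datetime"`
	Timestamp int64  `json:"timestamp"`
	Status    string `json:"status"`
	Code      int    `json:"code"`
	Message   string `json:"message"`
	Data      string `json:"data"`
}

// encodeParam applies the transform the reference describes: JSON, then
// FLATE, then base64. URL-safe base64 is assumed so the value survives
// unchanged inside a query string.
func encodeParam(v interface{}) (string, error) {
	raw, err := json.Marshal(v)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write(raw); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.URLEncoding.EncodeToString(buf.Bytes()), nil
}

// decodeParam reverses encodeParam on the receiving page. Reading stops at
// maxBytes+1 so an over-sized (or deliberately inflating) payload is
// rejected instead of being fully expanded in memory.
func decodeParam(s string, maxBytes int64, out interface{}) error {
	compressed, err := base64.URLEncoding.DecodeString(s)
	if err != nil {
		return fmt.Errorf("base64: %w", err)
	}
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	raw, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return fmt.Errorf("flate: %w", err)
	}
	if int64(len(raw)) > maxBytes {
		return fmt.Errorf("decoded payload exceeds %d bytes", maxBytes)
	}
	return json.Unmarshal(raw, out)
}

// buildRedirect appends the encoded payload to the configured page URL as the
// named query parameter ('e' for the error page, 'x' for logout and services).
func buildRedirect(pageURL, param, encoded string) (string, error) {
	u, err := url.Parse(pageURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set(param, encoded)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	// Constructed sample error and logout-link map.
	p := ErrorPayload{Program: "srv-idp", Version: "1.0.0", Release: "1",
		Status: "Forbidden", Code: 403, Message: "access denied",
		Data: "user is not authorized for this Service Provider"}
	enc, err := encodeParam(p)
	if err != nil {
		panic(err)
	}
	target, _ := buildRedirect("https://portal.example.com/error", "e", enc)
	fmt.Println(target)

	var back ErrorPayload
	if err := decodeParam(enc, 64*1024, &back); err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", back)

	links := map[string]string{"sp-a": "https://a.example.com/logout"}
	encLinks, _ := encodeParam(links)
	target, _ = buildRedirect("https://portal.example.com/logout", "x", encLinks)
	fmt.Println(target)
}
```

The same two functions serve all three parameters; only the payload type changes (a struct for 'e', a map of Service Provider name to logout link, or the authorized-SP list, for 'x').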

log
level Defines the default log level

Type : string

Default : INFO

network (OPTIONAL) Network type used by the Syslog

Type : string

address (OPTIONAL) Network address of the Syslog daemon (ip:port) or just (:port)

Type : string

stats
prefix StatsD client's string prefix that will be used in every bucket name

Type : string

Default : srv-idp

network Network type used by the StatsD client

Type : string

Default : udp

address Network address of the StatsD daemon (ip:port) or just (:port)

Type : string

Default : :8125

flush_period Sets how often (in milliseconds) the StatsD client's buffer is flushed. When 0, the buffer is flushed only when it is full

Type : integer

Default : 100

redis
network Network type used by the REDIS server

Type : string

Default : tcp

address Network address (ip:port) or just (:port)

Type : string

Default : :6379

database Database to select when dialing a REDIS connection

Type : integer

password Password

Type : string

connect_timeout Timeout for connecting to the Redis server [seconds] (0 = disabled)

Type : integer

read_timeout Timeout for reading a single Redis command reply [seconds] (0 = disabled)

Type : integer

write_timeout Timeout for writing a single Redis command reply [seconds] (0 = disabled)

Type : integer

pool_max_idle Maximum number of idle connections in the Redis pool (0 = disabled)

Type : integer

pool_max_active Maximum number of connections allocated by the Redis pool at a given time (0 = disabled)

Type : integer

pool_idle_timeout Time after which idle connections in the Redis pool are closed [seconds]. If the value is zero, idle connections are not closed. Applications should set the timeout to a value less than the server's timeout value.

Type : integer

max_age Amount of time for a session to expire [seconds]

Type : integer

Default : 3600

zfa
client_id Client ID

Type : string

client_secret Client secret

Type : string

backend URL of the ZFA backend

Type : string

Default : https://api.mpin.io

idp
private_key Private key

Type : string

public_certificate Public certificate

Type : string

metadata XML template for the Identity Provider SAML Metadata (EntityDescriptor)

Type : string

Default : <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="{{.ValidUntil}}" cacheDuration="{{.CacheDuration}}" entityID="{{.EntityID}}"><IDPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>{{.SigningCertificate}}</X509Certificate></X509Data></KeyInfo></KeyDescriptor><KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>{{.EncryptionCertificate}}</X509Certificate></X509Data></KeyInfo><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></EncryptionMethod><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"></EncryptionMethod><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></EncryptionMethod><EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"></EncryptionMethod></KeyDescriptor><NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="{{.SsoRedirectLocation}}"></SingleSignOnService><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{{.SsoPostLocation}}"></SingleSignOnService></IDPSSODescriptor></EntityDescriptor>

response_form HTML form template used to redirect the user to the ACS endpoint location

Type : string

Default : <?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr"><head><title>SSO REDIRECT TO: {{.URL}}</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta name="language" content="en" /><meta name="description" content="Redirect the user to the Service Provider: {{.URL}}" /></head><body onload="document.getElementById('SAMLResponseForm').submit()"><form method="post" action="{{.URL}}" id="SAMLResponseForm"><div><input type="hidden" name="SAMLResponse" id="SAMLResponse" value="{{.SAMLResponse}}" /><input type="hidden" name="RelayState" id="RelayState" value="{{.RelayState}}" /><input type="submit" value="Continue" /></div></form></body></html>

cache_duration Maximum length of time in hours a consumer should cache the metadata

Type : integer

Default : 48

max_sp_delay Maximum allowed time difference in seconds between the messages exchanged by the IDP and the SP

Type : integer

Default : 90
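The two integer settings above drive timestamps in the SAML exchange: cache_duration fills the metadata template's ValidUntil and CacheDuration, and max_sp_delay bounds the clock difference the IdP tolerates between its own time and the time stamped on an SP message. The Go program below is an added example, not code from srv-idp: it derives the two metadata values from cache_duration and checks an SP-supplied IssueInstant against max_sp_delay, rejecting a timestamp that is too far in the past or in the future alike. That the check is applied symmetrically, and that ValidUntil is computed from the current time, are assumptions about how the settings are used.

```go
package main

import (
	"fmt"
	"time"
)

// samlTime is the xs:dateTime form used in SAML messages and metadata:
// UTC with a literal Z suffix.
const samlTime = "2006-01-02T15:04:05Z"

// withinSPDelay reports whether a timestamp taken from an SP message (for
// example the AuthnRequest IssueInstant) lies within maxSPDelay seconds of
// the IdP clock. The difference is taken in both directions, so an SP clock
// that runs fast is rejected just like one that runs slow.
func withinSPDelay(issueInstant string, now time.Time, maxSPDelay int) (bool, error) {
	if maxSPDelay < 0 {
		return false, fmt.Errorf("max_sp_delay must not be negative: %d", maxSPDelay)
	}
	t, err := time.Parse(time.RFC3339, issueInstant)
	if err != nil {
		return false, fmt.Errorf("IssueInstant %q: %w", issueInstant, err)
	}
	diff := now.Sub(t)
	if diff < 0 {
		diff = -diff
	}
	return diff <= time.Duration(maxSPDelay)*time.Second, nil
}

// metadataValidity derives the two metadata attributes from cache_duration
// (hours): validUntil as an absolute instant and cacheDuration as an
// ISO 8601 duration, the xs:duration form expected in SAML metadata.
func metadataValidity(now time.Time, cacheHours int) (validUntil, cacheDuration string, err error) {
	if cacheHours <= 0 {
		return "", "", fmt.Errorf("cache_duration must be positive: %d", cacheHours)
	}
	validUntil = now.UTC().Add(time.Duration(cacheHours) * time.Hour).Format(samlTime)
	cacheDuration = fmt.Sprintf("PT%dH", cacheHours)
	return validUntil, cacheDuration, nil
}

func main() {
	// Constructed "current" time for a reproducible run.
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	for _, ts := range []string{"2024-01-01T11:59:30Z", "2024-01-01T11:57:00Z", "2024-01-01T12:01:00Z", "yesterday"} {
		ok, err := withinSPDelay(ts, now, 90)
		fmt.Printf("%-22s within 90s: %v (err=%v)\n", ts, ok, err)
	}
	vu, cd, _ := metadataValidity(now, 48)
	fmt.Println("validUntil:", vu, "cacheDuration:", cd)
}
```

With the page's default of 90 seconds, a request stamped 30 seconds ago or 60 seconds ahead is accepted and one stamped three minutes ago is refused; a malformed timestamp is an error rather than a pass.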

profile
assertion
global Global (default) profile

Type : string

Default : <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="{{.ID}}" IssueInstant="{{.TimeNow}}" Version="2.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">{{.MetadataEntityID}}</Issuer>{{.SignatureBlock}}<Subject>{{.NameID}}<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData NotOnOrAfter="{{.TimeExpire}}" Address="{{.RecipientIP}}" Recipient="{{.Recipient}}" {{if not (eq .AuthnRequestID "")}}InResponseTo="{{.AuthnRequestID}}"{{end}}/></SubjectConfirmation></Subject><Conditions NotBefore="{{.TimeNow}}" NotOnOrAfter="{{.TimeExpire}}"><AudienceRestriction><Audience>{{.SPEntityID}}</Audience></AudienceRestriction></Conditions><AuthnStatement AuthnInstant="{{.SessionCreateTime}}" SessionIndex="{{.SessionIndex}}" SessionNotOnOrAfter="{{.TimeExpire}}"><SubjectLocality Address="{{.RemoteAddress}}" /><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef></AuthnContext></AuthnStatement>{{.AttributeStatement}}</Assertion>

any

Type : string

nameid
global Global (default) profile

Type : string

Default : <NameID NameQualifier="{{.MetadataEntityID}}" SPNameQualifier="{{.SPEntityID}}" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">{{.ServiceProviderUserID}}</NameID>

any

Type : string

attribute
global Global (default) profile

Type : string

Default : <AttributeStatement>{{ if not (eq .ServiceProviderUserID "")}}<Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><AttributeValue xmlns:XMLSchema-instance="http://www.w3.org/2001/XMLSchema-instance" XMLSchema-instance:type="xs:string">{{.ServiceProviderUserID}}</AttributeValue></Attribute>{{end}}{{ if not (eq .SessionUserEmail "")}}<Attribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><AttributeValue xmlns:XMLSchema-instance="http://www.w3.org/2001/XMLSchema-instance" XMLSchema-instance:type="xs:string">{{.SessionUserEmail}}</AttributeValue></Attribute><Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><AttributeValue xmlns:XMLSchema-instance="http://www.w3.org/2001/XMLSchema-instance" XMLSchema-instance:type="xs:string">{{.SessionUserEmail}}</AttributeValue></Attribute>{{end}}</AttributeStatement>

any

Type : string

response
global Global (default) profile

Type : string

Default : <Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0" Destination="{{.Destination}}" {{if not (eq .AuthnRequestID "")}}InResponseTo="{{.AuthnRequestID}}"{{end}} IssueInstant="{{.TimeNow}}" ID="{{.ID}}">{{if not (eq .MetadataEntityID "")}}<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">{{.MetadataEntityID}}</Issuer>{{end}}{{.SignatureBlock}}<Status xmlns="urn:oasis:names:tc:SAML:2.0:protocol"><StatusCode xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Value="{{.StatusCodeTL}}">{{if not (eq .StatusCodeSL "")}}<StatusCode xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Value="{{.StatusCodeSL}}" />{{end}}</StatusCode>{{if not (eq .StatusMessage "")}}<StatusMessage xmlns="urn:oasis:names:tc:SAML:2.0:protocol">{{.StatusMessage}}</StatusMessage>{{end}}</Status>{{.Assertion}}</Response>

any

Type : string

signature
global Global (default) profile

Type : string

Default : <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></SignatureMethod><Reference URI="{{.ReferenceURI}}"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></DigestMethod><DigestValue></DigestValue></Reference></SignedInfo><SignatureValue></SignatureValue><KeyInfo><X509Data><X509Certificate>{{.Certificate}}</X509Certificate></X509Data></KeyInfo></Signature>

any

Type : string

ldap
server
global
method Connection method: 'none' disables this LDAP profile, 'plain' uses an unencrypted connection and 'tls' uses TLS

Type : string

Default : none

address Host address (ip:port)

Type : string

Default : 127.0.0.1:389

user User

Type : string

Default : cn=Directory Manager

password Password

Type : string

Default : secret

any
method Connection method: 'none' disables this LDAP profile, 'plain' uses an unencrypted connection and 'tls' uses TLS

Type : string

Default : none

address Host address (ip:port)

Type : string

user User

Type : string

password Password

Type : string

query
global
server Name of the LDAP server as defined in the server section

Type : string

Default : global

search
any
server Name of the LDAP server as defined in the server section

Type : string

Default : global

search
sp
any
description SP description

Type : string

issuer SP key, as returned by SAML Issuer.XCDATA or Issuer.SPProvidedID

Type : string

relay_state Static RelayState used in IdP-initiated login

Type : string

Default : /

idp_initiated_acs_index Index of the <AssertionConsumerService> to use for IdP-initiated login

Type : integer

login_url SP login page URL (optional).

Type : string

logout_url SP logout page URL used during IdP-initiated logout (optional)

Type : string

slo_url SP SLO (Single Logout) URL (optional): the location to which the SLO Response from the IdP is returned

Type : string

metadata Metadata XML Template (Entity Descriptor)

Type : string
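For IdP-initiated login the IdP has to pick one <AssertionConsumerService> out of the SP's metadata (the idp_initiated_acs_index above) and post the SAMLResponse to it with the response_form. The Go program below is an added example, not code from srv-idp: it parses a constructed SP EntityDescriptor, selects the endpoint whose index attribute matches the configured value, and refuses endpoints that do not use the HTTP-POST binding or whose Location is not https, since the signed assertion travels through the user's browser to that address. Matching on the SAML index attribute rather than on list position is an assumption about how the setting is interpreted.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

const postBinding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

// Only the parts of the SP EntityDescriptor needed to choose an ACS are mapped.
type AssertionConsumerService struct {
	Binding   string `xml:"Binding,attr"`
	Location  string `xml:"Location,attr"`
	Index     int    `xml:"index,attr"`
	IsDefault bool   `xml:"isDefault,attr"`
}

type SPEntityDescriptor struct {
	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	EntityID string   `xml:"entityID,attr"`
	SPSSO    struct {
		ACS []AssertionConsumerService `xml:"AssertionConsumerService"`
	} `xml:"SPSSODescriptor"`
}

// parseSPMetadata unmarshals an SP metadata document and requires an entityID,
// which is what the sp.issuer setting is matched against.
func parseSPMetadata(doc string) (*SPEntityDescriptor, error) {
	var md SPEntityDescriptor
	if err := xml.Unmarshal([]byte(doc), &md); err != nil {
		return nil, err
	}
	if md.EntityID == "" {
		return nil, fmt.Errorf("metadata has no entityID")
	}
	return &md, nil
}

// selectACS returns the Location of the ACS whose index attribute equals
// acsIndex. The response_form posts the SAMLResponse, so the endpoint must
// use the HTTP-POST binding, and the Location must be https.
func selectACS(md *SPEntityDescriptor, acsIndex int) (string, error) {
	for _, acs := range md.SPSSO.ACS {
		if acs.Index != acsIndex {
			continue
		}
		if acs.Binding != postBinding {
			return "", fmt.Errorf("ACS index %d uses binding %s, not HTTP-POST", acsIndex, acs.Binding)
		}
		if !strings.HasPrefix(strings.ToLower(acs.Location), "https://") {
			return "", fmt.Errorf("ACS index %d location %q is not https", acsIndex, acs.Location)
		}
		return acs.Location, nil
	}
	return "", fmt.Errorf("no AssertionConsumerService with index %d in metadata for %s", acsIndex, md.EntityID)
}

// sampleSPMetadata is a constructed SP EntityDescriptor with three endpoints:
// a usable POST endpoint, an Artifact endpoint and a POST endpoint over plain http.
const sampleSPMetadata = `<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.com/metadata">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/saml/acs" index="0" isDefault="true"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://sp.example.com/saml/artifact" index="1"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://sp.example.com/saml/acs-plain" index="2"/>
  </SPSSODescriptor>
</EntityDescriptor>`

func main() {
	md, err := parseSPMetadata(sampleSPMetadata)
	if err != nil {
		panic(err)
	}
	for _, idx := range []int{0, 1, 2, 7} {
		loc, err := selectACS(md, idx)
		fmt.Printf("idp_initiated_acs_index=%d: location=%q err=%v\n", idx, loc, err)
	}
}
```

Only index 0 yields a usable endpoint in the sample; the other three configurations fail closed with a message naming the reason, which is the behaviour to want when the setting and the metadata drift apart.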

sign_response Indicates if the SAML response should be signed

Type : boolean

sign_assertion Indicates if each SAML assertion should be signed

Type : boolean

encrypt_assertion Indicates if each SAML assertion should be encrypted

Type : boolean

user_id_transform
authorize
profile
assertion Assertion template name

Type : string

Default : global

nameid NameID template name

Type : string

Default : global

attribute AttributeStatement template name

Type : string

Default : global

response Response template name

Type : string

Default : global

signature Signature template name

Type : string

Default : global
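Several settings in this reference decide the security posture of a deployment on their own: an empty remoteConfigSecretKeyring fetches the remote configuration over a non-secure connection, an LDAP profile in 'plain' mode sends the bind credentials unencrypted, the ldap.server.global defaults ship with the password 'secret', and a Service Provider entry with neither sign_response nor sign_assertion set produces an unsigned SAML response. The Go program below is an added example, not code from srv-idp: it loads a constructed configuration using the key names and nesting shown on this page (JSON as the on-disk format is an assumption) and reports each of those conditions, so the check can run against a real configuration file before deployment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"sort"
)

// The structs mirror the key names and nesting of the reference; only the
// keys the checks need are mapped. JSON as the file format is an assumption.
type LDAPServer struct {
	Method   string `json:"method"`
	Address  string `json:"address"`
	User     string `json:"user"`
	Password string `json:"password"`
}

type SPConfig struct {
	Description      string `json:"description"`
	Issuer           string `json:"issuer"`
	SignResponse     bool   `json:"sign_response"`
	SignAssertion    bool   `json:"sign_assertion"`
	EncryptAssertion bool   `json:"encrypt_assertion"`
}

type Config struct {
	RemoteConfigProvider      string `json:"remoteConfigProvider"`
	RemoteConfigSecretKeyring string `json:"remoteConfigSecretKeyring"`
	Redis                     struct {
		MaxAge int `json:"max_age"`
	} `json:"redis"`
	LDAP struct {
		Server map[string]LDAPServer `json:"server"`
	} `json:"ldap"`
	SP map[string]SPConfig `json:"sp"`
}

// isLoopback reports whether an ip:port address points at the local host.
func isLoopback(addr string) bool {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return false
	}
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// audit returns one finding per weak setting, sorted for stable output.
func audit(c Config) []string {
	var f []string
	if c.RemoteConfigProvider != "" && c.RemoteConfigSecretKeyring == "" {
		f = append(f, "remote config: remoteConfigSecretKeyring is empty, so the remote configuration is fetched over a non-secure connection")
	}
	if c.Redis.MaxAge <= 0 {
		f = append(f, "redis: max_age must be a positive number of seconds")
	}
	for name, s := range c.LDAP.Server {
		switch s.Method {
		case "none":
			continue // profile disabled, nothing else to check
		case "plain":
			if !isLoopback(s.Address) {
				f = append(f, fmt.Sprintf("ldap.server.%s: method 'plain' sends credentials unencrypted to %s", name, s.Address))
			}
		case "tls":
		default:
			f = append(f, fmt.Sprintf("ldap.server.%s: unknown method %q (expected none, plain or tls)", name, s.Method))
			continue
		}
		if s.Password == "secret" {
			f = append(f, fmt.Sprintf("ldap.server.%s: password is the reference's default value 'secret'", name))
		}
	}
	for name, sp := range c.SP {
		if sp.Issuer == "" {
			f = append(f, fmt.Sprintf("sp.%s: issuer is empty, so the SP cannot be matched", name))
		}
		if !sp.SignResponse && !sp.SignAssertion {
			f = append(f, fmt.Sprintf("sp.%s: neither sign_response nor sign_assertion is set, so the SAML response is unsigned", name))
		}
	}
	sort.Strings(f)
	return f
}

// auditJSON parses a configuration document and audits it.
func auditJSON(doc []byte) ([]string, error) {
	var c Config
	if err := json.Unmarshal(doc, &c); err != nil {
		return nil, err
	}
	return audit(c), nil
}

// sampleConfig is a constructed configuration that trips every check.
const sampleConfig = `{
  "remoteConfigProvider": "consul",
  "remoteConfigEndpoint": "127.0.0.1:8500",
  "remoteConfigPath": "/config/srv-idp",
  "remoteConfigSecretKeyring": "",
  "redis": {"network": "tcp", "address": ":6379", "max_age": 3600},
  "ldap": {"server": {"global": {"method": "plain", "address": "10.0.0.5:389", "user": "cn=Directory Manager", "password": "secret"}}},
  "sp": {"example": {"description": "Example SP", "issuer": "https://sp.example.com/metadata", "sign_response": false, "sign_assertion": false}}
}`

func main() {
	findings, err := auditJSON([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("-", f)
	}
}
```

The sample yields four findings. Switching the LDAP profile to 'tls' with a non-default password, pointing remoteConfigSecretKeyring at a keyring file and enabling sign_assertion (or sign_response) for the SP brings the count to zero.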
