Configuration reference

All configurable aspects of the IAM are configured via environment variables and Spring profile directives.

IAM Spring profiles

Spring profiles are used to enable/disable group of IAM functionalities. Currently the following profiles are defined:

Profile name Active by default Description
prod no This is the profile you should enable when using IAM
h2-test yes Enables h2 in-memory database, useful for development and testing
mysql-test no Like h2-test, but used to develop against a MySQL database
google no Enables Google authentication
saml no Enables SAML authentication
registration yes Enables user registration and reset password functionalities

Profiles are enabled by setting the spring.profiles.active Java system property when starting the IAM service. This can be done, using the official IAM docker image, by setting the IAM_JAVA_OPTS environment variable as follows:

IAM_JAVA_OPTS="-Dspring.profiles.active=prod,google,saml"

Basic service configuration

# The IAM service will list for requests on this host.
IAM_HOST=localhost

# The IAM service webapp will bind on this port.
IAM_PORT=8080

# The IAM web application base URL
IAM_BASE_URL=http://${IAM_HOST}:8080

# The OpenID Connect issuer configured for this IAM instance.
# This must be equal to IAM_BASE_URL
IAM_ISSUER=http://${IAM_HOST}:8080

# The path to the JSON keystore that holds the keys IAM will use to sign and
# verify token signatures
IAM_KEY_STORE_LOCATION=

# IAM will look for trust anchors in this directory.  These trust anchors are
# needed for TLS operations where the IAM acts as a client (i.e., to
# authenticate to remote SAML Identity providers)
IAM_X509_TRUST_ANCHORS_DIR=/etc/grid-security/certificates

# How frequently (in seconds) should trust anchors be refreshed
IAM_X509_TRUST_ANCHORS_REFRESH=14400

# Use forwarded headers from reverse proxy. Set this to true when deploying the
# service behind a reverse proxy.
IAM_USE_FORWARDED_HEADERS=false

## Tomcat embedded container settings

# Enables the tomcat access log
IAM_TOMCAT_ACCESS_LOG_ENABLED=false

# Directory where the tomcat access log will be written (when enabled)
IAM_TOMCAT_ACCESS_LOG_DIRECTORY=/tmp

## Token content settings 

# Include authentication claims in issued access tokens
IAM_ACCESS_TOKEN_INCLUDE_AUTHN_INFO=false

Organization configuration

# The name of the organization managed by this IAM instance.
IAM_ORGANISATION_NAME=indigo-dc

# URL of logo image used in the IAM dashboard (by default the INDIGO-Datacloud
# project logo image is used)
IAM_LOGO_URL=resources/images/indigo-logo.png

# String displayed into the brower top bar when accessing the IAM dashboard
IAM_TOPBAR_TITLE="INDIGO IAM for ${IAM_ORGANISATION_NAME}"

Database configuration

# The host where the MariaDB/MySQL daemon is running
IAM_DB_HOST=

# The database port
IAM_DB_PORT=3306

# The database name
IAM_DB_NAME=iam

# The database username
IAM_DB_USERNAME=iam

# The database password 
IAM_DB_PASSWORD=pwd

## Database connection pool options

# Maximum number of active connections to the database
IAM_DB_MAX_ACTIVE=50

# Maximum number of idle connections in the pool 
IAM_DB_MAX_IDLE=5

# Initial size of the database connection pool
IAM_DB_INITIAL_SIZE=8

# Should idle connections in the pool be tested?
IAM_DB_TEST_WHILE_IDLE=true

# Should connections in the pool be tested when borrowed?
IAM_DB_TEST_ON_BORROW=true

# Which SQL query should be used to test connections?
IAM_DB_VALIDATION_QUERY=SELECT 1

# Time between database connection pool eviction runs (in msec)
IAM_DB_TIME_BETWEEN_EVICTION_RUNS_MILLIS=5000

# The minimum amount of time a connection may be idle in the pool
# before it is considered for eviction (in msec)
IAM_DB_MIN_EVICTABLE_IDLE_TIME_MILLIS=60000

Google authentication settings

# The Google OAuth client id
IAM_GOOGLE_CLIENT_ID=

# The OAuth client secret
IAM_GOOGLE_CLIENT_SECRET=

For more information and examples, see the Enabling Google Authentication section.

SAML authentication settings

# The SAML entity ID for this IAM instance
IAM_SAML_ENTITY_ID=

# Text shown in the SAML login button on the IAM login page
IAM_SAML_LOGIN_BUTTON_TEXT=Sign in with SAML

## SAML keystore settings

# The keystore holding certificates and keys used for SAML crypto
IAM_SAML_KEYSTORE= 

# The SAML keystore password
IAM_SAML_KEYSTORE_PASSWORD=

# The identifier of the key that should be used to sign requests/assertions
IAM_SAML_KEY_ID=

# The password of the SAML key that will be used to sign requests/assertions
IAM_SAML_KEY_PASSWORD=

## Metadata settings

# a URL pointing to the SAML federation or IdP metadata
IAM_SAML_IDP_METADATA=

# Metadata refresh period (in seconds)
IAM_SAML_METADATA_LOOKUP_SERVICE_REFRESH_PERIOD_SEC=600

# Should signature validity checks be enforced on metadata?
IAM_SAML_METADATA_REQUIRE_VALID_SIGNATURE=false

# Trust only IdPs that have SIRTFI compliance
IAM_SAML_METADATA_REQUIRE_SIRTFI=false

# Comma-separated IDP entity ID whitelist. When empty
# all IdPs included in the metadata are whitelisted
IAM_SAML_IDP_ENTITY_ID_WHITELIST=

## Assertion validity settings

# Maxixum allowed assertion time (in seconds)
IAM_SAML_MAX_ASSERTION_TIME=3000

# Maximum authentication age (in seconds)
IAM_SAML_MAX_AUTHENTICATION_AGE=86400

## Other settings

# List of attribute aliases that are looked up in assertion to identify the 
# user authenticated with SAML
IAM_SAML_ID_RESOLVERS=eduPersonUniqueId,eduPersonTargetedId,eduPersonPrincipalName

For more information and examples, see the Enabling SAML Authentication section.

Notification service settings

## SMTP mail server settings 

# SMTP server hostname 
IAM_MAIL_HOST=localhost

# SMTP server port 
IAM_MAIL_PORT=25

# SMTP server username
IAM_MAIL_USERNAME=

# SMTP server password
IAM_MAIL_PASSWORD=

## IAM notification settings

# Should the notification server be disabled?
# When set to true, notifications are not sent to the mail server (but
# printed to the logs)
IAM_NOTIFICATION_DISABLE=false

# The email address used as the sender in IAM email notifications
IAM_NOTIFICATION_FROM=indigo@localhost

# The email address used as the recipient in IAM email notifications
IAM_NOTIFICATION_ADMIN_ADDRESS=indigo-alerts@localhost

# Time interval, in milliseconds, between two consecutive runs of IAM notification 
# dispatch task 
IAM_NOTIFICATION_TASK_DELAY=30000

# Retention of delivered messages, in days
IAM_NOTIFICATION_CLEANUP_AGE=30

Account linking settings

# Should account linking be disabled? When set to true users cannot
# link external accounts (Google, SAML) to their local IAM account
IAM_ACCOUNT_LINKING_DISABLE=false

results matching ""

    No results matching ""