Configuration

IAM service configuration reference

Most IAM configurable aspects are configured via environment variables and Spring profile directives.

Spring profiles

Spring profiles are used to enable/disable group of IAM functionalities. Currently the following profiles are defined:

Profile name Active by default Description
prod no This is the profile you should enable when using IAM
h2-test yes Enables h2 in-memory database, useful for development and testing
mysql-test no Like h2-test, but used to develop against a MySQL database
google no Enables Google authentication
saml no Enables SAML authentication
registration yes Enables user registration and reset password functionalities

Profiles are enabled by setting the spring.profiles.active Java system property when starting the IAM service. This can be done, using the official IAM docker image, by setting the IAM_JAVA_OPTS environment variable as follows:

IAM_JAVA_OPTS="-Dspring.profiles.active=prod,google,saml"

Overriding default configuration templates

Fine-grained control over configuration can be obtained following the rules for spring boot externalized configuration. This basically means defining one or more YAML files to override the default configuration files embedded in the IAM Web Archive (war) package for the Spring profiles activated for your instance. The files must be placed in the IAM configuration directory, which depends on how you deployed IAM:

Deployment type Configuration directory
Docker /indigo-iam/config/
Package (RPM) /etc/indigo-iam/config

IMPORTANT: the default configuration should solve most use cases, override default configuration only if you know what you are doing, and for those scenarios not served by the default templates.

Basic service configuration

# The IAM service will list for requests on this host.
IAM_HOST=localhost

# The IAM service webapp will bind on this port.
IAM_PORT=8080

# The IAM web application base URL
IAM_BASE_URL=http://${IAM_HOST}:8080

# The OpenID Connect issuer configured for this IAM instance.
# This must be equal to IAM_BASE_URL
IAM_ISSUER=http://${IAM_HOST}:8080

# The path to the JSON keystore that holds the keys IAM will use to sign and
# verify token signatures
IAM_KEY_STORE_LOCATION=

# IAM will look for trust anchors in this directory.  These trust anchors are
# needed for TLS operations where the IAM acts as a client (i.e., to
# authenticate to remote SAML Identity providers)
IAM_X509_TRUST_ANCHORS_DIR=/etc/grid-security/certificates

# How frequently (in seconds) should trust anchors be refreshed
IAM_X509_TRUST_ANCHORS_REFRESH=14400

# Use forwarded headers from reverse proxy. Set this to true when deploying the
# service behind a reverse proxy.
IAM_USE_FORWARDED_HEADERS=false

## Tomcat embedded container settings

# Enables the tomcat access log
IAM_TOMCAT_ACCESS_LOG_ENABLED=false

# Directory where the tomcat access log will be written (when enabled)
IAM_TOMCAT_ACCESS_LOG_DIRECTORY=/tmp

## Actuator endpoint settings

# Sets the username of the user allowed to have privileged access to actuator
# endpoints
IAM_SUPERUSER_USERNAME=whatever

# Sets the password of the user allowed to have privileged access to actuator
# endpoints
IAM_SUPERUSER_PASSWORD=whatever

## Local resources configuration

# Enables the serving of resources from the local file system 
IAM_LOCAL_RESOURCES_ENABLE=false

# Sets the directory that contains the local resources that should be exposed
IAM_LOCAL_RESOURCES_LOCATION=file:/indigo-iam/local-resources

Organization configuration

# The name of the organization managed by this IAM instance.
IAM_ORGANISATION_NAME=indigo-dc

# URL of logo image used in the IAM dashboard (by default the INDIGO-Datacloud
# project logo image is used)
IAM_LOGO_URL=resources/images/indigo-logo.png

# Size of the logo image (in pixels)
IAM_LOGO_DIMENSION=200

# Height of the logo image (in pixels)
IAM_LOGO_HEIGTH=150

# Width of the logo image (in pixels)
IAM_LOGO_WIDTH=200

# String displayed into the brower top bar when accessing the IAM dashboard
IAM_TOPBAR_TITLE="INDIGO IAM for ${IAM_ORGANISATION_NAME}"

Access token contents configuration

## Token content settings 

# Include authentication claims in issued access tokens
IAM_ACCESS_TOKEN_INCLUDE_AUTHN_INFO=false

# Includes the scope in issued access tokens
IAM_ACCESS_TOKEN_INCLUDE_SCOPE=false

# Includes the nbf claim in issued access tokens
IAM_ACCESS_TOKEN_INCLUDE_NBF=false

Database configuration

# The host where the MariaDB/MySQL daemon is running
IAM_DB_HOST=

# The database port
IAM_DB_PORT=3306

# The database name
IAM_DB_NAME=iam

# The database username
IAM_DB_USERNAME=iam

# The database password 
IAM_DB_PASSWORD=pwd

## Database connection pool options

# Maximum number of active connections to the database
IAM_DB_MAX_ACTIVE=50

# Maximum number of idle connections in the pool 
IAM_DB_MAX_IDLE=5

# Initial size of the database connection pool
IAM_DB_INITIAL_SIZE=8

# Should idle connections in the pool be tested?
IAM_DB_TEST_WHILE_IDLE=true

# Should connections in the pool be tested when borrowed?
IAM_DB_TEST_ON_BORROW=true

# Which SQL query should be used to test connections?
IAM_DB_VALIDATION_QUERY=SELECT 1

# Time between database connection pool eviction runs (in msec)
IAM_DB_TIME_BETWEEN_EVICTION_RUNS_MILLIS=5000

# The minimum amount of time a connection may be idle in the pool
# before it is considered for eviction (in msec)
IAM_DB_MIN_EVICTABLE_IDLE_TIME_MILLIS=60000

Google authentication settings

# The Google OAuth client id
IAM_GOOGLE_CLIENT_ID=

# The OAuth client secret
IAM_GOOGLE_CLIENT_SECRET=

For more information and examples, see the OpenID Connect Authentication section.

SAML authentication settings

# The SAML entity ID for this IAM instance
IAM_SAML_ENTITY_ID=

# Text shown in the SAML login button on the IAM login page
IAM_SAML_LOGIN_BUTTON_TEXT=Sign in with SAML

## SAML keystore settings

# The keystore holding certificates and keys used for SAML crypto
IAM_SAML_KEYSTORE= 

# The SAML keystore password
IAM_SAML_KEYSTORE_PASSWORD=

# The identifier of the key that should be used to sign requests/assertions
IAM_SAML_KEY_ID=

# The password of the SAML key that will be used to sign requests/assertions
IAM_SAML_KEY_PASSWORD=

## Metadata settings

# a URL pointing to the SAML federation or IdP metadata
IAM_SAML_IDP_METADATA=

# Metadata refresh period (in seconds)
IAM_SAML_METADATA_LOOKUP_SERVICE_REFRESH_PERIOD_SEC=600

# Should signature validity checks be enforced on metadata?
IAM_SAML_METADATA_REQUIRE_VALID_SIGNATURE=false

# Trust only IdPs that have SIRTFI compliance
IAM_SAML_METADATA_REQUIRE_SIRTFI=false

# Comma-separated IDP entity ID whitelist. When empty
# all IdPs included in the metadata are whitelisted
IAM_SAML_IDP_ENTITY_ID_WHITELIST=

## Assertion validity settings

# Maxixum allowed assertion time (in seconds)
IAM_SAML_MAX_ASSERTION_TIME=3000

# Maximum authentication age (in seconds)
IAM_SAML_MAX_AUTHENTICATION_AGE=86400

## Other settings

# List of attribute aliases that are looked up in assertion to identify the 
# user authenticated with SAML
IAM_SAML_ID_RESOLVERS=eduPersonUniqueId,eduPersonTargetedId,eduPersonPrincipalName

For more information and examples, see the SAML Authentication section.

Notification service settings

## SMTP mail server settings 

# SMTP server hostname 
IAM_MAIL_HOST=localhost

# SMTP server port 
IAM_MAIL_PORT=25

# SMTP server username
IAM_MAIL_USERNAME=

# SMTP server password
IAM_MAIL_PASSWORD=

## IAM notification settings

# Should the notification server be disabled?
# When set to true, notifications are not sent to the mail server (but
# printed to the logs)
IAM_NOTIFICATION_DISABLE=false

# The email address used as the sender in IAM email notifications
IAM_NOTIFICATION_FROM=indigo@localhost

# The email address used as the recipient in IAM email notifications
IAM_NOTIFICATION_ADMIN_ADDRESS=indigo-alerts@localhost

# Time interval, in milliseconds, between two consecutive runs of IAM notification 
# dispatch task 
IAM_NOTIFICATION_TASK_DELAY=30000

# Retention of delivered messages, in days
IAM_NOTIFICATION_CLEANUP_AGE=30

Account linking settings

# Should account linking be disabled? When set to true users cannot
# link external accounts (Google, SAML) to their local IAM account
IAM_ACCOUNT_LINKING_DISABLE=false 

Privacy policy settings

# An URL pointing to a privacy policy document which applies
# to this IAM instance. When left blank, no privacy policy link 
# is displayed in the login page
IAM_PRIVACY_POLICY_URL=

# The text displayed in the login page for the privacy policy URL specified
# above
IAM_PRIVACY_POLICY_TEXT=Privacy policy
Last modified September 9, 2021: Massive renaming (6830714)