Parameter list
Tip
The attribute key
name can be used directly in lemonldap-ng.ini or in Perl scripts to
override configuration parameters (see
configuration location).
Main parameters
| Key name | Documentation | Portal | Handler | Manager | ini file only |
|---|---|---|---|---|---|
| ADPwdExpireWarning | AD password expire warning | ✔ | |||
| ADPwdMaxAge | AD password max age | ✔ | |||
| AuthLDAPFilter | LDAP filter for auth search | ✔ | |||
| LDAPFilter | Default LDAP filter | ✔ | |||
| SMTPAuthPass | Password to use to send mails | ✔ | |||
| SMTPAuthUser | Login to use to send mails | ✔ | |||
| SMTPPort | Fix SMTP port | ✔ | |||
| SMTPServer | SMTP Server | ✔ | |||
| SMTPTLS | TLS protocol to use with SMTP | ✔ | |||
| SMTPTLSOpts | TLS/SSL options for SMTP | ✔ | |||
| SSLAuthnLevel | Mutual TLS authentication level | ✔ | |||
| SSLIssuerVar | | ✔ | |||
| SSLVar | | ✔ | |||
| SSLVarIf | | ✔ | |||
| activeTimer | Enable timers on portal pages | ✔ | |||
| adaptativeAuthenticationLevelRules | Adaptive authentication level rules | ✔ | |||
| adminLogoutServerSecret | REST OIDC token revocation secret | ✔ | |||
| apacheAuthnLevel | Apache authentication level | ✔ | |||
| appAccessHistoryEnabled | Shall OIDC/SAML/CAS protected apps access be recorded to session? | ✔ | |||
| applicationList | Applications list | ✔ | |||
| authChoiceAuthBasic | Auth module used by AuthBasic handler | ✔ | |||
| authChoiceFindUser | Auth module used by FindUser plugin | ✔ | |||
| authChoiceModules | Hash list of Choice strings | ✔ | |||
| authChoiceParam | Applications list | ✔ | |||
| authChoiceSelectOnly | Automatically select only available choice | ✔ | |||
| authentication | Authentication module | ✔ | |||
| autoSigninRules | List of auto signin rules | ✔ | |||
| available2F | Available second factor modules | ✔ | ✔ | ||
| available2FSelfRegistration | Available self-registration modules for second factor | ✔ | ✔ | ||
| avoidAssignment | Avoid assignment in expressions | ✔ | ✔ | ||
| browsersDontStorePassword | Prevent browsers from storing users' passwords | ✔ | |||
| bruteForceProtection | Enable brute force attack protection | ✔ | |||
| bruteForceProtectionIncrementalTempo | Enable incremental lock time for brute force attack protection | ✔ | |||
| bruteForceProtectionLockTimes | Incremental lock time values for brute force attack protection | ✔ | |||
| bruteForceProtectionMaxAge | Max age between current and first failed login | ✔ | |||
| bruteForceProtectionMaxFailed | Max allowed failed logins | ✔ | |||
| bruteForceProtectionMaxLockTime | Max lock time | ✔ | |||
| bruteForceProtectionTempo | Lock time | ✔ | |||
| cacheTagSalt | Salt value for cache busting tag | ✔ | |||
| captcha | Captcha backend module | ✔ | ✔ | ||
| captchaOptions | Captcha module options | ✔ | ✔ | ||
| captcha_login_enabled | Captcha on login page | ✔ | |||
| captcha_mail_enabled | Captcha on password reset page | ✔ | |||
| captcha_register_enabled | Captcha on account creation page | ✔ | |||
| captcha_size | Captcha size | ✔ | |||
| casAccessControlPolicy | CAS access control policy | ✔ | |||
| casAppMetaDataOptions | Root of CAS app options | ✔ | [1] | ||
| casAttr | Pivot attribute for CAS | ✔ | |||
| casAttributes | CAS exported attributes | ✔ | |||
| casAuthnLevel | CAS authentication level | ✔ | |||
| casBackChannelSingleLogout | Enable CAS (Back-Channel) Single Logout | ✔ | |||
| casSrvMetaDataOptions | Root of CAS server options | ✔ | [1] | ||
| casStorage | Apache::Session module to store CAS user data | ✔ | |||
| casStorageOptions | Apache::Session module parameters | ✔ | |||
| casStrictMatching | Disable host-based matching of CAS services | ✔ | |||
| casTicketExpiration | Expiration time of Service and Proxy tickets | ✔ | |||
| cda | Enable Cross Domain Authentication | ✔ | ✔ | ||
| certificateResetByMailCeaAttribute | | ✔ | |||
| certificateResetByMailCertificateAttribute | | ✔ | |||
| certificateResetByMailStep1Body | Custom Certificate reset mail body | ✔ | |||
| certificateResetByMailStep1Subject | Mail subject for certificate reset email | ✔ | |||
| certificateResetByMailStep2Body | Custom confirm Certificate reset mail body | ✔ | |||
| certificateResetByMailStep2Subject | Mail subject for reset confirmation | ✔ | |||
| certificateResetByMailURL | URL of certificate reset page | ✔ | |||
| certificateResetByMailValidityDelay | | ✔ | |||
| cfgAuthor | Name of the author of the current configuration | ✔ | ✔ | ||
| cfgAuthorIP | Uploader IP address of the current configuration | ✔ | ✔ | ||
| cfgDate | Timestamp of the current configuration | ✔ | ✔ | ||
| cfgLog | Configuration update log | ✔ | ✔ | ||
| cfgNum | Enable Cross Domain Authentication | ✔ | ✔ | ||
| cfgVersion | Version of LLNG which built the configuration | ✔ | ✔ | ||
| checkDevOps | Enable check DevOps | ✔ | |||
| checkDevOpsCheckSessionAttributes | Check if session attributes exist | ✔ | |||
| checkDevOpsDisplayNormalizedHeaders | Display normalized headers | ✔ | |||
| checkDevOpsDownload | Enable check DevOps download field | ✔ | |||
| checkEntropy | Enable entropy check of password | ✔ | |||
| checkEntropyRequired | Require entropy check to pass | ✔ | |||
| checkEntropyRequiredLevel | Minimal entropy required for the password to be accepted | ✔ | |||
| checkHIBP | Enable check HIBP | ✔ | |||
| checkHIBPRequired | Require HIBP check to pass | ✔ | |||
| checkHIBPURL | URL of Have I Been Pwned API | ✔ | |||
| checkMsg | Timeout to check new event | ✔ | ✔ | ✔ | |
| checkState | Enable CheckState plugin | ✔ | |||
| checkStateSecret | Secret token for CheckState plugin | ✔ | |||
| checkTime | Timeout to check new configuration in local cache | ✔ | ✔ | ✔ | |
| checkUser | Enable check user | ✔ | |||
| checkUserDisplayComputedSession | Display empty headers rule | ✔ | |||
| checkUserDisplayEmptyHeaders | Display empty headers rule | ✔ | |||
| checkUserDisplayEmptyValues | Display session empty values rule | ✔ | |||
| checkUserDisplayHiddenAttributes | Display hidden attributes rule | ✔ | |||
| checkUserDisplayHistory | Display history rule | ✔ | |||
| checkUserDisplayNormalizedHeaders | Display normalized headers rule | ✔ | |||
| checkUserDisplayPersistentInfo | Display persistent session info rule | ✔ | |||
| checkUserHiddenAttributes | Attributes to hide in CheckUser plugin | ✔ | |||
| checkUserHiddenHeaders | Header values to hide if not empty | ✔ | |||
| checkUserIdRule | checkUser identities rule | ✔ | |||
| checkUserSearchAttributes | Attributes used for retrieving sessions in user database | ✔ | |||
| checkUserUnrestrictedUsersRule | checkUser unrestricted users rule | ✔ | |||
| checkXSS | Check XSS | ✔ | |||
| combModules | Combination module description | ✔ | |||
| combination | Combination rule | ✔ | |||
| compactConf | Compact configuration | ✔ | |||
| configStorage | Configuration storage | ✔ | ✔ | ✔ | ✔ |
| confirmFormMethod | HTTP method for confirm page form | ✔ | |||
| contextSwitchingAllowed2fModifications | Allowed SFA modifications | ✔ | |||
| contextSwitchingIdRule | Context switching identities rule | ✔ | |||
| contextSwitchingPrefix | Prefix to store real session Id | ✔ | ✔ | ||
| contextSwitchingRule | Context switching activation rule | ✔ | |||
| contextSwitchingStopWithLogout | Stop context switching by logout | ✔ | |||
| contextSwitchingUnrestrictedUsersRule | Context switching unrestricted users rule | ✔ | |||
| cookieExpiration | SSO cookie expiration | ✔ | ✔ | ||
| cookieName | Name of the SSO cookie | ✔ | ✔ | ||
| corsAllow_Credentials | Allow credentials for Cross-Origin Resource Sharing | ✔ | |||
| corsAllow_Headers | Allowed headers for Cross-Origin Resource Sharing | ✔ | |||
| corsAllow_Methods | Allowed methods for Cross-Origin Resource Sharing | ✔ | |||
| corsAllow_Origin | Allowed origin for Cross-Origin Resource Sharing | ✔ | |||
| corsEnabled | Enable Cross-Origin Resource Sharing | ✔ | |||
| corsExpose_Headers | Exposed headers for Cross-Origin Resource Sharing | ✔ | |||
| corsMax_Age | Max-age for Cross-Origin Resource Sharing | ✔ | |||
| crowdSecAgentResponseCode | Crowdsec ban response code | ✔ | |||
| crowdSecAgentResponseValue | Crowdsec ban response text | ✔ | |||
| crowdsec | CrowdSec bouncer activation | ✔ | |||
| crowdsecAction | CrowdSec action | ✔ | |||
| crowdsecAgent | Enable plugin to report auth failures to Crowdsec (simple alert) | ✔ | |||
| crowdsecBlockDelay | Crowdsec-Agent check delay | ✔ | |||
| crowdsecFilters | Crowdsec filters directory | ✔ | |||
| crowdsecIgnoreFailures | Ignore Crowdsec errors | ✔ | |||
| crowdsecKey | CrowdSec API key | ✔ | |||
| crowdsecMachineId | Crowdsec machine ID to send alerts | ✔ | |||
| crowdsecMaxFailures | Crowdsec-Agent maximum failures allowed during delay | ✔ | |||
| crowdsecPassword | Crowdsec password to send alerts | ✔ | |||
| crowdsecUrl | Base URL of CrowdSec local API | ✔ | |||
| cspConnect | Authorized Ajax destination for Content-Security-Policy | ✔ | |||
| cspDefault | Default value for Content-Security-Policy | ✔ | |||
| cspFont | Font source for Content-Security-Policy | ✔ | |||
| cspFormAction | Form action destination for Content-Security-Policy | ✔ | |||
| cspFrameAncestors | Frame-Ancestors for Content-Security-Policy | ✔ | |||
| cspImg | Image source for Content-Security-Policy | ✔ | |||
| cspScript | JavaScript source for Content-Security-Policy | ✔ | |||
| cspStyle | Style source for Content-Security-Policy | ✔ | |||
| customAddParams | Custom additional parameters | ✔ | |||
| customAuth | Custom auth module | ✔ | |||
| customFunctions | List of custom functions | ✔ | ✔ | ✔ | |
| customPassword | Custom password module | ✔ | |||
| customPlugins | Custom plugins | ✔ | |||
| customPluginsParams | Custom plugins parameters | ✔ | |||
| customRegister | Custom register module | ✔ | |||
| customResetCertByMail | Custom certificateResetByMail module | ✔ | |||
| customToTrace | Session parameter used to fill REMOTE_CUSTOM | ✔ | ✔ | ||
| customUserDB | Custom user DB module | ✔ | |||
| dbiAuthChain | | ✔ | |||
| dbiAuthLoginCol | | ✔ | |||
| dbiAuthPassword | | ✔ | |||
| dbiAuthPasswordCol | | ✔ | |||
| dbiAuthPasswordHash | | ✔ | |||
| dbiAuthTable | | ✔ | |||
| dbiAuthUser | | ✔ | |||
| dbiAuthnLevel | DBI authentication level | ✔ | |||
| dbiDynamicHashEnabled | | ✔ | |||
| dbiDynamicHashNewPasswordScheme | | ✔ | |||
| dbiDynamicHashValidSaltedSchemes | | ✔ | |||
| dbiDynamicHashValidSchemes | | ✔ | |||
| dbiExportedVars | DBI exported variables | ✔ | |||
| dbiPasswordMailCol | | ✔ | |||
| dbiUserTable | | ✔ | |||
| decryptValueFunctions | Custom function used for decrypting values | ✔ | |||
| decryptValueRule | Decrypt value activation rule | ✔ | |||
| defaultNewKeySize | Default size for new RSA key helper | ✔ | ✔ | ||
| demoExportedVars | Demo exported variables | ✔ | |||
| disablePersistentStorage | Enabled persistent storage | ✔ | |||
| disabledPlugins | Disabled plugins | ✔ | |||
| displaySessionId | Display _session_id with sessions explorer | ✔ | |||
| domain | DNS domain | ✔ | ✔ | ||
| eventQueueName | Event channel name | ✔ | |||
| eventStatus | Push status into message broker | ✔ | ✔ | ||
| exportedAttr | List of attributes to export by SOAP or REST servers | ✔ | |||
| exportedVars | Main exported variables | ✔ | |||
| ext2FSendCommand | Send command of External second factor | ✔ | |||
| ext2FValidateCommand | Validation command of External second factor | ✔ | |||
| ext2fActivation | External second factor activation | ✔ | |||
| ext2fAuthnLevel | Authentication level for users authenticated by External second factor | ✔ | |||
| ext2fCodeActivation | OTP generated by Portal | ✔ | |||
| ext2fLabel | Portal label for External second factor | ✔ | |||
| ext2fLogo | Custom logo for External 2F | ✔ | |||
| ext2fResendInterval | Delay before user is allowed to resend code | ✔ | |||
| facebookAppId | | ✔ | |||
| facebookAppSecret | | ✔ | |||
| facebookAuthnLevel | Facebook authentication level | ✔ | |||
| facebookExportedVars | Facebook exported variables | ✔ | |||
| facebookUserField | | ✔ | |||
| failedLoginNumber | Number of failures stored in login history | ✔ | |||
| findUser | Enable find user | ✔ | |||
| findUserControl | Regular expression to validate parameters | ✔ | |||
| findUserExcludingAttributes | Attributes used for excluding accounts | ✔ | |||
| findUserSearchingAttributes | Attributes used for searching accounts | ✔ | |||
| findUserWildcard | Character used as wildcard | ✔ | |||
| floatingCategoryName | Name of the category displayed as floating menu | ✔ | |||
| forceGlobalStorageIssuerOTT | Force Issuer tokens to be stored into Global Storage | ✔ | ✔ | ||
| forceGlobalStorageUpgradeOTT | Force Upgrade tokens to be stored into Global Storage | ✔ | ✔ | ||
| formTimeout | Token timeout for forms | ✔ | |||
| githubAuthnLevel | GitHub authentication level | ✔ | |||
| githubClientID | | ✔ | |||
| githubClientSecret | | ✔ | |||
| githubScope | | ✔ | |||
| githubUserField | | ✔ | |||
| globalLogoutCustomParam | Custom session parameter to display | ✔ | |||
| globalLogoutRule | Global logout activation rule | ✔ | |||
| globalLogoutTimer | Global logout auto accept time | ✔ | |||
| globalStorage | Session backend module | ✔ | ✔ | ||
| globalStorageOptions | Session backend module options | ✔ | ✔ | ||
| gpgAuthnLevel | GPG authentication level | ✔ | |||
| gpgDb | GPG keys database | ✔ | |||
| grantSessionRules | Rules to grant sessions | ✔ | |||
| groupLDAPFilter | LDAP filter for group search | ✔ | |||
| groups | Groups | ✔ | |||
| groupsBeforeMacros | Compute groups before macros | ✔ | |||
| handlerInternalCache | Handler internal cache timeout | ✔ | ✔ | ✔ | |
| handlerServiceTokenTTL | Handler ServiceToken timeout | ✔ | ✔ | ✔ | |
| hashedSessionStore | Secure storage of sensitive sessions | ✔ | |||
| hiddenAttributes | Name of attributes to hide in logs | ✔ | |||
| hideOldPassword | Hide old password in portal | ✔ | |||
| httpOnly | Enable httpOnly flag in cookie | ✔ | ✔ | ||
| https | Use HTTPS for redirection from portal | ✔ | |||
| impersonationHiddenAttributes | Attributes to skip | ✔ | |||
| impersonationIdRule | Impersonation identities rule | ✔ | |||
| impersonationMergeSSOgroups | Merge spoofed and real SSO groups | ✔ | |||
| impersonationPrefix | Prefix to rename real session attributes | ✔ | ✔ | ||
| impersonationRule | Impersonation activation rule | ✔ | |||
| impersonationSkipEmptyValues | Skip session empty values | ✔ | |||
| impersonationUnrestrictedUsersRule | Impersonation unrestricted users rule | ✔ | |||
| infoFormMethod | HTTP method for info page form | ✔ | |||
| initializePasswordReset | Enable Password Reset API plugin | ✔ | |||
| initializePasswordResetSecret | Secret key for the Initialize Password Reset API | ✔ | |||
| issuerDBCASActivation | CAS server activation | ✔ | |||
| issuerDBCASPath | CAS server request path | ✔ | |||
| issuerDBCASRule | CAS server rule | ✔ | |||
| issuerDBGetActivation | Get issuer activation | ✔ | |||
| issuerDBGetParameters | List of virtualHosts with their get parameters | ✔ | |||
| issuerDBGetPath | Get issuer request path | ✔ | |||
| issuerDBGetRule | Get issuer rule | ✔ | |||
| issuerDBJitsiMeetTokensActivation | Jitsi issuer activation | ✔ | |||
| issuerDBJitsiMeetTokensPath | Jitsi issuer request path | ✔ | |||
| issuerDBJitsiMeetTokensRule | Jitsi issuer rule | ✔ | |||
| issuerDBOpenIDActivation | OpenID server activation | ✔ | |||
| issuerDBOpenIDConnectActivation | OpenID Connect server activation | ✔ | |||
| issuerDBOpenIDConnectPath | OpenID Connect server request path | ✔ | |||
| issuerDBOpenIDConnectRule | OpenID Connect server rule | ✔ | |||
| issuerDBOpenIDPath | OpenID server request path | ✔ | |||
| issuerDBOpenIDRule | OpenID server rule | ✔ | |||
| issuerDBSAMLActivation | SAML IDP activation | ✔ | |||
| issuerDBSAMLPath | SAML IDP request path | ✔ | |||
| issuerDBSAMLRule | SAML IDP rule | ✔ | |||
| issuersTimeout | Token timeout for issuers | ✔ | |||
| jitsiAppId | Jitsi application ID | ✔ | |||
| jitsiAppSecret | Jitsi application secret | ✔ | |||
| jitsiDefaultServer | Jitsi server URL | ✔ | |||
| jitsiExpiration | Jitsi JWT expiration | ✔ | |||
| jitsiIdAttribute | Jitsi attribute for ID | ✔ | |||
| jitsiMailAttribute | Jitsi attribute for email | ✔ | |||
| jitsiNameAttribute | Jitsi attribute for name | ✔ | |||
| jitsiSigningAlg | Jitsi JWT signature method | ✔ | |||
| jitsiSigningKey | Jitsi JWT signature key | ✔ | |||
| jsRedirect | Use javascript for redirections | ✔ | |||
| key | Secret key | ✔ | |||
| keyComment | | ✔ | ✔ | ||
| keyId | | ✔ | ✔ | ||
| keyPrivate | | ✔ | ✔ | ||
| keyPrivatePwd | | ✔ | ✔ | ||
| keyPublic | | ✔ | ✔ | ||
| keys | Root of keys | ✔ | ✔ | ||
| krbAllowedDomains | Allowed domains | ✔ | |||
| krbAuthnLevel | Null authentication level | ✔ | |||
| krbByJs | Launch Kerberos authentication by Ajax | ✔ | |||
| krbKeytab | Kerberos keytab | ✔ | |||
| krbRemoveDomain | Remove domain in Kerberos username | ✔ | |||
| ldapAllowResetExpiredPassword | Allow a user to reset his expired password | ✔ | |||
| ldapAuthnLevel | LDAP authentication level | ✔ | |||
| ldapBase | LDAP search base | ✔ | |||
| ldapCAFile | Location of the certificate file for LDAP connections | ✔ | |||
| ldapCAPath | Location of the CA directory for LDAP connections | ✔ | |||
| ldapChangePasswordAsUser | | ✔ | |||
| ldapExportedVars | LDAP exported variables | ✔ | |||
| ldapForcePasswordChangeExpirationWarning | Delay to force password change if password is about to expire | ✔ | |||
| ldapGetUserBeforePasswordChange | | ✔ | |||
| ldapGroupAttributeName | LDAP attribute name for member in groups | ✔ | |||
| ldapGroupAttributeNameGroup | LDAP attribute name in group entry referenced as member in groups | ✔ | |||
| ldapGroupAttributeNameSearch | LDAP attributes to search in groups | ✔ | |||
| ldapGroupAttributeNameUser | LDAP attribute name in user entry referenced as member in groups | ✔ | |||
| ldapGroupBase | | ✔ | |||
| ldapGroupDecodeSearchedValue | Decode value before searching it in LDAP groups | ✔ | |||
| ldapGroupObjectClass | LDAP object class of groups | ✔ | |||
| ldapGroupRecursive | LDAP recursive search in groups | ✔ | |||
| ldapIOTimeout | LDAP operation timeout | ✔ | |||
| ldapITDS | Support for IBM Tivoli Directory Server | ✔ | |||
| ldapPasswordResetAttribute | LDAP password reset attribute | ✔ | |||
| ldapPasswordResetAttributeValue | LDAP password reset value | ✔ | |||
| ldapPort | LDAP port | ✔ | |||
| ldapPpolicyControl | | ✔ | |||
| ldapPwdEnc | LDAP password encoding | ✔ | |||
| ldapRaw | | ✔ | |||
| ldapSearchDeref | “deref” param of Net::LDAP::search() | ✔ | |||
| ldapServer | LDAP server (host or URI) | ✔ | |||
| ldapSetPassword | | ✔ | |||
| ldapTimeout | LDAP connection timeout | ✔ | |||
| ldapUsePasswordResetAttribute | LDAP store reset flag in an attribute | ✔ | |||
| ldapVerify | Whether to validate LDAP certificates | ✔ | |||
| ldapVersion | LDAP protocol version | ✔ | |||
| linkedInAuthnLevel | LinkedIn authentication level | ✔ | |||
| linkedInClientID | | ✔ | |||
| linkedInClientSecret | | ✔ | |||
| linkedInFields | | ✔ | |||
| linkedInScope | | ✔ | |||
| linkedInUserField | | ✔ | |||
| localSessionStorage | Local sessions cache module | ✔ | |||
| localSessionStorageOptions | Sessions cache module options | ✔ | |||
| localStorage | Local cache | ✔ | ✔ | ✔ | ✔ |
| localStorageOptions | Local cache parameters | ✔ | ✔ | ✔ | ✔ |
| locationDetect | Enable LocationDetect plugin | ✔ | |||
| locationDetectGeoIpDatabase | Path to GeoIP database | ✔ | |||
| locationDetectGeoIpLanguages | Languages for GeoIP database | ✔ | |||
| locationDetectIpDetail | Information requested for IP | ✔ | |||
| locationDetectUaDetail | Information requested for User Agent | ✔ | |||
| log4perlConfFile | Log4Perl logger configuration file | ✔ | ✔ | ✔ | ✔ |
| logLevel | Log level, must be set in .ini | ✔ | ✔ | ✔ | ✔ |
| logger | technical logger | ✔ | ✔ | ✔ | ✔ |
| loginHistoryEnabled | Enable login history | ✔ | |||
| logoutServices | Send logout through GET request to these services | ✔ | |||
| lokiAuthorization | Loki Authorization header value | ✔ | ✔ | ✔ | ✔ |
| lokiEnv | Loki env, default “prod” | ✔ | ✔ | ✔ | ✔ |
| lokiInstance | Loki instance, default hostname output | ✔ | ✔ | ✔ | ✔ |
| lokiLabel | Loki label, default llng | ✔ | ✔ | ✔ | ✔ |
| lokiService | Loki Service (technical context) | ✔ | ✔ | ✔ | ✔ |
| lokiTenant | Loki Tenant | ✔ | ✔ | ✔ | ✔ |
| lokiTenantHeader | Loki Tenant Header name | ✔ | ✔ | ✔ | ✔ |
| lokiUrl | Loki API | ✔ | ✔ | ✔ | ✔ |
| lokiUserService | Loki (userLogger context) | ✔ | ✔ | ✔ | ✔ |
| lwpOpts | Options passed to LWP::UserAgent | ✔ | |||
| lwpSslOpts | TLS/SSL options passed to LWP::UserAgent | ✔ | |||
| macros | Macros | ✔ | |||
| mail2fActivation | Mail second factor activation | ✔ | |||
| mail2fAuthnLevel | Authentication level for users authenticated by Mail second factor | ✔ | |||
| mail2fBody | Mail body for second factor authentication | ✔ | |||
| mail2fCodeRegex | Regular expression to create a mail OTP code | ✔ | |||
| mail2fLabel | Portal label for Mail second factor | ✔ | |||
| mail2fLogo | Custom logo for Mail 2F | ✔ | |||
| mail2fResendInterval | Delay before user is allowed to resend code | ✔ | |||
| mail2fSessionKey | Session parameter where mail is stored | ✔ | |||
| mail2fSubject | Mail subject for second factor authentication | ✔ | |||
| mail2fTimeout | Second factor code timeout | ✔ | |||
| mailBody | Custom password reset mail body | ✔ | |||
| mailCharset | Mail charset | ✔ | |||
| mailConfirmBody | Custom confirm password reset mail body | ✔ | |||
| mailConfirmSubject | Mail subject for reset confirmation | ✔ | |||
| mailFrom | Sender email | ✔ | |||
| mailLDAPFilter | LDAP filter for mail search | ✔ | |||
| mailOnPasswordChange | Send a mail when password is changed | ✔ | |||
| mailReplyTo | Reply-To address | ✔ | |||
| mailSessionKey | Session parameter where mail is stored | ✔ | |||
| mailSubject | Mail subject for new password email | ✔ | |||
| mailTimeout | Mail password reset session timeout | ✔ | |||
| mailUrl | URL of password reset page | ✔ | |||
| maintenance | Maintenance mode for all virtual hosts | ✔ | |||
| managerDn | LDAP manager DN | ✔ | |||
| managerPassword | LDAP manager Password | ✔ | |||
| max2FDevices | Maximum registered 2F devices | ✔ | ✔ | ||
| max2FDevicesNameLength | Maximum 2F devices name length | ✔ | ✔ | ||
| messageBroker | Messages broker module | ✔ | ✔ | ||
| messageBrokerOptions | Options of messages broker module | ✔ | ✔ | ||
| multiValuesSeparator | Separator for multiple values | ✔ | ✔ | ✔ | |
| mySessionAuthorizedRWKeys | Session keys alterable by the user | ✔ | ✔ | ||
| newLocationWarning | Enable New Location Warning | ✔ | |||
| newLocationWarningLocationAttribute | New location session attribute | ✔ | |||
| newLocationWarningLocationDisplayAttribute | New location session attribute for user display | ✔ | |||
| newLocationWarningMailAttribute | New location warning mail session attribute | ✔ | |||
| newLocationWarningMailBody | Mail body for new location warning | ✔ | |||
| newLocationWarningMailSubject | Mail subject for new location warning | ✔ | |||
| newLocationWarningMaxValues | How many previous locations should be compared | ✔ | |||
| nginxCustomHandlers | Custom Nginx handler (deprecated) | ✔ | |||
| noAjaxHook | Avoid replacing 302 by 401 for Ajax responses | ✔ | |||
| notification | Notification activation | ✔ | |||
| notificationDefaultCond | Notification default condition | ✔ | |||
| notificationServer | Notification server activation | ✔ | |||
| notificationServerDELETE | Notification server activation | ✔ | |||
| notificationServerGET | Notification server activation | ✔ | |||
| notificationServerPOST | Notification server activation | ✔ | |||
| notificationServerSentAttributes | Parameters to send with notification server GET method | ✔ | |||
| notificationStorage | Notification backend | ✔ | |||
| notificationStorageOptions | Notification backend options | ✔ | |||
| notificationWildcard | Notification string to match all users | ✔ | |||
| notificationXSLTfile | Custom XSLT document for notifications | ✔ | |||
| notificationsExplorer | Notifications explorer activation | ✔ | |||
| notificationsMaxRetrieve | Max number of displayed notifications | ✔ | ✔ | ||
| notifyDeleted | Show deleted sessions in portal | ✔ | |||
| notifyOther | Show other sessions in portal | ✔ | |||
| nullAuthnLevel | Null authentication level | ✔ | |||
| oidcAuthnLevel | OpenID Connect authentication level | ✔ | |||
| oidcDropCspHeaders | Drop CORS headers from OIDC issuer responses | ✔ | |||
| oidcOPMetaDataOptions | | ✔ | [1] | ||
| oidcOfflineTokens | OIDC personal offline token removal | ✔ | |||
| oidcRPCallbackGetParam | OpenID Connect Callback GET URL parameter | ✔ | |||
| oidcRPMetaDataOptions | | ✔ | [1] | ||
| oidcRPStateTimeout | OpenID Connect Timeout of state sessions | ✔ | |||
| oidcServiceAccessTokenExpiration | OpenID Connect global access token TTL | ✔ | |||
| oidcServiceAllowAuthorizationCodeFlow | OpenID Connect allow authorization code flow | ✔ | |||
| oidcServiceAllowDynamicRegistration | OpenID Connect allow dynamic client registration | ✔ | |||
| oidcServiceAllowHybridFlow | OpenID Connect allow hybrid flow | ✔ | |||
| oidcServiceAllowImplicitFlow | OpenID Connect allow implicit flow | ✔ | |||
| oidcServiceAllowOnlyDeclaredScopes | OpenID Connect allow only declared scopes | ✔ | |||
| oidcServiceAuthorizationCodeExpiration | OpenID Connect global code TTL | ✔ | |||
| oidcServiceDynamicRegistrationExportedVars | OpenID Connect exported variables for dynamic registration | ✔ | |||
| oidcServiceDynamicRegistrationExtraClaims | OpenID Connect extra claims for dynamic registration | ✔ | |||
| oidcServiceEncAlgorithmAlg | JWT encryption algorithm | ✔ | |||
| oidcServiceEncAlgorithmEnc | JWT encryption algorithm | ✔ | |||
| oidcServiceEncryptionKey | Key to use for OIDC encryption | ✔ | |||
| oidcServiceHideMetadata | | ✔ | |||
| oidcServiceIDTokenExpiration | OpenID Connect global ID token TTL | ✔ | |||
| oidcServiceIgnoreScopeForClaims | OpenID Connect release all attributes even when not allowed by scope | ✔ | |||
| oidcServiceKeyIdEnc | OpenID Connect Encryption Key ID | ✔ | |||
| oidcServiceKeyIdSig | OpenID Connect Signature Key ID | ✔ | |||
| oidcServiceKeyTypeEnc | | ✔ | |||
| oidcServiceKeyTypeSig | | ✔ | |||
| oidcServiceMetaDataAmrRules | OpenID Connect AMR rules | ✔ | |||
| oidcServiceMetaDataAuthnContext | OpenID Connect Authentication Context Class Ref | ✔ | |||
| oidcServiceMetaDataAuthorizeURI | OpenID Connect authorization endpoint | ✔ | |||
| oidcServiceMetaDataBackChannelURI | OpenID Connect Back-Channel logout endpoint | ✔ | |||
| oidcServiceMetaDataCheckSessionURI | OpenID Connect check session iframe | ✔ | |||
| oidcServiceMetaDataDisallowNoneAlg | | ✔ | |||
| oidcServiceMetaDataEndSessionURI | OpenID Connect end session endpoint | ✔ | |||
| oidcServiceMetaDataFrontChannelURI | OpenID Connect Front-Channel logout endpoint | ✔ | |||
| oidcServiceMetaDataIntrospectionURI | OpenID Connect introspection endpoint | ✔ | |||
| oidcServiceMetaDataIssuer | OpenID Connect issuer | ✔ | |||
| oidcServiceMetaDataJWKSURI | OpenID Connect JWKS endpoint | ✔ | |||
| oidcServiceMetaDataRegistrationURI | OpenID Connect registration endpoint | ✔ | |||
| oidcServiceMetaDataRevokeURI | OpenID Connect token revocation endpoint | ✔ | |||
| oidcServiceMetaDataRpLogoutReturnURI | OpenID Connect RP-Initiated logout return endpoint | ✔ | |||
| oidcServiceMetaDataTokenURI | OpenID Connect token endpoint | ✔ | |||
| oidcServiceMetaDataUserInfoURI | OpenID Connect user info endpoint | ✔ | |||
| oidcServiceMetadataTtl | OIDC Metadata TTL | ✔ | |||
| oidcServiceNewKeyIdSig | Future OpenID Connect Signature Key ID | ✔ | |||
| oidcServiceNewKeyTypeSig | | ✔ | |||
| oidcServiceNewPrivateKeySig | | ✔ | |||
| oidcServiceNewPublicKeySig | | ✔ | |||
| oidcServiceOfflineSessionExpiration | OpenID Connect global offline session TTL | ✔ | |||
| oidcServiceOldKeyIdEnc | Previous OpenID Connect Encryption Key ID | ✔ | |||
| oidcServiceOldKeyIdSig | Previous OpenID Connect Signature Key ID | ✔ | |||
| oidcServiceOldKeyTypeEnc | | ✔ | |||
| oidcServiceOldKeyTypeSig | | ✔ | |||
| oidcServiceOldPrivateKeyEnc | | ✔ | |||
| oidcServiceOldPrivateKeySig | | ✔ | |||
| oidcServiceOldPublicKeyEnc | | ✔ | |||
| oidcServiceOldPublicKeySig | | ✔ | |||
| oidcServicePrivateKeyEnc | | ✔ | |||
| oidcServicePrivateKeySig | | ✔ | |||
| oidcServicePublicKeyEnc | | ✔ | |||
| oidcServicePublicKeySig | | ✔ | |||
| oidcServiceSignatureKey | Key to use for OIDC signature | ✔ | |||
| oidcStorage | Apache::Session module to store OIDC user data | ✔ | |||
| oidcStorageOptions | Apache::Session module parameters | ✔ | |||
| okta2fActivation | Okta2F activation | ✔ | |||
| okta2fAdminURL | Okta Administration URL | ✔ | |||
| okta2fApiKey | Okta API key | ✔ | |||
| okta2fAuthnLevel | Authentication level for users authenticated by Okta2F | ✔ | |||
| okta2fLabel | Portal label for Okta2F | ✔ | |||
| okta2fLoginAttribute | Session key containing Okta login | ✔ | |||
| okta2fLogo | Custom logo for Okta 2F | ✔ | |||
| oldNotifFormat | Use old XML format for notifications | ✔ | |||
| openIdAttr | | ✔ | |||
| openIdAuthnLevel | OpenID authentication level | ✔ | |||
| openIdExportedVars | OpenID exported variables | ✔ | |||
| openIdIDPList | | ✔ | |||
| openIdIssuerSecret | | ✔ | |||
| openIdSPList | | ✔ | |||
| openIdSecret | | ✔ | |||
| openIdSreg_country | | ✔ | |||
| openIdSreg_dob | | ✔ | |||
| openIdSreg_email | OpenID SREG email session parameter | ✔ | |||
| openIdSreg_fullname | OpenID SREG fullname session parameter | ✔ | |||
| openIdSreg_gender | | ✔ | |||
| openIdSreg_language | | ✔ | |||
| openIdSreg_nickname | OpenID SREG nickname session parameter | ✔ | |||
| openIdSreg_postcode | | ✔ | |||
| openIdSreg_timezone | OpenID SREG timezone session parameter | ✔ | |||
| pamAuthnLevel | PAM authentication level | ✔ | |||
| pamService | PAM service | ✔ | |||
| password2fActivation | Password2F activation | ✔ | |||
| password2fAuthnLevel | Authentication level for users authenticated by Password2F | ✔ | |||
| password2fLabel | Portal label for Password2F | ✔ | |||
| password2fLogo | Custom logo for Password 2F | ✔ | |||
| password2fSelfRegistration | Password2F self registration activation | ✔ | |||
| password2fTTL | Password2F device time to live | ✔ | |||
| password2fUserCanRemoveKey | Authorize users to remove existing Password2F secret | ✔ | |||
| passwordDB | Password module | ✔ | |||
| passwordPolicyActivation | Enable password policy | ✔ | |||
| passwordPolicyMaxSize | Password policy: maximal size | ✔ | |||
| passwordPolicyMinDigit | Password policy: minimal digit characters | ✔ | |||
| passwordPolicyMinLower | Password policy: minimal lower characters | ✔ | |||
| passwordPolicyMinSize | Password policy: minimal size | ✔ | |||
| passwordPolicyMinSpeChar | Password policy: minimal special characters | ✔ | |||
| passwordPolicyMinUpper | Password policy: minimal upper characters | ✔ | |||
| passwordPolicySpecialChar | Password policy: allowed special characters | ✔ | |||
| passwordResetAllowedRetries | Maximum number of retries to reset password | ✔ | |||
| pdataDomain | pdata cookie DNS domain | ✔ | ✔ | ✔ | |
| persistentSessionAttributes | Persistent session attributes to hide | ✔ | ✔ | ||
| persistentStorage | Storage module for persistent sessions | ✔ | |||
| persistentStorageOptions | Options for persistent sessions storage module | ✔ | |||
| port | Force port in redirection | ✔ | |||
| portal | Portal URL | ✔ | ✔ | ✔ | |
| portalAntiFrame | Prevent portal from being displayed inside frames | ✔ | |||
| portalCheckLogins | Display login history checkbox in portal | ✔ | |||
| portalCustomCss | Path to custom CSS file | ✔ | |||
| portalCustomJs | Path to custom JS file | ✔ | |||
| portalCustomTplParams | Custom templates parameters | ✔ | |||
| portalDisplayAppslist | Display applications tab in portal | ✔ | |||
| portalDisplayCertificateResetByMail | Display certificate reset by mail button in portal | ✔ | |||
| portalDisplayChangePassword | Display password tab in portal | ✔ | |||
| portalDisplayGeneratePassword | Display password generate box in reset password form | ✔ | |||
| portalDisplayLoginHistory | Display login history tab in portal | ✔ | |||
| portalDisplayLogout | Display logout tab in portal | ✔ | |||
| portalDisplayOfflineTokens | ✔ | ||||
| portalDisplayOidcConsents | Display OIDC consents tab in portal | ✔ | |||
| portalDisplayOrder | List for ordering tabs in portal | ✔ | |||
| portalDisplayPasswordPolicy | Display policy in password form | ✔ | |||
| portalDisplayRefreshMyRights | Display link to refresh the user session | ✔ | |||
| portalDisplayRegister | Display register button in portal | ✔ | |||
| portalDisplayResetPassword | Display reset password button in portal | ✔ | |||
| portalEnablePasswordDisplay | Allow displaying password in login form | ✔ | |||
| portalErrorOnExpiredSession | Show error if session is expired | ✔ | |||
| portalErrorOnMailNotFound | Show error if mail is not found in password reset process | ✔ | |||
| portalFavicon | Path to favicon file | ✔ | |||
| portalForceAuthn | Enable force to authenticate when displaying portal | ✔ | |||
| portalForceAuthnInterval | Maximum interval in seconds since last authentication to force reauthentication | ✔ | |||
| portalMainLogo | Portal main logo path | ✔ | |||
| portalOpenLinkInNewWindow | Open applications in new windows | ✔ | |||
| portalPingInterval | Interval in ms between portal Ajax pings | ✔ | |||
| portalRequireOldPassword | Rule to require old password to change the password | ✔ | |||
| portalSkin | Name of portal skin | ✔ | |||
| portalSkinBackground | Background image of portal skin | ✔ | |||
| portalSkinRules | Rules to choose portal skin | ✔ | |||
| portalStatus | Enable portal status | ✔ | |||
| portalUserAttr | Session parameter to display connected user in portal | ✔ | |||
| protection | Manager protection method | ✔ | ✔ | ✔ | |
| proxyAuthService | ✔ | ||||
| proxyAuthServiceChoiceParam | ✔ | ||||
| proxyAuthServiceChoiceValue | ✔ | ||||
| proxyAuthServiceImpersonation | Enable internal portal Impersonation | ✔ | |||
| proxyAuthnLevel | Proxy authentication level | ✔ | |||
| proxyCookieName | Name of the internal portal cookie | ✔ | |||
| proxySessionService | ✔ | ||||
| proxyUseSoap | Use SOAP instead of REST | ✔ | |||
| publicNotifications | Enable PublicNotification plugin | ✔ | |||
| radius2fActivation | Radius second factor activation | ✔ | |||
| radius2fAuthnLevel | Authentication level for users authenticated by Radius second factor | ✔ | |||
| radius2fDictionaryFile | ✔ | ||||
| radius2fLabel | Portal label for Radius 2F | ✔ | |||
| radius2fLogo | Custom logo for Radius 2F | ✔ | |||
| radius2fMsgAuth | Use Message-Authentication for Radius requests | ✔ | |||
| radius2fRequestAttributes | RADIUS second factor authentication attributes | ✔ | |||
| radius2fSecret | ✔ | ||||
| radius2fSendInitialRequest | Dial in to radius server before displaying form | ✔ | |||
| radius2fServer | ✔ | ||||
| radius2fTimeout | Radius 2f verification timeout | ✔ | |||
| radius2fUsernameSessionKey | Session key used as Radius login | ✔ | |||
| radiusAuthnLevel | Radius authentication level | ✔ | |||
| radiusDictionaryFile | ✔ | ||||
| radiusExportedVars | RADIUS exported variables | ✔ | |||
| radiusMsgAuth | Use Message-Authentication for Radius requests | ✔ | |||
| radiusRequestAttributes | RADIUS authentication attributes | ✔ | |||
| radiusSecret | ✔ | ||||
| radiusServer | ✔ | ||||
| radiusTimeout | ✔ | ||||
| randomPasswordRegexp | Regular expression to create a random password | ✔ | |||
| redirectFormMethod | HTTP method for redirect page form | ✔ | |||
| refreshSessions | Refresh sessions plugin | ✔ | |||
| registerConfirmBody | Mail body for register confirmation | ✔ | |||
| registerConfirmSubject | Mail subject for register confirmation | ✔ | |||
| registerDB | Register module | ✔ | |||
| registerDoneBody | Mail body when register is done | ✔ | |||
| registerDoneSubject | Mail subject when register is done | ✔ | |||
| registerTimeout | Register session timeout | ✔ | |||
| registerUrl | URL of register page | ✔ | |||
| reloadTimeout | Configuration reload timeout | ✔ | |||
| reloadUrls | URL to call on reload | ✔ | |||
| rememberAuthChoiceForgetAtLogout | Forget Auth Choice at logout | ✔ | |||
| rememberAuthChoiceRule | Remember auth choice activation rule | ✔ | |||
| rememberCookieName | Name of the remember auth choice cookie | ✔ | |||
| rememberCookieTimeout | Lifetime of the remember auth choice cookie | ✔ | |||
| rememberDefaultChecked | Is remember auth choice checkbox enabled by default? | ✔ | |||
| rememberTimer | Timer before automatic authentication with remembered choice | ✔ | |||
| remoteCookieName | Name of the remote portal cookie | ✔ | |||
| remoteGlobalStorage | Remote session backend | ✔ | |||
| remoteGlobalStorageOptions | Apache::Session module parameters | ✔ | |||
| remotePortal | ✔ | ||||
| requireToken | Enable token for forms | ✔ | |||
| rest2fActivation | REST second factor activation | ✔ | |||
| rest2fAuthnLevel | Authentication level for users authenticated by REST second factor | ✔ | |||
| rest2fCodeActivation | OTP generated by Portal | ✔ | |||
| rest2fInitArgs | Args for REST 2F init | ✔ | |||
| rest2fInitUrl | REST 2F init URL | ✔ | |||
| rest2fLabel | Portal label for REST second factor | ✔ | |||
| rest2fLogo | Custom logo for REST 2F | ✔ | |||
| rest2fResendInterval | Delay before user is allowed to resend code | ✔ | |||
| rest2fVerifyArgs | Args for REST 2F init | ✔ | |||
| rest2fVerifyUrl | REST 2F init URL | ✔ | |||
| restAuthServer | Enable REST authentication server | ✔ | |||
| restAuthUrl | ✔ | ||||
| restAuthnLevel | REST authentication level | ✔ | |||
| restClockTolerance | How tolerant the REST session server will be to clock drift | ✔ | |||
| restConfigServer | Enable REST config server | ✔ | |||
| restExportSecretKeys | Allow exporting secret keys in REST session server | ✔ | |||
| restFindUserDBUrl | ✔ | ||||
| restPasswordServer | Enable REST password reset server | ✔ | |||
| restPwdConfirmUrl | ✔ | ||||
| restPwdModifyUrl | ✔ | ||||
| restSessionServer | Enable REST session server | ✔ | |||
| restUserDBUrl | ✔ | ||||
| sameSite | Cookie SameSite value | ✔ | ✔ | ||
| samlAttributeAuthorityDescriptorAttributeServiceSOAP | SAML Attribute Authority SOAP | ✔ | |||
| samlAuthnContextMapExtra | SAML extra authn contexts | ✔ | |||
| samlAuthnContextMapKerberos | SAML authn context kerberos level | ✔ | |||
| samlAuthnContextMapPassword | SAML authn context password level | ✔ | |||
| samlAuthnContextMapPasswordProtectedTransport | SAML authn context password protected transport level | ✔ | |||
| samlAuthnContextMapTLSClient | SAML authn context TLS client level | ✔ | |||
| samlCommonDomainCookieActivation | SAML CDC activation | ✔ | |||
| samlCommonDomainCookieDomain | ✔ | ||||
| samlCommonDomainCookieReader | ✔ | ||||
| samlCommonDomainCookieWriter | ✔ | ||||
| samlDiscoveryProtocolActivation | SAML Discovery Protocol activation | ✔ | |||
| samlDiscoveryProtocolIsPassive | SAML Discovery Protocol Is Passive | ✔ | |||
| samlDiscoveryProtocolPolicy | SAML Discovery Protocol Policy | ✔ | |||
| samlDiscoveryProtocolURL | SAML Discovery Protocol EndPoint URL | ✔ | |||
| samlEntityID | SAML service entityID | ✔ | |||
| samlFederationFiles | Path to SAML Federation Metadata | ✔ | |||
| samlIDPMetaDataOptions | ✔ | [1] | |||
| samlIDPSSODescriptorArtifactResolutionServiceArtifact | SAML IDP artifact resolution service | ✔ | |||
| samlIDPSSODescriptorSingleLogoutServiceHTTPPost | SAML IDP SLO HTTP POST | ✔ | |||
| samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect | SAML IDP SLO HTTP Redirect | ✔ | |||
| samlIDPSSODescriptorSingleLogoutServiceSOAP | SAML IDP SLO SOAP | ✔ | |||
| samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact | SAML IDP SSO HTTP Artifact | ✔ | |||
| samlIDPSSODescriptorSingleSignOnServiceHTTPPost | SAML IDP SSO HTTP POST | ✔ | |||
| samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect | SAML IDP SSO HTTP Redirect | ✔ | |||
| samlIDPSSODescriptorWantAuthnRequestsSigned | SAML IDP want authn request signed | ✔ | |||
| samlMetadataForceUTF8 | SAML force metadata UTF8 conversion | ✔ | |||
| samlNameIDFormatMapEmail | SAML session parameter for NameID email | ✔ | |||
| samlNameIDFormatMapKerberos | SAML session parameter for NameID kerberos | ✔ | |||
| samlNameIDFormatMapWindows | SAML session parameter for NameID windows | ✔ | |||
| samlNameIDFormatMapX509 | SAML session parameter for NameID x509 | ✔ | |||
| samlOrganizationDisplayName | SAML service organization display name | ✔ | |||
| samlOrganizationName | SAML service organization name | ✔ | |||
| samlOrganizationURL | SAML service organization URL | ✔ | |||
| samlOverrideIDPEntityID | Override SAML EntityID when acting as an IDP | ✔ | |||
| samlRelayStateTimeout | SAML timeout of relay state | ✔ | |||
| samlSPMetaDataOptions | ✔ | [1] | |||
| samlSPSSODescriptorArtifactResolutionServiceArtifact | SAML SP artifact resolution service | ✔ | |||
| samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact | SAML SP ACS HTTP artifact | ✔ | |||
| samlSPSSODescriptorAssertionConsumerServiceHTTPPost | SAML SP ACS HTTP POST | ✔ | |||
| samlSPSSODescriptorAuthnRequestsSigned | SAML SP AuthnRequestsSigned | ✔ | |||
| samlSPSSODescriptorSingleLogoutServiceHTTPPost | SAML SP SLO HTTP POST | ✔ | |||
| samlSPSSODescriptorSingleLogoutServiceHTTPRedirect | SAML SP SLO HTTP Redirect | ✔ | |||
| samlSPSSODescriptorSingleLogoutServiceSOAP | SAML SP SLO SOAP | ✔ | |||
| samlSPSSODescriptorWantAssertionsSigned | SAML SP WantAssertionsSigned | ✔ | |||
| samlServiceEncryptionKey | Key to use for SAML encryption | ✔ | |||
| samlServicePrivateKeyEnc | SAML encryption private key | ✔ | |||
| samlServicePrivateKeyEncPwd | ✔ | ||||
| samlServicePrivateKeySig | SAML signature private key | ✔ | |||
| samlServicePrivateKeySigPwd | SAML signature private key password | ✔ | |||
| samlServicePublicKeyEnc | SAML encryption public key | ✔ | |||
| samlServicePublicKeySig | SAML signature public key | ✔ | |||
| samlServiceSignatureKey | Key to use for SAML signature | ✔ | |||
| samlServiceSignatureMethod | ✔ | ||||
| samlServiceUseCertificateInResponse | Use certificate instead of public key in SAML responses | ✔ | |||
| samlStorage | Apache::Session module to store SAML user data | ✔ | |||
| samlStorageOptions | Apache::Session module parameters | ✔ | |||
| samlUseQueryStringSpecific | SAML use specific method for query_string | ✔ | |||
| scrollTop | Display back to top button | ✔ | |||
| secureTokenAllowOnError | Secure Token allow requests in error | ✔ | ✔ | ||
| secureTokenAttribute | Secure Token attribute | ✔ | ✔ | ||
| secureTokenExpiration | Secure Token expiration | ✔ | ✔ | ||
| secureTokenHeader | Secure Token header | ✔ | ✔ | ||
| secureTokenMemcachedServers | Secure Token Memcached servers | ✔ | ✔ | ||
| secureTokenUrls | ✔ | ✔ | |||
| securedCookie | Cookie securing method | ✔ | ✔ | ||
| sentryDsn | Sentry logger DSN | ✔ | ✔ | ✔ | ✔ |
| sessionDataToRemember | Data to remember in login history | ✔ | |||
| sfEngine | Second factor engine | ✔ | ✔ | ||
| sfExtra | Extra second factors | ✔ | |||
| sfLoginTimeout | Timeout for 2F login process | ✔ | |||
| sfManagerRule | Rule to display second factor Manager link | ✔ | |||
| sfOnlyUpgrade | Only trigger second factor on session upgrade | ✔ | |||
| sfRegisterTimeout | Timeout for 2F registration process | ✔ | |||
| sfRemovedMsgRule | Display a message if at least one expired SF has been removed | ✔ | |||
| sfRemovedNotifMsg | Notification message | ✔ | |||
| sfRemovedNotifRef | Notification reference | ✔ | |||
| sfRemovedNotifTitle | Notification title | ✔ | |||
| sfRemovedUseNotif | Use Notifications plugin to display message | ✔ | |||
| sfRequired | Second factor required | ✔ | |||
| sfRetries | Allowed number of retries | ✔ | |||
| showLanguages | Display language icons | ✔ | |||
| singleIP | Allow only one session per IP | ✔ | |||
| singleSession | Allow only one session per user | ✔ | |||
| singleUserByIP | Allow only one user per IP | ✔ | |||
| skipRenewConfirmation | Avoid asking confirmation when an Issuer asks to renew auth | ✔ | |||
| skipUpgradeConfirmation | Avoid asking confirmation during a session upgrade | ✔ | |||
| slaveAuthnLevel | Slave authentication level | ✔ | |||
| slaveDisplayLogo | Display Slave authentication logo | ✔ | |||
| slaveExportedVars | Slave exported variables | ✔ | |||
| slaveHeaderContent | ✔ | ||||
| slaveHeaderName | ✔ | ||||
| slaveMasterIP | ✔ | ||||
| slaveUserHeader | ✔ | ||||
| soapConfigServer | Enable SOAP config server | ✔ | |||
| soapProxyUrn | SOAP URN for Proxy | ✔ | ✔ | ||
| soapSessionServer | Enable SOAP session server | ✔ | |||
| sslByAjax | Use Ajax request for Mutual TLS Authentication | ✔ | |||
| sslHost | URL for Mutual TLS Authentication Ajax request | ✔ | |||
| staticPrefix | Prefix of static files for HTML templates | ✔ | ✔ | ||
| statusQueueName | Status channel name | ✔ | ✔ | ||
| stayConnected | Stay connected activation rule | ✔ | |||
| stayConnectedBypassFG | Disable fingerprint checking | ✔ | |||
| stayConnectedCookieName | Name of the stayConnected plugin cookie | ✔ | |||
| stayConnectedSingleSession | Allow only one permanent session per user | ✔ | |||
| stayConnectedTimeout | StayConnected persistent connection session timeout | ✔ | |||
| storePassword | Store password in session | ✔ | |||
| storePasswordEncrypted | Crypt the password in session | ✔ | |||
| strictTransportSecurityMax_Age | Max-age for Strict-Transport-Security | ✔ | |||
| successLoginNumber | Number of success stored in login history | ✔ | |||
| syslogFacility | Syslog logger technical facility | ✔ | ✔ | ✔ | ✔ |
| syslogSockOptions | Option to send to setlogsock() | ✔ | ✔ | ✔ | ✔ |
| timeout | Session timeout on server side | ✔ | |||
| timeoutActivity | Session activity timeout on server side | ✔ | |||
| timeoutActivityInterval | Update session timeout interval on server side | ✔ | |||
| tokenUseGlobalStorage | Enable global token storage | ✔ | |||
| totp2fActivation | TOTP activation | ✔ | |||
| totp2fAuthnLevel | Authentication level for users authenticated by password+TOTP | ✔ | |||
| totp2fDigits | Number of digits for TOTP code | ✔ | |||
| totp2fEncryptSecret | Encrypt TOTP secrets in database | ✔ | |||
| totp2fInterval | TOTP interval | ✔ | |||
| totp2fIssuer | TOTP Issuer | ✔ | |||
| totp2fLabel | Portal label for TOTP 2F | ✔ | |||
| totp2fLogo | Custom logo for TOTP 2F | ✔ | |||
| totp2fRange | TOTP range (number of interval to test) | ✔ | |||
| totp2fSelfRegistration | TOTP self registration activation | ✔ | |||
| totp2fTTL | TOTP device time to live | ✔ | |||
| totp2fUserCanRemoveKey | Authorize users to remove existing TOTP secret | ✔ | |||
| trustedBrowserRule | Trusted browser registration rule | ✔ | |||
| trustedBrowserUseTotp | Use TOTP for trusted browser registration | ✔ | |||
| trustedDomains | Trusted domains | ✔ | |||
| twitterAppName | ✔ | ||||
| twitterAuthnLevel | Twitter authentication level | ✔ | |||
| twitterKey | ✔ | ||||
| twitterSecret | ✔ | ||||
| twitterUserField | ✔ | ||||
| upgradeSession | Upgrade session activation | ✔ | |||
| useRedirectAjaxOnUnauthorized | Redirect Ajax requests to portal for unauthorized (401) | ✔ | |||
| useRedirectOnError | Use 302 redirect code for error (500) | ✔ | |||
| useRedirectOnForbidden | Use 302 redirect code for forbidden (403) | ✔ | |||
| useSafeJail | Activate Safe jail | ✔ | ✔ | ||
| userControl | Regular expression to validate login | ✔ | |||
| userDB | User module | ✔ | |||
| userLogger | User actions logger | ✔ | ✔ | ✔ | ✔ |
| userPivot | ✔ | ||||
| userSyslogFacility | Syslog logger user-actions facility | ✔ | ✔ | ✔ | ✔ |
| vhostOptions | ✔ | [1] | |||
| viewerAllowBrowser | Allow configuration browser | ✔ | ✔ | ||
| viewerAllowDiff | Allow configuration diff | ✔ | ✔ | ||
| viewerHiddenKeys | Hidden Conf keys | ✔ | ✔ | ||
| webCronSecret | Secret token for webcron plugin | ✔ | |||
| webIDAuthnLevel | WebID authentication level | ✔ | |||
| webIDExportedVars | WebID exported variables | ✔ | |||
| webIDWhitelist | ✔ | ||||
| webauthn2fActivation | WebAuthn second factor activation | ✔ | |||
| webauthn2fAttestation | Ask the authenticator for an attestation | ✔ | |||
| webauthn2fAttestationTrust | Certificate bundle for attestation trust validation | ✔ | |||
| webauthn2fAuthnLevel | Authentication level for users authenticated by WebAuthn second factor | ✔ | |||
| webauthn2fLabel | Portal label for WebAuthn second factor | ✔ | |||
| webauthn2fLogo | Custom logo for WebAuthn 2F | ✔ | |||
| webauthn2fResidentKey | Use discoverable credential | ✔ | |||
| webauthn2fSelfRegistration | WebAuthn self registration activation | ✔ | |||
| webauthn2fUserCanRemoveKey | Authorize users to remove existing WebAuthn | ✔ | |||
| webauthn2fUserVerification | Verify user during registration and login | ✔ | |||
| webauthnAppId | Send AppID extension | ✔ | |||
| webauthnAuthnLevel | WebAuthn authentication level | ✔ | |||
| webauthnDefaultTransports | WebAuthn default transports | ✔ | |||
| webauthnDisplayNameAttr | Session attribute containing user display name | ✔ | |||
| webauthnRpId | WebAuthn Relying Party ID | ✔ | |||
| webauthnRpName | WebAuthn Relying Party display name | ✔ | |||
| whatToTrace | Session parameter used to fill REMOTE_USER | ✔ | ✔ | ||
| wsdlServer | Enable /portal.wsdl server | ✔ | |||
| yubikey2fActivation | Yubikey second factor activation | ✔ | |||
| yubikey2fAuthnLevel | Authentication level for users authenticated by Yubikey second factor | ✔ | |||
| yubikey2fClientID | Yubico client ID | ✔ | |||
| yubikey2fFromSessionAttribute | Provision yubikey from the given session variable | ✔ | |||
| yubikey2fLabel | Portal label for Yubikey second factor | ✔ | |||
| yubikey2fLogo | Custom logo for Yubikey 2F | ✔ | |||
| yubikey2fNonce | Yubico nonce | ✔ | |||
| yubikey2fPublicIDSize | Yubikey public ID size | ✔ | |||
| yubikey2fSecretKey | Yubico secret key | ✔ | |||
| yubikey2fSelfRegistration | Yubikey self registration activation | ✔ | |||
| yubikey2fTTL | Yubikey device time to live | ✔ | |||
| yubikey2fUrl | Yubico server | ✔ | |||
| yubikey2fUserCanRemoveKey | Authorize users to remove existing Yubikey | ✔ | |||
| zimbraAccountKey | Zimbra account session key | ✔ | ✔ | ||
| zimbraBy | Zimbra account type | ✔ | ✔ | ||
| zimbraPreAuthKey | Zimbra preauthentication key | ✔ | ✔ | ||
| zimbraSsoUrl | Zimbra local SSO URL pattern | ✔ | ✔ | ||
| zimbraUrl | Zimbra preauthentication URL | ✔ | ✔ |
[1]: complex nodes
Configuration backend parameters
| Full name | Key name | Configuration backend |
|---|---|---|
| Configuration load timeout | confTimeout | all backends (default: 10) |
| DBI connection string | dbiChain | CDBI / RDBI |
| DBI user | dbiUser | |
| DBI password | dbiPassword | |
| DBI table name | dbiTable | |
| Directory | dirName | File / YAML |
| LDAP server | ldapServer | LDAP |
| LDAP port | ldapPort | |
| LDAP base | ldapConfBase | |
| LDAP bind dn | ldapBindDN | |
| LDAP bind password | ldapBindPassword | |
| LDAP ObjectClass | ldapObjectClass | |
| LDAP ID attribute | ldapAttributeId | |
| LDAP content attribute | ldapAttributeContent | |
| Certificate authorities file | caFile | |
| Certificate authorities directory | caPath | |
| MongoDB database | dbName | MongoDB |
| MongoDB collection | collectionName | |
| Pretty print | prettyPrint | File |
| REST base URL | baseUrl | REST |
| REST realm | realm | |
| REST user | user | |
| REST password | password | |
| SOAP server location (URL) | proxy | SOAP |
| LWP::UserAgent parameters | proxyOptions | |
| SOAP user | User | |
| SOAP password | Password | |
| Overlay real configuration backend | overlayRealtype | Overlay |
| Overlay directory | overlayDirectory | Overlay |
| Overlay write authorization | overlayWrite | Overlay |
