Parameters

Global Parameters

• PRIVATE_KEY: private pem key string; private key used for JWT.
• PUBLIC_KEY: public pem key string; public key used for JWT.
• CERTIFICATE: signed certificate string;
• SESSION_DURATION (optional): ISO-8601 string default 5min; duration of the Identity Provider proxy session (e.g., PT10M -> 10min); stateful updates the duration with each client interaction, stateless does not.
• SESSION_COOKIE_SETTINGS (optional): string default httpOnly; secure; semicolon-separated values, the last cookie setting must not end with ;.
• SESSION_COOKIE_DOMAIN_LEVEL (optional): u8 default 2; how many parts of the domain to include in the cookie starting from the right. If 0, the domain remains unchanged. Example: (“www.example.com”, 0) -> www.example.com, (“www.example.com”, 2) -> .example.com, (“app.example.com”, 2) -> .example.com, (“www.app.example.com”, 6) -> .www.app.example.com, (“www.example.com”, 3) -> .www.example.com.
• SESSION_COOKIE_NAME (optional): string.
• BASE64_CUSTOM_LOGO_DARK (optional): base64-encoded string; logo used for dark mode.
• BASE64_CUSTOM_LOGO_LIGHT (optional): base64-encoded string; logo used for light mode.
• SKIP_IDP_CHOICE_IF_ONE (optional): boolean default false; skips the Identity Provider choice if only one is available: this will prevent the user from needing to click the “login via acme.org” button.
• COLOR (optional): string in RGB format; the base color used to generate all shades.
• COLOR_SCHEME (optional): string; light, dark, or auto; color scheme applied to the client.
• BASE64_ICON (optional): base64-encoded string; favicon.
• LOGIN_PATH (optional): string default login; login path; set https://domain/login in the Identity Provider.
• CALLBACK_PATH (optional): string default callback; callback path (where the Identity Provider redirects to the Relying Party); set https://domain/callback in the Identity Provider.
• TRACE (optional): boolean default false; debug log.
• TRUST_SELF_SIGNED_CERT (optional): boolean default false; SSL property of the HTTP client.
• ADDITIONAL_REDIRECT_HEADERS_n (optional): string where n is a positive natural number; additional headers added during redirection to LOGIN_PATH.
• STYLE (optional): string in CSS format; a stylesheet applied to LOGIN_PATH and CALLBACK_PATH.
• CALLBACK_TEXT (optional): string; h1 text for the callback.
• CALLBACK_ERROR (optional): string; callback error.
• CALLBACK_TITLE (optional): string; HTML head tag title for the callback.
• CALLBACK_EXPLANATION (optional): string; description of the callback.
• LOGIN_TITLE (optional): string; HTML head tag title for the login.
• LOGIN_TEXT (optional): string; h1 text for the login.
• LOGIN_EXPLANATION (optional): string; description of the login.
• LOGIN_ERROR (optional): string; login error.
• CONTINUE_BUTTON (optional): string; continue button text.
• CANCEL_BUTTON (optional): string; cancel button text.
• GROUP_ENABLE_n (opzionale): boolean; enable/disable group.
• GROUP_n (opzionale): string csv; list of Identity Providers to be grouped together, ex: “1,2,4-8” i.e., Identity Providers number 1,2,4,5,6,7,8 where these numbers represent the value n of the parameter name (see Identity Provider Parameters).
• GROUP_TEXT_n (opzionale): string; group name (placeholder of the select).
• GROUP_IMAGE_BASE64_n (opzionale): string encoded base64; icon to the left of the group.
• LANG (optional): string; lang attribute of the html tag (ex: en).
• META_DESCRIPTION (optional): string; meta description contained in the head tag.

PS: Parameters beginning with GROUP_ have the value n which simply identifies the group and not the Identity Providers.

Identity Provider Parameters

Parameters for the Identity Provider where n is a positive natural number:

• ISSUER_n: url; location of the OpenID Connect well-known file; e.g., https://www.acme.org/.well-known/openid-configuration .
• CLIENT_ID_n: string; a public identifier for the application. Created during client registration on the server.
• CLIENT_SECRET_n: string; a secret key known only to the client and the authorization server. Created during client registration on the server.
• BUTTON_TEXT_n: string; text displayed inside the button; e.g., login via acme.org.
• AUTHENTICATION_PROTOCOL_n: string; openidconnect, openidfederation, saml2.
• BUTTON_FILLED_n (optional): boolean default true; filled button style.
• USERINFO_APPROVAL_n (optional): boolean default false; user approval for sharing Identity Provider information with the backend application.
• BUTTON_IMAGE_BASE64_n (optional): base64-encoded string; icon on the left side of the button.
• OIDC_USERINFO_ENDPOINT_n (optional) (OpenID Connect and OpenID Federation only): boolean default false; merges user information from the userinfo endpoint with the JWT access token.
• OIDC_SKIP_ISSUER_VERIFICATION_n (optional) (OpenID Connect only): boolean default false; typically used for cross-tenant authentication, allows skipping issuer verification that initiated authentication. During the callback phase, the Identity Provider will pass the issuer of each cross-tenant user.
• OIDC_REPLACE_IN_ENTITY_CONFIGURATION_n (optional) (OpenID Connect only): string with syntax toReplaceWord=newWord; used for replacing words in the entity configuration across tenants (e.g., Microsoft Entra, {tenantid}=5c756555-a890-459f-9f63-7738015a32e2).
• OIDC_SCOPES_CSV_n (optional) (OpenID Connect and OpenID Federation only): csv; filter for scopes in the Identity Provider metadata.
• CLAIMS_CSV_n (optional): csv; filter for claims in the Identity Provider metadata.
• UNIFIED_CLAIMS_n (optional): csv; transforms jwt response keys. Must be composed as follows: key1=key2 where key1 is the key you want to change and key2 is the key you want to get (transforms key1 to key2). Eg: key1=key2,key3=key4.
• SAML_SIGNED_ASSERTION_n (optional) (SAML2 only): boolean default false; signs interactions between the Identity Provider and the Service Provider (Relying Party).
• SAML_BINDING_n (optional) (SAML2 only): SAML2 binding default HTTP-Redirect; HTTP-Redirect, HTTP-POST.