Docs
Identity Provider Proxy
Parameters

Parameters

Global Parameters

  • PRIVATE_KEY: private pem key string; private key used for JWT.
  • PUBLIC_KEY: public pem key string; public key used for JWT.
  • CERTIFICATE: signed certificate string;
  • SESSION_DURATION (optional): ISO-8601 string default 5min; duration of the Identity Provider proxy session (e.g., PT10M -> 10min); stateful updates the duration with each client interaction, stateless does not.
  • SESSION_COOKIE_SETTINGS (optional): string default httpOnly; secure; semicolon-separated values, the last cookie setting must not end with ;.
  • SESSION_COOKIE_DOMAIN_LEVEL (optional): u8 default 2; how many parts of the domain to include in the cookie starting from the right. If 0, the domain remains unchanged. Example: (“www.example.com”, 0) -> www.example.com, (“www.example.com”, 2) -> .example.com, (“app.example.com”, 2) -> .example.com, (“www.app.example.com”, 6) -> .www.app.example.com, (“www.example.com”, 3) -> .www.example.com.
  • SESSION_COOKIE_NAME (optional): string.
  • BASE64_CUSTOM_LOGO_DARK (optional): base64-encoded string; logo used for dark mode.
  • BASE64_CUSTOM_LOGO_LIGHT (optional): base64-encoded string; logo used for light mode.
  • SKIP_IDP_CHOICE_IF_ONE (optional): boolean default false; skips the Identity Provider choice if only one is available: this will prevent the user from needing to click the “login via acme.org” button.
  • COLOR (optional): string in RGB format; the base color used to generate all shades.
  • COLOR_SCHEME (optional): string; light, dark, or auto; color scheme applied to the client.
  • BASE64_ICON (optional): base64-encoded string; favicon.
  • LOGIN_PATH (optional): string default login; login path; set https://domain/login in the Identity Provider.
  • CALLBACK_PATH (optional): string default callback; callback path (where the Identity Provider redirects to the Relying Party); set https://domain/callback in the Identity Provider.
  • TRACE (optional): boolean default false; debug log.
  • TRUST_SELF_SIGNED_CERT (optional): boolean default false; SSL property of the HTTP client.
  • ADDITIONAL_REDIRECT_HEADERS_n (optional): string where n is a positive natural number; additional headers added during redirection to LOGIN_PATH.
  • STYLE (optional): string in CSS format; a stylesheet applied to LOGIN_PATH and CALLBACK_PATH.
  • CALLBACK_TEXT (optional): string; h1 text for the callback.
  • CALLBACK_ERROR (optional): string; callback error.
  • CALLBACK_TITLE (optional): string; HTML head tag title for the callback.
  • CALLBACK_EXPLANATION (optional): string; description of the callback.
  • LOGIN_TITLE (optional): string; HTML head tag title for the login.
  • LOGIN_TEXT (optional): string; h1 text for the login.
  • LOGIN_EXPLANATION (optional): string; description of the login.
  • LOGIN_ERROR (optional): string; login error.
  • CONTINUE_BUTTON (optional): string; continue button text.
  • CANCEL_BUTTON (optional): string; cancel button text.

Identity Provider Parameters

Parameters for the Identity Provider where n is a positive natural number:

  • ISSUER_n: url; location of the OpenID Connect well-known file; e.g., https://www.acme.org/.well-known/openid-configuration (opens in a new tab).
  • CLIENT_ID_n: string; a public identifier for the application. Created during client registration on the server.
  • CLIENT_SECRET_n: string; a secret key known only to the client and the authorization server. Created during client registration on the server.
  • BUTTON_TEXT_n: string; text displayed inside the button; e.g., login via acme.org.
  • AUTHENTICATION_PROTOCOL_n: string; openidconnect, openidfederation, saml2.
  • BUTTON_FILLED_n (optional): boolean default true; filled button style.
  • USERINFO_APPROVAL_n (optional): boolean default false; user approval for sharing Identity Provider information with the backend application.
  • BUTTON_IMAGE_BASE64_n (optional): base64-encoded string; icon on the left side of the button.
  • OIDC_USERINFO_ENDPOINT_n (optional) (OpenID Connect and OpenID Federation only): boolean default false; merges user information from the userinfo endpoint with the JWT access token.
  • OIDC_SKIP_ISSUER_VERIFICATION_n (optional) (OpenID Connect only): boolean default false; typically used for cross-tenant authentication, allows skipping issuer verification that initiated authentication. During the callback phase, the Identity Provider will pass the issuer of each cross-tenant user.
  • OIDC_CLAIMS_CSV_n (optional) (OpenID Connect and OpenID Federation only): csv; filter for claims in the Identity Provider metadata.
  • OIDC_SCOPES_CSV_n (optional) (OpenID Connect and OpenID Federation only): csv; filter for scopes in the Identity Provider metadata.
  • OIDC_REPLACE_IN_ENTITY_CONFIGURATION_n (optional) (OpenID Connect only): string with syntax toReplaceWord=newWord; used for replacing words in the entity configuration across tenants (e.g., Microsoft Entra, {tenantid}=5c756555-a890-459f-9f63-7738015a32e2).
  • SAML_SIGNED_ASSERTION_n (optional) (SAML2 only): boolean default false; signs interactions between the Identity Provider and the Service Provider (Relying Party).
  • SAML_BINDING_n (optional) (SAML2 only): SAML2 binding default HTTP-Redirect; HTTP-Redirect, HTTP-POST.
App registrationAPIs