Parameters

Global Parameters

PRIVATE_KEY: private pem key string; private key used for JWT.
PUBLIC_KEY: public pem key string; public key used for JWT.
CERTIFICATE: signed certificate string;
SESSION_DURATION (optional): ISO-8601 string default 5min; duration of the Identity Provider proxy session (e.g., PT10M -> 10min); stateful updates the duration with each client interaction, stateless does not.
SESSION_COOKIE_SETTINGS (optional): string default httpOnly; secure; semicolon-separated values, the last cookie setting must not end with ;.
SESSION_COOKIE_DOMAIN_LEVEL (optional): u8 default 2; how many parts of the domain to include in the cookie starting from the right. If 0, the domain remains unchanged. Example: (“www.example.com”, 0) -> www.example.com, (“www.example.com”, 2) -> .example.com, (“app.example.com”, 2) -> .example.com, (“www.app.example.com”, 6) -> .www.app.example.com, (“www.example.com”, 3) -> .www.example.com.
SESSION_COOKIE_NAME (optional): string.
BASE64_CUSTOM_LOGO_DARK (optional): base64-encoded string; logo used for dark mode.
BASE64_CUSTOM_LOGO_LIGHT (optional): base64-encoded string; logo used for light mode.
SKIP_IDP_CHOICE_IF_ONE (optional): boolean default false; skips the Identity Provider choice if only one is available: this will prevent the user from needing to click the “login via acme.org” button.
COLOR (optional): string in RGB format; the base color used to generate all shades.
COLOR_SCHEME (optional): string; light, dark, or auto; color scheme applied to the client.
BASE64_ICON (optional): base64-encoded string; favicon.
LOGIN_PATH (optional): string default login; login path; set https://domain/login in the Identity Provider.
CALLBACK_PATH (optional): string default callback; callback path (where the Identity Provider redirects to the Relying Party); set https://domain/callback in the Identity Provider.
TRACE (optional): boolean default false; debug log.
TRUST_SELF_SIGNED_CERT (optional): boolean default false; SSL property of the HTTP client.
ADDITIONAL_REDIRECT_HEADERS_n (optional): string where n is a positive natural number; additional headers added during redirection to LOGIN_PATH.
STYLE (optional): string in CSS format; a stylesheet applied to LOGIN_PATH and CALLBACK_PATH.
CALLBACK_TEXT (optional): string; h1 text for the callback.
CALLBACK_ERROR (optional): string; callback error.
CALLBACK_TITLE (optional): string; HTML head tag title for the callback.
CALLBACK_EXPLANATION (optional): string; description of the callback.
LOGIN_TITLE (optional): string; HTML head tag title for the login.
LOGIN_TEXT (optional): string; h1 text for the login.
LOGIN_EXPLANATION (optional): string; description of the login.
LOGIN_ERROR (optional): string; login error.
CONTINUE_BUTTON (optional): string; continue button text.
CANCEL_BUTTON (optional): string; cancel button text.
GROUP_ENABLE_n (opzionale): boolean; enable/disable group.
GROUP_n (opzionale): string csv; list of Identity Providers to be grouped together, ex: “1,2,4-8” i.e., Identity Providers number 1,2,4,5,6,7,8 where these numbers represent the value n of the parameter name (see Identity Provider Parameters).
GROUP_TEXT_n (opzionale): string; group name (placeholder of the select).
GROUP_IMAGE_BASE64_n (opzionale): string encoded base64; icon to the left of the group.
LANG (optional): string; lang attribute of the html tag (ex: en).
META_DESCRIPTION (optional): string; meta description contained in the head tag.

PS: Parameters beginning with GROUP_ have the value n which simply identifies the group and not the Identity Providers.

Identity Provider Parameters

Parameters for the Identity Provider where n is a positive natural number:

ISSUER_n: url; location of the OpenID Connect well-known file; e.g., https://www.acme.org/.well-known/openid-configuration .
CLIENT_ID_n: string; a public identifier for the application. Created during client registration on the server.
CLIENT_SECRET_n: string; a secret key known only to the client and the authorization server. Created during client registration on the server.
BUTTON_TEXT_n: string; text displayed inside the button; e.g., login via acme.org.
AUTHENTICATION_PROTOCOL_n: string; openidconnect, openidfederation, saml2.
BUTTON_FILLED_n (optional): boolean default true; filled button style.
USERINFO_APPROVAL_n (optional): boolean default false; user approval for sharing Identity Provider information with the backend application.
BUTTON_IMAGE_BASE64_n (optional): base64-encoded string; icon on the left side of the button.
OIDC_USERINFO_ENDPOINT_n (optional) (OpenID Connect and OpenID Federation only): boolean default false; merges user information from the userinfo endpoint with the JWT access token.
OIDC_SKIP_ISSUER_VERIFICATION_n (optional) (OpenID Connect only): boolean default false; typically used for cross-tenant authentication, allows skipping issuer verification that initiated authentication. During the callback phase, the Identity Provider will pass the issuer of each cross-tenant user.
OIDC_REPLACE_IN_ENTITY_CONFIGURATION_n (optional) (OpenID Connect only): string with syntax toReplaceWord=newWord; used for replacing words in the entity configuration across tenants (e.g., Microsoft Entra, {tenantid}=5c756555-a890-459f-9f63-7738015a32e2).
OIDC_SCOPES_CSV_n (optional) (OpenID Connect and OpenID Federation only): csv; filter for scopes in the Identity Provider metadata.
CLAIMS_CSV_n (optional): csv; filter for claims in the Identity Provider metadata.
SAML_SIGNED_ASSERTION_n (optional) (SAML2 only): boolean default false; signs interactions between the Identity Provider and the Service Provider (Relying Party).
SAML_BINDING_n (optional) (SAML2 only): SAML2 binding default HTTP-Redirect; HTTP-Redirect, HTTP-POST.

Parameters for generic SPID

The following parameters are suitable for both private and public Service Providers. Identity provider parameters where n is a non-zero natural number:

SPID_PRIVATE_KEY: string private key pem
SPID_PUBLIC_KEY: string public key pem
SPID_CERTIFICATE: string signed certificate pem
LOG_CERT: string certificate path in p12 format
LOG_CERT_PWD: string certificate password
LOG_CERT_ALIAS: string alias of the certificate
SAML_SIGNED_ASSERTION_n: boolean must be a true
BUTTON_TEXT_n: BUTTON_TEXT_ Identity Provider parameters
AUTHENTICATION_PROTOCOL_n: string must be saml2
SAML_BINDING_n: SAML_BINDING_ Identity Provider Parameters
BUTTON_FILLED_n: BUTTON_FILLED_ Identity Provider Parameters
BUTTON_IMAGE_BASE64_n: BUTTON_IMAGE_BASE64_ Identity Provider Parameters
CLIENT_ID_n: CLIENT_ID_ Identity Provider Parameters
ISSUER_n: string must contain SPID
SERVICE_NAME_n: string
ORGANIZATION_NAME_n: string Name - complete and in full and with the correct use of lower case, upper case, accented letters and other diacritical marks - of the SP, as given in the organizationName extension of the SP’s electronic certificate (example: “Agenzia per l’Italia Digitale”)
ORGANIZATION_DISPLAY_NAME_n: string Name of the SP, possibly in abbreviated form (without making explicit any acronyms) with the correct use of lower and upper case (example: “AgID”). During the authentication phase, IdPs alert the user to the submission of attributes to the SP, displaying the value of this tag to indicate the requesting entity
ORGANIZATION_URL_n: string Contains the `URL of a page on the SP’s Web site related to the authentication service or services accessible through it, the contents of which are localized to the language specified by its xml:lang attribute
ENVIRONMENT_n: string Allowed values are:
- validator-offline configuration verification phase (AgID validator must be installed on the machine)
- demo-offline configuration testing phase on a demo site (AgID validator must be installed on the machine)
- demo-online configuration testing phase on the AgID’s demo site
- validator-online phase where federation is requested from AgID
- prod phase after federation is confirmed by AgID

Parameters for SPID (private)

Identity provider parameters where n is a non-zero natural number:

PRIVATE_n: boolean set to true
VAT_NUMBER_n: string Mandatory for private SP with VAT ID (otherwise optional), it is valorized inclusive of ISO 3166-1 α-2 country code (no spaces)
FISCAL_CODE_n: string Mandatory for private SP with no vat number (otherwise optional), it is valorized including the tax code of the SP
COMPANY_n: string (0 or 1 occurrences) - If present, it is valorized as the OrganizationName tag contained in the Organization tag
EMAIL_ADDRESS_n: string (1 occurrence, mandatory) - Contains the e-mail address, corporate or institutional, to contact the entity for electronic billing matters. This may be a corporate certified electronic mail (pec) address, but it must not be a personal e-mail box
TELEPHONE_NUMBER_n: string (0 or 1 occurrence) - Contains the telephone number, for contacting the SP; without spaces and including the international area code (example: “+39” for Italy)
ID_PAESE_n: string
ID_CODICE_n: number
DENOMINAZIONE_n: string Billing recipient
INDIRIZZO_n: string
NUMERO_CIVICO_n: number
CAP_n: number
COMUNE_n: string
PROVINCIA_n: string
NAZIONE_n: string
COMPANY_FATTURAZIONE_n: string (0 or 1 occurrence) - Mandatory if the entity for issuing invoices is distinct from the SP itself (and in any case bearing the full and complete name of a legal entity, with the correct use of lower case, upper case and diacritical marks)
EMAIL_ADDRESS_FATTURAZIONE_n: string string (1 occurrence, mandatory) - Contains the e-mail address for contacting the SP. This must not be an address directly referable to an individual

Parameters for SPID (public)

Identity provider parameters where n is a non-zero natural number:

PRIVATE_n: boolean set to false
IPA_CODE_n: string is valued with the ipa code of the Entity

For SPID metadata references click here