Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
devel:documentation:application_configuration:dev:backend [2023/02/24 12:05] – [Security] add proxy recaptcha koprodevel:documentation:application_configuration:dev:backend [2025/10/22 11:29] (current) – [Application/ Server] otmara
Line 94: Line 94:
 # - disabled # - disabled
 # - description # - description
-idm.pub.app.show.role.table.columns=name, baseCode, environment, disabled, description+idm.pub.app.show.role.table.columns=name, baseCode, zone, tier, environment, disabled, description 
 +# Configuration variable that controls how roles are displayed in role requests. 
 +# If set to false, all roles will be shown in the request. 
 +# If set to true, only newly added or changed roles will be shown. 
 +idm.pub.core.audit.switchShowChangesOnly.enabled=false 
 +# List of bulk actions that will not be available in the table in role detail - users with role 
 +# Actions listed here will disappear completely from the table (they won't just be greyed out) 
 +idm.pub.app.show.role.identity.prohibited=identity-enable-bulk-action,identity-disable-bulk-action,identity-remove-role-bulk-action,identity-add-role-bulk-action,identity-change-contract-tree-node-and-validity-bulk-action 
 +# If set to false, the link to profile detail (looking glass icon) will not appear in 
 +idm.pub.app.show.role.identity.detail=false
 # Show role catalogue item code in role catalogue tree # Show role catalogue item code in role catalogue tree
 idm.pub.app.show.roleCatalogue.tree.code=false idm.pub.app.show.roleCatalogue.tree.code=false
Line 129: Line 138:
 # - passwordexpiration - information about identity password epiration # - passwordexpiration - information about identity password epiration
 # - description # - description
 +# - pam - Flag indicating whether this identity is managed under Privileged Access Management (PAM) (since 15.6.0)
 # Note: Table in identity agenda can be configured with this property (common identity table with columns is not specified on FE). # Note: Table in identity agenda can be configured with this property (common identity table with columns is not specified on FE).
 # If you want to configure rendered columns for all tables generalized from identity table (e.g. on role or tree node detail), # If you want to configure rendered columns for all tables generalized from identity table (e.g. on role or tree node detail),
 # you can use FE configuration https://wiki.czechidm.com/devel/documentation/application_configuration/dev/frontend # you can use FE configuration https://wiki.czechidm.com/devel/documentation/application_configuration/dev/frontend
 idm.pub.app.show.identity.table.columns=username, lastName, firstName, externalCode, email, state, description idm.pub.app.show.identity.table.columns=username, lastName, firstName, externalCode, email, state, description
-idm.pub.app.show.identityRole.table.columns=role, roleAttributes, environment, identityContract, contractPosition, validFrom, validTill, directRole, automaticRole, incompatibleRoles, description, priority+# Rendered columns in user roles agenda (Directly assigned roles). Comma is used as separator. Order of rendered columns is preserved as configured. 
 +idm.pub.app.show.identityRole.table.columns=role, roleAttributes, environment, owner, contractPosition, validFrom, validTill, directRole, automaticRole, incompatibleRoles, description, priority 
 +# Rendered columns in role requests in the table for assigned roles. Comma is used as separator. Order of rendered columns is preserved as configured. 
 +idm.pub.app.show.role.request.table.columns=name, description, roleAttributes, contractPosition, validFrom, validTill, directRole, automaticRole, action, priority 
 +# if is true, only direct roles are displayed in role request table (@since 13.0.21, 14.0.4) 
 +idm.pub.app.show.role.request.table.directOnly=false
 # If is true, then role-request description will be show on the detail. # If is true, then role-request description will be show on the detail.
 # Description will hidden if this property will be false and role request # Description will hidden if this property will be false and role request
Line 166: Line 181:
 # Set property to false to disable init data creation and updates. # Set property to false to disable init data creation and updates.
 idm.sec.core.init.data.enabled=true idm.sec.core.init.data.enabled=true
 +
 +# Rendered columns in account agenda
 +idm.pub.app.show.account.table.columns=accountType, entityType, uid, system, zone, tier, inProtection, endOfProtection, systemEntity, targetEntity
 +
  
 </code> </code>
Line 173: Line 192:
 @since 11.1.0 @since 11.1.0
  
-Application instance (server) is used for asynchronus processing - for scheduled tasks, asynchronous long running tasks and events. Instance identifier can be defined in the application profile (application.properties) by property ''idm.pub.app.instanceId''. When we want to schedule and process asynchronous tasks and event on other instace (or when one instance shutdown), then we can switch processing by provided bulk action ''Change server for asynchronous processing''  in configuration agenda:+Application instance (server) is used for asynchronus processing - for scheduled tasks, asynchronous long running tasks and events. Instance identifier can be defined in the application profile (application.properties) by property ''idm.pub.app.instanceId''. When we want to schedule and process asynchronous tasks and event on other instace (or when one instance shutdown), then we can switch processing by provided bulk action ''Change server for asynchronous processing'' in configuration agenda:
  
 {{  .:switch-instance-bulk-action.png  }} {{  .:switch-instance-bulk-action.png  }}
Line 184: Line 203:
   * ''SCHEDULER_UPDATE''  - scheduled tasks and created (~ not processed) asynchronous long running tasks will be changed.   * ''SCHEDULER_UPDATE''  - scheduled tasks and created (~ not processed) asynchronous long running tasks will be changed.
   * ''ENTITYEVENT_UPDATE''  - created (~ not processed) asynchronous events will be changed.   * ''ENTITYEVENT_UPDATE''  - created (~ not processed) asynchronous events will be changed.
 +=== Filters and columns to users table and subordinates table ===
 +
 +@since 14.1.0
 +
 +A new variable has been added that makes the contract end date column visible and provides a filter to select by "Valid till" date. If a user has multiple contracts, all end dates will be visible. Filtering by contract end date includes the boundary for the entered day. If you want to filter, for example, all subordinates for a specific day, fill both date boxes with that day. If one of these dates is not set, the boundary will be ignored.
 +
 +You can add the configuration variable ''idm.pub.app.show.identity.table.columns''  with the value ''contractenddates''  it will make contract column visible and add two filter boxes above table.
 +
 +The configuration variable ''idm.pub.app.show.identity-subordinates.table.columns''  is not set by default. If you add the ''contractenddates''  variable, it will show only the username and contract end date. To display additional columns like name, last name, etc., include them in the frontend configuration for the identity table. For example: ''idm.pub.app.show.identity-subordinates.table.columns=username, lastName, firstName, externalCode, email, state, description, contractenddates''. After setting these configuration values in red boxes, the new values for version 14.1.0 will be:
 +
 +{{.:subordinates-contract-end-date-filter.png?600}}
 +
 +=== Update contract end date pre-fill date ===
 +
 +@since 14.1.0
 +
 +If you add the following configuration variable, it will pre-fill the **Valid till**  date for contracts. The pre-filled date will be today's date + x days based on the configuration value.
 +
 +For example: ''idm.sec.core.bulk.action.identity-change-contract-tree-node-and-validity.extension-period-days=365''
 +
 +Date will be pre-filed with today date + 365 days.
 +
 +
 ==== Jpa ==== ==== Jpa ====
  
Line 220: Line 262:
 # Enlarge pool size by default. This property should be revised for each project. Size should be configured by task and event thread pool size - should be higher than sum of pool sizes. # Enlarge pool size by default. This property should be revised for each project. Size should be configured by task and event thread pool size - should be higher than sum of pool sizes.
 spring.datasource.maximumPoolSize=50 spring.datasource.maximumPoolSize=50
 +
  
 </code> </code>
Line 233: Line 276:
 There are by default two datasources configured There are by default two datasources configured
  
-      * datasource - default datasource, which is being used for almost all database communication (Flyway, JPA repositories) +  * datasource - default datasource, which is being used for almost all database communication (Flyway, JPA repositories) 
-      * loggingDatasource - This datasource is used by our database logging appender to write logging messages, when databes appender is enabled. The reason why this is done by separate datasource is to prevent database logging to hog database connections and hinder the application performance+  * loggingDatasource - This datasource is used by our database logging appender to write logging messages, when databes appender is enabled. The reason why this is done by separate datasource is to prevent database logging to hog database connections and hinder the application performance
   *   *
  
 Configuration properties, that have changed with introduction of additional datasources: Configuration properties, that have changed with introduction of additional datasources:
  
-      * //''spring.datasource.''url →// //''spring.datasource.jdbcUrl'' // +  * //''spring.datasource.''url →// //''spring.datasource.jdbcUrl'' // 
-      * spring.datasource.hikari.* → spring.datasource.*+  * spring.datasource.hikari.* → spring.datasource.*
   *   *
  
 Both datasources are required for the app to start. Both datasources are required for the app to start.
  
-      * By default, both datasources are configured for H2 in-memory database +  * By default, both datasources are configured for H2 in-memory database 
-      * If you specify property spring.datasource.jdbcUrl, IdM will no longer use in memory database for main datasource and instead it will configure connection using spring.datasource.* properties +  * If you specify property spring.datasource.jdbcUrl, IdM will no longer use in memory database for main datasource and instead it will configure connection using spring.datasource.* properties 
-      * The same goes for loggingDatasource, which is configured using spring.logging-datasource.* properties+  * The same goes for loggingDatasource, which is configured using spring.logging-datasource.* properties
  
 ===== Datasource configuration properties ===== Datasource configuration properties
Line 254: Line 297:
  
 ===== Developer ===== ===== Developer =====
-      * If you are using ''EntityManager''  in your code, you will run into the issue with autowiring. In order to fix it, you need to explicitly specify, which ''EntityManager''  bean you want spring to autowire. You can use + 
-        * @CoreEntityManager` annotation, if you want to autowire main application datasource (in most cases you want to use this +  * If you are using ''EntityManager''  in your code, you will run into the issue with autowiring. In order to fix it, you need to explicitly specify, which ''EntityManager''  bean you want spring to autowire. You can use 
-        * @Qualifier("coreEntityManager") annotation, if you want to autowire main application datasource and do not want to explicitly define dependency on core-api module+      * @CoreEntityManager` annotation, if you want to autowire main application datasource (in most cases you want to use this 
 +      * @Qualifier("coreEntityManager") annotation, if you want to autowire main application datasource and do not want to explicitly define dependency on core-api module
  
 === JNDI datasource === === JNDI datasource ===
Line 275: Line 319:
             maxIdle="4"/>             maxIdle="4"/>
 </Context> </Context>
 +
  
 </code> </code>
Line 283: Line 328:
 # JNDI location of the datasource. Class, url, username & password are ignored when set. # JNDI location of the datasource. Class, url, username & password are ignored when set.
 spring.datasource.jndi-name=PostgresDS spring.datasource.jndi-name=PostgresDS
 +
  
 </code> </code>
Line 299: Line 345:
 </appender> </appender>
 ... ...
 +
  
 </code> </code>
Line 327: Line 374:
 # add ssl usage flag, see https://jdbc.postgresql.org/documentation/head/connect.html # add ssl usage flag, see https://jdbc.postgresql.org/documentation/head/connect.html
 spring.datasource.url=jdbc:postgresql://localhost:5432/bcv_idm_storage?ssl=true spring.datasource.url=jdbc:postgresql://localhost:5432/bcv_idm_storage?ssl=true
 +
  
 </code> </code>
Line 347: Line 395:
 # Size in MB # Size in MB
 idm.sec.cache.terracota.resource.pool.size=32 idm.sec.cache.terracota.resource.pool.size=32
 +
  
 </code> </code>
Line 384: Line 433:
 # Temporary file is used mainly for upload files internaly. When upload is complete, then temporary file is moved into normal IdM attachment (~ temporary file is not reachable, after user session ends). # Temporary file is used mainly for upload files internaly. When upload is complete, then temporary file is moved into normal IdM attachment (~ temporary file is not reachable, after user session ends).
 idm.sec.core.attachment.tempTtl=1209600000 idm.sec.core.attachment.tempTtl=1209600000
 +
  
 </code> </code>
Line 405: Line 455:
 # definitions name pattern - subfolders can be used # definitions name pattern - subfolders can be used
 spring.activiti.processDefinitionLocationSuffixes=**/**.bpmn20.xml spring.activiti.processDefinitionLocationSuffixes=**/**.bpmn20.xml
 +
  
 </code> </code>
Line 428: Line 479:
 # - test secret key: https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha-v2-what-should-i-do # - test secret key: https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha-v2-what-should-i-do
 idm.sec.security.recaptcha.secretKey=xxx idm.sec.security.recaptcha.secretKey=xxx
-# Proxy configuration for reCAPTCHA+# Proxy configuration for reCAPTCHA (since version 12.2.5)
 idm.sec.security.recaptcha.proxy=12.34.56.78:1234 idm.sec.security.recaptcha.proxy=12.34.56.78:1234
 +
  
 </code> </code>
Line 443: Line 495:
 # @see https://proj.bcvsolutions.eu/ngidm/doku.php?id=navrh:databazove_scripty # @see https://proj.bcvsolutions.eu/ngidm/doku.php?id=navrh:databazove_scripty
 flyway.enabled=false flyway.enabled=false
 +
  
 </code> </code>
Line 467: Line 520:
 # IdmFlywayMigrationStrategy resolves used jdbc database dynamically - ${dbName} in location could be used. # IdmFlywayMigrationStrategy resolves used jdbc database dynamically - ${dbName} in location could be used.
 flyway.core.locations=classpath:eu/bcvsolutions/idm/core/sql/${dbName} flyway.core.locations=classpath:eu/bcvsolutions/idm/core/sql/${dbName}
 +
  
 </code> </code>
Line 490: Line 544:
 module.<module>.build.name=@project.name@ module.<module>.build.name=@project.name@
 module.<module>.build.description=@project.description@ module.<module>.build.description=@project.description@
 +
  
 </code> </code>
Line 508: Line 563:
 springfox.documentation.swagger.outputDir=@swagger.output.dir@ springfox.documentation.swagger.outputDir=@swagger.output.dir@
 springfox.documentation.swagger.outputFilename=@swagger.output.filename@ springfox.documentation.swagger.outputFilename=@swagger.output.filename@
 +
  
 </code> </code>
Line 526: Line 582:
 # The FROM email address. # The FROM email address.
 idm.sec.core.emailer.from=idm@bcvsolutions.eu idm.sec.core.emailer.from=idm@bcvsolutions.eu
 +
  
 </code> </code>
Line 540: Line 597:
 idm.sec.core.notification.template.folder=classpath*:/eu/bcvsolutions/idm/template/ idm.sec.core.notification.template.folder=classpath*:/eu/bcvsolutions/idm/template/
 idm.sec.core.notification.template.fileSuffix=**/**.xml # template suffix idm.sec.core.notification.template.fileSuffix=**/**.xml # template suffix
 +
  
 </code> </code>
Line 554: Line 612:
 idm.sec.core.script.folder=classpath*:/eu/bcvsolutions/idm/scripts/ idm.sec.core.script.folder=classpath*:/eu/bcvsolutions/idm/scripts/
 idm.sec.core.script.fileSuffix=**/**.xml idm.sec.core.script.fileSuffix=**/**.xml
 +
  
 </code> </code>
Line 599: Line 658:
 # Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5). # Thread priority for threads in event executor pool - 6 by default (a little higher priority than normal 5).
 scheduler.event.executor.threadPriority=6 scheduler.event.executor.threadPriority=6
 +
  
 </code> </code>
Line 627: Line 687:
 # Needed on FE (=> public) # Needed on FE (=> public)
 idm.pub.core.identity.passwordChange.public.idm.enabled=true idm.pub.core.identity.passwordChange.public.idm.enabled=true
 +#
 +# Configure initial state of account selection for password change (since version 13.0.16 and pwdreset 3.0.8)
 +# true - whether all of the accounts will be selected initially
 +# false - non of the accounts will be selected initially
 +idm.pub.core.identity.passwordChange.preselectSystems=true
 # #
 # Skip identity dashboard content - show full detail directly (link from table or from info component) # Skip identity dashboard content - show full detail directly (link from table or from info component)
Line 637: Line 702:
 # Creates default identity's contract with configured position name. # Creates default identity's contract with configured position name.
 idm.sec.core.identity.create.defaultContract.position=Default idm.sec.core.identity.create.defaultContract.position=Default
 +# This conf. property will pre-filled to the position name in the projection form when creating a new user. If the configuration value is not provided, the position name defaults to "Default".
 +idm.pub.core.identity.create.defaultContract.position=Contract name
 # Creates default identity's contract with configured state. Valid contract will be crated by default, other possible values: # Creates default identity's contract with configured state. Valid contract will be crated by default, other possible values:
 # EXCLUDED - Excluded from evidence - remains valid, but roles assigned for this contract are not added for logged identity. # EXCLUDED - Excluded from evidence - remains valid, but roles assigned for this contract are not added for logged identity.
Line 647: Line 714:
 # Profile image max file size in readable string format (e.g. 200KB). # Profile image max file size in readable string format (e.g. 200KB).
 idm.sec.core.identity.profile.image.max-file-size=512KB idm.sec.core.identity.profile.image.max-file-size=512KB
 +
 +# Validation all password to banned strings. Banned string are comparison for similarity to first name last name, usernames, account name, ... 
 +# Configuration is global for all users, accounts and all policies 
 +idm.sec.core.identity.passwordChange.validateBannedStrings=false
  
 </code> </code>
Line 661: Line 731:
 # termination of the contract from the currently valid slice. # termination of the contract from the currently valid slice.
 idm.sec.core.contract-slice.protection-interval=0 idm.sec.core.contract-slice.protection-interval=0
 +
  
 </code> </code>
Line 705: Line 776:
 # Look out: when separator is changed, then all roles should be updated (manually from ui, by scripted LRT or by change script). # Look out: when separator is changed, then all roles should be updated (manually from ui, by scripted LRT or by change script).
 idm.sec.core.role.codeEnvironmentSeperator=| idm.sec.core.role.codeEnvironmentSeperator=|
 +
  
 </code> </code>
Line 719: Line 791:
 # Default tree node (uuid) - is used, when default contract is created. More in Contractual relationship doc. # Default tree node (uuid) - is used, when default contract is created. More in Contractual relationship doc.
 idm.sec.core.tree.defaultNode= idm.sec.core.tree.defaultNode=
 +
  
 </code> </code>
Line 729: Line 802:
 # rebuild index in progress (true). When tree type index rebuild is in progress, then tree node cannot be created / updated / deleted. # rebuild index in progress (true). When tree type index rebuild is in progress, then tree node cannot be created / updated / deleted.
 idm.sec.core.treeType.<tree-code>.rebuild=false idm.sec.core.treeType.<tree-code>.rebuild=false
 +
  
 </code> </code>
Line 749: Line 823:
 # If you events are processed quickly (~provisioning on your environment is quick), then batch size can be higher (in combination with higher 'scheduler.event.queue.process' property). # If you events are processed quickly (~provisioning on your environment is quick), then batch size can be higher (in combination with higher 'scheduler.event.queue.process' property).
 idm.sec.core.event.asynchronous.batchSize=15 idm.sec.core.event.asynchronous.batchSize=15
 +
  
 </code> </code>
Line 761: Line 836:
 # override event types for given processor # override event types for given processor
 idm.sec.<module>.processor.<name>.eventTypes=CREATE,UPDATE idm.sec.<module>.processor.<name>.eventTypes=CREATE,UPDATE
 +
  
 </code> </code>
Line 782: Line 858:
 # disable / enable bulk action # disable / enable bulk action
 idm.sec.<module>.bulk-action.<name>.enabled=true idm.sec.<module>.bulk-action.<name>.enabled=true
 +
  
 </code> </code>
Line 826: Line 903:
 # Default main WF for approve all roles. # Default main WF for approve all roles.
 idm.sec.core.processor.role-request-approval-processor.wf=approve-identity-change-permissions idm.sec.core.processor.role-request-approval-processor.wf=approve-identity-change-permissions
 +
  
 </code> </code>
Line 838: Line 916:
 # If returns null, then all guarantees will be used for approving (no limitations). # If returns null, then all guarantees will be used for approving (no limitations).
 idm.sec.core.request.idm-role.approval.guarantee-type= idm.sec.core.request.idm-role.approval.guarantee-type=
 +
  
 </code> </code>
Line 850: Line 929:
 ## Enable sending notification of changing roles to user, who made request ## Enable sending notification of changing roles to user, who made request
 idm.sec.core.wf.notification.implementer.enabled=true idm.sec.core.wf.notification.implementer.enabled=true
 +
  
 </code> </code>
Line 864: Line 944:
 # or secretKey defined in the external file - secret.keyPath # or secretKey defined in the external file - secret.keyPath
 # cipher.crypt.secret.keyPath=/path/to/key # cipher.crypt.secret.keyPath=/path/to/key
 +
  
 </code> </code>
Line 879: Line 960:
 # Throws exception, when size is exceeded. Set to {@code -1} to disable this check. # Throws exception, when size is exceeded. Set to {@code -1} to disable this check.
 idm.sec.core.filter.check.size.maximum=500 idm.sec.core.filter.check.size.maximum=500
 +
  
 </code> </code>
Line 889: Line 971:
 # filter implementation # filter implementation
 idm.sec.<module>.filter.<entity>.<name>.impl=<beanName> idm.sec.<module>.filter.<entity>.<name>.impl=<beanName>
 +
  
 </code> </code>
Line 911: Line 994:
 # sender implementation # sender implementation
 idm.sec.<module>.notification-sender.<notificationType>.impl=<beanName> idm.sec.<module>.notification-sender.<notificationType>.impl=<beanName>
 +
  
 </code> </code>
Line 930: Line 1014:
 # ID system against which to authenticate # ID system against which to authenticate
 idm.sec.security.auth.system= idm.sec.security.auth.system=
 +
  
 </code> </code>
Line 938: Line 1023:
 idm.sec.acc.security.auth.order1.system= idm.sec.acc.security.auth.order1.system=
 idm.sec.acc.security.auth.order2.system= idm.sec.acc.security.auth.order2.system=
 +
  
 </code> </code>
Line 945: Line 1031:
 <code properties> <code properties>
 idm.sec.acc.security.auth.maximumSystemCount=50 idm.sec.acc.security.auth.maximumSystemCount=50
 +
  
 </code> </code>
Line 957: Line 1044:
 # enable/ disable filter - enabled by default or by filter implementation. # enable/ disable filter - enabled by default or by filter implementation.
 idm.sec.<module>.authentication-filter.<name>.enabled=true idm.sec.<module>.authentication-filter.<name>.enabled=true
 +
  
 </code> </code>
Line 980: Line 1068:
 # The uids that can't be authenticated by SSO # The uids that can't be authenticated by SSO
 idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids= idm.sec.core.authentication-filter.core-sso-authentication-filter.forbidden-uids=
 +
  
 </code> </code>
Line 994: Line 1083:
 # The uids that can't be authenticated by SSO # The uids that can't be authenticated by SSO
 idm.sec.core.authentication-filter.core-remote-user-authentication-filter.forbidden-uids= idm.sec.core.authentication-filter.core-remote-user-authentication-filter.forbidden-uids=
 +
  
 </code> </code>
Line 1038: Line 1128:
 # Path to CzechIdM for the HTTP Referer header used by CAS while redirecting back to application. This value is concatenated with CAS ticket to form Referer header. Syntax of this field is https://hostname-of-CzechIdM/URI/?ticket=. Not configured by default. # Path to CzechIdM for the HTTP Referer header used by CAS while redirecting back to application. This value is concatenated with CAS ticket to form Referer header. Syntax of this field is https://hostname-of-CzechIdM/URI/?ticket=. Not configured by default.
 idm.sec.core.cas.header-prefix= idm.sec.core.cas.header-prefix=
 +
 +
 +</code>
 +
 +=== OIDC authentication ===
 +
 +@since 13.1.0 [[this>wiki.czechidm.com/wiki.czechidm.com/wiki.czechidm.com/devel/documentation/security/dev/security#oidc_authentication|OIDC authentication]] can be configured with following properties:
 +
 +<code properties>
 +# Enable authentication via OIDC when false IDM will return 503 SERVICE_UNAVAILABLE on enpoints used for OICD auth, and ignore any Bearer token. Default: false
 +idm.pub.core.oidc.enabled=false
 +# REQIRED configuration
 +# client-id confugured in CAS Service
 +idm.sec.core.oidc.client-id=
 +# client-secret confugured in CAS Service
 +idm.sec.core.oidc.client-secret=
 +# Base URL where OICD provider is accessible. Syntax of this field is https://hostname-of-OICD/URI.
 +idm.sec.core.oidc.url=
 +
 +# OPTIONAL configuration
 +idm.sec.core.oidc.login-path=/authorize
 +idm.sec.core.oidc.logout-path=/logout
 +idm.sec.core.oidc.token-path=/token
 +
 +​​​​​# Configuration for spring.security most is gotten from auto-discover endpoint (${idm.sec.core.oidc.url}/.well-known/openid-configuration) but can be overwritten here
 +spring.security.oauth2.client.registration.cas.client-id=${idm.sec.core.oidc.client-id}
 +spring.security.oauth2.client.registration.cas.client-secret=${idm.sec.core.oidc.client-secret}
 +spring.security.oauth2.client.registration.cas.scope=openid
 +spring.security.oauth2.client.registration.cas.redirect-uri={baseUrl}/api/v1/authentication/oidc-login-response/{registrationId}
 +#spring.security.oauth2.client.registration.cas.authorization-grant-type=authorization_code
 +#spring.security.oauth2.resource.jwk.key-set-uri=${idm.sec.core.oidc.url}/jwks
 +
 +spring.security.oauth2.client.provider.cas.issuer-uri=${idm.sec.core.oidc.url}
 +#spring.security.oauth2.client.provider.cas.token-uri=${idm.sec.core.oidc.token-path}
 +#spring.security.oauth2.client.provider.cas.authorization-uri=${idm.sec.core.oidc.login-path}
 +
  
 </code> </code>
Line 1049: Line 1175:
 # Configured attachment storage patrh ( see 'idm.sec.core.attachment.storagePath') is used as default. # Configured attachment storage patrh ( see 'idm.sec.core.attachment.storagePath') is used as default.
 idm.sec.core.backups.default.folder.path=/tmp/backup idm.sec.core.backups.default.folder.path=/tmp/backup
 +
  
 </code> </code>
Line 1054: Line 1181:
 ==== Http proxy ==== ==== Http proxy ====
  
-For outgoing http communication, you can set a proxy (currently used only by ReCaptcha).+For outgoing http communication, you can set a proxy.
  
 **Server restart**  is needed to apply this configuration change. **Server restart**  is needed to apply this configuration change.
Line 1061: Line 1188:
 # Proxy for HTTP requests # Proxy for HTTP requests
 idm.sec.core.http.proxy=12.34.56.78:1234 idm.sec.core.http.proxy=12.34.56.78:1234
 +
 +# For reCAPTCHA is used since version 12.2.5 new configuration. Backward compatibility with original configuration still exists.
 +# Proxy configuration for reCAPTCHA
 +idm.sec.security.recaptcha.proxy=12.34.56.78:1234
 +
  
 </code> </code>
Line 1071: Line 1203:
 # use cglib for proxies by default # use cglib for proxies by default
 spring.aop.proxy-target-class=true spring.aop.proxy-target-class=true
 +
  
 </code> </code>
Line 1081: Line 1214:
 # If you do not define default role, then will be used **superAdminRole** as default! # If you do not define default role, then will be used **superAdminRole** as default!
 idm.sec.vs.role.default=<some-code-of-role> idm.sec.vs.role.default=<some-code-of-role>
 +
  
 </code> </code>
Line 1089: Line 1223:
 # Long polling # Long polling
 idm.pub.app.long-polling.enabled=true idm.pub.app.long-polling.enabled=true
 +
  
 </code> </code>
Line 1114: Line 1249:
 # Timeout has to be configured>= 1000, otherwise default will be returned. # Timeout has to be configured>= 1000, otherwise default will be returned.
 idm.sec.acc.provisioning.timeout=180000 idm.sec.acc.provisioning.timeout=180000
 +
  
 </code> </code>
Line 1175: Line 1311:
 # Global break for delete. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',') # Global break for delete. Recipient will be solved as identities that has assigned defined role/s (role code or id, split by ',')
 idm.sec.acc.provisioning.break.delete.roleRecipients idm.sec.acc.provisioning.break.delete.roleRecipients
 +
  
 </code> </code>
Line 1187: Line 1324:
 # disable / enable report # disable / enable report
 idm.sec.<module>.report-executor.<name>.enabled=true idm.sec.<module>.report-executor.<name>.enabled=true
 +
  
 </code> </code>
Line 1202: Line 1340:
 # disable / enable renderer # disable / enable renderer
 idm.sec.<module>.report-renderer.<name>.enabled=true idm.sec.<module>.report-renderer.<name>.enabled=true
 +
  
 </code> </code>
Line 1219: Line 1358:
 logging.pattern.console=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n logging.pattern.console=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n
 logging.pattern.file=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n logging.pattern.file=%d{yyyy-MM-dd HH:mm:ss.SSS} %5level %relative --- [%thread] %logger{60}.%M : %msg%n
 +
  
 </code> </code>
Line 1228: Line 1368:
 <code properties> <code properties>
 idm.sec.core.logger.<packageName>=<level> idm.sec.core.logger.<packageName>=<level>
 +
  
 </code> </code>
Line 1237: Line 1378:
 <code properties> <code properties>
 idm.sec.core.logger.eu.bcvsolutions=DEBUG idm.sec.core.logger.eu.bcvsolutions=DEBUG
 +
  
 </code> </code>
Line 1249: Line 1391:
 # disable / enable monitoring evaluator # disable / enable monitoring evaluator
 idm.sec.<module>.monitoring-evaluator.<name>.enabled=true idm.sec.<module>.monitoring-evaluator.<name>.enabled=true
 +
  
 </code> </code>
Line 1257: Line 1400:
  
   * ''enabled''  - true / false   * ''enabled''  - true / false
 +==== Subordinates ====
 +
 +=== Left subordinates visibility (from 13.0.19) ===
 +
 +By default, manager doesn't see subordinates that left (their contract end date is in past). To allow manager to see left subordinates, set this configuration item:
 +
 +<code properties>
 +idm.sec.filter.IdmIdentity.managerLeftSubordinateAccess.enabled=true
 +
 +
 +</code>
 +
 +==== Contract column in tables ====
 +
 +=== Left subordinates visibility (from 13.0.19) ===
 +
 +By default, manager doesn't see subordinates that left (their contract end date is in past). To allow manager to see left subordinates, set this configuration item:
 +
 +<code properties>
 +idm.sec.filter.IdmIdentity.managerLeftSubordinateAccess.enabled=true
 +
 +
 +</code>
 +
 +==== Account attributes in technical account entity report (from idm-tech version 2.1.0) ====
 +
 +<code properties>
 +# list of attributes from account connector object added to technical account entity report
 +idm.sec.tech.account.report.connector.object.attributes=
 +</code>
 +
 +The property ''idm.sec.tech.account.report.connector.object.attributes'' defines attributes of the account on the system that will be added to the technical account entity report. If you want to define multiple attributes, separate them with a comma.
 +
 +<note important>
 +If properties of the account on the system are defined and the system is unavailable during report generation, the attempt to retrieve attributes for each account will wait for the internal IdM timeout.
 +</note>
 +
 +
 +==== Role requests ====
 +
 +=== Configurable extensive role requests with NORMAL priority (from 14.11.0, 15.3.0) ===
 +
 +<code properties>
 +# Minimal total count of roles in role request (business subrole tree included) to be run with NORMAL priority
 +# -1 means "don't use this feature"
 +idm.sec.core.roleRequest.normalPriority.roleCountThreshold=-1
 +
 +</code>
 +
 +By default, role requests initiated from the frontend (whether individually via "Submit a request" or through bulk actions) are executed with HIGH priority. This configuration item, if it has a value other than the default -1 (in which case nothing happens), specifies that if a role request contains at least this number of roles (summed across all concepts and complete business role trees), the role request will be launched with NORMAL priority.
 +
 +This is useful in cases where extensive role requests are blocking regular operations.
  
  
  • by kopro