-
-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathsts.conf
272 lines (255 loc) · 10.9 KB
/
sts.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
# Set mode/protocol, endpoint URL and options for calling the STS
#
#STSExchange <type> <endpoint|jwk> <options> [<expression>]
#
# <type>=[ wstrust | ropc | otx | disabled ]
# wstrust : WS-Trust
# ropc : OAuth 2.0 Resource Owner Password Credentials grant
# cc : OAuth 2.0 Client Credentials grant
# otx : OAuth 2.0 Token Exchange
# jwt : JWT token generation, optionally with JQ processing
# disabled : don't perform any attempt to exchange a token
#
# <endpoint> = <string>
# STS endpoint URL where the request will be sent.
#
# <options>=<form-encoded-string>
#
# Generic Options:
#
# auth=<string>
# Authentication used towards the STS endpoint.
# See below at Authentication Options.
#
# ssl_verify=[true|false]
# Enable or disable SSL server certificate validation for calls to the STS.
# When not defined the default is "On".
#
# http_timeout=<seconds>
# Timeout for calls to the STS endpoint.
# When not defined the default is 20.
#
# cache.expiry=<seconds>
# Set the cache expiry for access tokens exchange results in seconds.
# When not defined, the default is 300
#
# cache.name=<string>
# Name of the cache to use for caching the resulting token (previously defined with STSCache).
# When not defined, the default internal shared memory cache will be used.
#
# on_error=[return|pass]
# Specify the behavior when the source token is missing or the exchange fails.
# "return" will return a 401 error to the caller, "pass" will propagate the request without a swapped token
# When not defined, the default is return
#
# Authentication Options
# (auth=<string>)
#
# Configures the method that the module uses to authenticate to the STS endpoint.
#
# none no authentication towards the endpoint is used
# client_secret_basic client_id, client_secret OIDC client secret basic authentication, URL-encoded values in HTTP Basic Authentication
# client_secret_post client_id, client_secret OIDC client secret post based authentication, values in HTTP POST parameters
# client_secret_jwt client_id, client_secret, aud OIDC client secret JWT, providing a symmetric key in the client_secret value
# private_key_jwt client_id, jwk, aud OIDC private key JWT, providing a JWK in escaped JSON string representation
# client_cert cert, key TLS Client Certificate authentication, providing paths to PEM-formatted files
# basic username,password HTTP basic authentication
#
# When not defined the default is "none".
#
#auth=[ client_secret_basic &client_id=<client_id>&client_secret=<client_secret> |
# client_secret_post &client_id=<client_id>&client_secret=<client_secret> |
# client_secret_jwt &client_id=<client_id>&client_secret=<client_secret>&aud=<aud> |
# private_key_jwt &client_id=<client_id>&jwk=<json>&aud=<aud> |
# client_cert &cert=<cert_file>&key=<key_file> |
# basic &username=<username>&password=<password> ]
#
# WS-Trust Token Exchange protocol settings
# (<type>=wstrust)
#
# <endpoint>
# Set the WS-Trust STS endpoint.
#
# WS-Trust Options:
#
# applies_to=<string>
# Set the WS-Trust AppliesTo value.
#
# token_type=<string>
# Set the WS-Trust Token Type value.
# When not defined the default is:
# http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
#
# value_type=<string>
# Set the WS-Trust Value Type value for BinarySecurity source tokens.
# Sample value for presenting OAuth 2.0 access tokens to a PingFederate server:
# urn:pingidentity.com:oauth2:grant_type:validate_bearer
# When not defined the default is to not present the source token as a BinarySecurity token but
# to include it as a "verbatim" token e.g. a SAML 2.0 SAML 1.1 or even Username token
#
# OAuth 2.0 Resource Owner Password Credentials Token Exchange protocol settings
# (<type>=ropc)
#
# <endpoint>
# Set the OAuth 2.0 Token endpoint.
#
# OAuth 2.0 Resource Owner Password Credentials Options:
#
# client_id=<string>
# Set the client identifier value to be used in the client_id parameter towards the token endpoint
# when no authentication has been configured.
#
# username=<string>
# Username to put into the ROPC username field.
# When not defined the default is to take the client_id.
# When the special value "*" is used, the username will be pulled from the environment e.g.
# as previously set by a different webserver authentication module.
#
# params=<form-encoded-request-parameters>
# Set extra parameters added to the token exchange request. Sample value(s) are:
# access_token_manager_id jwt
# aud myresource
# When not defined the default is not to add any additional parameters.
#
# OAuth 2.0 Client Credentials token retrieval protocol settings
# (<type>=cc)
#
# <endpoint>
# Set the OAuth 2.0 Token endpoint.
#
# OAuth 2.0 Client Credentials Options:
#
# client_id=<string>
# Set the client identifier value to be used in the client_id parameter towards the token endpoint
# when no authentication has been configured.
#
# params=<form-encoded-request-parameters>
# Set extra parameters added to the token request. Sample value(s) are:
# scope=resource-set-basic
# When not defined the default is not to add any additional parameters.
#
# OAuth 2.0 Token Exchange protocol settings
# (<type>=otx)
#
# <endpoint>
# Set the OAuth 2.0 Token Exchange Endpoint.
#
# OAuth 2.0 Token Exchange Options:
#
# client_id=<string>
# Set the Client ID for the OAuth 2.0 Token Exchange request, used in the client authentication.
# When not defined, the default is to not use any client_id for client authentication.
#
# params=<form-encoded-request-parameters>
# Set extra parameters added to the token exchange request. Sample value(s) are:
# audience myresource
# scope "read write"
# requested_token_type urn:ietf:params:oauth:token-type:saml2
# subject_token_type bogustoken
# parameterwithemptyvalue
# When not defined the default for OAuth 2.0 Token Exchange is:
# subject_token_type urn:ietf:params:oauth:token-type:access_token
# i.e. set the source token to an OAuth 2.0 access token
#
# JWT token generation, optionally with JQ processing
# (<type>=jwt)
#
# <jwk>
# Set the JWK that is used to sign the JWT, must be a private key.
#
# JWT Options:
#
# alg=<sting>
# iss=<string>
# sub=<string>
# client_id=<string>
# aud=<string>
# jq.cache.name=<string>
#
# <expression>
# JQ filter to be applied to the input JSON object before signing the JWT
#
# Source Token Settings
#
# Configure how the source token may be passed in; must be one of:
#
# environment [name=<name>] : from an Apache environment variable called <name>
# <name> defaults to "access_token"
# header [name=<name>&type=<type>] : from an HTTP header called <name>
# <name> defaults to the "Authorization" header
# <type> is a type prefix string which defaults to "Bearer"
# query [name=<name>] : from an HTTP query parameter called <name>
# <name> defaults to "access_token"
# post [name=<name>] : from an HTTP POST parameter called <name>
# <name> defaults to "access_token"
# cookie [name=<name>] : from an HTTP cookie called <name>
# <name> defaults to "access_token"
#
# Multiple primitives can be specified in order of processing i.e the token will be obtained by the first method that
# returns a token. When not defined, the default is: "environment" "header"
#
#STSAcceptSourceTokenIn [ environment [name=<name>] | header [name=<name>&type=<type>] | query [name=<name>] | post [name=<name>] |cookie [name=<name>] ]
#
# Target Token Settings
#
# Configure how the target token may passed on; must be one of:
#
# environment [<name>]" : in an Apache environment variable called <name>
# <name> defaults to "MOD_STS_TARGET_TOKEN"
# header [name=<name>&type=<type>]" : in an HTTP header called <name>
# <name> defaults to the "Authorization" header
# <type> is a type prefix string which defaults to "Bearer"
# query [<name>]" : in an HTTP query parameter called <name>
# <name> defaults to "access_token"
# post [<name>]" : in an HTTP POST parameter called <name>
# <name> defaults to "access_token"
# cookie [<name>]" : in an HTTP cookie called <name>
# <name> defaults to "sts_token"
#
# Multiple primitives can be specified to pass a token in multiple ways.
# When not defined, the default is: "environment" "cookie"
#
#STSPassTargetTokenIn [ environment [name=<name>] | header [name=<name>&type=<type>] | query [name=<name>] | post [name=<name>] | cookie [name=<name>] ]
# Cache settings.
#
# Set the cache type and options.
#
# When not defined the default is "shm".
#
# <type> <options> (default) <description>
#
# generic:
#
# name <string> (default) name of the cache
# key_hash_algo <string> (sha256) hash algorithm for the cache key (or "none")
# encrypt true|false (true) encrypt the cache value (default is "false" for the shm cache backend)
# passphrase <string> (auto-generated) password used as the symmetric encryption key for cache values
# passphrase_hash_algo <string> (sha256) hash algorithm to apply to the passphrase before using it as an encryption key
#
# shm:
#
# max_key_size <number> (65) maximum size of the cache key in bytes (see also: key_hash_algo)
# max_val_size <number> (8193) maximum size of a single cache value
# max_entries <number> (1000) maximum number of entries in the cache (FIFO policy, overruns will result in a warning in the log)
#
# file:
#
# dir <path> (/tmp or C:\\Temp) cache file directory
# clean_interval <seconds> (60) minimum interval to loop over the cache directories looking to delete expired entries
#
# memcache:
#
# config_string <string> (--SERVER=localhost) memcached specific server configuration string, see: https://www.systutorials.com/docs/linux/man/3-memcached/
#
# redis:
#
# host <string> (localhost) Redis server hostname
# port <number> (6379) Redis servver port
# password <string> (<no authentication>) password used to authenticate to the Redis server
#
#
#STSCache <type> <options>
#
# Encryption key (required for encrypted cache contents to survive restarts)
#
#STSCryptoPassphrase <secret>