Advanced configuration properties
Modify the advanced configurations for Advanced Access Control or Federation to meet the requirements of your organization.
Category filter
The category filter displays the names of groupings of configuration settings. The groupings correspond to functional areas. When you select a category, the user interface displays only the settings for that category.
WebSEAL Authenticate Callback
poc.websealAuth.authLevel
- The authentication level of the callback.
One-time password Authenticate Callback
poc.otp.authLevel
- The authentication level of the callback.
poc.otp.backwardCompatibilityEnabled
- Indicates whether the one-time password authentication mechanism should run in backward compatibility mode. The default value is false if it is a new installation. The default value is true if the installation is an upgrade.
Authentication-Policy Callback
poc.authPolicy.allowRequestOverride
- Whether the authentication level, the authentication mode, and the authentication type of the callback can be overwritten by query string parameters.
poc.authPolicy.authLevel
- The authentication level of the callback.
poc.authPolicy.authType
- The authentication type of the callback.
SPS HTTP request claims
sps.httpRequestClaims.enabled
- Whether HTTP request information is sent to STS as HTTPRequestClaims.
sps.httpRequestClaims.filterSpec
- The filter that specifies the HTTP request information that is sent to STS as HTTPRequestClaims.
Distributed shared data storage
distributedMap.cleanupWait
- The amount of time, in milliseconds, to wait before it performs another cleanup against the distributed map. Distributed map clean up can be disabled by setting the cleanupWait to 0.
distributedMap.defaultTTL
- The amount of time, in seconds, that the entries in the distributed map must live when no lifetime is specified for an entry.
distributedMap.getRetryDelay
- The amount of time, in milliseconds, to wait before it performs another retrieval against the distributed map. The default is 0.
distributedMap.getRetryLimit
- The number of retrievals that is done against the distributed map before it returns that the retrieved data is not in the distributed map. The default is 0.
Attribute matcher properties
userBehavior.minimumUsageHistoryRequired
- Minimum usage data records required for any usage data analysis; used by LoginTimeMatcher.
userBehavior.ipAddressRequestAttribute
- The XACML request attribute from which the IP address is read.
IP reputation PIP properties
ip.reputation.ipAddressAdverseReputationThreshold
- The value that an IP classification score must be at or above for an IP address to be considered as that classification.
ipReputation.dbConnectionTimeout
- Indicates the number of seconds that the IP reputation policy information point (PIP) waits for a connection to the IP reputation database. The ipReputation.dbConnectionTimeout property defaults to 120.
Attribute collector properties
attributeCollection.cookieName
- Correlation ID used by the attribute collector.
attributeCollection.requestServer
- Request server for the attribute collector. A list of the allowable hosts from which the ajaxRequest can be sent.
attributeCollection.serviceLocation
- Location of the attribute collector.
attributeCollection.sessionTimeout
- Number of seconds in which sessions stored in context-based access will automatically expire, unless updated. If any attribute in the session is updated, the session expiry is extended by the specified number of seconds configured in this property. The default is 1800 seconds.
attributeCollection.enableGetAttributes
- Enables the REST GET method to return attributes.
attributeCollection.getAttributesAllowedClients
- A comma-separated list of clients that are allowed to access the ACS REST GET method. If this property is not set and attributeCollection.enableGetAttributes is set to true, anyone can access the GET method. If this property is set but attributeCollection.enableGetAttributes is set to false, this property is ignored.
attributeCollection.hashAlgorithm
- The algorithm that is used to create the hash.
attributeCollection.attributesHashEnabled
- A comma-separated list of attribute URI values configured for hashing.
Attention: Do not hash the following attributes: ipAddress, geoLocation, accessTime.
attributeCollection.authenticationContextAttributes
- A comma-separated list of attribute names to be collected during an authentication service obligation. The maximum number of characters for this property is 200.
Device registration properties
deviceRegistration.allowIncompleteFingerprints
- Specifies whether the device registration obligation is allowed to store fingerprints when not all of the fingerprint attributes are available in the session information.
deviceRegistration.checkForExpiredDevices
- Determines whether to check if registered devices are inactive or expired. If the deviceRegistration.checkForExpiredDevices property is set to true, the risk engine checks whether a device is inactive or expired. The deviceRegistration.checkForExpiredDevices property defaults to false, which means that users can use any of the devices that are registered.
deviceRegistration.cleanupThread.batchSize
- Specifies if batch delete is enabled for expired devices and how many records are deleted per batch.
deviceRegistration.deviceMatchThreshold
- The risk score threshold where an existing fingerprint is considered to match the incoming device fingerprint.
deviceRegistration.inactiveExpirationTime
- Specifies the number of days that a device must be inactive for it to expire. The deviceRegistration.inactiveExpirationTime property defaults to 90.
deviceRegistration.maxRegisteredDevices
- Maximum device fingerprint count. The default is 10. Valid values are 1 to 100.
deviceRegistration.maxUsageDataPerUser
- Maximum number of historical usage attribute records stored per user. The default is 200. Valid values are 1 to 5000.
deviceRegistration.permitOnIncompleteFingerprints
- Specifies to permit access to the resource if the fingerprint collected by the device registration obligation does not include all fingerprint attributes.
Runtime properties
runtime.dbLoggingEnabled
- Enables fine-grained logging for database SQL statements.
runtime.hashAlgorithm
- The algorithm that is used for hashing. The supported algorithms are:
- SHA-1
- SHA-256
- SHA-384
- SHA-512
The runtime.hashAlgorithm property defaults to SHA-256.
runtime.verificationHashAlgorithms
- Defines the hashing algorithms that are used to verify a hashed value. The value is typically a comma-separated list of hashing algorithms.
Single sign-on protocol service
sps.setCookiesAsSecure
- Determines whether to flag the cookies set by Security Access Manager as secure. The default value is false.
sps.targetURLWhitelist
- Specifies a list of allowed target URLs for SAML 2.0, OpenID Connect, and the authentication service. Use this property to prevent an attacker from redirecting a user to malicious target URLs.
The value of this advanced configuration property is a comma-separated string, where each string is a target URL in the form of a regular expression. The regular expression must not contain commas, and spaces between regular expressions are ignored.
- For SAML 2.0 SSO flows, you can specify a Target URL when you configure the initial URL in flows that are initiated by either the Identity Provider or the Service Provider. For more information, see SAML 2.0 profile initial URLs.
- For OpenID Connect flows, you can specify a Target URL when you configure the initial URL for Relying Party initiated single sign-on. For more information, see Relying Party SSO initiation endpoint.
- For the authentication service, you can specify a Target URL when you configure the authentication service trigger URL. For more information, see Configuring authentication.
The default value is ".*".
Data type: String
Example: (http|https)://www.app.ibm.com/.*, (http|https)://www.myidp.ibm.com/.*
sps.illegalUrlSubstrings
- A comma-separated list of strings. The single sign-on service stops processing the request if the request URL query parameters contain any of the strings.
The default value is "".
Data type: String
Example: "<script"
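The two checks above (a regex whitelist for the Target URL, and an illegal-substring filter on the query parameters) as an added Python example; this is not the appliance's own code. It assumes whitelist regexes are matched against the whole Target URL and that query parameters are percent-decoded before the substring check; both property values are constructed from the page's examples.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed property values modelled on the examples given on this page.
TARGET_URL_WHITELIST = "(http|https)://www.app.ibm.com/.*, (http|https)://www.myidp.ibm.com/.*"
ILLEGAL_URL_SUBSTRINGS = "<script,javascript:"


def parse_list(value):
    """Split a comma-separated property value; whitespace around entries is ignored."""
    return [item.strip() for item in value.split(",") if item.strip()]


def compile_whitelist(value):
    """Each sps.targetURLWhitelist entry is a regular expression (commas are not allowed)."""
    return [re.compile(pattern) for pattern in parse_list(value)]


def target_url_allowed(target, patterns):
    """Accept the Target URL only if one whitelist regex matches the whole URL.

    Assumption: full-string matching. A search-style match would also accept an
    attacker-chosen URL that merely contains an allowed URL somewhere inside it.
    """
    return any(pattern.fullmatch(target) for pattern in patterns)


def request_has_illegal_substring(request_url, substrings):
    """sps.illegalUrlSubstrings: true if any query parameter name or value contains a
    listed string. Parameters are percent-decoded first (assumption), so an encoded
    '<' is still caught."""
    params = parse_qsl(urlsplit(request_url).query, keep_blank_values=True)
    fields = [field for pair in params for field in pair]
    return any(bad in field for bad in substrings for field in fields)


def evaluate_sso_request(request_url, target,
                         whitelist=TARGET_URL_WHITELIST, illegal=ILLEGAL_URL_SUBSTRINGS):
    """Assumed order of checks: stop on an illegal substring first, then require the
    Target URL to pass the whitelist. Returns 'blocked', 'rejected' or 'allowed'."""
    if request_has_illegal_substring(request_url, parse_list(illegal)):
        return "blocked"
    if not target_url_allowed(target, compile_whitelist(whitelist)):
        return "rejected"
    return "allowed"
```

The default value ".*" passes every Target URL, which is why the page recommends replacing it with patterns for your own hosts.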
sps.doNotSendXFrameOptionsHeader
- Specifies whether an X-Frame-Options header with value SAMEORIGIN must be returned from the SPS endpoints for browser-based flows. When this property is set to true, no X-Frame-Options header is sent.
Note: The sps.doNotSendXFrameOptionsHeader property defaults to false.
Data type: Boolean
Example: False
SPS page
sps.page.htmlEscapedMacros
- A comma-separated list of macros that is HTML-escaped when it is rendered in pages that are sent to the browser.
sps.page.exceptionMacros
- A comma-separated list of classname:macro pairs. Classname is the fully qualified name of the exception class. Macro is the name of the macro to which the class maps.
sps.page.notEscapedMacros
- A comma-separated list of macros that are not HTML-escaped when they are rendered in pages that are sent to the browser. Macros that do not appear in this list or in the htmlEscapedMacros list are HTML-escaped.
Data type: String
Example: @COOKIE_NAME@, @SERVER_NAME@, @JUNCTION@
sps.page.hiddenMacros
- A comma-separated list of macros that are not rendered in the pages that are sent to the browser. The default value is @EXCEPTION_STACK@.
Data type: String
Example: @EXCEPTION_STACK@
Risk engine properties
riskEngine.reportsEnabled
- Enables the generation of risk calculation reports.
riskEngine.reportsMaxStored
- Specifies the maximum number of reports to store.
Authentication service properties
sps.authService.reauthenticationEnabled
- Specifies that the authentication service performs authentication even if the user already has an authenticated session at the required authentication level.
sps.authService.policyKickoffMethod
- Specifies whether the URLs /sps/authsvc and /sps/apiauthsvc can be invoked with the policyId query string parameter.
If set to query, the authentication service endpoints continue to accept policyId as a query or post parameter.
If set to path, the authentication service endpoints are changed to:
/sps/apiauthsvc/policy/<shortPolicyId>
/sps/authsvc/policy/<shortPolicyId>
Where <shortPolicyId> is the value that comes after the prefix urn:ibm:security:authentication:asf:
By default, the value is set to both.
When set to both, either the path or query parameter can be used to initiate an authentication service flow.
sps.authService.stateIdSource.authsvc
- Specifies whether the URL /sps/authsvc can be invoked with the StateId query string parameter.
If set to Body and Query, the authentication service endpoint continues to accept StateId as a query or body parameter.
If set to Body Only, the authentication service endpoint only accepts the StateId as a body parameter (POST or PUT).
Data type: String
Default: Body and Query
Example: Body only
sps.authService.stateIdSource.apiauthsvc
- Specifies whether the URL /sps/apiauthsvc can be invoked with the StateId query string parameter.
If set to Body and Query, the API authentication service endpoint continues to accept StateId as a query or body parameter.
If set to Body Only, the API authentication service endpoint only accepts the StateId as a body parameter (POST or PUT).
Data type: String
Default: Body and Query
Example: Body Only
Authentication service session store properties
authsvc.stateMgmt.cookieless
- Enables the server-side storage of session data for the authentication service. If enabled, this removes the need for the JSESSIONID cookie.
Data type: Boolean
Example: true
Default value: true
authsvc.stateMgmt.store
- Specifies the storage type that is used by the authentication service to cache user session data. The authentication service can be supported by the DSC, the HVDB, or stored in Memory.
Note: For clustered environments, storage in Memory does not replicate between nodes.
Data type: String
Example: Memory
Default value: HVDB
authsvc.stateMgmt.HVDB.lifetime
- Length of time in seconds that a session is cached for. Once this time period is exceeded, the user's session is removed from the session store. If this value is less than 0, the default lifetime of 3600 seconds (1 hour) is enforced. This configuration option applies only to session stores supported by the HVDB or Memory.
Data type: Integer
Example: 60 (1 minute)
Default value: 3600
authsvc.stateMgmt.HVDB.maxSessions
- Maximum number of user sessions to be cached at any point in time. If the number of sessions in the store exceeds this value, the oldest session is invalidated. This configuration option only applies to session stores that are supported by the HVDB or Memory.
Data type: Integer
Example: 10000
Default value: 1000
authsvc.stateMgmt.HVDB.cleanupWait
- Frequency (in seconds) at which expired or excess sessions are removed from the session store. Setting this entry to -1 disables the cleanup thread. This configuration option only applies to session stores backed by the HVDB or Memory.
Data type: Integer
Example: 30
Default value: 120
authsvc.stateMgmt.HVDB.cleanupThread.batchSize
- Maximum number of expired sessions that are removed in a single cleanup operation. If the value is defined as 0 or is blank, batch delete is not enabled, and all expired sessions are deleted by using one SQL delete statement. If the value is defined as an integer greater than 0, batch delete is enabled, and the number that you specify determines how many sessions are deleted in each batch. The batch delete continues until all of the expired sessions are deleted. This configuration option only applies to sessions that are stored in the HVDB or Memory.
Data type: Integer
Example: 1000
Default value: 0
authsvc.stateMgmt.HVDB.cleanupOnlyOnPrimaryMaster
- Prevents the cleanup thread from running on non-primary master nodes in a clustered environment. This configuration option only applies to sessions that are stored in the HVDB or Memory.
Data type: Boolean
Example: true
Default value: true
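The lifetime, maxSessions and cleanupThread.batchSize semantics described for the authsvc.stateMgmt.HVDB.* properties, as an added in-memory model written for this page (not the appliance's HVDB implementation). The class, its method names and the use of a dict as the store are assumptions; the rules it enforces are the ones stated above.

```python
from collections import OrderedDict

# Constructed settings named after the authsvc.stateMgmt.HVDB.* properties on this page.
LIFETIME = 3600             # authsvc.stateMgmt.HVDB.lifetime (seconds; a value < 0 means 3600)
MAX_SESSIONS = 1000         # authsvc.stateMgmt.HVDB.maxSessions
CLEANUP_BATCH_SIZE = 0      # authsvc.stateMgmt.HVDB.cleanupThread.batchSize (0 = one delete)


class AuthsvcSessionStore:
    """Model of the authentication service session store rules (hypothetical class)."""

    def __init__(self, lifetime=LIFETIME, max_sessions=MAX_SESSIONS, batch_size=CLEANUP_BATCH_SIZE):
        # lifetime: "if this value is less than 0, the default lifetime of 3600 seconds is enforced"
        self.lifetime = 3600 if lifetime < 0 else lifetime
        self.max_sessions = max_sessions
        self.batch_size = batch_size or 0          # blank/None behaves like 0
        self._sessions = OrderedDict()             # StateId -> (created_at, data), oldest first
        self.delete_statements = 0                 # delete operations issued by cleanup()

    def put(self, state_id, data, now):
        self._sessions[state_id] = (now, data)
        # maxSessions: when the store exceeds this value, the oldest session is invalidated.
        while len(self._sessions) > self.max_sessions:
            self._sessions.popitem(last=False)

    def get(self, state_id, now):
        """Return session data, or None when the StateId is unknown or past its lifetime."""
        entry = self._sessions.get(state_id)
        if entry is None or now - entry[0] > self.lifetime:
            return None
        return entry[1]

    def cleanup(self, now):
        """What one run of the cleanup thread (cleanupWait) does: remove expired sessions,
        with one delete when batchSize is 0, otherwise batchSize sessions per delete."""
        expired = [sid for sid, (created, _) in self._sessions.items()
                   if now - created > self.lifetime]
        if not expired:
            return 0
        step = self.batch_size if self.batch_size > 0 else len(expired)
        for start in range(0, len(expired), step):
            for sid in expired[start:start + step]:
                del self._sessions[sid]
            self.delete_statements += 1
        return len(expired)

    def __len__(self):
        return len(self._sessions)
```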
Session
distributedSessionCache.enabled
- A switch that dictates if the distributed session cache is used for session failover. If this setting is not enabled, the distributed session cache server still runs as a service, but the client does not use it.
distributedSessionCache.localCacheSize
- The number of sessions to be stored on the client as a local cache. A value of 0 or less means that any number of sessions can be cached by the client. A low number requires more connections to the distributed session cache if there are many active sessions. A high number runs the risk of running out of memory if many sessions are locally cached. All sessions are still stored on the distributed session cache when it is enabled.
session.dbCleanupInterval
- Specifies the interval, in seconds, at which the database cleanup thread runs to remove expired data in the runtime database. The default is 86400. The minimum value for this property is 3600. For more information, see Runtime database tuning parameters. Session database clean up can be disabled by setting the dbCleanupInterval to 0. This is not overridden by the minimum value.
Distributed session cache
distributedSessionCache.externalServers
- A list of locations of the distributed session cache servers in weighted order.
Syntax: <primary_address>:<port>[:<ssl>];<secondary_address>:<port>[:<ssl>],...
<address>
- The IP address of the distributed session cache server. For example, 10.150.21.80.
<port>
- The port for the distributed session cache. For example, 2126.
<ssl>
- Whether SSL communication with the distributed session cache is required. The default value is false.
Data type: String
Example: 10.150.21.80:2126:true;10.150.21.81:2126:false,10.150.21.82:2126
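A parser for the externalServers syntax above, as an added example written for this page rather than code from the appliance. It treats ',' as the separator between weighted groups and ';' as the separator between the primary and secondary servers of a group, applies the documented default of false for <ssl>, and reports entries that would communicate without SSL; the CacheServer type and function names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CacheServer:
    address: str
    port: int
    ssl: bool


def _parse_server(spec):
    """'<address>:<port>[:<ssl>]'; <ssl> defaults to false as stated on this page."""
    fields = spec.strip().split(":")
    if len(fields) not in (2, 3):
        raise ValueError(f"bad server entry {spec!r}: expected <address>:<port>[:<ssl>]")
    address, port = fields[0].strip(), int(fields[1])
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port in {spec!r}")
    ssl_text = fields[2].strip().lower() if len(fields) == 3 else "false"
    if ssl_text not in ("true", "false"):
        raise ValueError(f"<ssl> in {spec!r} must be true or false")
    return CacheServer(address, port, ssl_text == "true")


def parse_external_servers(value):
    """Return the weighted groups in order; each group lists primary, secondary, ... servers."""
    groups = []
    for group in value.split(","):
        if group.strip():
            groups.append([_parse_server(s) for s in group.split(";") if s.strip()])
    return groups


def servers_without_ssl(value):
    """Entries that would talk to the session cache in clear text: review these before
    enabling the distributed session cache across untrusted network segments."""
    return [srv for group in parse_external_servers(value) for srv in group if not srv.ssl]
```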
distributedSessionCache.localCacheEnabled
- A switch that dictates whether a local cache of distributed sessions is maintained. If this setting is disabled, a higher load is placed on the distributed session cache server. The local cache should only be enabled if all requests from the same client are guaranteed to be sent to the same runtime server (otherwise known as stickiness). Session inconsistencies might occur if the local cache is enabled and stickiness is not maintained. All sessions are still stored in the distributed session cache when it is enabled.
Data type: Boolean
Example: False
TOTP and HOTP retry properties
otp.retry.enabled
- Whether the retry protection is enabled.
otp.retry.maxNumberOfAttempts
- The maximum number of strikes the users can have before they are prevented from logging in.
otp.retry.otpRetryTimeout
- The number of seconds that a strike lasts.
OAuth20
oauth20.cleanupThread.batchSize
- Specifies if batch delete is enabled for expired OAuth 2.0 tokens and how many records are deleted per batch.
oauth20.clientDataToInclude
- Specifies the OAuth client information to be returned as JSON data. This property is a comma-separated list of the JSON keys. Valid values are: contact_type, email_address, contact_person, company_name, company_url, phone_number, other_info. You can specify one or more of these keys for this property.
Note: The oauth20.clientDataToInclude property defaults to contact_type, email_address, contact_person, company_name, company_url, phone_number, other_info.
oauth20.doNotSendXFrameOptionsHeader
- Specifies whether an X-Frame-Options header with value SAMEORIGIN must be returned from the OAuth 2.0 endpoints. When set to true, no X-Frame-Options header is sent.
Note: The oauth20.doNotSendXFrameOptionsHeader property defaults to false.
oauth20.hashedTokenStorageEnabled
- Enables hashed storage when set to true. The Security Access Manager appliance can persist OAuth 2.0 tokens in clear text form or in the more secure hashed form. The hashing algorithm set in the runtime.hashAlgorithm property will be used. When verifying hashed tokens, the runtime.verificationHashAlgorithms property will be used. The algorithms listed in the runtime.verificationHashAlgorithms property will be tried in the specified order. This mechanism allows for upgrading of the hashing algorithm while continuing to support old tokens.
Note: The oauth20.hashedTokenStorageEnabled property defaults to false, and the OAuth 2.0 tokens will be stored as-is.
oauth20.sessionEndpointEnabled
- Enables the ability to return an authenticated session at the point-of-contact when the oauth20.sessionEndpointEnabled property is set to true.
Note: The oauth20.sessionEndpointEnabled property defaults to false.
oauth20.tokenCache.cleanupWait
- The amount of time, in seconds, to wait before it performs another cleanup of expired tokens in the OAuth 2.0 token cache.
Note: The oauth20.tokenCache.cleanupWait property defaults to 120. OAuth token clean up can be disabled by setting the cleanupWait value to 0.
oauth20.legacyAttributeHandling
- Changes how associated attributes function across the API Protection and OpenID Connect solution. This includes:
- OauthMappingExtUtils.retrieveAllAssociations() and OauthMappingExtUtils.getAssociation() calls in mapping rules
  - When it is set to True, it does not return READONLY or SENSITIVE attributes.
  - When it is set to False, it returns READONLY or SENSITIVE attributes.
- The user self care endpoint /mga/sps/mga/user/mgmt/grant/
  - When it is set to True, attributes that are both READONLY and SENSITIVE are returned.
  - When it is set to False, attributes that are both READONLY and SENSITIVE are not returned.
- Attributes which are saved from attribute sources when performing identity enrichment
  - When it is set to True, attributes are saved against the grant as neither READONLY nor SENSITIVE.
  - When it is set to False, attributes are saved against the grant as READONLY. The post token rule can be used to update this value if necessary.
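The hashed token storage described under oauth20.hashedTokenStorageEnabled, together with the runtime.hashAlgorithm and runtime.verificationHashAlgorithms properties from the Runtime properties section, as an added Python example (not the appliance's code). The TokenStore class, its dict-backed storage and the constructed property values are assumptions; what it demonstrates is the documented behaviour: tokens are stored as-is or as a digest under runtime.hashAlgorithm, and presented tokens are verified by trying each listed verification algorithm in order, which is what keeps pre-upgrade tokens valid.

```python
import hashlib
import hmac
import secrets

# Constructed runtime settings named after the properties described on this page.
RUNTIME_HASH_ALGORITHM = "SHA-256"                 # runtime.hashAlgorithm
VERIFICATION_HASH_ALGORITHMS = "SHA-256,SHA-1"     # runtime.verificationHashAlgorithms
HASHED_TOKEN_STORAGE_ENABLED = True                # oauth20.hashedTokenStorageEnabled

# The four algorithms the page lists as supported, mapped to hashlib names.
_ALGORITHMS = {"SHA-1": "sha1", "SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}


def hash_token(token, algorithm):
    """Hex digest of a token under one of the supported algorithms."""
    return hashlib.new(_ALGORITHMS[algorithm], token.encode("utf-8")).hexdigest()


class TokenStore:
    """Hypothetical token store modelling the page's storage and verification rules."""

    def __init__(self, hashed=HASHED_TOKEN_STORAGE_ENABLED, algorithm=RUNTIME_HASH_ALGORITHM,
                 verification=VERIFICATION_HASH_ALGORITHMS):
        self.hashed = hashed
        self.algorithm = algorithm
        self.verification = [a.strip() for a in verification.split(",") if a.strip()]
        self._rows = {}  # stored value (token or its digest) -> grant record

    def issue(self, grant):
        """Create a token; persist it as-is, or as its digest when hashing is enabled."""
        token = secrets.token_urlsafe(32)
        key = hash_token(token, self.algorithm) if self.hashed else token
        self._rows[key] = grant
        return token

    def lookup(self, presented):
        """Find the grant for a presented token. With hashing on, each algorithm in
        runtime.verificationHashAlgorithms is tried in the configured order."""
        if not self.hashed:
            return self._rows.get(presented)
        for algorithm in self.verification:
            candidate = hash_token(presented, algorithm)
            for stored, grant in self._rows.items():
                if hmac.compare_digest(stored, candidate):
                    return grant
        return None

    def stored_values(self):
        """What an attacker who reads the database would see."""
        return list(self._rows)


def upgrade_demo():
    """Tokens issued while SHA-1 was runtime.hashAlgorithm still verify after moving
    to SHA-256, because SHA-1 stays in runtime.verificationHashAlgorithms."""
    store = TokenStore(hashed=True, algorithm="SHA-1", verification="SHA-256,SHA-1")
    old = store.issue({"client": "app1", "scope": "read"})
    store.algorithm = "SHA-256"      # runtime.hashAlgorithm raised after the upgrade
    new = store.issue({"client": "app2", "scope": "write"})
    return store, old, new
```

Dropping an algorithm from the verification list invalidates every token still stored under it, so prune the list only after those tokens have expired or been cleaned up.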
HTTP client
util.httpClient.defaultTrustStore
- Stores the default truststore that HTTPS connections in the HTTP client use.
Note: The util.httpClient.TrustStore property defaults to rt_profile_keys.
util.httpClient.defaultSSLProtocol
- Stores the default SSL protocol configuration that HTTPS connections in the HTTP client use.
Note: The util.httpClient.defaultSSLProtocol property defaults to TLS.
util.httpClient.maxActiveConnections
- Specifies the maximum number of HTTP and HTTPS connections, per host, between the appliance runtime and other modules. In a multiple host environment, the runtime might need to establish many HTTP/HTTPS connections at the same time. By specifying this property, you can limit the number of active connections for each host. This setting ensures that each host can obtain its fair share of HTTP/HTTPS connections without being forced to wait for other hosts to release connections.
- Data type: String
- Default: An unlimited number of HTTP/HTTPS connections are permitted
You can specify the maximum number of active connections in one of two ways:
- Specify a maximum number to apply to every host. Syntax: "*=<count>"
- Specify a maximum number on a per host basis. Syntax: "<host1>:<port1>=<count>,<host2>:<port2>=<count>,*=<count>"
<host>
- The host value can be either an IP address, a hostname, or a domain name as specified in the Endpoint URL. Specify the host value based on the URL format. For example:
- IP Address: 192.168.102.192
- Hostname or domain name: www.server1.com
<port>=<count>
- The communication port on the host. For example, to limit port 80 to only 100 connections, enter 80=100.
*=<count>
- The count limit for servers that are not specified by a <host> value in this property. When set to zero (*=0) there is no limit on the number of HTTP/HTTPS connections that can be created to other servers. When set to an integer greater than zero, the integer specifies the maximum number of HTTP/HTTPS connections that can be created to each of the other servers.
Note: Ensure that <count> is specified as a value of type integer. Do not use values of type string for <count>.
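A parser for the util.httpClient.maxActiveConnections syntax described above, as an added example for this page (not the appliance's implementation). It resolves the limit for one host:port with the "*=<count>" fallback, treats 0 as unlimited, and rejects a <count> that is not a plain integer, as the note requires; the function names and the constructed configuration string are assumptions.

```python
def parse_max_active_connections(value):
    """Parse '"<host>:<port>=<count>,...,*=<count>"' or '"*=<count>"'.

    Returns (per_endpoint, wildcard): per_endpoint maps (host, port) -> count and
    wildcard is the '*' count or None. An empty value means no limits at all,
    matching the documented default. Assumption: an endpoint count of 0 is treated
    like '*=0', that is, unlimited.
    """
    value = value.strip().strip('"')
    per_endpoint, wildcard = {}, None
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        lhs, sep, rhs = item.partition("=")
        rhs = rhs.strip()
        if not sep or not rhs.isdigit():          # rejects '5', "5", -1, 1.5, blanks
            raise ValueError(f"{item!r}: <count> must be a non-negative integer")
        count = int(rhs)
        if lhs.strip() == "*":
            wildcard = count
            continue
        host, sep2, port = lhs.strip().rpartition(":")
        if not sep2 or not port.isdigit():
            raise ValueError(f"{item!r}: expected <host>:<port>=<count>")
        per_endpoint[(host, int(port))] = count
    return per_endpoint, wildcard


def connection_limit(value, host, port):
    """Limit that applies to one endpoint; None means unlimited."""
    per_endpoint, wildcard = parse_max_active_connections(value)
    limit = per_endpoint.get((host, port), wildcard)
    return None if limit in (None, 0) else limit


def can_open_connection(value, host, port, active):
    """True if one more connection to host:port is allowed given 'active' open ones."""
    limit = connection_limit(value, host, port)
    return limit is None or active < limit
```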
Demo
live.demos.enabled
- Enables the mobile demonstration application.
live.demos.settings
- This setting can be used to pre-populate the settings of the mobile demo. This is a comma-separated set of key, value pairs that match what is submitted on the settings form.
Data type: String
Example: lmiHostAndPort=lmi.host.com, lmiAdminId=admin, lmiAdminPwd=admin, acHostAndPort=127.0.0.1, websealHostNameAndPort=webseal.host.com
Knowledge questions properties
knowledge.questions.AnswerValidationRegEx
- Specifies the regular expression used to validate the knowledge question answer value provided during a knowledge question management operation. The assigned value is the list of invalid characters to match against to determine if the supplied value is valid.
Note: At a minimum, this property must include the following characters: <>:"
knowledge.questions.QuestionValidationRegEx
- Specifies the regular expression used to validate the knowledge question text value provided during a knowledge question management operation. The assigned value is the list of invalid characters to match against to determine if the supplied value is valid.
Note: At a minimum, this property must include the following characters: <>:"
Key encryption and signing service (KESS)
kess.crlEnabled
- Checks the certificate revocation list. Checking is done by the key encryption and signature service (KESS) for all functions that use an external certificate, except for the audit syslog. If your configuration does not require CRL checking, you can disable it. For example, if you use an internal certificate authority (CA), you might want to disable CRL checking. The kess.crlEnabled property defaults to true.
- CRL site unavailability scenario
- If you have kess.crlEnabled set to true and a CRL site becomes unavailable, you cannot determine the revocation status of the certificate. In this situation, the single sign-on flow will fail. Confirm a CRL site unavailability issue by looking for the following message in the runtime trace.log file:
FBTKJK056E The CRL site could not be determined.
As a temporary workaround, set the CRL checking to false to keep the single sign-on flow running. As soon as the CRL site is working again, set kess.crlEnabled to true so that the single sign-on flow contains the CRL check.
CAUTION: If you do stop CRL checking as a temporary workaround, be aware that the certificate might have already been revoked by the CA. If this type of certificate is allowed to pass the validation, it creates security issues. Therefore, ensure that you enable CRL checking to avoid potential security issues such as this.
kess.crlInterval
- The amount of time, in seconds, between successive CRL checks. Using an interval of time between CRL checks reduces the performance impact of doing the checks every time a certificate needs to be validated.
A value less than or equal to zero means that the runtime performs a CRL check every time it wants to use a certificate. The default is 0 seconds.
If kess.crlEnabled is set to false, this value is ignored.
kess.hostnameValidationDisabled
- Determines whether to disable host name verification when establishing an SSL connection. Host name verification is performed when the host name of the server does not match the CN of the certificate of the server.
In a test environment, you might want to disable the validation. In a production environment, you might want to enable validation.
The default value is False.
kess.keySelectionCriteria
- Specifies which key or certificate to use for signing, validating, encrypting, or decrypting various messages. If there are multiple keys or certificates with the same Subject DN as the key or certificate with the specified alias, this setting determines which one to use. Use one of the following selection methods:
- only.alias
- Select the key or certificate with the specified alias. This is the default.
- longest.lifetime
- Select the key or certificate with the longest lifetime.
- shortest.lifetime
- Select the key or certificate with the shortest lifetime.
kessjksservice.exclude.inclusive.namespace.prefixes
- Specifies a comma-separated list of prefix names. When this is set, the prefixes in the list are not added to the InclusiveNamespaces list that is in the Signature element.
Data type: String
Example: ds
JSON Web Key
jwks.encryption.keystore
- Defines the name of the encryption keystore to be used by the jwks endpoint for the runtime. These certificates will have their public keys exposed, with the 'use' value 'enc'.
Default value: rt_profile_keys
jwks.signing.keystore
- Defines the name of the signing keystore to be used by the jwks endpoint for the runtime. These certificates will have their public keys exposed, with the 'use' value 'sig'.
Default value: rt_profile_keys
Policy information point (PIP)
pip.uncachedAttributes
- Defines a comma-separated list of attributes that are generated by a policy information point (PIP) that you do not want to be cached.
Security token service (STS)
sts.ivcred.unauthenticated.user.name
- Set to a special user account for unauthenticated user tokens when using the IVCRED STS module in validate mode. The default value is "".
Data type: String
Example: guest
sts.ivcred.unauthenticated.user.registry.id
- In addition to the user name set in sts.ivcred.unauthenticated.user.name, a user's registry id can also be added when using the IVCRED STS module in validate mode. The default value is "". This parameter is optional.
Data type: String
Example: cn=guest,o=ibm,c=us
sts.ivcred.unauthenticated.user.uuid
- In addition to the user name set in sts.ivcred.unauthenticated.user.name, a user's UUID can also be added when using the IVCRED STS module in validate mode. The default value is "". This parameter is optional.
Data type: String
Example: 81a2a65e-0018-0150-8080-3f83b0f74f4c
sts.ldapAttributeCache.TTL
- Specifies a time-to-live (TTL) value, in seconds, for the amount of time to keep an LDAP attribute in the cache. Specify 0 to disable.
The default value is 60.
Mobile Multi-Factor Authentication (MMFA)
mmfa.authenticator.cleanupWait
- The amount of time, in seconds, to wait before another cleanup of expired authenticators is performed. MMFA authenticator clean up can be disabled by setting cleanupWait to 0. The default value is 3600.
Data type: Integer
Example: 3600
mmfa.transactionArchival.maxCompletedPerUser
- The number of historical transactions in a completed state to keep in the HVDB before archival to the audit log. The oldest transactions will be removed first. A value of -1 will indicate that no archival should be performed.
mmfa.transactionArchival.maxPendingPerUser
- The number of transactions to keep in a pending state. Transactions over this number will have their status set to "fail". The oldest transactions will be aborted first. A value of -1 will indicate that no archival should be performed.
mmfa.transactionPending.minAgeBeforeAbort
- The minimum number of seconds a transaction is in the pending state before being aborted via a cleanup thread. Due to the cleanup thread interval, the total time a transaction can be in the pending state can be between minAgeBeforeAbort and (minAgeBeforeAbort + cleanupInterval) - 1.
mmfa.transactionPending.cleanupInterval
- The number of seconds between each run of the pending transactions cleanup thread.
mmfa.transaction.cleanupOnlyOnPrimaryMaster
- Indicates whether transaction cleanup should be run on all nodes in a cluster, or only on the primary master. This applies to pending transaction cleanup as well as transaction archival. The default value is false.
Data type: Boolean
Example: false
mmfa.devicePrompt.skipIfOneDevice
- Indicates whether to skip the device selection page in an MMFA flow if the user only has one device or authenticator registered. The default value is false.
Data type: Boolean
Example: true
WS-Federation
wsfed.idp.rstr.excluded.elements
- Specifies a comma-separated list of elements to exclude from the WS-Federation request security token response. Can optionally contain a federation realm and federation partner realm, to indicate the federation or federation partner that uses the property values. The default value is default=Forwardable,Delegatable,Status,Renewing.
The syntax for specifying federation and federation partner is:
default=<comma_separated_list_of_elements>:<federation_realm>=<comma_separated_list_of_elements>:<federation_realm>%<partner_realm>=<comma_separated_list_of_elements>
Data type: String
Example: default=Forwardable,Delegatable,Status,Renewing:fed1-REALM=Forwardable,Delegatable:fed1-REALM%partner1-REALM=Status
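A parser for the wsfed.idp.rstr.excluded.elements syntax above, as an added example written for this page (not the appliance's code). It assumes that the most specific section wins (federation%partner, then federation, then default) and that realm names contain no ':' since that is the section separator; the function names are assumptions.

```python
def parse_rstr_excluded_elements(value):
    """Return {scope: [element names]} where scope is 'default', '<federation_realm>'
    or '<federation_realm>%<partner_realm>'. Sections are separated by ':'."""
    rules = {}
    for section in value.split(":"):
        section = section.strip()
        if not section:
            continue
        scope, sep, elements = section.partition("=")
        if not sep:
            raise ValueError(f"section {section!r} has no '=' between scope and element list")
        rules[scope.strip()] = [e.strip() for e in elements.split(",") if e.strip()]
    return rules


def excluded_elements_for(value, federation_realm, partner_realm):
    """Elements excluded for one federation/partner pair: most specific scope wins
    (assumption); an empty list means nothing is excluded."""
    rules = parse_rstr_excluded_elements(value)
    for scope in (f"{federation_realm}%{partner_realm}", federation_realm, "default"):
        if scope in rules:
            return rules[scope]
    return []


def filter_rstr_elements(elements, value, federation_realm, partner_realm):
    """Drop the excluded children from a list of RSTR element names, keeping order."""
    excluded = set(excluded_elements_for(value, federation_realm, partner_realm))
    return [e for e in elements if e not in excluded]
```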
SAML 1.1
saml.use.legacy.clockskew.default
- IBM Security Access Manager can add a clock skew of 60 seconds when validating the SAML assertion timestamps. To enable the 60 second clock skew, add the custom property: saml.use.legacy.clockskew.default = true
Default value: False
Value type: Boolean
Example value: True
Note: This custom property is also applicable for SAML 2.0.
saml.allowDebugMessages
- When specified as true, and a SAML artifact resolution failure occurs, the SystemOut.log and SystemErr.log contain an informational message. In addition, the message contains extra debug information about the request that contained the failed artifact and provides a reason for the event.
Note: This message is only available in English.
Default value: False
Value type: Boolean
Example value: SAML.allowDebugMessage = True
saml.allowNoRecipient
- Use this custom property if a SAML 1.x service provider needs to accept a samlp:Response that does not contain a Recipient attribute.
Default value: False
saml.assertion.IncludeNSPrefixList.DS
- When this custom property is specified as true, ds is included in the Prefix List attribute of the InclusiveNameSpaces in the SAML assertion.
Default value: False
Value type: Boolean
Example value: True
Note: This custom property is also applicable for SAML 2.0.
saml.allowSpecificInvalidArtifactMessages
- When this custom property is specified as true, and a SAML artifact resolution failure occurs, the identity provider sends a SAML Response with a specific invalid message to tell the service provider that there is no assertion available. The specific invalid message is FBTSML276E. If not specified, by default it is false, and the invalid message sent back to the service provider is FBTSML013E.
Default value: False
Value type: Boolean
Example value: True
SAML 2.0
saml20.enableSubjectInAuthnRequest
- Set to true if the Subject element is required for the SAML 2.0 AuthnRequest. The Subject element is set to the userid of the existing authenticated session. The default value is false.
Data type: Boolean
Example: true
saml20.idp.acsurlpattern
- IBM Security Access Manager uses an exact string comparison between the AssertionConsumerService URL in the AuthnRequest message and the protocol endpoint specified in metadata. This custom property allows regular expression matching for the AssertionConsumerService URL and the protocol endpoint, so that a dynamic AssertionConsumerService URL that matches the regular expression can be provided in the AuthnRequest.
Data type: String
Format: <FederationId>%<PartnerId>%<Binding>=<RegularExpression>,<FederationId2>%<PartnerId2>=<RegularExpression2>
Note: The binding can be omitted if the configuration applies to all the bindings for that specific federation and partner.
Example: https://www.myidp.ibm.com/isam/sps/saml20idp/saml20%https://www.mysp.ibm.com/isam/sps/saml20sp/saml20%urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST=https://.*.ibm.com/isam/sps/.*
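The saml20.idp.acsurlpattern format above, as an added example for this page (not the appliance's matcher): it parses the comma-separated entries, selects the pattern for a federation, partner and binding (falling back to a binding-less entry), and otherwise keeps the default exact comparison against the metadata endpoint. It assumes full-string regex matching and that the regular expressions contain no commas. The tighter pattern in the test is a constructed alternative that shows why the page's example, with unescaped dots and an unanchored host part, accepts more AssertionConsumerService URLs than intended.

```python
import re


def parse_acs_url_patterns(value):
    """Return {(federation_id, partner_id, binding_or_None): compiled regex}."""
    rules = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        key, sep, pattern = entry.partition("=")
        if not sep:
            raise ValueError(f"entry {entry!r} has no '=' before the regular expression")
        parts = [p.strip() for p in key.split("%")]
        if len(parts) == 2:
            parts.append(None)          # binding omitted: applies to all bindings
        if len(parts) != 3:
            raise ValueError(f"entry {entry!r}: expected <FederationId>%<PartnerId>[%<Binding>]")
        rules[tuple(parts)] = re.compile(pattern.strip())
    return rules


def acs_url_accepted(rules, federation_id, partner_id, binding, acs_url, metadata_endpoint):
    """Decide whether the ACS URL in an AuthnRequest may be used.

    Without a configured pattern the page's default applies: exact string comparison
    with the endpoint from metadata. With one, the regex must match the whole URL.
    """
    pattern = rules.get((federation_id, partner_id, binding))
    if pattern is None:
        pattern = rules.get((federation_id, partner_id, None))
    if pattern is None:
        return acs_url == metadata_endpoint
    return pattern.fullmatch(acs_url) is not None
```

Escape literal dots and restrict the host portion to the intended domain, as in the test's second pattern; the assertion is delivered to whatever URL the pattern accepts.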
OIDC
oidc.rp.idToken.validationSkew
- The number of seconds of skew allowed on the 'nbf' and 'exp' claims of an idToken when it is being processed by an OpenID Connect relying party, for instances where the clocks of two systems are not perfectly synchronized.
Note: This advanced configuration does not apply to legacy OpenID Connect relying parties or Reverse Proxy Relying parties.
Default value: 0