The configuration file count is very large, partly due to supporting so many features, partly because we have created smaller units of configuration dealing with specific tasks, and partly because we've tried to expose a lot of options directly without requiring code changes or plugins. In practice, you should expect to interact with the same files as in earlier versions on a regular basis and you may never touch many of these files.
To help orient you, a summary of the general function of each file follows along with a tip for when or why you might care about it. The order is alphabetic, not based on the frequency of use.
The "RL?" column marks files that can be reloaded at runtime without a restart. It does not say whether a given file actually is reloaded: that depends on the corresponding "checkInterval" property in services.properties, and an interval of zero disables polling for that service.
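Because a "Y" in the table below only means a file is reloadable in principle, it is worth checking services.properties to see which services will really pick up edits without a restart. The following script is an added example, not part of this page or of the IdP distribution. It reads a constructed services.properties fragment and reports the effective reload policy for each group of reloadable files. The property names follow the stock services.properties, the mapping from service prefix to file is assumed from services.xml, and treating an unset or zero checkInterval as "no polling" is an assumption about the default fallback; verify all three against your own installation.

```python
"""Report which reloadable IdP configuration files will actually be polled
for changes, given the checkInterval settings in services.properties."""
import re
from datetime import timedelta

# Constructed sample of a services.properties fragment. The property names
# follow the stock IdP services.properties; the values are chosen for this
# example (verify both against your own installation).
SAMPLE_SERVICES_PROPERTIES = """\
# Reload policy for the services the IdP wires together
idp.service.logging.checkInterval = PT5M
idp.service.relyingparty.checkInterval = PT15M
idp.service.metadata.checkInterval = PT15M
idp.service.attribute.registry.checkInterval = PT15M
idp.service.attribute.resolver.checkInterval = PT0S
idp.service.attribute.filter.checkInterval: PT1H
idp.service.nameidGeneration.checkInterval = PT15M
! idp.service.access.checkInterval = PT5M
"""

# Reloadable files from the summary table, keyed by the service property
# prefix that governs them (assumed mapping; confirm against services.xml).
SERVICE_FILES = {
    "idp.service.logging": "logback.xml",
    "idp.service.relyingparty": "relying-party.xml, credentials.xml",
    "idp.service.metadata": "metadata-providers.xml",
    "idp.service.attribute.registry": "attribute-registry.xml, attributes/*.xml",
    "idp.service.attribute.resolver": "attribute-resolver.xml",
    "idp.service.attribute.filter": "attribute-filter.xml",
    "idp.service.nameidGeneration": "saml-nameid.xml",
    "idp.service.access": "access-control.xml",
}

_KEY_VALUE = re.compile(r"^([^=:\s]+)\s*(?:[=:]|\s)\s*(.*)$")
_ISO_DURATION = re.compile(
    r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?)?$")


def parse_properties(text):
    """Minimal Java .properties reader: '#' and '!' comments, '=' ':' or
    whitespace separators. Line continuations and escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = _KEY_VALUE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def parse_interval(value):
    """ISO 8601 duration such as PT15M -> timedelta. A bare integer is read
    as milliseconds (assumption: the older V3 property syntax)."""
    if value.isdigit():
        return timedelta(milliseconds=int(value))
    match = _ISO_DURATION.match(value.upper())
    if not match or not any(match.groups()):
        raise ValueError(f"unrecognised duration {value!r}")
    days, hours, minutes, seconds = match.groups()
    return timedelta(days=int(days or 0), hours=int(hours or 0),
                     minutes=int(minutes or 0), seconds=float(seconds or 0))


def reload_policy(properties_text):
    """Map each reloadable file group to ('polling', timedelta),
    ('disabled', reason) or ('unresolved', raw value). An unset property is
    treated as PT0S, assumed to be the fallback used by services.xml."""
    props = parse_properties(properties_text)
    policy = {}
    for prefix, files in SERVICE_FILES.items():
        value = props.get(prefix + ".checkInterval")
        if value is None:
            policy[files] = ("disabled", "checkInterval not set")
            continue
        if value.startswith("${") or value.startswith("%{"):
            # Property placeholder we cannot resolve offline; report it as-is.
            policy[files] = ("unresolved", value)
            continue
        interval = parse_interval(value)
        if interval <= timedelta(0):
            policy[files] = ("disabled", "checkInterval is zero")
        else:
            policy[files] = ("polling", interval)
    return policy


if __name__ == "__main__":
    for files, (state, detail) in reload_policy(SAMPLE_SERVICES_PROPERTIES).items():
        print(f"{files:45s} {state:10s} {detail}")
```

Run against your real services.properties, the report tells you at a glance that, for instance, an attribute-filter.xml change will be picked up within the hour while an attribute-resolver.xml change (PT0S) or an access-control.xml change (property commented out) needs an explicit reload or a restart. A commented-out or zero interval is also the common cause of "I edited the file but nothing happened" reports.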
| File | RL? | Purpose | Tasks |
|---|---|---|---|
| access-control.xml | Y | Controls access to administrative functions such as the status page, resolver testing tool, service reloading, etc. | |
| admin.xml | N | Describes the administrative flows supported by the IdP | |
| attribute-filter.xml | Y | Attribute release policy controlling whether to return attributes to a requester or accept them from an issuer | |
| attribute-registry.xml | Y | A new service for configuring the mapping rules that convert between SAML/OIDC/CAS attributes and internal IdPAttribute definitions | |
| attribute-resolver.xml | Y | How attribute data is produced from LDAP, database, or other data sources, and how it is encoded into SAML or other formats (i.e., the formal name(s) used) | |
| audit.xml | N | Controls general audit log behavior | |
| cas-protocol.xml | N | Configures CAS protocol features | |
| credentials.xml | Y | Configures private keys and certificates | |
| errors.xml | N | Error handling configuration; controls which "events" are mapped to SAML errors and how they are signaled | |
| global.xml | N | A place to put globally visible custom Spring bean definitions; empty by default | |
| idp.properties | N | Java property file used to change common or important settings more easily, and as a pointer to additional property sources | |
| ldap.properties | N | Java property file with LDAP authentication and attribute lookup settings | |
| logback.xml | Y | Logback logging configuration | |
| metadata-providers.xml | Y | Configures sources of SAML metadata | |
| mvc-beans.xml | N | A place to put custom bean definitions for the Spring MVC layer; not created by default | |
| relying-party.xml | Y | Controls which profiles are enabled for which relying parties and the profile settings used with them | |
| saml-nameid.properties | N | Java property file with settings controlling SAML NameID generation and consumption | |
| saml-nameid.xml | Y | Controls support for, and generation/sourcing of, SAML NameIDs | |
| credentials/secrets.properties | N | Parking lot for any properties of a secret nature that should not be checked into configuration management tools | |
| services.properties | N | Java property file with pointers to the resource collections that configure important services, and the settings controlling the configuration reload policy | |
| services.xml | N | Controls the resources loaded to configure important services, and allows for advanced resource types such as Subversion | |
| session-manager.xml | N | Configures session management behavior that is not handled with properties | |
| | N | Describes the administrative flows supported by the IdP | |
| admin/metrics.xml | N | Configures customizable instrumentation and reporting features | |
| attributes/default-rules.xml (and various schema-specific rule files) | Y | Default mapping rules for "conventional" attributes in common or standard usage | |
| attributes/custom/ | N | A directory into which property-based attribute mapping rules can be dropped for local customization | |
| authn/authn-comparison.xml | N | Establishes relationships between authentication methods in terms of protocol-specific identifiers such as SAML AuthnContext classes | |
| authn/authn-events-flow.xml | N | A webflow definition file for enumerating custom events to use as the result of custom authentication flows | |
| authn/discovery-config.xml | N | Configures the location of the IdP Discovery service to use when proxying | |
| authn/duo-authn-config.xml | N | Configures the Duo Security login flow | |
| authn/duo.properties | N | Java property file that holds Duo integration settings | |
| authn/external-authn-config.xml | N | Configures the External login flow | |
| authn/function-authn-config.xml | N | Configures the Function login flow | |
| authn/general-authn.xml | N | Describes the authentication flows supported by the IdP | |
| authn/ipaddress-authn-config.xml | N | Configures the IPAddress login flow | |
| authn/jaas-authn-config.xml | N | Configures the JAAS back-end for the Password login flow (the counterpart of V2's UsernamePassword flow) | |
| authn/jaas.config | N | Configures the JAAS login modules to use with the JAAS login flow | |
| authn/krb5-authn-config.xml | N | Configures the Kerberos back-end for the Password login flow (a username/password validation flow, not a ticket- or desktop-based flow) | |
| authn/ldap-authn-config.xml | N | Configures the LDAP back-end for the Password login flow (a native LDAP password validation flow) | |
| authn/mfa-authn-config.xml | N | Configures the multi-factor authentication login flow | |
| authn/password-authn-config.xml | N | Configures the overall Password login flow | |
| authn/remoteuser-authn-config.xml | N | Configures the RemoteUser login flow | |
| authn/remoteuser-internal-authn-config.xml | N | Configures the RemoteUserInternal login flow (similar to the RemoteUser flow, but with no extra redirections) | |
| authn/saml-authn-config.xml | N | Configures the SAML login flow | |
| | N | Configures the SPNEGO login flow | |
| authn/x509-authn-config.xml | N | Configures the X509 login flow | |
| authn/x509-internal-authn-config.xml | N | Configures the X509Internal login flow (the same as the regular one, but with no extra redirections) | |
| c14n/attribute-sourced-subject-c14n-config.xml | N | Configures a mapping of the logged-in username to an internal username based on resolving attributes from LDAP, a database, etc. | |
| c14n/simple-subject-c14n-config.xml | N | Configures simple transforms of the logged-in username after authentication | |
| c14n/subject-c14n-events-flow.xml | N | A webflow definition file for enumerating custom events to use as the result of custom canonicalization flows | |
| c14n/subject-c14n.xml | N | Configures the mechanisms for processing usernames after authentication, and for mapping SAML NameID values back into usernames | |
| c14n/x500-subject-c14n-config.xml | N | Configures how to extract a username from end-user client certificates | |
| intercept/consent-intercept-config.xml | N | Configures the built-in attribute release and terms of use features | |
| intercept/context-check-intercept-config.xml | N | Configures the built-in flow that blocks a profile request if it meets (or fails to meet) pluggable criteria, for example preventing SSO if an attribute is not available | |
| intercept/expiring-password-intercept-config.xml | N | Configures the built-in flow that warns a user of an expiring password based on a resolved attribute | |
| intercept/external-intercept-config.xml | N | Configures the built-in flow that supports building interceptors with an external servlet or JSP | |
| intercept/impersonate-intercept-config.xml | N | Configures the built-in flow that allows authorized users to impersonate others on a per-transaction basis | |
| intercept/intercept-events-flow.xml | N | A webflow definition file for enumerating custom events to use as the result of custom intercept flows | |
| intercept/-------------------------------------------------------- | N | Configures the flows that are run at various defined points inside a profile flow to modify its behavior or change its results | |