From c9f8b513c52d4ad08e6469f38de3a7a3aebd47a1 Mon Sep 17 00:00:00 2001
From: moauto <54212639+mo-auto@users.noreply.github.com>
Date: Wed, 22 Jan 2025 14:05:11 +0000
Subject: [PATCH] Deployed ea02f86ed to head with MkDocs 1.4.1 and mike 1.1.2
---
 .../kubernetes/helm-chart/index.html | 80 +++++------
 head/search/search_index.json | 2 +-
 head/sitemap.xml | 128 +++++++++---------
 head/sitemap.xml.gz | Bin 719 -> 719 bytes
 4 files changed, 105 insertions(+), 105 deletions(-)
diff --git a/head/reference/kubernetes/helm-chart/index.html b/head/reference/kubernetes/helm-chart/index.html
index a3530a870..7d031b052 100644
--- a/head/reference/kubernetes/helm-chart/index.html
+++ b/head/reference/kubernetes/helm-chart/index.html
@@ -1834,7 +1834,7 @@

gluu#

-

version: 0.0.0-nightly Appversion: 0.0.0-nightly

+

Version: 5.3.0 AppVersion: 5.3.0

Gluu Access and Identity Management

Homepage: https://www.gluu.org

Maintainers#

@@ -1872,72 +1872,72 @@

Requirements admin-ui -5.2.0 +5.3.0 auth-server -1.2.0 +1.3.0 auth-server-key-rotation -1.2.0 +1.3.0 casa -1.2.0 +1.3.0 cn-istio-ingress -1.2.0 +1.3.0 config -1.2.0 +1.3.0 config-api -1.2.0 +1.3.0 fido2 -1.2.0 +1.3.0 kc-scheduler -1.2.0 +1.3.0 link -1.2.0 +1.3.0 nginx-ingress -1.2.0 +1.3.0 persistence -1.2.0 +1.3.0 saml -1.2.0 +1.3.0 scim -1.2.0 +1.3.0 @@ -1955,7 +1955,7 @@

Values +{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/gluufederation/flex/admin-ui","tag":"5.3.0-1"},"lifecycle":{},"livenessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"failureThreshold":20,"initialDelaySeconds":60,"periodSeconds":25,"tcpSocket":{"port":8080},"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2000m","memory":"2000Mi"},"requests":{"cpu":"2000m","memory":"2000Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} Admin GUI for configuration of the auth-server @@ -2033,7 +2033,7 @@

Values +"5.3.0-1" Image tag to use for deploying. @@ -2129,13 +2129,13 @@

Values +{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/auth-server","tag":"1.3.0-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"2500m","memory":"2500Mi"},"requests":{"cpu":"2500m","memory":"2500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. 
auth-server-key-rotation object -{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"0.0.0-nightly"},"keysLife":48,"keysPushDelay":0,"keysPushStrategy":"NEWER","keysStrategy":"NEWER","lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} +{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/certmanager","tag":"1.3.0-1"},"keysLife":48,"keysPushDelay":0,"keysPushStrategy":"NEWER","keysStrategy":"NEWER","lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} Responsible for regenerating auth-keys per x hours @@ -2195,7 +2195,7 @@

Values +"1.3.0-1" Image tag to use for deploying. @@ -2357,7 +2357,7 @@

Values +"1.3.0-1" Image tag to use for deploying. @@ -2459,7 +2459,7 @@

Values +{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/casa","tag":"1.3.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-casa/health-check","port":"http-casa"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} Janssen Casa ("Casa") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Auth Server. @@ -2537,7 +2537,7 @@

Values +"1.3.0-1" Image tag to use for deploying. @@ -2645,13 +2645,13 @@

Values +{"additionalAnnotations":{},"additionalLabels":{},"adminPassword":"Test1234#","city":"Austin","configmap":{"cnAwsAccessKeyId":"","cnAwsDefaultRegion":"us-west-1","cnAwsProfile":"gluu","cnAwsSecretAccessKey":"","cnAwsSecretsEndpointUrl":"","cnAwsSecretsNamePrefix":"gluu","cnAwsSecretsReplicaRegions":[],"cnCacheType":"NATIVE_PERSISTENCE","cnConfigKubernetesConfigMap":"cn","cnGoogleProjectId":"google-project-to-save-config-and-secrets-to","cnGoogleSecretManagerServiceAccount":"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=","cnGoogleSecretNamePrefix":"gluu","cnGoogleSecretVersionId":"latest","cnJettyRequestHeaderSize":8192,"cnMaxRamPercent":"75.0","cnMessageType":"DISABLED","cnOpaUrl":"http://opa.opa.svc.cluster.cluster.local:8181/v1","cnPersistenceHybridMapping":"{}","cnRedisSentinelGroup":"","cnRedisSslTruststore":"","cnRedisType":"STANDALONE","cnRedisUrl":"redis.redis.svc.cluster.local:6379","cnRedisUseSsl":false,"cnScimProtectionMode":"OAUTH","cnSecretKubernetesSecret":"cn","cnSqlDbDialect":"mysql","cnSqlDbHost":"my-release-mysql.default.svc.cluster.local","cnSqlDbName":"gluu","cnSqlDbPort":3306,"cnSqlDbSchema":"","cnSqlDbTimezone":"UTC","cnSqlDbUser":"gluu","cnSqldbUserPassword":"Test1234#","cnVaultAddr":"http://localhost:8200","cnVaultAppRolePath":"approle","cnVaultKvPath":"secret","cnVaultNamespace":"","cnVaultPrefix":"jans","cnVaultRoleId":"","cnVaultRoleIdFile":"/etc/certs/vault_role_id","cnVaultSecretId":"","cnVaultSecretIdFile":"/etc/certs/vault_secret_id","cnVaultVerify":false,"kcAdminPassword":"Test1234#","kcAdminUsername":"admin","kcDbPassword":"Test1234#","kcDbSchema":"keycloak","kcDbUrlDatabase":"keycloak","kcDbUrlHost":"mysql.kc.svc.cluster.local","kcDbUrlPort":3306,"kcDbUrlProperties":"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4","kcDbUsername":"keycloak","kcDbVendor":"mysql","kcLogLevel":"INFO","lbAddr":"","quarkusTransactionEnableRecovery":true},"countryCode":"US","customCommand":[],"customScripts":[],"dnsConfig":
{},"dnsPolicy":"","email":"team@gluu.org","image":{"pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/configurator","tag":"1.3.0-1"},"lifecycle":{},"migration":{"enabled":false,"migrationDataFormat":"ldif","migrationDir":"/ce-migration"},"orgName":"Gluu","redisPassword":"P@assw0rd","resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"salt":"","state":"TX","usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. config-api object -{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"0.0.0-nightly"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1200Mi"},"requests":{"cpu":"1000m","memory":"1200Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} 
+{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/config-api","tag":"1.3.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-config-api/api/v1/health/live","port":8074},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"jans-config-api/api/v1/health/ready","port":8074},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1200Mi"},"requests":{"cpu":"1000m","memory":"1200Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). @@ -2729,7 +2729,7 @@

Values +"1.3.0-1" Image tag to use for deploying. @@ -3197,7 +3197,7 @@

Values +"1.3.0-1" Image tag to use for deploying. @@ -3311,7 +3311,7 @@

Values +{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/fido2","tag":"1.3.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-fido2/sys/health-check","port":"http-fido2"},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"500Mi"},"requests":{"cpu":"500m","memory":"500Mi"}},"service":{"name":"http-fido2","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. @@ -3389,7 +3389,7 @@

Values +"1.3.0-1" Image tag to use for deploying. @@ -4817,7 +4817,7 @@

Values +{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/kc-scheduler","tag":"1.3.0-1"},"interval":10,"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} Responsible for synchronizing Keycloak SAML clients @@ -4877,7 +4877,7 @@

Values +"1.3.0-1" Image tag to use for deploying. @@ -4949,7 +4949,7 @@

Values +{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/link","tag":"1.3.0-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"1200Mi"},"requests":{"cpu":"500m","memory":"1200Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} Link. @@ -5027,7 +5027,7 @@

Values +"1.3.0-1" Image tag to use for deploying. @@ -5153,7 +5153,7 @@

Values +{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/persistence-loader","tag":"1.3.0-1"},"lifecycle":{},"resources":{"limits":{"cpu":"300m","memory":"300Mi"},"requests":{"cpu":"300m","memory":"300Mi"}},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} Job to generate data and initial config for Gluu Server persistence layer. @@ -5213,7 +5213,7 @@

Values +"1.3.0-1" Image tag to use for deploying. @@ -5279,7 +5279,7 @@

Values +{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/saml","tag":"1.3.0-1"},"lifecycle":{},"livenessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"exec":{"command":["python3","/app/scripts/healthcheck.py"]},"failureThreshold":10,"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"500m","memory":"1200Mi"},"requests":{"cpu":"500m","memory":"1200Mi"}},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} SAML. @@ -5357,7 +5357,7 @@

Values +"1.3.0-1" Image tag to use for deploying. @@ -5459,7 +5459,7 @@

Values +{"additionalAnnotations":{},"additionalLabels":{},"customCommand":[],"customScripts":[],"dnsConfig":{},"dnsPolicy":"","hpa":{"behavior":{},"enabled":true,"maxReplicas":10,"metrics":[],"minReplicas":1,"targetCPUUtilizationPercentage":50},"image":{"pullPolicy":"IfNotPresent","pullSecrets":[],"repository":"ghcr.io/janssenproject/jans/scim","tag":"1.3.0-1"},"lifecycle":{},"livenessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"pdb":{"enabled":true,"maxUnavailable":"90%"},"readinessProbe":{"httpGet":{"path":"/jans-scim/sys/health-check","port":8080},"initialDelaySeconds":25,"periodSeconds":25,"timeoutSeconds":5},"replicas":1,"resources":{"limits":{"cpu":"1000m","memory":"1200Mi"},"requests":{"cpu":"1000m","memory":"1200Mi"}},"service":{"name":"http-scim","port":8080},"topologySpreadConstraints":{},"usrEnvs":{"normal":{},"secret":{}},"volumeMounts":[],"volumes":[]} System for Cross-domain Identity Management (SCIM) version 2.0 @@ -5537,7 +5537,7 @@

Values +"1.3.0-1" Image tag to use for deploying. @@ -5656,7 +5656,7 @@

Values2025-01-07 + 2025-01-22
Created:
diff --git a/head/search/search_index.json b/head/search/search_index.json
index cbebd6ac8..739792f41 100644
--- a/head/search/search_index.json
+++ b/head/search/search_index.json
@@ -1 +1 @@ -{"config":{"indexing":"full","lang":["en"],"min_search_length":3,"prebuild_index":false,"separator":"[\\s\\-]+"},"docs":[{"location":"","text":"Gluu Flex Documentation # Introduction # Designed from the ground up to support cloud-native deployments, Gluu Flex is a self-hosted software stack to enable your organization to build a world-class digital identity platform to authenticate both people and software. With Helm charts available out of the box, Gluu Flex can handle the most demanding requirements for concurrency. Thanks to cloud-native auto-scaling and zero downtime updates, you can build a robust, multi-datacenter topology. You can take advantage of new cloud databases like Amazon Aurora and Google Spanner. Common use cases include: Single sign-on (SSO) Mobile authentication API access management Two-factor authentication (2FA) Customer identity and access management (CIAM) Identity federation Built on Janssen # Gluu Flex is a downstream product of the Linux Foundation Janssen Project . It was created for enterprise customers who want a commercially supported distribution, plus some additional tools to ease administration. Harness Low Code Authentication Flows with Agama # Gluu Flex uses Agama to offer an alternative way to build web-based authentication flows. Traditionally, person authentication flows are defined in the server with jython scripts that adhere to a predefined API. With Agama, flows are coded using a DSL (domain specific language) designed for the sole purpose of writing web flows. Agama flows are simpler, more intuitive, and quicker to build. Support # The Gluu Flex contract includes guaranteed response times and consultative support via our support portal . Looking for older documentation versions? # The Janssen Project posts the last five versions of the documentation. If you are looking for older versions, you can find them unprocessed in the docs folder. Select the version of choice from the tag dropdown in GitHub. 
If you want to process them you may do so by following the steps below : Testing Documentation Changes Locally # While contributing documentation to official Gluu documentation it is important to make sure that documents meet style guidelines and have been proofread to remove any typographical or grammatical errors. Gluu uses Material for MkDocs to create the documentation site. Before new content is pushed to the repository on GitHub, it should be tested locally by the author. Author can do this by deploying Material for MkDocs locally. High-level steps involve: Install Material for MkDocs Install required plugins Preview as you write","title":"Overview"},{"location":"#gluu-flex-documentation","text":"","title":"Gluu Flex Documentation"},{"location":"#introduction","text":"Designed from the ground up to support cloud-native deployments, Gluu Flex is a self-hosted software stack to enable your organization to build a world-class digital identity platform to authenticate both people and software. With Helm charts available out of the box, Gluu Flex can handle the most demanding requirements for concurrency. Thanks to cloud-native auto-scaling and zero downtime updates, you can build a robust, multi-datacenter topology. You can take advantage of new cloud databases like Amazon Aurora and Google Spanner. Common use cases include: Single sign-on (SSO) Mobile authentication API access management Two-factor authentication (2FA) Customer identity and access management (CIAM) Identity federation","title":"Introduction"},{"location":"#built-on-janssen","text":"Gluu Flex is a downstream product of the Linux Foundation Janssen Project . It was created for enterprise customers who want a commercially supported distribution, plus some additional tools to ease administration.","title":"Built on Janssen"},{"location":"#harness-low-code-authentication-flows-with-agama","text":"Gluu Flex uses Agama to offer an alternative way to build web-based authentication flows. 
Traditionally, person authentication flows are defined in the server with jython scripts that adhere to a predefined API. With Agama, flows are coded using a DSL (domain specific language) designed for the sole purpose of writing web flows. Agama flows are simpler, more intuitive, and quicker to build.","title":"Harness Low Code Authentication Flows with Agama"},{"location":"#support","text":"The Gluu Flex contract includes guaranteed response times and consultative support via our support portal .","title":"Support"},{"location":"#looking-for-older-documentation-versions","text":"The Janssen Project posts the last five versions of the documentation. If you are looking for older versions, you can find them unprocessed in the docs folder. Select the version of choice from the tag dropdown in GitHub. If you want to process them you may do so by following the steps below :","title":"Looking for older documentation versions?"},{"location":"#testing-documentation-changes-locally","text":"While contributing documentation to official Gluu documentation it is important to make sure that documents meet style guidelines and have been proofread to remove any typographical or grammatical errors. Gluu uses Material for MkDocs to create the documentation site. Before new content is pushed to the repository on GitHub, it should be tested locally by the author. Author can do this by deploying Material for MkDocs locally. 
High-level steps involve: Install Material for MkDocs Install required plugins Preview as you write","title":"Testing Documentation Changes Locally"},{"location":"CHANGELOG/","text":"Changelog # 5.0.0-21 (2023-12-18) # Bug Fixes # prepare for 5.0.0-21 release ( cee44ca ) 5.0.0-20 (2023-11-16) # Features # aio chart ( #1436 ) ( a20a695 ) Bug Fixes # docs: update casa base URI ( #1440 ) ( 495536c ) prepare for 5.0.0-20 release ( f74643c ) 5.0.0-19 (2023-10-12) # Features # docs: remove Casa files from Flex ( a5b7fcd ) Bug Fixes # docs: remove Casa image assets ( 0b9f0b4 ) docs: update docs w.r.t casa move to Jans ( 5b7d3fd ) docs: update docs w.r.t casa move to Jans ( 16f647c ) prepare for 5.0.0-19 release ( 2d8e13d ) 5.0.0-18 (2023-09-23) # Features # adding configuration and logs details ( d136f3d ) updating configuration docs ( a1933e3 ) Bug Fixes # prepare for 5.0.0-18 release ( 29f822f ) prepare for 5.0.0-18 release ( 4af69cb ) versioning ( 1abf437 ) 5.0.0-16 (2023-08-14) # Bug Fixes # prepare for 5.0.0-16 release ( 699d534 ) 5.0.0-15 (2023-07-14) # Features # adding tags ( 7841e03 ) documentation of admin-ui #1063 ( 3cf1e7b ) documentation of admin-ui #1063 ( 48233d3 ) edit flex license contents ( 8d7f749 ) making changes as per review comments ( 1bcd39b ) making changes as per review comments ( 5c636fb ) Bug Fixes # doc: added How to configure SuperGluu in Flex ( 6b7beef ) doc: adding SG screenshot - 2 ( e06bd79 ) doc: adding SG screenshot-1 ( b581a03 ) doc: enable SG - 2 ( d86ec85 ) doc: Flex SG doc review - How to Use SuperGluu ( f564dd1 ) doc: hiding ad removal related doc ( 5354e84 ) doc: how to enable SG in Flex-UI ( 4851205 ) doc: index page flex ( 7d48422 ) doc: removing key list from user record info ( 01b671a ) docs: flex-ui SG -- Compatability ( f78c46a ) doc: SG flex - How to use Super Gluu-1 ( e07641c ) doc: sg flex - how to use Super Gluu-screenshot location ( 7798023 ) doc: sg workflows ( 601b237 ) docs: test SG authentication ( 32f6b24 ) doc: 
test authentication SG ( 6d0f550 ) doc: Test authentication user guide ( a554646 ) doc: uploading modified screenshot ( 0e9e0cf ) prepare for 5.0.0-15 release ( 664553a ) 5.0.0-14 (2023-06-12) # Bug Fixes # prepare for 5.0.0-14 release ( 9481f55 ) 5.0.0-13 (2023-05-12) # Bug Fixes # admin-ui: add apply button ( d334103 ) blockUI converted to functional component ( 4b8e7bd ) email_2fa_core/install.bat has been removed; ( f27e461 ) prepare for 5.0.13 release ( 8578827 ) profile details is distorted when multiple roles assigned to the user ( e4603d8 ) revert prod webpack config of static & fonts files ( 96fa135 ) 5.0.0-12 (2023-04-18) # Bug Fixes # prepare for 5.0.12 release ( 994c985 ) 5.0.0-11 (2023-04-06) # Bug Fixes # prepare for 5.0.11 release ( d3cc35a ) 5.0.0-10 (2023-03-16) # Bug Fixes # add cn license enforcment to chart ( 55fb0c9 ) prepare for 5.0.10 release ( 1ffcbc7 ) 5.0.0-9 (2023-03-09) # Bug Fixes # docs: ubuntu install download location ( bb3a5cd ) prepare for 5.0.0-9 release ( 716d309 ) 5.0.0-8 (2023-03-02) # Bug Fixes # prepare for 5.0.0-8 release ( 29e0cbb ) 5.0.0-7 (2023-02-22) # Bug Fixes # prepare for 5.0.0-7 release ( 7f96937 ) 5.0.0-4 (2022-12-08) # Bug Fixes # getting ready for a release ( a0de091 ) 5.0.0-3 (2022-11-08) # Features # admin-ui: reviewed previously updated dependencies #416 ( ab81760 ) Bug Fixes # getting ready to release 5.0.0-3 ( e8f3ecc ) Miscellaneous Chores # release 5.0.0-2 ( 06c6e64 )","title":"Changelog"},{"location":"CHANGELOG/#changelog","text":"","title":"Changelog"},{"location":"CHANGELOG/#500-21-2023-12-18","text":"","title":"5.0.0-21 (2023-12-18)"},{"location":"CHANGELOG/#bug-fixes","text":"prepare for 5.0.0-21 release ( cee44ca )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-20-2023-11-16","text":"","title":"5.0.0-20 (2023-11-16)"},{"location":"CHANGELOG/#features","text":"aio chart ( #1436 ) ( a20a695 )","title":"Features"},{"location":"CHANGELOG/#bug-fixes_1","text":"docs: update casa base URI ( #1440 ) ( 
495536c ) prepare for 5.0.0-20 release ( f74643c )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-19-2023-10-12","text":"","title":"5.0.0-19 (2023-10-12)"},{"location":"CHANGELOG/#features_1","text":"docs: remove Casa files from Flex ( a5b7fcd )","title":"Features"},{"location":"CHANGELOG/#bug-fixes_2","text":"docs: remove Casa image assets ( 0b9f0b4 ) docs: update docs w.r.t casa move to Jans ( 5b7d3fd ) docs: update docs w.r.t casa move to Jans ( 16f647c ) prepare for 5.0.0-19 release ( 2d8e13d )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-182023-09-23","text":"","title":"5.0.0-18(2023-09-23)"},{"location":"CHANGELOG/#features_2","text":"adding configuration and logs details ( d136f3d ) updating configuration docs ( a1933e3 )","title":"Features"},{"location":"CHANGELOG/#bug-fixes_3","text":"prepare for 5.0.0-18 release ( 29f822f ) prepare for 5.0.0-18 release ( 4af69cb ) versioning ( 1abf437 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-16-2023-08-14","text":"","title":"5.0.0-16 (2023-08-14)"},{"location":"CHANGELOG/#bug-fixes_4","text":"prepare for 5.0.0-16 release ( 699d534 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-15-2023-07-14","text":"","title":"5.0.0-15 (2023-07-14)"},{"location":"CHANGELOG/#features_3","text":"adding tags ( 7841e03 ) documentation of admin-ui #1063 ( 3cf1e7b ) documentation of admin-ui #1063 ( 48233d3 ) edit flex license contents ( 8d7f749 ) making changes as per review comments ( 1bcd39b ) making changes as per review comments ( 5c636fb )","title":"Features"},{"location":"CHANGELOG/#bug-fixes_5","text":"doc: added How to configure SuperGluu in Flex ( 6b7beef ) doc: adding SG screenshot - 2 ( e06bd79 ) doc: adding SG screenshot-1 ( b581a03 ) doc: enable SG - 2 ( d86ec85 ) doc: Flex SG doc review - How to Use SuperGluu ( f564dd1 ) doc: hiding ad removal related doc ( 5354e84 ) doc: how to enable SG in Flex-UI ( 4851205 ) doc: index page flex ( 7d48422 ) doc: removing key list from user record info ( 01b671a ) docs: 
flex-ui SG -- Compatability ( f78c46a ) doc: SG flex - How to use Super Gluu-1 ( e07641c ) doc: sg flex - how to use Super Gluu-screenshot location ( 7798023 ) doc: sg workflows ( 601b237 ) docs: test SG authentication ( 32f6b24 ) doc: test authentication SG ( 6d0f550 ) doc: Test authentication user guide ( a554646 ) doc: uploading modified screenshot ( 0e9e0cf ) prepare for 5.0.0-15 release ( 664553a )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-14-2023-06-12","text":"","title":"5.0.0-14 (2023-06-12)"},{"location":"CHANGELOG/#bug-fixes_6","text":"prepare for 5.0.0-14 release ( 9481f55 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-13-2023-05-12","text":"","title":"5.0.0-13 (2023-05-12)"},{"location":"CHANGELOG/#bug-fixes_7","text":"admin-ui: add apply button ( d334103 ) blockUI converted to functional component ( 4b8e7bd ) email_2fa_core/install.bat has been removed; ( f27e461 ) prepare for 5.0.13 release ( 8578827 ) profile details is distorted when multiple roles assigned to the user ( e4603d8 ) revert prod webpack config of static & fonts files ( 96fa135 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-12-2023-04-18","text":"","title":"5.0.0-12 (2023-04-18)"},{"location":"CHANGELOG/#bug-fixes_8","text":"prepare for 5.0.12 release ( 994c985 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-11-2023-04-06","text":"","title":"5.0.0-11 (2023-04-06)"},{"location":"CHANGELOG/#bug-fixes_9","text":"prepare for 5.0.11 release ( d3cc35a )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-10-2023-03-16","text":"","title":"5.0.0-10 (2023-03-16)"},{"location":"CHANGELOG/#bug-fixes_10","text":"add cn license enforcment to chart ( 55fb0c9 ) prepare for 5.0.10 release ( 1ffcbc7 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-9-2023-03-09","text":"","title":"5.0.0-9 (2023-03-09)"},{"location":"CHANGELOG/#bug-fixes_11","text":"docs: ubuntu install download location ( bb3a5cd ) prepare for 5.0.0-9 release ( 716d309 )","title":"Bug 
Fixes"},{"location":"CHANGELOG/#500-8-2023-03-02","text":"","title":"5.0.0-8 (2023-03-02)"},{"location":"CHANGELOG/#bug-fixes_12","text":"prepare for 5.0.0-8 release ( 29e0cbb )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-7-2023-02-22","text":"","title":"5.0.0-7 (2023-02-22)"},{"location":"CHANGELOG/#bug-fixes_13","text":"prepare for 5.0.0-7 release ( 7f96937 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-4-2022-12-08","text":"","title":"5.0.0-4 (2022-12-08)"},{"location":"CHANGELOG/#bug-fixes_14","text":"getting ready for a release ( a0de091 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-3-2022-11-08","text":"","title":"5.0.0-3 (2022-11-08)"},{"location":"CHANGELOG/#features_4","text":"admin-ui: reviewed previously updated dependencies #416 ( ab81760 )","title":"Features"},{"location":"CHANGELOG/#bug-fixes_15","text":"getting ready to release 5.0.0-3 ( e8f3ecc )","title":"Bug Fixes"},{"location":"CHANGELOG/#miscellaneous-chores","text":"release 5.0.0-2 ( 06c6e64 )","title":"Miscellaneous Chores"},{"location":"admin/","text":"Gluu Flex Admin Guide # Overview # Gluu Flex is a commercially supported distribution of the Janssen Project , including the OpenID, OAuth, Config, FIDO, Casa, and SCIM Server components. Additionally, Flex includes the commercially licensed Flex Admin UI. Janssen Documentation # Central to Gluu Flex is the Janssen Project . Janssen enables organizations to build a scalable centralized authentication and authorization service using free open source software. Admin UI # The Gluu Flex Admin UI is a reactive web interface to simplify the management and configuration of your Auth Server. 
The Admin UI enables you to easily view and edit configuration properties, interception scripts, clients, and metrics in one place.","title":"Gluu Flex Admin Guide"},{"location":"admin/#gluu-flex-admin-guide","text":"","title":"Gluu Flex Admin Guide"},{"location":"admin/#overview","text":"Gluu Flex is a commercially supported distribution of the Janssen Project , including the OpenID, OAuth, Config, FIDO, Casa, and SCIM Server components. Additionally, Flex includes the commercially licensed Flex Admin UI.","title":"Overview"},{"location":"admin/#janssen-documentation","text":"Central to Gluu Flex is the Janssen Project . Janssen enables organizations to build a scalable centralized authentication and authorization service using free open source software.","title":"Janssen Documentation"},{"location":"admin/#admin-ui","text":"The Gluu Flex Admin UI is a reactive web interface to simplify the management and configuration of your Auth Server. The Admin UI enables you to easily view and edit configuration properties, interception scripts, clients, and metrics in one place.","title":"Admin UI"},{"location":"admin/config/","text":"Configuring Gluu Flex # Overview # After installing, there are four primary strategies to configure Gluu Flex. Text-based User Interface (TUI) # The current recommendation is to use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration, and instructions can be found in the Janssen documentation here. CURL Commands # As an alternative, the Config API can be called directly using CURL commands. Command Line Interface (CLI) # If needed, a command-line alternative to the TUI is available. Instructions can be found in the Janssen documentation here. Admin UI # The Gluu Flex Admin UI is a reactive web interface to simplify the management and configuration of your Auth Server. 
The Admin UI enables you to easily view and edit configuration properties, interception scripts, clients, and metrics in one place. The Admin UI can be accessed by accessing the hostname set during installation in the browser.","title":"Configuration"},{"location":"admin/config/#configuring-gluu-flex","text":"","title":"Configuring Gluu Flex"},{"location":"admin/config/#overview","text":"After installing, there are four primary strategies to configure Gluu Flex.","title":"Overview"},{"location":"admin/config/#text-based-user-interface-tui","text":"The current recommendation is to use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration, and instructions can be found in the Janssen documentation here.","title":"Text-based User Interface (TUI)"},{"location":"admin/config/#curl-commands","text":"As an alternative, the Config API can be called directly using CURL commands.","title":"CURL Commands"},{"location":"admin/config/#command-line-interface-cli","text":"If needed, a command-line alternative to the TUI is available. Instructions can be found in the Janssen documentation here.","title":"Command Line Interface (CLI)"},{"location":"admin/config/#admin-ui","text":"The Gluu Flex Admin UI is a reactive web interface to simplify the management and configuration of your Auth Server. The Admin UI enables you to easily view and edit configuration properties, interception scripts, clients, and metrics in one place. The Admin UI can be accessed by accessing the hostname set during installation in the browser.","title":"Admin UI"},{"location":"admin/admin-ui/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Index"},{"location":"admin/admin-ui/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. 
Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"admin/admin-ui/admin-menu/","tags":["administration","admin-ui","admin","role","permission","scripts","mau"],"text":"Admin Menu # The features like managing Roles and Permissions, Custom Scripts and monthly active users monitoring are placed under the Admin menu (in the left navigation of GUI). These features will be discussed one by one in this section. GUI Access Control # The administrator can control view/edit/delete access of users of Gluu Flex Admin UI by adding or removing the appropriate Permissions mapped to the user's Admin UI Role. For e.g. if the read Permission of OIDC clients ( https://jans.io/oauth/config/clients.readonly ) is not mapped to the logged-in user's Role, the contents of the page showing OIDC client records will not be visible to the user. In the same way, if the write and delete Permissions of OIDC clients are not mapped then the user will not be able to edit or delete any OIDC client record. Role # The logged-in administrator can create, edit or delete Admin UI Roles using the Admin UI Roles Page. The Admin UI Role can be assigned to the user using the User Management feature of this GUI. After installation, the following Admin UI Roles can be seen on Admin UI: api-viewer, api-editor, api-manager and api-admin. The default user i.e. admin is assigned with api-admin role. A user with one or more Admin UI Role(s) assigned will be able to log into Gluu Flex Admin UI. Permissions (Scopes) # Gluu Flex Admin UI uses Config API to manage and configure the Jans Auth server. Config API helps in configuring auth-server, users, fido2 and scim modules. The APIs of this rest application are protected using an authorization token containing the appropriate permissions (scopes). The user interface has the capability to add, edit and delete the Permissions used to access the APIs (i.e. rest APIs used by Admin UI). 
Role-Permission Mapping # The administrator can map the Admin UI Role with one or more Permission(s) using the Role-Permission Mapping page. The Role mapped with Permissions can be then assigned to the user to allow access to the corresponding operations of the GUI. The below table lists the Permissions used in Admin UI: Permission Description https://jans.io/oauth/config/attributes.readonly View Person attributes https://jans.io/oauth/config/attributes.write Add/Edit Person attributes https://jans.io/oauth/config/attributes.delete Delete Person attributes https://jans.io/oauth/config/scopes.readonly View the Scopes https://jans.io/oauth/config/scopes.write Add/Edit Scopes https://jans.io/oauth/config/scopes.delete Delete Scopes https://jans.io/oauth/config/scripts.readonly View the Scripts https://jans.io/oauth/config/scripts.write Add/Edit Scripts https://jans.io/oauth/config/scripts.delete Delete Scripts https://jans.io/oauth/config/openid/clients.readonly View the Clients https://jans.io/oauth/config/openid/clients.write Add/Edit Clients https://jans.io/oauth/config/openid/clients.delete Delete Clients https://jans.io/oauth/config/smtp.readonly View SMTP configuration https://jans.io/oauth/config/smtp.write Edit SMTP configuration https://jans.io/oauth/config/smtp.delete Remove SMTP configuration https://jans.io/oauth/config/logging.readonly View Auth server log configuration https://jans.io/oauth/config/logging.write Edit Auth server log configuration https://jans.io/oauth/config/database/ldap.readonly View LDAP persistence configuration https://jans.io/oauth/config/database/ldap.write Edit LDAP persistence configuration https://jans.io/oauth/config/database/ldap.delete Delete LDAP persistence configuration https://jans.io/oauth/config/jwks.readonly View JWKS https://jans.io/oauth/jans-auth-server/config/adminui/user/role.readonly View Admin UI Roles https://jans.io/oauth/jans-auth-server/config/adminui/user/role.write Edit Admin UI Roles 
https://jans.io/oauth/jans-auth-server/config/adminui/user/role.delete Delete Admin UI Roles https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.readonly View Admin UI Permissions https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write Edit Admin UI Permissions https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.delete Delete Admin UI Permissions https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.readonly View Role-Permission Mapping https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.write Edit Role-Permission Mapping https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.delete Delete Role-Permission Mapping Custom Scripts # Custom Scripts are used to implement custom business logic for authentication, authorization, client registration, cache refresh, scopes, token revocation etc. The Janssen Authentication Server leverages Custom Scripts when implemented can facilitate complex business workflows without changing the server code. Gluu Flex Admin UI provides the interface to add/edit/delete custom scripts. Custom Scripts fields descriptions # INUM: Unique id identifying the script. Name: Name of the custom script. Only letters, digits and underscores are allowed. Description: Description of the script. Select SAML ACRS: The SAML parameter Authentication Context Requests (ACRS). Script Type: The type of the script (e.g. PERSON_AUTHENTICATION, INTROSPECTION, APPLICATION_SESSION, CLIENT_REGISTRATION etc). Programming Language: Programming language of the custom script (e.g. Java and Jython). Location Type: The location of the script, either database or file. Level: The level describes how secure and reliable the script is. Custom properties (key/value): Custom properties that can be used in the script. Script: Script content. Enable: Field set to enable or disable the script. 
MAU Graph # This is a line graph showing month-wise active users under a selected date range. Webhooks # Webhooks can be created and mapped to various Admin UI features to execute custom business logic when events associated with those features occur. Follow this tutorial for more details. Settings # The Gluu Flex Admin UI provides a user-friendly interface for managing various UI settings of this web application. This page has the following fields. List paging size: This field allows to define the default paging size for all search pages within the Admin UI. Config API URL: The read-only URL of the Jans Config API is used by the Admin UI for interaction. Admin UI Session Timeout (In Minutes): This field determines the maximum idle time allowed before a user is automatically logged out of the Admin UI. Admin UI authentication method (ACR): This dropdown enables user to select the default authentication method to be used in the Admin UI. Custom Parameters (for authentication): The custom parameters allow you to pass additional information to the authorization server during Admin UI authentication.","title":"Admin"},{"location":"admin/admin-ui/admin-menu/#admin-menu","text":"The features like managing Roles and Permissions, Custom Scripts and monthly active users monitoring are placed under the Admin menu (in the left navigation of GUI). These features will be discussed one by one in this section.","title":"Admin Menu"},{"location":"admin/admin-ui/admin-menu/#gui-access-control","text":"The administrator can control view/edit/delete access of users of Gluu Flex Admin UI by adding or removing the appropriate Permissions mapped to the user's Admin UI Role. For e.g. if the read Permission of OIDC clients ( https://jans.io/oauth/config/clients.readonly ) is not mapped to the logged-in user's Role, the contents of the page showing OIDC client records will not be visible to the user. 
In the same way, if the write and delete Permissions of OIDC clients are not mapped then the user will not be able to edit or delete any OIDC client record.","title":"GUI Access Control"},{"location":"admin/admin-ui/admin-menu/#role","text":"The logged-in administrator can create, edit or delete Admin UI Roles using the Admin UI Roles Page. The Admin UI Role can be assigned to the user using the User Management feature of this GUI. After installation, the following Admin UI Roles can be seen on Admin UI: api-viewer, api-editor, api-manager and api-admin. The default user i.e. admin is assigned with api-admin role. A user with one or more Admin UI Role(s) assigned will be able to log into Gluu Flex Admin UI.","title":"Role"},{"location":"admin/admin-ui/admin-menu/#permissions-scopes","text":"Gluu Flex Admin UI uses Config API to manage and configure the Jans Auth server. Config API helps in configuring auth-server, users, fido2 and scim modules. The APIs of this rest application are protected using an authorization token containing the appropriate permissions (scopes). The user interface has the capability to add, edit and delete the Permissions used to access the APIs (i.e. rest APIs used by Admin UI).","title":"Permissions (Scopes)"},{"location":"admin/admin-ui/admin-menu/#role-permission-mapping","text":"The administrator can map the Admin UI Role with one or more Permission(s) using the Role-Permission Mapping page. The Role mapped with Permissions can be then assigned to the user to allow access to the corresponding operations of the GUI. 
The below table lists the Permissions used in Admin UI: Permission Description https://jans.io/oauth/config/attributes.readonly View Person attributes https://jans.io/oauth/config/attributes.write Add/Edit Person attributes https://jans.io/oauth/config/attributes.delete Delete Person attributes https://jans.io/oauth/config/scopes.readonly View the Scopes https://jans.io/oauth/config/scopes.write Add/Edit Scopes https://jans.io/oauth/config/scopes.delete Delete Scopes https://jans.io/oauth/config/scripts.readonly View the Scripts https://jans.io/oauth/config/scripts.write Add/Edit Scripts https://jans.io/oauth/config/scripts.delete Delete Scripts https://jans.io/oauth/config/openid/clients.readonly View the Clients https://jans.io/oauth/config/openid/clients.write Add/Edit Clients https://jans.io/oauth/config/openid/clients.delete Delete Clients https://jans.io/oauth/config/smtp.readonly View SMTP configuration https://jans.io/oauth/config/smtp.write Edit SMTP configuration https://jans.io/oauth/config/smtp.delete Remove SMTP configuration https://jans.io/oauth/config/logging.readonly View Auth server log configuration https://jans.io/oauth/config/logging.write Edit Auth server log configuration https://jans.io/oauth/config/database/ldap.readonly View LDAP persistence configuration https://jans.io/oauth/config/database/ldap.write Edit LDAP persistence configuration https://jans.io/oauth/config/database/ldap.delete Delete LDAP persistence configuration https://jans.io/oauth/config/jwks.readonly View JWKS https://jans.io/oauth/jans-auth-server/config/adminui/user/role.readonly View Admin UI Roles https://jans.io/oauth/jans-auth-server/config/adminui/user/role.write Edit Admin UI Roles https://jans.io/oauth/jans-auth-server/config/adminui/user/role.delete Delete Admin UI Roles https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.readonly View Admin UI Permissions https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write Edit Admin UI 
Permissions https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.delete Delete Admin UI Permissions https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.readonly View Role-Permission Mapping https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.write Edit Role-Permission Mapping https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.delete Delete Role-Permission Mapping","title":"Role-Permission Mapping"},{"location":"admin/admin-ui/admin-menu/#custom-scripts","text":"Custom Scripts are used to implement custom business logic for authentication, authorization, client registration, cache refresh, scopes, token revocation etc. The Janssen Authentication Server leverages Custom Scripts when implemented can facilitate complex business workflows without changing the server code. Gluu Flex Admin UI provides the interface to add/edit/delete custom scripts.","title":"Custom Scripts"},{"location":"admin/admin-ui/admin-menu/#custom-scripts-fields-descriptions","text":"INUM: Unique id identifying the script. Name: Name of the custom script. Only letters, digits and underscores are allowed. Description: Description of the script. Select SAML ACRS: The SAML parameter Authentication Context Requests (ACRS). Script Type: The type of the script (e.g. PERSON_AUTHENTICATION, INTROSPECTION, APPLICATION_SESSION, CLIENT_REGISTRATION etc). Programming Language: Programming language of the custom script (e.g. Java and Jython). Location Type: The location of the script, either database or file. Level: The level describes how secure and reliable the script is. Custom properties (key/value): Custom properties that can be used in the script. Script: Script content. 
Enable: Field set to enable or disable the script.","title":"Custom Scripts fields descriptions"},{"location":"admin/admin-ui/admin-menu/#mau-graph","text":"This is a line graph showing month-wise active users under a selected date range.","title":"MAU Graph"},{"location":"admin/admin-ui/admin-menu/#webhooks","text":"Webhooks can be created and mapped to various Admin UI features to execute custom business logic when events associated with those features occur. Follow this tutorial for more details.","title":"Webhooks"},{"location":"admin/admin-ui/admin-menu/#settings","text":"The Gluu Flex Admin UI provides a user-friendly interface for managing various UI settings of this web application. This page has the following fields. List paging size: This field allows to define the default paging size for all search pages within the Admin UI. Config API URL: The read-only URL of the Jans Config API is used by the Admin UI for interaction. Admin UI Session Timeout (In Minutes): This field determines the maximum idle time allowed before a user is automatically logged out of the Admin UI. Admin UI authentication method (ACR): This dropdown enables user to select the default authentication method to be used in the Admin UI. Custom Parameters (for authentication): The custom parameters allow you to pass additional information to the authorization server during Admin UI authentication.","title":"Settings"},{"location":"admin/admin-ui/auth-server-interaction/","tags":["administration","admin-ui","interaction"],"text":"Interaction with Jans Auth Server # This user-friendly interface facilitates interaction with the Jans Auth Server through a REST API layer known as the Jans Config API . Here, we'll explore the working mechanism of the Gluu Flex Admin UI, focusing on its interaction with the Jans Auth Server and the key steps involved. 
When accessing the Gluu Flex Admin UI through a web browser, the following steps are involved: License Verification # The user accesses the Gluu Flex Admin UI frontend through a web browser. The frontend requests the Admin UI backend to retrieve Admin UI configuration from Janssen persistence. The Admin UI configuration includes OIDC client details for accessing the Auth Server, OIDC client details for accessing the Token Server, OIDC client details for accessing the License APIs, and license metadata. It's important to note that the Admin UI backend is implemented as a Jans Config API plugin . The frontend calls the Admin UI backend API ( /isConfigValid ) to validate the license configuration in persistence, essentially verifying the validity of the OIDC client used to access the License APIs. If it is not valid, the same API tries to register a new OIDC client using the SSA uploaded during installation. In case the SSA is invalid, the Admin UI shows a page to upload a new valid SSA. After ensuring the validity of the OIDC client, the Admin UI calls the Admin UI backend API (/isActive) to check if a valid license is present in the license configuration. The Admin UI backend then calls the SCAN API (/scan/license/isActive) to verify the validity of the license. If a valid license is not present, the frontend calls the backend API (/retrieve) to retrieve the license for the user via the SCAN API (/scan/license/retrieve). The license can only be retrieved from SCAN if the user has subscribed to the Admin UI license in Agama Lab. If the user has not already subscribed to a valid license in Agama Lab, the Admin UI displays a page to generate a 30-day trial license. The user cannot generate another trial license after expiry of a generated trial license and will need to subscribe to the Admin UI license in Agama Lab to access the user interface. 
After verification of valid license the frontend initiates the Authorization Code Flow by redirecting the user to the login page. sequenceDiagram title License Verification autonumber actor User User->>Browser: open Admin UI URL Browser->>Gluu Flex Admin UI: launch Admin UI Gluu Flex Admin UI->>Admin UI Backend: /config Admin UI Backend->>Gluu Flex Admin UI: Admin UI config Gluu Flex Admin UI->>Admin UI Backend: /license/isConfigValid Note over Gluu Flex Admin UI,Admin UI Backend: validate license OIDC client alt license client valid Admin UI Backend->>Gluu Flex Admin UI: true else license client invalid Admin UI Backend->>account.gluu.org: DCR using SSA alt DCR success account.gluu.org->>Admin UI Backend: client credentials Admin UI Backend->>Admin UI Backend: save client credentials in persistence Admin UI Backend->>Gluu Flex Admin UI: true else DCR fails Admin UI Backend->>Gluu Flex Admin UI: false Gluu Flex Admin UI->>Browser: Screen to Upload SSA end end Gluu Flex Admin UI->>Admin UI Backend: /license/isActive Note over Gluu Flex Admin UI,Admin UI Backend: validate license Admin UI Backend->>SCAN: /scan/license/isActive alt license active SCAN->>Admin UI Backend: true else license inactive / not present SCAN->>Admin UI Backend: false Admin UI Backend->>SCAN: /retrieve alt license subscribed SCAN->>Admin UI Backend: license else license not subscribed SCAN->>Admin UI Backend: false Admin UI Backend->>Gluu Flex Admin UI: false Gluu Flex Admin UI->>Browser: Screen to generate Trial license end end Admin UI Backend->>Gluu Flex Admin UI: login page The Authorization Code Flow # The frontend initiates the Authorization Code Flow by calling authorization url and redirecting the user to the login page of the Janssen authorization server for user authentication. Upon successful authentication, the authorization server sends an authorization code and a state to the frontend. The frontend verifies the state. 
The frontend utilizes the authorization code to first obtain an access token ( AT1 ) from the token endpoint of the authorization server. With AT1, the frontend requests the User-Info in JWT format ( UJWT ) from the authorization server by calling userInfo endpoint. The frontend stores the UJWT and its claims, including the user's role ( claim name is jansAdminUIRole ) and other relevant information, in the Redux store. sequenceDiagram title License Verification autonumber actor User Gluu Flex Admin UI->>Jans Auth Server: /authorize Jans Auth Server->>Gluu Flex Admin UI:code Gluu Flex Admin UI->>Jans Auth Server: /token Note right of Gluu Flex Admin UI: code as parameter Jans Auth Server->>Gluu Flex Admin UI: access_token Note right of Gluu Flex Admin UI: access_token as parameter Gluu Flex Admin UI->>Jans Auth Server: /userInfo Jans Auth Server->>Gluu Flex Admin UI: user-info (UJWT) Gluu Flex Admin UI->>Gluu Flex Admin UI: extract & store claims from UJWT API Protection and Scopes # To ensure security and access control, Gluu Flex Admin UI leverages API protection and scopes: The Jans Config API's endpoints are protected and can only be accessed using a token ( AT2 ) with the required scopes. To generate an AT2, the frontend requests the Token Server via the backend. The Token Server and Authorization Server can be the same or different. The Token Server employs an introspection script that validates the UJWT and refers to the role-scope mapping in the Token Server persistence. The introspection script validates the UJWT and includes the appropriate scopes in AT2 based on the user's role. The frontend receives AT2 and associated scopes from the backend. Features in the frontend are enabled or disabled based on the scopes provided in AT2. Refer this doc for GUI access control. sequenceDiagram title License Verification autonumber actor User Gluu Flex Admin UI->>Admin UI Backend: /api-protection-token?ujwt=... 
Admin UI Backend->>Jans Token Server: /token Jans Token Server->>Jans Token Server: Verify ujwt Jans Token Server->>Jans Token Server: Add scopes to token based on role (AT2) Jans Token Server->>Admin UI Backend: AT2 Admin UI Backend->>Gluu Flex Admin UI: AT2 Gluu Flex Admin UI->>Gluu Flex Admin UI:extracts scopes from AT2 Gluu Flex Admin UI->>Gluu Flex Admin UI: GUI access control based on scopes from AT2 Accessing Config-API Endpoints # To access config-api endpoints, the following steps are taken: The Admin UI frontend requests AT2 from the Token Server through the backend. Armed with AT2, the frontend sends a request to the desired Jans Config API endpoint. AT2 is included in the authorization header, along with other request parameters. At the Jans Config API, AT2 is validated, and the provided scopes are verified to ensure the necessary scope for the requested endpoint is present. If the above steps are successful, the requested data is fetched from the Jans Config API and forwarded to the frontend. sequenceDiagram title License Verification autonumber actor User Gluu Flex Admin UI->>Admin UI Backend: /api-protection-token?ujwt=... 
Admin UI Backend->>Jans Token Server: /token Jans Token Server->>Jans Token Server: Verify ujwt Jans Token Server->>Jans Token Server: Add scopes to token based on role (AT2) Jans Token Server->>Admin UI Backend: AT2 Admin UI Backend->>Gluu Flex Admin UI: AT2 Gluu Flex Admin UI->>Jans Config API: request API with AT2 Jans Config API<<->>Jans Token Server: introspect AT2 Jans Token Server->>Jans Config API: AT2 JSON Jans Config API->>Jans Config API: Enforcement: verify required scopes Jans Config API->>Jans Config API: validate params Jans Config API->>Jans Auth Server:call API with request params Jans Auth Server->>Jans Config API:response Jans Config API->>Gluu Flex Admin UI:response Conclusion # The Gluu Flex Admin UI simplifies the process of managing configuration and features of the Jans Auth Server through an intuitive graphical user interface. By following the Authorization Code Flow and leveraging API protection and scopes, the Gluu Flex Admin UI ensures secure and controlled interaction with the Jans Auth Server's REST API layer. This seamless interaction empowers administrators to efficiently manage the Jans Auth Server's settings while adhering to strict access controls and security protocols.","title":"Auth Server Interaction"},{"location":"admin/admin-ui/auth-server-interaction/#interaction-with-jans-auth-server","text":"This user-friendly interface facilitates interaction with the Jans Auth Server through a REST API layer known as the Jans Config API . Here, we'll explore the working mechanism of the Gluu Flex Admin UI, focusing on its interaction with the Jans Auth Server and the key steps involved. When accessing the Gluu Flex Admin UI through a web browser, the following steps are involved:","title":"Interaction with Jans Auth Server"},{"location":"admin/admin-ui/auth-server-interaction/#license-verification","text":"The user accesses the Gluu Flex Admin UI frontend through a web browser. 
The frontend requests the Admin UI backend to retrieve Admin UI configuration from Janssen persistence. The Admin UI configuration includes OIDC client details for accessing the Auth Server, OIDC client details for accessing the Token Server, OIDC client details for accessing the License APIs, and license metadata. It's important to note that the Admin UI backend is implemented as a Jans Config API plugin . The frontend calls the Admin UI backend API ( /isConfigValid ) to validate the license configuration in persistence, essentially verifying the validity of the OIDC client used to access the License APIs. If it is not valid, the same API tries to register a new OIDC client using the SSA uploaded during installation. In case the SSA is invalid, the Admin UI shows a page to upload a new valid SSA. After ensuring the validity of the OIDC client, the Admin UI calls the Admin UI backend API (/isActive) to check if a valid license is present in the license configuration. The Admin UI backend then calls the SCAN API (/scan/license/isActive) to verify the validity of the license. If a valid license is not present, the frontend calls the backend API (/retrieve) to retrieve the license for the user via the SCAN API (/scan/license/retrieve). The license can only be retrieved from SCAN if the user has subscribed to the Admin UI license in Agama Lab. If the user has not already subscribed to a valid license in Agama Lab, the Admin UI displays a page to generate a 30-day trial license. The user cannot generate another trial license after expiry of a generated trial license and will need to subscribe to the Admin UI license in Agama Lab to access the user interface. After verification of valid license the frontend initiates the Authorization Code Flow by redirecting the user to the login page. 
sequenceDiagram title License Verification autonumber actor User User->>Browser: open Admin UI URL Browser->>Gluu Flex Admin UI: launch Admin UI Gluu Flex Admin UI->>Admin UI Backend: /config Admin UI Backend->>Gluu Flex Admin UI: Admin UI config Gluu Flex Admin UI->>Admin UI Backend: /license/isConfigValid Note over Gluu Flex Admin UI,Admin UI Backend: validate license OIDC client alt license client valid Admin UI Backend->>Gluu Flex Admin UI: true else license client invalid Admin UI Backend->>account.gluu.org: DCR using SSA alt DCR success account.gluu.org->>Admin UI Backend: client credentials Admin UI Backend->>Admin UI Backend: save client credentials in persistence Admin UI Backend->>Gluu Flex Admin UI: true else DCR fails Admin UI Backend->>Gluu Flex Admin UI: false Gluu Flex Admin UI->>Browser: Screen to Upload SSA end end Gluu Flex Admin UI->>Admin UI Backend: /license/isActive Note over Gluu Flex Admin UI,Admin UI Backend: validate license Admin UI Backend->>SCAN: /scan/license/isActive alt license active SCAN->>Admin UI Backend: true else license inactive / not present SCAN->>Admin UI Backend: false Admin UI Backend->>SCAN: /retrieve alt license subscribed SCAN->>Admin UI Backend: license else license not subscribed SCAN->>Admin UI Backend: false Admin UI Backend->>Gluu Flex Admin UI: false Gluu Flex Admin UI->>Browser: Screen to generate Trial license end end Admin UI Backend->>Gluu Flex Admin UI: login page","title":"License Verification"},{"location":"admin/admin-ui/auth-server-interaction/#the-authorization-code-flow","text":"The frontend initiates the Authorization Code Flow by calling authorization url and redirecting the user to the login page of the Janssen authorization server for user authentication. Upon successful authentication, the authorization server sends an authorization code and a state to the frontend. The frontend verifies the state. 
The frontend utilizes the authorization code to first obtain an access token ( AT1 ) from the token endpoint of the authorization server. With AT1, the frontend requests the User-Info in JWT format ( UJWT ) from the authorization server by calling userInfo endpoint. The frontend stores the UJWT and its claims, including the user's role ( claim name is jansAdminUIRole ) and other relevant information, in the Redux store. sequenceDiagram title License Verification autonumber actor User Gluu Flex Admin UI->>Jans Auth Server: /authorize Jans Auth Server->>Gluu Flex Admin UI:code Gluu Flex Admin UI->>Jans Auth Server: /token Note right of Gluu Flex Admin UI: code as parameter Jans Auth Server->>Gluu Flex Admin UI: access_token Note right of Gluu Flex Admin UI: access_token as parameter Gluu Flex Admin UI->>Jans Auth Server: /userInfo Jans Auth Server->>Gluu Flex Admin UI: user-info (UJWT) Gluu Flex Admin UI->>Gluu Flex Admin UI: extract & store claims from UJWT","title":"The Authorization Code Flow"},{"location":"admin/admin-ui/auth-server-interaction/#api-protection-and-scopes","text":"To ensure security and access control, Gluu Flex Admin UI leverages API protection and scopes: The Jans Config API's endpoints are protected and can only be accessed using a token ( AT2 ) with the required scopes. To generate an AT2, the frontend requests the Token Server via the backend. The Token Server and Authorization Server can be the same or different. The Token Server employs an introspection script that validates the UJWT and refers to the role-scope mapping in the Token Server persistence. The introspection script validates the UJWT and includes the appropriate scopes in AT2 based on the user's role. The frontend receives AT2 and associated scopes from the backend. Features in the frontend are enabled or disabled based on the scopes provided in AT2. Refer this doc for GUI access control. 
sequenceDiagram title License Verification autonumber actor User Gluu Flex Admin UI->>Admin UI Backend: /api-protection-token?ujwt=... Admin UI Backend->>Jans Token Server: /token Jans Token Server->>Jans Token Server: Verify ujwt Jans Token Server->>Jans Token Server: Add scopes to token based on role (AT2) Jans Token Server->>Admin UI Backend: AT2 Admin UI Backend->>Gluu Flex Admin UI: AT2 Gluu Flex Admin UI->>Gluu Flex Admin UI:extracts scopes from AT2 Gluu Flex Admin UI->>Gluu Flex Admin UI: GUI access control based on scopes from AT2","title":"API Protection and Scopes"},{"location":"admin/admin-ui/auth-server-interaction/#accessing-config-api-endpoints","text":"To access config-api endpoints, the following steps are taken: The Admin UI frontend requests AT2 from the Token Server through the backend. Armed with AT2, the frontend sends a request to the desired Jans Config API endpoint. AT2 is included in the authorization header, along with other request parameters. At the Jans Config API, AT2 is validated, and the provided scopes are verified to ensure the necessary scope for the requested endpoint is present. If the above steps are successful, the requested data is fetched from the Jans Config API and forwarded to the frontend. sequenceDiagram title License Verification autonumber actor User Gluu Flex Admin UI->>Admin UI Backend: /api-protection-token?ujwt=... 
Admin UI Backend->>Jans Token Server: /token Jans Token Server->>Jans Token Server: Verify ujwt Jans Token Server->>Jans Token Server: Add scopes to token based on role (AT2) Jans Token Server->>Admin UI Backend: AT2 Admin UI Backend->>Gluu Flex Admin UI: AT2 Gluu Flex Admin UI->>Jans Config API: request API with AT2 Jans Config API<<->>Jans Token Server: introspect AT2 Jans Token Server->>Jans Config API: AT2 JSON Jans Config API->>Jans Config API: Enforcement: verify required scopes Jans Config API->>Jans Config API: validate params Jans Config API->>Jans Auth Server:call API with request params Jans Auth Server->>Jans Config API:response Jans Config API->>Gluu Flex Admin UI:response","title":"Accessing Config-API Endpoints"},{"location":"admin/admin-ui/auth-server-interaction/#conclusion","text":"The Gluu Flex Admin UI simplifies the process of managing configuration and features of the Jans Auth Server through an intuitive graphical user interface. By following the Authorization Code Flow and leveraging API protection and scopes, the Gluu Flex Admin UI ensures secure and controlled interaction with the Jans Auth Server's REST API layer. This seamless interaction empowers administrators to efficiently manage the Jans Auth Server's settings while adhering to strict access controls and security protocols.","title":"Conclusion"},{"location":"admin/admin-ui/auth-server-menu/","tags":["administration","admin-ui","auth server","sessions","configuration","keys","logging","clients","scopes"],"text":"Auth Server Menu # The Auth Server menu covers the following important sub-menus to configure and manage Auth server. Sessions Server configuration Keys Logging Clients Scopes Enabled Acrs Agama deployment Sessions # The Janssen Authentication Server stores user session data in persistence. This screen lists the active session details and the administrator can revoke the sessions of the selected user. 
Keys # The JSON Web Key Sets (JWKS) is a set of public keys that should be used to verify any JSON Web Token (JWT) issued by the authorization server. Auth Server Configuration Properties # The auth server configuration properties can be updated using GUI. Logging # Following AS configuration properties can be used to customize AS logging: Log level: Specify the log levels of loggers Log layout: Logging layout used for Jans Authorization Server loggers Enable HTTP Logging: Enable/disable the request/response logging filter. Disabled by default. Disable JDK Logger?: Choose whether to disable JDK loggers Enable Oauth Audit Logging?: enable OAuth Audit Logging Clients # The logged-in user with appropriate permissions can view, register, edit and delete OIDC clients on auth server using Gluu Flex Admin UI. The Client details are as follows: Client fields Description Client name Name of the Client to be presented to the End-User. Client secret Client Secret. The same Client Secret value MUST NOT be assigned to multiple Clients. Description Description of the client. Authn method token endpoint Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none. Subject type Subject type requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public. Sector Identifier URI URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values. Grants List of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using. Response types List of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type. 
Active Specifies whether the client is enabled. Application type Kind of the application. The default, if omitted, is web. Redirect URIs List of Redirection URI values used by the Client. One of these registered Redirection URI values MUST exactly match the redirect_uri parameter value used in each Authorization Request Redirect Regex When this field is set then redirect-URI must match with regex. Scopes List of scopes granted to the client. Access token type Type of the access token (JWT or reference) generated by the client. Include claims in id_token The claims will be included in id_token if this field is enabled Add auth_time to id_token When enabled then the auth_time claim is required in id_token. Run Introspection Script Before AccessToken As Jwt Creation And Include Claims When this field is enabled then Introspection Script will run before access token generation. Token binding confirmation method for id_token Specifies the JWT Confirmation Method member name (e.g. tbh) that the Relying Party expects when receiving Token Bound ID Tokens. The presence of this parameter indicates that the Relying Party supports the Token Binding of ID Tokens. If omitted, the default is that the Relying Party does not support the Token Binding of ID Tokens. Access token additional audiences The client audiences. Access token lifetime The client-specific access-token expiration. Refresh token lifetime The client-specific refresh-token expiration. Default max authn age The default maximum authentication age. Front channel. logout URI Relying Party (RP) URL that will cause the RP to log itself out when rendered in an iframe by the OP. This is used in the front-channel logout mechanisms, which communicate logout requests from the OP to RPs via the User Agent. Post logout redirect URI Provide the URLs supplied by the RP to request that the user be redirected to this location after a logout has been performed. Back channel. 
logout URI Relying Party (RP) URL that will cause the RP to log itself out when sent a Logout Token by the OP. This is used in the back-channel logout mechanisms, which communicate logout requests directly between the OP and RPs. Back channel. logout session required Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. Front channel. logout session required Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. Client URI URL of the home page of the Client. The value of this field must point to a valid Web page. Policy URI URL that the Relying Party Client provides to the End-User to read about how the profile data will be used. Logo URI URL that references a logo for the Client application. Terms of service URI URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service. Contacts OpenID connect client contacts list. Authorized JS origins Specifies authorized JavaScript origins. Software id Specifies a unique identifier string (UUID) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered. Software version Specifies a version identifier string for the client software identified by 'software_id'. The value of the 'software_version' should change on any update to the client software identified by the same 'software_id'. Software statement Specifies a software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT. CIBA: Token delivery method Specifies how backchannel token will be delivered. 
CIBA: Client notification endpoint Client Initiated Backchannel Authentication (CIBA) enables a Client to initiate the authentication of an end-user by means of out-of-band mechanisms. Upon receipt of the notification, the Client makes a request to the token endpoint to obtain the tokens. CIBA: Require user code param If selected the auth_time claim is included in id_token. PAR: Require lifetime Represents the lifetime of Pushed Authorisation Request (PAR). PAR: Require PAR Is Pushed Authorisation Request (PAR) required? UMA: RPT token type Type of RPT token (JWT or reference). UMA: Claims redirect URI Array of The Claims Redirect URIs to which the client wishes the authorization server to direct the requesting party's user agent after completing its interaction. UMA: RPT Modification Script List of Requesting Party Token (RPT) claims scripts. Client JWKS URI URL for the Client's JSON Web Key Set (JWK) document containing the key(s) that are used for signing requests to the OP. The JWK Set may also contain the Client''s encryption keys(s) that are used by the OP to encrypt the responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is required for all keys in the document to indicate each key's intended usage. Client JWKS List of JSON Web Key (JWK) - A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value. id_token subject type The subject identifiers in ID tokens. Persist Authorizations Specifies if the client authorization details are to be persisted. The default value is true. Allow spontaneous scopes Whether to allow spontaneous scopes for the client. Spontaneous scope validation regex List of spontaneous scope regular expression. Spontaneous scopes Spontaneous scopes created using the client. Initiate Login URI Specifies the URI using the https scheme that the authorization server can call to initiate a login at the client. 
Request URIs Provide a list of requests_uri values that are pre-registered by the Client for use at the Authorization Server. Default ACR Array of default requested Authentication Context Class Reference values that the Authorization Server must use for processing requests from the Client. Allowed ACRs Allowed ACRs Default prompt=login If enabled then sets prompt=login to the authorization request, which causes the authorization server to force the user to sign in again before it will show the authorization prompt. TLS Subject DN String representation of the expected subject distinguished name of the certificate, which the OAuth client will use in mutual TLS authentication. Is Expirable Client? Specifies whether client is expirable Client Scripts The custom scripts specific to the client. Scopes # The scope is a mechanism to limit an application's access to a user's account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted. Please check here for detail documentation on scopes. OAuth 2.0 scopes # This scope type would only have a description, but no claims. Once a client obtains this token, it may be passed to the backend API. OpenID scopes # Specify what access privileges are being requested for Access Tokens. The scopes associated with Access Tokens determine what resources will be available when they are used to access OAuth 2.0 protected endpoints. For OpenID Connect, scopes can be used to request that specific sets of information be made available as Claim Values. Spontaneous scopes # Spontaneous scopes are scopes with random part in it which are not known in advance. For e.g. transaction:4685456787, pis-552fds where 4685456787 or 552fds are generated part of the scope. Spontaneous scopes are disabled by default and can be enabled per client. The admins cannot create a spontaneous scope. 
Creation only happens when an authorized client presents a spontaneous scope at the token endpoint. There are the following client properties available during dynamic registration of the client related to spontaneous scopes: allowSpontaneousScopes OPTIONAL, boolean, false by default. Whether spontaneous scopes are allowed for the given client. spontaneousScopes OPTIONAL, array of strings. Regular expressions which should match to scope. If matched scope is allowed. Example: [\"^transaction:.+$\"]. It matches transaction:245 but not transaction:. UMA scopes # UMA scope can either be created by the user or auto-created by the authentication server. UMA scope cannot be modified using Gluu Flex Admin UI. If the logged-in user creates UMA scope then the creator type will be USER and the creator Id will be logged-in user's INUM. If auth server has auto-created a UMA scope then it will have the creator type as AUTO and no creator Id. Dynamic Scopes # The dynamic scope custom script allows to generate a list of claims (and their values) on the fly, depending on circumstances like the id of the client requesting it, logged user's session parameters, values of other user's attributes, results of some calculations implementing specific business logic and/or requests to remote APIs or databases. Claims are then returned the usual way in response to a call to the user info endpoint. In order to configure a dynamic scope the following steps are required: The script of type DYNAMIC_SCOPE must be configured and enabled. Create scope of scope type Dynamic and select Dynamic scope script and claims inputs. Authn # Authentication Context Class Reference (ACR) enables applications to request and verify the level of authentication assurance or the context of the authentication process used for user authentication. 
This page allows the administrator to view all enabled ACRs and select the default ACR which refers to the predefined or default authentication assurance when no specific ACR value is requested or specified. Agama # This menu addresses deployment of Agama project packages (file with .gama extension). To make sure that package is untempered, the file containing sha256 checksum also need to be uploaded on UI. The project name, description, version, deployment start/end date-time and deployment error (if any) can be seen on details popup of the record. User can export sample and current configuration or import configuration.","title":"Auth server"},{"location":"admin/admin-ui/auth-server-menu/#auth-server-menu","text":"The Auth Server menu covers the following important sub-menus to configure and manage Auth server. Sessions Server configuration Keys Logging Clients Scopes Enabled Acrs Agama deployment","title":"Auth Server Menu"},{"location":"admin/admin-ui/auth-server-menu/#sessions","text":"The Janssen Authentication Server stores user session data in persistence. This screen lists the active session details and the administrator can revoke the sessions of the selected user.","title":"Sessions"},{"location":"admin/admin-ui/auth-server-menu/#keys","text":"The JSON Web Key Sets (JWKS) is a set of public keys that should be used to verify any JSON Web Token (JWT) issued by the authorization server.","title":"Keys"},{"location":"admin/admin-ui/auth-server-menu/#auth-server-configuration-properties","text":"The auth server configuration properties can be updated using GUI.","title":"Auth Server Configuration Properties"},{"location":"admin/admin-ui/auth-server-menu/#logging","text":"Following AS configuration properties can be used to customize AS logging: Log level: Specify the log levels of loggers Log layout: Logging layout used for Jans Authorization Server loggers Enable HTTP Logging: Enable/disable the request/response logging filter. Disabled by default. 
Disable JDK Logger?: Choose whether to disable JDK loggers Enable Oauth Audit Logging?: enable OAuth Audit Logging","title":"Logging"},{"location":"admin/admin-ui/auth-server-menu/#clients","text":"The logged-in user with appropriate permissions can view, register, edit and delete OIDC clients on auth server using Gluu Flex Admin UI. The Client details are as follows: Client fields Description Client name Name of the Client to be presented to the End-User. Client secret Client Secret. The same Client Secret value MUST NOT be assigned to multiple Clients. Description Description of the client. Authn method token endpoint Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none. Subject type Subject type requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public. Sector Identifier URI URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values. Grants List of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using. Response types List of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type. Active Specifies whether the client is enabled. Application type Kind of the application. The default, if omitted, is web. Redirect URIs List of Redirection URI values used by the Client. One of these registered Redirection URI values MUST exactly match the redirect_uri parameter value used in each Authorization Request Redirect Regex When this field is set then redirect-URI must match with regex. Scopes List of scopes granted to the client. 
Access token type Type of the access token (JWT or reference) generated by the client. Include claims in id_token The claims will be included in id_token if this field is enabled Add auth_time to id_token When enabled then the auth_time claim is required in id_token. Run Introspection Script Before AccessToken As Jwt Creation And Include Claims When this field is enabled then Introspection Script will run before access token generation. Token binding confirmation method for id_token Specifies the JWT Confirmation Method member name (e.g. tbh) that the Relying Party expects when receiving Token Bound ID Tokens. The presence of this parameter indicates that the Relying Party supports the Token Binding of ID Tokens. If omitted, the default is that the Relying Party does not support the Token Binding of ID Tokens. Access token additional audiences The client audiences. Access token lifetime The client-specific access-token expiration. Refresh token lifetime The client-specific refresh-token expiration. Default max authn age The default maximum authentication age. Front channel. logout URI Relying Party (RP) URL that will cause the RP to log itself out when rendered in an iframe by the OP. This is used in the front-channel logout mechanisms, which communicate logout requests from the OP to RPs via the User Agent. Post logout redirect URI Provide the URLs supplied by the RP to request that the user be redirected to this location after a logout has been performed. Back channel. logout URI Relying Party (RP) URL that will cause the RP to log itself out when sent a Logout Token by the OP. This is used in the back-channel logout mechanisms, which communicate logout requests directly between the OP and RPs. Back channel. logout session required Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. Front channel. 
logout session required Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. Client URI URL of the home page of the Client. The value of this field must point to a valid Web page. Policy URI URL that the Relying Party Client provides to the End-User to read about how the profile data will be used. Logo URI URL that references a logo for the Client application. Terms of service URI URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service. Contacts OpenID connect client contacts list. Authorized JS origins Specifies authorized JavaScript origins. Software id Specifies a unique identifier string (UUID) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered. Software version Specifies a version identifier string for the client software identified by 'software_id'. The value of the 'software_version' should change on any update to the client software identified by the same 'software_id'. Software statement Specifies a software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT. CIBA: Token delivery method Specifies how backchannel token will be delivered. CIBA: Client notification endpoint Client Initiated Backchannel Authentication (CIBA) enables a Client to initiate the authentication of an end-user by means of out-of-band mechanisms. Upon receipt of the notification, the Client makes a request to the token endpoint to obtain the tokens. CIBA: Require user code param If selected the auth_time claim is included in id_token. PAR: Require lifetime Represents the lifetime of Pushed Authorisation Request (PAR). PAR: Require PAR Is Pushed Authorisation Request (PAR) required? 
UMA: RPT token type Type of RPT token (JWT or reference). UMA: Claims redirect URI Array of The Claims Redirect URIs to which the client wishes the authorization server to direct the requesting party's user agent after completing its interaction. UMA: RPT Modification Script List of Requesting Party Token (RPT) claims scripts. Client JWKS URI URL for the Client's JSON Web Key Set (JWK) document containing the key(s) that are used for signing requests to the OP. The JWK Set may also contain the Client''s encryption keys(s) that are used by the OP to encrypt the responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is required for all keys in the document to indicate each key's intended usage. Client JWKS List of JSON Web Key (JWK) - A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value. id_token subject type The subject identifiers in ID tokens. Persist Authorizations Specifies if the client authorization details are to be persisted. The default value is true. Allow spontaneous scopes Whether to allow spontaneous scopes for the client. Spontaneous scope validation regex List of spontaneous scope regular expression. Spontaneous scopes Spontaneous scopes created using the client. Initiate Login URI Specifies the URI using the https scheme that the authorization server can call to initiate a login at the client. Request URIs Provide a list of requests_uri values that are pre-registered by the Client for use at the Authorization Server. Default ACR Array of default requested Authentication Context Class Reference values that the Authorization Server must use for processing requests from the Client. Allowed ACRs Allowed ACRs Default prompt=login If enabled then sets prompt=login to the authorization request, which causes the authorization server to force the user to sign in again before it will show the authorization prompt. 
TLS Subject DN String representation of the expected subject distinguished name of the certificate, which the OAuth client will use in mutual TLS authentication. Is Expirable Client? Specifies whether client is expirable Client Scripts The custom scripts specific to the client.","title":"Clients"},{"location":"admin/admin-ui/auth-server-menu/#scopes","text":"The scope is a mechanism to limit an application's access to a user's account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted. Please check here for detail documentation on scopes.","title":"Scopes"},{"location":"admin/admin-ui/auth-server-menu/#oauth-20-scopes","text":"This scope type would only have a description, but no claims. Once a client obtains this token, it may be passed to the backend API.","title":"OAuth 2.0 scopes"},{"location":"admin/admin-ui/auth-server-menu/#openid-scopes","text":"Specify what access privileges are being requested for Access Tokens. The scopes associated with Access Tokens determine what resources will be available when they are used to access OAuth 2.0 protected endpoints. For OpenID Connect, scopes can be used to request that specific sets of information be made available as Claim Values.","title":"OpenID scopes"},{"location":"admin/admin-ui/auth-server-menu/#spontaneous-scopes","text":"Spontaneous scopes are scopes with random part in it which are not known in advance. For e.g. transaction:4685456787, pis-552fds where 4685456787 or 552fds are generated part of the scope. Spontaneous scopes are disabled by default and can be enabled per client. The admins cannot create a spontaneous scope. Creation only happens when an authorized client presents a spontaneous scope at the token endpoint. 
There are the following client properties available during dynamic registration of the client related to spontaneous scopes: allowSpontaneousScopes OPTIONAL, boolean, false by default. Whether spontaneous scopes are allowed for the given client. spontaneousScopes OPTIONAL, array of strings. Regular expressions which should match to scope. If matched scope is allowed. Example: [\"^transaction:.+$\"]. It matches transaction:245 but not transaction:.","title":"Spontaneous scopes"},{"location":"admin/admin-ui/auth-server-menu/#uma-scopes","text":"UMA scope can either be created by the user or auto-created by the authentication server. UMA scope cannot be modified using Gluu Flex Admin UI. If the logged-in user creates UMA scope then the creator type will be USER and the creator Id will be logged-in user's INUM. If auth server has auto-created a UMA scope then it will have the creator type as AUTO and no creator Id.","title":"UMA scopes"},{"location":"admin/admin-ui/auth-server-menu/#dynamic-scopes","text":"The dynamic scope custom script allows to generate a list of claims (and their values) on the fly, depending on circumstances like the id of the client requesting it, logged user's session parameters, values of other user's attributes, results of some calculations implementing specific business logic and/or requests to remote APIs or databases. Claims are then returned the usual way in response to a call to the user info endpoint. In order to configure a dynamic scope the following steps are required: The script of type DYNAMIC_SCOPE must be configured and enabled. Create scope of scope type Dynamic and select Dynamic scope script and claims inputs.","title":"Dynamic Scopes"},{"location":"admin/admin-ui/auth-server-menu/#authn","text":"Authentication Context Class Reference (ACR) enables applications to request and verify the level of authentication assurance or the context of the authentication process used for user authentication. 
This page allows the administrator to view all enabled ACRs and select the default ACR which refers to the predefined or default authentication assurance when no specific ACR value is requested or specified.","title":"Authn"},{"location":"admin/admin-ui/auth-server-menu/#agama","text":"This menu addresses deployment of Agama project packages (file with .gama extension). To make sure that package is untempered, the file containing sha256 checksum also need to be uploaded on UI. The project name, description, version, deployment start/end date-time and deployment error (if any) can be seen on details popup of the record. User can export sample and current configuration or import configuration.","title":"Agama"},{"location":"admin/admin-ui/configuration/","tags":["administration","admin-ui","configuration"],"text":"Configuration # This document outlines the configuration process for Gluu Flex Admin UI, with a focus on essential components stored in the Auth Server's persistence layer. These components include role-permission mapping, OIDC client details for accessing the Auth Server, OIDC client details for accessing the Token Server, OIDC client details for accessing the License APIs, and license metadata. Configuration Components # Role-Permission Mapping # Role-permission mapping defines which administrative roles are granted specific permissions within the Gluu Flex Admin UI. This mapping ensures that administrators can only access and modify functionalities relevant to their roles. The mapping is stored in json format with following attributes. Roles Attribute Name Description roles Array of all roles role Role name description Role description deletable If set to true then entire role-permission mapping with respect to the role can be deleted. 
Default value: false Permissions Attribute Name Description permissions Array of all available permissions permission Permission name description Permission description defaultPermissionInToken If set to true , it indicates that permission will need authentication and valid role during /token request to include in token Mapping Attribute Name Description rolePermissionMapping List of all role-permission mapping role Role name permission Array of all permission mapped to the role Sample role-permission mapping stored in persistence { \"roles\": [ { \"role\": \"sample-role\", \"description\": \"role description\", \"deletable\": false } ], \"permissions\": [ { \"permission\": \"sample-permission1\", \"description\": \"permission1 description\", \"defaultPermissionInToken\": false }, { \"permission\": \"sample-permission2\", \"description\": \"permission2 description\", \"defaultPermissionInToken\": true } ], \"rolePermissionMapping\": [ { \"role\": \"sample-role\", \"permissions\": [ \"sample-permission1\", \"sample-permission2\" ] } ] } OIDC Client Details for Auth Server # To establish secure communication with the Auth Server, Gluu Flex Admin UI requires the OIDC client details, including client ID and client secret. These details are used for authentication and authorization purposes. The information is stored in json format with following attributes. 
Attribute Name Description auiWebClient Object with Web OIDC client details opHost Auth Server hostname clientId Client Id of OIDC client used to access Auth server clientSecret Client Secret of OIDC client used to access Auth server scopes Scopes required for Admin UI authentication acrValues ACR required for Admin UI authentication redirectUri Redirect UI which is Admin UI home page postLogoutUri Url to be redirected after Admin UI logout frontchannelLogoutUri Front channel Logout Uri additionalParameters The custom parameters allow you to pass additional information to the authorization server during Admin UI authentication. Format: [{\"key\": \"custom-param-key\", \"value\": \"custom-param-value\"}, ...] OIDC Client Details for Backend API Server # Similarly, Gluu Flex Admin UI needs OIDC client details to interact with the Janssen Server via. Jans Config API protected APIs. The Backend API client enables the UI to request and manage access tokens required to access Jans Config API protected resources. The information is stored in json format with following attributes. Attribute Name Description auiBackendApiClient Object with Backend API client details opHost Token Server hostname clientId Client Id of OIDC client used to access Token server clientSecret Client Secret of OIDC client used to access Token server tokenEndpoint Token endpoint of token server Configuration Properties for User-Interface # Attribute Name Description uiConfig Object with UI configuration attributes sessionTimeoutInMins The admin UI will auto-logout after a period of inactivity defined in this field. OIDC Client Details for License Server # Access to the License APIs is managed through OIDC client details. These details allows the Gluu Flex Admin UI Backend to generated access token to allow the retrieval of license-related information using license APIs. The information is stored in json format with following attributes. 
Attribute Name Description opHost Auth Server hostname used to generate token to access License APIs clientId Client Id of OIDC client used to generate token to access License APIs clientSecret Client Secret of OIDC client used to generate token to access License APIs License Metadata # License metadata includes relevant information about the Gluu Flex Admin UI's licensing, such as License Key, Hardware id, License server url, License Auth server url, SSA used to register license auth server client. The information is stored in json format with following attributes. Attribute Name Description licenseConfig Object with License configuration details ssa SSA used to register OIDC client to access license APIs scanLicenseApiHostname SCAN License server hostname licenseHardwareKey Hardware key (org_id) to access license APIs Sample configuration stored in persistence { \"oidcConfig\": { \"auiWebClient\": { \"redirectUri\": \"https://your.host.com/admin\", \"postLogoutUri\": \"https://your.gost.com/admin\", \"frontchannelLogoutUri\": \"https://your.host.com/admin/logout\", \"scopes\": [ \"openid\", \"profile\", \"user_name\", \"email\" ], \"acrValues\": [ \"basic\" ], \"opHost\": \"https://your.host.com\", \"clientId\": \"2001.aaf0b8eb-a82e-4798-b1a0-e007803a6568\", \"clientSecret\": \"GGO4t1uixrTpl4Rizt3zag==\". 
\"additionalParameters\": [] }, \"auiBackendApiClient\": { \"tokenEndpoint\": \"https://your.host.com/jans-auth/restv1/token\", \"scopes\": [ \"openid\", \"profile\", \"user_name\", \"email\" ], \"opHost\": \"https://your.host.com\", \"clientId\": \"2001.aaf0b8eb-a82e-4798-b1a0-e007803a6568\", \"clientSecret\": \"GGO4t1uixrTpl4Rizt3zag==\" } }, \"uiConfig\": { \"sessionTimeoutInMins\": 30 }, \"licenseConfig\": { \"ssa\": \"...ssa in jwt format...\", \"scanLicenseApiHostname\": \"https://cloud-dev.gluu.cloud\", \"licenseKey\": \"XXXX-XXXX-XXXX-XXXX\", \"licenseHardwareKey\": \"github:ghUsername\", \"oidcClient\": { \"opHost\": \"https://account-dev.gluu.cloud\", \"clientId\": \"36a43e2b-a77b-4e9c-a966-a9d98af1665c\", \"clientSecret\": \"211188d8-a2d8-4562-ab53-80907c1bb5ba\" } } }","title":"Configuration"},{"location":"admin/admin-ui/configuration/#configuration","text":"This document outlines the configuration process for Gluu Flex Admin UI, with a focus on essential components stored in the Auth Server's persistence layer. These components include role-permission mapping, OIDC client details for accessing the Auth Server, OIDC client details for accessing the Token Server, OIDC client details for accessing the License APIs, and license metadata.","title":"Configuration"},{"location":"admin/admin-ui/configuration/#configuration-components","text":"","title":"Configuration Components"},{"location":"admin/admin-ui/configuration/#role-permission-mapping","text":"Role-permission mapping defines which administrative roles are granted specific permissions within the Gluu Flex Admin UI. This mapping ensures that administrators can only access and modify functionalities relevant to their roles. The mapping is stored in json format with following attributes. Roles Attribute Name Description roles Array of all roles role Role name description Role description deletable If set to true then entire role-permission mapping with respect to the role can be deleted. 
Default value: false Permissions Attribute Name Description permissions Array of all available permissions permission Permission name description Permission description defaultPermissionInToken If set to true , it indicates that permission will need authentication and valid role during /token request to include in token Mapping Attribute Name Description rolePermissionMapping List of all role-permission mapping role Role name permission Array of all permission mapped to the role Sample role-permission mapping stored in persistence { \"roles\": [ { \"role\": \"sample-role\", \"description\": \"role description\", \"deletable\": false } ], \"permissions\": [ { \"permission\": \"sample-permission1\", \"description\": \"permission1 description\", \"defaultPermissionInToken\": false }, { \"permission\": \"sample-permission2\", \"description\": \"permission2 description\", \"defaultPermissionInToken\": true } ], \"rolePermissionMapping\": [ { \"role\": \"sample-role\", \"permissions\": [ \"sample-permission1\", \"sample-permission2\" ] } ] }","title":"Role-Permission Mapping"},{"location":"admin/admin-ui/configuration/#oidc-client-details-for-auth-server","text":"To establish secure communication with the Auth Server, Gluu Flex Admin UI requires the OIDC client details, including client ID and client secret. These details are used for authentication and authorization purposes. The information is stored in json format with following attributes. 
Attribute Name Description auiWebClient Object with Web OIDC client details opHost Auth Server hostname clientId Client Id of OIDC client used to access Auth server clientSecret Client Secret of OIDC client used to access Auth server scopes Scopes required for Admin UI authentication acrValues ACR required for Admin UI authentication redirectUri Redirect UI which is Admin UI home page postLogoutUri Url to be redirected after Admin UI logout frontchannelLogoutUri Front channel Logout Uri additionalParameters The custom parameters allow you to pass additional information to the authorization server during Admin UI authentication. Format: [{\"key\": \"custom-param-key\", \"value\": \"custom-param-value\"}, ...]","title":"OIDC Client Details for Auth Server"},{"location":"admin/admin-ui/configuration/#oidc-client-details-for-backend-api-server","text":"Similarly, Gluu Flex Admin UI needs OIDC client details to interact with the Janssen Server via. Jans Config API protected APIs. The Backend API client enables the UI to request and manage access tokens required to access Jans Config API protected resources. The information is stored in json format with following attributes. 
Attribute Name Description auiBackendApiClient Object with Backend API client details opHost Token Server hostname clientId Client Id of OIDC client used to access Token server clientSecret Client Secret of OIDC client used to access Token server tokenEndpoint Token endpoint of token server","title":"OIDC Client Details for Backend API Server"},{"location":"admin/admin-ui/configuration/#configuration-properties-for-user-interface","text":"Attribute Name Description uiConfig Object with UI configuration attributes sessionTimeoutInMins The admin UI will auto-logout after a period of inactivity defined in this field.","title":"Configuration Properties for User-Interface"},{"location":"admin/admin-ui/configuration/#oidc-client-details-for-license-server","text":"Access to the License APIs is managed through OIDC client details. These details allows the Gluu Flex Admin UI Backend to generated access token to allow the retrieval of license-related information using license APIs. The information is stored in json format with following attributes. Attribute Name Description opHost Auth Server hostname used to generate token to access License APIs clientId Client Id of OIDC client used to generate token to access License APIs clientSecret Client Secret of OIDC client used to generate token to access License APIs","title":"OIDC Client Details for License Server"},{"location":"admin/admin-ui/configuration/#license-metadata","text":"License metadata includes relevant information about the Gluu Flex Admin UI's licensing, such as License Key, Hardware id, License server url, License Auth server url, SSA used to register license auth server client. The information is stored in json format with following attributes. 
Attribute Name Description licenseConfig Object with License configuration details ssa SSA used to register OIDC client to access license APIs scanLicenseApiHostname SCAN License server hostname licenseHardwareKey Hardware key (org_id) to access license APIs Sample configuration stored in persistence { \"oidcConfig\": { \"auiWebClient\": { \"redirectUri\": \"https://your.host.com/admin\", \"postLogoutUri\": \"https://your.gost.com/admin\", \"frontchannelLogoutUri\": \"https://your.host.com/admin/logout\", \"scopes\": [ \"openid\", \"profile\", \"user_name\", \"email\" ], \"acrValues\": [ \"basic\" ], \"opHost\": \"https://your.host.com\", \"clientId\": \"2001.aaf0b8eb-a82e-4798-b1a0-e007803a6568\", \"clientSecret\": \"GGO4t1uixrTpl4Rizt3zag==\". \"additionalParameters\": [] }, \"auiBackendApiClient\": { \"tokenEndpoint\": \"https://your.host.com/jans-auth/restv1/token\", \"scopes\": [ \"openid\", \"profile\", \"user_name\", \"email\" ], \"opHost\": \"https://your.host.com\", \"clientId\": \"2001.aaf0b8eb-a82e-4798-b1a0-e007803a6568\", \"clientSecret\": \"GGO4t1uixrTpl4Rizt3zag==\" } }, \"uiConfig\": { \"sessionTimeoutInMins\": 30 }, \"licenseConfig\": { \"ssa\": \"...ssa in jwt format...\", \"scanLicenseApiHostname\": \"https://cloud-dev.gluu.cloud\", \"licenseKey\": \"XXXX-XXXX-XXXX-XXXX\", \"licenseHardwareKey\": \"github:ghUsername\", \"oidcClient\": { \"opHost\": \"https://account-dev.gluu.cloud\", \"clientId\": \"36a43e2b-a77b-4e9c-a966-a9d98af1665c\", \"clientSecret\": \"211188d8-a2d8-4562-ab53-80907c1bb5ba\" } } }","title":"License Metadata"},{"location":"admin/admin-ui/dashboard/","tags":["administration","admin-ui","dashboard"],"text":"Dashboard # After successful authentication, the administrator is taken to the dashboard. The dashboard brings an organized presentation of crucial details at one place adding to the convenience of users in tracking and analysis of auth server and other details. 
Dashboard fields descriptions # OIDC Clients Count: The count of OIDC clients created on auth server. Active Users Count: The count of active users on auth server. Token Issued Count: This figure is the sum of the access-tokens with grant-type client credentials and authorization code and id-token. OAuth server status: The health status of the auth server. For e.g. Running or Down . Database status: The health status of the persistence (e.g. PostgreSQL, MySQL, Google Spanner etc). License Details # Admin UI uses LicenseSpring platform for customer license management. Product Name: The name of the product created on the LicenseSpring platform. The license issued for Admin UI activation is created under this product. Check LicenseSpring docs for more details. License Type: The type of license issued. For e.g. Perpetual, Time Limited, Subscription and Consumption. Customer Email: To issue a license, we need to enter customer details like first name, last name, company, email and phone number in the LicenseSpring platform. This field displays the email of the customer of the license. Company Name: The company name of the registered product. License Status: The status of the license (e.g. active or inactive). Access Token Graph # The dashboard has a bar graph showing month-wise access-token with grant-type client credentials , authorization code and id_token generated from auth server. Localization and Theme selection # Admin UI supports localization. The default language is English. The other supported languages are French and Portuguese. A new preferred language can be selected from the top right corner of the dashboard which will convert the labels and tooltip to the selected language. The administrator can also select from four website themes in Admin UI.","title":"Home"},{"location":"admin/admin-ui/dashboard/#dashboard","text":"After successful authentication, the administrator is taken to the dashboard. 
The dashboard brings an organized presentation of crucial details at one place adding to the convenience of users in tracking and analysis of auth server and other details.","title":"Dashboard"},{"location":"admin/admin-ui/dashboard/#dashboard-fields-descriptions","text":"OIDC Clients Count: The count of OIDC clients created on auth server. Active Users Count: The count of active users on auth server. Token Issued Count: This figure is the sum of the access-tokens with grant-type client credentials and authorization code and id-token. OAuth server status: The health status of the auth server. For e.g. Running or Down . Database status: The health status of the persistence (e.g. PostgreSQL, MySQL, Google Spanner etc).","title":"Dashboard fields descriptions"},{"location":"admin/admin-ui/dashboard/#license-details","text":"Admin UI uses LicenseSpring platform for customer license management. Product Name: The name of the product created on the LicenseSpring platform. The license issued for Admin UI activation is created under this product. Check LicenseSpring docs for more details. License Type: The type of license issued. For e.g. Perpetual, Time Limited, Subscription and Consumption. Customer Email: To issue a license, we need to enter customer details like first name, last name, company, email and phone number in the LicenseSpring platform. This field displays the email of the customer of the license. Company Name: The company name of the registered product. License Status: The status of the license (e.g. active or inactive).","title":"License Details"},{"location":"admin/admin-ui/dashboard/#access-token-graph","text":"The dashboard has a bar graph showing month-wise access-token with grant-type client credentials , authorization code and id_token generated from auth server.","title":"Access Token Graph"},{"location":"admin/admin-ui/dashboard/#localization-and-theme-selection","text":"Admin UI supports localization. The default language is English. 
The other supported languages are French and Portuguese. A new preferred language can be selected from the top right corner of the dashboard which will convert the labels and tooltip to the selected language. The administrator can also select from four website themes in Admin UI.","title":"Localization and Theme selection"},{"location":"admin/admin-ui/faq/","text":"Frequently Asked Questions (FAQ) # Why is the Gluu Flex Admin UI displaying the following error messages after the Flex VM installation? # The requested page not found # Error Code: 404 The requested page was not found on this server. If a user encounters the above error when visiting the Admin UI URL, it indicates that the Admin UI is not properly installed. Please verify whether the Admin UI build is located at /var/www/html/admin . If the build is not present at this location, Janssen displays this error. Admin UI backend is down # Error Code: 503 Gluu Flex Admin UI is not getting any response from the backend (Jans Config Api). Gluu Flex Admin UI facilitates interaction with the Jans Auth Server through a REST API layer, Jans Config API . This error prompts administrators to perform a series of troubleshooting steps. Verify the status of the Jans Config API service by using the command systemctl status jans-config-api.service . In the majority of cases, this error is displayed when the Jans Config API is not running. It is essential to verify the server's network connectivity, including firewall rules, ports, and routing, to ensure that there are no network-related impediments preventing communication with the Jans Config API. Jans Config API runs at port 8074 for Janssen vm installation. Check the Jans Config API logs at /opt/jans/jetty/jans-config-api/logs/configapi.log for any potential errors. Review the Admin UI logs at /opt/jans/jetty/jans-config-api/logs/adminui.log to check for any potential errors. 
Confirm the existence of the /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar file. This file serves as the backend jar for the Admin UI and is used as a Jans Config API extension. It is also recommended to check the browser's console log and network tab for any failing requests, as this can provide additional information to diagnose and troubleshoot issues. Internal server error in generating Jans Config Api token # Error Code: 500 Error in generating token to access Jans Config Api endpoints. This error is displayed when there is an internal server error in generating an access token for the Jans Config API. The Jans Config API endpoints are protected and require a token with the appropriate scopes for access. Inspect the Gluu Flex Admin UI log at /opt/jans/jetty/jans-config-api/logs/adminui.log for any errors related to token requests. Examine the Janssen Auth server log at /opt/jans/jetty/jans-auth/logs/jans-auth.log while it is in debug/trace mode to identify any errors that may occur during token generation. Why is the Gluu Flex Admin UI is displaying following page to upload SSA? # During installation, it is necessary to provide a Software Statement Assertion (SSA), which the Admin UI utilizes to register an OIDC client for accessing license APIs. To obtain a new SSA or renew an existing one, please follow the steps outlined in the provided guide from the Agama Lab web interface. If the SSA used during the installation has expired or become invalidated, you will need to upload a fresh SSA to regain access to the Admin UI. Why is the Gluu Flex Admin UI is displaying following message on screen to generate trial license? # Payment Required. This message indicates that in order to enjoy long-term access to the Gluu Flex Admin UI, you will need to subscribe for a Admin UI license on the Agama Lab website. License validity period has expired. 
This message is displayed when a user attempts to generate a trial license (from the Admin UI) after the previously generated trial license has expired. Please note that the Admin UI 30-day trial license can only be generated once per Agama Lab user.","title":"FAQ & Troubleshooting"},{"location":"admin/admin-ui/faq/#frequently-asked-questions-faq","text":"","title":"Frequently Asked Questions (FAQ)"},{"location":"admin/admin-ui/faq/#why-is-the-gluu-flex-admin-ui-displaying-the-following-error-messages-after-the-flex-vm-installation","text":"","title":"Why is the Gluu Flex Admin UI displaying the following error messages after the Flex VM installation?"},{"location":"admin/admin-ui/faq/#the-requested-page-not-found","text":"Error Code: 404 The requested page was not found on this server. If a user encounters the above error when visiting the Admin UI URL, it indicates that the Admin UI is not properly installed. Please verify whether the Admin UI build is located at /var/www/html/admin . If the build is not present at this location, Janssen displays this error.","title":"The requested page not found"},{"location":"admin/admin-ui/faq/#admin-ui-backend-is-down","text":"Error Code: 503 Gluu Flex Admin UI is not getting any response from the backend (Jans Config Api). Gluu Flex Admin UI facilitates interaction with the Jans Auth Server through a REST API layer, Jans Config API . This error prompts administrators to perform a series of troubleshooting steps. Verify the status of the Jans Config API service by using the command systemctl status jans-config-api.service . In the majority of cases, this error is displayed when the Jans Config API is not running. It is essential to verify the server's network connectivity, including firewall rules, ports, and routing, to ensure that there are no network-related impediments preventing communication with the Jans Config API. Jans Config API runs at port 8074 for Janssen vm installation. 
Check the Jans Config API logs at /opt/jans/jetty/jans-config-api/logs/configapi.log for any potential errors. Review the Admin UI logs at /opt/jans/jetty/jans-config-api/logs/adminui.log to check for any potential errors. Confirm the existence of the /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar file. This file serves as the backend jar for the Admin UI and is used as a Jans Config API extension. It is also recommended to check the browser's console log and network tab for any failing requests, as this can provide additional information to diagnose and troubleshoot issues.","title":"Admin UI backend is down"},{"location":"admin/admin-ui/faq/#internal-server-error-in-generating-jans-config-api-token","text":"Error Code: 500 Error in generating token to access Jans Config Api endpoints. This error is displayed when there is an internal server error in generating an access token for the Jans Config API. The Jans Config API endpoints are protected and require a token with the appropriate scopes for access. Inspect the Gluu Flex Admin UI log at /opt/jans/jetty/jans-config-api/logs/adminui.log for any errors related to token requests. Examine the Janssen Auth server log at /opt/jans/jetty/jans-auth/logs/jans-auth.log while it is in debug/trace mode to identify any errors that may occur during token generation.","title":"Internal server error in generating Jans Config Api token"},{"location":"admin/admin-ui/faq/#why-is-the-gluu-flex-admin-ui-is-displaying-following-page-to-upload-ssa","text":"During installation, it is necessary to provide a Software Statement Assertion (SSA), which the Admin UI utilizes to register an OIDC client for accessing license APIs. To obtain a new SSA or renew an existing one, please follow the steps outlined in the provided guide from the Agama Lab web interface. 
If the SSA used during the installation has expired or become invalidated, you will need to upload a fresh SSA to regain access to the Admin UI.","title":"Why is the Gluu Flex Admin UI is displaying following page to upload SSA?"},{"location":"admin/admin-ui/faq/#why-is-the-gluu-flex-admin-ui-is-displaying-following-message-on-screen-to-generate-trial-license","text":"Payment Required. This message indicates that in order to enjoy long-term access to the Gluu Flex Admin UI, you will need to subscribe for a Admin UI license on the Agama Lab website. License validity period has expired. This message is displayed when a user attempts to generate a trial license (from the Admin UI) after the previously generated trial license has expired. Please note that the Admin UI 30-day trial license can only be generated once per Agama Lab user.","title":"Why is the Gluu Flex Admin UI is displaying following message on screen to generate trial license?"},{"location":"admin/admin-ui/fido-menu/","tags":["administration","admin-ui","fido2"],"text":"FIDO Configuration # FIDO 2.0 (FIDO2) is an open authentication standard that enables people to leverage common devices to authenticate to online services in both mobile and desktop environments. FIDO2 comprises the W3C\u2019s Web Authentication specification (WebAuthn) and FIDO\u2019s corresponding Client-to-Authenticator Protocol (CTAP). WebAuthn defines a standard web API that can be built into browsers and related web platform infrastructure to enable online services to use FIDO Authentication. CTAP enables external devices such as mobile handsets or FIDO Security Keys to work with WebAuthn and serve as authenticators to desktop applications and web services. Gluu Flex Admin UI allows configuring parameters of Janssen's FIDO2 server. 
Check following documnetation for details of FIDO2 configuration parameters.","title":"FIDO"},{"location":"admin/admin-ui/fido-menu/#fido-configuration","text":"FIDO 2.0 (FIDO2) is an open authentication standard that enables people to leverage common devices to authenticate to online services in both mobile and desktop environments. FIDO2 comprises the W3C\u2019s Web Authentication specification (WebAuthn) and FIDO\u2019s corresponding Client-to-Authenticator Protocol (CTAP). WebAuthn defines a standard web API that can be built into browsers and related web platform infrastructure to enable online services to use FIDO Authentication. CTAP enables external devices such as mobile handsets or FIDO Security Keys to work with WebAuthn and serve as authenticators to desktop applications and web services. Gluu Flex Admin UI allows configuring parameters of Janssen's FIDO2 server. Check following documnetation for details of FIDO2 configuration parameters.","title":"FIDO Configuration"},{"location":"admin/admin-ui/introduction/","tags":["administration","admin-ui","installation","license"],"text":"Gluu Flex Admin UI # Gluu Flex Admin UI is a web interface to simplify the management and configuration of your Janssen Authentication Server. One of the key services offered by Gluu Flex is the ability to view and edit configuration properties, interception scripts, clients, users, metrics, and more, all in one place. This user-friendly interface facilitates interaction with the Jans Auth Server through a REST API layer known as the Jans Config API. The above diagram explains interaction between various depending components. Admin UI Frontend # This user facing GUI has been developed using React.js and Redux is used for state management. The Admin UI utilizes an OpenAPI JavaScript client for Jans Config API, facilitating API calls to Jans Config API endpoints. The GUI utilizes popular libraries such as Material-UI , Axios, Formik , etc. 
Webpack is responsible for compiling and bundling the application, optimizing its performance, and generating the necessary production files. The Admin UI bundle is hosted on an Apache HTTP server , which is included as a component with the Janssen server installation. This setup ensures that the GUI is readily accessible and efficiently served to users. Admin UI Backend # The GUI utilizes a dedicated Java backend to handle specific tasks, such as reading the Admin UI configuration from persistence, managing Admin UI roles and permission mapping in configuration, performing audit logging, and making calls to license APIs on SCAN. The Jans Config API follows a flexible plugin architecture, allowing the addition of new APIs through extensions known as plugins, without the need to modify the core application. The Admin UI Backend has been incorporated into the Jans Config API as a plugin to address Admin UI-specific tasks. Installation # Gluu Flex can be installed using VM installer or using Rancher on Cloud Native. During installation, we need to provide a Software Statement Assertion (SSA) which is used by Admin UI to register an OIDC client to access license APIs. Check the following guide for the steps to issue SSA from the Agama Lab web interface. Gluu Flex License # After installation, the Admin UI can be accessed at https://hostname/admin (the hostname is provided during setup). Access to this web interface is granted only after subscribing to the Admin UI license from Agama Lab. There is a provision to generate a 30-day free trial license of Gluu Flex which will help users to enter and understand this web interface. After license activation, the user can log into Gluu Flex Admin UI using the default username ( admin ) and the password (the admin password provided during installation). 
Flex services dependencies # Gluu Flex Admin UI depends on following Flex services: Janssen Config API service (jans-config-api.service) The Apache HTTP Server (apache2.service)","title":"Introduction"},{"location":"admin/admin-ui/introduction/#gluu-flex-admin-ui","text":"Gluu Flex Admin UI is a web interface to simplify the management and configuration of your Janssen Authentication Server. One of the key services offered by Gluu Flex is the ability to view and edit configuration properties, interception scripts, clients, users, metrics, and more, all in one place. This user-friendly interface facilitates interaction with the Jans Auth Server through a REST API layer known as the Jans Config API. The above diagram explains interaction between various depending components.","title":"Gluu Flex Admin UI"},{"location":"admin/admin-ui/introduction/#admin-ui-frontend","text":"This user facing GUI has been developed using React.js and Redux is used for state management. The Admin UI utilizes an OpenAPI JavaScript client for Jans Config API, facilitating API calls to Jans Config API endpoints. The GUI utilizes popular libraries such as Material-UI , Axios, Formik , etc. Webpack is responsible for compiling and bundling the application, optimizing its performance, and generating the necessary production files. The Admin UI bundle is hosted on an Apache HTTP server , which is included as a component with the Janssen server installation. This setup ensures that the GUI is readily accessible and efficiently served to users.","title":"Admin UI Frontend"},{"location":"admin/admin-ui/introduction/#admin-ui-backend","text":"The GUI utilizes a dedicated Java backend to handle specific tasks, such as reading the Admin UI configuration from persistence, managing Admin UI roles and permission mapping in configuration, performing audit logging, and making calls to license APIs on SCAN. 
The Jans Config API follows a flexible plugin architecture, allowing the addition of new APIs through extensions known as plugins, without the need to modify the core application. The Admin UI Backend has been incorporated into the Jans Config API as a plugin to address Admin UI-specific tasks.","title":"Admin UI Backend"},{"location":"admin/admin-ui/introduction/#installation","text":"Gluu Flex can be installed using VM installer or using Rancher on Cloud Native. During installation, we need to provide a Software Statement Assertion (SSA) which is used by Admin UI to register an OIDC client to access license APIs. Check the following guide for the steps to issue SSA from the Agama Lab web interface.","title":"Installation"},{"location":"admin/admin-ui/introduction/#gluu-flex-license","text":"After installation, the Admin UI can be accessed at https://hostname/admin (the hostname is provided during setup). Access to this web interface is granted only after subscribing to the Admin UI license from Agama Lab. There is a provision to generate a 30-day free trial license of Gluu Flex which will help users to enter and understand this web interface. After license activation, the user can log into Gluu Flex Admin UI using the default username ( admin ) and the password (the admin password provided during installation).","title":"Gluu Flex License"},{"location":"admin/admin-ui/introduction/#flex-services-dependencies","text":"Gluu Flex Admin UI depends on following Flex services: Janssen Config API service (jans-config-api.service) The Apache HTTP Server (apache2.service)","title":"Flex services dependencies"},{"location":"admin/admin-ui/left-nav-menu/","tags":["administration","admin-ui","left navigation menu"],"text":"Left Navigation Menu # In the realm of web design and user experience, the left navigation menu holds a prominent position. It serves as a vital element in organizing and navigating the content within web applications. 
In Gluu Flex Admin UI the left navigation menu establishes a clear information hierarchy to access the core features. Gluu Flex Admin UI has the following main menus on the left navigation: Home Admin Auth server Schema Services SMTP Users Sign out","title":"Left Navigation Menu"},{"location":"admin/admin-ui/left-nav-menu/#left-navigation-menu","text":"In the realm of web design and user experience, the left navigation menu holds a prominent position. It serves as a vital element in organizing and navigating the content within web applications. In Gluu Flex Admin UI the left navigation menu establishes a clear information hierarchy to access the core features. Gluu Flex Admin UI has the following main menus on the left navigation: Home Admin Auth server Schema Services SMTP Users Sign out","title":"Left Navigation Menu"},{"location":"admin/admin-ui/logs/","tags":["administration","admin-ui","installation","logs"],"text":"Logs # Log files are essential components of a web application's infrastructure as they provide valuable insights into its functioning, performance, and potential issues. Log files play a critical role in maintaining, troubleshooting, and monitoring the Gluu Flex Admin UI application. Understanding the different log types, their locations, and the process of accessing and analyzing them will empower administrators to efficiently manage the application's health and quickly address any issues that may arise. Log File Types # The Gluu Flex Admin UI generates two types of log files: adminui.log : This is the backend log file that captures various activities, errors, and events related to the Gluu Flex Admin UI's operation. It provides insights into the application's behavior and potential issues. adminuiAudit.log : This audit log file records user interactions, actions, and events related to administrative activities. It's particularly useful for tracking changes made to the system and ensuring accountability. 
Configuration of Log Locations # The log locations for Gluu Flex Admin UI can be configured by modifying the log4j2-adminui.xml file located at: /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml Within this configuration file, you can adjust various settings such as log levels, appenders, and formats. Default Log Location # The default log location for the Admin UI backend is: /var/log/adminui It is also recommended to check the browser's console log and network tab for any failing requests, as this can provide additional information to diagnose and troubleshoot issues.","title":"Logs"},{"location":"admin/admin-ui/logs/#logs","text":"Log files are essential components of a web application's infrastructure as they provide valuable insights into its functioning, performance, and potential issues. Log files play a critical role in maintaining, troubleshooting, and monitoring the Gluu Flex Admin UI application. Understanding the different log types, their locations, and the process of accessing and analyzing them will empower administrators to efficiently manage the application's health and quickly address any issues that may arise.","title":"Logs"},{"location":"admin/admin-ui/logs/#log-file-types","text":"The Gluu Flex Admin UI generates two types of log files: adminui.log : This is the backend log file that captures various activities, errors, and events related to the Gluu Flex Admin UI's operation. It provides insights into the application's behavior and potential issues. adminuiAudit.log : This audit log file records user interactions, actions, and events related to administrative activities. 
It's particularly useful for tracking changes made to the system and ensuring accountability.","title":"Log File Types"},{"location":"admin/admin-ui/logs/#configuration-of-log-locations","text":"The log locations for Gluu Flex Admin UI can be configured by modifying the log4j2-adminui.xml file located at: /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml Within this configuration file, you can adjust various settings such as log levels, appenders, and formats.","title":"Configuration of Log Locations"},{"location":"admin/admin-ui/logs/#default-log-location","text":"The default log location for the Admin UI backend is: /var/log/adminui It is also recommended to check the browser's console log and network tab for any failing requests, as this can provide additional information to diagnose and troubleshoot issues.","title":"Default Log Location"},{"location":"admin/admin-ui/properties/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Properties"},{"location":"admin/admin-ui/properties/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"admin/admin-ui/schema-menu/","tags":["administration","admin-ui","schema","person","attributes"],"text":"Schema # Attributes are individual pieces of user data, like uid or email, that are required by applications in order to identify a user and grant access to protected resources. The Person attributes that are available in your Janssen server can be found by navigating Schema > Person . The following fields are supported in the Person (attribute) creation form: Name: This field defines the name of the Person attribute. The name must be unique in the Janssen Server persistence tree. 
Display Name: The display name can be anything that is human-readable. Description: The description of the attribute. Status: Used to mark the attribute as Active so that it can be used in your federation service or choose Inactive to create the attribute that can be activated at a later date. Data Type: Select what type of attribute is being added in this field. Edit Type: This field controls who can edit this attribute. If user is selected, this will enable each user to edit this attribute in their Janssen server user profile. View Type: This field controls which type of user is allowed to view the corresponding attribute on the web user interface. oxAuth claim name: If this attribute will be used as a 'claim' in your OpenID Connect service, add the name of the claim here. Generally, the name of the attribute == name of the claim . Multivalued?: If the attribute contains more than one value, set this field to True. Hide On Discovery?: Boolean value indicating if the attribute should be shown on the discovery page. Include In SCIM Extension?: Boolean value indicating if the attribute is a SCIM custom attribute. Enable custom validation for this attribute?: If you plan to set minimum and maximum lengths or a regex pattern, as described below, you will need to enable custom validation for this attribute. Otherwise, you can leave this disabled. Regular expression: You can set a regex pattern to enforce the proper formatting of an attribute. For example, you could set a regex expression for an email attribute like this: ^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}$. This would make sure that a value is added for the attribute only if it follows standard email formatting. Minimum length: This is the minimum length of a value associated with this attribute. Maximum length: This is the maximum length of a value associated with this attribute. Saml1 URI: This field can contain a SAML v1 supported nameformat for the new attribute. 
If this field is left blank the Janssen Server will automatically populate a value. Saml2 URI: This field can contain a SAML v2 supported nameformat for the new attribute. If this field is left blank the Janssen Server will automatically populate a value.","title":"Schema"},{"location":"admin/admin-ui/schema-menu/#schema","text":"Attributes are individual pieces of user data, like uid or email, that are required by applications in order to identify a user and grant access to protected resources. The Person attributes that are available in your Janssen server can be found by navigating Schema > Person . The following fields are supported in the Person (attribute) creation form: Name: This field defines the name of the Person attribute. The name must be unique in the Janssen Server persistence tree. Display Name: The display name can be anything that is human-readable. Description: The description of the attribute. Status: Used to mark the attribute as Active so that it can be used in your federation service or choose Inactive to create the attribute that can be activated at a later date. Data Type: Select what type of attribute is being added in this field. Edit Type: This field controls who can edit this attribute. If user is selected, this will enable each user to edit this attribute in their Janssen server user profile. View Type: This field controls which type of user is allowed to view the corresponding attribute on the web user interface. oxAuth claim name: If this attribute will be used as a 'claim' in your OpenID Connect service, add the name of the claim here. Generally, the name of the attribute == name of the claim . Multivalued?: If the attribute contains more than one value, set this field to True. Hide On Discovery?: Boolean value indicating if the attribute should be shown on the discovery page. Include In SCIM Extension?: Boolean value indicating if the attribute is a SCIM custom attribute. 
Enable custom validation for this attribute?: If you plan to set minimum and maximum lengths or a regex pattern, as described below, you will need to enable custom validation for this attribute. Otherwise, you can leave this disabled. Regular expression: You can set a regex pattern to enforce the proper formatting of an attribute. For example, you could set a regex expression for an email attribute like this: ^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}$. This would make sure that a value is added for the attribute only if it follows standard email formatting. Minimum length: This is the minimum length of a value associated with this attribute. Maximum length: This is the maximum length of a value associated with this attribute. Saml1 URI: This field can contain a SAML v1 supported nameformat for the new attribute. If this field is left blank the Janssen Server will automatically populate a value. Saml2 URI: This field can contain a SAML v2 supported nameformat for the new attribute. If this field is left blank the Janssen Server will automatically populate a value.","title":"Schema"},{"location":"admin/admin-ui/services-menu/","tags":["administration","admin-ui","services","cache-configuration"],"text":"Services # This menu allows user to configure Cache Provider and LDAP schemas which can be used by the auth server. Cache Provider Configuration # The following cache providers are supported in Janssen's auth server: In Memory : recommended for small deployments only Memcached : recommended for single cache server deployment Redis : recommended for cluster deployments Native Persistence : recommended avoiding additional components' installation. All cache entries are saved in persistence layers. Cache Provider Properties # The following tables include the name and description of each Cache Provider's properties. 
Cache Configuration # Name Description Cache Provider Type The cache provider type Memcached Configuration # Name Description Server Details Server details separated by spaces (e.g. `server1:8080 server2:8081) Max Operation Queue Length Maximum number of operations that can be queued Buffer Size Buffer size in bytes Default Put Expiration Expiration timeout value in seconds Connection Factory Type Connection factory type In-Memory Configuration # Name Description Default Put Expiration Default put expiration timeout value in seconds Redis Configuration # Name Description Redis Provider Type Type of connection: standalone, clustered, sharded, sentinel Server Details Server details separated by commas (e.g. 'server1:8080,server2:8081') Use SSL Enable SSL communication between Gluu Server and Redis cache Password Redis password Sentinel Master Group Name Sentinel Master Group Name (required if SENTINEL type of connection is selected) SSL Trust Store File Path Directory Path to Trust Store Default Put Expiration Default expiration time for the object put into cache in seconds Max Retry Attempts Max retry attepts in case of failure So Timeout With this option set to a non-zero timeout, a read() call on the InputStream associated with this Socket will block for only this amount of time. If the timeout expires, a java.net.SocketTimeoutException is raised, though the Socket is still valid. The option must be enabled prior to entering the blocking operation to have effect. The timeout must be > 0. A timeout of zero is interpreted as an infinite timeout. Max Idle Connections The cap on the number of \\\"idle\\\" instances in the pool. If maxIdle is set too low on heavily loaded systems it is possible you will see objects being destroyed and almost immediately new objects being created. This is a result of the active threads momentarily returning objects faster than they are requesting them, causing the number of idle objects to rise above maxIdle. 
The best value for maxIdle for heavily loaded system will vary but the default is a good starting point. Max Total Connections The number of maximum connection instances in the pool Connection Timeout Connection time out Native Persistence Configuration # Name Description Default Put Expiration Default expiration time for the object put into cache in seconds Default Cleanup Batch Size Default cleanup batch page size Delete Expired OnGetRequest whether to delete on GET request","title":"Services"},{"location":"admin/admin-ui/services-menu/#services","text":"This menu allows user to configure Cache Provider and LDAP schemas which can be used by the auth server.","title":"Services"},{"location":"admin/admin-ui/services-menu/#cache-provider-configuration","text":"The following cache providers are supported in Janssen's auth server: In Memory : recommended for small deployments only Memcached : recommended for single cache server deployment Redis : recommended for cluster deployments Native Persistence : recommended avoiding additional components' installation. All cache entries are saved in persistence layers.","title":"Cache Provider Configuration"},{"location":"admin/admin-ui/services-menu/#cache-provider-properties","text":"The following tables include the name and description of each Cache Provider's properties.","title":"Cache Provider Properties"},{"location":"admin/admin-ui/services-menu/#cache-configuration","text":"Name Description Cache Provider Type The cache provider type","title":"Cache Configuration"},{"location":"admin/admin-ui/services-menu/#memcached-configuration","text":"Name Description Server Details Server details separated by spaces (e.g. 
`server1:8080 server2:8081) Max Operation Queue Length Maximum number of operations that can be queued Buffer Size Buffer size in bytes Default Put Expiration Expiration timeout value in seconds Connection Factory Type Connection factory type","title":"Memcached Configuration"},{"location":"admin/admin-ui/services-menu/#in-memory-configuration","text":"Name Description Default Put Expiration Default put expiration timeout value in seconds","title":"In-Memory Configuration"},{"location":"admin/admin-ui/services-menu/#redis-configuration","text":"Name Description Redis Provider Type Type of connection: standalone, clustered, sharded, sentinel Server Details Server details separated by commas (e.g. 'server1:8080,server2:8081') Use SSL Enable SSL communication between Gluu Server and Redis cache Password Redis password Sentinel Master Group Name Sentinel Master Group Name (required if SENTINEL type of connection is selected) SSL Trust Store File Path Directory Path to Trust Store Default Put Expiration Default expiration time for the object put into cache in seconds Max Retry Attempts Max retry attepts in case of failure So Timeout With this option set to a non-zero timeout, a read() call on the InputStream associated with this Socket will block for only this amount of time. If the timeout expires, a java.net.SocketTimeoutException is raised, though the Socket is still valid. The option must be enabled prior to entering the blocking operation to have effect. The timeout must be > 0. A timeout of zero is interpreted as an infinite timeout. Max Idle Connections The cap on the number of \\\"idle\\\" instances in the pool. If maxIdle is set too low on heavily loaded systems it is possible you will see objects being destroyed and almost immediately new objects being created. This is a result of the active threads momentarily returning objects faster than they are requesting them, causing the number of idle objects to rise above maxIdle. 
The best value for maxIdle for heavily loaded system will vary but the default is a good starting point. Max Total Connections The number of maximum connection instances in the pool Connection Timeout Connection time out","title":"Redis Configuration"},{"location":"admin/admin-ui/services-menu/#native-persistence-configuration","text":"Name Description Default Put Expiration Default expiration time for the object put into cache in seconds Default Cleanup Batch Size Default cleanup batch page size Delete Expired OnGetRequest whether to delete on GET request","title":"Native Persistence Configuration"},{"location":"admin/admin-ui/smtp-menu/","tags":["administration","admin-ui","smtp"],"text":"SMTP Configuration # The description of all the fields in SMTP configuration form: Fields Description SMTP Host Hostname of the SMTP server Connect Protection Protocol to protect connection From Name Name of the sender From Email Address Email Address of the Sender Requires Authentication This checkbox enables sender authentication SMTP User Name Username of the SMTP SMTP User Password Password for the SMTP Requires SSL This checkbox enables the SSL SMTP Port Port number of the SMTP server Keystore","title":"SMTP"},{"location":"admin/admin-ui/smtp-menu/#smtp-configuration","text":"The description of all the fields in SMTP configuration form: Fields Description SMTP Host Hostname of the SMTP server Connect Protection Protocol to protect connection From Name Name of the sender From Email Address Email Address of the Sender Requires Authentication This checkbox enables sender authentication SMTP User Name Username of the SMTP SMTP User Password Password for the SMTP Requires SSL This checkbox enables the SSL SMTP Port Port number of the SMTP server Keystore","title":"SMTP Configuration"},{"location":"admin/admin-ui/userMgmt-menu/","tags":["administration","admin-ui","users"],"text":"Users # This interface allows the administrator to create, edit, delete and search user records in 
Janssen persistence. The user creation/modification form has First Name, Middle Name, Last Name, Username, Display Name, Email, Status and Password fields populated by default on it. The administrator can select and add more user attributes to the form from the right Available Claims panel. To add a new user claim, please follow this document . Different Admin UI Roles can be assigned to the user in the jansAdminUIRole attribute (to be selected from the Available Claims panel).","title":"Users"},{"location":"admin/admin-ui/userMgmt-menu/#users","text":"This interface allows the administrator to create, edit, delete and search user records in Janssen persistence. The user creation/modification form has First Name, Middle Name, Last Name, Username, Display Name, Email, Status and Password fields populated by default on it. The administrator can select and add more user attributes to the form from the right Available Claims panel. To add a new user claim, please follow this document . Different Admin UI Roles can be assigned to the user in the jansAdminUIRole attribute (to be selected from the Available Claims panel).","title":"Users"},{"location":"admin/admin-ui/webhooks/","tags":["administration","admin-ui","webhooks"],"text":"Webhooks # Gluu Flex Admin UI serves as a powerful web interface designed to streamline the management and configuration of the Janssen Authentication Server. To further extend its capabilities, Gluu Flex Admin UI integrates the use of webhooks, enabling the execution of custom business logic during the creation, update, and deletion of information on the Janssen Authentication Server. The seamless integration of webhooks into this interface enhances its functionality, offering a dynamic and extensible solution. Webhooks are a mechanism for automating workflows by allowing external systems to be notified of specific events. 
In the context of Gluu Flex Admin UI, webhooks can be mapped to various Admin UI features to execute custom business logic when events associated with those features occur. Administrators can map one or more webhooks to specific feature events using the user interface. Webhook management on the UI # The webhook create/update form consists for following fields. Field Description Required Webhook Id The unique identifier of webhook Yes. Generated by Admin UI Webhook Name The name give to webhook Yes URL The webhook url Yes HTTP Method The type HTTP request (e.g. GET, POST, PUT, PATCH, DELETE ) Yes Description Webhook description No Webhook Headers The HTTP request headers No Request Body The HTTP request body Mandatory for POST, PUT, PATCH requests Enabled Toggle switch to enable/disable webhook Yes Admin UI Features The Admin UI features which can be mapped to the webhook No Once a webhook is created it can be searched, edited or deleted. Shortcodes # When working with webhooks, shortcodes play a crucial role in dynamically injecting data into URLs and request bodies. They allow for flexible and customizable communication between different systems. Shortcode is denoted by curly braces ${} . Using shortcodes in webhook url: Shortcodes can be used in path parameters or query parameters of webhook url. https://example.com/webhook/ ${ inum } /update https://example.com/webhook?action = ${ action } & user_id = ${ userId } Using shortcodes in webhook request-body: Webhook request bodies can utilize placeholders to dynamically populate data sent to the recipient system. { \"username\" : \" ${ username } \" , \"email\" : \" ${ email } \" , \"password\" : \" ${ password } \" } Triggering webhooks # The webhooks can be mapped with one or more Admin UI feature(s) using the webhook create/update form . The following Admin UI features can be mapped to the webhooks. 
Feature Name Action Permission Custom Script Add/Edit https://jans.io/oauth/config/scripts.write Custom Script Delete https://jans.io/oauth/config/scripts.delete FIDO Configuration Edit https://jans.io/oauth/jans-auth-server/config/properties.write Jans Link Edit https://jans.io/oauth/config/jans-link.write OIDC Clients Add/Edit https://jans.io/oauth/config/openid/clients.write OIDC Clients Delete https://jans.io/oauth/config/openid/clients.delete Scopes Add/Edit https://jans.io/oauth/config/scopes.write Scopes Delete https://jans.io/oauth/config/scopes.delete Schema:Person Add/Edit https://jans.io/oauth/config/attributes.write Schema:Person Delete https://jans.io/oauth/config/attributes.delete SCIM Configuration Edit https://jans.io/scim/config.write SMTP Configuration Edit https://jans.io/oauth/config/smtp.write Users Add/Edit https://jans.io/oauth/config/user.write Users Delete https://jans.io/oauth/config/user.delete When the feature action is performed (e.g. submitting the \"create new user\" form), the Admin UI displays the consent dialog with a list of webhooks that will be triggered upon the successful execution of the event. If the user clicks on the Accept button, all the enabled webhooks will be triggered during the event execution. The Admin UI is unable to proceed with event execution if any webhook fails during the process.","title":"Webhooks"},{"location":"admin/admin-ui/webhooks/#webhooks","text":"Gluu Flex Admin UI serves as a powerful web interface designed to streamline the management and configuration of the Janssen Authentication Server. To further extend its capabilities, Gluu Flex Admin UI integrates the use of webhooks, enabling the execution of custom business logic during the creation, update, and deletion of information on the Janssen Authentication Server. The seamless integration of webhooks into this interface enhances its functionality, offering a dynamic and extensible solution. 
Webhooks are a mechanism for automating workflows by allowing external systems to be notified of specific events. In the context of Gluu Flex Admin UI, webhooks can be mapped to various Admin UI features to execute custom business logic when events associated with those features occur. Administrators can map one or more webhooks to specific feature events using the user interface.","title":"Webhooks"},{"location":"admin/admin-ui/webhooks/#webhook-management-on-the-ui","text":"The webhook create/update form consists for following fields. Field Description Required Webhook Id The unique identifier of webhook Yes. Generated by Admin UI Webhook Name The name give to webhook Yes URL The webhook url Yes HTTP Method The type HTTP request (e.g. GET, POST, PUT, PATCH, DELETE ) Yes Description Webhook description No Webhook Headers The HTTP request headers No Request Body The HTTP request body Mandatory for POST, PUT, PATCH requests Enabled Toggle switch to enable/disable webhook Yes Admin UI Features The Admin UI features which can be mapped to the webhook No Once a webhook is created it can be searched, edited or deleted.","title":"Webhook management on the UI"},{"location":"admin/admin-ui/webhooks/#shortcodes","text":"When working with webhooks, shortcodes play a crucial role in dynamically injecting data into URLs and request bodies. They allow for flexible and customizable communication between different systems. Shortcode is denoted by curly braces ${} . Using shortcodes in webhook url: Shortcodes can be used in path parameters or query parameters of webhook url. https://example.com/webhook/ ${ inum } /update https://example.com/webhook?action = ${ action } & user_id = ${ userId } Using shortcodes in webhook request-body: Webhook request bodies can utilize placeholders to dynamically populate data sent to the recipient system. 
{ \"username\" : \" ${ username } \" , \"email\" : \" ${ email } \" , \"password\" : \" ${ password } \" }","title":"Shortcodes"},{"location":"admin/admin-ui/webhooks/#triggering-webhooks","text":"The webhooks can be mapped with one or more Admin UI feature(s) using the webhook create/update form . The following Admin UI features can be mapped to the webhooks. Feature Name Action Permission Custom Script Add/Edit https://jans.io/oauth/config/scripts.write Custom Script Delete https://jans.io/oauth/config/scripts.delete FIDO Configuration Edit https://jans.io/oauth/jans-auth-server/config/properties.write Jans Link Edit https://jans.io/oauth/config/jans-link.write OIDC Clients Add/Edit https://jans.io/oauth/config/openid/clients.write OIDC Clients Delete https://jans.io/oauth/config/openid/clients.delete Scopes Add/Edit https://jans.io/oauth/config/scopes.write Scopes Delete https://jans.io/oauth/config/scopes.delete Schema:Person Add/Edit https://jans.io/oauth/config/attributes.write Schema:Person Delete https://jans.io/oauth/config/attributes.delete SCIM Configuration Edit https://jans.io/scim/config.write SMTP Configuration Edit https://jans.io/oauth/config/smtp.write Users Add/Edit https://jans.io/oauth/config/user.write Users Delete https://jans.io/oauth/config/user.delete When the feature action is performed (e.g. submitting the \"create new user\" form), the Admin UI displays the consent dialog with a list of webhooks that will be triggered upon the successful execution of the event. If the user clicks on the Accept button, all the enabled webhooks will be triggered during the event execution. The Admin UI is unable to proceed with event execution if any webhook fails during the process.","title":"Triggering webhooks"},{"location":"admin/kubernetes-ops/","tags":["administration","kubernetes","operations"],"text":"Overview # This Operation guide helps you learn about the common operations for Gluu Flex on Kubernetes. Note Since Flex = Janssen + Admin-UI. 
The Kubernetes Operations in Gluu Flex are identitical to Janssen . You will mostly only need to change the helm chart reference from janssen/janssen to gluu-flex/gluu , along with the helm release name and namespace. Here's an example how would the upgrade of Flex looks like. Common Operations # Upgrade Admin-UI Private Scaling Backup and Restore Certificate Management Customization Start Order Logs External Secrets and Configmaps Health Check TUI K8s Custom Attributes Jans SAML/Keycloak Memory Dump","title":"Overview"},{"location":"admin/kubernetes-ops/#overview","text":"This Operation guide helps you learn about the common operations for Gluu Flex on Kubernetes. Note Since Flex = Janssen + Admin-UI. The Kubernetes Operations in Gluu Flex are identitical to Janssen . You will mostly only need to change the helm chart reference from janssen/janssen to gluu-flex/gluu , along with the helm release name and namespace. Here's an example how would the upgrade of Flex looks like.","title":"Overview"},{"location":"admin/kubernetes-ops/#common-operations","text":"Upgrade Admin-UI Private Scaling Backup and Restore Certificate Management Customization Start Order Logs External Secrets and Configmaps Health Check TUI K8s Custom Attributes Jans SAML/Keycloak Memory Dump","title":"Common Operations"},{"location":"admin/kubernetes-ops/admin-ui-private/","tags":["administration","kubernetes","operations","private","internal","admin-ui"],"text":"Overview # This document demonstrates a method to override the URLs in the admin-ui used to connect to the backend services, such as the config API. This way the calls are made privately without hitting the FQDN through the internet. 
Configuration # We will install nginx in ingress-nginx namespace using the following command: helm install ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx and thus, the svc is accessible at ingress-nginx-controller.ingress-nginx.svc.cluster.local Modify values.yaml : admin-ui : usrEnvs : normal : CN_CONFIG_API_BASE_URL : https://ingress.local:8443 CN_AUTH_BASE_URL : https://ingress.local:8443 CN_TOKEN_SERVER_BASE_URL : https://ingress-nginx-controller.ingress-nginx.svc.cluster.local config-api : usrEnvs : normal : CN_TOKEN_SERVER_BASE_URL : https://ingress-nginx-controller.ingress-nginx.svc.cluster.local nginx-ingress : ingress : hosts : - demoexample.gluu.org # adjust Gluu FQDN used as needed - ingress-nginx-controller.ingress-nginx.svc.cluster.local - ingress.local Deploy the flex helm chart using the updated values.yaml To allow the browser to access internal service, add an entry inside /etc/hosts file: 127.0.0.1 ingress.local ingress-nginx-controller.ingress-nginx.svc.cluster.local By default, the ingress-nginx-controller deployment uses fake certificate generated by k8s. Add a new certificate (self-signed certificate and key are sufficient) as the default certificate into the ingress controller. Generate SSL cert and key using your preferred tool. Make sure to add domain ingress-nginx-controller.ingress-nginx.svc.cluster.local and ingress.local in SAN section. 
Example: openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes -keyout ingress.local.key -out ingress.local.crt -subj \"/CN=ingress.local\" -addext \"subjectAltName=DNS:ingress.local,DNS:ingress-nginx-controller.ingress-nginx.svc.cluster.local\" Create secrets to store the certificate and key, for example: kubectl -n create secret tls internal-tls-certificate --cert /path/to/cert --key /path/to/key Modify the ingress-nginx-controller deployment: apiVersion : apps/v1 kind : Deployment metadata : name : ingress-nginx-controller namespace : ingress-nginx spec : template : spec : containers : - args : # some arguments are omitted # add a new argument to load self-signed cert - --default-ssl-certificate=/internal-tls-certificate Rollout restart the ingress-nginx-controller deployment. Expose the service IP (port 443) to host (port 8443): kubectl -n ingress-nginx port-forward svc/ingress-nginx-controller 8443:443 & OPTIONAL : if the K8s cluster is deployed at a remote VM, make SSH tunneling before accessing the admin-ui web: ssh -N -L 8443:localhost:8443 @ & Hit https://ingress.local:8443 and allow the browser to skip certificate validation. Visit https:///admin","title":"Admin-UI Private"},{"location":"admin/kubernetes-ops/admin-ui-private/#overview","text":"This document demonstrates a method to override the URLs in the admin-ui used to connect to the backend services, such as the config API. 
This way the calls are made privately without hitting the FQDN through the internet.","title":"Overview"},{"location":"admin/kubernetes-ops/admin-ui-private/#configuration","text":"We will install nginx in ingress-nginx namespace using the following command: helm install ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx and thus, the svc is accessible at ingress-nginx-controller.ingress-nginx.svc.cluster.local Modify values.yaml : admin-ui : usrEnvs : normal : CN_CONFIG_API_BASE_URL : https://ingress.local:8443 CN_AUTH_BASE_URL : https://ingress.local:8443 CN_TOKEN_SERVER_BASE_URL : https://ingress-nginx-controller.ingress-nginx.svc.cluster.local config-api : usrEnvs : normal : CN_TOKEN_SERVER_BASE_URL : https://ingress-nginx-controller.ingress-nginx.svc.cluster.local nginx-ingress : ingress : hosts : - demoexample.gluu.org # adjust Gluu FQDN used as needed - ingress-nginx-controller.ingress-nginx.svc.cluster.local - ingress.local Deploy the flex helm chart using the updated values.yaml To allow the browser to access internal service, add an entry inside /etc/hosts file: 127.0.0.1 ingress.local ingress-nginx-controller.ingress-nginx.svc.cluster.local By default, the ingress-nginx-controller deployment uses fake certificate generated by k8s. Add a new certificate (self-signed certificate and key are sufficient) as the default certificate into the ingress controller. Generate SSL cert and key using your preferred tool. Make sure to add domain ingress-nginx-controller.ingress-nginx.svc.cluster.local and ingress.local in SAN section. 
Example: openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes -keyout ingress.local.key -out ingress.local.crt -subj \"/CN=ingress.local\" -addext \"subjectAltName=DNS:ingress.local,DNS:ingress-nginx-controller.ingress-nginx.svc.cluster.local\" Create secrets to store the certificate and key, for example: kubectl -n create secret tls internal-tls-certificate --cert /path/to/cert --key /path/to/key Modify the ingress-nginx-controller deployment: apiVersion : apps/v1 kind : Deployment metadata : name : ingress-nginx-controller namespace : ingress-nginx spec : template : spec : containers : - args : # some arguments are omitted # add a new argument to load self-signed cert - --default-ssl-certificate=/internal-tls-certificate Rollout restart the ingress-nginx-controller deployment. Expose the service IP (port 443) to host (port 8443): kubectl -n ingress-nginx port-forward svc/ingress-nginx-controller 8443:443 & OPTIONAL : if the K8s cluster is deployed at a remote VM, make SSH tunneling before accessing the admin-ui web: ssh -N -L 8443:localhost:8443 @ & Hit https://ingress.local:8443 and allow the browser to skip certificate validation. Visit https:///admin","title":"Configuration"},{"location":"admin/kubernetes-ops/upgrade/","tags":["administration","kubernetes","operations","helm","upgrade"],"text":"This guide shows how to upgrade a Gluu Flex helm deployment. 
helm ls -n Keep note of the helm release version Add your changes to override.yaml Apply your upgrade: helm upgrade gluu-flex/gluu -n -f override.yaml --version=replace-flex-version","title":"Upgrade"},{"location":"admin/recipes/","tags":["administration","recipes"],"text":"Overview # Please use the left navigation menu to browse the content of this section while we are still working on developing content for Overview page.","title":"Overview"},{"location":"admin/recipes/#overview","text":"Please use the left navigation menu to browse the content of this section while we are still working on developing content for Overview page.","title":"Overview"},{"location":"admin/recipes/getting-started-rancher/","text":"Overview # Gluu Flex (\u201cFlex\u201d) is a cloud-native digital identity platform that enables organizations to authenticate and authorize people and software through the use of open standards like OpenID Connect, OAuth, and FIDO. It is a downstream commercial distribution of the Linux Foundation Janssen Project software, plus a web administration tool(Gluu Admin-UI). SUSE Rancher\u2019s helm-based deployment approach simplifies the deployment and configuration of Flex, enabling organizations to take advantage of Flex\u2019s modular design to improve their security posture while simultaneously enabling just-in-time auto-scaling. The key services of Flex include: (REQUIRED) Jans Auth Server : This component is the OAuth Authorization Server, the OpenID Connect Provider, and the UMA Authorization Server for person and software authentication. This service must be Internet-facing. (REQUIRED) Jans Config API : The API to configure the auth-server and other components is consolidated in this component. This service should not be Internet-facing. Gluu Admin UI : Web admin tool for ad-hoc configuration. Jans Fido : This component provides the server-side endpoints to enroll and validate devices that use FIDO. 
It provides both FIDO U2F (register, authenticate) and FIDO 2 (attestation, assertion) endpoints. This service must be Internet-facing. Jans SCIM : System for Cross-domain Identity Management ( SCIM ) is JSON/REST API to manage user data. Use it to add, edit and update user information. This service should not be Internet-facing. Jans Casa : A self-service web portal for end-users to manage authentication and authorization preferences for their account in the Gluu Flex server. Typically, it enables people to manage their MFA credentials, like FIDO tokens and OTP authenticators. It's also extensible if your organization has any other self-service requirements. Building Blocks # Scope # In this Quickstart Guide, we will: Deploy Flex and add some users. Enable two-factor authentication. Protect content on an Apache web server with OpenID Connect. Audience # This document is intended for DevOps engineers, site reliability engineers (SREs), platform engineers, software engineers, and developers who are responsible for managing and running stateful workloads in Kubernetes clusters. Technical overview # In addition to the core services listed in the Introduction above, the SUSE Rancher deployment includes the following components: PostgreSQL/MySQL : SQL database dialect used to store configuration, people clients, sessions and other data needed for Gluu Flex operation. Cert Manager : Used for managing X.509 certificates and crypto keys lifecycle in Janssen Server. Key Rotation : A cronjob that implements Cert Manager to rotate the auth keys Configuration job : loads (generate/restore) and dumps (backup) the configuration and secrets. Persistence job : This job loads initial data for the backend used (SQL or Couchbase). ConfigMaps : Stores configuration needed for Flex environment setup. Secrets : Contains sensitive or confidential data such as a password, a token, or a key. 
Config and Secret keys # The Configuration job creates a set of configurations and secrets used by all services in the Flex setup. To check the values of the configuration keys(configmaps) in the installation: kubectl get cm cn -o json -n To check the values of the secret keys in installation: kubectl get secret cn -o json -n Gluu Config Keys # Key Example Values admin_email team@gluu.org admin_inum d3afef58-c026-4514-9d4c-e0a3efb4c29d admin_ui_client_id 1901.a6575c1e-4688-4c11-8c95-d9e570b13ee8 auth_enc_keys RSA1_5 RSA-OAEP auth_key_rotated_at 1653517558 auth_legacyIdTokenClaims false auth_openidScopeBackwardCompatibility false auth_openid_jks_fn /etc/certs/auth-keys.jks auth_openid_jwks_fn /etc/certs/auth-keys.json casa_client_id 0008-db36db1f-025e-4164-aeed-f82df064eee8 auth_sig_keys RS256 RS384 RS512 ES256 ES384 ES512 PS384 PS512 city Austin country_code US default_openid_jks_dn_name CN=Janssen Auth CA Certificate fido2ConfigFolder /etc/jans/conf/fido2 hostname demoexample.gluu.org jca_client_id 1801.4df6c3ba-ebf6-4836-8fb5-6da927586f61 optional_scopes [\\\"casa\\\", \\\"sql\\\", \\\"fido2\\\", \\\"scim\\\"] orgName Gluu tui_client_id 2000.9313cd4b-147c-4a67-96be-8a69ddbaf7e9 scim_client_id 1201.1cbcc731-3fca-4668-a480-1b5f5a7d6a53 state TX token_server_admin_ui_client_id 1901.57a858dc-69f3-4967-befe-e089fe376638 Gluu Secret Keys # Key Example Values admin_ui_client_encoded_pw QlBMMTZUZWVYeWczVlpNUk1XN0pzdzrg admin_ui_client_pw WnJYZEcyVlNBWG9d auth_jks_base64 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx auth_openid_jks_pass TWZoR3Rlb0NnUHEP auth_openid_key_base64 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx casa_client_encoded_pw b3NabG9oVGNncFVVWFpxNEJMU3V0dzrg casa_client_pw M1g0Z1dEbGNPQ19d encoded_admin_password e3NzaGF9eGpOaDRyblU3dzJZbmpPclovMUlheTdkR0RrOTdLe encoded_salt Um9NSEJnOU9IbTRvRkJHVVZETVZIeXEP jca_client_encoded_pw Um9NSEJnOU9IbTRvRkJHVVZETVZIeX58 jca_client_pw Um9NSEJnOU9IbTRvR otp_configuration xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
pairwiseCalculationKey ZHd2VW01Y3VOUW6638ZHd2VW pairwiseCalculationSalt ZHd2VW01Y3VOUW6638ZHd2VW0 plugins_admin_ui_properties xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx tui_client_encoded_pw ZHd2VW01Y3VOUW66388PS512 tui_client_pw AusZHd2VW01Y3VOUW6638 scim_client_encoded_pw UZHd2VW01Y3VOUW6638ZHd2VW01Y3VOUW6638 scim_client_pw ZHd2VW01Y3VOUW6638 sql_password ZHd2VW01Y3V638 ssl_ca_cert xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_ca_key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_cert xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_csr xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx super_gluu_creds xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx3 token_server_admin_ui_client_encoded_pw Q1Z1cmtYWUlYSVg4U2tLTldVcnZVTUF token_server_admin_ui_client_pw ZHd2VW01Y3VOUW6638 Prerequisites # SUSE Rancher installed with an accessible UI Kubernetes cluster running on SUSE Rancher with at least 1 worker node Sufficient RBAC permissions to deploy and manage applications in the cluster. LinuxIO kernel modules on the worker nodes Docker running locally (Linux preferred) Essential tools and CLI utilities are installed on your local workstation and are available in your $PATH : curl , kubectl An entry in the /etc/hosts file of your local workstation to resolve the hostname of the Gluu Flex installation. This step is for testing purposes. Installation # Summary of steps : Install Database: Note For the Database test setup to work, a PV provisioner support must be present in the underlying infrastructure. Install PostgreSQL database # Note If you are willing to use MySQL installation, skip this section and head to the Install MySQL section. To install a quick setup with PostgreSQL as the backend, you need to provide the connection parameters of a fresh setup. For a test setup, you can follow the below instructions: Apps --> Charts and search for Postgres . Click on Install on the right side of the window. Create a new namespace called postgres and hit Next . 
You should be on the Edit YAML page. Modify the below keys as desired. These values will be inputted in the installation of Gluu Flex Key auth.database auth.username auth.password Click Install at the bottom right of the page. Install MySQL database # Note Skip this section if you installed PostgreSQL . This section is only needed if you are willing to use MySQL. To install a quick setup with MySQL as the backend, you need to provide the connection parameters of a fresh setup. For a test setup, you can follow the below instructions: Open a kubectl shell from the top right navigation menu >_ . Run: helm repo add bitnami https://charts.bitnami.com/bitnami helm repo update kubectl create ns gluu #Create gluu namespace Pass in a custom password for the database. Here we used Test1234# . The admin user will be left as root . Notice we are installing in the gluu namespace. Run helm install my-release --set auth.rootPassword=Test1234#,auth.database=jans bitnami/mysql -n gluu Successful Installation # After the installation is successful, you should have a Statefulset active in the rancher UI as shown in the screenshot below. Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx To get the Loadbalancer IP: kubectl get svc nginx-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}' Install Gluu Flex: Head to Apps --> Charts and search for Gluu Click on Install on the right side of the window. Change the namespace from default to gluu , then click on Next . Scroll through the sections to get familiar with the options. For minimal setup follow with the next instructions. Add License SSA . Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Click on the Persistence section. 
Change SQL database host uri to postgresql.postgres.svc.cluster.local in the case of PostgreSQL or my-release-mysql.gluu.svc.cluster.local in the case of MySQL . Also set SQL database username , SQL password , and SQL database name to the values you used during the database installation. To enable Casa and the Admin UI, navigate to the Optional Services section and check the Enable casa and boolean flag to enable admin UI boxes. You can also enable different services like Client API and Jackrabbit . Click on the section named Ingress and enable all the endpoints. You might add LB IP or address if you don't have FQDN for Gluu . To pass your FQDN or Domain that is intended to serve the Gluu Flex IDP, head to the Configuration section: Add your FQDN and check the box Is the FQDN globally resolvable . Click on the Edit YAML tab and add your FQDN to nginx-ingress.ingress.hosts and nginx-ingress.ingress.tls.hosts . Click on Install on the bottom right of the window. Note You can upgrade your installation after the deployment. To do that, go to the SUSE Rancher Dashboard -> Apps -> Installed Apps -> gluu -> Click on the 3 dots on the right -> Upgrade -> Make your changes -> Click Update. The running deployment and services of different Gluu Flex components like casa , admin-ui , scim , auth-server , etc can be viewed by navigating through the SUSE Rancher. Go to Workloads and see the running pods. Go under Service Discovery and checkout the Ingresses and Services . All deployed components should be in a healthy and running state like in the screenshot shown below. Connecting to the Setup # Note You can skip this section if you have a globally resolvable FQDN . In the event you used microk8s or your fqdn is not registered, the below steps will help with connecting to your setup. 
To access the setup from a browser or another VM, we need to change the ingress class annotation from kubernetes.io/ingress.class: nginx to kubernetes.io/ingress.class: public e.g., for the specific component you want to access publicly in the browser; Navigate through the SUSE Rancher UI to Service Discovery -> Ingresses Choose the ingress for the targeted component. For example gluu-nginx-ingress-auth-server for auth-server Click on the three dots in the top right corner Click on Edit Yaml On line 8, change the kubernetes.io/ingress.class annotation value from nginx to public Click Save The LoadBalancer IP needs to get mapped inside /etc/hosts with the domain chosen for gluu flex . If the domain you used in the setup is demoexample.gluu.org: 3.65.27.95 demoexample.gluu.org You can do the same edit for every component you want to access publicly from the browser. Testing Configuration endpoints # Try accessing some Gluu Flex endpoints like https://demoexample.gluu.org/.well-known/openid-configuration in the browser and you'll get back a JSON response; Note that you can also access those endpoints via curl command, E.g. 
curl -k https://demoexample.gluu.org/.well-known/openid-configuration You should get a similar response like the one below; {\"version\":\"1.1\",\"issuer\":\"https://demoexample.gluu.org\",\"attestation\":{\"base_path\":\"https://demoexample.gluu.org/jans-fido2/restv1/attestation\",\"options_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/attestation/options\",\"result_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/attestation/result\"},\"assertion\":{\"base_path\":\"https://demoexample.gluu.org/jans-fido2/restv1/assertion\",\"options_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/assertion/options\",\"result_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/assertion/result\"}} Login and Add a New User # After inputting the license keys, you can then use admin and the password you set to login to the Admin UI and you should see the Admin UI dashboard. You could also add another test user via the admin UI that will be used for testing Casa and 2FA as shown in the screenshot below. Navigate to Users and click on + in the top right corner to add a user. Testing Casa # Jans Casa (\"Casa\") is a self-service web portal for managing account security preferences. The primary use case for Casa is self-service 2FA, but other use cases and functionalities can be supported via Casa plugins. Although you have not enabled two-factor authentication yet, you should still be able to login to Casa as the admin user and the password is the one you set during installation. Point your browser to https://demoexample.gluu.org/jans-casa and you should be welcomed by the Casa login page as shown below. After logging in, you'll be welcomed by the home page as shown below. Enabling Two-Factor Authentication # In this part, we are going to enable two standard authentication mechanisms: OTP and FIDO. This can be done through the admin UI. 2FA can be turned on by clicking the switch in the Second Factor Authentication widget. 
By default, you will be able to choose from a few 2FA policies: Always (upon every login attempt) If the location (e.g. city) detected in the login attempt is unrecognized If the device used to login is unrecognized To reduce the chance of account lockout, enroll at least two different types of 2FA credentials -- e.g. one security key and one OTP app; or one OTP app and one SMS phone number, etc. This way, regardless of which device you're using to access a protected resource, you will have a usable option for passing strong authentication. To enable 2FA, firstly the OTP and FIDO components have to be enabled in the Casa admin UI then login to Casa as an end user, and register an OTP device (i.e. Google Authenticator) and a FIDO device. Register OTP device To add a new OTP token, navigate to 2FA credentials > OTP Tokens. You can either add a soft OTP token by choosing the Soft token option or a hard token by choosing the Hard Token Option Check the soft OTP token and click ready Before proceeding to the next step, Download Google Authenticator from Google Play or Appstore Then proceed and scan the QR code with your app Enter the 6-digit code that appears in your authenticator app and validate the enrollment. Register Fido device To add a new FIDO 2 credential, navigate to 2FA credentials > Security Keys and built-in Platform Authenticators Insert the fido key and click Ready. Casa will prompt you to press the button on the key. Add a nickname and click Add. Once added, the new device will appear in a list on the same page. Click the pencil to edit the device's nickname Testing Apache OIDC Locally # In this part, we are going to use docker to locally configure an apache web server, and then install the mod_auth_openidc module and configure it accordingly. 
Using local docker containers, our approach is to first register a client, then spin up two Apache containers, one serving static content (with server-side includes configured so we can display headers and environment information), and one acting as the OpenID Connect authenticating reverse proxy. Register an OpenID Connect client # On the Janssen server, you can register a new client in the Flex Admin UI or the jans-cli. In this section, we are going to show both ways of doing it from the Admin UI and using jans-cli Admin UI # Navigate to Auth server -> Clients and click on + in the top right corner to create a client. Take note of the following keys:values because they configure the right client that we need scopes: email_,openid_,profile responseTypes: code The screenshot below shows an example of the Admin UI section from where a client is created Jans TUI # On the Janssen server, we are going to register a new client using the jans-cli. There are two ways you can register an OIDC client with the Janssen server, Manual Client Registration and Dynamic Client Registration (DCR). Here we will use manual client registration. We will use jans-tui tool provided by the Janssen server. jans-tui has a menu-driven interface that makes it easy to configure the Janssen server. Here we will use the menu-driven approach to register a new client. Download jans-cli-tui from the release assets depending on your OS. For example: wget https://github.com/JanssenProject/jans/releases/download/vreplace-janssen-version/jans-cli-tui-linux-ubuntu-X86-64.pyz Now we have jans-cli-tui-linux-ubuntu-X86-64.pyz downloaded. 
Now we can grab the FQDN, client-id, client-secret, and connect using the following commands: FQDN= #Add your FQDN here TUI_CLIENT_ID=$(kubectl get cm cn -n --template={{.data.tui_client_id}}) TUI_CLIENT_SECRET=$(kubectl get secret cn -n --template={{.data.tui_client_pw}} | base64 -d) #add -noverify if your FQDN is not registered Get schema file using this command python3 jans-cli-tui-linux-ubuntu-X86-64.pyz --host --client-id --client-secret --no-tui --schema /components/schemas/Client Add values for required params and store this JSON in a text file. Take keynote of the following properties. schema-json-file.json { \"dn\": null, \"inum\": null, \"displayName\": \"\", \"clientSecret\": \"\", \"frontChannelLogoutUri\": null, \"frontChannelLogoutSessionRequired\": null, \"registrationAccessToken\": null, \"clientIdIssuedAt\": null, \"clientSecretExpiresAt\": null, \"redirectUris\": [ \"\" ], \"claimRedirectUris\": null, \"responseTypes\": [ \"code\" ], \"grantTypes\": [ \"authorization_code\" ], \"applicationType\": \"web\", \"contacts\": null, \"idTokenTokenBindingCnf\": null, \"logoUri\": null, \"clientUri\": null, \"policyUri\": null, \"tosUri\": null, \"jwksUri\": null, \"jwks\": null, \"sectorIdentifierUri\": null, \"subjectType\": \"public\", \"idTokenSignedResponseAlg\": null, \"idTokenEncryptedResponseAlg\": null, \"idTokenEncryptedResponseEnc\": null, \"userInfoSignedResponseAlg\": null, \"userInfoEncryptedResponseAlg\": null, \"userInfoEncryptedResponseEnc\": null, \"requestObjectSigningAlg\": null, \"requestObjectEncryptionAlg\": null, \"requestObjectEncryptionEnc\": null, \"tokenEndpointAuthMethod\": \"client_secret_basic\", \"tokenEndpointAuthSigningAlg\": null, \"defaultMaxAge\": null, \"requireAuthTime\": null, \"defaultAcrValues\": null, \"initiateLoginUri\": null, \"postLogoutRedirectUris\": null, \"requestUris\": null, \"scopes\": [ \"email\", \"openid\", \"profile\" ], \"claims\": null, \"trustedClient\": false, \"lastAccessTime\": null, 
\"lastLogonTime\": null, \"persistClientAuthorizations\": null, \"includeClaimsInIdToken\": false, \"refreshTokenLifetime\": null, \"accessTokenLifetime\": null, \"customAttributes\": null, \"customObjectClasses\": null, \"rptAsJwt\": null, \"accessTokenAsJwt\": null, \"accessTokenSigningAlg\": null, \"disabled\": false, \"authorizedOrigins\": null, \"softwareId\": null, \"softwareVersion\": null, \"softwareStatement\": null, \"attributes\": null, \"backchannelTokenDeliveryMode\": null, \"backchannelClientNotificationEndpoint\": null, \"backchannelAuthenticationRequestSigningAlg\": null, \"backchannelUserCodeParameter\": null, \"expirationDate\": null, \"deletable\": false, \"jansId\": null, \"description\": null } Now you can use that JSON file as input to the command below and register your client python3 jans-cli-tui-linux-ubuntu-X86-64.pyz --host --client-id --client-secret --no-tui --operation-id=post-oauth-openid-client --data /schema-json-file.json After the client is successfully registered, there will be data that describes the newly registered client. Some of these values, like inum and clientSecret , will be required before we configure mod_auth_openidc So keep in mind that we shall get back to this. Create an Application Container # An application docker container will be run locally which will act as the protected resource (PR) / external application. The following files have code for the small application. We shall create a directory locally / on your machine called test and add the required files. 
Firstly create a project folder named test by running mkdir test && cd test and add the following files with their content; app.conf ServerRoot \"/usr/local/apache2\" Listen 80 LoadModule mpm_event_module modules/mod_mpm_event.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule include_module modules/mod_include.so LoadModule filter_module modules/mod_filter.so LoadModule mime_module modules/mod_mime.so LoadModule log_config_module modules/mod_log_config.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule unixd_module modules/mod_unixd.so LoadModule dir_module modules/mod_dir.so User daemon Group daemon AllowOverride none Require all denied DocumentRoot \"/usr/local/apache2/htdocs\" Options Indexes FollowSymLinks Includes AllowOverride None Require all granted SetEnvIf X-Remote-User \"(.*)\" REMOTE_USER=$0 SetEnvIf X-Remote-User-Name \"(.*)\" REMOTE_USER_NAME=$0 SetEnvIf X-Remote-User-Email \"(.*)\" REMOTE_USER_EMAIL=$0 DirectoryIndex index.html Require all denied ErrorLog /proc/self/fd/2 LogLevel warn LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" combined LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b\" common CustomLog /proc/self/fd/1 common TypesConfig conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz AddType text/html .shtml AddOutputFilter INCLUDES .shtml user.shtml Hello User

Hello !

You authenticated as:

Your email address is:

Environment:

!

index.html Hello World

Hello world!

Dockerfile FROM httpd:2.4.54@sha256:c9eba4494b9d856843b49eb897f9a583a0873b1c14c86d5ab77e5bdedd6ad05d # \"Created\": \"2022-06-08T18:45:46.260791323Z\" , \"Version\":\"2.4.54\" RUN apt-get update \\ && apt-get install -y --no-install-recommends wget ca-certificates libcjose0 libhiredis0.14 apache2-api-20120211 apache2-bin\\ && wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.4.11.2/libapache2-mod-auth-openidc_2.4.11.2-1.buster+1_amd64.deb \\ && dpkg -i libapache2-mod-auth-openidc_2.4.11.2-1.buster+1_amd64.deb \\ && ln -s /usr/lib/apache2/modules/mod_auth_openidc.so /usr/local/apache2/modules/mod_auth_openidc.so \\ && rm -rf /var/log/dpkg.log /var/log/alternatives.log /var/log/apt \\ && touch /usr/local/apache2/conf/extra/secret.conf \\ && touch /usr/local/apache2/conf/extra/oidc.conf RUN echo \"\\n\\nLoadModule auth_openidc_module modules/mod_auth_openidc.so\\n\\nInclude conf/extra/secret.conf\\nInclude conf/extra/oidc.conf\\n\" >> /usr/local/apache2/conf/httpd.conf gluu.secret.conf OIDCClientID OIDCCryptoPassphrase OIDCClientSecret OIDCResponseType code OIDCScope \"openid email profile\" OIDCProviderTokenEndpointAuth client_secret_basic OIDCSSLValidateServer Off OIDCRedirectURI http://localhost:8111/oauth2callback OIDCCryptoPassphrase Require valid-user AuthType openid-connect After, run an Apache container which will play the role of an application being protected by the authenticating reverse proxy. docker run -dit -p 8110:80 \\ -v \"$PWD/app.conf\":/usr/local/apache2/conf/httpd.conf \\ -v \"$PWD/index.html\":/usr/local/apache2/htdocs/index.html \\ -v \"$PWD/user.shtml\":/usr/local/apache2/htdocs/user.shtml \\ --name apache-app httpd:2.4 Note that we are using a popular pre-built image useful for acting as a reverse proxy for authentication in front of an application. It contains a stripped-down Apache with minimal modules, and adds the mod_auth_openidc module for performing OpenID Connect authentication. 
Make a test curl command call to ensure you get back some content as shown in the screenshot below curl http://localhost:8110/user.shtml Create an Authenticating Reverse Proxy Container # We shall use Apache, but this time we use a Docker image that has mod_auth_oidc installed and configured. This proxy will require authentication, handle the authentication flow with redirects, and then forward requests to the application. In order to use this, you will need to have registered a new OpenID Connect client on the Janssen server. We did that in the step 1 above Add the following files to the test folder. oidc.conf # Unset to make sure clients can't control these RequestHeader unset X-Remote-User RequestHeader unset X-Remote-User-Name RequestHeader unset X-Remote-User-Email # If you want to see tons of logs for your experimentation #LogLevel trace8 OIDCClientID OIDCProviderMetadataURL https://idp-proxy.med.stanford.edu/auth/realms/med-all/.well-known/openid-configuration #OIDCProviderMetadataURL https://idp-proxy-stage.med.stanford.edu/auth/realms/choir/.well-known/openid-configuration OIDCRedirectURI http://localhost:8111/oauth2callback OIDCScope \"openid email profile\" OIDCRemoteUserClaim principal OIDCPassClaimsAs environment AuthType openid-connect Require valid-user ProxyPass http://app:80/ ProxyPassReverse http://app:80/ RequestHeader set X-Remote-User %{OIDC_CLAIM_principal}e RequestHeader set X-Remote-User-Name %{OIDC_CLAIM_name}e RequestHeader set X-Remote-User-Email %{OIDC_CLAIM_email}e proxy.conf # This is the main Apache HTTP server configuration file. For documentation, see: # http://httpd.apache.org/docs/2.4/ # http://httpd.apache.org/docs/2.4/mod/directives.html # # This is intended to be a hardened configuration, with minimal security surface area necessary # to run mod_auth_openidc. 
ServerRoot \"/usr/local/apache2\" Listen 80 LoadModule mpm_event_module modules/mod_mpm_event.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_core_module modules/mod_authn_core.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule access_compat_module modules/mod_access_compat.so LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule reqtimeout_module modules/mod_reqtimeout.so LoadModule filter_module modules/mod_filter.so LoadModule mime_module modules/mod_mime.so LoadModule log_config_module modules/mod_log_config.so LoadModule env_module modules/mod_env.so LoadModule headers_module modules/mod_headers.so LoadModule setenvif_module modules/mod_setenvif.so #LoadModule version_module modules/mod_version.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule unixd_module modules/mod_unixd.so #LoadModule status_module modules/mod_status.so #LoadModule autoindex_module modules/mod_autoindex.so LoadModule dir_module modules/mod_dir.so LoadModule alias_module modules/mod_alias.so User daemon Group daemon ServerAdmin you@example.com AllowOverride none Require all denied DocumentRoot \"/usr/local/apache2/htdocs\" Options Indexes FollowSymLinks AllowOverride None Require all granted DirectoryIndex index.html Options None Require all denied Require all denied ErrorLog /proc/self/fd/2 LogLevel warn LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" combined LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b\" common LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\" %I %O\" combinedio CustomLog /proc/self/fd/1 common ScriptAlias /cgi-bin/ \"/usr/local/apache2/cgi-bin/\" AllowOverride None Options None Require all granted 
RequestHeader unset Proxy early TypesConfig conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz Include conf/extra/proxy-html.conf SSLRandomSeed startup builtin SSLRandomSeed connect builtin TraceEnable off ServerTokens Prod ServerSignature Off LoadModule auth_openidc_module modules/mod_auth_openidc.so Include conf/extra/secret.conf Include conf/extra/oidc.conf Edit the file to include the client secret for the client you created during DCR, and add a securely generated pass phrase for the session keys docker build --pull -t apache-oidc -f Dockerfile . docker run -dit -p 8111:80 \\ -v \"$PWD/proxy.conf\":/usr/local/apache2/conf/httpd.conf \\ -v \"$PWD/gluu.secret.conf\":/usr/local/apache2/conf/extra/secret.conf \\ -v \"$PWD/oidc.conf\":/usr/local/apache2/conf/extra/oidc.conf \\ --link apache-app:app \\ --name apache-proxy apache-oidc Now open a fresh web browser with private (incognito) mode, and go to this url http://localhost:8111/user.shtml To check the proxy logs docker logs -f apache-proxy To see the app logs docker logs -f apache-app If you modified the configuration files, just restart the proxy. docker restart apache-proxy","title":"Getting Started with Rancher"},{"location":"admin/recipes/getting-started-rancher/#overview","text":"Gluu Flex (\u201cFlex\u201d) is a cloud-native digital identity platform that enables organizations to authenticate and authorize people and software through the use of open standards like OpenID Connect, OAuth, and FIDO. It is a downstream commercial distribution of the Linux Foundation Janssen Project software, plus a web administration tool(Gluu Admin-UI). SUSE Rancher\u2019s helm-based deployment approach simplifies the deployment and configuration of Flex, enabling organizations to take advantage of Flex\u2019s modular design to improve their security posture while simultaneously enabling just-in-time auto-scaling. 
The key services of Flex include: (REQUIRED) Jans Auth Server : This component is the OAuth Authorization Server, the OpenID Connect Provider, and the UMA Authorization Server for person and software authentication. This service must be Internet-facing. (REQUIRED) Jans Config API : The API to configure the auth-server and other components is consolidated in this component. This service should not be Internet-facing. Gluu Admin UI : Web admin tool for ad-hoc configuration. Jans Fido : This component provides the server-side endpoints to enroll and validate devices that use FIDO. It provides both FIDO U2F (register, authenticate) and FIDO 2 (attestation, assertion) endpoints. This service must be Internet-facing. Jans SCIM : System for Cross-domain Identity Management ( SCIM ) is JSON/REST API to manage user data. Use it to add, edit and update user information. This service should not be Internet-facing. Jans Casa : A self-service web portal for end-users to manage authentication and authorization preferences for their account in the Gluu Flex server. Typically, it enables people to manage their MFA credentials, like FIDO tokens and OTP authenticators. It's also extensible if your organization has any other self-service requirements.","title":"Overview"},{"location":"admin/recipes/getting-started-rancher/#building-blocks","text":"","title":"Building Blocks"},{"location":"admin/recipes/getting-started-rancher/#scope","text":"In this Quickstart Guide, we will: Deploy Flex and add some users. Enable two-factor authentication. 
Protect content on an Apache web server with OpenID Connect.","title":"Scope"},{"location":"admin/recipes/getting-started-rancher/#audience","text":"This document is intended for DevOps engineers, site reliability engineers (SREs), platform engineers, software engineers, and developers who are responsible for managing and running stateful workloads in Kubernetes clusters.","title":"Audience"},{"location":"admin/recipes/getting-started-rancher/#technical-overview","text":"In addition to the core services listed in the Introduction above, the SUSE Rancher deployment includes the following components: PostgreSQL/MySQL : SQL database dialect used to store configuration, people clients, sessions and other data needed for Gluu Flex operation. Cert Manager : Used for managing X.509 certificates and crypto keys lifecycle in Janssen Server. Key Rotation : A cronjob that implements Cert Manager to rotate the auth keys Configuration job : loads (generate/restore) and dumps (backup) the configuration and secrets. Persistence job : This job loads initial data for the backend used (SQL or Couchbase). ConfigMaps : Stores configuration needed for Flex environment setup. Secrets : Contains sensitive or confidential data such as a password, a token, or a key.","title":"Technical overview"},{"location":"admin/recipes/getting-started-rancher/#config-and-secret-keys","text":"The Configuration job creates a set of configurations and secrets used by all services in the Flex setup. 
To check the values of the configuration keys(configmaps) in the installation: kubectl get cm cn -o json -n To check the values of the secret keys in installation: kubectl get secret cn -o json -n ","title":"Config and Secret keys"},{"location":"admin/recipes/getting-started-rancher/#gluu-config-keys","text":"Key Example Values admin_email team@gluu.org admin_inum d3afef58-c026-4514-9d4c-e0a3efb4c29d admin_ui_client_id 1901.a6575c1e-4688-4c11-8c95-d9e570b13ee8 auth_enc_keys RSA1_5 RSA-OAEP auth_key_rotated_at 1653517558 auth_legacyIdTokenClaims false auth_openidScopeBackwardCompatibility false auth_openid_jks_fn /etc/certs/auth-keys.jks auth_openid_jwks_fn /etc/certs/auth-keys.json casa_client_id 0008-db36db1f-025e-4164-aeed-f82df064eee8 auth_sig_keys RS256 RS384 RS512 ES256 ES384 ES512 PS384 PS512 city Austin country_code US default_openid_jks_dn_name CN=Janssen Auth CA Certificate fido2ConfigFolder /etc/jans/conf/fido2 hostname demoexample.gluu.org jca_client_id 1801.4df6c3ba-ebf6-4836-8fb5-6da927586f61 optional_scopes [\\\"casa\\\", \\\"sql\\\", \\\"fido2\\\", \\\"scim\\\"] orgName Gluu tui_client_id 2000.9313cd4b-147c-4a67-96be-8a69ddbaf7e9 scim_client_id 1201.1cbcc731-3fca-4668-a480-1b5f5a7d6a53 state TX token_server_admin_ui_client_id 1901.57a858dc-69f3-4967-befe-e089fe376638","title":"Gluu Config Keys"},{"location":"admin/recipes/getting-started-rancher/#gluu-secret-keys","text":"Key Example Values admin_ui_client_encoded_pw QlBMMTZUZWVYeWczVlpNUk1XN0pzdzrg admin_ui_client_pw WnJYZEcyVlNBWG9d auth_jks_base64 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx auth_openid_jks_pass TWZoR3Rlb0NnUHEP auth_openid_key_base64 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx casa_client_encoded_pw b3NabG9oVGNncFVVWFpxNEJMU3V0dzrg casa_client_pw M1g0Z1dEbGNPQ19d encoded_admin_password e3NzaGF9eGpOaDRyblU3dzJZbmpPclovMUlheTdkR0RrOTdLe encoded_salt Um9NSEJnOU9IbTRvRkJHVVZETVZIeXEP jca_client_encoded_pw Um9NSEJnOU9IbTRvRkJHVVZETVZIeX58 jca_client_pw Um9NSEJnOU9IbTRvR otp_configuration 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx pairwiseCalculationKey ZHd2VW01Y3VOUW6638ZHd2VW pairwiseCalculationSalt ZHd2VW01Y3VOUW6638ZHd2VW0 plugins_admin_ui_properties xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx tui_client_encoded_pw ZHd2VW01Y3VOUW66388PS512 tui_client_pw AusZHd2VW01Y3VOUW6638 scim_client_encoded_pw UZHd2VW01Y3VOUW6638ZHd2VW01Y3VOUW6638 scim_client_pw ZHd2VW01Y3VOUW6638 sql_password ZHd2VW01Y3V638 ssl_ca_cert xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_ca_key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_cert xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_csr xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx super_gluu_creds xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx3 token_server_admin_ui_client_encoded_pw Q1Z1cmtYWUlYSVg4U2tLTldVcnZVTUF token_server_admin_ui_client_pw ZHd2VW01Y3VOUW6638","title":"Gluu Secret Keys"},{"location":"admin/recipes/getting-started-rancher/#prerequisites","text":"SUSE Rancher installed with an accessible UI Kubernetes cluster running on SUSE Rancher with at least 1 worker node Sufficient RBAC permissions to deploy and manage applications in the cluster. LinuxIO kernel modules on the worker nodes Docker running locally (Linux preferred) Essential tools and CLI utilities are installed on your local workstation and are available in your $PATH : curl , kubectl An entry in the /etc/hosts file of your local workstation to resolve the hostname of the Gluu Flex installation. This step is for testing purposes.","title":"Prerequisites"},{"location":"admin/recipes/getting-started-rancher/#installation","text":"Summary of steps : Install Database: Note For the Database test setup to work, a PV provisioner support must be present in the underlying infrastructure.","title":"Installation"},{"location":"admin/recipes/getting-started-rancher/#install-postgresql-database","text":"Note If you are willing to use MySQL installation, skip this section and head to the Install MySQL section. 
To install a quick setup with PostgreSQL as the backend, you need to provide the connection parameters of a fresh setup. For a test setup, you can follow the below instructions: Apps --> Charts and search for Postgres . Click on Install on the right side of the window. Create a new namespace called postgres and hit Next . You should be on the Edit YAML page. Modify the below keys as desired. These values will be inputted in the installation of Gluu Flex Key auth.database auth.username auth.password Click Install at the bottom right of the page.","title":"Install PostgreSQL database"},{"location":"admin/recipes/getting-started-rancher/#install-mysql-database","text":"Note Skip this section if you installed PostgreSQL . This section is only needed if you are willing to use MySQL. To install a quick setup with MySQL as the backend, you need to provide the connection parameters of a fresh setup. For a test setup, you can follow the below instructions: Open a kubectl shell from the top right navigation menu >_ . Run: helm repo add bitnami https://charts.bitnami.com/bitnami helm repo update kubectl create ns gluu #Create gluu namespace Pass in a custom password for the database. Here we used Test1234# . The admin user will be left as root . Notice we are installing in the gluu namespace. Run helm install my-release --set auth.rootPassword=Test1234#,auth.database=jans bitnami/mysql -n gluu","title":"Install MySQL database"},{"location":"admin/recipes/getting-started-rancher/#successful-installation","text":"After the installation is successful, you should have a Statefulset active in the rancher UI as shown in the screenshot below. 
Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx To get the Loadbalancer IP: kubectl get svc nginx-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}' Install Gluu Flex: Head to Apps --> Charts and search for Gluu Click on Install on the right side of the window. Change the namespace from default to gluu , then click on Next . Scroll through the sections to get familiar with the options. For minimal setup follow with the next instructions. Add License SSA . Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Click on the Persistence section. Change SQL database host uri to postgresql.postgres.svc.cluster.local in the case of PostgreSQL or my-release-mysql.gluu.svc.cluster.local in the case of MySQL . Also set SQL database username , SQL password , and SQL database name to the values you used during the database installation. To enable Casa and the Admin UI, navigate to the Optional Services section and check the Enable casa and boolean flag to enable admin UI boxes. You can also enable different services like Client API and Jackrabbit . Click on the section named Ingress and enable all the endpoints. You might add LB IP or address if you don't have FQDN for Gluu . To pass your FQDN or Domain that is intended to serve the Gluu Flex IDP, head to the Configuration section: Add your FQDN and check the box Is the FQDN globally resolvable . Click on the Edit YAML tab and add your FQDN to nginx-ingress.ingress.hosts and nginx-ingress.ingress.tls.hosts . Click on Install on the bottom right of the window. Note You can upgrade your installation after the deployment. 
To do that, go to the SUSE Rancher Dashboard -> Apps -> Installed Apps -> gluu -> Click on the 3 dots on the right -> Upgrade -> Make your changes -> Click Update. The running deployment and services of different Gluu Flex components like casa , admin-ui , scim , auth-server , etc can be viewed by navigating through the SUSE Rancher. Go to Workloads and see the running pods. Go under Service Discovery and checkout the Ingresses and Services . All deployed components should be in a healthy and running state like in the screenshot shown below.","title":"Successful Installation"},{"location":"admin/recipes/getting-started-rancher/#connecting-to-the-setup","text":"Note You can skip this section if you have a globally resolvable FQDN . In the event you used microk8s or your fqdn is not registered, the below steps will help with connecting to your setup. To access the setup from a browser or another VM, we need to change the ingress class annotation from kubernetes.io/ingress.class: nginx to kubernetes.io/ingress.class: public e.g., for the specific component you want to access publicly in the browser; Navigate through the SUSE Rancher UI to Service Discovery -> Ingresses Choose the ingress for the targeted component. For example gluu-nginx-ingress-auth-server for auth-server Click on the three dots in the top right corner Click on Edit Yaml On line 8, change the kubernetes.io/ingress.class annotation value from nginx to public Click Save The LoadBalancer IP needs to get mapped inside /etc/hosts with the domain chosen for gluu flex . 
If the domain you used in the setup is demoexample.gluu.org: 3.65.27.95 demoexample.gluu.org You can do the same edit for every component you want to access publicly from the browser.","title":"Connecting to the Setup"},{"location":"admin/recipes/getting-started-rancher/#testing-configuration-endpoints","text":"Try accessing some Gluu Flex endpoints like https://demoexample.gluu.org/.well-known/openid-configuration in the browser and you'll get back a JSON response; Note that you can also access those endpoints via curl command, E.g. curl -k https://demoexample.gluu.org/.well-known/openid-configuration You should get a similar response like the one below; {\"version\":\"1.1\",\"issuer\":\"https://demoexample.gluu.org\",\"attestation\":{\"base_path\":\"https://demoexample.gluu.org/jans-fido2/restv1/attestation\",\"options_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/attestation/options\",\"result_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/attestation/result\"},\"assertion\":{\"base_path\":\"https://demoexample.gluu.org/jans-fido2/restv1/assertion\",\"options_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/assertion/options\",\"result_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/assertion/result\"}}","title":"Testing Configuration endpoints"},{"location":"admin/recipes/getting-started-rancher/#login-and-add-a-new-user","text":"After inputting the license keys, you can then use admin and the password you set to login to the Admin UI and you should see the Admin UI dashboard. You could also add another test user via the admin UI that will be used for testing Casa and 2FA as shown in the screenshot below. Navigate to Users and click on + in the top right corner to add a user.","title":"Login and Add a New User"},{"location":"admin/recipes/getting-started-rancher/#testing-casa","text":"Jans Casa (\"Casa\") is a self-service web portal for managing account security preferences. 
The primary use case for Casa is self-service 2FA, but other use cases and functionalities can be supported via Casa plugins. Although you have not enabled two-factor authentication yet, you should still be able to login to Casa as the admin user and the password is the one you set during installation. Point your browser to https://demoexample.gluu.org/jans-casa and you should be welcomed by the Casa login page as shown below. After logging in, you'll be welcomed by the home page as shown below.","title":"Testing Casa"},{"location":"admin/recipes/getting-started-rancher/#enabling-two-factor-authentication","text":"In this part, we are going to enable two standard authentication mechanisms: OTP and FIDO. This can be done through the admin UI. 2FA can be turned on by clicking the switch in the Second Factor Authentication widget. By default, you will be able to choose from a few 2FA policies: Always (upon every login attempt) If the location (e.g. city) detected in the login attempt is unrecognized If the device used to login is unrecognized To reduce the chance of account lockout, enroll at least two different types of 2FA credentials -- e.g. one security key and one OTP app; or one OTP app and one SMS phone number, etc. This way, regardless of which device you're using to access a protected resource, you will have a usable option for passing strong authentication. To enable 2FA, firstly the OTP and FIDO components have to be enabled in the Casa admin UI then login to Casa as an end user, and register an OTP device (i.e. Google Authenticator) and a FIDO device. Register OTP device To add a new OTP token, navigate to 2FA credentials > OTP Tokens. 
You can either add a soft OTP token by choosing the Soft token option or a hard token by choosing the Hard Token Option Check the soft OTP token and click ready Before proceeding to the next step, Download Google Authenticator from Google Play or Appstore Then proceed and scan the QR code with your app Enter the 6-digit code that appears in your authenticator app and validate the enrollment. Register Fido device To add a new FIDO 2 credential, navigate to 2FA credentials > Security Keys and built-in Platform Authenticators Insert the fido key and click Ready. Casa will prompt you to press the button on the key. Add a nickname and click Add. Once added, the new device will appear in a list on the same page. Click the pencil to edit the device's nickname","title":"Enabling Two-Factor Authentication"},{"location":"admin/recipes/getting-started-rancher/#testing-apache-oidc-locally","text":"In this part, we are going to use docker to locally configure an apache web server, and then install the mod_auth_openidc module and configure it accordingly. Using local docker containers, our approach is to first register a client, then spin up two Apache containers, one serving static content (with server-side includes configured so we can display headers and environment information), and one acting as the OpenID Connect authenticating reverse proxy.","title":"Testing Apache OIDC Locally"},{"location":"admin/recipes/getting-started-rancher/#register-an-openid-connect-client","text":"On the Janssen server, you can register a new client in the Flex Admin UI or the jans-cli. In this section, we are going to show both ways of doing it from the Admin UI and using jans-cli","title":"Register an OpenID Connect client"},{"location":"admin/recipes/getting-started-rancher/#admin-ui","text":"Navigate to Auth server -> Clients and click on + in the top right corner to create a client. 
Take note of the following keys:values because they configure the right client that we need scopes: email_,openid_,profile responseTypes: code The screenshot below shows an example of the Admin UI section from where a client is created","title":"Admin UI"},{"location":"admin/recipes/getting-started-rancher/#jans-tui","text":"On the Janssen server, we are going to register a new client using the jans-cli. There are two ways you can register an OIDC client with the Janssen server, Manual Client Registration and Dynamic Client Registration (DCR). Here we will use manual client registration. We will use jans-tui tool provided by the Janssen server. jans-tui has a menu-driven interface that makes it easy to configure the Janssen server. Here we will use the menu-driven approach to register a new client. Download jans-cli-tui from the release assets depending on your OS. For example: wget https://github.com/JanssenProject/jans/releases/download/vreplace-janssen-version/jans-cli-tui-linux-ubuntu-X86-64.pyz Now we have jans-cli-tui-linux-ubuntu-X86-64.pyz downloaded. Now we can grab the FQDN, client-id, client-secret, and connect using the following commands: FQDN= #Add your FQDN here TUI_CLIENT_ID=$(kubectl get cm cn -n --template={{.data.tui_client_id}}) TUI_CLIENT_SECRET=$(kubectl get secret cn -n --template={{.data.tui_client_pw}} | base64 -d) #add -noverify if your FQDN is not registered Get schema file using this command python3 jans-cli-tui-linux-ubuntu-X86-64.pyz --host --client-id --client-secret --no-tui --schema /components/schemas/Client Add values for required params and store this JSON in a text file. Take keynote of the following properties. 
schema-json-file.json { \"dn\": null, \"inum\": null, \"displayName\": \"\", \"clientSecret\": \"\", \"frontChannelLogoutUri\": null, \"frontChannelLogoutSessionRequired\": null, \"registrationAccessToken\": null, \"clientIdIssuedAt\": null, \"clientSecretExpiresAt\": null, \"redirectUris\": [ \"\" ], \"claimRedirectUris\": null, \"responseTypes\": [ \"code\" ], \"grantTypes\": [ \"authorization_code\" ], \"applicationType\": \"web\", \"contacts\": null, \"idTokenTokenBindingCnf\": null, \"logoUri\": null, \"clientUri\": null, \"policyUri\": null, \"tosUri\": null, \"jwksUri\": null, \"jwks\": null, \"sectorIdentifierUri\": null, \"subjectType\": \"public\", \"idTokenSignedResponseAlg\": null, \"idTokenEncryptedResponseAlg\": null, \"idTokenEncryptedResponseEnc\": null, \"userInfoSignedResponseAlg\": null, \"userInfoEncryptedResponseAlg\": null, \"userInfoEncryptedResponseEnc\": null, \"requestObjectSigningAlg\": null, \"requestObjectEncryptionAlg\": null, \"requestObjectEncryptionEnc\": null, \"tokenEndpointAuthMethod\": \"client_secret_basic\", \"tokenEndpointAuthSigningAlg\": null, \"defaultMaxAge\": null, \"requireAuthTime\": null, \"defaultAcrValues\": null, \"initiateLoginUri\": null, \"postLogoutRedirectUris\": null, \"requestUris\": null, \"scopes\": [ \"email\", \"openid\", \"profile\" ], \"claims\": null, \"trustedClient\": false, \"lastAccessTime\": null, \"lastLogonTime\": null, \"persistClientAuthorizations\": null, \"includeClaimsInIdToken\": false, \"refreshTokenLifetime\": null, \"accessTokenLifetime\": null, \"customAttributes\": null, \"customObjectClasses\": null, \"rptAsJwt\": null, \"accessTokenAsJwt\": null, \"accessTokenSigningAlg\": null, \"disabled\": false, \"authorizedOrigins\": null, \"softwareId\": null, \"softwareVersion\": null, \"softwareStatement\": null, \"attributes\": null, \"backchannelTokenDeliveryMode\": null, \"backchannelClientNotificationEndpoint\": null, \"backchannelAuthenticationRequestSigningAlg\": null, 
\"backchannelUserCodeParameter\": null, \"expirationDate\": null, \"deletable\": false, \"jansId\": null, \"description\": null } Now you can use that JSON file as input to the command below and register your client python3 jans-cli-tui-linux-ubuntu-X86-64.pyz --host --client-id --client-secret --no-tui --operation-id=post-oauth-openid-client --data /schema-json-file.json After the client is successfully registered, there will be data that describes the newly registered client. Some of these values, like inum and clientSecret , will be required before we configure mod_auth_openidc So keep in mind that we shall get back to this.","title":"Jans TUI"},{"location":"admin/recipes/getting-started-rancher/#create-an-application-container","text":"An application docker container will be run locally which will act as the protected resource (PR) / external application. The following files have code for the small application. We shall create a directory locally / on your machine called test and add the required files. 
Firstly create a project folder named test by running mkdir test && cd test and add the following files with their content; app.conf ServerRoot \"/usr/local/apache2\" Listen 80 LoadModule mpm_event_module modules/mod_mpm_event.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule include_module modules/mod_include.so LoadModule filter_module modules/mod_filter.so LoadModule mime_module modules/mod_mime.so LoadModule log_config_module modules/mod_log_config.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule unixd_module modules/mod_unixd.so LoadModule dir_module modules/mod_dir.so User daemon Group daemon AllowOverride none Require all denied DocumentRoot \"/usr/local/apache2/htdocs\" Options Indexes FollowSymLinks Includes AllowOverride None Require all granted SetEnvIf X-Remote-User \"(.*)\" REMOTE_USER=$0 SetEnvIf X-Remote-User-Name \"(.*)\" REMOTE_USER_NAME=$0 SetEnvIf X-Remote-User-Email \"(.*)\" REMOTE_USER_EMAIL=$0 DirectoryIndex index.html Require all denied ErrorLog /proc/self/fd/2 LogLevel warn LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" combined LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b\" common CustomLog /proc/self/fd/1 common TypesConfig conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz AddType text/html .shtml AddOutputFilter INCLUDES .shtml user.shtml Hello User

Hello !

You authenticated as:

Your email address is:

Environment:

!

index.html Hello World

Hello world!

Dockerfile FROM httpd:2.4.54@sha256:c9eba4494b9d856843b49eb897f9a583a0873b1c14c86d5ab77e5bdedd6ad05d # \"Created\": \"2022-06-08T18:45:46.260791323Z\" , \"Version\":\"2.4.54\" RUN apt-get update \\ && apt-get install -y --no-install-recommends wget ca-certificates libcjose0 libhiredis0.14 apache2-api-20120211 apache2-bin\\ && wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.4.11.2/libapache2-mod-auth-openidc_2.4.11.2-1.buster+1_amd64.deb \\ && dpkg -i libapache2-mod-auth-openidc_2.4.11.2-1.buster+1_amd64.deb \\ && ln -s /usr/lib/apache2/modules/mod_auth_openidc.so /usr/local/apache2/modules/mod_auth_openidc.so \\ && rm -rf /var/log/dpkg.log /var/log/alternatives.log /var/log/apt \\ && touch /usr/local/apache2/conf/extra/secret.conf \\ && touch /usr/local/apache2/conf/extra/oidc.conf RUN echo \"\\n\\nLoadModule auth_openidc_module modules/mod_auth_openidc.so\\n\\nInclude conf/extra/secret.conf\\nInclude conf/extra/oidc.conf\\n\" >> /usr/local/apache2/conf/httpd.conf gluu.secret.conf OIDCClientID OIDCCryptoPassphrase OIDCClientSecret OIDCResponseType code OIDCScope \"openid email profile\" OIDCProviderTokenEndpointAuth client_secret_basic OIDCSSLValidateServer Off OIDCRedirectURI http://localhost:8111/oauth2callback OIDCCryptoPassphrase Require valid-user AuthType openid-connect After, run an Apache container which will play the role of an application being protected by the authenticating reverse proxy. docker run -dit -p 8110:80 \\ -v \"$PWD/app.conf\":/usr/local/apache2/conf/httpd.conf \\ -v \"$PWD/index.html\":/usr/local/apache2/htdocs/index.html \\ -v \"$PWD/user.shtml\":/usr/local/apache2/htdocs/user.shtml \\ --name apache-app httpd:2.4 Note that we are using a popular pre-built image useful for acting as a reverse proxy for authentication in front of an application. It contains a stripped-down Apache with minimal modules, and adds the mod_auth_openidc module for performing OpenID Connect authentication. 
Make a test curl command call to ensure you get back some content as shown in the screenshot below curl http://localhost:8110/user.shtml","title":"Create an Application Container"},{"location":"admin/recipes/getting-started-rancher/#create-an-authenticating-reverse-proxy-container","text":"We shall use Apache, but this time we use a Docker image that has mod_auth_oidc installed and configured. This proxy will require authentication, handle the authentication flow with redirects, and then forward requests to the application. In order to use this, you will need to have registered a new OpenID Connect client on the Janssen server. We did that in the step 1 above Add the following files to the test folder. oidc.conf # Unset to make sure clients can't control these RequestHeader unset X-Remote-User RequestHeader unset X-Remote-User-Name RequestHeader unset X-Remote-User-Email # If you want to see tons of logs for your experimentation #LogLevel trace8 OIDCClientID OIDCProviderMetadataURL https://idp-proxy.med.stanford.edu/auth/realms/med-all/.well-known/openid-configuration #OIDCProviderMetadataURL https://idp-proxy-stage.med.stanford.edu/auth/realms/choir/.well-known/openid-configuration OIDCRedirectURI http://localhost:8111/oauth2callback OIDCScope \"openid email profile\" OIDCRemoteUserClaim principal OIDCPassClaimsAs environment AuthType openid-connect Require valid-user ProxyPass http://app:80/ ProxyPassReverse http://app:80/ RequestHeader set X-Remote-User %{OIDC_CLAIM_principal}e RequestHeader set X-Remote-User-Name %{OIDC_CLAIM_name}e RequestHeader set X-Remote-User-Email %{OIDC_CLAIM_email}e proxy.conf # This is the main Apache HTTP server configuration file. For documentation, see: # http://httpd.apache.org/docs/2.4/ # http://httpd.apache.org/docs/2.4/mod/directives.html # # This is intended to be a hardened configuration, with minimal security surface area necessary # to run mod_auth_openidc. 
ServerRoot \"/usr/local/apache2\" Listen 80 LoadModule mpm_event_module modules/mod_mpm_event.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_core_module modules/mod_authn_core.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule access_compat_module modules/mod_access_compat.so LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule reqtimeout_module modules/mod_reqtimeout.so LoadModule filter_module modules/mod_filter.so LoadModule mime_module modules/mod_mime.so LoadModule log_config_module modules/mod_log_config.so LoadModule env_module modules/mod_env.so LoadModule headers_module modules/mod_headers.so LoadModule setenvif_module modules/mod_setenvif.so #LoadModule version_module modules/mod_version.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule unixd_module modules/mod_unixd.so #LoadModule status_module modules/mod_status.so #LoadModule autoindex_module modules/mod_autoindex.so LoadModule dir_module modules/mod_dir.so LoadModule alias_module modules/mod_alias.so User daemon Group daemon ServerAdmin you@example.com AllowOverride none Require all denied DocumentRoot \"/usr/local/apache2/htdocs\" Options Indexes FollowSymLinks AllowOverride None Require all granted DirectoryIndex index.html Options None Require all denied Require all denied ErrorLog /proc/self/fd/2 LogLevel warn LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" combined LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b\" common LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\" %I %O\" combinedio CustomLog /proc/self/fd/1 common ScriptAlias /cgi-bin/ \"/usr/local/apache2/cgi-bin/\" AllowOverride None Options None Require all granted 
RequestHeader unset Proxy early TypesConfig conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz Include conf/extra/proxy-html.conf SSLRandomSeed startup builtin SSLRandomSeed connect builtin TraceEnable off ServerTokens Prod ServerSignature Off LoadModule auth_openidc_module modules/mod_auth_openidc.so Include conf/extra/secret.conf Include conf/extra/oidc.conf Edit the file to include the client secret for the client you created during DCR, and add a securely generated pass phrase for the session keys docker build --pull -t apache-oidc -f Dockerfile . docker run -dit -p 8111:80 \\ -v \"$PWD/proxy.conf\":/usr/local/apache2/conf/httpd.conf \\ -v \"$PWD/gluu.secret.conf\":/usr/local/apache2/conf/extra/secret.conf \\ -v \"$PWD/oidc.conf\":/usr/local/apache2/conf/extra/oidc.conf \\ --link apache-app:app \\ --name apache-proxy apache-oidc Now open a fresh web browser with private (incognito) mode, and go to this url http://localhost:8111/user.shtml To check the proxy logs docker logs -f apache-proxy To see the app logs docker logs -f apache-app If you modified the configuration files, just restart the proxy. docker restart apache-proxy","title":"Create an Authenticating Reverse Proxy Container"},{"location":"admin/saml/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Index"},{"location":"admin/saml/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"admin/saml/idp/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. 
Keep an eye on this page for updates.","title":"Idp"},{"location":"admin/saml/idp/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"admin/saml/proxy/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Proxy"},{"location":"admin/saml/proxy/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"includes/cn-system-requirements/","text":"The resources may be set minimally to the below: 8-13 GB RAM based on the services deployed 8-11 CPU cores based on the services deployed 50GB hard-disk Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may be increase or decrease. Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No kc-scheduler - job 0.3 0.3GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0","title":"Cn system requirements"},{"location":"install/","tags":["administration","installation"],"text":"Installation Overview # The goal of Gluu Flex is to give you a lot of deployment options. 
This is a challenge--the more ways to install, the more ways for things to go wrong! But to build a large community, we need to provide ways to install the software in enough different ways to make at least the bulk of the community happy. Currently, that means the following installation options: VM packages for Ubuntu, SUSE and Red Hat Helm deployments for Amazon, Google, Microsoft and Rancher Docker monolith deployment for development / testing (not production) Minimal Configuration # It turns out that just installing the Flex binary object code (i.e. the bits), is totally useless. That's because in order to do anything useful with Gluu Flex, you need a minimal amount of configuration. For example, you need to generate cryptographic key pairs, you need to generate a minimal amount of data in the database, you need to generate some web server TLS certificates. For this reason, for most of the platforms, installation is a three step process. Step 1, install the bits. Step 2, run \"setup\" and answer some basic question (like the hostname of your IDP). Step 3, fire up a configuration tool to perform any other last mile configuration. Databases # Gluu Flex gives you a few options to store data: MySQL, Postgres, Couchbase, Amazon Aurora, and Spanner. You can also configure an in-memory cache server like Redis. Sometimes installation and configuration of this database is included in the setup process. Sometimes, you need to setup the database ahead of time. Please refer to the database instructions specific for your choice. And of course, you may need to refer to the database documentation itself--we don't want to duplicate any of that third party content. Optimization # Remember, installation is just a starting point. To get peak performance, you may need to tweak some of the configuration dials for your system or the database. 
If you intend to deploy a Gluu Flex in production for high concurrency, make sure you benchmark the exact flows you expect to serve in production.","title":"Installation Overview"},{"location":"install/#installation-overview","text":"The goal of Gluu Flex is to give you a lot of deployment options. This is a challenge--the more ways to install, the more ways for things to go wrong! But to build a large community, we need to provide ways to install the software in enough different ways to make at least the bulk of the community happy. Currently, that means the following installation options: VM packages for Ubuntu, SUSE and Red Hat Helm deployments for Amazon, Google, Microsoft and Rancher Docker monolith deployment for development / testing (not production)","title":"Installation Overview"},{"location":"install/#minimal-configuration","text":"It turns out that just installing the Flex binary object code (i.e. the bits), is totally useless. That's because in order to do anything useful with Gluu Flex, you need a minimal amount of configuration. For example, you need to generate cryptographic key pairs, you need to generate a minimal amount of data in the database, you need to generate some web server TLS certificates. For this reason, for most of the platforms, installation is a three step process. Step 1, install the bits. Step 2, run \"setup\" and answer some basic question (like the hostname of your IDP). Step 3, fire up a configuration tool to perform any other last mile configuration.","title":"Minimal Configuration"},{"location":"install/#databases","text":"Gluu Flex gives you a few options to store data: MySQL, Postgres, Couchbase, Amazon Aurora, and Spanner. You can also configure an in-memory cache server like Redis. Sometimes installation and configuration of this database is included in the setup process. Sometimes, you need to setup the database ahead of time. Please refer to the database instructions specific for your choice. 
And of course, you may need to refer to the database documentation itself--we don't want to duplicate any of that third party content.","title":"Databases"},{"location":"install/#optimization","text":"Remember, installation is just a starting point. To get peak performance, you may need to tweak some of the configuration dials for your system or the database. If you intend to deploy a Gluu Flex in production for high concurrency, make sure you benchmark the exact flows you expect to serve in production.","title":"Optimization"},{"location":"install/agama/prerequisites/","tags":["administration","installation"],"text":"Agama Lab # Agama Lab is a platform to manage your Gluu license. This is where you may subscribe to Gluu Flex or obtain credentials for your enterprise license. To begin, please visit Agama Lab You may register via email or login via GitHub If you want to author or test Agama projects, you will need to login via GitHub Once you have logged in, please navigate to Market > SCAN and subscribe to the free tier. SCAN is the API gateway Gluu uses to validate licenses. The free tier will give you 500 credits. As license calls do not cost credits, this will not cost you anything. Software Statement Assertions # In order to install Flex, you will need a Software Statement Assertion (SSA). An SSA is a signed JSON Web Token (JWT) that is required by the Flex install script to validate your license. Obtaining an SSA # Gluu issues SSAs through the Agama Lab web interface. You can obtain an SSA for use with Flex by following these steps: Login to Agama Lab On the left navigation bar, select Market Navigate to the tab named SSA . Sign up for a free SCAN subscription, which will give you 500 SCAN credits. Flex does not cost any SCAN credits, so you will not be charged for SCAN. 
Click on Create New SSA On Software Name , fill in a unique identifier for this SSA Description is optional Under Software Roles , tick license Under Expiration Date , select an appropriate date. Your SSA will not be useable after that date. Under SSA Lifetime , choose an appropriate lifetime for the Flex client. One month or longer is recommended. Deselect One time use and Rotate SSA Click Create - Click on Detail of the newly issued SSA, then click on Show JWT You will be shown a long string of characters. Copy this and save it to a file. You may now use this file during Flex installation. License # Gluu Flex uses the SSA obtained in the above step to either request a 30 day trial license or verify presence of a license tied to your Agama Lab account. One account may request one trial license in its lifetime. To purchase a full license, please navigate to the Flex tab of the marketplace where you may purchase licenses for up to 1600 MAU (monthly active users). To purchase an enterprise license for more MAU, please contact Sales . If you have subscribed to Flex via Agama Lab, the SSA obtained in the step before will automatically link your license to your installation. For enterprise licenses, please open a support ticket so that we can issue a license against your Agama account. Once this is done, you may use the SSA obtained to proceed to installation.","title":"Prerequisites"},{"location":"install/agama/prerequisites/#agama-lab","text":"Agama Lab is a platform to manage your Gluu license. This is where you may subscribe to Gluu Flex or obtain credentials for your enterprise license. To begin, please visit Agama Lab You may register via email or login via GitHub If you want to author or test Agama projects, you will need to login via GitHub Once you have logged in, please navigate to Market > SCAN and subscribe to the free tier. SCAN is the API gateway Gluu uses to validate licenses. The free tier will give you 500 credits. 
As license calls do not cost credits, this will not cost you anything.","title":"Agama Lab"},{"location":"install/agama/prerequisites/#software-statement-assertions","text":"In order to install Flex, you will need a Software Statement Assertion (SSA). An SSA is a signed JSON Web Token (JWT) that is required by the Flex install script to validate your license.","title":"Software Statement Assertions"},{"location":"install/agama/prerequisites/#obtaining-an-ssa","text":"Gluu issues SSAs through the Agama Lab web interface. You can obtain an SSA for use with Flex by following these steps: Login to Agama Lab On the left navigation bar, select Market Navigate to the tab named SSA . Sign up for a free SCAN subscription, which will give you 500 SCAN credits. Flex does not cost any SCAN credits, so you will not be charged for SCAN. Click on Create New SSA On Software Name , fill in a unique identifier for this SSA Description is optional Under Software Roles , tick license Under Expiration Date , select an appropriate date. Your SSA will not be useable after that date. Under SSA Lifetime , choose an appropriate lifetime for the Flex client. One month or longer is recommended. Deselect One time use and Rotate SSA Click Create - Click on Detail of the newly issued SSA, then click on Show JWT You will be shown a long string of characters. Copy this and save it to a file. You may now use this file during Flex installation.","title":"Obtaining an SSA"},{"location":"install/agama/prerequisites/#license","text":"Gluu Flex uses the SSA obtained in the above step to either request a 30 day trial license or verify presence of a license tied to your Agama Lab account. One account may request one trial license in its lifetime. To purchase a full license, please navigate to the Flex tab of the marketplace where you may purchase licenses for up to 1600 MAU (monthly active users). To purchase an enterprise license for more MAU, please contact Sales . 
If you have subscribed to Flex via Agama Lab, the SSA obtained in the step before will automatically link your license to your installation. For enterprise licenses, please open a support ticket so that we can issue a license against your Agama account. Once this is done, you may use the SSA obtained to proceed to installation.","title":"License"},{"location":"install/docker-install/compose/","tags":["administration","reference","kubernetes","docker image","docker compose"],"text":"Warning This image is for testing and development purposes only. Use Flex helm charts for production setups. Overview # Docker monolith image packaging for Gluu Flex. This image packs janssen services including the auth-server, config-api, fido2, casa, scim and the Gluu admin ui. Pre-requisites # Docker Docker compose Versions # See Releases for stable versions. This image should never be used in production. For bleeding-edge/unstable version, use gluufederation/monolith:0.0.0-nightly . Environment Variables # Installation depends on the set of environment variables shown below. These environment variables can be set to customize installation as per the need. If not set, the installer uses default values. ENV Description Default CN_HOSTNAME Hostname to install gluu with. demoexample.gluu.org CN_ADMIN_PASS Password of the admin user. 1t5Fin3#security CN_ORG_NAME Organization name. Used for ssl cert generation. Gluu CN_EMAIL Email. Used for ssl cert generation. team@gluu.org CN_CITY City. Used for ssl cert generation. Austin CN_STATE State. Used for ssl cert generation TX CN_COUNTRY Country. Used for ssl cert generation. US CN_INSTALL_MYSQL Install gluu with mysql as the backend false CN_INSTALL_PGSQL Install gluu with Postgres as the backend false CN_INSTALL_ADMIN_UI Installs the Admin-UI true CN_INSTALL_CONFIG_API Installs the Config API service. true CN_INSTALL_SCIM Installs the SCIM API service. true CN_INSTALL_FIDO2 Installs the FIDO2 API service. 
true RDBMS_DATABASE RDBMS gluu database for MySQL or Postgres. gluu RDBMS_USER RDBMS database user for MySQL or Postgres. gluu RDBMS_PASSWORD RDBMS database user password for MySQL or Postgres. 1t5Fin3#security RDBMS_HOST RDBMS host for MySQL or Postgres. mysql which is the docker compose service name TEST_CLIENT_ID ID of test client in UUID which has all available scopes to access any gluu API 9876baac-de39-4c23-8a78-674b59df8c09 TEST_CLIENT_SECRET Secret for test client 1t5Fin3#security TEST_CLIENT_TRUSTED Trust test client true TEST_CLIENT_REDIRECT_URI Not Implemented yet Redirect URI for test client. Multiple uri's with comma may be provided, if not provided redirect uris will be same as the config-api-client `` How to run # Download the compose file of your chosen persistence from mysql or postgres wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-mysql-compose.yml wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-postgres-compose.yml Download the script files wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/up.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/down.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/clean.sh Give execute permission to the scripts chmod u+x up.sh down.sh clean.sh This docker compose file runs two containers, the flex monolith container and mysql container. To start the containers. ./up.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql. To view the containers running docker compose -f flex-mysql-compose.yml ps To stop the containers. ./down.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql. 
Configure Gluu flex # Access the Docker container shell using: docker compose -f flex-mysql-compose.yml exec flex /bin/bash #This opens a bash terminal in the running container You can grab client_id and client_pw (secret), and other values from setup.properties or /opt/jans/jans-setup/setup.properties.last Use the CLI tools located under /opt/jans/jans-cli/ to configure Gluu flex as needed. For example you can run the TUI : python3 /opt/jans/jans-cli/config-cli-tui.py Access endpoints externally # Add to your /etc/hosts file the ip domain record which should be the ip of the instance docker is installed at and the domain used in the env above CN_HOSTNAME . # For-example 172 .22.0.3 demoexample.gluu.org After adding the record you can hit endpoints such as https://demoexample.gluu.org/.well-known/openid-configuration Clean up # Remove setup and volumes ./clean.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql.","title":"Docker compose"},{"location":"install/docker-install/compose/#overview","text":"Docker monolith image packaging for Gluu Flex. This image packs janssen services including the auth-server, config-api, fido2, casa, scim and the Gluu admin ui.","title":"Overview"},{"location":"install/docker-install/compose/#pre-requisites","text":"Docker Docker compose","title":"Pre-requisites"},{"location":"install/docker-install/compose/#versions","text":"See Releases for stable versions. This image should never be used in production. For bleeding-edge/unstable version, use gluufederation/monolith:0.0.0-nightly .","title":"Versions"},{"location":"install/docker-install/compose/#environment-variables","text":"Installation depends on the set of environment variables shown below. These environment variables can be set to customize installation as per the need. If not set, the installer uses default values. ENV Description Default CN_HOSTNAME Hostname to install gluu with. 
demoexample.gluu.org CN_ADMIN_PASS Password of the admin user. 1t5Fin3#security CN_ORG_NAME Organization name. Used for ssl cert generation. Gluu CN_EMAIL Email. Used for ssl cert generation. team@gluu.org CN_CITY City. Used for ssl cert generation. Austin CN_STATE State. Used for ssl cert generation TX CN_COUNTRY Country. Used for ssl cert generation. US CN_INSTALL_MYSQL Install gluu with mysql as the backend false CN_INSTALL_PGSQL Install gluu with Postgres as the backend false CN_INSTALL_ADMIN_UI Installs the Admin-UI true CN_INSTALL_CONFIG_API Installs the Config API service. true CN_INSTALL_SCIM Installs the SCIM API service. true CN_INSTALL_FIDO2 Installs the FIDO2 API service. true RDBMS_DATABASE RDBMS gluu database for MySQL or Postgres. gluu RDBMS_USER RDBMS database user for MySQL or Postgres. gluu RDBMS_PASSWORD RDBMS database user password for MySQL or Postgres. 1t5Fin3#security RDBMS_HOST RDBMS host for MySQL or Postgres. mysql which is the docker compose service name TEST_CLIENT_ID ID of test client in UUID which has all available scopes to access any gluu API 9876baac-de39-4c23-8a78-674b59df8c09 TEST_CLIENT_SECRET Secret for test client 1t5Fin3#security TEST_CLIENT_TRUSTED Trust test client true TEST_CLIENT_REDIRECT_URI Not Implemented yet Redirect URI for test client. 
Multiple uri's with comma may be provided, if not provided redirect uris will be same as the config-api-client ``","title":"Environment Variables"},{"location":"install/docker-install/compose/#how-to-run","text":"Download the compose file of your chosen persistence from mysql or postgres wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-mysql-compose.yml wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-postgres-compose.yml Download the script files wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/up.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/down.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/clean.sh Give execute permission to the scripts chmod u+x up.sh down.sh clean.sh This docker compose file runs two containers, the flex monolith container and mysql container. To start the containers. ./up.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql. To view the containers running docker compose -f flex-mysql-compose.yml ps To stop the containers. ./down.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql.","title":"How to run"},{"location":"install/docker-install/compose/#configure-gluu-flex","text":"Access the Docker container shell using: docker compose -f flex-mysql-compose.yml exec flex /bin/bash #This opens a bash terminal in the running container You can grab client_id and client_pw (secret), and other values from setup.properties or /opt/jans/jans-setup/setup.properties.last Use the CLI tools located under /opt/jans/jans-cli/ to configure Gluu flex as needed. 
For example you can run the TUI : python3 /opt/jans/jans-cli/config-cli-tui.py","title":"Configure Gluu flex"},{"location":"install/docker-install/compose/#access-endpoints-externally","text":"Add to your /etc/hosts file the ip domain record which should be the ip of the instance docker is installed at and the domain used in the env above CN_HOSTNAME . # For-example 172 .22.0.3 demoexample.gluu.org After adding the record you can hit endpoints such as https://demoexample.gluu.org/.well-known/openid-configuration","title":"Access endpoints externally"},{"location":"install/docker-install/compose/#clean-up","text":"Remove setup and volumes ./clean.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql.","title":"Clean up"},{"location":"install/docker-install/quick-start/","tags":["administration","installation","quick-start","docker"],"text":"Warning This image is for testing and development purposes only. Use Flex helm charts for production setups. Overview # The quickest way to get Gluu flex up and running is to have a Docker container-based deployment. System Requirements # System should meet minimum VM system requirements Install # Installation depends on a set of environment variables . These environment variables can be set to customize installation as per the need. If not set, the installer uses default values. Run this command to start the installation: wget https://raw.githubusercontent.com/GluuFederation/flex/vreplace-flex-version/automation/startflexmonolithdemo.sh && chmod u+x startflexmonolithdemo.sh && sudo bash startflexmonolithdemo.sh demoexample.gluu.org MYSQL Console messages like below confirms the successful installation: [+] Running 3/3 \u283f Network docker-flex-monolith_cloud_bridge Created 0.0s \u283f Container docker-flex-monolith-mysql-1 Started 0.6s \u283f Container docker-flex-monolith-flex-1 Started 0.9s Waiting for auth-server to come up. 
Depending on the resources it may take 3-5 mins for the services to be up. Testing openid-configuration endpoint.. As can be seen, the install script also accesses the well-known endpoints to verify that Gluu Flex is responsive. Verify Installation By Accessing Standard Endpoints # To access Gluu flex standard endpoints from outside of the Docker container, systems /etc/hosts file needs to be updated. Open the file and add the IP domain record which should be the IP of the instance docker is installed. And the domain used in the env above CN_HOSTNAME . # For-example 172 .22.0.3 demoexample.gluu.org After adding the record, hit the standard endpoints such as https://demoexample.gluu.org/.well-known/openid-configuration Configure Gluu flex # Access the Docker container shell using: docker exec -ti docker-flex-monolith-flex-1 bash Grab a pair of client_id and client_pw(secret) from setup.properties or /opt/jans/jans-setup/setup.properties.last Use the CLI tools located under /opt/jans/jans-cli/ to configure Gluu flex as needed. For example you can run the TUI : python3 /opt/jans/jans-cli/config-cli-tui.py Uninstall/Remove Gluu flex # This docker based installation uses docker compose under the hood to create containers. Hence uninstalling Gluu flex involves invoking docker compose with appropriate yml file. Run command below to stop and remove containers. 
docker compose -f /tmp/flex/docker-flex-monolith/flex-mysql-compose.yml down && rm -rf flex-* Console messages like below confirms the successful removal: [+] Running 3/3 \u283f Container docker-flex-monolith-flex-1 Removed 10.5s \u283f Container docker-flex-monolith-mysql-1 Removed 0.9s \u283f Network docker-flex-monolith_cloud_bridge Removed 0.1s","title":"Quick Start"},{"location":"install/docker-install/quick-start/#overview","text":"The quickest way to get Gluu flex up and running is to have a Docker container-based deployment.","title":"Overview"},{"location":"install/docker-install/quick-start/#system-requirements","text":"System should meet minimum VM system requirements","title":"System Requirements"},{"location":"install/docker-install/quick-start/#install","text":"Installation depends on a set of environment variables . These environment variables can be set to customize installation as per the need. If not set, the installer uses default values. Run this command to start the installation: wget https://raw.githubusercontent.com/GluuFederation/flex/vreplace-flex-version/automation/startflexmonolithdemo.sh && chmod u+x startflexmonolithdemo.sh && sudo bash startflexmonolithdemo.sh demoexample.gluu.org MYSQL Console messages like below confirms the successful installation: [+] Running 3/3 \u283f Network docker-flex-monolith_cloud_bridge Created 0.0s \u283f Container docker-flex-monolith-mysql-1 Started 0.6s \u283f Container docker-flex-monolith-flex-1 Started 0.9s Waiting for auth-server to come up. Depending on the resources it may take 3-5 mins for the services to be up. Testing openid-configuration endpoint.. 
As can be seen, the install script also accesses the well-known endpoints to verify that Gluu Flex is responsive.","title":"Install"},{"location":"install/docker-install/quick-start/#verify-installation-by-accessing-standard-endpoints","text":"To access Gluu flex standard endpoints from outside of the Docker container, systems /etc/hosts file needs to be updated. Open the file and add the IP domain record which should be the IP of the instance docker is installed. And the domain used in the env above CN_HOSTNAME . # For-example 172 .22.0.3 demoexample.gluu.org After adding the record, hit the standard endpoints such as https://demoexample.gluu.org/.well-known/openid-configuration","title":"Verify Installation By Accessing Standard Endpoints"},{"location":"install/docker-install/quick-start/#configure-gluu-flex","text":"Access the Docker container shell using: docker exec -ti docker-flex-monolith-flex-1 bash Grab a pair of client_id and client_pw(secret) from setup.properties or /opt/jans/jans-setup/setup.properties.last Use the CLI tools located under /opt/jans/jans-cli/ to configure Gluu flex as needed. For example you can run the TUI : python3 /opt/jans/jans-cli/config-cli-tui.py","title":"Configure Gluu flex"},{"location":"install/docker-install/quick-start/#uninstallremove-gluu-flex","text":"This docker based installation uses docker compose under the hood to create containers. Hence uninstalling Gluu flex involves invoking docker compose with appropriate yml file. Run command below to stop and remove containers. 
docker compose -f /tmp/flex/docker-flex-monolith/flex-mysql-compose.yml down && rm -rf flex-* Console messages like below confirms the successful removal: [+] Running 3/3 \u283f Container docker-flex-monolith-flex-1 Removed 10.5s \u283f Container docker-flex-monolith-mysql-1 Removed 0.9s \u283f Network docker-flex-monolith_cloud_bridge Removed 0.1s","title":"Uninstall/Remove Gluu flex"},{"location":"install/helm-install/","tags":["administration","installation","helm"],"text":"Overview # Gluu Flex enables organizations to build a scalable centralized authentication and authorization service using free open source software. The components of the project include client and server implementations of the OAuth, OpenID Connect, SCIM and FIDO standards. All these components are deployed using Gluu helm chart . You can check the reference guide to view the list of the chart components and values. Looking for older helm charts? # If you are looking for older helm charts, you need to build them from the Gluu Flex repository. We only keep the last 5 versions of the chart up. We support auto-upgrade using helm upgrade and hence want everyone to stay up to date with our charts. To build older charts manually from the Gluu Flex repository, you can use the following example which assumes we are building for janssen version v5.0.0 : git clone --filter blob:none --no-checkout https://github.com/GluuFederation/flex.git /tmp/flex \\ && cd /tmp/flex \\ && git sparse-checkout init --cone \\ && git checkout v5.0.0 \\ && git sparse-checkout add charts/gluu \\ && cd charts/gluu \\ && helm dependency update \\ && helm package .","title":"Overview"},{"location":"install/helm-install/#overview","text":"Gluu Flex enables organizations to build a scalable centralized authentication and authorization service using free open source software. The components of the project include client and server implementations of the OAuth, OpenID Connect, SCIM and FIDO standards. 
All these components are deployed using Gluu helm chart . You can check the reference guide to view the list of the chart components and values.","title":"Overview"},{"location":"install/helm-install/#looking-for-older-helm-charts","text":"If you are looking for older helm charts, you need to build them from the Gluu Flex repository. We only keep the last 5 versions of the chart up. We support auto-upgrade using helm upgrade and hence want everyone to stay up to date with our charts. To build older charts manually from the Gluu Flex repository, you can use the following example which assumes we are building for janssen version v5.0.0 : git clone --filter blob:none --no-checkout https://github.com/GluuFederation/flex.git /tmp/flex \\ && cd /tmp/flex \\ && git sparse-checkout init --cone \\ && git checkout v5.0.0 \\ && git sparse-checkout add charts/gluu \\ && cd charts/gluu \\ && helm dependency update \\ && helm package .","title":"Looking for older helm charts?"},{"location":"install/helm-install/amazon-eks/","tags":["administration","installation","helm","EKS","Amazon Web Services","AWS"],"text":"Install Gluu Flex on EKS # System Requirements # The resources may be set minimally to the below: 8-13 GB RAM based on the services deployed 8-11 CPU cores based on the services deployed 50GB hard-disk Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may be increase or decrease. 
Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No kc-scheduler - job 0.3 0.3GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0 Initial Setup # Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Install aws cli Configure your AWS user account using aws configure command. This makes you able to authenticate before creating the cluster. Note that this user account must have permissions to work with Amazon EKS IAM roles and service linked roles, AWS CloudFormation, and a VPC and related resources Install kubectl Install eksctl Create cluster using eksctl such as the following example: eksctl create cluster --name gluu-cluster --nodegroup-name gluu-nodes --node-type NODE_TYPE --nodes 2 --managed --region REGION_CODE You can adjust node-type and nodes number as per your desired cluster size To be able to attach volumes to your pod, you need to install the Amazon EBS CSI driver Install Helm3 Create gluu namespace where our resources will reside kubectl create namespace gluu Gluu Flex Installation using Helm # Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx Create a file named override.yaml and add changes as per your desired configuration: FQDN/domain is not registered: Get the Loadbalancer address: kubectl get svc nginx-ingress-nginx-controller 
--output jsonpath='{.status.loadBalancer.ingress[0].hostname}' Add the following yaml snippet to your override.yaml file: global : isFqdnRegistered : false config : configmap : lbAddr : http:// #Add LB address from previous command FQDN/domain is registered: Add the following yaml snippet to your override.yaml file: global : isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : lbAddr : http:// #Add LB address from previous command nginx : ingress : enabled : true path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu PostgreSQL for persistence storage In a production environment, a production grade PostgreSQL server should be used such as Amazon RDS For testing purposes, you can deploy it on the EKS cluster using the following command: helm install my-release --set auth.postgresPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/postgresql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 5432 cnSqlDbDialect : pgsql cnSqlDbHost : my-release-postgresql.gluu.svc cnSqlDbUser : postgres cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# MySQL for persistence storage In a production environment, a production grade MySQL server should be used such as Amazon RDS For testing purposes, you can deploy it on the EKS cluster using the following command: helm install my-release --set auth.rootPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/mysql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : 
Test1234# So if your desired configuration has FQDN and MySQL, the final override.yaml file will look something like that: global : cnPersistenceType : sql isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : lbAddr : http:// #Add LB address from previous command cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# Install Gluu Flex After finishing all the tweaks to the override.yaml file, we can use it to install gluu flex. helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml Configure Gluu Flex # You can use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration.","title":"Amazon EKS"},{"location":"install/helm-install/amazon-eks/#install-gluu-flex-on-eks","text":"","title":"Install Gluu Flex on EKS"},{"location":"install/helm-install/amazon-eks/#system-requirements","text":"The resources may be set minimally to the below: 8-13 GB RAM based on the services deployed 8-11 CPU cores based on the services deployed 50GB hard-disk Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may be increase or decrease. 
Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No kc-scheduler - job 0.3 0.3GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0","title":"System Requirements"},{"location":"install/helm-install/amazon-eks/#initial-setup","text":"Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Install aws cli Configure your AWS user account using aws configure command. This makes you able to authenticate before creating the cluster. Note that this user account must have permissions to work with Amazon EKS IAM roles and service linked roles, AWS CloudFormation, and a VPC and related resources Install kubectl Install eksctl Create cluster using eksctl such as the following example: eksctl create cluster --name gluu-cluster --nodegroup-name gluu-nodes --node-type NODE_TYPE --nodes 2 --managed --region REGION_CODE You can adjust node-type and nodes number as per your desired cluster size To be able to attach volumes to your pod, you need to install the Amazon EBS CSI driver Install Helm3 Create gluu namespace where our resources will reside kubectl create namespace gluu","title":"Initial Setup"},{"location":"install/helm-install/amazon-eks/#gluu-flex-installation-using-helm","text":"Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx Create a file named 
override.yaml and add changes as per your desired configuration: FQDN/domain is not registered: Get the Loadbalancer address: kubectl get svc nginx-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].hostname}' Add the following yaml snippet to your override.yaml file: global : isFqdnRegistered : false config : configmap : lbAddr : http:// #Add LB address from previous command FQDN/domain is registered: Add the following yaml snippet to your override.yaml file: global : isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : lbAddr : http:// #Add LB address from previous command nginx : ingress : enabled : true path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu PostgreSQL for persistence storage In a production environment, a production grade PostgreSQL server should be used such as Amazon RDS For testing purposes, you can deploy it on the EKS cluster using the following command: helm install my-release --set auth.postgresPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/postgresql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 5432 cnSqlDbDialect : pgsql cnSqlDbHost : my-release-postgresql.gluu.svc cnSqlDbUser : postgres cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# MySQL for persistence storage In a production environment, a production grade MySQL server should be used such as Amazon RDS For testing purposes, you can deploy it on the EKS cluster using the following command: helm install my-release --set auth.rootPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/mysql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : 
configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# So if your desired configuration has FQDN and MySQL, the final override.yaml file will look something like that: global : cnPersistenceType : sql isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : lbAddr : http:// #Add LB address from previous command cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# Install Gluu Flex After finishing all the tweaks to the override.yaml file, we can use it to install gluu flex. helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml","title":"Gluu Flex Installation using Helm"},{"location":"install/helm-install/amazon-eks/#configure-gluu-flex","text":"You can use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration.","title":"Configure Gluu Flex"},{"location":"install/helm-install/google-gke/","tags":["administration","installation","helm","GKE","Google Cloud","GCP"],"text":"Install Gluu Flex on GKE # System Requirements # The resources may be set minimally to the below: 8-13 GB RAM based on the services deployed 8-11 CPU cores based on the services deployed 50GB hard-disk Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may be increase or decrease. 
Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No kc-scheduler - job 0.3 0.3GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0 Initial Setup # Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Enable GKE API if not enabled yet. If you are using Cloud Shell , you can skip to step 7. Install gcloud . Install kubectl using gcloud components install kubectl command. Install Helm3 . Create cluster using a command such as the following example: gcloud container clusters create gluu-cluster --num-nodes 2 --machine-type e2-standard-4 --zone us-west1-a You can adjust num-nodes and machine-type as per your desired cluster size Create gluu namespace where our resources will reside kubectl create namespace gluu Gluu Flex Installation using Helm # Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx Create a file named override.yaml and add changes as per your desired configuration: FQDN/domain is not registered: Get the Loadbalancer IP: kubectl get svc nginx-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}' Add the following yaml snippet to your override.yaml file: global : lbIp : #Add the Loadbalance IP from the previous command isFqdnRegistered : false FQDN/domain is registered: Add the following yaml snippet to your 
override.yaml file: global : lbIp : #Add the LoadBalancer IP from the previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu PostgreSQL for persistence storage In a production environment, a production grade PostgreSQL server should be used such as Cloud SQL For testing purposes, you can deploy it on the GKE cluster using the following command: helm install my-release --set auth.postgresPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/postgresql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 5432 cnSqlDbDialect : pgsql cnSqlDbHost : my-release-postgresql.gluu.svc cnSqlDbUser : postgres cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# MySQL for persistence storage In a production environment, a production grade MySQL server should be used such as Cloud SQL For testing purposes, you can deploy it on the GKE cluster using the following command: helm install my-release --set auth.rootPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/mysql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# So if your desired configuration has FQDN and MySQL, the final override.yaml file will look something like that: global : cnPersistenceType : sql lbIp : \"\" #Add the LoadBalancer IP from previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress 
: path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# Install Gluu Flex After finishing all the tweaks to the override.yaml file, we can use it to install gluu flex. helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml Configure Gluu Flex # You can use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration.","title":"Google GKE"},{"location":"install/helm-install/google-gke/#install-gluu-flex-on-gke","text":"","title":"Install Gluu Flex on GKE"},{"location":"install/helm-install/google-gke/#system-requirements","text":"The resources may be set minimally to the below: 8-13 GB RAM based on the services deployed 8-11 CPU cores based on the services deployed 50GB hard-disk Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may be increase or decrease. 
Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No kc-scheduler - job 0.3 0.3GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0","title":"System Requirements"},{"location":"install/helm-install/google-gke/#initial-setup","text":"Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Enable GKE API if not enabled yet. If you are using Cloud Shell , you can skip to step 7. Install gcloud . Install kubectl using gcloud components install kubectl command. Install Helm3 . 
Create cluster using a command such as the following example: gcloud container clusters create gluu-cluster --num-nodes 2 --machine-type e2-standard-4 --zone us-west1-a You can adjust num-nodes and machine-type as per your desired cluster size Create gluu namespace where our resources will reside kubectl create namespace gluu","title":"Initial Setup"},{"location":"install/helm-install/google-gke/#gluu-flex-installation-using-helm","text":"Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx Create a file named override.yaml and add changes as per your desired configuration: FQDN/domain is not registered: Get the Loadbalancer IP: kubectl get svc nginx-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}' Add the following yaml snippet to your override.yaml file: global : lbIp : #Add the Loadbalance IP from the previous command isFqdnRegistered : false FQDN/domain is registered: Add the following yaml snippet to your override.yaml file: global : lbIp : #Add the LoadBalancer IP from the previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu PostgreSQL for persistence storage In a production environment, a production grade PostgreSQL server should be used such as Cloud SQL For testing purposes, you can deploy it on the GKE cluster using the following command: helm install my-release --set auth.postgresPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/postgresql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql 
config : configmap : cnSqlDbName : gluu cnSqlDbPort : 5432 cnSqlDbDialect : pgsql cnSqlDbHost : my-release-postgresql.gluu.svc cnSqlDbUser : postgres cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# MySQL for persistence storage In a production environment, a production grade MySQL server should be used such as Cloud SQL For testing purposes, you can deploy it on the GKE cluster using the following command: helm install my-release --set auth.rootPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/mysql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# So if your desired configuration has FQDN and MySQL, the final override.yaml file will look something like that: global : cnPersistenceType : sql lbIp : \"\" #Add the LoadBalancer IP from previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# Install Gluu Flex After finishing all the tweaks to the override.yaml file, we can use it to install gluu flex. helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml","title":"Gluu Flex Installation using Helm"},{"location":"install/helm-install/google-gke/#configure-gluu-flex","text":"You can use the Janssen TUI to configure Flex components. 
The TUI calls the Config API to perform ad hoc configuration.","title":"Configure Gluu Flex"},{"location":"install/helm-install/local/","tags":["administration","installation","helm"],"text":"Install Gluu Server Locally with minikube and MicroK8s # System Requirements # For local deployments like minikube and MicroK8s or cloud installations in demo mode, resources may be set to the minimum as below: 8 GB RAM 4 CPU cores 50 GB hard-disk Use the listing below for a detailed estimation of minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may increase or decrease. Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0 Installation Steps # Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Start a fresh Ubuntu 18.04 / 20.04 / 22.04 VM with ports 443 and 80 open. Then execute the following: sudo su - wget https://raw.githubusercontent.com/GluuFederation/flex/vreplace-flex-version/automation/startflexdemo.sh && chmod u+x startflexdemo.sh && ./startflexdemo.sh This will install Docker, Microk8s, Helm and Gluu with the default settings that can be found inside values.yaml . 
The installer will automatically add a record to your hosts record in the VM but if you want to access the endpoints outside the VM you must map the ip of the instance running Ubuntu to the FQDN you provided and then access the endpoints at your browser such in the example in the table below. Service Example endpoint Auth server https://FQDN/.well-known/openid-configuration fido2 https://FQDN/.well-known/fido2-configuration scim https://FQDN/.well-known/scim-configuration Casa https://FQDN/jans-casa Admin-UI https://FQDN/admin Configure Gluu Flex # You can use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration.","title":"Local Kubernetes Cluster"},{"location":"install/helm-install/local/#install-gluu-server-locally-with-minikube-and-microk8s","text":"","title":"Install Gluu Server Locally with minikube and MicroK8s"},{"location":"install/helm-install/local/#system-requirements","text":"For local deployments like minikube and MicroK8s or cloud installations in demo mode, resources may be set to the minimum as below: 8 GB RAM 4 CPU cores 50 GB hard-disk Use the listing below for a detailed estimation of minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may increase or decrease. 
Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0","title":"System Requirements"},{"location":"install/helm-install/local/#installation-steps","text":"Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Start a fresh Ubuntu 18.04 / 20.04 / 22.04 VM with ports 443 and 80 open. Then execute the following: sudo su - wget https://raw.githubusercontent.com/GluuFederation/flex/vreplace-flex-version/automation/startflexdemo.sh && chmod u+x startflexdemo.sh && ./startflexdemo.sh This will install Docker, Microk8s, Helm and Gluu with the default settings that can be found inside values.yaml . The installer will automatically add a record to your hosts record in the VM but if you want to access the endpoints outside the VM you must map the ip of the instance running Ubuntu to the FQDN you provided and then access the endpoints at your browser such in the example in the table below. Service Example endpoint Auth server https://FQDN/.well-known/openid-configuration fido2 https://FQDN/.well-known/fido2-configuration scim https://FQDN/.well-known/scim-configuration Casa https://FQDN/jans-casa Admin-UI https://FQDN/admin","title":"Installation Steps"},{"location":"install/helm-install/local/#configure-gluu-flex","text":"You can use the Janssen TUI to configure Flex components. 
The TUI calls the Config API to perform ad hoc configuration.","title":"Configure Gluu Flex"},{"location":"install/helm-install/microsoft-azure/","tags":["administration","installation","helm","AKS","Microsoft","Azure"],"text":"Install Gluu Flex on AKS # System Requirements # The resources may be set minimally to the below: 8-13 GB RAM based on the services deployed 8-11 CPU cores based on the services deployed 50GB hard-disk Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may be increase or decrease. Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No kc-scheduler - job 0.3 0.3GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0 Initial Setup # Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. 
Install Azure CLI Create a Resource Group az group create --name gluu-resource-group --location eastus Create an AKS cluster such as the following example: az aks create -g gluu-resource-group -n gluu-cluster --enable-managed-identity --node-vm-size NODE_TYPE --node-count 2 --enable-addons monitoring --enable-msi-auth-for-monitoring --generate-ssh-keys You can adjust node-count and node-vm-size as per your desired cluster size Connect to the cluster az aks install-cli az aks get-credentials --resource-group gluu-resource-group --name gluu-cluster Install Helm3 Create gluu namespace where our resources will reside kubectl create namespace gluu Gluu Flex Installation using Helm # Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx Create a file named override.yaml and add changes as per your desired configuration: FQDN/domain is not registered: Get the Loadbalancer IP: kubectl get svc nginx-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}' Add the following yaml snippet to your override.yaml file: global : lbIp : #Add the Loadbalance IP from the previous command isFqdnRegistered : false FQDN/domain is registered: Add the following yaml snippet to your override.yaml file: global : lbIp : #Add the LoadBalancer IP from the previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu PostgreSQL for persistence storage In a production environment, a production grade PostgreSQL server should be used such as Azure Database for PostgreSQL For testing purposes, you can deploy it on the AKS cluster 
using the following command: helm install my-release --set auth.postgresPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/postgresql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 5432 cnSqlDbDialect : pgsql cnSqlDbHost : my-release-postgresql.gluu.svc cnSqlDbUser : postgres cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# MySQL for persistence storage In a production environment, a production grade MySQL server should be used such as Azure Database for MySQL For testing purposes, you can deploy it on the AKS cluster using the following command: helm install my-release --set auth.rootPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/mysql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# So if your desired configuration has FQDN and MySQL, the final override.yaml file will look something like that: global : cnPersistenceType : sql lbIp : \"\" #Add the LoadBalancer IP from previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# Install Gluu Flex After finishing all the tweaks to the override.yaml file, we can use it to install gluu flex. 
helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml Configure Gluu Flex # You can use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration.","title":"Microsoft Azure AKS"},{"location":"install/helm-install/microsoft-azure/#install-gluu-flex-on-aks","text":"","title":"Install Gluu Flex on AKS"},{"location":"install/helm-install/microsoft-azure/#system-requirements","text":"The resources may be set minimally to the below: 8-13 GB RAM based on the services deployed 8-11 CPU cores based on the services deployed 50GB hard-disk Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may be increase or decrease. Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No kc-scheduler - job 0.3 0.3GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0","title":"System Requirements"},{"location":"install/helm-install/microsoft-azure/#initial-setup","text":"Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. 
Install Azure CLI Create a Resource Group az group create --name gluu-resource-group --location eastus Create an AKS cluster such as the following example: az aks create -g gluu-resource-group -n gluu-cluster --enable-managed-identity --node-vm-size NODE_TYPE --node-count 2 --enable-addons monitoring --enable-msi-auth-for-monitoring --generate-ssh-keys You can adjust node-count and node-vm-size as per your desired cluster size Connect to the cluster az aks install-cli az aks get-credentials --resource-group gluu-resource-group --name gluu-cluster Install Helm3 Create gluu namespace where our resources will reside kubectl create namespace gluu","title":"Initial Setup"},{"location":"install/helm-install/microsoft-azure/#gluu-flex-installation-using-helm","text":"Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx Create a file named override.yaml and add changes as per your desired configuration: FQDN/domain is not registered: Get the Loadbalancer IP: kubectl get svc nginx-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}' Add the following yaml snippet to your override.yaml file: global : lbIp : #Add the Loadbalance IP from the previous command isFqdnRegistered : false FQDN/domain is registered: Add the following yaml snippet to your override.yaml file: global : lbIp : #Add the LoadBalancer IP from the previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu PostgreSQL for persistence storage In a production environment, a production grade PostgreSQL server should be used such as Azure 
Database for PostgreSQL For testing purposes, you can deploy it on the AKS cluster using the following command: helm install my-release --set auth.postgresPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/postgresql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 5432 cnSqlDbDialect : pgsql cnSqlDbHost : my-release-postgresql.gluu.svc cnSqlDbUser : postgres cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# MySQL for persistence storage In a production environment, a production grade MySQL server should be used such as Azure Database for MySQL For testing purposes, you can deploy it on the AKS cluster using the following command: helm install my-release --set auth.rootPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/mysql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# So if your desired configuration has FQDN and MySQL, the final override.yaml file will look something like that: global : cnPersistenceType : sql lbIp : \"\" #Add the LoadBalancer IP from previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# Install Gluu Flex After finishing all the tweaks to the override.yaml file, we can use it to install 
gluu flex. helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml","title":"Gluu Flex Installation using Helm"},{"location":"install/helm-install/microsoft-azure/#configure-gluu-flex","text":"You can use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration.","title":"Configure Gluu Flex"},{"location":"install/helm-install/rancher/","tags":["administration","installation","helm"],"text":"Install Gluu Server Using Rancher Marketplace # For a more generic Gluu Flex installation on Rancher, you can follow this comprehensive guide. Also, there are multiple Rancher installation options . For this quick start setup we will use a single node Kubernetes install in docker with a self-signed certificate . Installation Steps # Note If you are deploying an Ingress controller on a single node deployment, in which Ingress utilizes ports 80 and 443, then you have to adjust the host ports mapped for the rancher/rancher container. Here's an example on how to do that. Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Provision a Linux 4 CPU, 16 GB RAM, and 50GB SSD VM with ports 443 and 80 open. Save the VM IP address. For development environments, the VM can be set up using VMWare Workstation Player or VirtualBox with Ubuntu 20.04 operating system running on a VM. Install Docker . Execute docker run -d --restart = unless-stopped -p 80 :80 -p 443 :443 --privileged rancher/rancher:latest The final line of the returned text is the container-id , which you'll need for the next step. Execute the following command to get the bootstrap password for login. docker logs 2 > & 1 | grep \"Bootstrap Password:\" Head to https:// and log in with the username admin and the password from the previous step. 
If you are logging into Rancher for the first time, you'll need to enter just the password, and on the next step, Rancher will ask you to reset your current password. Next, you'll see the Rancher home page with a list of existing clusters. By default, the name of the newly created cluster would be local . Click on the cluster name to go to the dashboard. From the top-left menu expand Apps and click Charts . Search for Gluu and begin your installation. During Step 1 of installation, be sure to select the Customize Helm options before install option. In Step 2, customize the settings for the Gluu installation. Specifically Optional Services from where you can enable Gluu modules. In Step 3, unselect the Wait option and start the installation.","title":"Rancher Marketplace"},{"location":"install/helm-install/rancher/#install-gluu-server-using-rancher-marketplace","text":"For a more generic Gluu Flex installation on Rancher, you can follow this comprehensive guide. Also, there are multiple Rancher installation options . For this quick start setup we will use a single node Kubernetes install in docker with a self-signed certificate .","title":"Install Gluu Server Using Rancher Marketplace"},{"location":"install/helm-install/rancher/#installation-steps","text":"Note If you are deploying an Ingress controller on a single node deployment, in which Ingress utilizes ports 80 and 443, then you have to adjust the host ports mapped for the rancher/rancher container. Here's an example on how to do that. Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Provision a Linux 4 CPU, 16 GB RAM, and 50GB SSD VM with ports 443 and 80 open. Save the VM IP address. For development environments, the VM can be set up using VMWare Workstation Player or VirtualBox with Ubuntu 20.04 operating system running on a VM. Install Docker . 
Execute docker run -d --restart = unless-stopped -p 80 :80 -p 443 :443 --privileged rancher/rancher:latest The final line of the returned text is the container-id , which you'll need for the next step. Execute the following command to get the bootstrap password for login. docker logs 2 > & 1 | grep \"Bootstrap Password:\" Head to https:// and log in with the username admin and the password from the previous step. If you are logging into Rancher for the first time, you'll need to enter just the password, and on the next step, Rancher will ask you to reset your current password. Next, you'll see the Rancher home page with a list of existing clusters. By default, the name of the newly created cluster would be local . Click on the cluster name to go to the dashboard. From the top-left menu expand Apps and click Charts . Search for Gluu and begin your installation. During Step 1 of installation, be sure to select the Customize Helm options before install option. In Step 2, customize the settings for the Gluu installation. Specifically Optional Services from where you can enable Gluu modules. In Step 3, unselect the Wait option and start the installation.","title":"Installation Steps"},{"location":"install/vm-install/rhel/","tags":["administration","installation","vm","RHEL","CentOS"],"text":"Install Gluu Flex On Red Hat EL # This is a step-by-step guide for installation and uninstallation of Gluu Flex on Ubuntu Linux. Prerequisites # Ensure that the OS platform is one of the supported versions VM should meet VM system requirements Make sure that if SELinux is installed then it is put into permissive mode If the server firewall is running, make sure you allow https , which is needed for OpenID and FIDO. 
sudo firewall-cmd --permanent --zone = public --add-service = https sudo firewall-cmd --reload ; Install EPEL and mod-auth-openidc as dependencies sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest- $( rpm -E %rhel ) .noarch.rpm sudo yum -y module enable mod_auth_openidc ; Please obtain an SSA to trial Flex, after which you are issued a JWT that you can use during installation. SSA should be stored in a text file on an accessible path. Install the Package # Download and Verify the Release Package # Download the release package from the Github Flex Releases wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.el8.x86_64.rpm -P /tmp GPG key is used to ensure the authenticity of the downloaded package during the installation process. If the key is not found, the installation step would fail. Use the commands below to download and import the GPG key. wget https://github.com/GluuFederation/flex/files/11814579/automation-flex-public-gpg.zip unzip automation-flex-public-gpg.zip sudo rpm -import automation-flex-public-gpg.asc Verify the integrity of the downloaded package using published sha256sum . Download the sha256sum file for the package wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.el8.x86_64.rpm.sha256sum -P /tmp Run the command below from the directory where the downloaded package and the .sha256sum files are located. cd /tmp ; sha256sum -c flex-replace-flex-version-stable.el8.x86_64.rpm.sha256sum ; Output similar to below should confirm the integrity of the downloaded package. 
flex-replace-flex-version-el8.x86_64.rpm : ok Install the Release Package # sudo yum install ./flex-replace-flex-version-stable.el8.x86_64.rpm Run the setup script # Execute the setup script with command below: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py If Admin-UI component is being installed, then the script will require SSA input, either as text or as a file path. This should be the SSA or file which was acquired as part of prerequisite step . Install Admin UI [Y/n]: y Please enter path of file containing SSA or paste SSA (q to exit): Alternatively, for SSA file can be passed as a parameter to the setup script as below. python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py -admin-ui-ssa [ filename ] Verify and Access the Installation # Verify that installation has been successful and all installed components are accessible using the steps below Log in to Text User Interface (TUI) /opt/jans/jans-cli/jans_cli_tui.py Full TUI documentation can be found here Log into Admin-UI using URI below https://FQDN/admin When troubleshooting issues with Admin UI access, it's advisable to check the logs , refer to the FAQ , and review service dependencies for potential solutions. Access Casa using URI below https://FQDN/jans-casa Enabling HTTPS # To enable communication with Janssen Server over TLS (https) in a production environment, Janssen Server needs details about CA certificate. Update the HTTPS cofiguration file https_jans.conf as shown below: Note Want to use Let's Encrypt to get a certificate? Follow this guide . 
Open https_jans.conf sudo vi /etc/httpd/conf.d/https_jans.conf Update SSLCertificateFile and SSLCertificateKeyFile parameters values SSLCertificateFile location_of_fullchain.pem SSLCertificateKeyFile location_of_privkey.pem Restart httpd service for changes to take effect sudo service httpd restart Uninstallation # Removing Flex is a two step process: Uninstall Gluu Flex Uninstall Janssen Packages If you have not run the setup script, you can skip step 1 and just remove the package. Uninstall Gluu Flex # Use the command below to uninstall the Gluu Flex server sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex Output: [ec2-user@manojs1978-lenient-drum ~]$ sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex This process is irreversible. Gluu Flex Components will be removed Are you sure to uninstall Gluu Flex? [yes/N] yes Profile was detected as jans. Log Files: /opt/jans/jans-setup/logs/flex-setup.log /opt/jans/jans-setup/logs/flex-setup-error.log /opt/jans/jans-setup/setup_app/pylib/jwt/utils.py:7: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release. from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurve Please wait while collecting properties... 
Uninstalling Gluu Casa - Deleting /etc/default/casa - Deleting /etc/systemd/system/casa.service - Removing casa directives from apache configuration - Deleting /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar - Removing plugin /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar from Jans Auth Configuration - Deleting /opt/jans/python/libs/Casa.py - Deleting /opt/jans/python/libs/casa-external_fido2.py - Deleting /opt/jans/python/libs/casa-external_otp.py - Deleting /opt/jans/python/libs/casa-external_super_gluu.py - Deleting /opt/jans/python/libs/casa-external_twilio_sms.py - Deleting casa client from db backend - Deleting casa client scopes from db backend - Deleting casa configuration from db backend - Deleting script 3000-F75A from db backend - Deleting /opt/jans/jetty/casa Uninstalling Gluu Admin-UI - Deleting Gluu Flex Admin UI Client 2001.931e814d-01e2-4983-898f-91bf93670f7b - Removing Admin UI directives from apache configuration - Deleting /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar - Removing plugin /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar from Jans Config API Configuration - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2.xml - Rewriting Jans CLI init file for plugins - Deleting /var/www/html/admin Disabling script A51E-76DA Restarting Apache Restarting Jans Auth Restarting Janssen Config Api Uninstall Janssen Packages # The command below removes and uninstall the jans package sudo python3 /opt/jans/jans-setup/install.py -uninstall Output: [ec2-user@manojs1978-lenient-drum ~]$ sudo python3 /opt/jans/jans-setup/install.py -uninstall This process is irreversible. You will lose all data related to Janssen Server. Are you sure to uninstall Janssen Server? [yes/N] yes Uninstalling Jannsen Server... 
Removing /etc/default/jans-config-api Stopping jans-config-api Removing /etc/default/jans-auth Stopping jans-auth Removing /etc/default/jans-fido2 Stopping jans-fido2 Removing /etc/default/jans-scim Stopping jans-scim Removing /etc/default/jans-cache-refresh Stopping jans-cache-refresh Executing rm -r -f /etc/certs Executing rm -r -f /etc/jans Executing rm -r -f /opt/jans Executing rm -r -f /opt/amazon-corretto* Executing rm -r -f /opt/jre Executing rm -r -f /opt/node* Executing rm -r -f /opt/jetty* Executing rm -r -f /opt/jython* Executing rm -r -f /opt/dist Removing /etc/httpd/conf.d/https_jans.conf Remove Gluu Flex Packages: # List existing Gluu packages with: sudo yum list installed | grep flex Remove packages: sudo yum remove Uninstalling Admin UI # To uninstall the Admin UI from your Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex Updating Admin UI # To update the Admin UI in an existing Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --update-admin-ui","title":"RHEL"},{"location":"install/vm-install/rhel/#install-gluu-flex-on-red-hat-el","text":"This is a step-by-step guide for installation and uninstallation of Gluu Flex on Ubuntu Linux.","title":"Install Gluu Flex On Red Hat EL"},{"location":"install/vm-install/rhel/#prerequisites","text":"Ensure that the OS platform is one of the supported versions VM should meet VM system requirements Make sure that if SELinux is installed then it is put into permissive mode If the server firewall is running, make sure you allow https , which is needed for OpenID and FIDO. 
sudo firewall-cmd --permanent --zone = public --add-service = https sudo firewall-cmd --reload ; Install EPEL and mod-auth-openidc as dependencies sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest- $( rpm -E %rhel ) .noarch.rpm sudo yum -y module enable mod_auth_openidc ; Please obtain an SSA to trial Flex, after which you are issued a JWT that you can use during installation. SSA should be stored in a text file on an accessible path.","title":"Prerequisites"},{"location":"install/vm-install/rhel/#install-the-package","text":"","title":"Install the Package"},{"location":"install/vm-install/rhel/#download-and-verify-the-release-package","text":"Download the release package from the Github Flex Releases wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.el8.x86_64.rpm -P /tmp GPG key is used to ensure the authenticity of the downloaded package during the installation process. If the key is not found, the installation step would fail. Use the commands below to download and import the GPG key. wget https://github.com/GluuFederation/flex/files/11814579/automation-flex-public-gpg.zip unzip automation-flex-public-gpg.zip sudo rpm -import automation-flex-public-gpg.asc Verify the integrity of the downloaded package using published sha256sum . Download the sha256sum file for the package wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.el8.x86_64.rpm.sha256sum -P /tmp Run the command below from the directory where the downloaded package and the .sha256sum files are located. cd /tmp ; sha256sum -c flex-replace-flex-version-stable.el8.x86_64.rpm.sha256sum ; Output similar to below should confirm the integrity of the downloaded package. 
flex-replace-flex-version-el8.x86_64.rpm : ok","title":"Download and Verify the Release Package"},{"location":"install/vm-install/rhel/#install-the-release-package","text":"sudo yum install ./flex-replace-flex-version-stable.el8.x86_64.rpm","title":"Install the Release Package"},{"location":"install/vm-install/rhel/#run-the-setup-script","text":"Execute the setup script with command below: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py If Admin-UI component is being installed, then the script will require SSA input, either as text or as a file path. This should be the SSA or file which was acquired as part of prerequisite step . Install Admin UI [Y/n]: y Please enter path of file containing SSA or paste SSA (q to exit): Alternatively, for SSA file can be passed as a parameter to the setup script as below. python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py -admin-ui-ssa [ filename ]","title":"Run the setup script"},{"location":"install/vm-install/rhel/#verify-and-access-the-installation","text":"Verify that installation has been successful and all installed components are accessible using the steps below Log in to Text User Interface (TUI) /opt/jans/jans-cli/jans_cli_tui.py Full TUI documentation can be found here Log into Admin-UI using URI below https://FQDN/admin When troubleshooting issues with Admin UI access, it's advisable to check the logs , refer to the FAQ , and review service dependencies for potential solutions. Access Casa using URI below https://FQDN/jans-casa","title":"Verify and Access the Installation"},{"location":"install/vm-install/rhel/#enabling-https","text":"To enable communication with Janssen Server over TLS (https) in a production environment, Janssen Server needs details about CA certificate. Update the HTTPS cofiguration file https_jans.conf as shown below: Note Want to use Let's Encrypt to get a certificate? Follow this guide . 
Open https_jans.conf sudo vi /etc/httpd/conf.d/https_jans.conf Update SSLCertificateFile and SSLCertificateKeyFile parameters values SSLCertificateFile location_of_fullchain.pem SSLCertificateKeyFile location_of_privkey.pem Restart httpd service for changes to take effect sudo service httpd restart","title":"Enabling HTTPS"},{"location":"install/vm-install/rhel/#uninstallation","text":"Removing Flex is a two step process: Uninstall Gluu Flex Uninstall Janssen Packages If you have not run the setup script, you can skip step 1 and just remove the package.","title":"Uninstallation"},{"location":"install/vm-install/rhel/#uninstall-gluu-flex","text":"Use the command below to uninstall the Gluu Flex server sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex Output: [ec2-user@manojs1978-lenient-drum ~]$ sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex This process is irreversible. Gluu Flex Components will be removed Are you sure to uninstall Gluu Flex? [yes/N] yes Profile was detected as jans. Log Files: /opt/jans/jans-setup/logs/flex-setup.log /opt/jans/jans-setup/logs/flex-setup-error.log /opt/jans/jans-setup/setup_app/pylib/jwt/utils.py:7: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release. from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurve Please wait while collecting properties... 
Uninstalling Gluu Casa - Deleting /etc/default/casa - Deleting /etc/systemd/system/casa.service - Removing casa directives from apache configuration - Deleting /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar - Removing plugin /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar from Jans Auth Configuration - Deleting /opt/jans/python/libs/Casa.py - Deleting /opt/jans/python/libs/casa-external_fido2.py - Deleting /opt/jans/python/libs/casa-external_otp.py - Deleting /opt/jans/python/libs/casa-external_super_gluu.py - Deleting /opt/jans/python/libs/casa-external_twilio_sms.py - Deleting casa client from db backend - Deleting casa client scopes from db backend - Deleting casa configuration from db backend - Deleting script 3000-F75A from db backend - Deleting /opt/jans/jetty/casa Uninstalling Gluu Admin-UI - Deleting Gluu Flex Admin UI Client 2001.931e814d-01e2-4983-898f-91bf93670f7b - Removing Admin UI directives from apache configuration - Deleting /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar - Removing plugin /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar from Jans Config API Configuration - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2.xml - Rewriting Jans CLI init file for plugins - Deleting /var/www/html/admin Disabling script A51E-76DA Restarting Apache Restarting Jans Auth Restarting Janssen Config Api","title":"Uninstall Gluu Flex"},{"location":"install/vm-install/rhel/#uninstall-janssen-packages","text":"The command below removes and uninstall the jans package sudo python3 /opt/jans/jans-setup/install.py -uninstall Output: [ec2-user@manojs1978-lenient-drum ~]$ sudo python3 /opt/jans/jans-setup/install.py -uninstall This process is irreversible. You will lose all data related to Janssen Server. Are you sure to uninstall Janssen Server? [yes/N] yes Uninstalling Jannsen Server... 
Removing /etc/default/jans-config-api Stopping jans-config-api Removing /etc/default/jans-auth Stopping jans-auth Removing /etc/default/jans-fido2 Stopping jans-fido2 Removing /etc/default/jans-scim Stopping jans-scim Removing /etc/default/jans-cache-refresh Stopping jans-cache-refresh Executing rm -r -f /etc/certs Executing rm -r -f /etc/jans Executing rm -r -f /opt/jans Executing rm -r -f /opt/amazon-corretto* Executing rm -r -f /opt/jre Executing rm -r -f /opt/node* Executing rm -r -f /opt/jetty* Executing rm -r -f /opt/jython* Executing rm -r -f /opt/dist Removing /etc/httpd/conf.d/https_jans.conf","title":"Uninstall Janssen Packages"},{"location":"install/vm-install/rhel/#remove-gluu-flex-packages","text":"List existing Gluu packages with: sudo yum list installed | grep flex Remove packages: sudo yum remove ","title":"Remove Gluu Flex Packages:"},{"location":"install/vm-install/rhel/#uninstalling-admin-ui","text":"To uninstall the Admin UI from your Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex","title":"Uninstalling Admin UI"},{"location":"install/vm-install/rhel/#updating-admin-ui","text":"To update the Admin UI in an existing Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --update-admin-ui","title":"Updating Admin UI"},{"location":"install/vm-install/suse/","tags":["administration","installation","vm","SUSE","SLES","Tumbleweed"],"text":"Install Gluu Flex On SUSE Linux # This is a step-by-step guide for installation and uninstallation of Gluu Flex on SUSE Linux distributions Prerequisites # Ensure that the OS platform is one of the supported versions VM should meet VM system requirements Make sure that if SELinux is installed then it is put into permissive mode If the server firewall is running, make sure you allow https , which is needed for OpenID and FIDO. 
sudo firewall-cmd --permanent --zone = public --add-service = https sudo firewall-cmd --reload for SUSE Linux Enterprise(SLES) we need to enable PackageHub as per OS version and architecture sudo SUSEConnect -p PackageHub/15.4/x86_64 Please obtain an SSA to trial Flex, after which you are issued a JWT that you can use during installation. SSA should be stored in a text file on an accessible path. Install the Package # Download and Verify the Release Package # Download the release package from the GitHub FLEX Releases wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.suse15.x86_64.rpm -P ~/ GPG key is used to ensure the authenticity of the downloaded package during the installation process. If the key is not found, the installation step would fail. Use the commands below to download and import the GPG key. wget https://github.com/GluuFederation/flex/files/11814579/automation-flex-public-gpg.zip unzip automation-flex-public-gpg.zip sudo rpm -import automation-flex-public-gpg.asc Verify the integrity of the downloaded package using published sha256sum . Download the sha256sum file for the package wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.suse15.x86_64.rpm.sha256sum -P ~/ Verify package integrity sha256sum -c flex-replace-flex-version-stable.suse15.x86_64.rpm.sha256sum You should see: flex-replace-flex-version-suse15.x86_64.rpm: ok Install the Release Package # Use SUSE zypper to install sudo zypper install ~/flex-replace-flex-version-stable.suse15.x86_64.rpm Run the setup script # Run the setup script: Execute the setup script with command below: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py If Admin-UI component is being installed, then the script will require SSA input, either as text or as a file path. This should be the SSA or file which was acquired as part of prerequisite step . 
Install Admin UI [Y/n]: y Please enter path of file containing SSA or paste SSA (q to exit): Alternatively, for SSA file can be passed as a parameter to the setup script as below. sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py -admin-ui-ssa [ filename ] Verify and Access the Installation # Verify that installation has been successful and all installed components are accessible using the steps below: Log in to Text User Interface (TUI) /opt/jans/jans-cli/jans_cli_tui.py TUI is a text-based configuration tool for Gluu Flex Server. Log into Admin-UI using URI below https://FQDN/admin When troubleshooting issues with Admin UI access, it's advisable to check the logs , refer to the FAQ , and review service dependencies for potential solutions. Access Casa using URI below https://FQDN/jans-casa Enabling HTTPS # To enable communication with Janssen Server over TLS (https) in a production environment, Janssen Server needs details about CA certificate. Update the HTTPS cofiguration file https_jans.conf as shown below: Note Want to use Let's Encrypt to get a certificate? Follow this guide . Open _https_jans.conf sudo vi /etc/apache2/vhosts.d/_https_jans.conf ``` - Update ` SSLCertificateFile ` and ` SSLCertificateKeyFile ` parameters values ``` bash SSLCertificateFile location_of_fullchain.pem SSLCertificateKeyFile location_of_privkey.pem Restart apache service for changes to take effect sudo /usr/sbin/rcapache2 restart Uninstallation # Removing Flex is a two step process: Uninstall Gluu Flex and Uninstall Janssen Packages Remove Gluu Packages If you have not run the setup script, you can skip step 1 and just remove the package. First use the command below to uninstall the Gluu Flex server sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex the output will be like this: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex This process is irreversible. 
Gluu Flex Components will be removed Are you sure to uninstall Gluu Flex? [yes/N] yes Profile was detected as jans. Log Files: /opt/jans/jans-setup/logs/flex-setup.log /opt/jans/jans-setup/logs/flex-setup-error.log /opt/jans/jans-setup/setup_app/pylib/jwt/utils.py:7: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release. from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurve Please wait while collecting properties... Uninstalling Gluu Casa - Deleting /etc/default/casa - Deleting /etc/systemd/system/casa.service - Removing casa directives from apache configuration - Deleting /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar - Removing plugin /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar from Jans Auth Configuration - Deleting /opt/jans/python/libs/Casa.py - Deleting /opt/jans/python/libs/casa-external_fido2.py - Deleting /opt/jans/python/libs/casa-external_otp.py - Deleting /opt/jans/python/libs/casa-external_super_gluu.py - Deleting /opt/jans/python/libs/casa-external_twilio_sms.py - Deleting casa client from db backend - Deleting casa client scopes from db backend - Deleting casa configuration from db backend - Deleting script 3000-F75A from db backend - Deleting /opt/jans/jetty/casa Uninstalling Gluu Admin-UI - Deleting Gluu Flex Admin UI Client 2001.732c7b51-57c4-48a5-b64d-8718b3e043bb - Removing Admin UI directives from apache configuration - Deleting /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar - Removing plugin /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar from Jans Config API Configuration - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2.xml - Rewriting Jans CLI init file for plugins - Deleting /srv/www/htdocs/admin Disabling script A51E-76DA Restarting 
Apache Restarting Jans Auth Restarting Janssen Config Api Uninstall Janssen Packages # The command below removes and uninstall the jans package sudo python3 /opt/jans/jans-setup/install.py -uninstall output will be like this: sudo python3 /opt/jans/jans-setup/install.py -uninstall -yes --keep-downloads --keep-setup This process is irreversible. You will lose all data related to Janssen Server. Are you sure to uninstall Janssen Server? [ yes/N ] yes Uninstalling Jannsen Server... Removing /etc/default/jans-config-api Stopping jans-config-api Removing /etc/default/jans-auth Stopping jans-auth Removing /etc/default/jans-fido2 Stopping jans-fido2 Removing /etc/default/jans-scim Stopping jans-scim Removing /etc/default/jans-cache-refresh Stopping jans-cache-refresh Executing rm -r -f /etc/certs Executing rm -r -f /etc/jans Executing rm -r -f /opt/jans Executing rm -r -f /opt/amazon-corretto* Executing rm -r -f /opt/jre Executing rm -r -f /opt/node* Executing rm -r -f /opt/jetty* Executing rm -r -f /opt/jython* Executing rm -r -f /opt/dist Removing /etc/apache2/vhosts.d/_https_jans.conf Second uninstall the package: You should see the package with: sudo rpm -qa | grep flex Remove package with: sudo zypper remove flex Updating Admin UI # To update the Admin UI in an existing Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --update-admin-ui","title":"SUSE"},{"location":"install/vm-install/suse/#install-gluu-flex-on-suse-linux","text":"This is a step-by-step guide for installation and uninstallation of Gluu Flex on SUSE Linux distributions","title":"Install Gluu Flex On SUSE Linux"},{"location":"install/vm-install/suse/#prerequisites","text":"Ensure that the OS platform is one of the supported versions VM should meet VM system requirements Make sure that if SELinux is installed then it is put into permissive mode If the server firewall is running, make sure you allow https , which is needed for OpenID and FIDO. 
sudo firewall-cmd --permanent --zone = public --add-service = https sudo firewall-cmd --reload for SUSE Linux Enterprise(SLES) we need to enable PackageHub as per OS version and architecture sudo SUSEConnect -p PackageHub/15.4/x86_64 Please obtain an SSA to trial Flex, after which you are issued a JWT that you can use during installation. SSA should be stored in a text file on an accessible path.","title":"Prerequisites"},{"location":"install/vm-install/suse/#install-the-package","text":"","title":"Install the Package"},{"location":"install/vm-install/suse/#download-and-verify-the-release-package","text":"Download the release package from the GitHub FLEX Releases wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.suse15.x86_64.rpm -P ~/ GPG key is used to ensure the authenticity of the downloaded package during the installation process. If the key is not found, the installation step would fail. Use the commands below to download and import the GPG key. wget https://github.com/GluuFederation/flex/files/11814579/automation-flex-public-gpg.zip unzip automation-flex-public-gpg.zip sudo rpm -import automation-flex-public-gpg.asc Verify the integrity of the downloaded package using published sha256sum . 
Download the sha256sum file for the package wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.suse15.x86_64.rpm.sha256sum -P ~/ Verify package integrity sha256sum -c flex-replace-flex-version-stable.suse15.x86_64.rpm.sha256sum You should see: flex-replace-flex-version-suse15.x86_64.rpm: ok","title":"Download and Verify the Release Package"},{"location":"install/vm-install/suse/#install-the-release-package","text":"Use SUSE zypper to install sudo zypper install ~/flex-replace-flex-version-stable.suse15.x86_64.rpm","title":"Install the Release Package"},{"location":"install/vm-install/suse/#run-the-setup-script","text":"Run the setup script: Execute the setup script with command below: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py If Admin-UI component is being installed, then the script will require SSA input, either as text or as a file path. This should be the SSA or file which was acquired as part of prerequisite step . Install Admin UI [Y/n]: y Please enter path of file containing SSA or paste SSA (q to exit): Alternatively, for SSA file can be passed as a parameter to the setup script as below. sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py -admin-ui-ssa [ filename ]","title":"Run the setup script"},{"location":"install/vm-install/suse/#verify-and-access-the-installation","text":"Verify that installation has been successful and all installed components are accessible using the steps below: Log in to Text User Interface (TUI) /opt/jans/jans-cli/jans_cli_tui.py TUI is a text-based configuration tool for Gluu Flex Server. Log into Admin-UI using URI below https://FQDN/admin When troubleshooting issues with Admin UI access, it's advisable to check the logs , refer to the FAQ , and review service dependencies for potential solutions. 
Access Casa using URI below https://FQDN/jans-casa","title":"Verify and Access the Installation"},{"location":"install/vm-install/suse/#enabling-https","text":"To enable communication with Janssen Server over TLS (https) in a production environment, Janssen Server needs details about CA certificate. Update the HTTPS cofiguration file https_jans.conf as shown below: Note Want to use Let's Encrypt to get a certificate? Follow this guide . Open _https_jans.conf sudo vi /etc/apache2/vhosts.d/_https_jans.conf ``` - Update ` SSLCertificateFile ` and ` SSLCertificateKeyFile ` parameters values ``` bash SSLCertificateFile location_of_fullchain.pem SSLCertificateKeyFile location_of_privkey.pem Restart apache service for changes to take effect sudo /usr/sbin/rcapache2 restart","title":"Enabling HTTPS"},{"location":"install/vm-install/suse/#uninstallation","text":"Removing Flex is a two step process: Uninstall Gluu Flex and Uninstall Janssen Packages Remove Gluu Packages If you have not run the setup script, you can skip step 1 and just remove the package. First use the command below to uninstall the Gluu Flex server sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex the output will be like this: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex This process is irreversible. Gluu Flex Components will be removed Are you sure to uninstall Gluu Flex? [yes/N] yes Profile was detected as jans. Log Files: /opt/jans/jans-setup/logs/flex-setup.log /opt/jans/jans-setup/logs/flex-setup-error.log /opt/jans/jans-setup/setup_app/pylib/jwt/utils.py:7: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release. from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurve Please wait while collecting properties... 
Uninstalling Gluu Casa - Deleting /etc/default/casa - Deleting /etc/systemd/system/casa.service - Removing casa directives from apache configuration - Deleting /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar - Removing plugin /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar from Jans Auth Configuration - Deleting /opt/jans/python/libs/Casa.py - Deleting /opt/jans/python/libs/casa-external_fido2.py - Deleting /opt/jans/python/libs/casa-external_otp.py - Deleting /opt/jans/python/libs/casa-external_super_gluu.py - Deleting /opt/jans/python/libs/casa-external_twilio_sms.py - Deleting casa client from db backend - Deleting casa client scopes from db backend - Deleting casa configuration from db backend - Deleting script 3000-F75A from db backend - Deleting /opt/jans/jetty/casa Uninstalling Gluu Admin-UI - Deleting Gluu Flex Admin UI Client 2001.732c7b51-57c4-48a5-b64d-8718b3e043bb - Removing Admin UI directives from apache configuration - Deleting /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar - Removing plugin /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar from Jans Config API Configuration - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2.xml - Rewriting Jans CLI init file for plugins - Deleting /srv/www/htdocs/admin Disabling script A51E-76DA Restarting Apache Restarting Jans Auth Restarting Janssen Config Api","title":"Uninstallation"},{"location":"install/vm-install/suse/#uninstall-janssen-packages","text":"The command below removes and uninstall the jans package sudo python3 /opt/jans/jans-setup/install.py -uninstall output will be like this: sudo python3 /opt/jans/jans-setup/install.py -uninstall -yes --keep-downloads --keep-setup This process is irreversible. You will lose all data related to Janssen Server. Are you sure to uninstall Janssen Server? [ yes/N ] yes Uninstalling Jannsen Server... 
Removing /etc/default/jans-config-api Stopping jans-config-api Removing /etc/default/jans-auth Stopping jans-auth Removing /etc/default/jans-fido2 Stopping jans-fido2 Removing /etc/default/jans-scim Stopping jans-scim Removing /etc/default/jans-cache-refresh Stopping jans-cache-refresh Executing rm -r -f /etc/certs Executing rm -r -f /etc/jans Executing rm -r -f /opt/jans Executing rm -r -f /opt/amazon-corretto* Executing rm -r -f /opt/jre Executing rm -r -f /opt/node* Executing rm -r -f /opt/jetty* Executing rm -r -f /opt/jython* Executing rm -r -f /opt/dist Removing /etc/apache2/vhosts.d/_https_jans.conf Second uninstall the package: You should see the package with: sudo rpm -qa | grep flex Remove package with: sudo zypper remove flex","title":"Uninstall Janssen Packages"},{"location":"install/vm-install/suse/#updating-admin-ui","text":"To update the Admin UI in an existing Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --update-admin-ui","title":"Updating Admin UI"},{"location":"install/vm-install/ubuntu/","tags":["administration","installation","vm","Ubuntu"],"text":"Install Gluu Flex On Ubuntu Linux # This is a step-by-step guide for installation and uninstallation of Gluu Flex on Ubuntu Linux Prerequisites # Ensure that the OS platform is one of the supported versions VM should meet VM system requirements Make sure that if SELinux is installed then it is put into permissive mode If the server firewall is running, make sure you allow https , which is needed for OpenID and FIDO. sudo ufw allow https Please obtain an SSA to trial Flex, after which you are issued a JWT that you can use during installation. SSA should be stored in a text file on an accessible path. Install the Package # Download and Verify the Release Package # Download the release package from the GitHub FLEX Releases . Choose the correct command from below based on the OS version. 
#Ubuntu 22.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu22.04_amd64.deb -P /tmp #Ubuntu 20.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu20.04_amd64.deb -P /tmp GPG key is used to ensure the authenticity of the downloaded package during the installation process. If the key is not found, the installation step would fail. Use the commands below to download and import the GPG key. wget https://github.com/GluuFederation/flex/files/11814579/automation-flex-public-gpg.zip unzip automation-flex-public-gpg.zip ; sudo gpg --import automation-flex-public-gpg.asc ; Verify the integrity of the downloaded package using published sha256sum . Download the sha256sum file for the package. Choose the correct command from below based on the OS version. #Ubuntu 22.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu22.04_amd64.deb.sha256sum -P /tmp #Ubuntu 20.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu20.04_amd64.deb.sha256sum -P /tmp Verify package integrity of the package that has been downloaded by checking hash. Run the command below from the directory where the downloaded package and the .sha256sum files are located. Choose the correct command from below based on the OS version. #Ubuntu 22.04 cd /tmp sha256sum -c flex_replace-flex-version-stable.ubuntu22.04_amd64.deb.sha256sum #Ubuntu 20.04 cd /tmp sha256sum -c flex_replace-flex-version-stable.ubuntu20.04_amd64.deb.sha256sum Output similar to below should confirm the integrity of the downloaded package. flex_replace-flex-version-stable.ubuntu_amd64.deb: ok Install the Release Package # Choose the correct command from below based on the OS version. 
#Ubuntu 22.04 apt install -y /tmp/flex_replace-flex-version-stable.ubuntu22.04_amd64.deb #Ubuntu 20.04 apt install -y /tmp/flex_replace-flex-version-stable.ubuntu20.04_amd64.deb Run the setup script # Execute the setup script with command below: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py If Admin-UI component is being installed, then the script will require SSA input, either as text or as a file path. This should be the SSA or file which was acquired as part of prerequisite step . Install Admin UI [Y/n]: y Please enter path of file containing SSA or paste SSA (q to exit): Alternatively, for SSA file can be passed as a parameter to the setup script as below. sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py -admin-ui-ssa [ filename ] Verify and Access the Installation # Verify that installation has been successful and all installed components are accessible using the steps below: Log in to Text User Interface (TUI) /opt/jans/jans-cli/jans_cli_tui.py TUI is a text-based configuration tool for Gluu Flex Server. Log into Admin-UI using URI below https://FQDN/admin When troubleshooting issues with Admin UI access, it's advisable to check the logs , refer to the FAQ , and review service dependencies for potential solutions. Access Casa using URI below https://FQDN/jans-casa Enabling HTTPS # To enable communication with Janssen Server over TLS (https) in a production environment, Janssen Server needs details about CA certificate. Note Want to use Let's Encrypt to get a certificate? Follow this guide . Uninstallation # Removing Flex is a two step process: Uninstall Gluu Flex Uninstall Janssen Packages If you have not run the setup script, you can skip step 1 and just remove the package. 
Uninstall Gluu Flex # Use the command below to uninstall the Gluu Flex server python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex Output: root@manojs1978-cute-ram:~# python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex This process is irreversible. Gluu Flex Components will be removed Are you sure to uninstall Gluu Flex? [yes/N] yes Profile was detected as jans. Log Files: /opt/jans/jans-setup/logs/flex-setup.log /opt/jans/jans-setup/logs/flex-setup-error.log Please wait while collecting properties... Uninstalling Gluu Casa - Deleting /etc/default/casa - Deleting /etc/systemd/system/casa.service - Removing casa directives from apache configuration - Deleting /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar - Removing plugin /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar from Jans Auth Configuration - Deleting /opt/jans/python/libs/Casa.py - Deleting /opt/jans/python/libs/casa-external_fido2.py - Deleting /opt/jans/python/libs/casa-external_otp.py - Deleting /opt/jans/python/libs/casa-external_super_gluu.py - Deleting /opt/jans/python/libs/casa-external_twilio_sms.py - Deleting casa client from db backend - Deleting casa client scopes from db backend - Deleting casa configuration from db backend - Deleting script 3000-F75A from db backend - Deleting /opt/jans/jetty/casa Uninstalling Gluu Admin-UI - Deleting Gluu Flex Admin UI Client 2001.e7989c7e-09b5-4e39-a7c9-a78017127cf0 - Removing Admin UI directives from apache configuration - Deleting /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar - Removing plugin /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar from Jans Config API Configuration - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2.xml - Rewriting Jans CLI init file for plugins - Deleting /var/www/html/admin Disabling script A51E-76DA Restarting Apache 
Restarting Jans Auth Restarting Janssen Config Api Uninstall Janssen Packages # The command below removes and uninstall the jans package python3 /opt/jans/jans-setup/install.py -uninstall Output : root@manojs1978-cute-ram:~# python3 /opt/jans/jans-setup/install.py -uninstall This process is irreversible. You will lose all data related to Janssen Server. Are you sure to uninstall Janssen Server? [yes/N] yes Uninstalling Jannsen Server... Removing /etc/default/jans-config-api Stopping jans-config-api Removing /etc/default/jans-auth Stopping jans-auth Removing /etc/default/jans-fido2 Stopping jans-fido2 Removing /etc/default/jans-scim Stopping jans-scim Removing /etc/default/jans-cache-refresh Stopping jans-cache-refresh Stopping OpenDj Server Stopping Server... [23/Jun/2023:09:10:27 +0000] category=BACKEND severity=NOTICE msgID=370 msg=The backend userRoot is now taken offline [23/Jun/2023:09:10:28 +0000] category=BACKEND severity=NOTICE msgID=370 msg=The backend site is now taken offline [23/Jun/2023:09:10:28 +0000] category=BACKEND severity=NOTICE msgID=370 msg=The backend metric is now taken offline [23/Jun/2023:09:10:28 +0000] category=CORE severity=NOTICE msgID=203 msg=The Directory Server is now stopped Executing rm -r -f /etc/certs Executing rm -r -f /etc/jans Executing rm -r -f /opt/jans Executing rm -r -f /opt/amazon-corretto* Executing rm -r -f /opt/jre Executing rm -r -f /opt/node* Executing rm -r -f /opt/jetty* Executing rm -r -f /opt/jython* Executing rm -r -f /opt/opendj Executing rm -r -f /opt/dist Removing /etc/apache2/sites-enabled/https_jans.conf Removing /etc/apache2/sites-available/https_jans.conf Remove Gluu Flex Packages: # List existing Gluu Flex packages with: sudo apt list --installed | grep flex Remove packages: sudo apt remove Uninstalling Admin UI # To uninstall the Admin UI from your Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex Updating Admin UI # To update 
the Admin UI in an existing Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --update-admin-ui","title":"Ubuntu"},{"location":"install/vm-install/ubuntu/#install-gluu-flex-on-ubuntu-linux","text":"This is a step-by-step guide for installation and uninstallation of Gluu Flex on Ubuntu Linux","title":"Install Gluu Flex On Ubuntu Linux"},{"location":"install/vm-install/ubuntu/#prerequisites","text":"Ensure that the OS platform is one of the supported versions VM should meet VM system requirements Make sure that if SELinux is installed then it is put into permissive mode If the server firewall is running, make sure you allow https , which is needed for OpenID and FIDO. sudo ufw allow https Please obtain an SSA to trial Flex, after which you are issued a JWT that you can use during installation. SSA should be stored in a text file on an accessible path.","title":"Prerequisites"},{"location":"install/vm-install/ubuntu/#install-the-package","text":"","title":"Install the Package"},{"location":"install/vm-install/ubuntu/#download-and-verify-the-release-package","text":"Download the release package from the GitHub FLEX Releases . Choose the correct command from below based on the OS version. #Ubuntu 22.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu22.04_amd64.deb -P /tmp #Ubuntu 20.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu20.04_amd64.deb -P /tmp GPG key is used to ensure the authenticity of the downloaded package during the installation process. If the key is not found, the installation step would fail. Use the commands below to download and import the GPG key. 
wget https://github.com/GluuFederation/flex/files/11814579/automation-flex-public-gpg.zip unzip automation-flex-public-gpg.zip ; sudo gpg --import automation-flex-public-gpg.asc ; Verify the integrity of the downloaded package using published sha256sum . Download the sha256sum file for the package. Choose the correct command from below based on the OS version. #Ubuntu 22.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu22.04_amd64.deb.sha256sum -P /tmp #Ubuntu 20.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu20.04_amd64.deb.sha256sum -P /tmp Verify package integrity of the package that has been downloaded by checking hash. Run the command below from the directory where the downloaded package and the .sha256sum files are located. Choose the correct command from below based on the OS version. #Ubuntu 22.04 cd /tmp sha256sum -c flex_replace-flex-version-stable.ubuntu22.04_amd64.deb.sha256sum #Ubuntu 20.04 cd /tmp sha256sum -c flex_replace-flex-version-stable.ubuntu20.04_amd64.deb.sha256sum Output similar to below should confirm the integrity of the downloaded package. flex_replace-flex-version-stable.ubuntu_amd64.deb: ok","title":"Download and Verify the Release Package"},{"location":"install/vm-install/ubuntu/#install-the-release-package","text":"Choose the correct command from below based on the OS version. 
#Ubuntu 22.04 apt install -y /tmp/flex_replace-flex-version-stable.ubuntu22.04_amd64.deb #Ubuntu 20.04 apt install -y /tmp/flex_replace-flex-version-stable.ubuntu20.04_amd64.deb","title":"Install the Release Package"},{"location":"install/vm-install/ubuntu/#run-the-setup-script","text":"Execute the setup script with command below: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py If Admin-UI component is being installed, then the script will require SSA input, either as text or as a file path. This should be the SSA or file which was acquired as part of prerequisite step . Install Admin UI [Y/n]: y Please enter path of file containing SSA or paste SSA (q to exit): Alternatively, for SSA file can be passed as a parameter to the setup script as below. sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py -admin-ui-ssa [ filename ]","title":"Run the setup script"},{"location":"install/vm-install/ubuntu/#verify-and-access-the-installation","text":"Verify that installation has been successful and all installed components are accessible using the steps below: Log in to Text User Interface (TUI) /opt/jans/jans-cli/jans_cli_tui.py TUI is a text-based configuration tool for Gluu Flex Server. Log into Admin-UI using URI below https://FQDN/admin When troubleshooting issues with Admin UI access, it's advisable to check the logs , refer to the FAQ , and review service dependencies for potential solutions. Access Casa using URI below https://FQDN/jans-casa","title":"Verify and Access the Installation"},{"location":"install/vm-install/ubuntu/#enabling-https","text":"To enable communication with Janssen Server over TLS (https) in a production environment, Janssen Server needs details about CA certificate. Note Want to use Let's Encrypt to get a certificate? 
Follow this guide .","title":"Enabling HTTPS"},{"location":"install/vm-install/ubuntu/#uninstallation","text":"Removing Flex is a two step process: Uninstall Gluu Flex Uninstall Janssen Packages If you have not run the setup script, you can skip step 1 and just remove the package.","title":"Uninstallation"},{"location":"install/vm-install/ubuntu/#uninstall-gluu-flex","text":"Use the command below to uninstall the Gluu Flex server python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex Output: root@manojs1978-cute-ram:~# python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex This process is irreversible. Gluu Flex Components will be removed Are you sure to uninstall Gluu Flex? [yes/N] yes Profile was detected as jans. Log Files: /opt/jans/jans-setup/logs/flex-setup.log /opt/jans/jans-setup/logs/flex-setup-error.log Please wait while collecting properties... Uninstalling Gluu Casa - Deleting /etc/default/casa - Deleting /etc/systemd/system/casa.service - Removing casa directives from apache configuration - Deleting /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar - Removing plugin /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar from Jans Auth Configuration - Deleting /opt/jans/python/libs/Casa.py - Deleting /opt/jans/python/libs/casa-external_fido2.py - Deleting /opt/jans/python/libs/casa-external_otp.py - Deleting /opt/jans/python/libs/casa-external_super_gluu.py - Deleting /opt/jans/python/libs/casa-external_twilio_sms.py - Deleting casa client from db backend - Deleting casa client scopes from db backend - Deleting casa configuration from db backend - Deleting script 3000-F75A from db backend - Deleting /opt/jans/jetty/casa Uninstalling Gluu Admin-UI - Deleting Gluu Flex Admin UI Client 2001.e7989c7e-09b5-4e39-a7c9-a78017127cf0 - Removing Admin UI directives from apache configuration - Deleting /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar - Removing plugin 
/opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar from Jans Config API Configuration - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2.xml - Rewriting Jans CLI init file for plugins - Deleting /var/www/html/admin Disabling script A51E-76DA Restarting Apache Restarting Jans Auth Restarting Janssen Config Api","title":"Uninstall Gluu Flex"},{"location":"install/vm-install/ubuntu/#uninstall-janssen-packages","text":"The command below removes and uninstall the jans package python3 /opt/jans/jans-setup/install.py -uninstall Output : root@manojs1978-cute-ram:~# python3 /opt/jans/jans-setup/install.py -uninstall This process is irreversible. You will lose all data related to Janssen Server. Are you sure to uninstall Janssen Server? [yes/N] yes Uninstalling Jannsen Server... Removing /etc/default/jans-config-api Stopping jans-config-api Removing /etc/default/jans-auth Stopping jans-auth Removing /etc/default/jans-fido2 Stopping jans-fido2 Removing /etc/default/jans-scim Stopping jans-scim Removing /etc/default/jans-cache-refresh Stopping jans-cache-refresh Stopping OpenDj Server Stopping Server... 
[23/Jun/2023:09:10:27 +0000] category=BACKEND severity=NOTICE msgID=370 msg=The backend userRoot is now taken offline [23/Jun/2023:09:10:28 +0000] category=BACKEND severity=NOTICE msgID=370 msg=The backend site is now taken offline [23/Jun/2023:09:10:28 +0000] category=BACKEND severity=NOTICE msgID=370 msg=The backend metric is now taken offline [23/Jun/2023:09:10:28 +0000] category=CORE severity=NOTICE msgID=203 msg=The Directory Server is now stopped Executing rm -r -f /etc/certs Executing rm -r -f /etc/jans Executing rm -r -f /opt/jans Executing rm -r -f /opt/amazon-corretto* Executing rm -r -f /opt/jre Executing rm -r -f /opt/node* Executing rm -r -f /opt/jetty* Executing rm -r -f /opt/jython* Executing rm -r -f /opt/opendj Executing rm -r -f /opt/dist Removing /etc/apache2/sites-enabled/https_jans.conf Removing /etc/apache2/sites-available/https_jans.conf","title":"Uninstall Janssen Packages"},{"location":"install/vm-install/ubuntu/#remove-gluu-flex-packages","text":"List existing Gluu Flex packages with: sudo apt list --installed | grep flex Remove packages: sudo apt remove ","title":"Remove Gluu Flex Packages:"},{"location":"install/vm-install/ubuntu/#uninstalling-admin-ui","text":"To uninstall the Admin UI from your Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex","title":"Uninstalling Admin UI"},{"location":"install/vm-install/ubuntu/#updating-admin-ui","text":"To update the Admin UI in an existing Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --update-admin-ui","title":"Updating Admin UI"},{"location":"install/vm-install/vm-requirements/","text":"VM System Requirements # Supported Versions # Gluu Flex currently provides packages for these Linux distros: Ubuntu (versions: 20.04 and 22.04) SUSE Distributions SUSE Linux Enterprise Server (SLES) 15 openSUSE Leap 15.5 openSUSE Tumbleweed RedHat Enterprise Linux (version: 
8) Note This document is intended exclusively for dev and staging environments. For production deployment on a VM, refer to this documentation which utilizes Rancher and Helm deployments. Hardware Requirements # A single-VM deployment is where all services are running on one server. Although, the requirements can vary based on the size of the data and the required concurrency, the following guidelines can help you plan: 8 GB RAM 4 CPU 20 GB Disk Port Configuration # Gluu Flex requires the following ports to be open for incoming connections. Port Protocol Notes 443 TCP TLS/HTTP You may want to use a redirect on port 80 to 443, although it is not required. Of course you will also need some way to login to your server, but that is out of scope of these docs. Check your server firewall documentation to configure your firewall to allow https . Hostname / IP Address Configuration # It is recommended that you use a static ip address for Gluu Flex. Your server should also return the hostname for the hostname command, it's recommended that you add the hostname to the /etc/hosts file. File Descriptor Configuration (FD) # Like most database and Internet servers, you must have at least 65k file descriptors. If you don't, your server will hang. First, check the current file descriptor limit using command below. If the existing FD limit exceeds 65535, then you're good. # cat /proc/sys/fs/file-max If FD limit is less than 65535 (e.g. 1024), then follow the steps below to increase the value. 1) Set soft and hard limits by adding the following lines in the /etc/security/limits.conf file * soft nofile 65535 * hard nofile 262144 2) Add the following lines to /etc/pam.d/login if not already present session required pam_limits.so 3) Increase the FD limit in /proc/sys/fs/file-max echo 65535 > /proc/sys/fs/file-max** 4) Use the ulimit command to set the FD limit to the hard limit specified in /etc/security/limits.conf . 
If setting to hard limit doesn't work, then try to set it to the soft limit. ulimit -n 262144 5) Restart the system","title":"VM System Requirements"},{"location":"install/vm-install/vm-requirements/#vm-system-requirements","text":"","title":"VM System Requirements"},{"location":"install/vm-install/vm-requirements/#supported-versions","text":"Gluu Flex currently provides packages for these Linux distros: Ubuntu (versions: 20.04 and 22.04) SUSE Distributions SUSE Linux Enterprise Server (SLES) 15 openSUSE Leap 15.5 openSUSE Tumbleweed RedHat Enterprise Linux (version: 8) Note This document is intended exclusively for dev and staging environments. For production deployment on a VM, refer to this documentation which utilizes Rancher and Helm deployments.","title":"Supported Versions"},{"location":"install/vm-install/vm-requirements/#hardware-requirements","text":"A single-VM deployment is where all services are running on one server. Although, the requirements can vary based on the size of the data and the required concurrency, the following guidelines can help you plan: 8 GB RAM 4 CPU 20 GB Disk","title":"Hardware Requirements"},{"location":"install/vm-install/vm-requirements/#port-configuration","text":"Gluu Flex requires the following ports to be open for incoming connections. Port Protocol Notes 443 TCP TLS/HTTP You may want to use a redirect on port 80 to 443, although it is not required. Of course you will also need some way to login to your server, but that is out of scope of these docs. Check your server firewall documentation to configure your firewall to allow https .","title":"Port Configuration"},{"location":"install/vm-install/vm-requirements/#hostname-ip-address-configuration","text":"It is recommended that you use a static ip address for Gluu Flex. 
Your server should also return the hostname for the hostname command, it's recommended that you add the hostname to the /etc/hosts file.","title":"Hostname / IP Address Configuration"},{"location":"install/vm-install/vm-requirements/#file-descriptor-configuration-fd","text":"Like most database and Internet servers, you must have at least 65k file descriptors. If you don't, your server will hang. First, check the current file descriptor limit using command below. If the existing FD limit exceeds 65535, then you're good. # cat /proc/sys/fs/file-max If FD limit is less than 65535 (e.g. 1024), then follow the steps below to increase the value. 1) Set soft and hard limits by adding the following lines in the /etc/security/limits.conf file * soft nofile 65535 * hard nofile 262144 2) Add the following lines to /etc/pam.d/login if not already present session required pam_limits.so 3) Increase the FD limit in /proc/sys/fs/file-max echo 65535 > /proc/sys/fs/file-max** 4) Use the ulimit command to set the FD limit to the hard limit specified in /etc/security/limits.conf . If setting to hard limit doesn't work, then try to set it to the soft limit. ulimit -n 262144 5) Restart the system","title":"File Descriptor Configuration (FD)"},{"location":"openbanking/","text":"Gluu Open Banking Identity Platform # Overview # The Gluu Open Banking Identity Platform is a specific profile of the Gluu Server that is packaged and configured for certain use cases: Dynamic Client Registration using software statements Payment Authorization Identity - eKYC Client Initiated Authentication (mobile/out-of-band) Other services needed by enterprises--but not by banks--have been disabled. The goal is to reduce the security surface area to make the platform easy to deploy, easy to keep up to date, and easy to rollout new features with zero downtime. This is a cloud-native distribution. Cloud-native is essential for auto-scaling, high availability, and operational automation. 
For development and testing we also support its VM distribution, where the Installation Section has more details about it. This distribution of Gluu is based on the Linux Foundation Janssen Project at the Linux Foundation, the most certified OpenID Platform available. Components # Open Banking OpenID Provider : Based on the Janssen Auth-Server, this internet-facing component provides the FAPI OpenID Connect API for dynamic client registration, transaction authorization, and CIBA. Config API : Service which configures the OpenID Provider. The Client must present an access token authorized by a trusted issuer with certain scopes. Cloud Database : Database used to store configuration, client metadata, tokens, and other information required for the operation of the OpenID Provider. Open Banking API Gateway : An Internet facing gateway for the core open banking API, should enforce the presence of a token with certain scopes. Open Banking API : The core banking API. Internal Authentication and Consent Service : An OpenID Provider, SAML IDP, or another authentication service that provides access to actual customer information. This service may handle the consent, or delegate consent to another service. User Accounts : A database where the user account information is held Bank Regulatory Directory : This is hosted by the federation operator which publishes public key material and other metadata about participants in the open banking ecosystem. Fintech / Payment Processor : A service that wants to call the Open Banking API or to get data or to process a payment. 
PKI infrastructure # Cloud-Native Architecture #","title":"Overview"},{"location":"openbanking/#gluu-open-banking-identity-platform","text":"","title":"Gluu Open Banking Identity Platform"},{"location":"openbanking/#overview","text":"The Gluu Open Banking Identity Platform is a specific profile of the Gluu Server that is packaged and configured for certain use cases: Dynamic Client Registration using software statements Payment Authorization Identity - eKYC Client Initiated Authentication (mobile/out-of-band) Other services needed by enterprises--but not by banks--have been disabled. The goal is to reduce the security surface area to make the platform easy to deploy, easy to keep up to date, and easy to rollout new features with zero downtime. This is a cloud-native distribution. Cloud-native is essential for auto-scaling, high availability, and operational automation. For development and testing we also support its VM distribution, where the Installation Section has more details about it. This distribution of Gluu is based on the Linux Foundation Janssen Project at the Linux Foundation, the most certified OpenID Platform available.","title":"Overview"},{"location":"openbanking/#components","text":"Open Banking OpenID Provider : Based on the Janssen Auth-Server, this internet-facing component provides the FAPI OpenID Connect API for dynamic client registration, transaction authorization, and CIBA. Config API : Service which configures the OpenID Provider. The Client must present an access token authorized by a trusted issuer with certain scopes. Cloud Database : Database used to store configuration, client metadata, tokens, and other information required for the operation of the OpenID Provider. Open Banking API Gateway : An Internet facing gateway for the core open banking API, should enforce the presence of a token with certain scopes. Open Banking API : The core banking API. 
Internal Authentication and Consent Service : An OpenID Provider, SAML IDP, or another authentication service that provides access to actual customer information. This service may handle the consent, or delegate consent to another service. User Accounts : A database where the user account information is held Bank Regulatory Directory : This is hosted by the federation operator which publishes public key material and other metadata about participants in the open banking ecosystem. Fintech / Payment Processor : A service that wants to call the Open Banking API or to get data or to process a payment.","title":"Components"},{"location":"openbanking/#pki-infrastructure","text":"","title":"PKI infrastructure"},{"location":"openbanking/#cloud-native-architecture","text":"","title":"Cloud-Native Architecture"},{"location":"openbanking/configuration-instructions/","text":"Generate/install keys and certs for Gluu Open Banking Identity Platform # This section covers details about setting up the keys and certificates in Cloud-Native distribution. For MTLS keys, see the document that demonstrates enabling mTLS in nginx ingress . Remember, MTLS is needed not only for the TPPs to call the authorization and token endpoints for OpenID Connect flows, but also by clients that are calling the configuration API. Add/Update Custom Scripts: # To add or update custom scripts, you can use either jans-cli or curl . jans-cli in interactive mode, option 13 enables you to manage custom scripts. For more info, see the docs . jans-cli in command line argument mode is more conducive to scripting and automation. To display the available operations for custom scripts, use config-cli.py --info CustomScripts . See the docs for more info. 
To use curl see these docs Note: If using VM installation you can normally find jans-cli.py in the /opt/jans/jans-cli/ folder.","title":"Configuration Instructions"},{"location":"openbanking/configuration-instructions/#generateinstall-keys-and-certs-for-gluu-open-banking-identity-platform","text":"This section covers details about setting up the keys and certificates in Cloud-Native distribution. For MTLS keys, see the document that demonstrates enabling mTLS in nginx ingress . Remember, MTLS is needed not only for the TPPs to call the authorization and token endpoints for OpenID Connect flows, but also by clients that are calling the configuration API.","title":"Generate/install keys and certs for Gluu Open Banking Identity Platform"},{"location":"openbanking/configuration-instructions/#addupdate-custom-scripts","text":"To add or update custom scripts, you can use either jans-cli or curl . jans-cli in interactive mode, option 13 enables you to manage custom scripts. For more info, see the docs . jans-cli in command line argument mode is more conducive to scripting and automation. To display the available operations for custom scripts, use config-cli.py --info CustomScripts . See the docs for more info. To use curl see these docs Note: If using VM installation you can normally find jans-cli.py in the /opt/jans/jans-cli/ folder.","title":"Add/Update Custom Scripts:"},{"location":"openbanking/curl/","text":"Managing scripts with CURL # Curl Prerequisites # Gluu open banking distribution client-id client-secret client certificate client key Getting the prerequisites # Get a client id and its associated password. Here, we will use the client id and secret created for config-api. TESTCLIENT = $( kubectl get cm cn -n --template ={{ .data.jca_client_id }} ) TESTCLIENTSECRET = $( kubectl get secret cn -n --template ={{ .data.jca_client_pw }} | base64 -d ) client.crt and client.key are the certificate and key files respectively for MTLS. 
Use your ca.crt and ca.key that was provided during setup to generate as many client certificates and keys as needed. If you have an existing helm deployment, you can retrieve ca.crt and ca.key using the following commands: kubectl get secret cn -n --template ={{ .data.ssl_ca_cert }} | base64 -d > ca.crt kubectl get secret cn -n --template ={{ .data.ssl_ca_key }} | base64 -d > ca.key Generate client.crt and client.key files: openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Openbanking' openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt CURL operations # The curl commands to list, add, or update custom script require a token, so first call the token endpoint to get the token using: curl -u $TESTCLIENT : $TESTCLIENTSECRET https:///jans-auth/restv1/token -d \"grant_type=client_credentials&scope=https://jans.io/oauth/config/scripts.readonly\" --cert client.crt --key client.key Example: curl -u '1801.bdfae945-b31d-4d60-8e47-16518153215:rjHoLfjfsv2G2qzGEasd1651813aIXvCi61NU' https://bank.gluu.org/jans-auth/restv1/token -d \"grant_type=client_credentials&scope=https://jans.io/oauth/config/scripts.readonly\" --cert apr22.crt --key apr22.key { \"access_token\" : \"ad34ac-8f2d-4bec-aed3-343adasda2\" , \"scope\" : \"https://jans.io/oauth/config/scripts.readonly\" , \"token_type\" : \"bearer\" , \"expires_in\" :299 } Save the access_token for use in subsequent commands. 
Use different scope values as per the requirement: View scripts information: https://jans.io/oauth/config/scripts.readonly Manage scripts-related information: https://jans.io/oauth/config/scripts.write Delete scripts-related information: https://jans.io/oauth/config/scripts.delete Use the obtained access token to perform further operations on custom scripts as given in subsequent text: Use the following command to display details of all the available custom scripts: curl -X GET https:///jans-config-api/api/v1/config/scripts -H \"Accept: application/json\" -H \"Authorization:Bearer \" -H \"Content-Type: application/json\" Example: curl -X GET https://bank.gluu.org/jans-config-api/api/v1/config/scripts -H \"Accept: application/json\" -H \"Authorization:Bearer ad34ac-8f2d-4bec-aed3-343adasda2\" -H \"Content-Type: application/json\" The following command will add a new custom script (Obtain token with write scope) and if it is successful it will display the added script in JSON format. The scriptformat.json file has script details according to the custom script schema. It should have the entire script inside the scriptformat.json as a string value under the script field. Converting a multiline script into a string requires converting newlines into \\n. So curl is not a suitable choice for adding new script, jans-cli is a better option. 
curl -X POST \"https:///jans-config-api/api/v1/config/scripts\" -H \"Accept: application/json\" -H \"Authorization:Bearer \" -H \"Content-Type: application/json\" --data @/home/user/scriptformat.json Example: curl -X POST \"https://bank.gluu.org/jans-config-api/api/v1/config/scripts\" -H \"Accept: application/json\" -H \"Authorization:Bearer ad34ac-8f2d-4bec-aed3-343adasda2\" -H \"Content-Type: application/json\" --data @/home/user/scriptformat.json","title":"Managing scripts with CURL"},{"location":"openbanking/curl/#managing-scripts-with-curl","text":"","title":"Managing scripts with CURL"},{"location":"openbanking/curl/#curl-prerequisites","text":"Gluu open banking distribution client-id client-secret client certificate client key","title":"Curl Prerequisites"},{"location":"openbanking/curl/#getting-the-prerequisites","text":"Get a client id and its associated password. Here, we will use the client id and secret created for config-api. TESTCLIENT = $( kubectl get cm cn -n --template ={{ .data.jca_client_id }} ) TESTCLIENTSECRET = $( kubectl get secret cn -n --template ={{ .data.jca_client_pw }} | base64 -d ) client.crt and client.key are the certificate and key files respectively for MTLS. Use your ca.crt and ca.key that was provided during setup to generate as many client certificates and keys as needed. 
If you have an existing helm deployment, you can retrieve ca.crt and ca.key using the following commands: kubectl get secret cn -n --template ={{ .data.ssl_ca_cert }} | base64 -d > ca.crt kubectl get secret cn -n --template ={{ .data.ssl_ca_key }} | base64 -d > ca.key Generate client.crt and client.key files: openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Openbanking' openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt","title":"Getting the prerequisites"},{"location":"openbanking/curl/#curl-operations","text":"The curl commands to list, add, or update custom script require a token, so first call the token endpoint to get the token using: curl -u $TESTCLIENT : $TESTCLIENTSECRET https:///jans-auth/restv1/token -d \"grant_type=client_credentials&scope=https://jans.io/oauth/config/scripts.readonly\" --cert client.crt --key client.key Example: curl -u '1801.bdfae945-b31d-4d60-8e47-16518153215:rjHoLfjfsv2G2qzGEasd1651813aIXvCi61NU' https://bank.gluu.org/jans-auth/restv1/token -d \"grant_type=client_credentials&scope=https://jans.io/oauth/config/scripts.readonly\" --cert apr22.crt --key apr22.key { \"access_token\" : \"ad34ac-8f2d-4bec-aed3-343adasda2\" , \"scope\" : \"https://jans.io/oauth/config/scripts.readonly\" , \"token_type\" : \"bearer\" , \"expires_in\" :299 } Save the access_token for use in subsequent commands. 
Use different scope values as per the requirement: View scripts information: https://jans.io/oauth/config/scripts.readonly Manage scripts-related information: https://jans.io/oauth/config/scripts.write Delete scripts-related information: https://jans.io/oauth/config/scripts.delete Use the obtained access token to perform further operations on custom scripts as given in subsequent text: Use the following command to display details of all the available custom scripts: curl -X GET https:///jans-config-api/api/v1/config/scripts -H \"Accept: application/json\" -H \"Authorization:Bearer \" -H \"Content-Type: application/json\" Example: curl -X GET https://bank.gluu.org/jans-config-api/api/v1/config/scripts -H \"Accept: application/json\" -H \"Authorization:Bearer ad34ac-8f2d-4bec-aed3-343adasda2\" -H \"Content-Type: application/json\" The following command will add a new custom script (Obtain token with write scope) and if it is successful it will display the added script in JSON format. The scriptformat.json file has script details according to the custom script schema. It should have the entire script inside the scriptformat.json as a string value under the script field. Converting a multiline script into a string requires converting newlines into \\n. So curl is not a suitable choice for adding new script, jans-cli is a better option. curl -X POST \"https:///jans-config-api/api/v1/config/scripts\" -H \"Accept: application/json\" -H \"Authorization:Bearer \" -H \"Content-Type: application/json\" --data @/home/user/scriptformat.json Example: curl -X POST \"https://bank.gluu.org/jans-config-api/api/v1/config/scripts\" -H \"Accept: application/json\" -H \"Authorization:Bearer ad34ac-8f2d-4bec-aed3-343adasda2\" -H \"Content-Type: application/json\" --data @/home/user/scriptformat.json","title":"CURL operations"},{"location":"openbanking/install-cn/","text":"System Requirements # Use the listing below for a detailed estimation of the minimum required resources. 
The table contains the default resources recommendation per service. Depending on the use of each service the resources need may increase or decrease. Service CPU Unit RAM Disk Space Processor Type Required Auth-server 2.5 2.5GB N/A 64 Bit Yes config - job 0.5 0.5GB N/A 64 Bit Yes on fresh installs persistence - job 0.5 0.5GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if not ALB or Istio config-api 1 1GB N/A 64 Bit No Installation # Install using Helm(production-ready) # The below certificates and keys are needed to complete the installation. Certificate / key Description OB Issuing CA Used in nginx as a certificate authority OB Root CA Used in nginx as a certificate authority OB Signing CA Used in nginx as a certificate authority OB AS Transport key Used for mTLS. This will also be added to the JVM OB AS Transport crt Used for mTLS. This will also be added to the JVM OB AS signing crt Added to the JVM. Used in SSA Validation OB AS signing key Added to the JVM. Used in SSA Validation OB transport truststore Used in SSA Validation. Generated from OB Root CA nd Issuing CA Based on the provider/platform you're using, you can follow the docs to install your platform prerequistes, nginx-ingress, and the yaml changes needed in override.yaml based on the Gluu persistence choosed. To enable mTLS in ingress-nginx, add the following to your override.yaml : nginx-ingress : ingress : additionalAnnotations : nginx.ingress.kubernetes.io/auth-tls-verify-client : \"optional\" nginx.ingress.kubernetes.io/auth-tls-secret : \"gluu/tls-ob-ca-certificates\" nginx.ingress.kubernetes.io/auth-tls-verify-depth : \"1\" nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream : \"true\" Adding these annotations will enable client certificate authentication . 
Enable authServerProtectedToken and authServerProtectedRegister : global auth-server : ingress : authServerProtectedToken : true authServerProtectedRegister : true Enable HTTPS During fresh installation, the config-job checks if SSL certificates and keys are mounted as files. If no mounted files are found, it attempts to download SSL certificates from the FQDN supplied. If the download is successful, an empty key file is generated. If no mounted or downloaded files are found, it generates self-signed SSL certificates, CA certificates, and keys. certificates and keys of interest in https Notes web_https.crt (nginx) web server certificate. This is commonly referred to as server.crt web_https.key (nginx) web server key. This is commonly referred to as server.key web_https.csr (nginx) web server certificate signing request. This is commonly referred to as server.csr web_https_ca.crt Certificate authority certificate that signed/signs the web server certificate. web_https_ca.key Certificate authority key that signed/signs the web server certificate. Create a secret containing the OB CA certificates (issuing, root, and signing CAs) and the OB AS transport crt. For more information read here . 
cat web_https_ca.crt issuingca.crt rootca.crt signingca.crt >> ca.crt kubectl create secret generic tls-ob-ca-certificates -n gluu --from-file = tls.crt = web_https.crt --from-file = tls.key = web_https.key --from-file = ca.crt = ca.crt If you have an existing helm deployment, those secrets can be retrieved and then create using the following commands: kubectl get secret cn -n gluu --template ={{ .data.ssl_ca_cert }} | base64 -d > ca.crt kubectl get secret cn -n gluu --template ={{ .data.ssl_cert }} | base64 -d > server.crt kubectl get secret cn -n gluu --template ={{ .data.ssl_key }} | base64 -d > server.key kubectl create secret generic ca-secret -n gluu --from-file = tls.crt = server.crt --from-file = tls.key = server.key --from-file = ca.crt = ca.crt Inject OBIE signed certs, keys and uri: When using OBIE signed certificates and keys, there are many objects that can be injected. The certificate signing pem file i.e obsigning.pem , the signing key i.e obsigning-oajsdij8927123.key , the certificate transport pem file i.e obtransport.pem , the transport key i.e obtransport-sdfe4234234.key , the transport truststore p12 i.e ob-transport-truststore.p12 , and the jwks uri https://mykeystore.openbanking.wow/xxxxx/xxxxx.jwks . base64 encrypt all .pem and .key files. cat obsigning.pem | base64 | tr -d '\\n' > obsigningbase64.pem cat obsigning-oajsdij8927123.key | base64 | tr -d '\\n' > obsigningbase64.key cat obtransport.pem | base64 | tr -d '\\n' > obtransportbase64.pem cat obtransport-sdfe4234234.key | base64 | tr -d '\\n' > obtransportbase64.key Generate your transport truststore or convert it to .p12 format. 
Please name it as ob-transport-truststore.p12 cat obissuingca.pem obrootca.pem obsigningca.pem > transport-truststore.crt keytool -importcert -file transport-truststore.crt -keystore ob-transport-truststore.p12 -alias obkeystore base64 encrypt the ob-transport-truststore.p12 cat ob-transport-truststore.p12 | base64 | tr -d '\\n' > obtransporttruststorebase64.pem Add the kid as the alias for the JKS used for the OB AS external signing crt. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G. This kid value should exist inside the jwks uri endpoint. Add those values to override.yaml : global : # -- Open banking external signing jwks uri. Used in SSA Validation. cnObExtSigningJwksUri : \"\" # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. cnObExtSigningJwksCrt : # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. cnObExtSigningJwksKey : # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. cnObExtSigningJwksKeyPassPhrase : # -- Open banking external signing AS Alias. This is a kid value. Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G cnObExtSigningAlias : # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G cnObStaticSigningKeyKid : # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. cnObTransportCrt : # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. cnObTransportKey : # -- Open banking AS transport key passphrase to unlock AS transport key. 
This must be encoded using base64. cnObTransportKeyPassPhrase : # -- Open banking transport Alias used inside the JVM. cnObTransportAlias : \"\" # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. cnObTransportTrustStore : Please note that the password for the keystores created can be fetched by executing the following command: kubectl get secret cn -n gluu --template={{.data.auth_openid_jks_pass}} | base64 -d The above password is needed in custom scripts such as the Client Registration script After finishing all the tweaks to the override.yaml file, run helm install or helm upgrade if Gluu is already installed helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml Install on microK8s(development/testing) # On your Ubuntu VM, run the following commands: sudo su - wget https://raw.githubusercontent.com/GluuFederation/flex/main/automation/startopenabankingdemo.sh && chmod u+x startopenabankingdemo.sh && ./startopenabankingdemo.sh Running this script will install the Gluu Open Banking Platform with mTLS enabled along with the mysql backend as a persistence. After running the script, you can go ahead and test the setup . Testing the setup # After successful installation, you can access and test the Gluu Open Banking Platform using either curl or Jans-CLI . Changing the signing key kid for the AS dynamically # Get a client id and its associated password. We will use the jans-config-api client id and secret TESTCLIENT = $( kubectl get cm cn -n gluu --template ={{ .data.jca_client_id }} ) TESTCLIENTSECRET = $( kubectl get secret cn -n gluu --template ={{ .data.jca_client_pw }} | base64 -d ) Get a token. 
To pass mTLS, we will use client.crt and client.key: curl -k -u $TESTCLIENT : $TESTCLIENTSECRET https:///jans-auth/restv1/token -d \"grant_type=client_credentials&scope=https://jans.io/oauth/jans-auth-server/config/properties.write\" --cert client.crt --key client.key Add the entry staticKid to force the AS to use a specific signing key. Please modify XhCYDfFM7UFXHfykNaLk1aLCnZM to the kid to be used: curl -k -X PATCH \"https:///jans-config-api/api/v1/jans-auth-server/config\" -H \"accept: application/json\" -H \"Content-Type: application/json-patch+json\" -H \"Authorization:Bearer 170e8412-1d55-4b19-ssss-8fcdeaafb954\" -d \"[{\\\"op\\\":\\\"add\\\",\\\"path\\\":\\\"/staticKid\\\",\\\"value\\\":\\\"XhCYDfFM7UFXHfykNaLk1aLCnZM\\\"}]\" Perform a rolling restart for the auth-server and config-api deployments. kubectl rollout restart deployment -auth-server -n gluu kubectl rollout restart deployment -config-api -n gluu Adding custom scopes upon installation # Download the original scopes file wget https://raw.githubusercontent.com/JanssenProject/docker-jans-persistence-loader/master/templates/scopes.ob.ldif Add to the file the custom scopes desired. Create a configmap with the scopes file kubectl create cm custom-scopes -n gluu --from-file=scopes.ob.ldif Mount the configmap in your override.yaml under persistence.volumes and persistence.volumeMounts persistence : volumes : - name : custom-scopes configMap : name : custom-scopes volumeMounts : - name : custom-scopes mountPath : \"/app/templates/scopes.ob.ldif\" subPath : scopes.ob.ldif Run helm install or helm upgrade if Gluu has already been installed.","title":"Cloud-Native"},{"location":"openbanking/install-cn/#system-requirements","text":"Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may increase or decrease. 
Service CPU Unit RAM Disk Space Processor Type Required Auth-server 2.5 2.5GB N/A 64 Bit Yes config - job 0.5 0.5GB N/A 64 Bit Yes on fresh installs persistence - job 0.5 0.5GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if not ALB or Istio config-api 1 1GB N/A 64 Bit No","title":"System Requirements"},{"location":"openbanking/install-cn/#installation","text":"","title":"Installation"},{"location":"openbanking/install-cn/#install-using-helmproduction-ready","text":"The below certificates and keys are needed to complete the installation. Certificate / key Description OB Issuing CA Used in nginx as a certificate authority OB Root CA Used in nginx as a certificate authority OB Signing CA Used in nginx as a certificate authority OB AS Transport key Used for mTLS. This will also be added to the JVM OB AS Transport crt Used for mTLS. This will also be added to the JVM OB AS signing crt Added to the JVM. Used in SSA Validation OB AS signing key Added to the JVM. Used in SSA Validation OB transport truststore Used in SSA Validation. Generated from OB Root CA nd Issuing CA Based on the provider/platform you're using, you can follow the docs to install your platform prerequistes, nginx-ingress, and the yaml changes needed in override.yaml based on the Gluu persistence choosed. To enable mTLS in ingress-nginx, add the following to your override.yaml : nginx-ingress : ingress : additionalAnnotations : nginx.ingress.kubernetes.io/auth-tls-verify-client : \"optional\" nginx.ingress.kubernetes.io/auth-tls-secret : \"gluu/tls-ob-ca-certificates\" nginx.ingress.kubernetes.io/auth-tls-verify-depth : \"1\" nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream : \"true\" Adding these annotations will enable client certificate authentication . 
Enable authServerProtectedToken and authServerProtectedRegister : global auth-server : ingress : authServerProtectedToken : true authServerProtectedRegister : true Enable HTTPS During fresh installation, the config-job checks if SSL certificates and keys are mounted as files. If no mounted files are found, it attempts to download SSL certificates from the FQDN supplied. If the download is successful, an empty key file is generated. If no mounted or downloaded files are found, it generates self-signed SSL certificates, CA certificates, and keys. certificates and keys of interest in https Notes web_https.crt (nginx) web server certificate. This is commonly referred to as server.crt web_https.key (nginx) web server key. This is commonly referred to as server.key web_https.csr (nginx) web server certificate signing request. This is commonly referred to as server.csr web_https_ca.crt Certificate authority certificate that signed/signs the web server certificate. web_https_ca.key Certificate authority key that signed/signs the web server certificate. Create a secret containing the OB CA certificates (issuing, root, and signing CAs) and the OB AS transport crt. For more information read here . 
cat web_https_ca.crt issuingca.crt rootca.crt signingca.crt >> ca.crt kubectl create secret generic tls-ob-ca-certificates -n gluu --from-file = tls.crt = web_https.crt --from-file = tls.key = web_https.key --from-file = ca.crt = ca.crt If you have an existing helm deployment, those secrets can be retrieved and then create using the following commands: kubectl get secret cn -n gluu --template ={{ .data.ssl_ca_cert }} | base64 -d > ca.crt kubectl get secret cn -n gluu --template ={{ .data.ssl_cert }} | base64 -d > server.crt kubectl get secret cn -n gluu --template ={{ .data.ssl_key }} | base64 -d > server.key kubectl create secret generic ca-secret -n gluu --from-file = tls.crt = server.crt --from-file = tls.key = server.key --from-file = ca.crt = ca.crt Inject OBIE signed certs, keys and uri: When using OBIE signed certificates and keys, there are many objects that can be injected. The certificate signing pem file i.e obsigning.pem , the signing key i.e obsigning-oajsdij8927123.key , the certificate transport pem file i.e obtransport.pem , the transport key i.e obtransport-sdfe4234234.key , the transport truststore p12 i.e ob-transport-truststore.p12 , and the jwks uri https://mykeystore.openbanking.wow/xxxxx/xxxxx.jwks . base64 encrypt all .pem and .key files. cat obsigning.pem | base64 | tr -d '\\n' > obsigningbase64.pem cat obsigning-oajsdij8927123.key | base64 | tr -d '\\n' > obsigningbase64.key cat obtransport.pem | base64 | tr -d '\\n' > obtransportbase64.pem cat obtransport-sdfe4234234.key | base64 | tr -d '\\n' > obtransportbase64.key Generate your transport truststore or convert it to .p12 format. 
Please name it as ob-transport-truststore.p12 cat obissuingca.pem obrootca.pem obsigningca.pem > transport-truststore.crt keytool -importcert -file transport-truststore.crt -keystore ob-transport-truststore.p12 -alias obkeystore base64 encrypt the ob-transport-truststore.p12 cat ob-transport-truststore.p12 | base64 | tr -d '\\n' > obtransporttruststorebase64.pem Add the kid as the alias for the JKS used for the OB AS external signing crt. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G. This kid value should exist inside the jwks uri endpoint. Add those values to override.yaml : global : # -- Open banking external signing jwks uri. Used in SSA Validation. cnObExtSigningJwksUri : \"\" # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. cnObExtSigningJwksCrt : # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. cnObExtSigningJwksKey : # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. cnObExtSigningJwksKeyPassPhrase : # -- Open banking external signing AS Alias. This is a kid value. Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G cnObExtSigningAlias : # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G cnObStaticSigningKeyKid : # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. cnObTransportCrt : # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. cnObTransportKey : # -- Open banking AS transport key passphrase to unlock AS transport key. 
This must be encoded using base64. cnObTransportKeyPassPhrase : # -- Open banking transport Alias used inside the JVM. cnObTransportAlias : \"\" # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. cnObTransportTrustStore : Please note that the password for the keystores created can be fetched by executing the following command: kubectl get secret cn -n gluu --template={{.data.auth_openid_jks_pass}} | base64 -d The above password is needed in custom scripts such as the Client Registration script After finishing all the tweaks to the override.yaml file, run helm install or helm upgrade if Gluu is already installed helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml","title":"Install using Helm(production-ready)"},{"location":"openbanking/install-cn/#install-on-microk8sdevelopmenttesting","text":"On your Ubuntu VM, run the following commands: sudo su - wget https://raw.githubusercontent.com/GluuFederation/flex/main/automation/startopenabankingdemo.sh && chmod u+x startopenabankingdemo.sh && ./startopenabankingdemo.sh Running this script will install the Gluu Open Banking Platform with mTLS enabled along with the mysql backend as a persistence. After running the script, you can go ahead and test the setup .","title":"Install on microK8s(development/testing)"},{"location":"openbanking/install-cn/#testing-the-setup","text":"After successful installation, you can access and test the Gluu Open Banking Platform using either curl or Jans-CLI .","title":"Testing the setup"},{"location":"openbanking/install-cn/#changing-the-signing-key-kid-for-the-as-dynamically","text":"Get a client id and its associated password. 
We will use the jans-config-api client id and secret TESTCLIENT = $( kubectl get cm cn -n gluu --template ={{ .data.jca_client_id }} ) TESTCLIENTSECRET = $( kubectl get secret cn -n gluu --template ={{ .data.jca_client_pw }} | base64 -d ) Get a token. To pass mTLS, we will use client.crt and client.key: curl -k -u $TESTCLIENT : $TESTCLIENTSECRET https:///jans-auth/restv1/token -d \"grant_type=client_credentials&scope=https://jans.io/oauth/jans-auth-server/config/properties.write\" --cert client.crt --key client.key Add the entry staticKid to force the AS to use a specific signing key. Please modify XhCYDfFM7UFXHfykNaLk1aLCnZM to the kid to be used: curl -k -X PATCH \"https:///jans-config-api/api/v1/jans-auth-server/config\" -H \"accept: application/json\" -H \"Content-Type: application/json-patch+json\" -H \"Authorization:Bearer 170e8412-1d55-4b19-ssss-8fcdeaafb954\" -d \"[{\\\"op\\\":\\\"add\\\",\\\"path\\\":\\\"/staticKid\\\",\\\"value\\\":\\\"XhCYDfFM7UFXHfykNaLk1aLCnZM\\\"}]\" Perform a rolling restart for the auth-server and config-api deployments. kubectl rollout restart deployment -auth-server -n gluu kubectl rollout restart deployment -config-api -n gluu","title":"Changing the signing key kid for the AS dynamically"},{"location":"openbanking/install-cn/#adding-custom-scopes-upon-installation","text":"Download the original scopes file wget https://raw.githubusercontent.com/JanssenProject/docker-jans-persistence-loader/master/templates/scopes.ob.ldif Add to the file the custom scopes desired. 
Create a configmap with the scopes file kubectl create cm custom-scopes -n gluu --from-file=scopes.ob.ldif Mount the configmap in your override.yaml under persistence.volumes and persistence.volumeMounts persistence : volumes : - name : custom-scopes configMap : name : custom-scopes volumeMounts : - name : custom-scopes mountPath : \"/app/templates/scopes.ob.ldif\" subPath : scopes.ob.ldif Run helm install or helm upgrade if Gluu has already been installed.","title":"Adding custom scopes upon installation"},{"location":"openbanking/install-vm/","text":"VM Based Distribution # This section covers details on installing Gluu Openbanking Indentity Platform 1.0 in a VM. We recommend the Cloud Native Distribution for production environment. However, for development and testing VM distribution will be easier. VM Preparation # Prepare a VM with the following minimum specs: 4 GB RAM 2 GB swap space 2 CPU units 50 GB disk space The VM must have a static IP address and a resolvable hostname. A fully qualified domain name (FQDN) is required for production deployments. The Gluu Open Banking Identity Platform can be installed on main Linux distributions. Installation # Download the installer ( install.py ) wget https://raw.githubusercontent.com/JanssenProject/jans/main/jans-linux-setup/jans_setup/install.py Execute the installer: sudo python3 install.py --profile openbanking The installation script will install required tools, programs, packages and then it will prompt the user for setup instructions. Answer the following questions: Certificate Generation Setup # Prompt Description Enter IP Address The IP address for the VM. Use an IP address assigned to one of this server's network interfaces (usage of addresses assigned to loopback interfaces is not supported) Enter Hostname The hostname for the VM. Recommended to be a FQDN Enter your city or locality Used to generate X.509 certificates. Enter your state or province two letter code Used to generate X.509 certificates. 
Enter two letter Country Code Used to generate X.509 certificates. Enter Organization Name Used to generate X.509 certificates. Enter email address for support at your organization Used to generate X.509 certificates. Architecture Setup # Prompt Description Enter maximum RAM for applications in MB Maximum RAM Size in MB RDBM Type Backend type. Currently only MySQL is supported Use remote RDBM Select if connecting to an external MySQL server Enter Openbanking static kid The fallback key when key is not passed in requests (as required by Openbanking) Use external key If yes, link to an external Open Banking key file Before the last question installer process will display the selected choices and confirm to proceed. Prompt Description Proceed with these values [Y/n] Confirmation before setting up the services. Uninstalling Janssen Server # Execute the installation script with the -uninstall argument. MTLS Configuration # For MTLS, OBIE-issued (for openbanking UK) certificates and keys should be used. The following discussion assumes that the file ca.crt has a CA certificate and ca.key has a CA private key. 
Following command generates self-signed ca.crt and ca.key: openssl req -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -outform PEM -out ca.crt The following set of commands is an example of how to create the server\u2019s private key ( server.key ), Certificate Signing Request (CSR) ( server.csr ) and certificate ( server.crt) : openssl genrsa -out server.key 2048 openssl req -new -key server.key -out server.csr openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 100 -days 365 -outform PEM -out server.crt Now, store the server key ( server.key ) and certificate ( server.crt ) file in some location (preferably inside /etc/certs ) and set its path in the apache .conf file ( /etc/apache2/sites-enabled/https_jans.conf ) with SSLCertificateFile and SSLCertificateKeyFile directives: SSLCertificateFile /etc/certs/bankgluu/server.crt SSLCertificateKeyFile /etc/certs/bankgluu/server.key The path of CA certificate file should be set to SSLCACertificateFile directive as: SSLCACertificateFile /etc/apache2/certs/matls.pem The following commands will create client\u2019s private key ( client.key ), CSR ( client.csr ) and certificate ( client.crt ): openssl genrsa -out client.key 2048 openssl req -new -key client.key -out client.csr openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 101 -days 365 -outform PEM -out client.crt The following command will create a client certification chain (private key, public certificate and ca certificate) into the file client.pem : cat client.key client.crt ca.crt >client.pem Use this pem file to create JWKs for the clients (if required). To create a JWK, you can use a free utility published at https://mkjwk.org . Or you can download the command-line tool from GitHub . There are numerous other online PEM-to-JWKS tools available like JWKConvertFunctions . We may need to add/update some data in these generated JWKs. 
Note It is important to give different values of the Common Name field (\u201cCommon Name (e.g. server FQDN or YOUR name) []\u201d) for the CA, Server and clients. Other fields may have common values but the same values for Common Name of all certificates result in certificate verification failing at runtime. Importing the CA certificate in JVM truststore and signing, encryption keys into auth-Server keystore: # The command line utility keytool is installed with JDK, it can be used to import the CA certificate in JVM truststore (/opt/jre/lib/security/cacerts) and signing,encryption keys into the jans-auth server\u2019s keystore(/etc/certs/jans-auth-keys.jks). ./keytool -importcert -file /path/to/file/filename.cer -keystore /etc/certs/jans-auth-keys.jks -alias yourkeystore ./keytool -importkeystore -srckeystore /path/to/file/filename.jks -srcstoretype JKS -destkeystore /opt/jre/lib/security/cacerts -deststoretype JKS Accessing the Platform # After successful installation, access the Gluu Open Banking Platform using either jans-cli or curl .","title":"VM (only recommended for development/testing)"},{"location":"openbanking/install-vm/#vm-based-distribution","text":"This section covers details on installing Gluu Openbanking Indentity Platform 1.0 in a VM. We recommend the Cloud Native Distribution for production environment. However, for development and testing VM distribution will be easier.","title":"VM Based Distribution"},{"location":"openbanking/install-vm/#vm-preparation","text":"Prepare a VM with the following minimum specs: 4 GB RAM 2 GB swap space 2 CPU units 50 GB disk space The VM must have a static IP address and a resolvable hostname. A fully qualified domain name (FQDN) is required for production deployments. 
The Gluu Open Banking Identity Platform can be installed on main Linux distributions.","title":"VM Preparation"},{"location":"openbanking/install-vm/#installation","text":"Download the installer ( install.py ) wget https://raw.githubusercontent.com/JanssenProject/jans/main/jans-linux-setup/jans_setup/install.py Execute the installer: sudo python3 install.py --profile openbanking The installation script will install required tools, programs, packages and then it will prompt the user for setup instructions. Answer the following questions:","title":"Installation"},{"location":"openbanking/install-vm/#certificate-generation-setup","text":"Prompt Description Enter IP Address The IP address for the VM. Use an IP address assigned to one of this server's network interfaces (usage of addresses assigned to loopback interfaces is not supported) Enter Hostname The hostname for the VM. Recommended to be a FQDN Enter your city or locality Used to generate X.509 certificates. Enter your state or province two letter code Used to generate X.509 certificates. Enter two letter Country Code Used to generate X.509 certificates. Enter Organization Name Used to generate X.509 certificates. Enter email address for support at your organization Used to generate X.509 certificates.","title":"Certificate Generation Setup"},{"location":"openbanking/install-vm/#architecture-setup","text":"Prompt Description Enter maximum RAM for applications in MB Maximum RAM Size in MB RDBM Type Backend type. Currently only MySQL is supported Use remote RDBM Select if connecting to an external MySQL server Enter Openbanking static kid The fallback key when key is not passed in requests (as required by Openbanking) Use external key If yes, link to an external Open Banking key file Before the last question installer process will display the selected choices and confirm to proceed. 
Prompt Description Proceed with these values [Y/n] Confirmation before setting up the services.","title":"Architecture Setup"},{"location":"openbanking/install-vm/#uninstalling-janssen-server","text":"Execute the installation script with the -uninstall argument.","title":"Uninstalling Janssen Server"},{"location":"openbanking/install-vm/#mtls-configuration","text":"For MTLS, OBIE-issued (for openbanking UK) certificates and keys should be used. The following discussion assumes that the file ca.crt has a CA certificate and ca.key has a CA private key. Following command generates self-signed ca.crt and ca.key: openssl req -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -outform PEM -out ca.crt The following set of commands is an example of how to create the server\u2019s private key ( server.key ), Certificate Signing Request (CSR) ( server.csr ) and certificate ( server.crt) : openssl genrsa -out server.key 2048 openssl req -new -key server.key -out server.csr openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 100 -days 365 -outform PEM -out server.crt Now, store the server key ( server.key ) and certificate ( server.crt ) file in some location (preferably inside /etc/certs ) and set its path in the apache .conf file ( /etc/apache2/sites-enabled/https_jans.conf ) with SSLCertificateFile and SSLCertificateKeyFile directives: SSLCertificateFile /etc/certs/bankgluu/server.crt SSLCertificateKeyFile /etc/certs/bankgluu/server.key The path of CA certificate file should be set to SSLCACertificateFile directive as: SSLCACertificateFile /etc/apache2/certs/matls.pem The following commands will create client\u2019s private key ( client.key ), CSR ( client.csr ) and certificate ( client.crt ): openssl genrsa -out client.key 2048 openssl req -new -key client.key -out client.csr openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 101 -days 365 -outform PEM -out client.crt The following command will create a client 
certification chain (private key, public certificate and ca certificate) into the file client.pem : cat client.key client.crt ca.crt >client.pem Use this pem file to create JWKs for the clients (if required). To create a JWK, you can use a free utility published at https://mkjwk.org . Or you can download the command-line tool from GitHub . There are numerous other online PEM-to-JWKS tools available like JWKConvertFunctions . We may need to add/update some data in these generated JWKs. Note It is important to give different values of the Common Name field (\u201cCommon Name (e.g. server FQDN or YOUR name) []\u201d) for the CA, Server and clients. Other fields may have common values but the same values for Common Name of all certificates result in certificate verification failing at runtime.","title":"MTLS Configuration"},{"location":"openbanking/install-vm/#importing-the-ca-certificate-in-jvm-truststore-and-signing-encryption-keys-into-auth-server-keystore","text":"The command line utility keytool is installed with JDK, it can be used to import the CA certificate in JVM truststore (/opt/jre/lib/security/cacerts) and signing,encryption keys into the jans-auth server\u2019s keystore(/etc/certs/jans-auth-keys.jks). 
./keytool -importcert -file /path/to/file/filename.cer -keystore /etc/certs/jans-auth-keys.jks -alias yourkeystore ./keytool -importkeystore -srckeystore /path/to/file/filename.jks -srcstoretype JKS -destkeystore /opt/jre/lib/security/cacerts -deststoretype JKS","title":"Importing the CA certificate in JVM truststore and signing, encryption keys into auth-Server keystore:"},{"location":"openbanking/install-vm/#accessing-the-platform","text":"After successful installation, access the Gluu Open Banking Platform using either jans-cli or curl .","title":"Accessing the Platform"},{"location":"openbanking/jans-cli/","text":"Introduction # Jans-cli is a command line interface to configure the Janssen software and it supports both interactive and command-line options for configuration. Jans-cli calls the Jans-Config-API to perform various operations. During Janssen installation, the installer creates a client to use Jans Config API. Jans-cli uses this client to call Jans Config API. Supported Operations # Jans-cli supports the following six operations on custom scripts: get-config-scripts : gets a list of custom scripts. post-config-scripts : adds a new custom script. put-config-scripts : updates a custom script. get-config-scripts-by-type : requires an argument --url-suffix TYPE: <> . You can specify the following types: PERSON_AUTHENTICATION , INTROSPECTION , RESOURCE_OWNER_PASSWORD_CREDENTIALS , APPLICATION_SESSION , CACHE_REFRESH , UPDATE_USER , USER_REGISTRATION , CLIENT_REGISTRATION , ID_GENERATOR , UMA_RPT_POLICY , UMA_RPT_CLAIMS , UMA_CLAIMS_GATHERING , CONSENT_GATHERING , DYNAMIC_SCOPE , SPONTANEOUS_SCOPE , END_SESSION , POST_AUTHN , SCIM , CIBA_END_USER_NOTIFICATION , PERSISTENCE_EXTENSION , IDP , or UPDATE_TOKEN . get-config-scripts-by-inum : requires an argument --url-suffix inum: <> delete-config-scripts-by-inum : requires an argument --url-suffix inum: <> Using jans-cli # Download jans-cli.pyz . This package can be built manually too. 
Get a client id and its associated password. Here, we will use the client id and secret created for config-api. TESTCLIENT = $( kubectl get cm cn -n --template ={{ .data.jca_client_id }} ) TESTCLIENTSECRET = $( kubectl get secret cn -n --template ={{ .data.jca_client_pw }} | base64 -d ) client.crt and client.key are the certificate and key files respectively for MTLS. We need to pass this certificate, key as the token endpoint is under MTLS and jans-cli obtains an appropriate token before performing the operation. Use your ca.crt and ca.key that was provided during setup to generate as many client certificates and keys for operating jans-cli as needed. If you have an existing helm deployment, you can retrieve ca.crt and ca.key using the following commands: kubectl get secret cn -n --template ={{ .data.ssl_ca_cert }} | base64 -d > ca.crt kubectl get secret cn -n --template ={{ .data.ssl_ca_key }} | base64 -d > ca.key Generate client.crt and client.key files: openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Openbanking' openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt Run the jans-cli in interactive mode and try it out: python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --CC client.crt --CK client.key Examples # The post-config-scripts and put-config-scripts require various details about the scripts. The following command gives the basic schema of the custom scripts to pass to these operations. 
python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --schema /components/schemas/CustomScript The output of the above command will be similar as: { \"dn\" : null , \"inum\" : null , \"name\" : \"string\" , \"aliases\" : [], \"description\" : null , \"script\" : \"string\" , \"scriptType\" : \"IDP\" , \"programmingLanguage\" : \"PYTHON\" , \"moduleProperties\" : { \"value1\" : null , \"value2\" : null , \"description\" : null }, \"configurationProperties\" : { \"value1\" : null , \"value2\" : null , \"description\" : null , \"hide\" : true }, \"level\" : \"integer\" , \"revision\" : 0 , \"enabled\" : false , \"scriptError\" : { \"raisedAt\" : null , \"stackTrace\" : null }, \"modified\" : false , \"internal\" : false } To add or modify a script first, we need to create the script's python file (e.g. /tmp/sample.py) and then create a JSON file by following the above schema and update the fields as : /tmp/sample.json { \"name\" : \"mySampleScript\" , \"aliases\" : null , \"description\" : \"This is a sample script\" , \"script\" : \"_file /tmp/sample.py\" , \"scriptType\" : \"PERSON_AUTHENTICATION\" , \"programmingLanguage\" : \"PYTHON\" , \"moduleProperties\" : [ { \"value1\" : \"mayvalue1\" , \"value2\" : \"myvalues2\" , \"description\" : \"description for property\" } ], \"configurationProperties\" : null , \"level\" : 1 , \"revision\" : 0 , \"enabled\" : false , \"scriptError\" : null , \"modified\" : false , \"internal\" : false } Add a new custom script, update and delete existing custom script # The following command will add a new script with details given in /tmp/sampleadd.json file. The jans-cli will generate a unique inum of this new script if we skip inum in the json file. 
python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id post-config-scripts --data /tmp/sampleadd.json \\ --CC client.crt --CK client.key The following command will modify/update the existing script with details given in /tmp/samplemodify.json file. Remember to set inum field in samplemodify.json to the inum of the script to update. python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id put-config-scripts --data /tmp/samplemodify.json \\ --CC client.crt --CK client.key To delete a custom script by its inum, use the following command: python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id delete-config-scripts-by-inum --url-suffix inum:HKM-TEST \\ --CC client.crt --CK client.key Print details of existing custom scripts # These commands to print the details are important, as using them we can get the inum of these scripts which is required to perform update or delete operations. The following command will display the details of all the existing custom scripts. This will be helpful to get the inum of scripts to perform the update and delete operation. python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id get-config-scripts --CC client.crt --CK client.key The following command displays the details of selected custom script (by inum). python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id get-config-scripts-by-inum --url-suffix inum:_____ \\ --CC client.crt --CK client.key Use the following command to display the details of existing custom scripts of a given type (for example: INTROSPECTION). 
python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id get-config-scripts-by-type --url-suffix type:INTROSPECTION \\ --CC client.crt --CK client.key","title":"Managing Scripts with the jans-cli"},{"location":"openbanking/jans-cli/#introduction","text":"Jans-cli is a command line interface to configure the Janssen software and it supports both interactive and command-line options for configuration. Jans-cli calls the Jans-Config-API to perform various operations. During Janssen installation, the installer creates a client to use Jans Config API. Jans-cli uses this client to call Jans Config API.","title":"Introduction"},{"location":"openbanking/jans-cli/#supported-operations","text":"Jans-cli supports the following six operations on custom scripts: get-config-scripts : gets a list of custom scripts. post-config-scripts : adds a new custom script. put-config-scripts : updates a custom script. get-config-scripts-by-type : requires an argument --url-suffix TYPE: <> . You can specify the following types: PERSON_AUTHENTICATION , INTROSPECTION , RESOURCE_OWNER_PASSWORD_CREDENTIALS , APPLICATION_SESSION , CACHE_REFRESH , UPDATE_USER , USER_REGISTRATION , CLIENT_REGISTRATION , ID_GENERATOR , UMA_RPT_POLICY , UMA_RPT_CLAIMS , UMA_CLAIMS_GATHERING , CONSENT_GATHERING , DYNAMIC_SCOPE , SPONTANEOUS_SCOPE , END_SESSION , POST_AUTHN , SCIM , CIBA_END_USER_NOTIFICATION , PERSISTENCE_EXTENSION , IDP , or UPDATE_TOKEN . get-config-scripts-by-inum : requires an argument --url-suffix inum: <> delete-config-scripts-by-inum : requires an argument --url-suffix inum: <>","title":"Supported Operations"},{"location":"openbanking/jans-cli/#using-jans-cli","text":"Download jans-cli.pyz . This package can be built manually too. Get a client id and its associated password. Here, we will use the client id and secret created for config-api. 
TESTCLIENT = $( kubectl get cm cn -n --template ={{ .data.jca_client_id }} ) TESTCLIENTSECRET = $( kubectl get secret cn -n --template ={{ .data.jca_client_pw }} | base64 -d ) client.crt and client.key are the certificate and key files respectively for MTLS. We need to pass this certificate, key as the token endpoint is under MTLS and jans-cli obtains an appropriate token before performing the operation. Use your ca.crt and ca.key that was provided during setup to generate as many client certificates and keys for operating jans-cli as needed. If you have an existing helm deployment, you can retrieve ca.crt and ca.key using the following commands: kubectl get secret cn -n --template ={{ .data.ssl_ca_cert }} | base64 -d > ca.crt kubectl get secret cn -n --template ={{ .data.ssl_ca_key }} | base64 -d > ca.key Generate client.crt and client.key files: openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Openbanking' openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt Run the jans-cli in interactive mode and try it out: python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --CC client.crt --CK client.key","title":"Using jans-cli"},{"location":"openbanking/jans-cli/#examples","text":"The post-config-scripts and put-config-scripts require various details about the scripts. The following command gives the basic schema of the custom scripts to pass to these operations. 
python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --schema /components/schemas/CustomScript The output of the above command will be similar as: { \"dn\" : null , \"inum\" : null , \"name\" : \"string\" , \"aliases\" : [], \"description\" : null , \"script\" : \"string\" , \"scriptType\" : \"IDP\" , \"programmingLanguage\" : \"PYTHON\" , \"moduleProperties\" : { \"value1\" : null , \"value2\" : null , \"description\" : null }, \"configurationProperties\" : { \"value1\" : null , \"value2\" : null , \"description\" : null , \"hide\" : true }, \"level\" : \"integer\" , \"revision\" : 0 , \"enabled\" : false , \"scriptError\" : { \"raisedAt\" : null , \"stackTrace\" : null }, \"modified\" : false , \"internal\" : false } To add or modify a script first, we need to create the script's python file (e.g. /tmp/sample.py) and then create a JSON file by following the above schema and update the fields as : /tmp/sample.json { \"name\" : \"mySampleScript\" , \"aliases\" : null , \"description\" : \"This is a sample script\" , \"script\" : \"_file /tmp/sample.py\" , \"scriptType\" : \"PERSON_AUTHENTICATION\" , \"programmingLanguage\" : \"PYTHON\" , \"moduleProperties\" : [ { \"value1\" : \"mayvalue1\" , \"value2\" : \"myvalues2\" , \"description\" : \"description for property\" } ], \"configurationProperties\" : null , \"level\" : 1 , \"revision\" : 0 , \"enabled\" : false , \"scriptError\" : null , \"modified\" : false , \"internal\" : false }","title":"Examples"},{"location":"openbanking/jans-cli/#add-a-new-custom-script-update-and-delete-existing-custom-script","text":"The following command will add a new script with details given in /tmp/sampleadd.json file. The jans-cli will generate a unique inum of this new script if we skip inum in the json file. 
python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id post-config-scripts --data /tmp/sampleadd.json \\ --CC client.crt --CK client.key The following command will modify/update the existing script with details given in /tmp/samplemodify.json file. Remember to set inum field in samplemodify.json to the inum of the script to update. python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id put-config-scripts --data /tmp/samplemodify.json \\ --CC client.crt --CK client.key To delete a custom script by its inum, use the following command: python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id delete-config-scripts-by-inum --url-suffix inum:HKM-TEST \\ --CC client.crt --CK client.key","title":"Add a new custom script, update and delete existing custom script"},{"location":"openbanking/jans-cli/#print-details-of-existing-custom-scripts","text":"These commands to print the details are important, as using them we can get the inum of these scripts which is required to perform update or delete operations. The following command will display the details of all the existing custom scripts. This will be helpful to get the inum of scripts to perform the update and delete operation. python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id get-config-scripts --CC client.crt --CK client.key The following command displays the details of selected custom script (by inum). python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id get-config-scripts-by-inum --url-suffix inum:_____ \\ --CC client.crt --CK client.key Use the following command to display the details of existing custom scripts of a given type (for example: INTROSPECTION). 
python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id get-config-scripts-by-type --url-suffix type:INTROSPECTION \\ --CC client.crt --CK client.key","title":"Print details of existing custom scripts"},{"location":"openbanking/par-jarm/","text":"Pushed Authorization Requests(PAR) and JWT Secured Authorization Response Mode(JARM) # This section covers details of two important features required by the open banking ecosystem. The latest Gluu Open Banking Identity Platform supports PAR and JARM specifications. These two features are bundled in the installation so when you install the Gluu Open Banking Identity Platform the Authorization Server(AS) will support these features by default. The older/existing installation may require updating the WAR/ image. Moreover, these features are also FAPI certified for Brazil Open Banking (Based on FAPI 1 Advanced Final) . Pushed Authorization Requests-PAR: # PAR are handled by an additional endpoint of Authorization Server (AS). Clients POST their authorization parameters to this endpoint, in return the clients gets a reference (named as request URI value) that will be used in further authorization requests by the client. PAR enables the OAuth clients to push the payload of an authorization request directly to the authorization server in exchange for a request URI value. This request URI value is used as a reference to the authorization request payload data in a subsequent call to the authorization endpoint. We can set different PAR lifetimes for different clients . PAR lifetime will be 600 seconds if it is unspecified . We have two new configuration properties for PAR: * parEndpoint - String , corresponds to pushed_authorization_request_endpoint as defined by specification . * requirePar - Boolean parameter indicating whether the only means of initiating an authorization request the client is allowed to use is a pushed authorization request . 
If omitted , the default value is \"false\" . Moreover, there is a new client configuration: * parLifetime: An integer parameter representing the lifetime (in seconds) of the pushed authorization request. JWT Secured Authorization Response Mode-JARM # This is a new JWT-based response mode to encode authorization responses known as JARM, (see Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 ). Here clients are enabled to request the transmission of the authorization response parameters along with additional data in JWT format. This mechanism enhances the security of the standard authorization response since it adds support for signing and encryption,sender authentication, and audience restriction. It also provides protection from replay, credential leakage, and mix-up attacks. It can be combined with any response type. For this feature AS supports new response modes ( query.jwt , fragment.jwt , form_post.jwt , jwt ) and additional signing, encryption algorithms.","title":"PAR and JARM"},{"location":"openbanking/par-jarm/#pushed-authorization-requestspar-and-jwt-secured-authorization-response-modejarm","text":"This section covers details of two important features required by the open banking ecosystem. The latest Gluu Open Banking Identity Platform supports PAR and JARM specifications. These two features are bundled in the installation so when you install the Gluu Open Banking Identity Platform the Authorization Server(AS) will support these features by default. The older/existing installation may require updating the WAR/ image. Moreover, these features are also FAPI certified for Brazil Open Banking (Based on FAPI 1 Advanced Final) .","title":"Pushed Authorization Requests(PAR) and JWT Secured Authorization Response Mode(JARM)"},{"location":"openbanking/par-jarm/#pushed-authorization-requests-par","text":"PAR are handled by an additional endpoint of Authorization Server (AS). 
Clients POST their authorization parameters to this endpoint, in return the clients gets a reference (named as request URI value) that will be used in further authorization requests by the client. PAR enables the OAuth clients to push the payload of an authorization request directly to the authorization server in exchange for a request URI value. This request URI value is used as a reference to the authorization request payload data in a subsequent call to the authorization endpoint. We can set different PAR lifetimes for different clients . PAR lifetime will be 600 seconds if it is unspecified . We have two new configuration properties for PAR: * parEndpoint - String , corresponds to pushed_authorization_request_endpoint as defined by specification . * requirePar - Boolean parameter indicating whether the only means of initiating an authorization request the client is allowed to use is a pushed authorization request . If omitted , the default value is \"false\" . Moreover, there is a new client configuration: * parLifetime: An integer parameter representing the lifetime (in seconds) of the pushed authorization request.","title":"Pushed Authorization Requests-PAR:"},{"location":"openbanking/par-jarm/#jwt-secured-authorization-response-mode-jarm","text":"This is a new JWT-based response mode to encode authorization responses known as JARM, (see Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 ). Here clients are enabled to request the transmission of the authorization response parameters along with additional data in JWT format. This mechanism enhances the security of the standard authorization response since it adds support for signing and encryption,sender authentication, and audience restriction. It also provides protection from replay, credential leakage, and mix-up attacks. It can be combined with any response type. 
For this feature AS supports new response modes ( query.jwt , fragment.jwt , form_post.jwt , jwt ) and additional signing, encryption algorithms.","title":"JWT Secured Authorization Response Mode-JARM"},{"location":"reference/","tags":["administration","reference"],"text":"Overview # The Gluu Flex reference guide includes technical references for Flex-specific components and deployments. References for Janssen components, including database references, can be found in the Janssen Project documentation .","title":"Overview"},{"location":"reference/#overview","text":"The Gluu Flex reference guide includes technical references for Flex-specific components and deployments. References for Janssen components, including database references, can be found in the Janssen Project documentation .","title":"Overview"},{"location":"reference/json-config/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Index"},{"location":"reference/json-config/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"reference/json-config/properties/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Index"},{"location":"reference/json-config/properties/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"reference/json-config/properties/casa-properties/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. 
Keep an eye on this page for updates.","title":"Casa properties"},{"location":"reference/json-config/properties/casa-properties/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"reference/json-config/properties/casaconfig-properties/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Casaconfig properties"},{"location":"reference/json-config/properties/casaconfig-properties/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"reference/kubernetes/","tags":["administration","reference","kubernetes","architecture","components"],"text":"Overview # This Reference guide helps you learn about the components and architecture of Gluu Flex. Gluu Flex components # auth-server : The OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Janssen. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. auth-key-rotation : Responsible for regenerating auth-keys per x hours. config-api : The API to configure the auth-server and other components is consolidated in this component. This service should not be Internet-facing. Fido : Provides the server side endpoints to enroll and validate devices that use FIDO. It provides both FIDO U2F (register, authenticate) and FIDO 2 (attestation, assertion) endpoints. This service must be internet facing. SCIM : a JSON/REST API to manage user data. Use it to add, edit and update user information. This service should not be Internet facing. 
Casa : self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. Admin UI : The admin web portal to configure and control your Gluu server. Architectural diagram of Gluu #","title":"Overview"},{"location":"reference/kubernetes/#overview","text":"This Reference guide helps you learn about the components and architecture of Gluu Flex.","title":"Overview"},{"location":"reference/kubernetes/#gluu-flex-components","text":"auth-server : The OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Janssen. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. auth-key-rotation : Responsible for regenerating auth-keys per x hours. config-api : The API to configure the auth-server and other components is consolidated in this component. This service should not be Internet-facing. Fido : Provides the server side endpoints to enroll and validate devices that use FIDO. It provides both FIDO U2F (register, authenticate) and FIDO 2 (attestation, assertion) endpoints. This service must be internet facing. SCIM : a JSON/REST API to manage user data. Use it to add, edit and update user information. This service should not be Internet facing. Casa : self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. Admin UI : The admin web portal to configure and control your Gluu server.","title":"Gluu Flex components"},{"location":"reference/kubernetes/#architectural-diagram-of-gluu","text":"","title":"Architectural diagram of Gluu"},{"location":"reference/kubernetes/docker-admin-ui/","tags":["administration","reference","kubernetes","docker image"],"text":"docker-admin-ui # A containerized application for Gluu Admin UI frontend. Versions # See Releases for stable versions. 
For bleeding-edge/unstable version, use gluufederation/admin-ui:0.0.0-nightly . Environment Variables # The following environment variables are supported by the container: CN_CONFIG_ADAPTER : The config backend adapter, can be consul (default), kubernetes , or google . CN_CONFIG_CONSUL_HOST : hostname or IP of Consul (default to localhost ). CN_CONFIG_CONSUL_PORT : port of Consul (default to 8500 ). CN_CONFIG_CONSUL_CONSISTENCY : Consul consistency mode (choose one of default , consistent , or stale ). Default to stale mode. CN_CONFIG_CONSUL_SCHEME : supported Consul scheme ( http or https ). CN_CONFIG_CONSUL_VERIFY : whether to verify cert or not (default to false ). CN_CONFIG_CONSUL_CACERT_FILE : path to Consul CA cert file (default to /etc/certs/consul_ca.crt ). This file will be used if it exists and CN_CONFIG_CONSUL_VERIFY set to true . CN_CONFIG_CONSUL_CERT_FILE : path to Consul cert file (default to /etc/certs/consul_client.crt ). CN_CONFIG_CONSUL_KEY_FILE : path to Consul key file (default to /etc/certs/consul_client.key ). CN_CONFIG_CONSUL_TOKEN_FILE : path to file contains ACL token (default to /etc/certs/consul_token ). CN_CONFIG_KUBERNETES_NAMESPACE : Kubernetes namespace (default to default ). CN_CONFIG_KUBERNETES_CONFIGMAP : Kubernetes configmaps name (default to jans ). CN_CONFIG_KUBERNETES_USE_KUBE_CONFIG : Load credentials from $HOME/.kube/config , only useful for non-container environment (default to false ). CN_SECRET_ADAPTER : The secrets' adapter, can be vault (default), kubernetes , or google . CN_SECRET_VAULT_VERIFY : whether to verify cert or not (default to false ). CN_SECRET_VAULT_ROLE_ID_FILE : path to file contains Vault AppRole role ID (default to /etc/certs/vault_role_id ). CN_SECRET_VAULT_SECRET_ID_FILE : path to file contains Vault AppRole secret ID (default to /etc/certs/vault_secret_id ). CN_SECRET_VAULT_CERT_FILE : path to Vault cert file (default to /etc/certs/vault_client.crt ). 
CN_SECRET_VAULT_KEY_FILE : path to Vault key file (default to /etc/certs/vault_client.key ). CN_SECRET_VAULT_CACERT_FILE : path to Vault CA cert file (default to /etc/certs/vault_ca.crt ). This file will be used if it exists and CN_SECRET_VAULT_VERIFY set to true . CN_SECRET_VAULT_ADDR : URL of Vault (default to http://localhost:8200 ). CN_SECRET_VAULT_NAMESPACE : Namespace used to access secrets (default to empty string). CN_SECRET_VAULT_KV_PATH : Path to KV secrets engine (default to secret ). CN_SECRET_VAULT_PREFIX : Base prefix name used to build secret path (default to jans ). CN_SECRET_VAULT_APPROLE_PATH : Path to AppRole (default to approle ). CN_SECRET_KUBERNETES_NAMESPACE : Kubernetes namespace (default to default ). CN_SECRET_KUBERNETES_CONFIGMAP : Kubernetes secrets name (default to jans ). CN_SECRET_KUBERNETES_USE_KUBE_CONFIG : Load credentials from $HOME/.kube/config , only useful for non-container environment (default to false ). CN_WAIT_MAX_TIME : How long the startup \"health checks\" should run (default to 300 seconds). CN_WAIT_SLEEP_DURATION : Delay between startup \"health checks\" (default to 10 seconds). GOOGLE_PROJECT_ID : Google Project ID (default to empty string). Used when CN_CONFIG_ADAPTER or CN_SECRET_ADAPTER set to google . GOOGLE_APPLICATION_CREDENTIALS : Optional JSON file (contains Google credentials) that can be injected into container for authentication. Refer to https://cloud.google.com/docs/authentication/provide-credentials-adc#how-to for supported credentials. CN_GOOGLE_SECRET_VERSION_ID : Janssen secret version ID in Google Secret Manager. Defaults to latest , which is recommended. CN_GOOGLE_SECRET_NAME_PREFIX : Prefix for Janssen secret in Google Secret Manager. Defaults to jans . If left jans-secret secret will be created. CN_GOOGLE_SECRET_MANAGER_PASSPHRASE : Passphrase for Janssen secret in Google Secret Manager. This is recommended to be changed and defaults to secret . 
CN_AUTH_BASE_URL : Base URL of auth server (default to empty). CN_CONFIG_API_BASE_URL : Base URL of config-api server (default to empty). CN_TOKEN_SERVER_BASE_URL : Base URL of token server (default to empty). CN_TOKEN_SERVER_AUTHZ_ENDPOINT : Authorization endpoint at token server (default to /jans-auth/authorize.htm ). CN_TOKEN_SERVER_TOKEN_ENDPOINT : Token endpoint at token server (default to /jans-auth/restv1/token ). CN_TOKEN_SERVER_INTROSPECTION_ENDPOINT : Introspection endpoint at token server (default to /jans-auth/restv1/introspection ). CN_TOKEN_SERVER_USERINFO_ENDPOINT : User info endpoint at token server (default to /jans-auth/restv1/userinfo ). CN_TOKEN_SERVER_CLIENT_ID : Client ID registered at token server. CN_TOKEN_SERVER_CERT_FILE : Path to token server certificate (default to /etc/certs/token_server.crt ). CN_PERSISTENCE_TYPE : Persistence backend being used (one of sql , spanner , couchbase , or hybrid ; default to sql ). CN_HYBRID_MAPPING : Specify data mapping for each persistence (default to \"{}\" ). Note this environment only takes effect when CN_PERSISTENCE_TYPE is set to hybrid . See hybrid mapping section for details. CN_COUCHBASE_URL : Address of Couchbase server (default to localhost ). CN_COUCHBASE_USER : Username of Couchbase server (default to admin ). CN_COUCHBASE_CERT_FILE : Couchbase root certificate location (default to /etc/certs/couchbase.crt ). CN_COUCHBASE_PASSWORD_FILE : Path to file contains Couchbase password (default to /etc/jans/conf/couchbase_password ). CN_COUCHBASE_CONN_TIMEOUT : Connect timeout used when a bucket is opened (default to 10000 milliseconds). CN_COUCHBASE_CONN_MAX_WAIT : Maximum time to wait before retrying connection (default to 20000 milliseconds). CN_COUCHBASE_SCAN_CONSISTENCY : Default scan consistency; one of not_bounded , request_plus , or statement_plus (default to not_bounded ). CN_COUCHBASE_BUCKET_PREFIX : Prefix for Couchbase buckets (default to jans ). 
CN_COUCHBASE_TRUSTSTORE_ENABLE : Enable truststore for encrypted Couchbase connection (default to true ). CN_COUCHBASE_KEEPALIVE_INTERVAL : Keep-alive interval for Couchbase connection (default to 30000 milliseconds). CN_COUCHBASE_KEEPALIVE_TIMEOUT : Keep-alive timeout for Couchbase connection (default to 2500 milliseconds). CN_SQL_DB_DIALECT : Dialect name of SQL backend (one of mysql , pgsql ; default to mysql ). CN_SQL_DB_HOST : Host of SQL backend (default to localhost ). CN_SQL_DB_PORT : Port of SQL backend (default to 3306 ). CN_SQL_DB_NAME : Database name (default to jans ) CN_SQL_DB_USER : Username to interact with SQL backend (default to jans ). CN_GOOGLE_SPANNER_INSTANCE_ID : Instance ID of Google Spanner (default to empty string). CN_GOOGLE_SPANNER_DATABASE_ID : Database ID of Google Spanner (default to empty string). GOOGLE_PROJECT_ID : Google Project ID (default to empty string). GOOGLE_PROJECT_ID : Google Project ID (default to empty string). Used when CN_CONFIG_ADAPTER or CN_SECRET_ADAPTER set to google . CN_GOOGLE_SPANNER_INSTANCE_ID : Google Spanner instance ID. CN_GOOGLE_SPANNER_DATABASE_ID : Google Spanner database ID. GLUU_ADMIN_UI_AUTH_METHOD : Authentication method for admin-ui (default to basic ). Note, changing the value require restart to jans-config-api. Hybrid mapping # Hybrid persistence supports all available persistence types. 
To configure hybrid persistence and its data mapping, follow steps below: Set CN_PERSISTENCE_TYPE environment variable to hybrid Set CN_HYBRID_MAPPING with the following format: { \"default\": \"\", \"user\": \"\", \"site\": \"\", \"cache\": \"\", \"token\": \"\", \"session\": \"\", } Example: { \"default\": \"sql\", \"user\": \"spanner\", \"site\": \"sql\", \"cache\": \"sql\", \"token\": \"couchbase\", \"session\": \"spanner\", }","title":"Admin UI Docker Image"},{"location":"reference/kubernetes/docker-admin-ui/#docker-admin-ui","text":"A containerized application for Gluu Admin UI frontend.","title":"docker-admin-ui"},{"location":"reference/kubernetes/docker-admin-ui/#versions","text":"See Releases for stable versions. For bleeding-edge/unstable version, use gluufederation/admin-ui:0.0.0-nightly .","title":"Versions"},{"location":"reference/kubernetes/docker-admin-ui/#environment-variables","text":"The following environment variables are supported by the container: CN_CONFIG_ADAPTER : The config backend adapter, can be consul (default), kubernetes , or google . CN_CONFIG_CONSUL_HOST : hostname or IP of Consul (default to localhost ). CN_CONFIG_CONSUL_PORT : port of Consul (default to 8500 ). CN_CONFIG_CONSUL_CONSISTENCY : Consul consistency mode (choose one of default , consistent , or stale ). Default to stale mode. CN_CONFIG_CONSUL_SCHEME : supported Consul scheme ( http or https ). CN_CONFIG_CONSUL_VERIFY : whether to verify cert or not (default to false ). CN_CONFIG_CONSUL_CACERT_FILE : path to Consul CA cert file (default to /etc/certs/consul_ca.crt ). This file will be used if it exists and CN_CONFIG_CONSUL_VERIFY set to true . CN_CONFIG_CONSUL_CERT_FILE : path to Consul cert file (default to /etc/certs/consul_client.crt ). CN_CONFIG_CONSUL_KEY_FILE : path to Consul key file (default to /etc/certs/consul_client.key ). CN_CONFIG_CONSUL_TOKEN_FILE : path to file contains ACL token (default to /etc/certs/consul_token ). 
CN_CONFIG_KUBERNETES_NAMESPACE : Kubernetes namespace (default to default ). CN_CONFIG_KUBERNETES_CONFIGMAP : Kubernetes configmaps name (default to jans ). CN_CONFIG_KUBERNETES_USE_KUBE_CONFIG : Load credentials from $HOME/.kube/config , only useful for non-container environment (default to false ). CN_SECRET_ADAPTER : The secrets' adapter, can be vault (default), kubernetes , or google . CN_SECRET_VAULT_VERIFY : whether to verify cert or not (default to false ). CN_SECRET_VAULT_ROLE_ID_FILE : path to file contains Vault AppRole role ID (default to /etc/certs/vault_role_id ). CN_SECRET_VAULT_SECRET_ID_FILE : path to file contains Vault AppRole secret ID (default to /etc/certs/vault_secret_id ). CN_SECRET_VAULT_CERT_FILE : path to Vault cert file (default to /etc/certs/vault_client.crt ). CN_SECRET_VAULT_KEY_FILE : path to Vault key file (default to /etc/certs/vault_client.key ). CN_SECRET_VAULT_CACERT_FILE : path to Vault CA cert file (default to /etc/certs/vault_ca.crt ). This file will be used if it exists and CN_SECRET_VAULT_VERIFY set to true . CN_SECRET_VAULT_ADDR : URL of Vault (default to http://localhost:8200 ). CN_SECRET_VAULT_NAMESPACE : Namespace used to access secrets (default to empty string). CN_SECRET_VAULT_KV_PATH : Path to KV secrets engine (default to secret ). CN_SECRET_VAULT_PREFIX : Base prefix name used to build secret path (default to jans ). CN_SECRET_VAULT_APPROLE_PATH : Path to AppRole (default to approle ). CN_SECRET_KUBERNETES_NAMESPACE : Kubernetes namespace (default to default ). CN_SECRET_KUBERNETES_CONFIGMAP : Kubernetes secrets name (default to jans ). CN_SECRET_KUBERNETES_USE_KUBE_CONFIG : Load credentials from $HOME/.kube/config , only useful for non-container environment (default to false ). CN_WAIT_MAX_TIME : How long the startup \"health checks\" should run (default to 300 seconds). CN_WAIT_SLEEP_DURATION : Delay between startup \"health checks\" (default to 10 seconds). 
GOOGLE_PROJECT_ID : Google Project ID (default to empty string). Used when CN_CONFIG_ADAPTER or CN_SECRET_ADAPTER set to google . GOOGLE_APPLICATION_CREDENTIALS : Optional JSON file (contains Google credentials) that can be injected into container for authentication. Refer to https://cloud.google.com/docs/authentication/provide-credentials-adc#how-to for supported credentials. CN_GOOGLE_SECRET_VERSION_ID : Janssen secret version ID in Google Secret Manager. Defaults to latest , which is recommended. CN_GOOGLE_SECRET_NAME_PREFIX : Prefix for Janssen secret in Google Secret Manager. Defaults to jans . If left jans-secret secret will be created. CN_GOOGLE_SECRET_MANAGER_PASSPHRASE : Passphrase for Janssen secret in Google Secret Manager. This is recommended to be changed and defaults to secret . CN_AUTH_BASE_URL : Base URL of auth server (default to empty). CN_CONFIG_API_BASE_URL : Base URL of config-api server (default to empty). CN_TOKEN_SERVER_BASE_URL : Base URL of token server (default to empty). CN_TOKEN_SERVER_AUTHZ_ENDPOINT : Authorization endpoint at token server (default to /jans-auth/authorize.htm ). CN_TOKEN_SERVER_TOKEN_ENDPOINT : Token endpoint at token server (default to /jans-auth/restv1/token ). CN_TOKEN_SERVER_INTROSPECTION_ENDPOINT : Introspection endpoint at token server (default to /jans-auth/restv1/introspection ). CN_TOKEN_SERVER_USERINFO_ENDPOINT : User info endpoint at token server (default to /jans-auth/restv1/userinfo ). CN_TOKEN_SERVER_CLIENT_ID : Client ID registered at token server. CN_TOKEN_SERVER_CERT_FILE : Path to token server certificate (default to /etc/certs/token_server.crt ). CN_PERSISTENCE_TYPE : Persistence backend being used (one of sql , spanner , couchbase , or hybrid ; default to sql ). CN_HYBRID_MAPPING : Specify data mapping for each persistence (default to \"{}\" ). Note this environment only takes effect when CN_PERSISTENCE_TYPE is set to hybrid . See hybrid mapping section for details. 
CN_COUCHBASE_URL : Address of Couchbase server (default to localhost ). CN_COUCHBASE_USER : Username of Couchbase server (default to admin ). CN_COUCHBASE_CERT_FILE : Couchbase root certificate location (default to /etc/certs/couchbase.crt ). CN_COUCHBASE_PASSWORD_FILE : Path to file contains Couchbase password (default to /etc/jans/conf/couchbase_password ). CN_COUCHBASE_CONN_TIMEOUT : Connect timeout used when a bucket is opened (default to 10000 milliseconds). CN_COUCHBASE_CONN_MAX_WAIT : Maximum time to wait before retrying connection (default to 20000 milliseconds). CN_COUCHBASE_SCAN_CONSISTENCY : Default scan consistency; one of not_bounded , request_plus , or statement_plus (default to not_bounded ). CN_COUCHBASE_BUCKET_PREFIX : Prefix for Couchbase buckets (default to jans ). CN_COUCHBASE_TRUSTSTORE_ENABLE : Enable truststore for encrypted Couchbase connection (default to true ). CN_COUCHBASE_KEEPALIVE_INTERVAL : Keep-alive interval for Couchbase connection (default to 30000 milliseconds). CN_COUCHBASE_KEEPALIVE_TIMEOUT : Keep-alive timeout for Couchbase connection (default to 2500 milliseconds). CN_SQL_DB_DIALECT : Dialect name of SQL backend (one of mysql , pgsql ; default to mysql ). CN_SQL_DB_HOST : Host of SQL backend (default to localhost ). CN_SQL_DB_PORT : Port of SQL backend (default to 3306 ). CN_SQL_DB_NAME : Database name (default to jans ) CN_SQL_DB_USER : Username to interact with SQL backend (default to jans ). CN_GOOGLE_SPANNER_INSTANCE_ID : Instance ID of Google Spanner (default to empty string). CN_GOOGLE_SPANNER_DATABASE_ID : Database ID of Google Spanner (default to empty string). GOOGLE_PROJECT_ID : Google Project ID (default to empty string). GOOGLE_PROJECT_ID : Google Project ID (default to empty string). Used when CN_CONFIG_ADAPTER or CN_SECRET_ADAPTER set to google . CN_GOOGLE_SPANNER_INSTANCE_ID : Google Spanner instance ID. CN_GOOGLE_SPANNER_DATABASE_ID : Google Spanner database ID. 
GLUU_ADMIN_UI_AUTH_METHOD : Authentication method for admin-ui (default to basic ). Note, changing the value require restart to jans-config-api.","title":"Environment Variables"},{"location":"reference/kubernetes/docker-admin-ui/#hybrid-mapping","text":"Hybrid persistence supports all available persistence types. To configure hybrid persistence and its data mapping, follow steps below: Set CN_PERSISTENCE_TYPE environment variable to hybrid Set CN_HYBRID_MAPPING with the following format: { \"default\": \"\", \"user\": \"\", \"site\": \"\", \"cache\": \"\", \"token\": \"\", \"session\": \"\", } Example: { \"default\": \"sql\", \"user\": \"spanner\", \"site\": \"sql\", \"cache\": \"sql\", \"token\": \"couchbase\", \"session\": \"spanner\", }","title":"Hybrid mapping"},{"location":"reference/kubernetes/docker-flex-monolith/","tags":["administration","reference","kubernetes","docker image","docker compose"],"text":"Warning This image is for testing and development purposes only. Use Flex helm charts for production setups. Overview # Docker monolith image packaging for Gluu Flex. This image packs janssen services including the auth-server, config-api, fido2, casa, scim and the Gluu admin ui. Pre-requisites # Docker Docker compose Versions # See Releases for stable versions. This image should never be used in production. For bleeding-edge/unstable version, use gluufederation/monolith:0.0.0-nightly . Environment Variables # Installation depends on the set of environment variables shown below. These environment variables can be set to customize installation as per the need. If not set, the installer uses default values. ENV Description Default CN_HOSTNAME Hostname to install gluu with. demoexample.gluu.org CN_ADMIN_PASS Password of the admin user. 1t5Fin3#security CN_ORG_NAME Organization name. Used for ssl cert generation. Gluu CN_EMAIL Email. Used for ssl cert generation. team@gluu.org CN_CITY City. Used for ssl cert generation. Austin CN_STATE State. 
Used for ssl cert generation TX CN_COUNTRY Country. Used for ssl cert generation. US CN_INSTALL_MYSQL Install gluu with mysql as the backend false CN_INSTALL_PGSQL Install gluu with Postgres as the backend false CN_INSTALL_ADMIN_UI Installs the Admin-UI true CN_INSTALL_CONFIG_API Installs the Config API service. true CN_INSTALL_SCIM Installs the SCIM API service. true CN_INSTALL_FIDO2 Installs the FIDO2 API service. true RDBMS_DATABASE RDBMS gluu database for MySQL or Postgres. gluu RDBMS_USER RDBMS database user for MySQL or Postgres. gluu RDBMS_PASSWORD RDBMS database user password for MySQL or Postgres. 1t5Fin3#security RDBMS_HOST RDBMS host for MySQL or Postgres. mysql which is the docker compose service name TEST_CLIENT_ID ID of test client in UUID which has all available scopes to access any gluu API 9876baac-de39-4c23-8a78-674b59df8c09 TEST_CLIENT_SECRET Secret for test client 1t5Fin3#security TEST_CLIENT_TRUSTED Trust test client true TEST_CLIENT_REDIRECT_URI Not Implemented yet Redirect URI for test client. Multiple uri's with comma may be provided, if not provided redirect uris will be same as the config-api-client `` How to run # Download the compose file of your chosen persistence from mysql or postgres wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-mysql-compose.yml wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-postgres-compose.yml Download the script files wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/up.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/down.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/clean.sh Give execute permission to the scripts chmod u+x up.sh down.sh clean.sh This docker compose file runs two containers, the flex monolith container and mysql container. To start the containers. 
./up.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql. To view the containers running docker compose -f flex-mysql-compose.yml ps To stop the containers. ./down.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql. Configure Gluu flex # Access the Docker container shell using: docker compose -f flex-mysql-compose.yml exec flex /bin/bash #This opens a bash terminal in the running container You can grab client_id and client_pw (secret), and other values from setup.properties or /opt/jans/jans-setup/setup.properties.last Use the CLI tools located under /opt/jans/jans-cli/ to configure Gluu flex as needed. For example you can run the TUI : python3 /opt/jans/jans-cli/config-cli-tui.py Access endpoints externally # Add to your /etc/hosts file the ip domain record which should be the ip of the instance docker is installed at and the domain used in the env above CN_HOSTNAME . # For-example 172 .22.0.3 demoexample.gluu.org After adding the record you can hit endpoints such as https://demoexample.gluu.org/.well-known/openid-configuration Clean up # Remove setup and volumes ./clean.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql.","title":"Flex Monolith Docker Image"},{"location":"reference/kubernetes/docker-flex-monolith/#overview","text":"Docker monolith image packaging for Gluu Flex. This image packs janssen services including the auth-server, config-api, fido2, casa, scim and the Gluu admin ui.","title":"Overview"},{"location":"reference/kubernetes/docker-flex-monolith/#pre-requisites","text":"Docker Docker compose","title":"Pre-requisites"},{"location":"reference/kubernetes/docker-flex-monolith/#versions","text":"See Releases for stable versions. This image should never be used in production. 
For bleeding-edge/unstable version, use gluufederation/monolith:0.0.0-nightly .","title":"Versions"},{"location":"reference/kubernetes/docker-flex-monolith/#environment-variables","text":"Installation depends on the set of environment variables shown below. These environment variables can be set to customize installation as per the need. If not set, the installer uses default values. ENV Description Default CN_HOSTNAME Hostname to install gluu with. demoexample.gluu.org CN_ADMIN_PASS Password of the admin user. 1t5Fin3#security CN_ORG_NAME Organization name. Used for ssl cert generation. Gluu CN_EMAIL Email. Used for ssl cert generation. team@gluu.org CN_CITY City. Used for ssl cert generation. Austin CN_STATE State. Used for ssl cert generation TX CN_COUNTRY Country. Used for ssl cert generation. US CN_INSTALL_MYSQL Install gluu with mysql as the backend false CN_INSTALL_PGSQL Install gluu with Postgres as the backend false CN_INSTALL_ADMIN_UI Installs the Admin-UI true CN_INSTALL_CONFIG_API Installs the Config API service. true CN_INSTALL_SCIM Installs the SCIM API service. true CN_INSTALL_FIDO2 Installs the FIDO2 API service. true RDBMS_DATABASE RDBMS gluu database for MySQL or Postgres. gluu RDBMS_USER RDBMS database user for MySQL or Postgres. gluu RDBMS_PASSWORD RDBMS database user password for MySQL or Postgres. 1t5Fin3#security RDBMS_HOST RDBMS host for MySQL or Postgres. mysql which is the docker compose service name TEST_CLIENT_ID ID of test client in UUID which has all available scopes to access any gluu API 9876baac-de39-4c23-8a78-674b59df8c09 TEST_CLIENT_SECRET Secret for test client 1t5Fin3#security TEST_CLIENT_TRUSTED Trust test client true TEST_CLIENT_REDIRECT_URI Not Implemented yet Redirect URI for test client. 
Multiple uri's with comma may be provided, if not provided redirect uris will be same as the config-api-client ``","title":"Environment Variables"},{"location":"reference/kubernetes/docker-flex-monolith/#how-to-run","text":"Download the compose file of your chosen persistence from mysql or postgres wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-mysql-compose.yml wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-postgres-compose.yml Download the script files wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/up.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/down.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/clean.sh Give execute permission to the scripts chmod u+x up.sh down.sh clean.sh This docker compose file runs two containers, the flex monolith container and mysql container. To start the containers. ./up.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql. To view the containers running docker compose -f flex-mysql-compose.yml ps To stop the containers. ./down.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql.","title":"How to run"},{"location":"reference/kubernetes/docker-flex-monolith/#configure-gluu-flex","text":"Access the Docker container shell using: docker compose -f flex-mysql-compose.yml exec flex /bin/bash #This opens a bash terminal in the running container You can grab client_id and client_pw (secret), and other values from setup.properties or /opt/jans/jans-setup/setup.properties.last Use the CLI tools located under /opt/jans/jans-cli/ to configure Gluu flex as needed. 
For example you can run the TUI : python3 /opt/jans/jans-cli/config-cli-tui.py","title":"Configure Gluu flex"},{"location":"reference/kubernetes/docker-flex-monolith/#access-endpoints-externally","text":"Add to your /etc/hosts file the ip domain record which should be the ip of the instance docker is installed at and the domain used in the env above CN_HOSTNAME . # For-example 172 .22.0.3 demoexample.gluu.org After adding the record you can hit endpoints such as https://demoexample.gluu.org/.well-known/openid-configuration","title":"Access endpoints externally"},{"location":"reference/kubernetes/docker-flex-monolith/#clean-up","text":"Remove setup and volumes ./clean.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql.","title":"Clean up"},{"location":"reference/kubernetes/helm-chart/","text":"gluu # Gluu Access and Identity Management Homepage: https://www.gluu.org Maintainers # Name Email Url moabu team@gluu.org Source Code # https://docs.gluu.org Requirements # Kubernetes: >=v1.21.0-0 Repository Name Version admin-ui 5.2.0 auth-server 1.2.0 auth-server-key-rotation 1.2.0 casa 1.2.0 cn-istio-ingress 1.2.0 config 1.2.0 config-api 1.2.0 fido2 1.2.0 kc-scheduler 1.2.0 link 1.2.0 nginx-ingress 1.2.0 persistence 1.2.0 saml 1.2.0 scim 1.2.0 Values # Key Type Default Description admin-ui object 
{\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/gluufederation/flex/admin-ui\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"},\"requests\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Admin GUI for configuration of the auth-server admin-ui.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of admin-ui.additionalLabels object {} Additional labels that will be added across the gateway in the format of admin-ui.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. admin-ui.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh admin-ui.dnsConfig object {} Add custom dns config admin-ui.dnsPolicy string \"\" Add custom dns policy admin-ui.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler admin-ui.hpa.behavior object {} Scaling Policies admin-ui.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set admin-ui.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. admin-ui.image.pullSecrets list [] Image Pull Secrets admin-ui.image.repository string \"ghcr.io/gluufederation/flex/admin-ui\" Image to use for deploying. admin-ui.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. admin-ui.livenessProbe object {\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5} Configure the liveness healthcheck for the admin ui if needed. admin-ui.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget admin-ui.readinessProbe object {\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5} Configure the readiness healthcheck for the admin ui if needed. admin-ui.replicas int 1 Service replica number. admin-ui.resources object {\"limits\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"},\"requests\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"}} Resource specs. admin-ui.resources.limits.cpu string \"2000m\" CPU limit. admin-ui.resources.limits.memory string \"2000Mi\" Memory limit. admin-ui.resources.requests.cpu string \"2000m\" CPU request. admin-ui.resources.requests.memory string \"2000Mi\" Memory request. admin-ui.topologySpreadConstraints object {} Configure the topology spread constraints. 
Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ admin-ui.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service admin-ui.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 admin-ui.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 admin-ui.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers admin-ui.volumes list [] Configure any additional volumes that need to be attached to the pod auth-server object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/auth-server\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"},\"requests\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. 
auth-server-key-rotation object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/certmanager\",\"tag\":\"0.0.0-nightly\"},\"keysLife\":48,\"keysPushDelay\":0,\"keysPushStrategy\":\"NEWER\",\"keysStrategy\":\"NEWER\",\"lifecycle\":{},\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Responsible for regenerating auth-keys per x hours auth-server-key-rotation.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of auth-server-key-rotation.additionalLabels object {} Additional labels that will be added across the gateway in the format of auth-server-key-rotation.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. auth-server-key-rotation.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh auth-server-key-rotation.dnsConfig object {} Add custom dns config auth-server-key-rotation.dnsPolicy string \"\" Add custom dns policy auth-server-key-rotation.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. auth-server-key-rotation.image.pullSecrets list [] Image Pull Secrets auth-server-key-rotation.image.repository string \"ghcr.io/janssenproject/jans/certmanager\" Image to use for deploying. auth-server-key-rotation.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. 
auth-server-key-rotation.keysLife int 48 Auth server key rotation keys life in hours auth-server-key-rotation.keysPushDelay int 0 Delay (in seconds) before pushing private keys to Auth server auth-server-key-rotation.keysPushStrategy string \"NEWER\" Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) auth-server-key-rotation.keysStrategy string \"NEWER\" Set key selection strategy used by Auth server auth-server-key-rotation.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. auth-server-key-rotation.resources.limits.cpu string \"300m\" CPU limit. auth-server-key-rotation.resources.limits.memory string \"300Mi\" Memory limit. auth-server-key-rotation.resources.requests.cpu string \"300m\" CPU request. auth-server-key-rotation.resources.requests.memory string \"300Mi\" Memory request. auth-server-key-rotation.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service auth-server-key-rotation.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 auth-server-key-rotation.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 auth-server-key-rotation.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers auth-server-key-rotation.volumes list [] Configure any additional volumes that need to be attached to the pod auth-server.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of auth-server.additionalLabels object {} Additional labels that will be added across the gateway in the format of auth-server.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. auth-server.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh auth-server.dnsConfig object {} Add custom dns config auth-server.dnsPolicy string \"\" Add custom dns policy auth-server.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler auth-server.hpa.behavior object {} Scaling Policies auth-server.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set auth-server.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. auth-server.image.pullSecrets list [] Image Pull Secrets auth-server.image.repository string \"ghcr.io/janssenproject/jans/auth-server\" Image to use for deploying. auth-server.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. auth-server.livenessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. auth-server.livenessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py auth-server.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget auth-server.readinessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py auth-server.replicas int 1 Service replica number. auth-server.resources object {\"limits\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"},\"requests\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"}} Resource specs. auth-server.resources.limits.cpu string \"2500m\" CPU limit. 
auth-server.resources.limits.memory string \"2500Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. auth-server.resources.requests.cpu string \"2500m\" CPU request. auth-server.resources.requests.memory string \"2500Mi\" Memory request. auth-server.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ auth-server.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service auth-server.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 auth-server.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 auth-server.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers auth-server.volumes list [] Configure any additional volumes that need to be attached to the pod casa object 
{\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/casa\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Janssen Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Auth Server. casa.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of casa.additionalLabels object {} Additional labels that will be added across the gateway in the format of casa.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. casa.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh casa.dnsConfig object {} Add custom dns config casa.dnsPolicy string \"\" Add custom dns policy casa.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler casa.hpa.behavior object {} Scaling Policies casa.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set casa.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. casa.image.pullSecrets list [] Image Pull Secrets casa.image.repository string \"ghcr.io/janssenproject/jans/casa\" Image to use for deploying. casa.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. casa.livenessProbe object {\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the liveness healthcheck for casa if needed. casa.livenessProbe.httpGet.path string \"/jans-casa/health-check\" http liveness probe endpoint casa.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget casa.readinessProbe object {\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the readiness healthcheck for the casa if needed. casa.readinessProbe.httpGet.path string \"/jans-casa/health-check\" http readiness probe endpoint casa.replicas int 1 Service replica number. casa.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}} Resource specs. casa.resources.limits.cpu string \"500m\" CPU limit. casa.resources.limits.memory string \"500Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. casa.resources.requests.cpu string \"500m\" CPU request. 
casa.resources.requests.memory string \"500Mi\" Memory request. casa.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ casa.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service casa.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 casa.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 casa.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers casa.volumes list [] Configure any additional volumes that need to be attached to the pod config object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"adminPassword\":\"Test1234#\",\"city\":\"Austin\",\"configmap\":{\"cnAwsAccessKeyId\":\"\",\"cnAwsDefaultRegion\":\"us-west-1\",\"cnAwsProfile\":\"gluu\",\"cnAwsSecretAccessKey\":\"\",\"cnAwsSecretsEndpointUrl\":\"\",\"cnAwsSecretsNamePrefix\":\"gluu\",\"cnAwsSecretsReplicaRegions\":[],\"cnCacheType\":\"NATIVE_PERSISTENCE\",\"cnConfigKubernetesConfigMap\":\"cn\",\"cnGoogleProjectId\":\"google-project-to-save-config-and-secrets-to\",\"cnGoogleSecretManagerServiceAccount\":\"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=\",\"cnGoogleSecretNamePrefix\":\"gluu\",\"cnGoogleSecretVersionId\":\"latest\",\"cnJettyRequestHeaderSize\":8192,\"cnMaxRamPercent\":\"75.0\",\"cnMessageType\":\"DISABLED\",\"cnOpaUrl\":\"http://opa.opa.svc.cluster.cluster.local:8181/v1\",\"cnPersistenceHybridMapping\":\"{}\",\"cnRedisSentinelGroup\":\"\",\"cnRedisSslTruststore\":\"\",\"cnRedisType\":\"STANDALONE\",\"cnRedisUrl\":\"redis.redis.svc.cluster.local:6379\",\"cnRedisUseSsl\":false,\"cnScimProtectionMode\":\"OAUTH\",\"cnSecretKubernetesSecret\":\"cn\",\"cnSqlDbDialect\":\"mysql\",\"cnSqlDbHost\":\"my-release-mysql.default.svc.cluster.local\",\"cnSqlDbName\":\"gluu\",\"cnSqlDbPor
t\":3306,\"cnSqlDbSchema\":\"\",\"cnSqlDbTimezone\":\"UTC\",\"cnSqlDbUser\":\"gluu\",\"cnSqldbUserPassword\":\"Test1234#\",\"cnVaultAddr\":\"http://localhost:8200\",\"cnVaultAppRolePath\":\"approle\",\"cnVaultKvPath\":\"secret\",\"cnVaultNamespace\":\"\",\"cnVaultPrefix\":\"jans\",\"cnVaultRoleId\":\"\",\"cnVaultRoleIdFile\":\"/etc/certs/vault_role_id\",\"cnVaultSecretId\":\"\",\"cnVaultSecretIdFile\":\"/etc/certs/vault_secret_id\",\"cnVaultVerify\":false,\"kcAdminPassword\":\"Test1234#\",\"kcAdminUsername\":\"admin\",\"kcDbPassword\":\"Test1234#\",\"kcDbSchema\":\"keycloak\",\"kcDbUrlDatabase\":\"keycloak\",\"kcDbUrlHost\":\"mysql.kc.svc.cluster.local\",\"kcDbUrlPort\":3306,\"kcDbUrlProperties\":\"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4\",\"kcDbUsername\":\"keycloak\",\"kcDbVendor\":\"mysql\",\"kcLogLevel\":\"INFO\",\"lbAddr\":\"\",\"quarkusTransactionEnableRecovery\":true},\"countryCode\":\"US\",\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"email\":\"team@gluu.org\",\"image\":{\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/configurator\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"migration\":{\"enabled\":false,\"migrationDataFormat\":\"ldif\",\"migrationDir\":\"/ce-migration\"},\"orgName\":\"Gluu\",\"redisPassword\":\"P@assw0rd\",\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"salt\":\"\",\"state\":\"TX\",\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. 
config-api object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/config-api\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-config-api/api/v1/health/live\",\"port\":8074},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"jans-config-api/api/v1/health/ready\",\"port\":8074},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). config-api.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of config-api.additionalLabels object {} Additional labels that will be added across the gateway in the format of config-api.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. config-api.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh config-api.dnsConfig object {} Add custom dns config config-api.dnsPolicy string \"\" Add custom dns policy config-api.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler config-api.hpa.behavior object {} Scaling Policies config-api.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set config-api.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. config-api.image.pullSecrets list [] Image Pull Secrets config-api.image.repository string \"ghcr.io/janssenproject/jans/config-api\" Image to use for deploying. config-api.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. config-api.livenessProbe object {\"httpGet\":{\"path\":\"/jans-config-api/api/v1/health/live\",\"port\":8074},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. config-api.livenessProbe.httpGet object {\"path\":\"/jans-config-api/api/v1/health/live\",\"port\":8074} http liveness probe endpoint config-api.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget config-api.readinessProbe.httpGet object {\"path\":\"jans-config-api/api/v1/health/ready\",\"port\":8074} http readiness probe endpoint config-api.replicas int 1 Service replica number. config-api.resources object {\"limits\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"}} Resource specs. config-api.resources.limits.cpu string \"1000m\" CPU limit. config-api.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. config-api.resources.requests.cpu string \"1000m\" CPU request. 
config-api.resources.requests.memory string \"1200Mi\" Memory request. config-api.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ config-api.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service config-api.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 config-api.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 config-api.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers config-api.volumes list [] Configure any additional volumes that need to be attached to the pod config.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of config.additionalLabels object {} Additional labels that will be added across the gateway in the format of config.adminPassword string \"Test1234#\" Admin password to log in to the UI. config.city string \"Austin\" City. Used for certificate creation. config.configmap.cnCacheType string \"NATIVE_PERSISTENCE\" Cache type. NATIVE_PERSISTENCE , REDIS . or IN_MEMORY . Defaults to NATIVE_PERSISTENCE . config.configmap.cnConfigKubernetesConfigMap string \"cn\" The name of the Kubernetes ConfigMap that will hold the configuration layer config.configmap.cnGoogleProjectId string \"google-project-to-save-config-and-secrets-to\" Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnGoogleSecretManagerServiceAccount string \"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=\" Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. 
Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnGoogleSecretNamePrefix string \"gluu\" Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnGoogleSecretVersionId string \"latest\" Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnJettyRequestHeaderSize int 8192 Jetty header size in bytes in the auth server config.configmap.cnMaxRamPercent string \"75.0\" Value passed to Java option -XX:MaxRAMPercentage config.configmap.cnMessageType string \"DISABLED\" Message type (one of POSTGRES, REDIS, or DISABLED) config.configmap.cnOpaUrl string \"http://opa.opa.svc.cluster.cluster.local:8181/v1\" URL of OPA API config.configmap.cnPersistenceHybridMapping string \"{}\" Specify data that should be saved in persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when global.cnPersistenceType is set to hybrid . config.configmap.cnRedisSentinelGroup string \"\" Redis Sentinel Group. Often set when config.configmap.cnRedisType is set to SENTINEL . Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnRedisSslTruststore string \"\" Redis SSL truststore. Optional. Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnRedisType string \"STANDALONE\" Redis service type. STANDALONE or CLUSTER . Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnRedisUrl string \"redis.redis.svc.cluster.local:6379\" Redis URL and port number : . Can be used when config.configmap.cnCacheType is set to REDIS . 
config.configmap.cnRedisUseSsl bool false Boolean to use SSL in Redis. Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnScimProtectionMode string \"OAUTH\" SCIM protection mode OAUTH config.configmap.cnSecretKubernetesSecret string \"cn\" Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. config.configmap.cnSqlDbDialect string \"mysql\" SQL database dialect. mysql or pgsql config.configmap.cnSqlDbHost string \"my-release-mysql.default.svc.cluster.local\" SQL database host uri. config.configmap.cnSqlDbName string \"gluu\" SQL database name. config.configmap.cnSqlDbPort int 3306 SQL database port. config.configmap.cnSqlDbSchema string \"\" Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as \"public\" ). config.configmap.cnSqlDbTimezone string \"UTC\" SQL database timezone. config.configmap.cnSqlDbUser string \"gluu\" SQL database username. config.configmap.cnSqldbUserPassword string \"Test1234#\" SQL password injected the secrets . config.configmap.cnVaultAddr string \"http://localhost:8200\" Base URL of Vault. config.configmap.cnVaultAppRolePath string \"approle\" Path to Vault AppRole. config.configmap.cnVaultKvPath string \"secret\" Path to Vault KV secrets engine. config.configmap.cnVaultNamespace string \"\" Vault namespace used to access the secrets. config.configmap.cnVaultPrefix string \"jans\" Base prefix name used to access secrets. config.configmap.cnVaultRoleId string \"\" Vault AppRole RoleID. config.configmap.cnVaultRoleIdFile string \"/etc/certs/vault_role_id\" Path to file contains Vault AppRole role ID. config.configmap.cnVaultSecretId string \"\" Vault AppRole SecretID. config.configmap.cnVaultSecretIdFile string \"/etc/certs/vault_secret_id\" Path to file contains Vault AppRole secret ID. 
config.configmap.cnVaultVerify bool false Verify connection to Vault. config.configmap.kcAdminPassword string \"Test1234#\" Keycloak admin UI password config.configmap.kcAdminUsername string \"admin\" Keycloak admin UI username config.configmap.kcDbPassword string \"Test1234#\" Password for Keycloak database access config.configmap.kcDbSchema string \"keycloak\" Keycloak database schema name (note that PostgreSQL may be using \"public\" schema). config.configmap.kcDbUrlDatabase string \"keycloak\" Keycloak database name. config.configmap.kcDbUrlHost string \"mysql.kc.svc.cluster.local\" Keycloak database host uri config.configmap.kcDbUrlPort int 3306 Keycloak database port (default to port 3306 for mysql). config.configmap.kcDbUrlProperties string \"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4\" Keycloak database connection properties. If using postgresql, the value can be set to empty string. config.configmap.kcDbUsername string \"keycloak\" Keycloak database username config.configmap.kcDbVendor string \"mysql\" Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. config.configmap.kcLogLevel string \"INFO\" Keycloak logging level config.configmap.lbAddr string \"\" Load balancer address for AWS if the FQDN is not registered. config.configmap.quarkusTransactionEnableRecovery bool true Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. config.countryCode string \"US\" Country code. Used for certificate creation. config.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. config.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh config.dnsConfig object {} Add custom dns config config.dnsPolicy string \"\" Add custom dns policy config.email string \"team@gluu.org\" Email address of the administrator usually. Used for certificate creation. config.image.pullSecrets list [] Image Pull Secrets config.image.repository string \"ghcr.io/janssenproject/jans/configurator\" Image to use for deploying. config.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. config.migration object {\"enabled\":false,\"migrationDataFormat\":\"ldif\",\"migrationDir\":\"/ce-migration\"} CE to CN Migration section config.migration.enabled bool false Boolean flag to enable migration from CE config.migration.migrationDataFormat string \"ldif\" migration data-format depending on persistence backend. Supported data formats are ldif, postgresql+json, and mysql+json. config.migration.migrationDir string \"/ce-migration\" Directory holding all migration files config.orgName string \"Gluu\" Organization name. Used for certificate creation. config.redisPassword string \"P@assw0rd\" Redis admin password if config.configmap.cnCacheType is set to REDIS . config.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. config.resources.limits.cpu string \"300m\" CPU limit. config.resources.limits.memory string \"300Mi\" Memory limit. config.resources.requests.cpu string \"300m\" CPU request. config.resources.requests.memory string \"300Mi\" Memory request. config.salt string \"\" Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. config.state string \"TX\" State code. Used for certificate creation. config.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service. config.usrEnvs.normal object {} Add custom normal envs to the service. 
variable1: value1 config.usrEnvs.secret object {} Add custom secret envs to the service. variable1: value1 config.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers config.volumes list [] Configure any additional volumes that need to be attached to the pod fido2 object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/fido2\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}},\"service\":{\"name\":\"http-fido2\",\"port\":8080},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. fido2.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of fido2.additionalLabels object {} Additional labels that will be added across the gateway in the format of fido2.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. 
fido2.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh fido2.dnsConfig object {} Add custom dns config fido2.dnsPolicy string \"\" Add custom dns policy fido2.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler fido2.hpa.behavior object {} Scaling Policies fido2.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set fido2.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. fido2.image.pullSecrets list [] Image Pull Secrets fido2.image.repository string \"ghcr.io/janssenproject/jans/fido2\" Image to use for deploying. fido2.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. fido2.livenessProbe object {\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the liveness healthcheck for the fido2 if needed. fido2.livenessProbe.httpGet object {\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"} http liveness probe endpoint fido2.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget fido2.readinessProbe object {\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the readiness healthcheck for the fido2 if needed. fido2.replicas int 1 Service replica number. fido2.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}} Resource specs. fido2.resources.limits.cpu string \"500m\" CPU limit. fido2.resources.limits.memory string \"500Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. 
fido2.resources.requests.cpu string \"500m\" CPU request. fido2.resources.requests.memory string \"500Mi\" Memory request. fido2.service.name string \"http-fido2\" The name of the fido2 port within the fido2 service. Please keep it as default. fido2.service.port int 8080 Port of the fido2 service. Please keep it as default. fido2.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ fido2.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service fido2.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 fido2.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 fido2.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers fido2.volumes list [] Configure any additional volumes that need to be attached to the pod global object {\"admin-ui\":{\"adminUiServiceName\":\"admin-ui\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"adminUiAdditionalAnnotations\":{},\"adminUiEnabled\":false,\"adminUiLabels\":{}}},\"alb\":{\"ingress\":false},\"auth-server\":{\"appLoggers\":{\"auditStatsLogLevel\":\"INFO\",\"auditStatsLogTarget\":\"FILE\",\"authLogLevel\":\"INFO\",\"authLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"httpLogLevel\":\"INFO\",\"httpLogTarget\":\"FILE\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"authEncKeys\":\"RSA1_5 RSA-OAEP\",\"authServerServiceName\":\"auth-server\",\"authSigKeys\":\"RS256 RS384 RS512 ES256 ES384 ES512 
PS256 PS384 PS512\",\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"authServerAdditionalAnnotations\":{},\"authServerEnabled\":true,\"authServerLabels\":{},\"authServerProtectedRegister\":false,\"authServerProtectedRegisterAdditionalAnnotations\":{},\"authServerProtectedRegisterLabels\":{},\"authServerProtectedToken\":false,\"authServerProtectedTokenAdditionalAnnotations\":{},\"authServerProtectedTokenLabels\":{},\"authzenAdditionalAnnotations\":{},\"authzenConfigEnabled\":true,\"authzenConfigLabels\":{},\"deviceCodeAdditionalAnnotations\":{},\"deviceCodeEnabled\":true,\"deviceCodeLabels\":{},\"firebaseMessagingAdditionalAnnotations\":{},\"firebaseMessagingEnabled\":true,\"firebaseMessagingLabels\":{},\"lockAdditionalAnnotations\":{},\"lockConfigAdditionalAnnotations\":{},\"lockConfigEnabled\":false,\"lockConfigLabels\":{},\"lockEnabled\":false,\"lockLabels\":{},\"openidAdditionalAnnotations\":{},\"openidConfigEnabled\":true,\"openidConfigLabels\":{},\"u2fAdditionalAnnotations\":{},\"u2fConfigEnabled\":true,\"u2fConfigLabels\":{},\"uma2AdditionalAnnotations\":{},\"uma2ConfigEnabled\":true,\"uma2ConfigLabels\":{},\"webdiscoveryAdditionalAnnotations\":{},\"webdiscoveryEnabled\":true,\"webdiscoveryLabels\":{},\"webfingerAdditionalAnnotations\":{},\"webfingerEnabled\":true,\"webfingerLabels\":{}},\"lockEnabled\":false},\"auth-server-key-rotation\":{\"customAnnotations\":{\"cronjob\":{},\"secret\":{},\"service\":{}},\"enabled\":true,\"initKeysLife\":48},\"awsStorageType\":\"io1\",\"azureStorageAccountType\":\"Standard_LRS\",\"azureStorageKind\":\"Managed\",\"casa\":{\"appLoggers\":{\"casaLogLevel\":\"INFO\",\"casaLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"timerLogLevel\":\"INFO\",\"timerLogTarget\":\"FILE\"},\"casaServiceName\":\"casa\",\"cnCustomJavaOptions\"
:\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"casaAdditionalAnnotations\":{},\"casaEnabled\":false,\"casaLabels\":{}}},\"cloud\":{\"testEnviroment\":false},\"cnAwsConfigFile\":\"/etc/jans/conf/aws_config_file\",\"cnAwsSecretsReplicaRegionsFile\":\"/etc/jans/conf/aws_secrets_replica_regions\",\"cnAwsSharedCredentialsFile\":\"/etc/jans/conf/aws_shared_credential_file\",\"cnConfiguratorConfigurationFile\":\"/etc/jans/conf/configuration.json\",\"cnConfiguratorCustomSchema\":{\"secretName\":\"\"},\"cnConfiguratorDumpFile\":\"/etc/jans/conf/configuration.out.json\",\"cnDocumentStoreType\":\"DB\",\"cnGoogleApplicationCredentials\":\"/etc/jans/conf/google-credentials.json\",\"cnObExtSigningAlias\":\"\",\"cnObExtSigningJwksCrt\":\"\",\"cnObExtSigningJwksKey\":\"\",\"cnObExtSigningJwksKeyPassPhrase\":\"\",\"cnObExtSigningJwksUri\":\"\",\"cnObStaticSigningKeyKid\":\"\",\"cnObTransportAlias\":\"\",\"cnObTransportCrt\":\"\",\"cnObTransportKey\":\"\",\"cnObTransportKeyPassPhrase\":\"\",\"cnObTransportTrustStore\":\"\",\"cnPersistenceType\":\"sql\",\"cnPrometheusPort\":\"\",\"cnSqlPasswordFile\":\"/etc/jans/conf/sql_password\",\"config\":{\"customAnnotations\":{\"clusterRoleBinding\":{},\"configMap\":{},\"job\":{},\"role\":{},\"roleBinding\":{},\"secret\":{},\"service\":{},\"serviceAccount\":{}},\"enabled\":true},\"config-api\":{\"adminUiAppLoggers\":{\"adminUiAuditLogLevel\":\"INFO\",\"adminUiAuditLogTarget\":\"FILE\",\"adminUiLogLevel\":\"INFO\",\"adminUiLogTarget\":\"FILE\",\"enableStdoutLogPrefix\":\"true\"},\"appLoggers\":{\"configApiLogLevel\":\"INFO\",\"configApiLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scri
ptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"configApiServerServiceName\":\"config-api\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"configApiAdditionalAnnotations\":{},\"configApiEnabled\":true,\"configApiLabels\":{}},\"plugins\":\"admin-ui,fido2,scim,user-mgt\"},\"configAdapterName\":\"kubernetes\",\"configSecretAdapter\":\"kubernetes\",\"distribution\":\"default\",\"fido2\":{\"appLoggers\":{\"enableStdoutLogPrefix\":\"true\",\"fido2LogLevel\":\"INFO\",\"fido2LogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"fido2ServiceName\":\"fido2\",\"ingress\":{\"fido2AdditionalAnnotations\":{},\"fido2ConfigAdditionalAnnotations\":{},\"fido2ConfigEnabled\":false,\"fido2ConfigLabels\":{},\"fido2Enabled\":false,\"fido2Labels\":{},\"fido2WebauthnAdditionalAnnotations\":{},\"fido2WebauthnEnabled\":false,\"fido2WebauthnLabels\":{}}},\"fqdn\":\"demoexample.gluu.org\",\"gcePdStorageType\":\"pd-standard\",\"isFqdnRegistered\":false,\"istio\":{\"additionalAnnotations\":{},\"additionalLabels\":{},\"enabled\":false,\"gateways\":[],\"ingress\":false,\"namespace\":\"istio-system\"},\"jobTtlSecondsAfterFinished\":300,\"kc-scheduler\":{\"enabled\":false},\"lbIp\":\"22.22.22.22\",\"link\":{\"appLoggers\":{\"enableStdoutLogPrefix\":\"true\",\"linkLogLevel\":\"INFO\",\"linkLogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenc
eLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"service\":{},\"virtualService\":{}},\"enabled\":false,\"ingress\":{\"linkAdditionalAnnotations\":{},\"linkEnabled\":true,\"linkLabels\":{}},\"linkServiceName\":\"link\"},\"nginx-ingress\":{\"enabled\":true},\"persistence\":{\"customAnnotations\":{\"job\":{},\"secret\":{},\"service\":{}},\"enabled\":true},\"saml\":{\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":false,\"ingress\":{\"samlAdditionalAnnotations\":{},\"samlEnabled\":false,\"samlLabels\":{}},\"samlServiceName\":\"saml\"},\"scim\":{\"appLoggers\":{\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scimLogLevel\":\"INFO\",\"scimLogTarget\":\"STDOUT\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"scimAdditionalAnnotations\":{},\"scimConfigAdditionalAnnotations\":{},\"scimConfigEnabled\":false,\"scimConfigLabels\":{},\"scimEnabled\":false,\"scimLabels\":{}},\"scimServiceName\":\"scim\"},\"serviceAccountName\":\"default\",\"storageClass\":{\"allowVolumeExpansion\":true,\"allowedTopologies\":[],\"mountOptions\":[\"debug\"],\"parameters\":{},\"provisioner\":\"microk8s.io/hostpath\",\"reclaimPolicy\":\"Retain\",\"volumeBindingMode\":\"WaitForFirstConsumer\"},\"usrEnvs\":{\"normal\":{},\"secret\":{}}} Parameters 
used globally across all services helm charts. global.admin-ui.adminUiServiceName string \"admin-ui\" Name of the admin-ui service. Please keep it as default. global.admin-ui.enabled bool true Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. global.admin-ui.ingress.adminUiAdditionalAnnotations object {} Admin UI ingress resource additional annotations. global.admin-ui.ingress.adminUiEnabled bool false Enable Admin UI endpoints in either istio or nginx ingress depending on users choice global.admin-ui.ingress.adminUiLabels object {} Admin UI ingress resource labels. key app is taken. global.alb.ingress bool false Activates ALB ingress global.auth-server-key-rotation.enabled bool true Boolean flag to enable/disable the auth-server-key rotation cronjob chart. global.auth-server-key-rotation.initKeysLife int 48 The initial auth server key rotation keys life in hours global.auth-server.appLoggers object {\"auditStatsLogLevel\":\"INFO\",\"auditStatsLogTarget\":\"FILE\",\"authLogLevel\":\"INFO\",\"authLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"httpLogLevel\":\"INFO\",\"httpLogTarget\":\"FILE\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.auth-server.appLoggers.auditStatsLogLevel string \"INFO\" jans-auth_audit.log level global.auth-server.appLoggers.auditStatsLogTarget string \"FILE\" jans-auth_script.log target global.auth-server.appLoggers.authLogLevel string \"INFO\" jans-auth.log level global.auth-server.appLoggers.authLogTarget string \"STDOUT\" jans-auth.log target global.auth-server.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO global.auth-server.appLoggers.httpLogLevel string \"INFO\" http_request_response.log level global.auth-server.appLoggers.httpLogTarget string \"FILE\" http_request_response.log target global.auth-server.appLoggers.persistenceDurationLogLevel string \"INFO\" jans-auth_persistence_duration.log level global.auth-server.appLoggers.persistenceDurationLogTarget string \"FILE\" jans-auth_persistence_duration.log target global.auth-server.appLoggers.persistenceLogLevel string \"INFO\" jans-auth_persistence.log level global.auth-server.appLoggers.persistenceLogTarget string \"FILE\" jans-auth_persistence.log target global.auth-server.appLoggers.scriptLogLevel string \"INFO\" jans-auth_script.log level global.auth-server.appLoggers.scriptLogTarget string \"FILE\" jans-auth_script.log target global.auth-server.authEncKeys string \"RSA1_5 RSA-OAEP\" space-separated key algorithm for encryption (default to RSA1_5 RSA-OAEP ) global.auth-server.authServerServiceName string \"auth-server\" Name of the auth-server service. Please keep it as default. global.auth-server.authSigKeys string \"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512\" space-separated key algorithm for signing (default to RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512 ) global.auth-server.cnCustomJavaOptions string \"\" passing custom java options to auth-server. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.auth-server.enabled bool true Boolean flag to enable/disable auth-server chart. You should never set this to false. 
global.auth-server.ingress object {\"authServerAdditionalAnnotations\":{},\"authServerEnabled\":true,\"authServerLabels\":{},\"authServerProtectedRegister\":false,\"authServerProtectedRegisterAdditionalAnnotations\":{},\"authServerProtectedRegisterLabels\":{},\"authServerProtectedToken\":false,\"authServerProtectedTokenAdditionalAnnotations\":{},\"authServerProtectedTokenLabels\":{},\"authzenAdditionalAnnotations\":{},\"authzenConfigEnabled\":true,\"authzenConfigLabels\":{},\"deviceCodeAdditionalAnnotations\":{},\"deviceCodeEnabled\":true,\"deviceCodeLabels\":{},\"firebaseMessagingAdditionalAnnotations\":{},\"firebaseMessagingEnabled\":true,\"firebaseMessagingLabels\":{},\"lockAdditionalAnnotations\":{},\"lockConfigAdditionalAnnotations\":{},\"lockConfigEnabled\":false,\"lockConfigLabels\":{},\"lockEnabled\":false,\"lockLabels\":{},\"openidAdditionalAnnotations\":{},\"openidConfigEnabled\":true,\"openidConfigLabels\":{},\"u2fAdditionalAnnotations\":{},\"u2fConfigEnabled\":true,\"u2fConfigLabels\":{},\"uma2AdditionalAnnotations\":{},\"uma2ConfigEnabled\":true,\"uma2ConfigLabels\":{},\"webdiscoveryAdditionalAnnotations\":{},\"webdiscoveryEnabled\":true,\"webdiscoveryLabels\":{},\"webfingerAdditionalAnnotations\":{},\"webfingerEnabled\":true,\"webfingerLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.auth-server.ingress.authServerAdditionalAnnotations object {} Auth server ingress resource additional annotations. global.auth-server.ingress.authServerEnabled bool true Enable Auth server endpoints /jans-auth global.auth-server.ingress.authServerLabels object {} Auth server ingress resource labels. key app is taken global.auth-server.ingress.authServerProtectedRegister bool false Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. 
global.auth-server.ingress.authServerProtectedRegisterAdditionalAnnotations object {} Auth server protected register ingress resource additional annotations. global.auth-server.ingress.authServerProtectedRegisterLabels object {} Auth server protected token ingress resource labels. key app is taken global.auth-server.ingress.authServerProtectedToken bool false Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. global.auth-server.ingress.authServerProtectedTokenAdditionalAnnotations object {} Auth server protected token ingress resource additional annotations. global.auth-server.ingress.authServerProtectedTokenLabels object {} Auth server protected token ingress resource labels. key app is taken global.auth-server.ingress.authzenAdditionalAnnotations object {} authzen config ingress resource additional annotations. global.auth-server.ingress.authzenConfigEnabled bool true Enable endpoint /.well-known/authzen-configuration global.auth-server.ingress.authzenConfigLabels object {} authzen config ingress resource labels. key app is taken global.auth-server.ingress.deviceCodeAdditionalAnnotations object {} device-code ingress resource additional annotations. global.auth-server.ingress.deviceCodeEnabled bool true Enable endpoint /device-code global.auth-server.ingress.deviceCodeLabels object {} device-code ingress resource labels. key app is taken global.auth-server.ingress.firebaseMessagingAdditionalAnnotations object {} Firebase Messaging ingress resource additional annotations. global.auth-server.ingress.firebaseMessagingEnabled bool true Enable endpoint /firebase-messaging-sw.js global.auth-server.ingress.firebaseMessagingLabels object {} Firebase Messaging ingress resource labels. key app is taken global.auth-server.ingress.lockAdditionalAnnotations object {} Lock ingress resource additional annotations. global.auth-server.ingress.lockConfigAdditionalAnnotations object {} Lock config ingress resource additional annotations. 
global.auth-server.ingress.lockConfigEnabled bool false Enable endpoint /.well-known/lock-server-configuration global.auth-server.ingress.lockConfigLabels object {} Lock config ingress resource labels. key app is taken global.auth-server.ingress.lockEnabled bool false Enable endpoint /jans-lock global.auth-server.ingress.lockLabels object {} Lock ingress resource labels. key app is taken global.auth-server.ingress.openidAdditionalAnnotations object {} openid-configuration ingress resource additional annotations. global.auth-server.ingress.openidConfigEnabled bool true Enable endpoint /.well-known/openid-configuration global.auth-server.ingress.openidConfigLabels object {} openid-configuration ingress resource labels. key app is taken global.auth-server.ingress.u2fAdditionalAnnotations object {} u2f config ingress resource additional annotations. global.auth-server.ingress.u2fConfigEnabled bool true Enable endpoint /.well-known/fido-configuration global.auth-server.ingress.u2fConfigLabels object {} u2f config ingress resource labels. key app is taken global.auth-server.ingress.uma2AdditionalAnnotations object {} uma2 config ingress resource additional annotations. global.auth-server.ingress.uma2ConfigEnabled bool true Enable endpoint /.well-known/uma2-configuration global.auth-server.ingress.uma2ConfigLabels object {} uma2 config ingress resource labels. key app is taken global.auth-server.ingress.webdiscoveryAdditionalAnnotations object {} webdiscovery ingress resource additional annotations. global.auth-server.ingress.webdiscoveryEnabled bool true Enable endpoint /.well-known/simple-web-discovery global.auth-server.ingress.webdiscoveryLabels object {} webdiscovery ingress resource labels. key app is taken global.auth-server.ingress.webfingerAdditionalAnnotations object {} webfinger ingress resource additional annotations. 
global.auth-server.ingress.webfingerEnabled bool true Enable endpoint /.well-known/webfinger global.auth-server.ingress.webfingerLabels object {} webfinger ingress resource labels. key app is taken global.auth-server.lockEnabled bool false Enable jans-lock as service running inside auth-server global.awsStorageType string \"io1\" Volume storage type if using AWS volumes. global.azureStorageAccountType string \"Standard_LRS\" Volume storage type if using Azure disks. global.azureStorageKind string \"Managed\" Azure storage kind if using Azure disks global.casa.appLoggers object {\"casaLogLevel\":\"INFO\",\"casaLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"timerLogLevel\":\"INFO\",\"timerLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.casa.appLoggers.casaLogLevel string \"INFO\" casa.log level global.casa.appLoggers.casaLogTarget string \"STDOUT\" casa.log target global.casa.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO global.casa.appLoggers.timerLogLevel string \"INFO\" casa timer log level global.casa.appLoggers.timerLogTarget string \"FILE\" casa timer log target global.casa.casaServiceName string \"casa\" Name of the casa service. Please keep it as default. global.casa.cnCustomJavaOptions string \"\" passing custom java options to casa. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.casa.enabled bool true Boolean flag to enable/disable the casa chart. 
global.casa.ingress object {\"casaAdditionalAnnotations\":{},\"casaEnabled\":false,\"casaLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.casa.ingress.casaAdditionalAnnotations object {} Casa ingress resource additional annotations. global.casa.ingress.casaEnabled bool false Enable casa endpoints /casa global.casa.ingress.casaLabels object {} Casa ingress resource labels. key app is taken global.cloud.testEnviroment bool false Boolean flag if enabled will strip resources requests and limits from all services. global.cnConfiguratorConfigurationFile string \"/etc/jans/conf/configuration.json\" Path to configuration schema file global.cnConfiguratorCustomSchema object {\"secretName\":\"\"} Use custom configuration schema in existing secrets. Note, the secrets has to contain the key configuration.json or any basename as specified in cnConfiguratorConfigurationFile. global.cnConfiguratorCustomSchema.secretName string \"\" The name of the secrets used for storing custom configuration schema. global.cnConfiguratorDumpFile string \"/etc/jans/conf/configuration.out.json\" Path to dumped configuration schema file global.cnDocumentStoreType string \"DB\" Document store type to use for shibboleth files DB. global.cnGoogleApplicationCredentials string \"/etc/jans/conf/google-credentials.json\" Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets. Leave as this is a sensible default. global.cnObExtSigningAlias string \"\" Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G global.cnObExtSigningJwksCrt string \"\" Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when .global.cnObExtSigningJwksUri is set. global.cnObExtSigningJwksKey string \"\" Open banking external signing jwks AS key string. 
Used in SSA Validation. This must be encoded using base64. Used when .global.cnObExtSigningJwksUri is set. global.cnObExtSigningJwksKeyPassPhrase string \"\" Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when .global.cnObExtSigningJwksUri is set. global.cnObExtSigningJwksUri string \"\" Open banking external signing jwks uri. Used in SSA Validation. global.cnObStaticSigningKeyKid string \"\" Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G global.cnObTransportAlias string \"\" Open banking transport Alias used inside the JVM. global.cnObTransportCrt string \"\" Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. global.cnObTransportKey string \"\" Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. global.cnObTransportKeyPassPhrase string \"\" Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. global.cnObTransportTrustStore string \"\" Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. global.cnPersistenceType string \"sql\" Persistence backend to run Gluu with hybrid global.cnPrometheusPort string \"\" Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. 
global.cnSqlPasswordFile string \"/etc/jans/conf/sql_password\" Path to SQL password file global.config-api.adminUiAppLoggers.adminUiAuditLogLevel string \"INFO\" config-api admin-ui plugin audit log level global.config-api.adminUiAppLoggers.adminUiAuditLogTarget string \"FILE\" config-api admin-ui plugin audit log target global.config-api.adminUiAppLoggers.adminUiLogLevel string \"INFO\" config-api admin-ui plugin log target global.config-api.adminUiAppLoggers.adminUiLogTarget string \"FILE\" config-api admin-ui plugin log level global.config-api.adminUiAppLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO global.config-api.appLoggers object {\"configApiLogLevel\":\"INFO\",\"configApiLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.config-api.appLoggers.configApiLogLevel string \"INFO\" configapi.log level global.config-api.appLoggers.configApiLogTarget string \"STDOUT\" configapi.log target global.config-api.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO global.config-api.appLoggers.persistenceDurationLogLevel string \"INFO\" config-api_persistence_duration.log level global.config-api.appLoggers.persistenceDurationLogTarget string \"FILE\" config-api_persistence_duration.log target global.config-api.appLoggers.persistenceLogLevel string \"INFO\" config-api_persistence.log level global.config-api.appLoggers.persistenceLogTarget string \"FILE\" config-api_persistence.log target global.config-api.appLoggers.scriptLogLevel string \"INFO\" config-api_script.log level global.config-api.appLoggers.scriptLogTarget string \"FILE\" config-api_script.log target global.config-api.cnCustomJavaOptions string \"\" passing custom java options to config-api. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.config-api.configApiServerServiceName string \"config-api\" Name of the config-api service. Please keep it as default. global.config-api.enabled bool true Boolean flag to enable/disable the config-api chart. global.config-api.ingress object {\"configApiAdditionalAnnotations\":{},\"configApiEnabled\":true,\"configApiLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.config-api.ingress.configApiAdditionalAnnotations object {} ConfigAPI ingress resource additional annotations. global.config-api.ingress.configApiLabels object {} configAPI ingress resource labels. key app is taken global.config-api.plugins string \"admin-ui,fido2,scim,user-mgt\" Comma-separated values of enabled plugins (supported plugins are \"admin-ui\",\"fido2\",\"scim\",\"user-mgt\",\"jans-link\",\"kc-saml\") global.config.enabled bool true Boolean flag to enable/disable the configuration chart. This normally should never be false global.configAdapterName string \"kubernetes\" The config backend adapter that will hold Gluu configuration layer. 
aws global.configSecretAdapter string \"kubernetes\" The config backend adapter that will hold Gluu secret layer. vault global.distribution string \"default\" Gluu distributions supported are: default global.fido2.appLoggers object {\"enableStdoutLogPrefix\":\"true\",\"fido2LogLevel\":\"INFO\",\"fido2LogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.fido2.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO global.fido2.appLoggers.fido2LogLevel string \"INFO\" fido2.log level global.fido2.appLoggers.fido2LogTarget string \"STDOUT\" fido2.log target global.fido2.appLoggers.persistenceDurationLogLevel string \"INFO\" fido2_persistence_duration.log level global.fido2.appLoggers.persistenceDurationLogTarget string \"FILE\" fido2_persistence_duration.log target global.fido2.appLoggers.persistenceLogLevel string \"INFO\" fido2_persistence.log level global.fido2.appLoggers.persistenceLogTarget string \"FILE\" fido2_persistence.log target global.fido2.appLoggers.scriptLogLevel string \"INFO\" fido2_script.log level global.fido2.appLoggers.scriptLogTarget string \"FILE\" fido2_script.log target global.fido2.cnCustomJavaOptions string \"\" passing custom java options to fido2. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.fido2.enabled bool true Boolean flag to enable/disable the fido2 chart. global.fido2.fido2ServiceName string \"fido2\" Name of the fido2 service. Please keep it as default. 
global.fido2.ingress object {\"fido2AdditionalAnnotations\":{},\"fido2ConfigAdditionalAnnotations\":{},\"fido2ConfigEnabled\":false,\"fido2ConfigLabels\":{},\"fido2Enabled\":false,\"fido2Labels\":{},\"fido2WebauthnAdditionalAnnotations\":{},\"fido2WebauthnEnabled\":false,\"fido2WebauthnLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.fido2.ingress.fido2AdditionalAnnotations object {} fido2 ingress resource additional annotations. global.fido2.ingress.fido2ConfigAdditionalAnnotations object {} fido2 config ingress resource additional annotations. global.fido2.ingress.fido2ConfigEnabled bool false Enable endpoint /.well-known/fido2-configuration global.fido2.ingress.fido2ConfigLabels object {} fido2 config ingress resource labels. key app is taken global.fido2.ingress.fido2Enabled bool false Enable endpoint /jans-fido2 global.fido2.ingress.fido2Labels object {} fido2 ingress resource labels. key app is taken global.fido2.ingress.fido2WebauthnAdditionalAnnotations object {} fido2 webauthn ingress resource additional annotations. global.fido2.ingress.fido2WebauthnEnabled bool false Enable endpoint /.well-known/webauthn global.fido2.ingress.fido2WebauthnLabels object {} fido2 webauthn ingress resource labels. key app is taken global.fqdn string \"demoexample.gluu.org\" Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. global.gcePdStorageType string \"pd-standard\" GCE storage kind if using Google disks global.isFqdnRegistered bool false Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. 
global.istio.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of global.istio.additionalLabels object {} Additional labels that will be added across the gateway in the format of global.istio.enabled bool false Boolean flag that enables using istio side-cars with Gluu services. global.istio.gateways list [] Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. global.istio.ingress bool false Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. global.istio.namespace string \"istio-system\" The namespace istio is deployed in. The is normally istio-system. global.jobTtlSecondsAfterFinished int 300 https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ global.kc-scheduler.enabled bool false Boolean flag to enable/disable the kc-scheduler cronjob chart. global.lbIp string \"22.22.22.22\" The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if global.fqdn is globally resolvable. global.link.appLoggers object {\"enableStdoutLogPrefix\":\"true\",\"linkLogLevel\":\"INFO\",\"linkLogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.link.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e link-persistence ===> 2022-12-20 17:49:55,744 INFO global.link.appLoggers.linkLogLevel string \"INFO\" cacherefresh.log level global.link.appLoggers.linkLogTarget string \"STDOUT\" cacherefresh.log target global.link.appLoggers.persistenceDurationLogLevel string \"INFO\" cacherefresh_persistence_duration.log level global.link.appLoggers.persistenceDurationLogTarget string \"FILE\" cacherefresh_persistence_duration.log target global.link.appLoggers.persistenceLogLevel string \"INFO\" cacherefresh_persistence.log level global.link.appLoggers.persistenceLogTarget string \"FILE\" cacherefresh_persistence.log target global.link.appLoggers.scriptLogLevel string \"INFO\" cacherefresh_script.log level global.link.appLoggers.scriptLogTarget string \"FILE\" cacherefresh_script.log target global.link.cnCustomJavaOptions string \"\" passing custom java options to link. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.link.customAnnotations object {\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"service\":{},\"virtualService\":{}} Add custom annotations for kubernetes resources for the service global.link.enabled bool false Boolean flag to enable/disable the link chart. global.link.ingress object {\"linkAdditionalAnnotations\":{},\"linkEnabled\":true,\"linkLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.link.ingress.linkAdditionalAnnotations object {} link ingress resource additional annotations. global.link.ingress.linkLabels object {} link ingress resource labels. key app is taken global.link.linkServiceName string \"link\" Name of the link service. Please keep it as default. global.nginx-ingress.enabled bool true Boolean flag to enable/disable the nginx-ingress definitions chart. global.persistence.enabled bool true Boolean flag to enable/disable the persistence chart. 
global.saml.cnCustomJavaOptions string \"\" passing custom java options to saml. DO NOT PASS JAVA_OPTIONS in envs. global.saml.enabled bool false Boolean flag to enable/disable the saml chart. global.saml.ingress object {\"samlAdditionalAnnotations\":{},\"samlEnabled\":false,\"samlLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.saml.ingress.samlAdditionalAnnotations object {} SAML ingress resource additional annotations. global.saml.ingress.samlLabels object {} SAML ingress resource labels. key app is taken global.saml.samlServiceName string \"saml\" Name of the saml service. Please keep it as default. global.scim.appLoggers object {\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scimLogLevel\":\"INFO\",\"scimLogTarget\":\"STDOUT\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.scim.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO global.scim.appLoggers.persistenceDurationLogLevel string \"INFO\" jans-scim_persistence_duration.log level global.scim.appLoggers.persistenceDurationLogTarget string \"FILE\" jans-scim_persistence_duration.log target global.scim.appLoggers.persistenceLogLevel string \"INFO\" jans-scim_persistence.log level global.scim.appLoggers.persistenceLogTarget string \"FILE\" jans-scim_persistence.log target global.scim.appLoggers.scimLogLevel string \"INFO\" jans-scim.log level global.scim.appLoggers.scimLogTarget string \"STDOUT\" jans-scim.log target global.scim.appLoggers.scriptLogLevel string \"INFO\" jans-scim_script.log level global.scim.appLoggers.scriptLogTarget string \"FILE\" jans-scim_script.log target global.scim.cnCustomJavaOptions string \"\" passing custom java options to scim. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.scim.enabled bool true Boolean flag to enable/disable the SCIM chart. global.scim.ingress object {\"scimAdditionalAnnotations\":{},\"scimConfigAdditionalAnnotations\":{},\"scimConfigEnabled\":false,\"scimConfigLabels\":{},\"scimEnabled\":false,\"scimLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.scim.ingress.scimAdditionalAnnotations object {} SCIM ingress resource additional annotations. global.scim.ingress.scimConfigAdditionalAnnotations object {} SCIM config ingress resource additional annotations. global.scim.ingress.scimConfigEnabled bool false Enable endpoint /.well-known/scim-configuration global.scim.ingress.scimConfigLabels object {} SCIM config ingress resource labels. key app is taken global.scim.ingress.scimEnabled bool false Enable SCIM endpoints /jans-scim global.scim.ingress.scimLabels object {} SCIM ingress resource labels. key app is taken global.scim.scimServiceName string \"scim\" Name of the scim service. Please keep it as default. 
global.serviceAccountName string \"default\" service account used by Kubernetes resources global.storageClass object {\"allowVolumeExpansion\":true,\"allowedTopologies\":[],\"mountOptions\":[\"debug\"],\"parameters\":{},\"provisioner\":\"microk8s.io/hostpath\",\"reclaimPolicy\":\"Retain\",\"volumeBindingMode\":\"WaitForFirstConsumer\"} StorageClass section. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. global.storageClass.parameters object {} parameters: fsType: \"\" kind: \"\" pool: \"\" storageAccountType: \"\" type: \"\" global.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services global.usrEnvs.normal object {} Add custom normal envs to the service. variable1: value1 global.usrEnvs.secret object {} Add custom secret envs to the service. variable1: value1 installer-settings object {\"acceptLicense\":\"\",\"aws\":{\"arn\":{\"arnAcmCert\":\"\",\"enabled\":\"\"},\"lbType\":\"\",\"vpcCidr\":\"0.0.0.0/0\"},\"confirmSettings\":false,\"currentVersion\":\"\",\"google\":{\"useSecretManager\":\"\"},\"images\":{\"edit\":\"\"},\"namespace\":\"\",\"nginxIngress\":{\"namespace\":\"\",\"releaseName\":\"\"},\"nodes\":{\"ips\":\"\",\"names\":\"\",\"zones\":\"\"},\"openbanking\":{\"cnObTransportTrustStoreP12password\":\"\",\"hasCnObTransportTrustStore\":false},\"postgres\":{\"install\":\"\",\"namespace\":\"\"},\"redis\":{\"install\":\"\",\"namespace\":\"\"},\"releaseName\":\"\",\"sql\":{\"install\":\"\",\"namespace\":\"\"},\"volumeProvisionStrategy\":\"\"} Only used by the installer. 
These settings do not affect nor are used by the chart kc-scheduler object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/kc-scheduler\",\"tag\":\"0.0.0-nightly\"},\"interval\":10,\"lifecycle\":{},\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Responsible for synchronizing Keycloak SAML clients kc-scheduler.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of kc-scheduler.additionalLabels object {} Additional labels that will be added across the gateway in the format of kc-scheduler.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. kc-scheduler.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh kc-scheduler.dnsConfig object {} Add custom dns config kc-scheduler.dnsPolicy string \"\" Add custom dns policy kc-scheduler.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. kc-scheduler.image.pullSecrets list [] Image Pull Secrets kc-scheduler.image.repository string \"ghcr.io/janssenproject/jans/kc-scheduler\" Image to use for deploying. kc-scheduler.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. kc-scheduler.interval int 10 Interval of running the scheduler (in minutes) kc-scheduler.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. kc-scheduler.resources.limits.cpu string \"300m\" CPU limit. kc-scheduler.resources.limits.memory string \"300Mi\" Memory limit. 
kc-scheduler.resources.requests.cpu string \"300m\" CPU request. kc-scheduler.resources.requests.memory string \"300Mi\" Memory request. kc-scheduler.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service kc-scheduler.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 kc-scheduler.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 kc-scheduler.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers kc-scheduler.volumes list [] Configure any additional volumes that need to be attached to the pod link object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/link\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Link. link.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of link.additionalLabels object {} Additional labels that will be added across the gateway in the format of link.customCommand list [] Add custom pod's command. 
If passed, it will override the default conditional command. link.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh link.dnsConfig object {} Add custom dns config link.dnsPolicy string \"\" Add custom dns policy link.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler link.hpa.behavior object {} Scaling Policies link.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set link.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. link.image.pullSecrets list [] Image Pull Secrets link.image.repository string \"ghcr.io/janssenproject/jans/link\" Image to use for deploying. link.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. link.livenessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. link.livenessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http liveness probe endpoint link.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget link.readinessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http readiness probe endpoint link.replicas int 1 Service replica number. link.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}} Resource specs. link.resources.limits.cpu string \"500m\" CPU limit. link.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. link.resources.requests.cpu string \"500m\" CPU request. 
link.resources.requests.memory string \"1200Mi\" Memory request. link.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ link.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service link.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 link.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 link.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers link.volumes list [] Configure any additional volumes that need to be attached to the pod nginx-ingress object {\"certManager\":{\"certificate\":{\"enabled\":false,\"issuerGroup\":\"cert-manager.io\",\"issuerKind\":\"ClusterIssuer\",\"issuerName\":\"\"}},\"ingress\":{\"additionalAnnotations\":{},\"additionalLabels\":{},\"hosts\":[\"demoexample.gluu.org\"],\"ingressClassName\":\"nginx\",\"path\":\"/\",\"tls\":[{\"hosts\":[\"demoexample.gluu.org\"],\"secretName\":\"tls-certificate\"}]}} Nginx ingress definitions chart nginx-ingress.ingress.additionalAnnotations object {} Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: \"optional\" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: \"gluu/tls-certificate\" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: \"1\" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: \"true\" nginx-ingress.ingress.additionalLabels object {} Additional labels that will be added across all ingress definitions in the format of 
nginx-ingress.ingress.tls list [{\"hosts\":[\"demoexample.gluu.org\"],\"secretName\":\"tls-certificate\"}] Secrets holding HTTPS CA cert and key. persistence object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/persistence-loader\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Job to generate data and initial config for Gluu Server persistence layer. persistence.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of persistence.additionalLabels object {} Additional labels that will be added across the gateway in the format of persistence.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. persistence.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh persistence.dnsConfig object {} Add custom dns config persistence.dnsPolicy string \"\" Add custom dns policy persistence.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. persistence.image.pullSecrets list [] Image Pull Secrets persistence.image.repository string \"ghcr.io/janssenproject/jans/persistence-loader\" Image to use for deploying. persistence.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. persistence.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. persistence.resources.limits.cpu string \"300m\" CPU limit persistence.resources.limits.memory string \"300Mi\" Memory limit. 
persistence.resources.requests.cpu string \"300m\" CPU request. persistence.resources.requests.memory string \"300Mi\" Memory request. persistence.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service persistence.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 persistence.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 persistence.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers persistence.volumes list [] Configure any additional volumes that need to be attached to the pod saml object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/saml\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"failureThreshold\":10,\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"failureThreshold\":10,\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} SAML. 
saml.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of saml.additionalLabels object {} Additional labels that will be added across the gateway in the format of saml.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. saml.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh saml.dnsConfig object {} Add custom dns config saml.dnsPolicy string \"\" Add custom dns policy saml.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler saml.hpa.behavior object {} Scaling Policies saml.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set saml.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. saml.image.pullSecrets list [] Image Pull Secrets saml.image.repository string \"ghcr.io/janssenproject/jans/saml\" Image to use for deploying. saml.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. saml.livenessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"failureThreshold\":10,\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. saml.livenessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http liveness probe endpoint saml.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget saml.readinessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http readiness probe endpoint saml.replicas int 1 Service replica number. saml.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}} Resource specs. 
saml.resources.limits.cpu string \"500m\" CPU limit. saml.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. saml.resources.requests.cpu string \"500m\" CPU request. saml.resources.requests.memory string \"1200Mi\" Memory request. saml.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ saml.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service saml.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 saml.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 saml.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers saml.volumes list [] Configure any additional volumes that need to be attached to the pod scim object 
{\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/scim\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"}},\"service\":{\"name\":\"http-scim\",\"port\":8080},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} System for Cross-domain Identity Management (SCIM) version 2.0 scim.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of scim.additionalLabels object {} Additional labels that will be added across the gateway in the format of scim.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. scim.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh scim.dnsConfig object {} Add custom dns config scim.dnsPolicy string \"\" Add custom dns policy scim.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler scim.hpa.behavior object {} Scaling Policies scim.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set scim.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. scim.image.pullSecrets list [] Image Pull Secrets scim.image.repository string \"ghcr.io/janssenproject/jans/scim\" Image to use for deploying. scim.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. scim.livenessProbe object {\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for SCIM if needed. scim.livenessProbe.httpGet.path string \"/jans-scim/sys/health-check\" http liveness probe endpoint scim.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget scim.readinessProbe object {\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the readiness healthcheck for the SCIM if needed. scim.readinessProbe.httpGet.path string \"/jans-scim/sys/health-check\" http readiness probe endpoint scim.replicas int 1 Service replica number. scim.resources.limits.cpu string \"1000m\" CPU limit. scim.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. scim.resources.requests.cpu string \"1000m\" CPU request. scim.resources.requests.memory string \"1200Mi\" Memory request. scim.service.name string \"http-scim\" The name of the scim port within the scim service. 
Please keep it as default. scim.service.port int 8080 Port of the scim service. Please keep it as default. scim.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ scim.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service scim.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 scim.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 scim.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers scim.volumes list [] Configure any additional volumes that need to be attached to the pod","title":"Flex Helm Chart"},{"location":"reference/kubernetes/helm-chart/#gluu","text":"Gluu Access and Identity Management Homepage: https://www.gluu.org","title":"gluu"},{"location":"reference/kubernetes/helm-chart/#maintainers","text":"Name Email Url moabu team@gluu.org","title":"Maintainers"},{"location":"reference/kubernetes/helm-chart/#source-code","text":"https://docs.gluu.org","title":"Source Code"},{"location":"reference/kubernetes/helm-chart/#requirements","text":"Kubernetes: >=v1.21.0-0 Repository Name Version admin-ui 5.2.0 auth-server 1.2.0 auth-server-key-rotation 1.2.0 casa 1.2.0 cn-istio-ingress 1.2.0 config 1.2.0 config-api 1.2.0 fido2 1.2.0 kc-scheduler 1.2.0 link 1.2.0 nginx-ingress 1.2.0 persistence 1.2.0 saml 1.2.0 scim 1.2.0","title":"Requirements"},{"location":"reference/kubernetes/helm-chart/#values","text":"Key Type Default Description admin-ui object 
{\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/gluufederation/flex/admin-ui\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"},\"requests\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Admin GUI for configuration of the auth-server admin-ui.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of admin-ui.additionalLabels object {} Additional labels that will be added across the gateway in the format of admin-ui.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. admin-ui.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh admin-ui.dnsConfig object {} Add custom dns config admin-ui.dnsPolicy string \"\" Add custom dns policy admin-ui.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler admin-ui.hpa.behavior object {} Scaling Policies admin-ui.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set admin-ui.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. admin-ui.image.pullSecrets list [] Image Pull Secrets admin-ui.image.repository string \"ghcr.io/gluufederation/flex/admin-ui\" Image to use for deploying. admin-ui.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. admin-ui.livenessProbe object {\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5} Configure the liveness healthcheck for the admin ui if needed. admin-ui.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget admin-ui.readinessProbe object {\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5} Configure the readiness healthcheck for the admin ui if needed. admin-ui.replicas int 1 Service replica number. admin-ui.resources object {\"limits\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"},\"requests\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"}} Resource specs. admin-ui.resources.limits.cpu string \"2000m\" CPU limit. admin-ui.resources.limits.memory string \"2000Mi\" Memory limit. admin-ui.resources.requests.cpu string \"2000m\" CPU request. admin-ui.resources.requests.memory string \"2000Mi\" Memory request. admin-ui.topologySpreadConstraints object {} Configure the topology spread constraints. 
Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ admin-ui.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service admin-ui.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 admin-ui.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 admin-ui.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers admin-ui.volumes list [] Configure any additional volumes that need to be attached to the pod auth-server object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/auth-server\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"},\"requests\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. 
auth-server-key-rotation object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/certmanager\",\"tag\":\"0.0.0-nightly\"},\"keysLife\":48,\"keysPushDelay\":0,\"keysPushStrategy\":\"NEWER\",\"keysStrategy\":\"NEWER\",\"lifecycle\":{},\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Responsible for regenerating auth-keys per x hours auth-server-key-rotation.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of auth-server-key-rotation.additionalLabels object {} Additional labels that will be added across the gateway in the format of auth-server-key-rotation.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. auth-server-key-rotation.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh auth-server-key-rotation.dnsConfig object {} Add custom dns config auth-server-key-rotation.dnsPolicy string \"\" Add custom dns policy auth-server-key-rotation.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. auth-server-key-rotation.image.pullSecrets list [] Image Pull Secrets auth-server-key-rotation.image.repository string \"ghcr.io/janssenproject/jans/certmanager\" Image to use for deploying. auth-server-key-rotation.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. 
auth-server-key-rotation.keysLife int 48 Auth server key rotation keys life in hours auth-server-key-rotation.keysPushDelay int 0 Delay (in seconds) before pushing private keys to Auth server auth-server-key-rotation.keysPushStrategy string \"NEWER\" Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) auth-server-key-rotation.keysStrategy string \"NEWER\" Set key selection strategy used by Auth server auth-server-key-rotation.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. auth-server-key-rotation.resources.limits.cpu string \"300m\" CPU limit. auth-server-key-rotation.resources.limits.memory string \"300Mi\" Memory limit. auth-server-key-rotation.resources.requests.cpu string \"300m\" CPU request. auth-server-key-rotation.resources.requests.memory string \"300Mi\" Memory request. auth-server-key-rotation.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service auth-server-key-rotation.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 auth-server-key-rotation.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 auth-server-key-rotation.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers auth-server-key-rotation.volumes list [] Configure any additional volumes that need to be attached to the pod auth-server.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of auth-server.additionalLabels object {} Additional labels that will be added across the gateway in the format of auth-server.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. auth-server.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh auth-server.dnsConfig object {} Add custom dns config auth-server.dnsPolicy string \"\" Add custom dns policy auth-server.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler auth-server.hpa.behavior object {} Scaling Policies auth-server.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set auth-server.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. auth-server.image.pullSecrets list [] Image Pull Secrets auth-server.image.repository string \"ghcr.io/janssenproject/jans/auth-server\" Image to use for deploying. auth-server.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. auth-server.livenessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. auth-server.livenessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py auth-server.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget auth-server.readinessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py auth-server.replicas int 1 Service replica number. auth-server.resources object {\"limits\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"},\"requests\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"}} Resource specs. auth-server.resources.limits.cpu string \"2500m\" CPU limit. 
auth-server.resources.limits.memory string \"2500Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. auth-server.resources.requests.cpu string \"2500m\" CPU request. auth-server.resources.requests.memory string \"2500Mi\" Memory request. auth-server.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ auth-server.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service auth-server.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 auth-server.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 auth-server.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers auth-server.volumes list [] Configure any additional volumes that need to be attached to the pod casa object 
{\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/casa\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Janssen Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Auth Server. casa.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of casa.additionalLabels object {} Additional labels that will be added across the gateway in the format of casa.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. casa.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh casa.dnsConfig object {} Add custom dns config casa.dnsPolicy string \"\" Add custom dns policy casa.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler casa.hpa.behavior object {} Scaling Policies casa.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set casa.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. casa.image.pullSecrets list [] Image Pull Secrets casa.image.repository string \"ghcr.io/janssenproject/jans/casa\" Image to use for deploying. casa.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. casa.livenessProbe object {\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the liveness healthcheck for casa if needed. casa.livenessProbe.httpGet.path string \"/jans-casa/health-check\" http liveness probe endpoint casa.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget casa.readinessProbe object {\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the readiness healthcheck for the casa if needed. casa.readinessProbe.httpGet.path string \"/jans-casa/health-check\" http readiness probe endpoint casa.replicas int 1 Service replica number. casa.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}} Resource specs. casa.resources.limits.cpu string \"500m\" CPU limit. casa.resources.limits.memory string \"500Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. casa.resources.requests.cpu string \"500m\" CPU request. 
casa.resources.requests.memory string \"500Mi\" Memory request. casa.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ casa.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service casa.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 casa.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 casa.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers casa.volumes list [] Configure any additional volumes that need to be attached to the pod config object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"adminPassword\":\"Test1234#\",\"city\":\"Austin\",\"configmap\":{\"cnAwsAccessKeyId\":\"\",\"cnAwsDefaultRegion\":\"us-west-1\",\"cnAwsProfile\":\"gluu\",\"cnAwsSecretAccessKey\":\"\",\"cnAwsSecretsEndpointUrl\":\"\",\"cnAwsSecretsNamePrefix\":\"gluu\",\"cnAwsSecretsReplicaRegions\":[],\"cnCacheType\":\"NATIVE_PERSISTENCE\",\"cnConfigKubernetesConfigMap\":\"cn\",\"cnGoogleProjectId\":\"google-project-to-save-config-and-secrets-to\",\"cnGoogleSecretManagerServiceAccount\":\"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=\",\"cnGoogleSecretNamePrefix\":\"gluu\",\"cnGoogleSecretVersionId\":\"latest\",\"cnJettyRequestHeaderSize\":8192,\"cnMaxRamPercent\":\"75.0\",\"cnMessageType\":\"DISABLED\",\"cnOpaUrl\":\"http://opa.opa.svc.cluster.cluster.local:8181/v1\",\"cnPersistenceHybridMapping\":\"{}\",\"cnRedisSentinelGroup\":\"\",\"cnRedisSslTruststore\":\"\",\"cnRedisType\":\"STANDALONE\",\"cnRedisUrl\":\"redis.redis.svc.cluster.local:6379\",\"cnRedisUseSsl\":false,\"cnScimProtectionMode\":\"OAUTH\",\"cnSecretKubernetesSecret\":\"cn\",\"cnSqlDbDialect\":\"mysql\",\"cnSqlDbHost\":\"my-release-mysql.default.svc.cluster.local\",\"cnSqlDbName\":\"gluu\",\"cnSqlDbPor
t\":3306,\"cnSqlDbSchema\":\"\",\"cnSqlDbTimezone\":\"UTC\",\"cnSqlDbUser\":\"gluu\",\"cnSqldbUserPassword\":\"Test1234#\",\"cnVaultAddr\":\"http://localhost:8200\",\"cnVaultAppRolePath\":\"approle\",\"cnVaultKvPath\":\"secret\",\"cnVaultNamespace\":\"\",\"cnVaultPrefix\":\"jans\",\"cnVaultRoleId\":\"\",\"cnVaultRoleIdFile\":\"/etc/certs/vault_role_id\",\"cnVaultSecretId\":\"\",\"cnVaultSecretIdFile\":\"/etc/certs/vault_secret_id\",\"cnVaultVerify\":false,\"kcAdminPassword\":\"Test1234#\",\"kcAdminUsername\":\"admin\",\"kcDbPassword\":\"Test1234#\",\"kcDbSchema\":\"keycloak\",\"kcDbUrlDatabase\":\"keycloak\",\"kcDbUrlHost\":\"mysql.kc.svc.cluster.local\",\"kcDbUrlPort\":3306,\"kcDbUrlProperties\":\"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4\",\"kcDbUsername\":\"keycloak\",\"kcDbVendor\":\"mysql\",\"kcLogLevel\":\"INFO\",\"lbAddr\":\"\",\"quarkusTransactionEnableRecovery\":true},\"countryCode\":\"US\",\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"email\":\"team@gluu.org\",\"image\":{\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/configurator\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"migration\":{\"enabled\":false,\"migrationDataFormat\":\"ldif\",\"migrationDir\":\"/ce-migration\"},\"orgName\":\"Gluu\",\"redisPassword\":\"P@assw0rd\",\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"salt\":\"\",\"state\":\"TX\",\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. 
config-api object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/config-api\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-config-api/api/v1/health/live\",\"port\":8074},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"jans-config-api/api/v1/health/ready\",\"port\":8074},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). config-api.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of config-api.additionalLabels object {} Additional labels that will be added across the gateway in the format of config-api.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. config-api.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh config-api.dnsConfig object {} Add custom dns config config-api.dnsPolicy string \"\" Add custom dns policy config-api.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler config-api.hpa.behavior object {} Scaling Policies config-api.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set config-api.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. config-api.image.pullSecrets list [] Image Pull Secrets config-api.image.repository string \"ghcr.io/janssenproject/jans/config-api\" Image to use for deploying. config-api.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. config-api.livenessProbe object {\"httpGet\":{\"path\":\"/jans-config-api/api/v1/health/live\",\"port\":8074},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. config-api.livenessProbe.httpGet object {\"path\":\"/jans-config-api/api/v1/health/live\",\"port\":8074} http liveness probe endpoint config-api.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget config-api.readinessProbe.httpGet object {\"path\":\"jans-config-api/api/v1/health/ready\",\"port\":8074} http readiness probe endpoint config-api.replicas int 1 Service replica number. config-api.resources object {\"limits\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"}} Resource specs. config-api.resources.limits.cpu string \"1000m\" CPU limit. config-api.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. config-api.resources.requests.cpu string \"1000m\" CPU request. 
config-api.resources.requests.memory string \"1200Mi\" Memory request. config-api.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ config-api.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service config-api.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 config-api.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 config-api.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers config-api.volumes list [] Configure any additional volumes that need to be attached to the pod config.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of config.additionalLabels object {} Additional labels that will be added across the gateway in the format of config.adminPassword string \"Test1234#\" Admin password to log in to the UI. config.city string \"Austin\" City. Used for certificate creation. config.configmap.cnCacheType string \"NATIVE_PERSISTENCE\" Cache type. NATIVE_PERSISTENCE , REDIS . or IN_MEMORY . Defaults to NATIVE_PERSISTENCE . config.configmap.cnConfigKubernetesConfigMap string \"cn\" The name of the Kubernetes ConfigMap that will hold the configuration layer config.configmap.cnGoogleProjectId string \"google-project-to-save-config-and-secrets-to\" Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnGoogleSecretManagerServiceAccount string \"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=\" Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. 
Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnGoogleSecretNamePrefix string \"gluu\" Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnGoogleSecretVersionId string \"latest\" Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnJettyRequestHeaderSize int 8192 Jetty header size in bytes in the auth server config.configmap.cnMaxRamPercent string \"75.0\" Value passed to Java option -XX:MaxRAMPercentage config.configmap.cnMessageType string \"DISABLED\" Message type (one of POSTGRES, REDIS, or DISABLED) config.configmap.cnOpaUrl string \"http://opa.opa.svc.cluster.cluster.local:8181/v1\" URL of OPA API config.configmap.cnPersistenceHybridMapping string \"{}\" Specify data that should be saved in persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when global.cnPersistenceType is set to hybrid . config.configmap.cnRedisSentinelGroup string \"\" Redis Sentinel Group. Often set when config.configmap.cnRedisType is set to SENTINEL . Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnRedisSslTruststore string \"\" Redis SSL truststore. Optional. Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnRedisType string \"STANDALONE\" Redis service type. STANDALONE or CLUSTER . Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnRedisUrl string \"redis.redis.svc.cluster.local:6379\" Redis URL and port number : . Can be used when config.configmap.cnCacheType is set to REDIS . 
config.configmap.cnRedisUseSsl bool false Boolean to use SSL in Redis. Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnScimProtectionMode string \"OAUTH\" SCIM protection mode OAUTH config.configmap.cnSecretKubernetesSecret string \"cn\" Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. config.configmap.cnSqlDbDialect string \"mysql\" SQL database dialect. mysql or pgsql config.configmap.cnSqlDbHost string \"my-release-mysql.default.svc.cluster.local\" SQL database host uri. config.configmap.cnSqlDbName string \"gluu\" SQL database name. config.configmap.cnSqlDbPort int 3306 SQL database port. config.configmap.cnSqlDbSchema string \"\" Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as \"public\" ). config.configmap.cnSqlDbTimezone string \"UTC\" SQL database timezone. config.configmap.cnSqlDbUser string \"gluu\" SQL database username. config.configmap.cnSqldbUserPassword string \"Test1234#\" SQL password injected the secrets . config.configmap.cnVaultAddr string \"http://localhost:8200\" Base URL of Vault. config.configmap.cnVaultAppRolePath string \"approle\" Path to Vault AppRole. config.configmap.cnVaultKvPath string \"secret\" Path to Vault KV secrets engine. config.configmap.cnVaultNamespace string \"\" Vault namespace used to access the secrets. config.configmap.cnVaultPrefix string \"jans\" Base prefix name used to access secrets. config.configmap.cnVaultRoleId string \"\" Vault AppRole RoleID. config.configmap.cnVaultRoleIdFile string \"/etc/certs/vault_role_id\" Path to file contains Vault AppRole role ID. config.configmap.cnVaultSecretId string \"\" Vault AppRole SecretID. config.configmap.cnVaultSecretIdFile string \"/etc/certs/vault_secret_id\" Path to file contains Vault AppRole secret ID. 
config.configmap.cnVaultVerify bool false Verify connection to Vault. config.configmap.kcAdminPassword string \"Test1234#\" Keycloak admin UI password config.configmap.kcAdminUsername string \"admin\" Keycloak admin UI username config.configmap.kcDbPassword string \"Test1234#\" Password for Keycloak database access config.configmap.kcDbSchema string \"keycloak\" Keycloak database schema name (note that PostgreSQL may be using \"public\" schema). config.configmap.kcDbUrlDatabase string \"keycloak\" Keycloak database name. config.configmap.kcDbUrlHost string \"mysql.kc.svc.cluster.local\" Keycloak database host uri config.configmap.kcDbUrlPort int 3306 Keycloak database port (default to port 3306 for mysql). config.configmap.kcDbUrlProperties string \"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4\" Keycloak database connection properties. If using postgresql, the value can be set to empty string. config.configmap.kcDbUsername string \"keycloak\" Keycloak database username config.configmap.kcDbVendor string \"mysql\" Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. config.configmap.kcLogLevel string \"INFO\" Keycloak logging level config.configmap.lbAddr string \"\" Load balancer address for AWS if the FQDN is not registered. config.configmap.quarkusTransactionEnableRecovery bool true Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. config.countryCode string \"US\" Country code. Used for certificate creation. config.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. config.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh config.dnsConfig object {} Add custom dns config config.dnsPolicy string \"\" Add custom dns policy config.email string \"team@gluu.org\" Email address of the administrator usually. Used for certificate creation. config.image.pullSecrets list [] Image Pull Secrets config.image.repository string \"ghcr.io/janssenproject/jans/configurator\" Image to use for deploying. config.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. config.migration object {\"enabled\":false,\"migrationDataFormat\":\"ldif\",\"migrationDir\":\"/ce-migration\"} CE to CN Migration section config.migration.enabled bool false Boolean flag to enable migration from CE config.migration.migrationDataFormat string \"ldif\" migration data-format depending on persistence backend. Supported data formats are ldif, postgresql+json, and mysql+json. config.migration.migrationDir string \"/ce-migration\" Directory holding all migration files config.orgName string \"Gluu\" Organization name. Used for certificate creation. config.redisPassword string \"P@assw0rd\" Redis admin password if config.configmap.cnCacheType is set to REDIS . config.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. config.resources.limits.cpu string \"300m\" CPU limit. config.resources.limits.memory string \"300Mi\" Memory limit. config.resources.requests.cpu string \"300m\" CPU request. config.resources.requests.memory string \"300Mi\" Memory request. config.salt string \"\" Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. config.state string \"TX\" State code. Used for certificate creation. config.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service. config.usrEnvs.normal object {} Add custom normal envs to the service. 
variable1: value1 config.usrEnvs.secret object {} Add custom secret envs to the service. variable1: value1 config.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers config.volumes list [] Configure any additional volumes that need to be attached to the pod fido2 object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/fido2\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}},\"service\":{\"name\":\"http-fido2\",\"port\":8080},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. fido2.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of fido2.additionalLabels object {} Additional labels that will be added across the gateway in the format of fido2.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. 
fido2.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh fido2.dnsConfig object {} Add custom dns config fido2.dnsPolicy string \"\" Add custom dns policy fido2.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler fido2.hpa.behavior object {} Scaling Policies fido2.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set fido2.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. fido2.image.pullSecrets list [] Image Pull Secrets fido2.image.repository string \"ghcr.io/janssenproject/jans/fido2\" Image to use for deploying. fido2.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. fido2.livenessProbe object {\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the liveness healthcheck for the fido2 if needed. fido2.livenessProbe.httpGet object {\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"} http liveness probe endpoint fido2.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget fido2.readinessProbe object {\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the readiness healthcheck for the fido2 if needed. fido2.replicas int 1 Service replica number. fido2.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}} Resource specs. fido2.resources.limits.cpu string \"500m\" CPU limit. fido2.resources.limits.memory string \"500Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. 
fido2.resources.requests.cpu string \"500m\" CPU request. fido2.resources.requests.memory string \"500Mi\" Memory request. fido2.service.name string \"http-fido2\" The name of the fido2 port within the fido2 service. Please keep it as default. fido2.service.port int 8080 Port of the fido2 service. Please keep it as default. fido2.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ fido2.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service fido2.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 fido2.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 fido2.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers fido2.volumes list [] Configure any additional volumes that need to be attached to the pod global object {\"admin-ui\":{\"adminUiServiceName\":\"admin-ui\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"adminUiAdditionalAnnotations\":{},\"adminUiEnabled\":false,\"adminUiLabels\":{}}},\"alb\":{\"ingress\":false},\"auth-server\":{\"appLoggers\":{\"auditStatsLogLevel\":\"INFO\",\"auditStatsLogTarget\":\"FILE\",\"authLogLevel\":\"INFO\",\"authLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"httpLogLevel\":\"INFO\",\"httpLogTarget\":\"FILE\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"authEncKeys\":\"RSA1_5 RSA-OAEP\",\"authServerServiceName\":\"auth-server\",\"authSigKeys\":\"RS256 RS384 RS512 ES256 ES384 ES512 
PS256 PS384 PS512\",\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"authServerAdditionalAnnotations\":{},\"authServerEnabled\":true,\"authServerLabels\":{},\"authServerProtectedRegister\":false,\"authServerProtectedRegisterAdditionalAnnotations\":{},\"authServerProtectedRegisterLabels\":{},\"authServerProtectedToken\":false,\"authServerProtectedTokenAdditionalAnnotations\":{},\"authServerProtectedTokenLabels\":{},\"authzenAdditionalAnnotations\":{},\"authzenConfigEnabled\":true,\"authzenConfigLabels\":{},\"deviceCodeAdditionalAnnotations\":{},\"deviceCodeEnabled\":true,\"deviceCodeLabels\":{},\"firebaseMessagingAdditionalAnnotations\":{},\"firebaseMessagingEnabled\":true,\"firebaseMessagingLabels\":{},\"lockAdditionalAnnotations\":{},\"lockConfigAdditionalAnnotations\":{},\"lockConfigEnabled\":false,\"lockConfigLabels\":{},\"lockEnabled\":false,\"lockLabels\":{},\"openidAdditionalAnnotations\":{},\"openidConfigEnabled\":true,\"openidConfigLabels\":{},\"u2fAdditionalAnnotations\":{},\"u2fConfigEnabled\":true,\"u2fConfigLabels\":{},\"uma2AdditionalAnnotations\":{},\"uma2ConfigEnabled\":true,\"uma2ConfigLabels\":{},\"webdiscoveryAdditionalAnnotations\":{},\"webdiscoveryEnabled\":true,\"webdiscoveryLabels\":{},\"webfingerAdditionalAnnotations\":{},\"webfingerEnabled\":true,\"webfingerLabels\":{}},\"lockEnabled\":false},\"auth-server-key-rotation\":{\"customAnnotations\":{\"cronjob\":{},\"secret\":{},\"service\":{}},\"enabled\":true,\"initKeysLife\":48},\"awsStorageType\":\"io1\",\"azureStorageAccountType\":\"Standard_LRS\",\"azureStorageKind\":\"Managed\",\"casa\":{\"appLoggers\":{\"casaLogLevel\":\"INFO\",\"casaLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"timerLogLevel\":\"INFO\",\"timerLogTarget\":\"FILE\"},\"casaServiceName\":\"casa\",\"cnCustomJavaOptions\"
:\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"casaAdditionalAnnotations\":{},\"casaEnabled\":false,\"casaLabels\":{}}},\"cloud\":{\"testEnviroment\":false},\"cnAwsConfigFile\":\"/etc/jans/conf/aws_config_file\",\"cnAwsSecretsReplicaRegionsFile\":\"/etc/jans/conf/aws_secrets_replica_regions\",\"cnAwsSharedCredentialsFile\":\"/etc/jans/conf/aws_shared_credential_file\",\"cnConfiguratorConfigurationFile\":\"/etc/jans/conf/configuration.json\",\"cnConfiguratorCustomSchema\":{\"secretName\":\"\"},\"cnConfiguratorDumpFile\":\"/etc/jans/conf/configuration.out.json\",\"cnDocumentStoreType\":\"DB\",\"cnGoogleApplicationCredentials\":\"/etc/jans/conf/google-credentials.json\",\"cnObExtSigningAlias\":\"\",\"cnObExtSigningJwksCrt\":\"\",\"cnObExtSigningJwksKey\":\"\",\"cnObExtSigningJwksKeyPassPhrase\":\"\",\"cnObExtSigningJwksUri\":\"\",\"cnObStaticSigningKeyKid\":\"\",\"cnObTransportAlias\":\"\",\"cnObTransportCrt\":\"\",\"cnObTransportKey\":\"\",\"cnObTransportKeyPassPhrase\":\"\",\"cnObTransportTrustStore\":\"\",\"cnPersistenceType\":\"sql\",\"cnPrometheusPort\":\"\",\"cnSqlPasswordFile\":\"/etc/jans/conf/sql_password\",\"config\":{\"customAnnotations\":{\"clusterRoleBinding\":{},\"configMap\":{},\"job\":{},\"role\":{},\"roleBinding\":{},\"secret\":{},\"service\":{},\"serviceAccount\":{}},\"enabled\":true},\"config-api\":{\"adminUiAppLoggers\":{\"adminUiAuditLogLevel\":\"INFO\",\"adminUiAuditLogTarget\":\"FILE\",\"adminUiLogLevel\":\"INFO\",\"adminUiLogTarget\":\"FILE\",\"enableStdoutLogPrefix\":\"true\"},\"appLoggers\":{\"configApiLogLevel\":\"INFO\",\"configApiLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scri
ptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"configApiServerServiceName\":\"config-api\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"configApiAdditionalAnnotations\":{},\"configApiEnabled\":true,\"configApiLabels\":{}},\"plugins\":\"admin-ui,fido2,scim,user-mgt\"},\"configAdapterName\":\"kubernetes\",\"configSecretAdapter\":\"kubernetes\",\"distribution\":\"default\",\"fido2\":{\"appLoggers\":{\"enableStdoutLogPrefix\":\"true\",\"fido2LogLevel\":\"INFO\",\"fido2LogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"fido2ServiceName\":\"fido2\",\"ingress\":{\"fido2AdditionalAnnotations\":{},\"fido2ConfigAdditionalAnnotations\":{},\"fido2ConfigEnabled\":false,\"fido2ConfigLabels\":{},\"fido2Enabled\":false,\"fido2Labels\":{},\"fido2WebauthnAdditionalAnnotations\":{},\"fido2WebauthnEnabled\":false,\"fido2WebauthnLabels\":{}}},\"fqdn\":\"demoexample.gluu.org\",\"gcePdStorageType\":\"pd-standard\",\"isFqdnRegistered\":false,\"istio\":{\"additionalAnnotations\":{},\"additionalLabels\":{},\"enabled\":false,\"gateways\":[],\"ingress\":false,\"namespace\":\"istio-system\"},\"jobTtlSecondsAfterFinished\":300,\"kc-scheduler\":{\"enabled\":false},\"lbIp\":\"22.22.22.22\",\"link\":{\"appLoggers\":{\"enableStdoutLogPrefix\":\"true\",\"linkLogLevel\":\"INFO\",\"linkLogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenc
eLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"service\":{},\"virtualService\":{}},\"enabled\":false,\"ingress\":{\"linkAdditionalAnnotations\":{},\"linkEnabled\":true,\"linkLabels\":{}},\"linkServiceName\":\"link\"},\"nginx-ingress\":{\"enabled\":true},\"persistence\":{\"customAnnotations\":{\"job\":{},\"secret\":{},\"service\":{}},\"enabled\":true},\"saml\":{\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":false,\"ingress\":{\"samlAdditionalAnnotations\":{},\"samlEnabled\":false,\"samlLabels\":{}},\"samlServiceName\":\"saml\"},\"scim\":{\"appLoggers\":{\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scimLogLevel\":\"INFO\",\"scimLogTarget\":\"STDOUT\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"scimAdditionalAnnotations\":{},\"scimConfigAdditionalAnnotations\":{},\"scimConfigEnabled\":false,\"scimConfigLabels\":{},\"scimEnabled\":false,\"scimLabels\":{}},\"scimServiceName\":\"scim\"},\"serviceAccountName\":\"default\",\"storageClass\":{\"allowVolumeExpansion\":true,\"allowedTopologies\":[],\"mountOptions\":[\"debug\"],\"parameters\":{},\"provisioner\":\"microk8s.io/hostpath\",\"reclaimPolicy\":\"Retain\",\"volumeBindingMode\":\"WaitForFirstConsumer\"},\"usrEnvs\":{\"normal\":{},\"secret\":{}}} Parameters 
used globally across all services helm charts. global.admin-ui.adminUiServiceName string \"admin-ui\" Name of the admin-ui service. Please keep it as default. global.admin-ui.enabled bool true Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. global.admin-ui.ingress.adminUiAdditionalAnnotations object {} Admin UI ingress resource additional annotations. global.admin-ui.ingress.adminUiEnabled bool false Enable Admin UI endpoints in either istio or nginx ingress depending on users choice global.admin-ui.ingress.adminUiLabels object {} Admin UI ingress resource labels. key app is taken. global.alb.ingress bool false Activates ALB ingress global.auth-server-key-rotation.enabled bool true Boolean flag to enable/disable the auth-server-key rotation cronjob chart. global.auth-server-key-rotation.initKeysLife int 48 The initial auth server key rotation keys life in hours global.auth-server.appLoggers object {\"auditStatsLogLevel\":\"INFO\",\"auditStatsLogTarget\":\"FILE\",\"authLogLevel\":\"INFO\",\"authLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"httpLogLevel\":\"INFO\",\"httpLogTarget\":\"FILE\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.auth-server.appLoggers.auditStatsLogLevel string \"INFO\" jans-auth_audit.log level global.auth-server.appLoggers.auditStatsLogTarget string \"FILE\" jans-auth_script.log target global.auth-server.appLoggers.authLogLevel string \"INFO\" jans-auth.log level global.auth-server.appLoggers.authLogTarget string \"STDOUT\" jans-auth.log target global.auth-server.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO global.auth-server.appLoggers.httpLogLevel string \"INFO\" http_request_response.log level global.auth-server.appLoggers.httpLogTarget string \"FILE\" http_request_response.log target global.auth-server.appLoggers.persistenceDurationLogLevel string \"INFO\" jans-auth_persistence_duration.log level global.auth-server.appLoggers.persistenceDurationLogTarget string \"FILE\" jans-auth_persistence_duration.log target global.auth-server.appLoggers.persistenceLogLevel string \"INFO\" jans-auth_persistence.log level global.auth-server.appLoggers.persistenceLogTarget string \"FILE\" jans-auth_persistence.log target global.auth-server.appLoggers.scriptLogLevel string \"INFO\" jans-auth_script.log level global.auth-server.appLoggers.scriptLogTarget string \"FILE\" jans-auth_script.log target global.auth-server.authEncKeys string \"RSA1_5 RSA-OAEP\" space-separated key algorithm for encryption (default to RSA1_5 RSA-OAEP ) global.auth-server.authServerServiceName string \"auth-server\" Name of the auth-server service. Please keep it as default. global.auth-server.authSigKeys string \"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512\" space-separated key algorithm for signing (default to RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512 ) global.auth-server.cnCustomJavaOptions string \"\" passing custom java options to auth-server. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.auth-server.enabled bool true Boolean flag to enable/disable auth-server chart. You should never set this to false. 
global.auth-server.ingress object {\"authServerAdditionalAnnotations\":{},\"authServerEnabled\":true,\"authServerLabels\":{},\"authServerProtectedRegister\":false,\"authServerProtectedRegisterAdditionalAnnotations\":{},\"authServerProtectedRegisterLabels\":{},\"authServerProtectedToken\":false,\"authServerProtectedTokenAdditionalAnnotations\":{},\"authServerProtectedTokenLabels\":{},\"authzenAdditionalAnnotations\":{},\"authzenConfigEnabled\":true,\"authzenConfigLabels\":{},\"deviceCodeAdditionalAnnotations\":{},\"deviceCodeEnabled\":true,\"deviceCodeLabels\":{},\"firebaseMessagingAdditionalAnnotations\":{},\"firebaseMessagingEnabled\":true,\"firebaseMessagingLabels\":{},\"lockAdditionalAnnotations\":{},\"lockConfigAdditionalAnnotations\":{},\"lockConfigEnabled\":false,\"lockConfigLabels\":{},\"lockEnabled\":false,\"lockLabels\":{},\"openidAdditionalAnnotations\":{},\"openidConfigEnabled\":true,\"openidConfigLabels\":{},\"u2fAdditionalAnnotations\":{},\"u2fConfigEnabled\":true,\"u2fConfigLabels\":{},\"uma2AdditionalAnnotations\":{},\"uma2ConfigEnabled\":true,\"uma2ConfigLabels\":{},\"webdiscoveryAdditionalAnnotations\":{},\"webdiscoveryEnabled\":true,\"webdiscoveryLabels\":{},\"webfingerAdditionalAnnotations\":{},\"webfingerEnabled\":true,\"webfingerLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.auth-server.ingress.authServerAdditionalAnnotations object {} Auth server ingress resource additional annotations. global.auth-server.ingress.authServerEnabled bool true Enable Auth server endpoints /jans-auth global.auth-server.ingress.authServerLabels object {} Auth server ingress resource labels. key app is taken global.auth-server.ingress.authServerProtectedRegister bool false Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. 
global.auth-server.ingress.authServerProtectedRegisterAdditionalAnnotations object {} Auth server protected register ingress resource additional annotations. global.auth-server.ingress.authServerProtectedRegisterLabels object {} Auth server protected token ingress resource labels. key app is taken global.auth-server.ingress.authServerProtectedToken bool false Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. global.auth-server.ingress.authServerProtectedTokenAdditionalAnnotations object {} Auth server protected token ingress resource additional annotations. global.auth-server.ingress.authServerProtectedTokenLabels object {} Auth server protected token ingress resource labels. key app is taken global.auth-server.ingress.authzenAdditionalAnnotations object {} authzen config ingress resource additional annotations. global.auth-server.ingress.authzenConfigEnabled bool true Enable endpoint /.well-known/authzen-configuration global.auth-server.ingress.authzenConfigLabels object {} authzen config ingress resource labels. key app is taken global.auth-server.ingress.deviceCodeAdditionalAnnotations object {} device-code ingress resource additional annotations. global.auth-server.ingress.deviceCodeEnabled bool true Enable endpoint /device-code global.auth-server.ingress.deviceCodeLabels object {} device-code ingress resource labels. key app is taken global.auth-server.ingress.firebaseMessagingAdditionalAnnotations object {} Firebase Messaging ingress resource additional annotations. global.auth-server.ingress.firebaseMessagingEnabled bool true Enable endpoint /firebase-messaging-sw.js global.auth-server.ingress.firebaseMessagingLabels object {} Firebase Messaging ingress resource labels. key app is taken global.auth-server.ingress.lockAdditionalAnnotations object {} Lock ingress resource additional annotations. global.auth-server.ingress.lockConfigAdditionalAnnotations object {} Lock config ingress resource additional annotations. 
global.auth-server.ingress.lockConfigEnabled bool false Enable endpoint /.well-known/lock-server-configuration global.auth-server.ingress.lockConfigLabels object {} Lock config ingress resource labels. key app is taken global.auth-server.ingress.lockEnabled bool false Enable endpoint /jans-lock global.auth-server.ingress.lockLabels object {} Lock ingress resource labels. key app is taken global.auth-server.ingress.openidAdditionalAnnotations object {} openid-configuration ingress resource additional annotations. global.auth-server.ingress.openidConfigEnabled bool true Enable endpoint /.well-known/openid-configuration global.auth-server.ingress.openidConfigLabels object {} openid-configuration ingress resource labels. key app is taken global.auth-server.ingress.u2fAdditionalAnnotations object {} u2f config ingress resource additional annotations. global.auth-server.ingress.u2fConfigEnabled bool true Enable endpoint /.well-known/fido-configuration global.auth-server.ingress.u2fConfigLabels object {} u2f config ingress resource labels. key app is taken global.auth-server.ingress.uma2AdditionalAnnotations object {} uma2 config ingress resource additional annotations. global.auth-server.ingress.uma2ConfigEnabled bool true Enable endpoint /.well-known/uma2-configuration global.auth-server.ingress.uma2ConfigLabels object {} uma2 config ingress resource labels. key app is taken global.auth-server.ingress.webdiscoveryAdditionalAnnotations object {} webdiscovery ingress resource additional annotations. global.auth-server.ingress.webdiscoveryEnabled bool true Enable endpoint /.well-known/simple-web-discovery global.auth-server.ingress.webdiscoveryLabels object {} webdiscovery ingress resource labels. key app is taken global.auth-server.ingress.webfingerAdditionalAnnotations object {} webfinger ingress resource additional annotations. 
global.auth-server.ingress.webfingerEnabled bool true Enable endpoint /.well-known/webfinger global.auth-server.ingress.webfingerLabels object {} webfinger ingress resource labels. key app is taken global.auth-server.lockEnabled bool false Enable jans-lock as service running inside auth-server global.awsStorageType string \"io1\" Volume storage type if using AWS volumes. global.azureStorageAccountType string \"Standard_LRS\" Volume storage type if using Azure disks. global.azureStorageKind string \"Managed\" Azure storage kind if using Azure disks global.casa.appLoggers object {\"casaLogLevel\":\"INFO\",\"casaLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"timerLogLevel\":\"INFO\",\"timerLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.casa.appLoggers.casaLogLevel string \"INFO\" casa.log level global.casa.appLoggers.casaLogTarget string \"STDOUT\" casa.log target global.casa.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO global.casa.appLoggers.timerLogLevel string \"INFO\" casa timer log level global.casa.appLoggers.timerLogTarget string \"FILE\" casa timer log target global.casa.casaServiceName string \"casa\" Name of the casa service. Please keep it as default. global.casa.cnCustomJavaOptions string \"\" passing custom java options to casa. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.casa.enabled bool true Boolean flag to enable/disable the casa chart. 
global.casa.ingress object {\"casaAdditionalAnnotations\":{},\"casaEnabled\":false,\"casaLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.casa.ingress.casaAdditionalAnnotations object {} Casa ingress resource additional annotations. global.casa.ingress.casaEnabled bool false Enable casa endpoints /casa global.casa.ingress.casaLabels object {} Casa ingress resource labels. key app is taken global.cloud.testEnviroment bool false Boolean flag if enabled will strip resources requests and limits from all services. global.cnConfiguratorConfigurationFile string \"/etc/jans/conf/configuration.json\" Path to configuration schema file global.cnConfiguratorCustomSchema object {\"secretName\":\"\"} Use custom configuration schema in existing secrets. Note, the secrets has to contain the key configuration.json or any basename as specified in cnConfiguratorConfigurationFile. global.cnConfiguratorCustomSchema.secretName string \"\" The name of the secrets used for storing custom configuration schema. global.cnConfiguratorDumpFile string \"/etc/jans/conf/configuration.out.json\" Path to dumped configuration schema file global.cnDocumentStoreType string \"DB\" Document store type to use for shibboleth files DB. global.cnGoogleApplicationCredentials string \"/etc/jans/conf/google-credentials.json\" Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets. Leave as this is a sensible default. global.cnObExtSigningAlias string \"\" Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G global.cnObExtSigningJwksCrt string \"\" Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when .global.cnObExtSigningJwksUri is set. global.cnObExtSigningJwksKey string \"\" Open banking external signing jwks AS key string. 
Used in SSA Validation. This must be encoded using base64. Used when .global.cnObExtSigningJwksUri is set. global.cnObExtSigningJwksKeyPassPhrase string \"\" Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when .global.cnObExtSigningJwksUri is set. global.cnObExtSigningJwksUri string \"\" Open banking external signing jwks uri. Used in SSA Validation. global.cnObStaticSigningKeyKid string \"\" Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G global.cnObTransportAlias string \"\" Open banking transport Alias used inside the JVM. global.cnObTransportCrt string \"\" Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. global.cnObTransportKey string \"\" Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. global.cnObTransportKeyPassPhrase string \"\" Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. global.cnObTransportTrustStore string \"\" Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. global.cnPersistenceType string \"sql\" Persistence backend to run Gluu with hybrid global.cnPrometheusPort string \"\" Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. 
global.cnSqlPasswordFile string \"/etc/jans/conf/sql_password\" Path to SQL password file global.config-api.adminUiAppLoggers.adminUiAuditLogLevel string \"INFO\" config-api admin-ui plugin audit log level global.config-api.adminUiAppLoggers.adminUiAuditLogTarget string \"FILE\" config-api admin-ui plugin audit log target global.config-api.adminUiAppLoggers.adminUiLogLevel string \"INFO\" config-api admin-ui plugin log target global.config-api.adminUiAppLoggers.adminUiLogTarget string \"FILE\" config-api admin-ui plugin log level global.config-api.adminUiAppLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO global.config-api.appLoggers object {\"configApiLogLevel\":\"INFO\",\"configApiLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.config-api.appLoggers.configApiLogLevel string \"INFO\" configapi.log level global.config-api.appLoggers.configApiLogTarget string \"STDOUT\" configapi.log target global.config-api.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO global.config-api.appLoggers.persistenceDurationLogLevel string \"INFO\" config-api_persistence_duration.log level global.config-api.appLoggers.persistenceDurationLogTarget string \"FILE\" config-api_persistence_duration.log target global.config-api.appLoggers.persistenceLogLevel string \"INFO\" config-api_persistence.log level global.config-api.appLoggers.persistenceLogTarget string \"FILE\" config-api_persistence.log target global.config-api.appLoggers.scriptLogLevel string \"INFO\" config-api_script.log level global.config-api.appLoggers.scriptLogTarget string \"FILE\" config-api_script.log target global.config-api.cnCustomJavaOptions string \"\" passing custom java options to config-api. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.config-api.configApiServerServiceName string \"config-api\" Name of the config-api service. Please keep it as default. global.config-api.enabled bool true Boolean flag to enable/disable the config-api chart. global.config-api.ingress object {\"configApiAdditionalAnnotations\":{},\"configApiEnabled\":true,\"configApiLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.config-api.ingress.configApiAdditionalAnnotations object {} ConfigAPI ingress resource additional annotations. global.config-api.ingress.configApiLabels object {} configAPI ingress resource labels. key app is taken global.config-api.plugins string \"admin-ui,fido2,scim,user-mgt\" Comma-separated values of enabled plugins (supported plugins are \"admin-ui\",\"fido2\",\"scim\",\"user-mgt\",\"jans-link\",\"kc-saml\") global.config.enabled bool true Boolean flag to enable/disable the configuration chart. This normally should never be false global.configAdapterName string \"kubernetes\" The config backend adapter that will hold Gluu configuration layer. 
aws global.configSecretAdapter string \"kubernetes\" The config backend adapter that will hold Gluu secret layer. vault global.distribution string \"default\" Gluu distributions supported are: default global.fido2.appLoggers object {\"enableStdoutLogPrefix\":\"true\",\"fido2LogLevel\":\"INFO\",\"fido2LogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.fido2.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO global.fido2.appLoggers.fido2LogLevel string \"INFO\" fido2.log level global.fido2.appLoggers.fido2LogTarget string \"STDOUT\" fido2.log target global.fido2.appLoggers.persistenceDurationLogLevel string \"INFO\" fido2_persistence_duration.log level global.fido2.appLoggers.persistenceDurationLogTarget string \"FILE\" fido2_persistence_duration.log target global.fido2.appLoggers.persistenceLogLevel string \"INFO\" fido2_persistence.log level global.fido2.appLoggers.persistenceLogTarget string \"FILE\" fido2_persistence.log target global.fido2.appLoggers.scriptLogLevel string \"INFO\" fido2_script.log level global.fido2.appLoggers.scriptLogTarget string \"FILE\" fido2_script.log target global.fido2.cnCustomJavaOptions string \"\" passing custom java options to fido2. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.fido2.enabled bool true Boolean flag to enable/disable the fido2 chart. global.fido2.fido2ServiceName string \"fido2\" Name of the fido2 service. Please keep it as default. 
global.fido2.ingress object {\"fido2AdditionalAnnotations\":{},\"fido2ConfigAdditionalAnnotations\":{},\"fido2ConfigEnabled\":false,\"fido2ConfigLabels\":{},\"fido2Enabled\":false,\"fido2Labels\":{},\"fido2WebauthnAdditionalAnnotations\":{},\"fido2WebauthnEnabled\":false,\"fido2WebauthnLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.fido2.ingress.fido2AdditionalAnnotations object {} fido2 ingress resource additional annotations. global.fido2.ingress.fido2ConfigAdditionalAnnotations object {} fido2 config ingress resource additional annotations. global.fido2.ingress.fido2ConfigEnabled bool false Enable endpoint /.well-known/fido2-configuration global.fido2.ingress.fido2ConfigLabels object {} fido2 config ingress resource labels. key app is taken global.fido2.ingress.fido2Enabled bool false Enable endpoint /jans-fido2 global.fido2.ingress.fido2Labels object {} fido2 ingress resource labels. key app is taken global.fido2.ingress.fido2WebauthnAdditionalAnnotations object {} fido2 webauthn ingress resource additional annotations. global.fido2.ingress.fido2WebauthnEnabled bool false Enable endpoint /.well-known/webauthn global.fido2.ingress.fido2WebauthnLabels object {} fido2 webauthn ingress resource labels. key app is taken global.fqdn string \"demoexample.gluu.org\" Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. global.gcePdStorageType string \"pd-standard\" GCE storage kind if using Google disks global.isFqdnRegistered bool false Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. 
global.istio.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of global.istio.additionalLabels object {} Additional labels that will be added across the gateway in the format of global.istio.enabled bool false Boolean flag that enables using istio side-cars with Gluu services. global.istio.gateways list [] Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. global.istio.ingress bool false Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. global.istio.namespace string \"istio-system\" The namespace istio is deployed in. The is normally istio-system. global.jobTtlSecondsAfterFinished int 300 https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ global.kc-scheduler.enabled bool false Boolean flag to enable/disable the kc-scheduler cronjob chart. global.lbIp string \"22.22.22.22\" The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if global.fqdn is globally resolvable. global.link.appLoggers object {\"enableStdoutLogPrefix\":\"true\",\"linkLogLevel\":\"INFO\",\"linkLogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.link.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e link-persistence ===> 2022-12-20 17:49:55,744 INFO global.link.appLoggers.linkLogLevel string \"INFO\" cacherefresh.log level global.link.appLoggers.linkLogTarget string \"STDOUT\" cacherefresh.log target global.link.appLoggers.persistenceDurationLogLevel string \"INFO\" cacherefresh_persistence_duration.log level global.link.appLoggers.persistenceDurationLogTarget string \"FILE\" cacherefresh_persistence_duration.log target global.link.appLoggers.persistenceLogLevel string \"INFO\" cacherefresh_persistence.log level global.link.appLoggers.persistenceLogTarget string \"FILE\" cacherefresh_persistence.log target global.link.appLoggers.scriptLogLevel string \"INFO\" cacherefresh_script.log level global.link.appLoggers.scriptLogTarget string \"FILE\" cacherefresh_script.log target global.link.cnCustomJavaOptions string \"\" passing custom java options to link. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.link.customAnnotations object {\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"service\":{},\"virtualService\":{}} Add custom annotations for kubernetes resources for the service global.link.enabled bool false Boolean flag to enable/disable the link chart. global.link.ingress object {\"linkAdditionalAnnotations\":{},\"linkEnabled\":true,\"linkLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.link.ingress.linkAdditionalAnnotations object {} link ingress resource additional annotations. global.link.ingress.linkLabels object {} link ingress resource labels. key app is taken global.link.linkServiceName string \"link\" Name of the link service. Please keep it as default. global.nginx-ingress.enabled bool true Boolean flag to enable/disable the nginx-ingress definitions chart. global.persistence.enabled bool true Boolean flag to enable/disable the persistence chart. 
global.saml.cnCustomJavaOptions string \"\" passing custom java options to saml. DO NOT PASS JAVA_OPTIONS in envs. global.saml.enabled bool false Boolean flag to enable/disable the saml chart. global.saml.ingress object {\"samlAdditionalAnnotations\":{},\"samlEnabled\":false,\"samlLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.saml.ingress.samlAdditionalAnnotations object {} SAML ingress resource additional annotations. global.saml.ingress.samlLabels object {} SAML ingress resource labels. key app is taken global.saml.samlServiceName string \"saml\" Name of the saml service. Please keep it as default. global.scim.appLoggers object {\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scimLogLevel\":\"INFO\",\"scimLogTarget\":\"STDOUT\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.scim.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO global.scim.appLoggers.persistenceDurationLogLevel string \"INFO\" jans-scim_persistence_duration.log level global.scim.appLoggers.persistenceDurationLogTarget string \"FILE\" jans-scim_persistence_duration.log target global.scim.appLoggers.persistenceLogLevel string \"INFO\" jans-scim_persistence.log level global.scim.appLoggers.persistenceLogTarget string \"FILE\" jans-scim_persistence.log target global.scim.appLoggers.scimLogLevel string \"INFO\" jans-scim.log level global.scim.appLoggers.scimLogTarget string \"STDOUT\" jans-scim.log target global.scim.appLoggers.scriptLogLevel string \"INFO\" jans-scim_script.log level global.scim.appLoggers.scriptLogTarget string \"FILE\" jans-scim_script.log target global.scim.cnCustomJavaOptions string \"\" passing custom java options to scim. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.scim.enabled bool true Boolean flag to enable/disable the SCIM chart. global.scim.ingress object {\"scimAdditionalAnnotations\":{},\"scimConfigAdditionalAnnotations\":{},\"scimConfigEnabled\":false,\"scimConfigLabels\":{},\"scimEnabled\":false,\"scimLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.scim.ingress.scimAdditionalAnnotations object {} SCIM ingress resource additional annotations. global.scim.ingress.scimConfigAdditionalAnnotations object {} SCIM config ingress resource additional annotations. global.scim.ingress.scimConfigEnabled bool false Enable endpoint /.well-known/scim-configuration global.scim.ingress.scimConfigLabels object {} SCIM config ingress resource labels. key app is taken global.scim.ingress.scimEnabled bool false Enable SCIM endpoints /jans-scim global.scim.ingress.scimLabels object {} SCIM ingress resource labels. key app is taken global.scim.scimServiceName string \"scim\" Name of the scim service. Please keep it as default. 
global.serviceAccountName string \"default\" service account used by Kubernetes resources global.storageClass object {\"allowVolumeExpansion\":true,\"allowedTopologies\":[],\"mountOptions\":[\"debug\"],\"parameters\":{},\"provisioner\":\"microk8s.io/hostpath\",\"reclaimPolicy\":\"Retain\",\"volumeBindingMode\":\"WaitForFirstConsumer\"} StorageClass section. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. global.storageClass.parameters object {} parameters: fsType: \"\" kind: \"\" pool: \"\" storageAccountType: \"\" type: \"\" global.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services global.usrEnvs.normal object {} Add custom normal envs to the service. variable1: value1 global.usrEnvs.secret object {} Add custom secret envs to the service. variable1: value1 installer-settings object {\"acceptLicense\":\"\",\"aws\":{\"arn\":{\"arnAcmCert\":\"\",\"enabled\":\"\"},\"lbType\":\"\",\"vpcCidr\":\"0.0.0.0/0\"},\"confirmSettings\":false,\"currentVersion\":\"\",\"google\":{\"useSecretManager\":\"\"},\"images\":{\"edit\":\"\"},\"namespace\":\"\",\"nginxIngress\":{\"namespace\":\"\",\"releaseName\":\"\"},\"nodes\":{\"ips\":\"\",\"names\":\"\",\"zones\":\"\"},\"openbanking\":{\"cnObTransportTrustStoreP12password\":\"\",\"hasCnObTransportTrustStore\":false},\"postgres\":{\"install\":\"\",\"namespace\":\"\"},\"redis\":{\"install\":\"\",\"namespace\":\"\"},\"releaseName\":\"\",\"sql\":{\"install\":\"\",\"namespace\":\"\"},\"volumeProvisionStrategy\":\"\"} Only used by the installer. 
These settings do not affect nor are used by the chart kc-scheduler object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/kc-scheduler\",\"tag\":\"0.0.0-nightly\"},\"interval\":10,\"lifecycle\":{},\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Responsible for synchronizing Keycloak SAML clients kc-scheduler.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of kc-scheduler.additionalLabels object {} Additional labels that will be added across the gateway in the format of kc-scheduler.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. kc-scheduler.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh kc-scheduler.dnsConfig object {} Add custom dns config kc-scheduler.dnsPolicy string \"\" Add custom dns policy kc-scheduler.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. kc-scheduler.image.pullSecrets list [] Image Pull Secrets kc-scheduler.image.repository string \"ghcr.io/janssenproject/jans/kc-scheduler\" Image to use for deploying. kc-scheduler.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. kc-scheduler.interval int 10 Interval of running the scheduler (in minutes) kc-scheduler.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. kc-scheduler.resources.limits.cpu string \"300m\" CPU limit. kc-scheduler.resources.limits.memory string \"300Mi\" Memory limit. 
kc-scheduler.resources.requests.cpu string \"300m\" CPU request. kc-scheduler.resources.requests.memory string \"300Mi\" Memory request. kc-scheduler.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service kc-scheduler.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 kc-scheduler.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 kc-scheduler.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers kc-scheduler.volumes list [] Configure any additional volumes that need to be attached to the pod link object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/link\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Link. link.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of link.additionalLabels object {} Additional labels that will be added across the gateway in the format of link.customCommand list [] Add custom pod's command. 
If passed, it will override the default conditional command. link.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh link.dnsConfig object {} Add custom dns config link.dnsPolicy string \"\" Add custom dns policy link.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler link.hpa.behavior object {} Scaling Policies link.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set link.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. link.image.pullSecrets list [] Image Pull Secrets link.image.repository string \"ghcr.io/janssenproject/jans/link\" Image to use for deploying. link.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. link.livenessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. link.livenessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http liveness probe endpoint link.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget link.readinessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http readiness probe endpoint link.replicas int 1 Service replica number. link.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}} Resource specs. link.resources.limits.cpu string \"500m\" CPU limit. link.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. link.resources.requests.cpu string \"500m\" CPU request. 
link.resources.requests.memory string \"1200Mi\" Memory request. link.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ link.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service link.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 link.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 link.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers link.volumes list [] Configure any additional volumes that need to be attached to the pod nginx-ingress object {\"certManager\":{\"certificate\":{\"enabled\":false,\"issuerGroup\":\"cert-manager.io\",\"issuerKind\":\"ClusterIssuer\",\"issuerName\":\"\"}},\"ingress\":{\"additionalAnnotations\":{},\"additionalLabels\":{},\"hosts\":[\"demoexample.gluu.org\"],\"ingressClassName\":\"nginx\",\"path\":\"/\",\"tls\":[{\"hosts\":[\"demoexample.gluu.org\"],\"secretName\":\"tls-certificate\"}]}} Nginx ingress definitions chart nginx-ingress.ingress.additionalAnnotations object {} Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: \"optional\" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: \"gluu/tls-certificate\" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: \"1\" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: \"true\" nginx-ingress.ingress.additionalLabels object {} Additional labels that will be added across all ingress definitions in the format of 
nginx-ingress.ingress.tls list [{\"hosts\":[\"demoexample.gluu.org\"],\"secretName\":\"tls-certificate\"}] Secrets holding HTTPS CA cert and key. persistence object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/persistence-loader\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Job to generate data and initial config for Gluu Server persistence layer. persistence.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of persistence.additionalLabels object {} Additional labels that will be added across the gateway in the format of persistence.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. persistence.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh persistence.dnsConfig object {} Add custom dns config persistence.dnsPolicy string \"\" Add custom dns policy persistence.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. persistence.image.pullSecrets list [] Image Pull Secrets persistence.image.repository string \"ghcr.io/janssenproject/jans/persistence-loader\" Image to use for deploying. persistence.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. persistence.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. persistence.resources.limits.cpu string \"300m\" CPU limit persistence.resources.limits.memory string \"300Mi\" Memory limit. 
persistence.resources.requests.cpu string \"300m\" CPU request. persistence.resources.requests.memory string \"300Mi\" Memory request. persistence.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service persistence.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 persistence.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 persistence.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers persistence.volumes list [] Configure any additional volumes that need to be attached to the pod saml object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/saml\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"failureThreshold\":10,\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"failureThreshold\":10,\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} SAML. 
saml.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of saml.additionalLabels object {} Additional labels that will be added across the gateway in the format of saml.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. saml.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh saml.dnsConfig object {} Add custom dns config saml.dnsPolicy string \"\" Add custom dns policy saml.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler saml.hpa.behavior object {} Scaling Policies saml.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set saml.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. saml.image.pullSecrets list [] Image Pull Secrets saml.image.repository string \"ghcr.io/janssenproject/jans/saml\" Image to use for deploying. saml.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. saml.livenessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"failureThreshold\":10,\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. saml.livenessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http liveness probe endpoint saml.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget saml.readinessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http readiness probe endpoint saml.replicas int 1 Service replica number. saml.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}} Resource specs. 
saml.resources.limits.cpu string \"500m\" CPU limit. saml.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. saml.resources.requests.cpu string \"500m\" CPU request. saml.resources.requests.memory string \"1200Mi\" Memory request. saml.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ saml.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service saml.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 saml.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 saml.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers saml.volumes list [] Configure any additional volumes that need to be attached to the pod scim object 
{\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/scim\",\"tag\":\"0.0.0-nightly\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"}},\"service\":{\"name\":\"http-scim\",\"port\":8080},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} System for Cross-domain Identity Management (SCIM) version 2.0 scim.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of scim.additionalLabels object {} Additional labels that will be added across the gateway in the format of scim.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. scim.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh scim.dnsConfig object {} Add custom dns config scim.dnsPolicy string \"\" Add custom dns policy scim.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler scim.hpa.behavior object {} Scaling Policies scim.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set scim.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. scim.image.pullSecrets list [] Image Pull Secrets scim.image.repository string \"ghcr.io/janssenproject/jans/scim\" Image to use for deploying. scim.image.tag string \"0.0.0-nightly\" Image tag to use for deploying. scim.livenessProbe object {\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for SCIM if needed. scim.livenessProbe.httpGet.path string \"/jans-scim/sys/health-check\" http liveness probe endpoint scim.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget scim.readinessProbe object {\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the readiness healthcheck for the SCIM if needed. scim.readinessProbe.httpGet.path string \"/jans-scim/sys/health-check\" http readiness probe endpoint scim.replicas int 1 Service replica number. scim.resources.limits.cpu string \"1000m\" CPU limit. scim.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. scim.resources.requests.cpu string \"1000m\" CPU request. scim.resources.requests.memory string \"1200Mi\" Memory request. scim.service.name string \"http-scim\" The name of the scim port within the scim service. 
Please keep it as default. scim.service.port int 8080 Port of the scim service. Please keep it as default. scim.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ scim.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service scim.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 scim.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 scim.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers scim.volumes list [] Configure any additional volumes that need to be attached to the pod","title":"Values"},{"location":"supergluu/","tags":["Super Gluu","Introduction"],"text":"Super Gluu Documentation # Super Gluu is a free and secure two-factor authentication (2FA) mobile app. Super Gluu app can be used to achieve 2FA for web and mobile applications with Janssen Server , Gluu Flex , and Gluu Server working as authentication servers. Super Gluu documentation is organized into the following sections: User Guide Admin Guide Developer Guide Compatibility # Super Gluu is compatible with all versions of Gluu Flex. FIDO Security # During Super Gluu authentication, the Gluu Flex does more than look at the device ID to grant access. Super Gluu uses the Gluu Flex Server's FIDO U2F endpoints to enroll a public key. The private key is stored on the device. At authentication time, the Gluu Flex sends a challenge-response to the device to check for the corresponding private key. This adds an extra layer of security to Super Gluu push notification authentications. How to Use Super Gluu # Super Gluu is tightly bundled with Janssen. 
Follow the Flex installation guide to deploy Gluu Flex, then follow the Super Gluu admin guide to configure and begin using Super Gluu for strong authentication. Workflows # Super Gluu supports multiple workflows, including: A one-step, passwordless authentication, where the person scans a QR code with their Super Gluu app and the Gluu Flex looks up which person is associated with that device. A two-step authentication, where the person enters their username and then receives an out-of-band push notification to the mobile device to authorize access (a.k.a identifier first authentication). A two-step authentication, where the person enters their username and password and then receives an out-of-band push notification to the mobile device to authorize access. In all scenarios, users are prompted to scan a QR code on their first Super Gluu authentication to bind their device and account. In the second and third workflows listed above, users begin receiving push notifications for all authentications after the initial device registration process. Testing locally # Super Gluu security is based on SSL and therefore expects a public server with valid certificates. To test locally on a non-public server, follow these steps Download Super Gluu # Super Gluu is available for free on the iOS and Android app marketplaces! Download the Android app Download the iOS app Contributors # The next version of Super Gluu will support localization in many languages. We'd like to extend our sincere appreciation to the following people for helping translate Super Gluu content: Jose Gonzalez, Gluu Gasmyr Mougang, Gluu Yumi Sano, iBridge Andrea Patricelli, Tirasa Yuriy Zabrovarrnay, Gluu Aliaksander Sameseu, Gluu Andre Koot, Nixu Mohammad Abudayyeh, Gluu Ganesh Dutt Sharma, Gluu Mohib Zico, Gluu Mustafa Baser, Gluu","title":"Super Gluu Documentation"},{"location":"supergluu/#super-gluu-documentation","text":"Super Gluu is a free and secure two-factor authentication (2FA) mobile app. 
Super Gluu app can be used to achieve 2FA for web and mobile applications with Janssen Server , Gluu Flex , and Gluu Server working as authentication servers. Super Gluu documentation is organized into the following sections: User Guide Admin Guide Developer Guide","title":"Super Gluu Documentation"},{"location":"supergluu/#compatibility","text":"Super Gluu is compatible with all versions of Gluu Flex.","title":"Compatibility"},{"location":"supergluu/#fido-security","text":"During Super Gluu authentication, the Gluu Flex does more than look at the device ID to grant access. Super Gluu uses the Gluu Flex Server's FIDO U2F endpoints to enroll a public key. The private key is stored on the device. At authentication time, the Gluu Flex sends a challenge-response to the device to check for the corresponding private key. This adds an extra layer of security to Super Gluu push notification authentications.","title":"FIDO Security"},{"location":"supergluu/#how-to-use-super-gluu","text":"Super Gluu is tightly bundled with Janssen. Follow the Flex installation guide to deploy Gluu Flex, then follow the Super Gluu admin guide to configure and begin using Super Gluu for strong authentication.","title":"How to Use Super Gluu"},{"location":"supergluu/#workflows","text":"Super Gluu supports multiple workflows, including: A one-step, passwordless authentication, where the person scans a QR code with their Super Gluu app and the Gluu Flex looks up which person is associated with that device. A two-step authentication, where the person enters their username and then receives an out-of-band push notification to the mobile device to authorize access (a.k.a identifier first authentication). A two-step authentication, where the person enters their username and password and then receives an out-of-band push notification to the mobile device to authorize access. 
In all scenarios, users are prompted to scan a QR code on their first Super Gluu authentication to bind their device and account. In the second and third workflows listed above, users begin receiving push notifications for all authentications after the initial device registration process.","title":"Workflows"},{"location":"supergluu/#testing-locally","text":"Super Gluu security is based on SSL and therefore expects a public server with valid certificates. To test locally on a non-public server, follow these steps","title":"Testing locally"},{"location":"supergluu/#download-super-gluu","text":"Super Gluu is available for free on the iOS and Android app marketplaces! Download the Android app Download the iOS app","title":"Download Super Gluu"},{"location":"supergluu/#contributors","text":"The next version of Super Gluu will support localization in many languages. We'd like to extend our sincere appreciation to the following people for helping translate Super Gluu content: Jose Gonzalez, Gluu Gasmyr Mougang, Gluu Yumi Sano, iBridge Andrea Patricelli, Tirasa Yuriy Zabrovarrnay, Gluu Aliaksander Sameseu, Gluu Andre Koot, Nixu Mohammad Abudayyeh, Gluu Ganesh Dutt Sharma, Gluu Mohib Zico, Gluu Mustafa Baser, Gluu","title":"Contributors"},{"location":"supergluu/admin-guide/","tags":["Super Gluu","administration","configuration"],"text":"Super Gluu Administration Guide # Obtaining an SSA # In order to set up Super Gluu, the administrator must obtain a Software Statement Assertion from Agama Lab . Login with GitHub or email, then sign up for a SCAN subscription. The free tier will give you 500 credits, which can be used for 500 SuperGluu API calls (1 call = 1 credit). Then, go over to the SSA tab and create a new SSA with the supergluu software role and an expiry date of your choice. Your SSA will no longer be useable after that date. After creating the SSA, you can click on Details and view the base64 encoded string of characters that represent the SSA. 
You will need this string during setup. Configuration on Gluu Flex # Log into Flex UI Navigate to Admin > Scripts > super_gluu Use the following properties: AS_SSA : Your base64 encoded SSA string from Agama Lab AS_ENDPOINT : https://account.gluu.org The rest of the values can be left as provided Enable super_gluu script Navigate to FIDO and Enable SuperGluu At this point, the Super Gluu module on Gluu Flex is configured and ready. This means that, using OpenID Connect acr_values , applications can now request Super Gluu authentication for users. You can verify this by going to the super_gluu script properties and seeing that the AS_CLIENT_ID and AS_CLIENT_SECRET fields are now populated. Configuration on Gluu Server 4.x # To get started, log into the Gluu Server dashboard (a.k.a. oxTrust) and do the following: Navigate to Configuration > Manage Custom Scripts . In the Person Authentication tab find the super_gluu authentication module. Use the following properties: AS_SSA : Your base64 encoded SSA string from Agama Lab AS_ENDPOINT : https://account.gluu.org The rest of the values can be left as provided Scroll down and find the Enable check box. Enable the script by clicking the check box. Scroll to the bottom of the page and click Update . Now Super Gluu is an available authentication mechanism for your Gluu Server. This means that, using OpenID Connect acr_values , applications can now request Super Gluu authentication for users. You can verify this by going to the super_gluu script properties and seeing that the AS_CLIENT_ID and AS_CLIENT_SECRET fields are now populated. Migration from old setups # If you are using a setup from before SCAN was implemented, you will need to migrate to the latest super_gluu interception script. 
Obtain the latest super_gluu interception script for Gluu Server or Jans Open the script configuration using one of the methods mentioned above, and navigate to super_gluu Replace the contents of the script with the new one Disable the script, and click Update . This will update the properties of the script configuration. Populate the AS_SSA and AS_ENDPOINT fields as described above. Enable the script by clicking the Enable check box Scroll to the bottom of the page and click Update The latest version of Super Gluu is now enabled on your server. Note To make sure Super Gluu has been enabled successfully, you can check your Gluu Server's OpenID Connect configuration by navigating to the following URL: https:///.well-known/openid-configuration . Find acr_values_supported and you should see super_gluu . Test 2FA Authentication Flow # To test the Super Gluu configuration from end to end, an administrator can follow the steps below: Change the default authentication method to super_gluu using this guide Keep this browser window active so you can revert the authentication method to the default one. Prepare your mobile device by following Super Gluu mobile app user guide Perform tests using a test user","title":"Administration Guide"},{"location":"supergluu/admin-guide/#super-gluu-administration-guide","text":"","title":"Super Gluu Administration Guide"},{"location":"supergluu/admin-guide/#obtaining-an-ssa","text":"In order to set up Super Gluu, the administrator must obtain a Software Statement Assertion from Agama Lab . Login with GitHub or email, then sign up for a SCAN subscription. The free tier will give you 500 credits, which can be used for 500 SuperGluu API calls (1 call = 1 credit). Then, go over to the SSA tab and create a new SSA with the supergluu software role and an expiry date of your choice. Your SSA will no longer be useable after that date. 
After creating the SSA, you can click on Details and view the base64 encoded string of characters that represent the SSA. You will need this string during setup.","title":"Obtaining an SSA"},{"location":"supergluu/admin-guide/#configuration-on-gluu-flex","text":"Log into Flex UI Navigate to Admin > Scripts > super_gluu Use the following properties: AS_SSA : Your base64 encoded SSA string from Agama Lab AS_ENDPOINT : https://account.gluu.org The rest of the values can be left as provided Enable super_gluu script Navigate to FIDO and Enable SuperGluu At this point, the Super Gluu module on Gluu Flex is configured and ready. This means that, using OpenID Connect acr_values , applications can now request Super Gluu authentication for users. You can verify this by going to the super_gluu script properties and seeing that the AS_CLIENT_ID and AS_CLIENT_SECRET fields are now populated.","title":"Configuration on Gluu Flex"},{"location":"supergluu/admin-guide/#configuration-on-gluu-server-4x","text":"To get started, log into the Gluu Server dashboard (a.k.a. oxTrust) and do the following: Navigate to Configuration > Manage Custom Scripts . In the Person Authentication tab find the super_gluu authentication module. Use the following properties: AS_SSA : Your base64 encoded SSA string from Agama Lab AS_ENDPOINT : https://account.gluu.org The rest of the values can be left as provided Scroll down and find the Enable check box. Enable the script by clicking the check box. Scroll to the bottom of the page and click Update . Now Super Gluu is an available authentication mechanism for your Gluu Server. This means that, using OpenID Connect acr_values , applications can now request Super Gluu authentication for users. 
You can verify this by going to the super_gluu script properties and seeing that the AS_CLIENT_ID and AS_CLIENT_SECRET fields are now populated.","title":"Configuration on Gluu Server 4.x"},{"location":"supergluu/admin-guide/#migration-from-old-setups","text":"If you are using a setup from before SCAN was implemented, you will need to migrate to the latest super_gluu interception script. Obtain the latest super_gluu interception script for Gluu Server or Jans Open the script configuration using one of the methods mentioned above, and navigate to super_gluu Replace the contents of the script with the new one Disable the script, and click Update . This will update the properties of the script configuration. Populate the AS_SSA and AS_ENDPOINT fields as described above. Enable the script by clicking the Enable check box Scroll to the bottom of the page and click Update The latest version of Super Gluu is now enabled on your server. Note To make sure Super Gluu has been enabled successfully, you can check your Gluu Server's OpenID Connect configuration by navigating to the following URL: https:///.well-known/openid-configuration . Find acr_values_supported and you should see super_gluu .","title":"Migration from old setups"},{"location":"supergluu/admin-guide/#test-2fa-authentication-flow","text":"To test the Super Gluu configuration from end to end, an administrator can follow the steps below: Change the default authentication method to super_gluu using this guide Keep this browser window active so you can revert the authentication method to the default one. Prepare your mobile device by following Super Gluu mobile app user guide Perform tests using a test user","title":"Test 2FA Authentication Flow"},{"location":"supergluu/developer-guide/","tags":["Super Gluu","Developer"],"text":"Super Gluu Developer Guide # Super Gluu is a two-factor authentication mobile application for iOS and Android. 
Super Gluu can be used as a strong authentication mechanism to access resources that are protected by Gluu's free open source central authentication server, called the Gluu Server . The below documentation describes what is happening during user enrollment and authentication. QR Code # During enrollment and authentication, the app goes through a few steps: The user scans the QR code, which contains identification data in the following format: { \"app\" : \"https://example.gluu.org\", \"state\" : \"dek4nwk6-dk56-sr43-4frt-4jfi30fltimd\" \"issuer\" : \"https://example.gluu.org\" \"created\" : \"2016-06-12T12:00:01.874000\" } Data from the QR code is changed into Fido U2F metadata: String discoveryUrl = oxPush2Request.getIssuer(); discoveryUrl += \"/.well-known/fido-u2f-configuration\"; final String discoveryJson = CommunicationService.get(discoveryUrl, null); final U2fMetaData u2fMetaData = new Gson().fromJson(discoveryJson, U2fMetaData.class); This metadata is sent to the server: ``` final List keyHandles = dataStore.getKeyHandlesByIssuerAndAppId(oxPush2Request.getIssuer(), oxPush2Request.getApp()); final boolean isEnroll = (keyHandles.size() == 0) || StringUtils.equals(oxPush2Request.getMethod(), \"enroll\"); final String u2fEndpoint; if (isEnroll) u2fEndpoint = u2fMetaData.getRegistrationEndpoint();// if enroll then get registration endpoint } else { u2fEndpoint = u2fMetaData.getAuthenticationEndpoint();// if authentication then get corresponding endpoint } validChallengeJsonResponse = CommunicationService.get(u2fEndpoint, parameters); ``` When the result comes back, it decides whether to enroll a new device or authenticate an existing one: if (isEnroll) { tokenResponse = oxPush2RequestListener.onEnroll(challengeJson, oxPush2Request, isDeny); } else { tokenResponse = oxPush2RequestListener.onSign(challengeJson, u2fMetaData.getIssuer(), isDeny); } Enrollment Process # If you scan a QR code for the first time and your device's UDID isn't attached to your user ID, 
the app will enroll it. First, it needs to prepare the data properties, as follows: > String version = request.getString(JSON_PROPERTY_VERSION); > String appParam = request.getString(JSON_PROPERTY_APP_ID); > String challenge = request.getString(JSON_PROPERTY_SERVER_CHALLENGE); > String origin = oxPush2Request.getIssuer(); > > EnrollmentResponse enrollmentResponse = u2fKey.register(new EnrollmentRequest(version, appParam, challenge, oxPush2Request)); During registration, the app generates a unique keyHandle and keyPair (public/private keys) to sign all data and uses an ECC algorithm to encode the required data, as follows: > TokenEntry tokenEntry = new TokenEntry(keyPairGenerator.keyPairToJson(keyPair), enrollmentRequest.getApplication(), enrollmentRequest.getOxPush2Request().getIssuer()); > . > . > . > dataStore.storeTokenEntry(keyHandle, tokenEntry); > byte[] userPublicKey = keyPairGenerator.encodePublicKey(keyPair.getPublic()); > > byte[] applicationSha256 = DigestUtils.sha256(application); > byte[] challengeSha256 = DigestUtils.sha256(challenge); > byte[] signedData = rawMessageCodec.encodeRegistrationSignedBytes(applicationSha256, challengeSha256, keyHandle, userPublicKey); > byte[] signature = keyPairGenerator.sign(signedData, certificatePrivateKey); > return new EnrollmentResponse(userPublicKey, keyHandle, vendorCertificate, signature); Now, all the data is converted into one-byte array, then one additional parameter is added, determining if the request is approved or denied, as follows: > JSONObject clientData = new JSONObject(); > if (isDeny){ > clientData.put(JSON_PROPERTY_REQUEST_TYPE, REGISTER_CANCEL_TYPE);//Deny > } else { > clientData.put(JSON_PROPERTY_REQUEST_TYPE, REQUEST_TYPE_REGISTER);//Approve > } > clientData.put(JSON_PROPERTY_SERVER_CHALLENGE, challenge); > clientData.put(JSON_PROPERTY_SERVER_ORIGIN, origin); > > String clientDataString = clientData.toString(); > byte[] resp = rawMessageCodec.encodeRegisterResponse(enrollmentResponse); > > 
JSONObject response = new JSONObject(); > response.put(\"registrationData\", Utils.base64UrlEncode(resp)); > response.put(\"clientData\", Utils.base64UrlEncode(clientDataString.getBytes(Charset.forName(\"ASCII\")))); > response.put(\"deviceData\", Utils.base64UrlEncode(deviceDataString.getBytes(Charset.forName(\"ASCII\")))); > > TokenResponse tokenResponse = new TokenResponse(); > tokenResponse.setResponse(response.toString()); > tokenResponse.setChallenge(new String(challenge)); > tokenResponse.setKeyHandle(new String(enrollmentResponse.getKeyHandle())); > > return tokenResponse; For authentication, all information is associated with your device UDID and the app retrieves the data from the data store each time, as follows: > TokenEntry tokenEntry = dataStore.getTokenEntry(keyHandle); > String keyPairJson = tokenEntry.getKeyPair(); > keyPair = keyPairGenerator.keyPairFromJson(keyPairJson); > int counter = dataStore.incrementCounter(keyHandle); > byte userPresence = userPresenceVerifier.verifyUserPresence(); > byte[] applicationSha256 = DigestUtils.sha256(application); > byte[] challengeSha256 = DigestUtils.sha256(challenge); > byte[] signedData = rawMessageCodec.encodeAuthenticateSignedBytes(applicationSha256, userPresence, counter, challengeSha256); > return new AuthenticateResponse(userPresence, counter, signature); The onEnroll and onSign methods prepare the parameters and data before the call to the server. For more information about these two methods, see the Super Gluu Git repo. Now, the app makes one last call to the server: > final Map parameters = new HashMap(); > parameters.put(\"username\", oxPush2Request.getUserName()); > parameters.put(\"tokenResponse\", tokenResponse.getResponse()); > > final String resultJsonResponse = CommunicationService.post(u2fEndpoint, parameters); The string resultJsonResponse contains the JSON result. The app extracts some additional information from this result. 
Check enrollment or authentication success using the u2fOperationResult.getStatus() field, as follows: > LogInfo log = new LogInfo(); > log.setIssuer(oxPush2Request.getIssuer()); > log.setUserName(oxPush2Request.getUserName()); > log.setLocationIP(oxPush2Request.getLocationIP()); > log.setLocationAddress(oxPush2Request.getLocationCity()); > log.setCreatedDate(String.valueOf(System.currentTimeMillis()));//oxPush2Request.getCreated()); > log.setMethod(oxPush2Request.getMethod()); Testing locally # The following is a method for testing Super Gluu locally on a non-public server. This guide assumes a Gluu Server has been installed and is operational. Warning The following testing steps mimic a MITM attack, so needless to say, these instructions are for development purposes only! In the Gluu Server VM settings, change the network adapter connection type from NAT to Bridged; The Gluu Server and smartphone should be connected to WiFi on the same local network Log into the VM and run ifconfig in the terminal to get the IP address of the Gluu Server In oxTrust, enable the Super Gluu authentication script Update the host file on the machine where you are running the browser to log in. Example: 192.168.1.232 c67.example.info Run ipconfig / ifconfig on the machine where you are planning to run your DNS server. Configure any DNS server to allow resovle u144.example.info.=192.168.1.232 . For example you can use a lightweight WindowsDNS DNS proxy server Create a dns.config file in the folder with dedserver.jar. Example file content: u144.example.info.=192.168.1.232 Checkut and build https://github.com/JonahAragon/WindowsDNS Run the DNS server using a command like this: java -jar dedserver.jar Create a dns.config file in the folder with dedserver.jar . 
Example file content: u144.example.info.=192.168.1.232 Run the DNS server using a command like this: java -jar dedserver.jar On your mobile phone, open the WiFi connection details and specify the DNS server IP from Step 6 Now you can test Super Gluu After you finish testing, don't forget to change your WiFi connection type on the mobile phone back to use the automatic settings.","title":"Developer Guide"},{"location":"supergluu/developer-guide/#super-gluu-developer-guide","text":"Super Gluu is a two-factor authentication mobile application for iOS and Android. Super Gluu can be used as a strong authentication mechanism to access resources that are protected by Gluu's free open source central authentication server, called the Gluu Server . The below documentation describes what is happening during user enrollment and authentication.","title":"Super Gluu Developer Guide"},{"location":"supergluu/developer-guide/#qr-code","text":"During enrollment and authentication, the app goes through a few steps: The user scans the QR code, which contains identification data in the following format: { \"app\" : \"https://example.gluu.org\", \"state\" : \"dek4nwk6-dk56-sr43-4frt-4jfi30fltimd\" \"issuer\" : \"https://example.gluu.org\" \"created\" : \"2016-06-12T12:00:01.874000\" } Data from the QR code is changed into Fido U2F metadata: String discoveryUrl = oxPush2Request.getIssuer(); discoveryUrl += \"/.well-known/fido-u2f-configuration\"; final String discoveryJson = CommunicationService.get(discoveryUrl, null); final U2fMetaData u2fMetaData = new Gson().fromJson(discoveryJson, U2fMetaData.class); This metadata is sent to the server: ``` final List keyHandles = dataStore.getKeyHandlesByIssuerAndAppId(oxPush2Request.getIssuer(), oxPush2Request.getApp()); final boolean isEnroll = (keyHandles.size() == 0) || StringUtils.equals(oxPush2Request.getMethod(), \"enroll\"); final String u2fEndpoint; if (isEnroll) u2fEndpoint = u2fMetaData.getRegistrationEndpoint();// if enroll then get 
registration endpoint } else { u2fEndpoint = u2fMetaData.getAuthenticationEndpoint();// if authentication then get corresponding endpoint } validChallengeJsonResponse = CommunicationService.get(u2fEndpoint, parameters); ``` When the result comes back, it decides whether to enroll a new device or authenticate an existing one: if (isEnroll) { tokenResponse = oxPush2RequestListener.onEnroll(challengeJson, oxPush2Request, isDeny); } else { tokenResponse = oxPush2RequestListener.onSign(challengeJson, u2fMetaData.getIssuer(), isDeny); }","title":"QR Code"},{"location":"supergluu/developer-guide/#enrollment-process","text":"If you scan a QR code for the first time and your device's UDID isn't attached to your user ID, the app will enroll it. First, it needs to prepare the data properties, as follows: > String version = request.getString(JSON_PROPERTY_VERSION); > String appParam = request.getString(JSON_PROPERTY_APP_ID); > String challenge = request.getString(JSON_PROPERTY_SERVER_CHALLENGE); > String origin = oxPush2Request.getIssuer(); > > EnrollmentResponse enrollmentResponse = u2fKey.register(new EnrollmentRequest(version, appParam, challenge, oxPush2Request)); During registration, the app generates a unique keyHandle and keyPair (public/private keys) to sign all data and uses an ECC algorithm to encode the required data, as follows: > TokenEntry tokenEntry = new TokenEntry(keyPairGenerator.keyPairToJson(keyPair), enrollmentRequest.getApplication(), enrollmentRequest.getOxPush2Request().getIssuer()); > . > . > . 
> dataStore.storeTokenEntry(keyHandle, tokenEntry); > byte[] userPublicKey = keyPairGenerator.encodePublicKey(keyPair.getPublic()); > > byte[] applicationSha256 = DigestUtils.sha256(application); > byte[] challengeSha256 = DigestUtils.sha256(challenge); > byte[] signedData = rawMessageCodec.encodeRegistrationSignedBytes(applicationSha256, challengeSha256, keyHandle, userPublicKey); > byte[] signature = keyPairGenerator.sign(signedData, certificatePrivateKey); > return new EnrollmentResponse(userPublicKey, keyHandle, vendorCertificate, signature); Now, all the data is converted into one-byte array, then one additional parameter is added, determining if the request is approved or denied, as follows: > JSONObject clientData = new JSONObject(); > if (isDeny){ > clientData.put(JSON_PROPERTY_REQUEST_TYPE, REGISTER_CANCEL_TYPE);//Deny > } else { > clientData.put(JSON_PROPERTY_REQUEST_TYPE, REQUEST_TYPE_REGISTER);//Approve > } > clientData.put(JSON_PROPERTY_SERVER_CHALLENGE, challenge); > clientData.put(JSON_PROPERTY_SERVER_ORIGIN, origin); > > String clientDataString = clientData.toString(); > byte[] resp = rawMessageCodec.encodeRegisterResponse(enrollmentResponse); > > JSONObject response = new JSONObject(); > response.put(\"registrationData\", Utils.base64UrlEncode(resp)); > response.put(\"clientData\", Utils.base64UrlEncode(clientDataString.getBytes(Charset.forName(\"ASCII\")))); > response.put(\"deviceData\", Utils.base64UrlEncode(deviceDataString.getBytes(Charset.forName(\"ASCII\")))); > > TokenResponse tokenResponse = new TokenResponse(); > tokenResponse.setResponse(response.toString()); > tokenResponse.setChallenge(new String(challenge)); > tokenResponse.setKeyHandle(new String(enrollmentResponse.getKeyHandle())); > > return tokenResponse; For authentication, all information is associated with your device UDID and the app retrieves the data from the data store each time, as follows: > TokenEntry tokenEntry = dataStore.getTokenEntry(keyHandle); > String keyPairJson 
= tokenEntry.getKeyPair(); > keyPair = keyPairGenerator.keyPairFromJson(keyPairJson); > int counter = dataStore.incrementCounter(keyHandle); > byte userPresence = userPresenceVerifier.verifyUserPresence(); > byte[] applicationSha256 = DigestUtils.sha256(application); > byte[] challengeSha256 = DigestUtils.sha256(challenge); > byte[] signedData = rawMessageCodec.encodeAuthenticateSignedBytes(applicationSha256, userPresence, counter, challengeSha256); > return new AuthenticateResponse(userPresence, counter, signature); The onEnroll and onSign methods prepare the parameters and data before the call to the server. For more information about these two methods, see the Super Gluu Git repo. Now, the app makes one last call to the server: > final Map parameters = new HashMap(); > parameters.put(\"username\", oxPush2Request.getUserName()); > parameters.put(\"tokenResponse\", tokenResponse.getResponse()); > > final String resultJsonResponse = CommunicationService.post(u2fEndpoint, parameters); The string resultJsonResponse contains the JSON result. The app extracts some additional information from this result. Check enrollment or authentication success using the u2fOperationResult.getStatus() field, as follows: > LogInfo log = new LogInfo(); > log.setIssuer(oxPush2Request.getIssuer()); > log.setUserName(oxPush2Request.getUserName()); > log.setLocationIP(oxPush2Request.getLocationIP()); > log.setLocationAddress(oxPush2Request.getLocationCity()); > log.setCreatedDate(String.valueOf(System.currentTimeMillis()));//oxPush2Request.getCreated()); > log.setMethod(oxPush2Request.getMethod());","title":"Enrollment Process"},{"location":"supergluu/developer-guide/#testing-locally","text":"The following is a method for testing Super Gluu locally on a non-public server. This guide assumes a Gluu Server has been installed and is operational. Warning The following testing steps mimic a MITM attack, so needless to say, these instructions are for development purposes only! 
In the Gluu Server VM settings, change the network adapter connection type from NAT to Bridged; The Gluu Server and smartphone should be connected to WiFi on the same local network Log into the VM and run ifconfig in the terminal to get the IP address of the Gluu Server In oxTrust, enable the Super Gluu authentication script Update the host file on the machine where you are running the browser to log in. Example: 192.168.1.232 c67.example.info Run ipconfig / ifconfig on the machine where you are planning to run your DNS server. Configure any DNS server to allow resovle u144.example.info.=192.168.1.232 . For example you can use a lightweight WindowsDNS DNS proxy server Create a dns.config file in the folder with dedserver.jar. Example file content: u144.example.info.=192.168.1.232 Checkut and build https://github.com/JonahAragon/WindowsDNS Run the DNS server using a command like this: java -jar dedserver.jar Create a dns.config file in the folder with dedserver.jar . Example file content: u144.example.info.=192.168.1.232 Run the DNS server using a command like this: java -jar dedserver.jar On your mobile phone, open the WiFi connection details and specify the DNS server IP from Step 6 Now you can test Super Gluu After you finish testing, don't forget to change your WiFi connection type on the mobile phone back to use the automatic settings.","title":"Testing locally"},{"location":"supergluu/user-guide/","tags":["Super Gluu","User Guide"],"text":"Super Gluu User Guide # This guide will show how to use the Super Gluu two-factor authentication mobile application. It covers the initial setup, managing keys and logs, and general settings. Note The screenshots below are shown in iOS. Android is roughly the same. Initial Setup # Camera Access Prompt # After installation, Super Gluu will request access to use your camera, which is used to scan a QR code to set up your two-factor authentication. 
Choose Login Method # For additional security, Super Gluu gives you the option to configure either a passcode or TouchID to access Super Gluu. This choice can be changed in the application settings later. Note After 5 unsuccessful attempts to enter the passcode, the app is locked for 10 minutes. Screen for the passcode and TouchID selection Screen for enabling passcode Screen for enabling TouchID Confirm Push Notification # Next, it will ask for permission to send push notifications from the Flex. This choice can be changed later in the device settings. More information about the push notification will be covered later in the document. Main Screen # After configuration, the main screen is displayed. It features the main enrollment button in the center and the menu button in the top right. QR Code Enrollment # To enroll a device, enter the credentials in your Flex web app to generate a QR code, then click the Scan QR Code button on the Super Gluu app's Home screen: After it scans the code and the server returns the request correctly, it will prompt to Approve or Deny . To continue the enrollment/authentication process, click Approve : The timer on the top right of the screen shows the time limit to choose to Approve or Deny . As time runs out, the number's color will change: yellow if it's under 20 seconds, red if it's under 10. Next, it will redirect to the main page and display a success message. Menu # After pressing the menu button, you'll get the option to view logs, keys, settings, and help files. You can also check the current app version in the bottom right corner. Tapping it for several seconds will show the details of the latest commit. Logs # Each time it enrolls or authenticates a device, the app will save corresponding logs in the Logs tab. The log details whether authentication was successful, with more details available if the log is tapped on. Clear these logs if desired by swiping left on the log, then tapping the red button. 
The Log tab will report the enrollment and authentication process and display who logged in, when, and from where. Just tap on the log to get to the information screen. The information screen contains data about: Flex name & server URL Username IP address & location Time & date Keys # This tab contains all available keys for each Flex. A key is a unique file that is generated during enrollment and is used to authenticate the device on the server. If a key for a server is deleted, enroll again with a new key. Note If you delete a key from your app but wish to re-enroll the same device against the same server, the corresponding entry for that device also needs to be removed from the user record in the Flex. To change a key's name, swipe left on it and tap the green button. To delete a key, swipe left on the key, then tap the red button. Settings # In the Settings tab, there are options to configure the passcode or TouchID. Push Notifications # Super Gluu can receive push notifications from Flex. The server can send an enrollment or authentication request to the application, as if it scanned the QR code directly. After choosing to receive push notifications either during initial setup or through the Settings tab later, enroll through the server. Super Gluu will send a token to the server, which will be used to send push notifications to the device. After receiving the notification, tap Approve or Deny directly from the push menu. Super Gluu can receive a notification when the application is running in the foreground. It will look just like the original authentication screen. Device Settings, iPad Support # There are a few options for Super Gluu in the device settings - push notifications, location, access to the camera, and passcode protection. Any change made in the device settings will take effect in the application. Super Gluu can run on iPads, and the layout is the same for all IOS devices. 
For more information, please see the Gluu Website","title":"User Guide"},{"location":"supergluu/user-guide/#super-gluu-user-guide","text":"This guide will show how to use the Super Gluu two-factor authentication mobile application. It covers the initial setup, managing keys and logs, and general settings. Note The screenshots below are shown in iOS. Android is roughly the same.","title":"Super Gluu User Guide"},{"location":"supergluu/user-guide/#initial-setup","text":"","title":"Initial Setup"},{"location":"supergluu/user-guide/#camera-access-prompt","text":"After installation, Super Gluu will request access to use your camera, which is used to scan a QR code to set up your two-factor authentication.","title":"Camera Access Prompt"},{"location":"supergluu/user-guide/#choose-login-method","text":"For additional security, Super Gluu gives you the option to configure either a passcode or TouchID to access Super Gluu. This choice can be changed in the application settings later. Note After 5 unsuccessful attempts to enter the passcode, the app is locked for 10 minutes. Screen for the passcode and TouchID selection Screen for enabling passcode Screen for enabling TouchID","title":"Choose Login Method"},{"location":"supergluu/user-guide/#confirm-push-notification","text":"Next, it will ask for permission to send push notifications from the Flex. This choice can be changed later in the device settings. More information about the push notification will be covered later in the document.","title":"Confirm Push Notification"},{"location":"supergluu/user-guide/#main-screen","text":"After configuration, the main screen is displayed. 
It features the main enrollment button in the center and the menu button in the top right.","title":"Main Screen"},{"location":"supergluu/user-guide/#qr-code-enrollment","text":"To enroll a device, enter the credentials in your Flex web app to generate a QR code, then click the Scan QR Code button on the Super Gluu app's Home screen: After it scans the code and the server returns the request correctly, it will prompt to Approve or Deny . To continue the enrollment/authentication process, click Approve : The timer on the top right of the screen shows the time limit to choose to Approve or Deny . As time runs out, the number's color will change: yellow if it's under 20 seconds, red if it's under 10. Next, it will redirect to the main page and display a success message.","title":"QR Code Enrollment"},{"location":"supergluu/user-guide/#menu","text":"After pressing the menu button, you'll get the option to view logs, keys, settings, and help files. You can also check the current app version in the bottom right corner. Tapping it for several seconds will show the details of the latest commit.","title":"Menu"},{"location":"supergluu/user-guide/#logs","text":"Each time it enrolls or authenticates a device, the app will save corresponding logs in the Logs tab. The log details whether authentication was successful, with more details available if the log is tapped on. Clear these logs if desired by swiping left on the log, then tapping the red button. The Log tab will report the enrollment and authentication process and display who logged in, when, and from where. Just tap on the log to get to the information screen. The information screen contains data about: Flex name & server URL Username IP address & location Time & date","title":"Logs"},{"location":"supergluu/user-guide/#keys","text":"This tab contains all available keys for each Flex. A key is a unique file that is generated during enrollment and is used to authenticate the device on the server. 
If a key for a server is deleted, enroll again with a new key. Note If you delete a key from your app but wish to re-enroll the same device against the same server, the corresponding entry for that device also needs to be removed from the user record in the Flex. To change a key's name, swipe left on it and tap the green button. To delete a key, swipe left on the key, then tap the red button.","title":"Keys"},{"location":"supergluu/user-guide/#settings","text":"In the Settings tab, there are options to configure the passcode or TouchID.","title":"Settings"},{"location":"supergluu/user-guide/#push-notifications","text":"Super Gluu can receive push notifications from Flex. The server can send an enrollment or authentication request to the application, as if it scanned the QR code directly. After choosing to receive push notifications either during initial setup or through the Settings tab later, enroll through the server. Super Gluu will send a token to the server, which will be used to send push notifications to the device. After receiving the notification, tap Approve or Deny directly from the push menu. Super Gluu can receive a notification when the application is running in the foreground. It will look just like the original authentication screen.","title":"Push Notifications"},{"location":"supergluu/user-guide/#device-settings-ipad-support","text":"There are a few options for Super Gluu in the device settings - push notifications, location, access to the camera, and passcode protection. Any change made in the device settings will take effect in the application. Super Gluu can run on iPads, and the layout is the same for all IOS devices. 
For more information, please see the Gluu Website","title":"Device Settings, iPad Support"}]} \ No newline at end of file +{"config":{"indexing":"full","lang":["en"],"min_search_length":3,"prebuild_index":false,"separator":"[\\s\\-]+"},"docs":[{"location":"","text":"Gluu Flex Documentation # Introduction # Designed from the ground up to support cloud-native deployments, Gluu Flex is a self-hosted software stack to enable your organization to build a world-class digital identity platform to authenticate both people and software. With Helm charts available out of the box, Gluu Flex can handle the most demanding requirements for concurrency. Thanks to cloud-native auto-scaling and zero downtime updates, you can build a robust, multi-datacenter topology. You can take advantage of new cloud databases like Amazon Aurora and Google Spanner. Common use cases include: Single sign-on (SSO) Mobile authentication API access management Two-factor authentication (2FA) Customer identity and access management (CIAM) Identity federation Built on Janssen # Gluu Flex is a downstream product of the Linux Foundation Janssen Project . It was created for enterprise customers who want a commercially supported distribution, plus some additional tools to ease administration. Harness Low Code Authentication Flows with Agama # Gluu Flex uses Agama to offer an alternative way to build web-based authentication flows. Traditionally, person authentication flows are defined in the server with jython scripts that adhere to a predefined API. With Agama, flows are coded using a DSL (domain specific language) designed for the sole purpose of writing web flows. Agama flows are simpler, more intuitive, and quicker to build. Support # The Gluu Flex contract includes guaranteed response times and consultative support via our support portal . Looking for older documentation versions? # The Janssen Project posts the last five versions of the documentation. 
If you are looking for older versions, you can find them unprocessed in the docs folder. Select the version of choice from the tag dropdown in GitHub. If you want to process them you may do so by following the steps below : Testing Documentation Changes Locally # While contributing documentation to official Gluu documentation it is important to make sure that documents meet style guidelines and have been proofread to remove any typographical or grammatical errors. Gluu uses Material for MkDocs to create the documentation site. Before new content is pushed to the repository on GitHub, it should be tested locally by the author. Author can do this by deploying Material for MkDocs locally. High-level steps involve: Install Material for MkDocs Install required plugins Preview as you write","title":"Overview"},{"location":"#gluu-flex-documentation","text":"","title":"Gluu Flex Documentation"},{"location":"#introduction","text":"Designed from the ground up to support cloud-native deployments, Gluu Flex is a self-hosted software stack to enable your organization to build a world-class digital identity platform to authenticate both people and software. With Helm charts available out of the box, Gluu Flex can handle the most demanding requirements for concurrency. Thanks to cloud-native auto-scaling and zero downtime updates, you can build a robust, multi-datacenter topology. You can take advantage of new cloud databases like Amazon Aurora and Google Spanner. Common use cases include: Single sign-on (SSO) Mobile authentication API access management Two-factor authentication (2FA) Customer identity and access management (CIAM) Identity federation","title":"Introduction"},{"location":"#built-on-janssen","text":"Gluu Flex is a downstream product of the Linux Foundation Janssen Project . 
It was created for enterprise customers who want a commercially supported distribution, plus some additional tools to ease administration.","title":"Built on Janssen"},{"location":"#harness-low-code-authentication-flows-with-agama","text":"Gluu Flex uses Agama to offer an alternative way to build web-based authentication flows. Traditionally, person authentication flows are defined in the server with jython scripts that adhere to a predefined API. With Agama, flows are coded using a DSL (domain specific language) designed for the sole purpose of writing web flows. Agama flows are simpler, more intuitive, and quicker to build.","title":"Harness Low Code Authentication Flows with Agama"},{"location":"#support","text":"The Gluu Flex contract includes guaranteed response times and consultative support via our support portal .","title":"Support"},{"location":"#looking-for-older-documentation-versions","text":"The Janssen Project posts the last five versions of the documentation. If you are looking for older versions, you can find them unprocessed in the docs folder. Select the version of choice from the tag dropdown in GitHub. If you want to process them you may do so by following the steps below :","title":"Looking for older documentation versions?"},{"location":"#testing-documentation-changes-locally","text":"While contributing documentation to official Gluu documentation it is important to make sure that documents meet style guidelines and have been proofread to remove any typographical or grammatical errors. Gluu uses Material for MkDocs to create the documentation site. Before new content is pushed to the repository on GitHub, it should be tested locally by the author. Author can do this by deploying Material for MkDocs locally. 
High-level steps involve: Install Material for MkDocs Install required plugins Preview as you write","title":"Testing Documentation Changes Locally"},{"location":"CHANGELOG/","text":"Changelog # 5.0.0-21 (2023-12-18) # Bug Fixes # prepare for 5.0.0-21 release ( cee44ca ) 5.0.0-20 (2023-11-16) # Features # aio chart ( #1436 ) ( a20a695 ) Bug Fixes # docs: update casa base URI ( #1440 ) ( 495536c ) prepare for 5.0.0-20 release ( f74643c ) 5.0.0-19 (2023-10-12) # Features # docs: remove Casa files from Flex ( a5b7fcd ) Bug Fixes # docs: remove Casa image assets ( 0b9f0b4 ) docs: update docs w.r.t casa move to Jans ( 5b7d3fd ) docs: update docs w.r.t casa move to Jans ( 16f647c ) prepare for 5.0.0-19 release ( 2d8e13d ) 5.0.0-18 (2023-09-23) # Features # adding configuration and logs details ( d136f3d ) updating configuration docs ( a1933e3 ) Bug Fixes # prepare for 5.0.0-18 release ( 29f822f ) prepare for 5.0.0-18 release ( 4af69cb ) versioning ( 1abf437 ) 5.0.0-16 (2023-08-14) # Bug Fixes # prepare for 5.0.0-16 release ( 699d534 ) 5.0.0-15 (2023-07-14) # Features # adding tags ( 7841e03 ) documentation of admin-ui #1063 ( 3cf1e7b ) documentation of admin-ui #1063 ( 48233d3 ) edit flex license contents ( 8d7f749 ) making changes as per review comments ( 1bcd39b ) making changes as per review comments ( 5c636fb ) Bug Fixes # doc: added How to configure SuperGluu in Flex ( 6b7beef ) doc: adding SG screenshot - 2 ( e06bd79 ) doc: adding SG screenshot-1 ( b581a03 ) doc: enable SG - 2 ( d86ec85 ) doc: Flex SG doc review - How to Use SuperGluu ( f564dd1 ) doc: hiding ad removal related doc ( 5354e84 ) doc: how to enable SG in Flex-UI ( 4851205 ) doc: index page flex ( 7d48422 ) doc: removing key list from user record info ( 01b671a ) docs: flex-ui SG -- Compatability ( f78c46a ) doc: SG flex - How to use Super Gluu-1 ( e07641c ) doc: sg flex - how to use Super Gluu-screenshot location ( 7798023 ) doc: sg workflows ( 601b237 ) docs: test SG authentication ( 32f6b24 ) doc: 
test authentication SG ( 6d0f550 ) doc: Test authentication user guide ( a554646 ) doc: uploading modified screenshot ( 0e9e0cf ) prepare for 5.0.0-15 release ( 664553a ) 5.0.0-14 (2023-06-12) # Bug Fixes # prepare for 5.0.0-14 release ( 9481f55 ) 5.0.0-13 (2023-05-12) # Bug Fixes # admin-ui: add apply button ( d334103 ) blockUI converted to functional component ( 4b8e7bd ) email_2fa_core/install.bat has been removed; ( f27e461 ) prepare for 5.0.13 release ( 8578827 ) profile details is distorted when multiple roles assigned to the user ( e4603d8 ) revert prod webpack config of static & fonts files ( 96fa135 ) 5.0.0-12 (2023-04-18) # Bug Fixes # prepare for 5.0.12 release ( 994c985 ) 5.0.0-11 (2023-04-06) # Bug Fixes # prepare for 5.0.11 release ( d3cc35a ) 5.0.0-10 (2023-03-16) # Bug Fixes # add cn license enforcment to chart ( 55fb0c9 ) prepare for 5.0.10 release ( 1ffcbc7 ) 5.0.0-9 (2023-03-09) # Bug Fixes # docs: ubuntu install download location ( bb3a5cd ) prepare for 5.0.0-9 release ( 716d309 ) 5.0.0-8 (2023-03-02) # Bug Fixes # prepare for 5.0.0-8 release ( 29e0cbb ) 5.0.0-7 (2023-02-22) # Bug Fixes # prepare for 5.0.0-7 release ( 7f96937 ) 5.0.0-4 (2022-12-08) # Bug Fixes # getting ready for a release ( a0de091 ) 5.0.0-3 (2022-11-08) # Features # admin-ui: reviewed previously updated dependencies #416 ( ab81760 ) Bug Fixes # getting ready to release 5.0.0-3 ( e8f3ecc ) Miscellaneous Chores # release 5.0.0-2 ( 06c6e64 )","title":"Changelog"},{"location":"CHANGELOG/#changelog","text":"","title":"Changelog"},{"location":"CHANGELOG/#500-21-2023-12-18","text":"","title":"5.0.0-21 (2023-12-18)"},{"location":"CHANGELOG/#bug-fixes","text":"prepare for 5.0.0-21 release ( cee44ca )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-20-2023-11-16","text":"","title":"5.0.0-20 (2023-11-16)"},{"location":"CHANGELOG/#features","text":"aio chart ( #1436 ) ( a20a695 )","title":"Features"},{"location":"CHANGELOG/#bug-fixes_1","text":"docs: update casa base URI ( #1440 ) ( 
495536c ) prepare for 5.0.0-20 release ( f74643c )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-19-2023-10-12","text":"","title":"5.0.0-19 (2023-10-12)"},{"location":"CHANGELOG/#features_1","text":"docs: remove Casa files from Flex ( a5b7fcd )","title":"Features"},{"location":"CHANGELOG/#bug-fixes_2","text":"docs: remove Casa image assets ( 0b9f0b4 ) docs: update docs w.r.t casa move to Jans ( 5b7d3fd ) docs: update docs w.r.t casa move to Jans ( 16f647c ) prepare for 5.0.0-19 release ( 2d8e13d )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-182023-09-23","text":"","title":"5.0.0-18(2023-09-23)"},{"location":"CHANGELOG/#features_2","text":"adding configuration and logs details ( d136f3d ) updating configuration docs ( a1933e3 )","title":"Features"},{"location":"CHANGELOG/#bug-fixes_3","text":"prepare for 5.0.0-18 release ( 29f822f ) prepare for 5.0.0-18 release ( 4af69cb ) versioning ( 1abf437 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-16-2023-08-14","text":"","title":"5.0.0-16 (2023-08-14)"},{"location":"CHANGELOG/#bug-fixes_4","text":"prepare for 5.0.0-16 release ( 699d534 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-15-2023-07-14","text":"","title":"5.0.0-15 (2023-07-14)"},{"location":"CHANGELOG/#features_3","text":"adding tags ( 7841e03 ) documentation of admin-ui #1063 ( 3cf1e7b ) documentation of admin-ui #1063 ( 48233d3 ) edit flex license contents ( 8d7f749 ) making changes as per review comments ( 1bcd39b ) making changes as per review comments ( 5c636fb )","title":"Features"},{"location":"CHANGELOG/#bug-fixes_5","text":"doc: added How to configure SuperGluu in Flex ( 6b7beef ) doc: adding SG screenshot - 2 ( e06bd79 ) doc: adding SG screenshot-1 ( b581a03 ) doc: enable SG - 2 ( d86ec85 ) doc: Flex SG doc review - How to Use SuperGluu ( f564dd1 ) doc: hiding ad removal related doc ( 5354e84 ) doc: how to enable SG in Flex-UI ( 4851205 ) doc: index page flex ( 7d48422 ) doc: removing key list from user record info ( 01b671a ) docs: 
flex-ui SG -- Compatability ( f78c46a ) doc: SG flex - How to use Super Gluu-1 ( e07641c ) doc: sg flex - how to use Super Gluu-screenshot location ( 7798023 ) doc: sg workflows ( 601b237 ) docs: test SG authentication ( 32f6b24 ) doc: test authentication SG ( 6d0f550 ) doc: Test authentication user guide ( a554646 ) doc: uploading modified screenshot ( 0e9e0cf ) prepare for 5.0.0-15 release ( 664553a )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-14-2023-06-12","text":"","title":"5.0.0-14 (2023-06-12)"},{"location":"CHANGELOG/#bug-fixes_6","text":"prepare for 5.0.0-14 release ( 9481f55 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-13-2023-05-12","text":"","title":"5.0.0-13 (2023-05-12)"},{"location":"CHANGELOG/#bug-fixes_7","text":"admin-ui: add apply button ( d334103 ) blockUI converted to functional component ( 4b8e7bd ) email_2fa_core/install.bat has been removed; ( f27e461 ) prepare for 5.0.13 release ( 8578827 ) profile details is distorted when multiple roles assigned to the user ( e4603d8 ) revert prod webpack config of static & fonts files ( 96fa135 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-12-2023-04-18","text":"","title":"5.0.0-12 (2023-04-18)"},{"location":"CHANGELOG/#bug-fixes_8","text":"prepare for 5.0.12 release ( 994c985 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-11-2023-04-06","text":"","title":"5.0.0-11 (2023-04-06)"},{"location":"CHANGELOG/#bug-fixes_9","text":"prepare for 5.0.11 release ( d3cc35a )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-10-2023-03-16","text":"","title":"5.0.0-10 (2023-03-16)"},{"location":"CHANGELOG/#bug-fixes_10","text":"add cn license enforcment to chart ( 55fb0c9 ) prepare for 5.0.10 release ( 1ffcbc7 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-9-2023-03-09","text":"","title":"5.0.0-9 (2023-03-09)"},{"location":"CHANGELOG/#bug-fixes_11","text":"docs: ubuntu install download location ( bb3a5cd ) prepare for 5.0.0-9 release ( 716d309 )","title":"Bug 
Fixes"},{"location":"CHANGELOG/#500-8-2023-03-02","text":"","title":"5.0.0-8 (2023-03-02)"},{"location":"CHANGELOG/#bug-fixes_12","text":"prepare for 5.0.0-8 release ( 29e0cbb )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-7-2023-02-22","text":"","title":"5.0.0-7 (2023-02-22)"},{"location":"CHANGELOG/#bug-fixes_13","text":"prepare for 5.0.0-7 release ( 7f96937 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-4-2022-12-08","text":"","title":"5.0.0-4 (2022-12-08)"},{"location":"CHANGELOG/#bug-fixes_14","text":"getting ready for a release ( a0de091 )","title":"Bug Fixes"},{"location":"CHANGELOG/#500-3-2022-11-08","text":"","title":"5.0.0-3 (2022-11-08)"},{"location":"CHANGELOG/#features_4","text":"admin-ui: reviewed previously updated dependencies #416 ( ab81760 )","title":"Features"},{"location":"CHANGELOG/#bug-fixes_15","text":"getting ready to release 5.0.0-3 ( e8f3ecc )","title":"Bug Fixes"},{"location":"CHANGELOG/#miscellaneous-chores","text":"release 5.0.0-2 ( 06c6e64 )","title":"Miscellaneous Chores"},{"location":"admin/","text":"Gluu Flex Admin Guide # Overview # Gluu Flex is a commercially supported distribution of the Janssen Project , including the OpenID, OAuth, Config, FIDO, Casa, and SCIM Server components. Additionally, Flex includes the commercially licensed Flex Admin UI. Janssen Documentation # Central to Gluu Flex is the Janssen Project . Janssen enables organizations to build a scalable centralized authentication and authorization service using free open source software. Admin UI # The Gluu Flex Admin UI is a reactive web interface to simplify the management and configuration of your Auth Server. 
The Admin UI enables you to easily view and edit configuration properties, interception scripts, clients, and metrics in one place.","title":"Gluu Flex Admin Guide"},{"location":"admin/#gluu-flex-admin-guide","text":"","title":"Gluu Flex Admin Guide"},{"location":"admin/#overview","text":"Gluu Flex is a commercially supported distribution of the Janssen Project , including the OpenID, OAuth, Config, FIDO, Casa, and SCIM Server components. Additionally, Flex includes the commercially licensed Flex Admin UI.","title":"Overview"},{"location":"admin/#janssen-documentation","text":"Central to Gluu Flex is the Janssen Project . Janssen enables organizations to build a scalable centralized authentication and authorization service using free open source software.","title":"Janssen Documentation"},{"location":"admin/#admin-ui","text":"The Gluu Flex Admin UI is a reactive web interface to simplify the management and configuration of your Auth Server. The Admin UI enables you to easily view and edit configuration properties, interception scripts, clients, and metrics in one place.","title":"Admin UI"},{"location":"admin/config/","text":"Configuring Gluu Flex # Overview # After installing, there are four primary strategies to configure Gluu Flex. Text-based User Interface (TUI) # The current recommendation is to use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration, and instructions can be found in the Janssen documentation here. CURL Commands # As an alternative, the Config API can be called directly using CURL commands. Command Line Interface (CLI) # If needed, a command-line alternative to the TUI is available. Instructions can be found in the Janssen documentation here. Admin UI # The Gluu Flex Admin UI is a reactive web interface to simplify the management and configuration of your Auth Server. 
The Admin UI enables you to easily view and edit configuration properties, interception scripts, clients, and metrics in one place. The Admin UI can be accessed by accessing the hostname set during installation in the browser.","title":"Configuration"},{"location":"admin/config/#configuring-gluu-flex","text":"","title":"Configuring Gluu Flex"},{"location":"admin/config/#overview","text":"After installing, there are four primary strategies to configure Gluu Flex.","title":"Overview"},{"location":"admin/config/#text-based-user-interface-tui","text":"The current recommendation is to use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration, and instructions can be found in the Janssen documentation here.","title":"Text-based User Interface (TUI)"},{"location":"admin/config/#curl-commands","text":"As an alternative, the Config API can be called directly using CURL commands.","title":"CURL Commands"},{"location":"admin/config/#command-line-interface-cli","text":"If needed, a command-line alternative to the TUI is available. Instructions can be found in the Janssen documentation here.","title":"Command Line Interface (CLI)"},{"location":"admin/config/#admin-ui","text":"The Gluu Flex Admin UI is a reactive web interface to simplify the management and configuration of your Auth Server. The Admin UI enables you to easily view and edit configuration properties, interception scripts, clients, and metrics in one place. The Admin UI can be accessed by accessing the hostname set during installation in the browser.","title":"Admin UI"},{"location":"admin/admin-ui/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Index"},{"location":"admin/admin-ui/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. 
Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"admin/admin-ui/admin-menu/","tags":["administration","admin-ui","admin","role","permission","scripts","mau"],"text":"Admin Menu # The features like managing Roles and Permissions, Custom Scripts and monthly active users monitoring are placed under the Admin menu (in the left navigation of GUI). These features will be discussed one by one in this section. GUI Access Control # The administrator can control view/edit/delete access of users of Gluu Flex Admin UI by adding or removing the appropriate Permissions mapped to the user's Admin UI Role. For e.g. if the read Permission of OIDC clients ( https://jans.io/oauth/config/clients.readonly ) is not mapped to the logged-in user's Role, the contents of the page showing OIDC client records will not be visible to the user. In the same way, if the write and delete Permissions of OIDC clients are not mapped then the user will not be able to edit or delete any OIDC client record. Role # The logged-in administrator can create, edit or delete Admin UI Roles using the Admin UI Roles Page. The Admin UI Role can be assigned to the user using the User Management feature of this GUI. After installation, the following Admin UI Roles can be seen on Admin UI: api-viewer, api-editor, api-manager and api-admin. The default user i.e. admin is assigned with api-admin role. A user with one or more Admin UI Role(s) assigned will be able to log into Gluu Flex Admin UI. Permissions (Scopes) # Gluu Flex Admin UI uses Config API to manage and configure the Jans Auth server. Config API helps in configuring auth-server, users, fido2 and scim modules. The APIs of this rest application are protected using an authorization token containing the appropriate permissions (scopes). The user interface has the capability to add, edit and delete the Permissions used to access the APIs (i.e. rest APIs used by Admin UI). 
Role-Permission Mapping # The administrator can map the Admin UI Role with one or more Permission(s) using the Role-Permission Mapping page. The Role mapped with Permissions can be then assigned to the user to allow access to the corresponding operations of the GUI. The below table lists the Permissions used in Admin UI: Permission Description https://jans.io/oauth/config/attributes.readonly View Person attributes https://jans.io/oauth/config/attributes.write Add/Edit Person attributes https://jans.io/oauth/config/attributes.delete Delete Person attributes https://jans.io/oauth/config/scopes.readonly View the Scopes https://jans.io/oauth/config/scopes.write Add/Edit Scopes https://jans.io/oauth/config/scopes.delete Delete Scopes https://jans.io/oauth/config/scripts.readonly View the Scripts https://jans.io/oauth/config/scripts.write Add/Edit Scripts https://jans.io/oauth/config/scripts.delete Delete Scripts https://jans.io/oauth/config/openid/clients.readonly View the Clients https://jans.io/oauth/config/openid/clients.write Add/Edit Clients https://jans.io/oauth/config/openid/clients.delete Delete Clients https://jans.io/oauth/config/smtp.readonly View SMTP configuration https://jans.io/oauth/config/smtp.write Edit SMTP configuration https://jans.io/oauth/config/smtp.delete Remove SMTP configuration https://jans.io/oauth/config/logging.readonly View Auth server log configuration https://jans.io/oauth/config/logging.write Edit Auth server log configuration https://jans.io/oauth/config/database/ldap.readonly View LDAP persistence configuration https://jans.io/oauth/config/database/ldap.write Edit LDAP persistence configuration https://jans.io/oauth/config/database/ldap.delete Delete LDAP persistence configuration https://jans.io/oauth/config/jwks.readonly View JWKS https://jans.io/oauth/jans-auth-server/config/adminui/user/role.readonly View Admin UI Roles https://jans.io/oauth/jans-auth-server/config/adminui/user/role.write Edit Admin UI Roles 
https://jans.io/oauth/jans-auth-server/config/adminui/user/role.delete Delete Admin UI Roles https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.readonly View Admin UI Permissions https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write Edit Admin UI Permissions https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.delete Delete Admin UI Permissions https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.readonly View Role-Permission Mapping https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.write Edit Role-Permission Mapping https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.delete Delete Role-Permission Mapping Custom Scripts # Custom Scripts are used to implement custom business logic for authentication, authorization, client registration, cache refresh, scopes, token revocation etc. The Janssen Authentication Server leverages Custom Scripts when implemented can facilitate complex business workflows without changing the server code. Gluu Flex Admin UI provides the interface to add/edit/delete custom scripts. Custom Scripts fields descriptions # INUM: Unique id identifying the script. Name: Name of the custom script. Only letters, digits and underscores are allowed. Description: Description of the script. Select SAML ACRS: The SAML parameter Authentication Context Requests (ACRS). Script Type: The type of the script (e.g. PERSON_AUTHENTICATION, INTROSPECTION, APPLICATION_SESSION, CLIENT_REGISTRATION etc). Programming Language: Programming language of the custom script (e.g. Java and Jython). Location Type: The location of the script, either database or file. Level: The level describes how secure and reliable the script is. Custom properties (key/value): Custom properties that can be used in the script. Script: Script content. Enable: Field set to enable or disable the script. 
MAU Graph # This is a line graph showing month-wise active users under a selected date range. Webhooks # Webhooks can be created and mapped to various Admin UI features to execute custom business logic when events associated with those features occur. Follow this tutorial for more details. Settings # The Gluu Flex Admin UI provides a user-friendly interface for managing various UI settings of this web application. This page has the following fields. List paging size: This field allows to define the default paging size for all search pages within the Admin UI. Config API URL: The read-only URL of the Jans Config API is used by the Admin UI for interaction. Admin UI Session Timeout (In Minutes): This field determines the maximum idle time allowed before a user is automatically logged out of the Admin UI. Admin UI authentication method (ACR): This dropdown enables user to select the default authentication method to be used in the Admin UI. Custom Parameters (for authentication): The custom parameters allow you to pass additional information to the authorization server during Admin UI authentication.","title":"Admin"},{"location":"admin/admin-ui/admin-menu/#admin-menu","text":"The features like managing Roles and Permissions, Custom Scripts and monthly active users monitoring are placed under the Admin menu (in the left navigation of GUI). These features will be discussed one by one in this section.","title":"Admin Menu"},{"location":"admin/admin-ui/admin-menu/#gui-access-control","text":"The administrator can control view/edit/delete access of users of Gluu Flex Admin UI by adding or removing the appropriate Permissions mapped to the user's Admin UI Role. For e.g. if the read Permission of OIDC clients ( https://jans.io/oauth/config/clients.readonly ) is not mapped to the logged-in user's Role, the contents of the page showing OIDC client records will not be visible to the user. 
In the same way, if the write and delete Permissions of OIDC clients are not mapped then the user will not be able to edit or delete any OIDC client record.","title":"GUI Access Control"},{"location":"admin/admin-ui/admin-menu/#role","text":"The logged-in administrator can create, edit or delete Admin UI Roles using the Admin UI Roles Page. The Admin UI Role can be assigned to the user using the User Management feature of this GUI. After installation, the following Admin UI Roles can be seen on Admin UI: api-viewer, api-editor, api-manager and api-admin. The default user i.e. admin is assigned with api-admin role. A user with one or more Admin UI Role(s) assigned will be able to log into Gluu Flex Admin UI.","title":"Role"},{"location":"admin/admin-ui/admin-menu/#permissions-scopes","text":"Gluu Flex Admin UI uses Config API to manage and configure the Jans Auth server. Config API helps in configuring auth-server, users, fido2 and scim modules. The APIs of this rest application are protected using an authorization token containing the appropriate permissions (scopes). The user interface has the capability to add, edit and delete the Permissions used to access the APIs (i.e. rest APIs used by Admin UI).","title":"Permissions (Scopes)"},{"location":"admin/admin-ui/admin-menu/#role-permission-mapping","text":"The administrator can map the Admin UI Role with one or more Permission(s) using the Role-Permission Mapping page. The Role mapped with Permissions can be then assigned to the user to allow access to the corresponding operations of the GUI. 
The below table lists the Permissions used in Admin UI: Permission Description https://jans.io/oauth/config/attributes.readonly View Person attributes https://jans.io/oauth/config/attributes.write Add/Edit Person attributes https://jans.io/oauth/config/attributes.delete Delete Person attributes https://jans.io/oauth/config/scopes.readonly View the Scopes https://jans.io/oauth/config/scopes.write Add/Edit Scopes https://jans.io/oauth/config/scopes.delete Delete Scopes https://jans.io/oauth/config/scripts.readonly View the Scripts https://jans.io/oauth/config/scripts.write Add/Edit Scripts https://jans.io/oauth/config/scripts.delete Delete Scripts https://jans.io/oauth/config/openid/clients.readonly View the Clients https://jans.io/oauth/config/openid/clients.write Add/Edit Clients https://jans.io/oauth/config/openid/clients.delete Delete Clients https://jans.io/oauth/config/smtp.readonly View SMTP configuration https://jans.io/oauth/config/smtp.write Edit SMTP configuration https://jans.io/oauth/config/smtp.delete Remove SMTP configuration https://jans.io/oauth/config/logging.readonly View Auth server log configuration https://jans.io/oauth/config/logging.write Edit Auth server log configuration https://jans.io/oauth/config/database/ldap.readonly View LDAP persistence configuration https://jans.io/oauth/config/database/ldap.write Edit LDAP persistence configuration https://jans.io/oauth/config/database/ldap.delete Delete LDAP persistence configuration https://jans.io/oauth/config/jwks.readonly View JWKS https://jans.io/oauth/jans-auth-server/config/adminui/user/role.readonly View Admin UI Roles https://jans.io/oauth/jans-auth-server/config/adminui/user/role.write Edit Admin UI Roles https://jans.io/oauth/jans-auth-server/config/adminui/user/role.delete Delete Admin UI Roles https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.readonly View Admin UI Permissions https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.write Edit Admin UI 
Permissions https://jans.io/oauth/jans-auth-server/config/adminui/user/permission.delete Delete Admin UI Permissions https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.readonly View Role-Permission Mapping https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.write Edit Role-Permission Mapping https://jans.io/oauth/jans-auth-server/config/adminui/user/rolePermissionMapping.delete Delete Role-Permission Mapping","title":"Role-Permission Mapping"},{"location":"admin/admin-ui/admin-menu/#custom-scripts","text":"Custom Scripts are used to implement custom business logic for authentication, authorization, client registration, cache refresh, scopes, token revocation etc. The Janssen Authentication Server leverages Custom Scripts when implemented can facilitate complex business workflows without changing the server code. Gluu Flex Admin UI provides the interface to add/edit/delete custom scripts.","title":"Custom Scripts"},{"location":"admin/admin-ui/admin-menu/#custom-scripts-fields-descriptions","text":"INUM: Unique id identifying the script. Name: Name of the custom script. Only letters, digits and underscores are allowed. Description: Description of the script. Select SAML ACRS: The SAML parameter Authentication Context Requests (ACRS). Script Type: The type of the script (e.g. PERSON_AUTHENTICATION, INTROSPECTION, APPLICATION_SESSION, CLIENT_REGISTRATION etc). Programming Language: Programming language of the custom script (e.g. Java and Jython). Location Type: The location of the script, either database or file. Level: The level describes how secure and reliable the script is. Custom properties (key/value): Custom properties that can be used in the script. Script: Script content. 
Enable: Field set to enable or disable the script.","title":"Custom Scripts fields descriptions"},{"location":"admin/admin-ui/admin-menu/#mau-graph","text":"This is a line graph showing month-wise active users under a selected date range.","title":"MAU Graph"},{"location":"admin/admin-ui/admin-menu/#webhooks","text":"Webhooks can be created and mapped to various Admin UI features to execute custom business logic when events associated with those features occur. Follow this tutorial for more details.","title":"Webhooks"},{"location":"admin/admin-ui/admin-menu/#settings","text":"The Gluu Flex Admin UI provides a user-friendly interface for managing various UI settings of this web application. This page has the following fields. List paging size: This field allows to define the default paging size for all search pages within the Admin UI. Config API URL: The read-only URL of the Jans Config API is used by the Admin UI for interaction. Admin UI Session Timeout (In Minutes): This field determines the maximum idle time allowed before a user is automatically logged out of the Admin UI. Admin UI authentication method (ACR): This dropdown enables user to select the default authentication method to be used in the Admin UI. Custom Parameters (for authentication): The custom parameters allow you to pass additional information to the authorization server during Admin UI authentication.","title":"Settings"},{"location":"admin/admin-ui/auth-server-interaction/","tags":["administration","admin-ui","interaction"],"text":"Interaction with Jans Auth Server # This user-friendly interface facilitates interaction with the Jans Auth Server through a REST API layer known as the Jans Config API . Here, we'll explore the working mechanism of the Gluu Flex Admin UI, focusing on its interaction with the Jans Auth Server and the key steps involved. 
When accessing the Gluu Flex Admin UI through a web browser, the following steps are involved: License Verification # The user accesses the Gluu Flex Admin UI frontend through a web browser. The frontend requests the Admin UI backend to retrieve Admin UI configuration from Janssen persistence. The Admin UI configuration includes OIDC client details for accessing the Auth Server, OIDC client details for accessing the Token Server, OIDC client details for accessing the License APIs, and license metadata. It's important to note that the Admin UI backend is implemented as a Jans Config API plugin . The frontend calls the Admin UI backend API ( /isConfigValid ) to validate the license configuration in persistence, essentially verifying the validity of the OIDC client used to access the License APIs. If it is not valid, the same API tries to register a new OIDC client using the SSA uploaded during installation. In case the SSA is invalid, the Admin UI shows a page to upload a new valid SSA. After ensuring the validity of the OIDC client, the Admin UI calls the Admin UI backend API (/isActive) to check if a valid license is present in the license configuration. The Admin UI backend then calls the SCAN API (/scan/license/isActive) to verify the validity of the license. If a valid license is not present, the frontend calls the backend API (/retrieve) to retrieve the license for the user via the SCAN API (/scan/license/retrieve). The license can only be retrieved from SCAN if the user has subscribed to the Admin UI license in Agama Lab. If the user has not already subscribed to a valid license in Agama Lab, the Admin UI displays a page to generate a 30-day trial license. The user cannot generate another trial license after expiry of a generated trial license and will need to subscribe to the Admin UI license in Agama Lab to access the user interface. 
After verification of valid license the frontend initiates the Authorization Code Flow by redirecting the user to the login page. sequenceDiagram title License Verification autonumber actor User User->>Browser: open Admin UI URL Browser->>Gluu Flex Admin UI: launch Admin UI Gluu Flex Admin UI->>Admin UI Backend: /config Admin UI Backend->>Gluu Flex Admin UI: Admin UI config Gluu Flex Admin UI->>Admin UI Backend: /license/isConfigValid Note over Gluu Flex Admin UI,Admin UI Backend: validate license OIDC client alt license client valid Admin UI Backend->>Gluu Flex Admin UI: true else license client invalid Admin UI Backend->>account.gluu.org: DCR using SSA alt DCR success account.gluu.org->>Admin UI Backend: client credentials Admin UI Backend->>Admin UI Backend: save client credentials in persistence Admin UI Backend->>Gluu Flex Admin UI: true else DCR fails Admin UI Backend->>Gluu Flex Admin UI: false Gluu Flex Admin UI->>Browser: Screen to Upload SSA end end Gluu Flex Admin UI->>Admin UI Backend: /license/isActive Note over Gluu Flex Admin UI,Admin UI Backend: validate license Admin UI Backend->>SCAN: /scan/license/isActive alt license active SCAN->>Admin UI Backend: true else license inactive / not present SCAN->>Admin UI Backend: false Admin UI Backend->>SCAN: /retrieve alt license subscribed SCAN->>Admin UI Backend: license else license not subscribed SCAN->>Admin UI Backend: false Admin UI Backend->>Gluu Flex Admin UI: false Gluu Flex Admin UI->>Browser: Screen to generate Trial license end end Admin UI Backend->>Gluu Flex Admin UI: login page The Authorization Code Flow # The frontend initiates the Authorization Code Flow by calling authorization url and redirecting the user to the login page of the Janssen authorization server for user authentication. Upon successful authentication, the authorization server sends an authorization code and a state to the frontend. The frontend verifies the state. 
The frontend utilizes the authorization code to first obtain an access token ( AT1 ) from the token endpoint of the authorization server. With AT1, the frontend requests the User-Info in JWT format ( UJWT ) from the authorization server by calling userInfo endpoint. The frontend stores the UJWT and its claims, including the user's role ( claim name is jansAdminUIRole ) and other relevant information, in the Redux store. sequenceDiagram title License Verification autonumber actor User Gluu Flex Admin UI->>Jans Auth Server: /authorize Jans Auth Server->>Gluu Flex Admin UI:code Gluu Flex Admin UI->>Jans Auth Server: /token Note right of Gluu Flex Admin UI: code as parameter Jans Auth Server->>Gluu Flex Admin UI: access_token Note right of Gluu Flex Admin UI: access_token as parameter Gluu Flex Admin UI->>Jans Auth Server: /userInfo Jans Auth Server->>Gluu Flex Admin UI: user-info (UJWT) Gluu Flex Admin UI->>Gluu Flex Admin UI: extract & store claims from UJWT API Protection and Scopes # To ensure security and access control, Gluu Flex Admin UI leverages API protection and scopes: The Jans Config API's endpoints are protected and can only be accessed using a token ( AT2 ) with the required scopes. To generate an AT2, the frontend requests the Token Server via the backend. The Token Server and Authorization Server can be the same or different. The Token Server employs an introspection script that validates the UJWT and refers to the role-scope mapping in the Token Server persistence. The introspection script validates the UJWT and includes the appropriate scopes in AT2 based on the user's role. The frontend receives AT2 and associated scopes from the backend. Features in the frontend are enabled or disabled based on the scopes provided in AT2. Refer this doc for GUI access control. sequenceDiagram title License Verification autonumber actor User Gluu Flex Admin UI->>Admin UI Backend: /api-protection-token?ujwt=... 
Admin UI Backend->>Jans Token Server: /token Jans Token Server->>Jans Token Server: Verify ujwt Jans Token Server->>Jans Token Server: Add scopes to token based on role (AT2) Jans Token Server->>Admin UI Backend: AT2 Admin UI Backend->>Gluu Flex Admin UI: AT2 Gluu Flex Admin UI->>Gluu Flex Admin UI:extracts scopes from AT2 Gluu Flex Admin UI->>Gluu Flex Admin UI: GUI access control based on scopes from AT2 Accessing Config-API Endpoints # To access config-api endpoints, the following steps are taken: The Admin UI frontend requests AT2 from the Token Server through the backend. Armed with AT2, the frontend sends a request to the desired Jans Config API endpoint. AT2 is included in the authorization header, along with other request parameters. At the Jans Config API, AT2 is validated, and the provided scopes are verified to ensure the necessary scope for the requested endpoint is present. If the above steps are successful, the requested data is fetched from the Jans Config API and forwarded to the frontend. sequenceDiagram title License Verification autonumber actor User Gluu Flex Admin UI->>Admin UI Backend: /api-protection-token?ujwt=... 
Admin UI Backend->>Jans Token Server: /token Jans Token Server->>Jans Token Server: Verify ujwt Jans Token Server->>Jans Token Server: Add scopes to token based on role (AT2) Jans Token Server->>Admin UI Backend: AT2 Admin UI Backend->>Gluu Flex Admin UI: AT2 Gluu Flex Admin UI->>Jans Config API: request API with AT2 Jans Config API<<->>Jans Token Server: introspect AT2 Jans Token Server->>Jans Config API: AT2 JSON Jans Config API->>Jans Config API: Enforcement: verify required scopes Jans Config API->>Jans Config API: validate params Jans Config API->>Jans Auth Server:call API with request params Jans Auth Server->>Jans Config API:response Jans Config API->>Gluu Flex Admin UI:response Conclusion # The Gluu Flex Admin UI simplifies the process of managing configuration and features of the Jans Auth Server through an intuitive graphical user interface. By following the Authorization Code Flow and leveraging API protection and scopes, the Gluu Flex Admin UI ensures secure and controlled interaction with the Jans Auth Server's REST API layer. This seamless interaction empowers administrators to efficiently manage the Jans Auth Server's settings while adhering to strict access controls and security protocols.","title":"Auth Server Interaction"},{"location":"admin/admin-ui/auth-server-interaction/#interaction-with-jans-auth-server","text":"This user-friendly interface facilitates interaction with the Jans Auth Server through a REST API layer known as the Jans Config API . Here, we'll explore the working mechanism of the Gluu Flex Admin UI, focusing on its interaction with the Jans Auth Server and the key steps involved. When accessing the Gluu Flex Admin UI through a web browser, the following steps are involved:","title":"Interaction with Jans Auth Server"},{"location":"admin/admin-ui/auth-server-interaction/#license-verification","text":"The user accesses the Gluu Flex Admin UI frontend through a web browser. 
The frontend requests the Admin UI backend to retrieve Admin UI configuration from Janssen persistence. The Admin UI configuration includes OIDC client details for accessing the Auth Server, OIDC client details for accessing the Token Server, OIDC client details for accessing the License APIs, and license metadata. It's important to note that the Admin UI backend is implemented as a Jans Config API plugin . The frontend calls the Admin UI backend API ( /isConfigValid ) to validate the license configuration in persistence, essentially verifying the validity of the OIDC client used to access the License APIs. If it is not valid, the same API tries to register a new OIDC client using the SSA uploaded during installation. In case the SSA is invalid, the Admin UI shows a page to upload a new valid SSA. After ensuring the validity of the OIDC client, the Admin UI calls the Admin UI backend API (/isActive) to check if a valid license is present in the license configuration. The Admin UI backend then calls the SCAN API (/scan/license/isActive) to verify the validity of the license. If a valid license is not present, the frontend calls the backend API (/retrieve) to retrieve the license for the user via the SCAN API (/scan/license/retrieve). The license can only be retrieved from SCAN if the user has subscribed to the Admin UI license in Agama Lab. If the user has not already subscribed to a valid license in Agama Lab, the Admin UI displays a page to generate a 30-day trial license. The user cannot generate another trial license after expiry of a generated trial license and will need to subscribe to the Admin UI license in Agama Lab to access the user interface. After verification of valid license the frontend initiates the Authorization Code Flow by redirecting the user to the login page. 
sequenceDiagram title License Verification autonumber actor User User->>Browser: open Admin UI URL Browser->>Gluu Flex Admin UI: launch Admin UI Gluu Flex Admin UI->>Admin UI Backend: /config Admin UI Backend->>Gluu Flex Admin UI: Admin UI config Gluu Flex Admin UI->>Admin UI Backend: /license/isConfigValid Note over Gluu Flex Admin UI,Admin UI Backend: validate license OIDC client alt license client valid Admin UI Backend->>Gluu Flex Admin UI: true else license client invalid Admin UI Backend->>account.gluu.org: DCR using SSA alt DCR success account.gluu.org->>Admin UI Backend: client credentials Admin UI Backend->>Admin UI Backend: save client credentials in persistence Admin UI Backend->>Gluu Flex Admin UI: true else DCR fails Admin UI Backend->>Gluu Flex Admin UI: false Gluu Flex Admin UI->>Browser: Screen to Upload SSA end end Gluu Flex Admin UI->>Admin UI Backend: /license/isActive Note over Gluu Flex Admin UI,Admin UI Backend: validate license Admin UI Backend->>SCAN: /scan/license/isActive alt license active SCAN->>Admin UI Backend: true else license inactive / not present SCAN->>Admin UI Backend: false Admin UI Backend->>SCAN: /retrieve alt license subscribed SCAN->>Admin UI Backend: license else license not subscribed SCAN->>Admin UI Backend: false Admin UI Backend->>Gluu Flex Admin UI: false Gluu Flex Admin UI->>Browser: Screen to generate Trial license end end Admin UI Backend->>Gluu Flex Admin UI: login page","title":"License Verification"},{"location":"admin/admin-ui/auth-server-interaction/#the-authorization-code-flow","text":"The frontend initiates the Authorization Code Flow by calling authorization url and redirecting the user to the login page of the Janssen authorization server for user authentication. Upon successful authentication, the authorization server sends an authorization code and a state to the frontend. The frontend verifies the state. 
The frontend utilizes the authorization code to first obtain an access token ( AT1 ) from the token endpoint of the authorization server. With AT1, the frontend requests the User-Info in JWT format ( UJWT ) from the authorization server by calling userInfo endpoint. The frontend stores the UJWT and its claims, including the user's role ( claim name is jansAdminUIRole ) and other relevant information, in the Redux store. sequenceDiagram title License Verification autonumber actor User Gluu Flex Admin UI->>Jans Auth Server: /authorize Jans Auth Server->>Gluu Flex Admin UI:code Gluu Flex Admin UI->>Jans Auth Server: /token Note right of Gluu Flex Admin UI: code as parameter Jans Auth Server->>Gluu Flex Admin UI: access_token Note right of Gluu Flex Admin UI: access_token as parameter Gluu Flex Admin UI->>Jans Auth Server: /userInfo Jans Auth Server->>Gluu Flex Admin UI: user-info (UJWT) Gluu Flex Admin UI->>Gluu Flex Admin UI: extract & store claims from UJWT","title":"The Authorization Code Flow"},{"location":"admin/admin-ui/auth-server-interaction/#api-protection-and-scopes","text":"To ensure security and access control, Gluu Flex Admin UI leverages API protection and scopes: The Jans Config API's endpoints are protected and can only be accessed using a token ( AT2 ) with the required scopes. To generate an AT2, the frontend requests the Token Server via the backend. The Token Server and Authorization Server can be the same or different. The Token Server employs an introspection script that validates the UJWT and refers to the role-scope mapping in the Token Server persistence. The introspection script validates the UJWT and includes the appropriate scopes in AT2 based on the user's role. The frontend receives AT2 and associated scopes from the backend. Features in the frontend are enabled or disabled based on the scopes provided in AT2. Refer this doc for GUI access control. 
sequenceDiagram title License Verification autonumber actor User Gluu Flex Admin UI->>Admin UI Backend: /api-protection-token?ujwt=... Admin UI Backend->>Jans Token Server: /token Jans Token Server->>Jans Token Server: Verify ujwt Jans Token Server->>Jans Token Server: Add scopes to token based on role (AT2) Jans Token Server->>Admin UI Backend: AT2 Admin UI Backend->>Gluu Flex Admin UI: AT2 Gluu Flex Admin UI->>Gluu Flex Admin UI:extracts scopes from AT2 Gluu Flex Admin UI->>Gluu Flex Admin UI: GUI access control based on scopes from AT2","title":"API Protection and Scopes"},{"location":"admin/admin-ui/auth-server-interaction/#accessing-config-api-endpoints","text":"To access config-api endpoints, the following steps are taken: The Admin UI frontend requests AT2 from the Token Server through the backend. Armed with AT2, the frontend sends a request to the desired Jans Config API endpoint. AT2 is included in the authorization header, along with other request parameters. At the Jans Config API, AT2 is validated, and the provided scopes are verified to ensure the necessary scope for the requested endpoint is present. If the above steps are successful, the requested data is fetched from the Jans Config API and forwarded to the frontend. sequenceDiagram title License Verification autonumber actor User Gluu Flex Admin UI->>Admin UI Backend: /api-protection-token?ujwt=... 
Admin UI Backend->>Jans Token Server: /token Jans Token Server->>Jans Token Server: Verify ujwt Jans Token Server->>Jans Token Server: Add scopes to token based on role (AT2) Jans Token Server->>Admin UI Backend: AT2 Admin UI Backend->>Gluu Flex Admin UI: AT2 Gluu Flex Admin UI->>Jans Config API: request API with AT2 Jans Config API<<->>Jans Token Server: introspect AT2 Jans Token Server->>Jans Config API: AT2 JSON Jans Config API->>Jans Config API: Enforcement: verify required scopes Jans Config API->>Jans Config API: validate params Jans Config API->>Jans Auth Server:call API with request params Jans Auth Server->>Jans Config API:response Jans Config API->>Gluu Flex Admin UI:response","title":"Accessing Config-API Endpoints"},{"location":"admin/admin-ui/auth-server-interaction/#conclusion","text":"The Gluu Flex Admin UI simplifies the process of managing configuration and features of the Jans Auth Server through an intuitive graphical user interface. By following the Authorization Code Flow and leveraging API protection and scopes, the Gluu Flex Admin UI ensures secure and controlled interaction with the Jans Auth Server's REST API layer. This seamless interaction empowers administrators to efficiently manage the Jans Auth Server's settings while adhering to strict access controls and security protocols.","title":"Conclusion"},{"location":"admin/admin-ui/auth-server-menu/","tags":["administration","admin-ui","auth server","sessions","configuration","keys","logging","clients","scopes"],"text":"Auth Server Menu # The Auth Server menu covers the following important sub-menus to configure and manage Auth server. Sessions Server configuration Keys Logging Clients Scopes Enabled Acrs Agama deployment Sessions # The Janssen Authentication Server stores user session data in persistence. This screen lists the active session details and the administrator can revoke the sessions of the selected user. 
Keys # The JSON Web Key Sets (JWKS) is a set of public keys that should be used to verify any JSON Web Token (JWT) issued by the authorization server. Auth Server Configuration Properties # The auth server configuration properties can be updated using GUI. Logging # Following AS configuration properties can be used to customize AS logging: Log level: Specify the log levels of loggers Log layout: Logging layout used for Jans Authorization Server loggers Enable HTTP Logging: Enable/disable the request/response logging filter. Disabled by default. Disable JDK Logger?: Choose whether to disable JDK loggers Enable Oauth Audit Logging?: enable OAuth Audit Logging Clients # The logged-in user with appropriate permissions can view, register, edit and delete OIDC clients on auth server using Gluu Flex Admin UI. The Client details are as follows: Client fields Description Client name Name of the Client to be presented to the End-User. Client secret Client Secret. The same Client Secret value MUST NOT be assigned to multiple Clients. Description Description of the client. Authn method token endpoint Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none. Subject type Subject type requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public. Sector Identifier URI URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values. Grants List of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using. Response types List of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type. 
Active Specifies whether the client is enabled. Application type Kind of the application. The default, if omitted, is web. Redirect URIs List of Redirection URI values used by the Client. One of these registered Redirection URI values MUST exactly match the redirect_uri parameter value used in each Authorization Request Redirect Regex When this field is set then redirect-URI must match with regex. Scopes List of scopes granted to the client. Access token type Type of the access token (JWT or reference) generated by the client. Include claims in id_token The claims will be included in id_token if this field is enabled Add auth_time to id_token When enabled then the auth_time claim is required in id_token. Run Introspection Script Before AccessToken As Jwt Creation And Include Claims When this field is enabled then Introspection Script will run before access token generation. Token binding confirmation method for id_token Specifies the JWT Confirmation Method member name (e.g. tbh) that the Relying Party expects when receiving Token Bound ID Tokens. The presence of this parameter indicates that the Relying Party supports the Token Binding of ID Tokens. If omitted, the default is that the Relying Party does not support the Token Binding of ID Tokens. Access token additional audiences The client audiences. Access token lifetime The client-specific access-token expiration. Refresh token lifetime The client-specific refresh-token expiration. Default max authn age The default maximum authentication age. Front channel. logout URI Relying Party (RP) URL that will cause the RP to log itself out when rendered in an iframe by the OP. This is used in the front-channel logout mechanisms, which communicate logout requests from the OP to RPs via the User Agent. Post logout redirect URI Provide the URLs supplied by the RP to request that the user be redirected to this location after a logout has been performed. Back channel. 
logout URI Relying Party (RP) URL that will cause the RP to log itself out when sent a Logout Token by the OP. This is used in the back-channel logout mechanisms, which communicate logout requests directly between the OP and RPs. Back channel. logout session required Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. Front channel. logout session required Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. Client URI URL of the home page of the Client. The value of this field must point to a valid Web page. Policy URI URL that the Relying Party Client provides to the End-User to read about how the profile data will be used. Logo URI URL that references a logo for the Client application. Terms of service URI URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service. Contacts OpenID connect client contacts list. Authorized JS origins Specifies authorized JavaScript origins. Software id Specifies a unique identifier string (UUID) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered. Software version Specifies a version identifier string for the client software identified by 'software_id'. The value of the 'software_version' should change on any update to the client software identified by the same 'software_id'. Software statement Specifies a software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT. CIBA: Token delivery method Specifies how backchannel token will be delivered. 
CIBA: Client notification endpoint Client Initiated Backchannel Authentication (CIBA) enables a Client to initiate the authentication of an end-user by means of out-of-band mechanisms. Upon receipt of the notification, the Client makes a request to the token endpoint to obtain the tokens. CIBA: Require user code param If selected the auth_time claim is included in id_token. PAR: Require lifetime Represents the lifetime of Pushed Authorisation Request (PAR). PAR: Require PAR Is Pushed Authorisation Request (PAR) required? UMA: RPT token type Type of RPT token (JWT or reference). UMA: Claims redirect URI Array of The Claims Redirect URIs to which the client wishes the authorization server to direct the requesting party's user agent after completing its interaction. UMA: RPT Modification Script List of Requesting Party Token (RPT) claims scripts. Client JWKS URI URL for the Client's JSON Web Key Set (JWK) document containing the key(s) that are used for signing requests to the OP. The JWK Set may also contain the Client''s encryption keys(s) that are used by the OP to encrypt the responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is required for all keys in the document to indicate each key's intended usage. Client JWKS List of JSON Web Key (JWK) - A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value. id_token subject type The subject identifiers in ID tokens. Persist Authorizations Specifies if the client authorization details are to be persisted. The default value is true. Allow spontaneous scopes Whether to allow spontaneous scopes for the client. Spontaneous scope validation regex List of spontaneous scope regular expression. Spontaneous scopes Spontaneous scopes created using the client. Initiate Login URI Specifies the URI using the https scheme that the authorization server can call to initiate a login at the client. 
Request URIs Provide a list of requests_uri values that are pre-registered by the Client for use at the Authorization Server. Default ACR Array of default requested Authentication Context Class Reference values that the Authorization Server must use for processing requests from the Client. Allowed ACRs Allowed ACRs Default prompt=login If enabled then sets prompt=login to the authorization request, which causes the authorization server to force the user to sign in again before it will show the authorization prompt. TLS Subject DN String representation of the expected subject distinguished name of the certificate, which the OAuth client will use in mutual TLS authentication. Is Expirable Client? Specifies whether client is expirable Client Scripts The custom scripts specific to the client. Scopes # The scope is a mechanism to limit an application's access to a user's account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted. Please check here for detail documentation on scopes. OAuth 2.0 scopes # This scope type would only have a description, but no claims. Once a client obtains this token, it may be passed to the backend API. OpenID scopes # Specify what access privileges are being requested for Access Tokens. The scopes associated with Access Tokens determine what resources will be available when they are used to access OAuth 2.0 protected endpoints. For OpenID Connect, scopes can be used to request that specific sets of information be made available as Claim Values. Spontaneous scopes # Spontaneous scopes are scopes with random part in it which are not known in advance. For e.g. transaction:4685456787, pis-552fds where 4685456787 or 552fds are generated part of the scope. Spontaneous scopes are disabled by default and can be enabled per client. The admins cannot create a spontaneous scope. 
Creation only happens when an authorized client presents a spontaneous scope at the token endpoint. There are the following client properties available during dynamic registration of the client related to spontaneous scopes: allowSpontaneousScopes OPTIONAL, boolean, false by default. Whether spontaneous scopes are allowed for the given client. spontaneousScopes OPTIONAL, array of strings. Regular expressions which should match to scope. If matched scope is allowed. Example: [\"^transaction:.+$\"]. It matches transaction:245 but not transaction:. UMA scopes # UMA scope can either be created by the user or auto-created by the authentication server. UMA scope cannot be modified using Gluu Flex Admin UI. If the logged-in user creates UMA scope then the creator type will be USER and the creator Id will be logged-in user's INUM. If auth server has auto-created a UMA scope then it will have the creator type as AUTO and no creator Id. Dynamic Scopes # The dynamic scope custom script allows to generate a list of claims (and their values) on the fly, depending on circumstances like the id of the client requesting it, logged user's session parameters, values of other user's attributes, results of some calculations implementing specific business logic and/or requests to remote APIs or databases. Claims are then returned the usual way in response to a call to the user info endpoint. In order to configure a dynamic scope the following steps are required: The script of type DYNAMIC_SCOPE must be configured and enabled. Create scope of scope type Dynamic and select Dynamic scope script and claims inputs. Authn # Authentication Context Class Reference (ACR) enables applications to request and verify the level of authentication assurance or the context of the authentication process used for user authentication. 
This page allows the administrator to view all enabled ACRs and select the default ACR which refers to the predefined or default authentication assurance when no specific ACR value is requested or specified. Agama # This menu addresses deployment of Agama project packages (file with .gama extension). To make sure that package is untempered, the file containing sha256 checksum also need to be uploaded on UI. The project name, description, version, deployment start/end date-time and deployment error (if any) can be seen on details popup of the record. User can export sample and current configuration or import configuration.","title":"Auth server"},{"location":"admin/admin-ui/auth-server-menu/#auth-server-menu","text":"The Auth Server menu covers the following important sub-menus to configure and manage Auth server. Sessions Server configuration Keys Logging Clients Scopes Enabled Acrs Agama deployment","title":"Auth Server Menu"},{"location":"admin/admin-ui/auth-server-menu/#sessions","text":"The Janssen Authentication Server stores user session data in persistence. This screen lists the active session details and the administrator can revoke the sessions of the selected user.","title":"Sessions"},{"location":"admin/admin-ui/auth-server-menu/#keys","text":"The JSON Web Key Sets (JWKS) is a set of public keys that should be used to verify any JSON Web Token (JWT) issued by the authorization server.","title":"Keys"},{"location":"admin/admin-ui/auth-server-menu/#auth-server-configuration-properties","text":"The auth server configuration properties can be updated using GUI.","title":"Auth Server Configuration Properties"},{"location":"admin/admin-ui/auth-server-menu/#logging","text":"Following AS configuration properties can be used to customize AS logging: Log level: Specify the log levels of loggers Log layout: Logging layout used for Jans Authorization Server loggers Enable HTTP Logging: Enable/disable the request/response logging filter. Disabled by default. 
Disable JDK Logger?: Choose whether to disable JDK loggers Enable Oauth Audit Logging?: enable OAuth Audit Logging","title":"Logging"},{"location":"admin/admin-ui/auth-server-menu/#clients","text":"The logged-in user with appropriate permissions can view, register, edit and delete OIDC clients on auth server using Gluu Flex Admin UI. The Client details are as follows: Client fields Description Client name Name of the Client to be presented to the End-User. Client secret Client Secret. The same Client Secret value MUST NOT be assigned to multiple Clients. Description Description of the client. Authn method token endpoint Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none. Subject type Subject type requested for responses to this Client. The subject_types_supported Discovery parameter contains a list of the supported subject_type values for this server. Valid types include pairwise and public. Sector Identifier URI URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OP. The URL references a file with a single JSON array of redirect_uri values. Grants List of the OAuth 2.0 Grant Types that the Client is declaring that it will restrict itself to using. Response types List of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type. Active Specifies whether the client is enabled. Application type Kind of the application. The default, if omitted, is web. Redirect URIs List of Redirection URI values used by the Client. One of these registered Redirection URI values MUST exactly match the redirect_uri parameter value used in each Authorization Request Redirect Regex When this field is set then redirect-URI must match with regex. Scopes List of scopes granted to the client. 
Access token type Type of the access token (JWT or reference) generated by the client. Include claims in id_token The claims will be included in id_token if this field is enabled Add auth_time to id_token When enabled then the auth_time claim is required in id_token. Run Introspection Script Before AccessToken As Jwt Creation And Include Claims When this field is enabled then Introspection Script will run before access token generation. Token binding confirmation method for id_token Specifies the JWT Confirmation Method member name (e.g. tbh) that the Relying Party expects when receiving Token Bound ID Tokens. The presence of this parameter indicates that the Relying Party supports the Token Binding of ID Tokens. If omitted, the default is that the Relying Party does not support the Token Binding of ID Tokens. Access token additional audiences The client audiences. Access token lifetime The client-specific access-token expiration. Refresh token lifetime The client-specific refresh-token expiration. Default max authn age The default maximum authentication age. Front channel. logout URI Relying Party (RP) URL that will cause the RP to log itself out when rendered in an iframe by the OP. This is used in the front-channel logout mechanisms, which communicate logout requests from the OP to RPs via the User Agent. Post logout redirect URI Provide the URLs supplied by the RP to request that the user be redirected to this location after a logout has been performed. Back channel. logout URI Relying Party (RP) URL that will cause the RP to log itself out when sent a Logout Token by the OP. This is used in the back-channel logout mechanisms, which communicate logout requests directly between the OP and RPs. Back channel. logout session required Boolean value specifying whether the RP requires that a sid (session ID) Claim be included in the Logout Token to identify the RP session with the OP when the backchannel_logout_uri is used. Front channel. 
logout session required Boolean value specifying whether the RP requires that iss (issuer) and sid (session ID) query parameters be included to identify the RP session with the OP when the frontchannel_logout_uri is used. Client URI URL of the home page of the Client. The value of this field must point to a valid Web page. Policy URI URL that the Relying Party Client provides to the End-User to read about how the profile data will be used. Logo URI URL that references a logo for the Client application. Terms of service URI URL that the Relying Party Client provides to the End-User to read about the Relying Party's terms of service. Contacts OpenID connect client contacts list. Authorized JS origins Specifies authorized JavaScript origins. Software id Specifies a unique identifier string (UUID) assigned by the client developer or software publisher used by registration endpoints to identify the client software to be dynamically registered. Software version Specifies a version identifier string for the client software identified by 'software_id'. The value of the 'software_version' should change on any update to the client software identified by the same 'software_id'. Software statement Specifies a software statement containing client metadata values about the client software as claims. This is a string value containing the entire signed JWT. CIBA: Token delivery method Specifies how backchannel token will be delivered. CIBA: Client notification endpoint Client Initiated Backchannel Authentication (CIBA) enables a Client to initiate the authentication of an end-user by means of out-of-band mechanisms. Upon receipt of the notification, the Client makes a request to the token endpoint to obtain the tokens. CIBA: Require user code param If selected the auth_time claim is included in id_token. PAR: Require lifetime Represents the lifetime of Pushed Authorisation Request (PAR). PAR: Require PAR Is Pushed Authorisation Request (PAR) required? 
UMA: RPT token type Type of RPT token (JWT or reference). UMA: Claims redirect URI Array of The Claims Redirect URIs to which the client wishes the authorization server to direct the requesting party's user agent after completing its interaction. UMA: RPT Modification Script List of Requesting Party Token (RPT) claims scripts. Client JWKS URI URL for the Client's JSON Web Key Set (JWK) document containing the key(s) that are used for signing requests to the OP. The JWK Set may also contain the Client''s encryption keys(s) that are used by the OP to encrypt the responses to the Client. When both signing and encryption keys are made available, a use (Key Use) parameter value is required for all keys in the document to indicate each key's intended usage. Client JWKS List of JSON Web Key (JWK) - A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value. id_token subject type The subject identifiers in ID tokens. Persist Authorizations Specifies if the client authorization details are to be persisted. The default value is true. Allow spontaneous scopes Whether to allow spontaneous scopes for the client. Spontaneous scope validation regex List of spontaneous scope regular expression. Spontaneous scopes Spontaneous scopes created using the client. Initiate Login URI Specifies the URI using the https scheme that the authorization server can call to initiate a login at the client. Request URIs Provide a list of requests_uri values that are pre-registered by the Client for use at the Authorization Server. Default ACR Array of default requested Authentication Context Class Reference values that the Authorization Server must use for processing requests from the Client. Allowed ACRs Allowed ACRs Default prompt=login If enabled then sets prompt=login to the authorization request, which causes the authorization server to force the user to sign in again before it will show the authorization prompt. 
TLS Subject DN String representation of the expected subject distinguished name of the certificate, which the OAuth client will use in mutual TLS authentication. Is Expirable Client? Specifies whether client is expirable Client Scripts The custom scripts specific to the client.","title":"Clients"},{"location":"admin/admin-ui/auth-server-menu/#scopes","text":"The scope is a mechanism to limit an application's access to a user's account. An application can request one or more scopes, this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted. Please check here for detail documentation on scopes.","title":"Scopes"},{"location":"admin/admin-ui/auth-server-menu/#oauth-20-scopes","text":"This scope type would only have a description, but no claims. Once a client obtains this token, it may be passed to the backend API.","title":"OAuth 2.0 scopes"},{"location":"admin/admin-ui/auth-server-menu/#openid-scopes","text":"Specify what access privileges are being requested for Access Tokens. The scopes associated with Access Tokens determine what resources will be available when they are used to access OAuth 2.0 protected endpoints. For OpenID Connect, scopes can be used to request that specific sets of information be made available as Claim Values.","title":"OpenID scopes"},{"location":"admin/admin-ui/auth-server-menu/#spontaneous-scopes","text":"Spontaneous scopes are scopes with random part in it which are not known in advance. For e.g. transaction:4685456787, pis-552fds where 4685456787 or 552fds are generated part of the scope. Spontaneous scopes are disabled by default and can be enabled per client. The admins cannot create a spontaneous scope. Creation only happens when an authorized client presents a spontaneous scope at the token endpoint. 
There are the following client properties available during dynamic registration of the client related to spontaneous scopes: allowSpontaneousScopes OPTIONAL, boolean, false by default. Whether spontaneous scopes are allowed for the given client. spontaneousScopes OPTIONAL, array of strings. Regular expressions which should match to scope. If matched scope is allowed. Example: [\"^transaction:.+$\"]. It matches transaction:245 but not transaction:.","title":"Spontaneous scopes"},{"location":"admin/admin-ui/auth-server-menu/#uma-scopes","text":"UMA scope can either be created by the user or auto-created by the authentication server. UMA scope cannot be modified using Gluu Flex Admin UI. If the logged-in user creates UMA scope then the creator type will be USER and the creator Id will be logged-in user's INUM. If auth server has auto-created a UMA scope then it will have the creator type as AUTO and no creator Id.","title":"UMA scopes"},{"location":"admin/admin-ui/auth-server-menu/#dynamic-scopes","text":"The dynamic scope custom script allows to generate a list of claims (and their values) on the fly, depending on circumstances like the id of the client requesting it, logged user's session parameters, values of other user's attributes, results of some calculations implementing specific business logic and/or requests to remote APIs or databases. Claims are then returned the usual way in response to a call to the user info endpoint. In order to configure a dynamic scope the following steps are required: The script of type DYNAMIC_SCOPE must be configured and enabled. Create scope of scope type Dynamic and select Dynamic scope script and claims inputs.","title":"Dynamic Scopes"},{"location":"admin/admin-ui/auth-server-menu/#authn","text":"Authentication Context Class Reference (ACR) enables applications to request and verify the level of authentication assurance or the context of the authentication process used for user authentication. 
This page allows the administrator to view all enabled ACRs and select the default ACR which refers to the predefined or default authentication assurance when no specific ACR value is requested or specified.","title":"Authn"},{"location":"admin/admin-ui/auth-server-menu/#agama","text":"This menu addresses deployment of Agama project packages (file with .gama extension). To make sure that package is untempered, the file containing sha256 checksum also need to be uploaded on UI. The project name, description, version, deployment start/end date-time and deployment error (if any) can be seen on details popup of the record. User can export sample and current configuration or import configuration.","title":"Agama"},{"location":"admin/admin-ui/configuration/","tags":["administration","admin-ui","configuration"],"text":"Configuration # This document outlines the configuration process for Gluu Flex Admin UI, with a focus on essential components stored in the Auth Server's persistence layer. These components include role-permission mapping, OIDC client details for accessing the Auth Server, OIDC client details for accessing the Token Server, OIDC client details for accessing the License APIs, and license metadata. Configuration Components # Role-Permission Mapping # Role-permission mapping defines which administrative roles are granted specific permissions within the Gluu Flex Admin UI. This mapping ensures that administrators can only access and modify functionalities relevant to their roles. The mapping is stored in json format with following attributes. Roles Attribute Name Description roles Array of all roles role Role name description Role description deletable If set to true then entire role-permission mapping with respect to the role can be deleted. 
Default value: false Permissions Attribute Name Description permissions Array of all available permissions permission Permission name description Permission description defaultPermissionInToken If set to true , it indicates that permission will need authentication and valid role during /token request to include in token Mapping Attribute Name Description rolePermissionMapping List of all role-permission mapping role Role name permission Array of all permission mapped to the role Sample role-permission mapping stored in persistence { \"roles\": [ { \"role\": \"sample-role\", \"description\": \"role description\", \"deletable\": false } ], \"permissions\": [ { \"permission\": \"sample-permission1\", \"description\": \"permission1 description\", \"defaultPermissionInToken\": false }, { \"permission\": \"sample-permission2\", \"description\": \"permission2 description\", \"defaultPermissionInToken\": true } ], \"rolePermissionMapping\": [ { \"role\": \"sample-role\", \"permissions\": [ \"sample-permission1\", \"sample-permission2\" ] } ] } OIDC Client Details for Auth Server # To establish secure communication with the Auth Server, Gluu Flex Admin UI requires the OIDC client details, including client ID and client secret. These details are used for authentication and authorization purposes. The information is stored in json format with following attributes. 
Attribute Name Description auiWebClient Object with Web OIDC client details opHost Auth Server hostname clientId Client Id of OIDC client used to access Auth server clientSecret Client Secret of OIDC client used to access Auth server scopes Scopes required for Admin UI authentication acrValues ACR required for Admin UI authentication redirectUri Redirect UI which is Admin UI home page postLogoutUri Url to be redirected after Admin UI logout frontchannelLogoutUri Front channel Logout Uri additionalParameters The custom parameters allow you to pass additional information to the authorization server during Admin UI authentication. Format: [{\"key\": \"custom-param-key\", \"value\": \"custom-param-value\"}, ...] OIDC Client Details for Backend API Server # Similarly, Gluu Flex Admin UI needs OIDC client details to interact with the Janssen Server via. Jans Config API protected APIs. The Backend API client enables the UI to request and manage access tokens required to access Jans Config API protected resources. The information is stored in json format with following attributes. Attribute Name Description auiBackendApiClient Object with Backend API client details opHost Token Server hostname clientId Client Id of OIDC client used to access Token server clientSecret Client Secret of OIDC client used to access Token server tokenEndpoint Token endpoint of token server Configuration Properties for User-Interface # Attribute Name Description uiConfig Object with UI configuration attributes sessionTimeoutInMins The admin UI will auto-logout after a period of inactivity defined in this field. OIDC Client Details for License Server # Access to the License APIs is managed through OIDC client details. These details allows the Gluu Flex Admin UI Backend to generated access token to allow the retrieval of license-related information using license APIs. The information is stored in json format with following attributes. 
Attribute Name Description opHost Auth Server hostname used to generate token to access License APIs clientId Client Id of OIDC client used to generate token to access License APIs clientSecret Client Secret of OIDC client used to generate token to access License APIs License Metadata # License metadata includes relevant information about the Gluu Flex Admin UI's licensing, such as License Key, Hardware id, License server url, License Auth server url, SSA used to register license auth server client. The information is stored in json format with following attributes. Attribute Name Description licenseConfig Object with License configuration details ssa SSA used to register OIDC client to access license APIs scanLicenseApiHostname SCAN License server hostname licenseHardwareKey Hardware key (org_id) to access license APIs Sample configuration stored in persistence { \"oidcConfig\": { \"auiWebClient\": { \"redirectUri\": \"https://your.host.com/admin\", \"postLogoutUri\": \"https://your.gost.com/admin\", \"frontchannelLogoutUri\": \"https://your.host.com/admin/logout\", \"scopes\": [ \"openid\", \"profile\", \"user_name\", \"email\" ], \"acrValues\": [ \"basic\" ], \"opHost\": \"https://your.host.com\", \"clientId\": \"2001.aaf0b8eb-a82e-4798-b1a0-e007803a6568\", \"clientSecret\": \"GGO4t1uixrTpl4Rizt3zag==\". 
\"additionalParameters\": [] }, \"auiBackendApiClient\": { \"tokenEndpoint\": \"https://your.host.com/jans-auth/restv1/token\", \"scopes\": [ \"openid\", \"profile\", \"user_name\", \"email\" ], \"opHost\": \"https://your.host.com\", \"clientId\": \"2001.aaf0b8eb-a82e-4798-b1a0-e007803a6568\", \"clientSecret\": \"GGO4t1uixrTpl4Rizt3zag==\" } }, \"uiConfig\": { \"sessionTimeoutInMins\": 30 }, \"licenseConfig\": { \"ssa\": \"...ssa in jwt format...\", \"scanLicenseApiHostname\": \"https://cloud-dev.gluu.cloud\", \"licenseKey\": \"XXXX-XXXX-XXXX-XXXX\", \"licenseHardwareKey\": \"github:ghUsername\", \"oidcClient\": { \"opHost\": \"https://account-dev.gluu.cloud\", \"clientId\": \"36a43e2b-a77b-4e9c-a966-a9d98af1665c\", \"clientSecret\": \"211188d8-a2d8-4562-ab53-80907c1bb5ba\" } } }","title":"Configuration"},{"location":"admin/admin-ui/configuration/#configuration","text":"This document outlines the configuration process for Gluu Flex Admin UI, with a focus on essential components stored in the Auth Server's persistence layer. These components include role-permission mapping, OIDC client details for accessing the Auth Server, OIDC client details for accessing the Token Server, OIDC client details for accessing the License APIs, and license metadata.","title":"Configuration"},{"location":"admin/admin-ui/configuration/#configuration-components","text":"","title":"Configuration Components"},{"location":"admin/admin-ui/configuration/#role-permission-mapping","text":"Role-permission mapping defines which administrative roles are granted specific permissions within the Gluu Flex Admin UI. This mapping ensures that administrators can only access and modify functionalities relevant to their roles. The mapping is stored in json format with following attributes. Roles Attribute Name Description roles Array of all roles role Role name description Role description deletable If set to true then entire role-permission mapping with respect to the role can be deleted. 
Default value: false Permissions Attribute Name Description permissions Array of all available permissions permission Permission name description Permission description defaultPermissionInToken If set to true , it indicates that permission will need authentication and valid role during /token request to include in token Mapping Attribute Name Description rolePermissionMapping List of all role-permission mapping role Role name permission Array of all permission mapped to the role Sample role-permission mapping stored in persistence { \"roles\": [ { \"role\": \"sample-role\", \"description\": \"role description\", \"deletable\": false } ], \"permissions\": [ { \"permission\": \"sample-permission1\", \"description\": \"permission1 description\", \"defaultPermissionInToken\": false }, { \"permission\": \"sample-permission2\", \"description\": \"permission2 description\", \"defaultPermissionInToken\": true } ], \"rolePermissionMapping\": [ { \"role\": \"sample-role\", \"permissions\": [ \"sample-permission1\", \"sample-permission2\" ] } ] }","title":"Role-Permission Mapping"},{"location":"admin/admin-ui/configuration/#oidc-client-details-for-auth-server","text":"To establish secure communication with the Auth Server, Gluu Flex Admin UI requires the OIDC client details, including client ID and client secret. These details are used for authentication and authorization purposes. The information is stored in json format with following attributes. 
Attribute Name Description auiWebClient Object with Web OIDC client details opHost Auth Server hostname clientId Client Id of OIDC client used to access Auth server clientSecret Client Secret of OIDC client used to access Auth server scopes Scopes required for Admin UI authentication acrValues ACR required for Admin UI authentication redirectUri Redirect UI which is Admin UI home page postLogoutUri Url to be redirected after Admin UI logout frontchannelLogoutUri Front channel Logout Uri additionalParameters The custom parameters allow you to pass additional information to the authorization server during Admin UI authentication. Format: [{\"key\": \"custom-param-key\", \"value\": \"custom-param-value\"}, ...]","title":"OIDC Client Details for Auth Server"},{"location":"admin/admin-ui/configuration/#oidc-client-details-for-backend-api-server","text":"Similarly, Gluu Flex Admin UI needs OIDC client details to interact with the Janssen Server via. Jans Config API protected APIs. The Backend API client enables the UI to request and manage access tokens required to access Jans Config API protected resources. The information is stored in json format with following attributes. 
Attribute Name Description auiBackendApiClient Object with Backend API client details opHost Token Server hostname clientId Client Id of OIDC client used to access Token server clientSecret Client Secret of OIDC client used to access Token server tokenEndpoint Token endpoint of token server","title":"OIDC Client Details for Backend API Server"},{"location":"admin/admin-ui/configuration/#configuration-properties-for-user-interface","text":"Attribute Name Description uiConfig Object with UI configuration attributes sessionTimeoutInMins The admin UI will auto-logout after a period of inactivity defined in this field.","title":"Configuration Properties for User-Interface"},{"location":"admin/admin-ui/configuration/#oidc-client-details-for-license-server","text":"Access to the License APIs is managed through OIDC client details. These details allows the Gluu Flex Admin UI Backend to generated access token to allow the retrieval of license-related information using license APIs. The information is stored in json format with following attributes. Attribute Name Description opHost Auth Server hostname used to generate token to access License APIs clientId Client Id of OIDC client used to generate token to access License APIs clientSecret Client Secret of OIDC client used to generate token to access License APIs","title":"OIDC Client Details for License Server"},{"location":"admin/admin-ui/configuration/#license-metadata","text":"License metadata includes relevant information about the Gluu Flex Admin UI's licensing, such as License Key, Hardware id, License server url, License Auth server url, SSA used to register license auth server client. The information is stored in json format with following attributes. 
Attribute Name Description licenseConfig Object with License configuration details ssa SSA used to register OIDC client to access license APIs scanLicenseApiHostname SCAN License server hostname licenseHardwareKey Hardware key (org_id) to access license APIs Sample configuration stored in persistence { \"oidcConfig\": { \"auiWebClient\": { \"redirectUri\": \"https://your.host.com/admin\", \"postLogoutUri\": \"https://your.gost.com/admin\", \"frontchannelLogoutUri\": \"https://your.host.com/admin/logout\", \"scopes\": [ \"openid\", \"profile\", \"user_name\", \"email\" ], \"acrValues\": [ \"basic\" ], \"opHost\": \"https://your.host.com\", \"clientId\": \"2001.aaf0b8eb-a82e-4798-b1a0-e007803a6568\", \"clientSecret\": \"GGO4t1uixrTpl4Rizt3zag==\". \"additionalParameters\": [] }, \"auiBackendApiClient\": { \"tokenEndpoint\": \"https://your.host.com/jans-auth/restv1/token\", \"scopes\": [ \"openid\", \"profile\", \"user_name\", \"email\" ], \"opHost\": \"https://your.host.com\", \"clientId\": \"2001.aaf0b8eb-a82e-4798-b1a0-e007803a6568\", \"clientSecret\": \"GGO4t1uixrTpl4Rizt3zag==\" } }, \"uiConfig\": { \"sessionTimeoutInMins\": 30 }, \"licenseConfig\": { \"ssa\": \"...ssa in jwt format...\", \"scanLicenseApiHostname\": \"https://cloud-dev.gluu.cloud\", \"licenseKey\": \"XXXX-XXXX-XXXX-XXXX\", \"licenseHardwareKey\": \"github:ghUsername\", \"oidcClient\": { \"opHost\": \"https://account-dev.gluu.cloud\", \"clientId\": \"36a43e2b-a77b-4e9c-a966-a9d98af1665c\", \"clientSecret\": \"211188d8-a2d8-4562-ab53-80907c1bb5ba\" } } }","title":"License Metadata"},{"location":"admin/admin-ui/dashboard/","tags":["administration","admin-ui","dashboard"],"text":"Dashboard # After successful authentication, the administrator is taken to the dashboard. The dashboard brings an organized presentation of crucial details at one place adding to the convenience of users in tracking and analysis of auth server and other details. 
Dashboard fields descriptions # OIDC Clients Count: The count of OIDC clients created on auth server. Active Users Count: The count of active users on auth server. Token Issued Count: This figure is the sum of the access-tokens with grant-type client credentials and authorization code and id-token. OAuth server status: The health status of the auth server. For e.g. Running or Down . Database status: The health status of the persistence (e.g. PostgreSQL, MySQL, Google Spanner etc). License Details # Admin UI uses LicenseSpring platform for customer license management. Product Name: The name of the product created on the LicenseSpring platform. The license issued for Admin UI activation is created under this product. Check LicenseSpring docs for more details. License Type: The type of license issued. For e.g. Perpetual, Time Limited, Subscription and Consumption. Customer Email: To issue a license, we need to enter customer details like first name, last name, company, email and phone number in the LicenseSpring platform. This field displays the email of the customer of the license. Company Name: The company name of the registered product. License Status: The status of the license (e.g. active or inactive). Access Token Graph # The dashboard has a bar graph showing month-wise access-token with grant-type client credentials , authorization code and id_token generated from auth server. Localization and Theme selection # Admin UI supports localization. The default language is English. The other supported languages are French and Portuguese. A new preferred language can be selected from the top right corner of the dashboard which will convert the labels and tooltip to the selected language. The administrator can also select from four website themes in Admin UI.","title":"Home"},{"location":"admin/admin-ui/dashboard/#dashboard","text":"After successful authentication, the administrator is taken to the dashboard. 
The dashboard brings an organized presentation of crucial details at one place adding to the convenience of users in tracking and analysis of auth server and other details.","title":"Dashboard"},{"location":"admin/admin-ui/dashboard/#dashboard-fields-descriptions","text":"OIDC Clients Count: The count of OIDC clients created on auth server. Active Users Count: The count of active users on auth server. Token Issued Count: This figure is the sum of the access-tokens with grant-type client credentials and authorization code and id-token. OAuth server status: The health status of the auth server. For e.g. Running or Down . Database status: The health status of the persistence (e.g. PostgreSQL, MySQL, Google Spanner etc).","title":"Dashboard fields descriptions"},{"location":"admin/admin-ui/dashboard/#license-details","text":"Admin UI uses LicenseSpring platform for customer license management. Product Name: The name of the product created on the LicenseSpring platform. The license issued for Admin UI activation is created under this product. Check LicenseSpring docs for more details. License Type: The type of license issued. For e.g. Perpetual, Time Limited, Subscription and Consumption. Customer Email: To issue a license, we need to enter customer details like first name, last name, company, email and phone number in the LicenseSpring platform. This field displays the email of the customer of the license. Company Name: The company name of the registered product. License Status: The status of the license (e.g. active or inactive).","title":"License Details"},{"location":"admin/admin-ui/dashboard/#access-token-graph","text":"The dashboard has a bar graph showing month-wise access-token with grant-type client credentials , authorization code and id_token generated from auth server.","title":"Access Token Graph"},{"location":"admin/admin-ui/dashboard/#localization-and-theme-selection","text":"Admin UI supports localization. The default language is English. 
The other supported languages are French and Portuguese. A new preferred language can be selected from the top right corner of the dashboard which will convert the labels and tooltip to the selected language. The administrator can also select from four website themes in Admin UI.","title":"Localization and Theme selection"},{"location":"admin/admin-ui/faq/","text":"Frequently Asked Questions (FAQ) # Why is the Gluu Flex Admin UI displaying the following error messages after the Flex VM installation? # The requested page not found # Error Code: 404 The requested page was not found on this server. If a user encounters the above error when visiting the Admin UI URL, it indicates that the Admin UI is not properly installed. Please verify whether the Admin UI build is located at /var/www/html/admin . If the build is not present at this location, Janssen displays this error. Admin UI backend is down # Error Code: 503 Gluu Flex Admin UI is not getting any response from the backend (Jans Config Api). Gluu Flex Admin UI facilitates interaction with the Jans Auth Server through a REST API layer, Jans Config API . This error prompts administrators to perform a series of troubleshooting steps. Verify the status of the Jans Config API service by using the command systemctl status jans-config-api.service . In the majority of cases, this error is displayed when the Jans Config API is not running. It is essential to verify the server's network connectivity, including firewall rules, ports, and routing, to ensure that there are no network-related impediments preventing communication with the Jans Config API. Jans Config API runs at port 8074 for Janssen vm installation. Check the Jans Config API logs at /opt/jans/jetty/jans-config-api/logs/configapi.log for any potential errors. Review the Admin UI logs at /opt/jans/jetty/jans-config-api/logs/adminui.log to check for any potential errors. 
Confirm the existence of the /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar file. This file serves as the backend jar for the Admin UI and is used as a Jans Config API extension. It is also recommended to check the browser's console log and network tab for any failing requests, as this can provide additional information to diagnose and troubleshoot issues. Internal server error in generating Jans Config Api token # Error Code: 500 Error in generating token to access Jans Config Api endpoints. This error is displayed when there is an internal server error in generating an access token for the Jans Config API. The Jans Config API endpoints are protected and require a token with the appropriate scopes for access. Inspect the Gluu Flex Admin UI log at /opt/jans/jetty/jans-config-api/logs/adminui.log for any errors related to token requests. Examine the Janssen Auth server log at /opt/jans/jetty/jans-auth/logs/jans-auth.log while it is in debug/trace mode to identify any errors that may occur during token generation. Why is the Gluu Flex Admin UI is displaying following page to upload SSA? # During installation, it is necessary to provide a Software Statement Assertion (SSA), which the Admin UI utilizes to register an OIDC client for accessing license APIs. To obtain a new SSA or renew an existing one, please follow the steps outlined in the provided guide from the Agama Lab web interface. If the SSA used during the installation has expired or become invalidated, you will need to upload a fresh SSA to regain access to the Admin UI. Why is the Gluu Flex Admin UI is displaying following message on screen to generate trial license? # Payment Required. This message indicates that in order to enjoy long-term access to the Gluu Flex Admin UI, you will need to subscribe for a Admin UI license on the Agama Lab website. License validity period has expired. 
This message is displayed when a user attempts to generate a trial license (from the Admin UI) after the previously generated trial license has expired. Please note that the Admin UI 30-day trial license can only be generated once per Agama Lab user.","title":"FAQ & Troubleshooting"},{"location":"admin/admin-ui/faq/#frequently-asked-questions-faq","text":"","title":"Frequently Asked Questions (FAQ)"},{"location":"admin/admin-ui/faq/#why-is-the-gluu-flex-admin-ui-displaying-the-following-error-messages-after-the-flex-vm-installation","text":"","title":"Why is the Gluu Flex Admin UI displaying the following error messages after the Flex VM installation?"},{"location":"admin/admin-ui/faq/#the-requested-page-not-found","text":"Error Code: 404 The requested page was not found on this server. If a user encounters the above error when visiting the Admin UI URL, it indicates that the Admin UI is not properly installed. Please verify whether the Admin UI build is located at /var/www/html/admin . If the build is not present at this location, Janssen displays this error.","title":"The requested page not found"},{"location":"admin/admin-ui/faq/#admin-ui-backend-is-down","text":"Error Code: 503 Gluu Flex Admin UI is not getting any response from the backend (Jans Config Api). Gluu Flex Admin UI facilitates interaction with the Jans Auth Server through a REST API layer, Jans Config API . This error prompts administrators to perform a series of troubleshooting steps. Verify the status of the Jans Config API service by using the command systemctl status jans-config-api.service . In the majority of cases, this error is displayed when the Jans Config API is not running. It is essential to verify the server's network connectivity, including firewall rules, ports, and routing, to ensure that there are no network-related impediments preventing communication with the Jans Config API. Jans Config API runs at port 8074 for Janssen vm installation. 
Check the Jans Config API logs at /opt/jans/jetty/jans-config-api/logs/configapi.log for any potential errors. Review the Admin UI logs at /opt/jans/jetty/jans-config-api/logs/adminui.log to check for any potential errors. Confirm the existence of the /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar file. This file serves as the backend jar for the Admin UI and is used as a Jans Config API extension. It is also recommended to check the browser's console log and network tab for any failing requests, as this can provide additional information to diagnose and troubleshoot issues.","title":"Admin UI backend is down"},{"location":"admin/admin-ui/faq/#internal-server-error-in-generating-jans-config-api-token","text":"Error Code: 500 Error in generating token to access Jans Config Api endpoints. This error is displayed when there is an internal server error in generating an access token for the Jans Config API. The Jans Config API endpoints are protected and require a token with the appropriate scopes for access. Inspect the Gluu Flex Admin UI log at /opt/jans/jetty/jans-config-api/logs/adminui.log for any errors related to token requests. Examine the Janssen Auth server log at /opt/jans/jetty/jans-auth/logs/jans-auth.log while it is in debug/trace mode to identify any errors that may occur during token generation.","title":"Internal server error in generating Jans Config Api token"},{"location":"admin/admin-ui/faq/#why-is-the-gluu-flex-admin-ui-is-displaying-following-page-to-upload-ssa","text":"During installation, it is necessary to provide a Software Statement Assertion (SSA), which the Admin UI utilizes to register an OIDC client for accessing license APIs. To obtain a new SSA or renew an existing one, please follow the steps outlined in the provided guide from the Agama Lab web interface. 
If the SSA used during the installation has expired or become invalidated, you will need to upload a fresh SSA to regain access to the Admin UI.","title":"Why is the Gluu Flex Admin UI is displaying following page to upload SSA?"},{"location":"admin/admin-ui/faq/#why-is-the-gluu-flex-admin-ui-is-displaying-following-message-on-screen-to-generate-trial-license","text":"Payment Required. This message indicates that in order to enjoy long-term access to the Gluu Flex Admin UI, you will need to subscribe for a Admin UI license on the Agama Lab website. License validity period has expired. This message is displayed when a user attempts to generate a trial license (from the Admin UI) after the previously generated trial license has expired. Please note that the Admin UI 30-day trial license can only be generated once per Agama Lab user.","title":"Why is the Gluu Flex Admin UI is displaying following message on screen to generate trial license?"},{"location":"admin/admin-ui/fido-menu/","tags":["administration","admin-ui","fido2"],"text":"FIDO Configuration # FIDO 2.0 (FIDO2) is an open authentication standard that enables people to leverage common devices to authenticate to online services in both mobile and desktop environments. FIDO2 comprises the W3C\u2019s Web Authentication specification (WebAuthn) and FIDO\u2019s corresponding Client-to-Authenticator Protocol (CTAP). WebAuthn defines a standard web API that can be built into browsers and related web platform infrastructure to enable online services to use FIDO Authentication. CTAP enables external devices such as mobile handsets or FIDO Security Keys to work with WebAuthn and serve as authenticators to desktop applications and web services. Gluu Flex Admin UI allows configuring parameters of Janssen's FIDO2 server. 
Check following documnetation for details of FIDO2 configuration parameters.","title":"FIDO"},{"location":"admin/admin-ui/fido-menu/#fido-configuration","text":"FIDO 2.0 (FIDO2) is an open authentication standard that enables people to leverage common devices to authenticate to online services in both mobile and desktop environments. FIDO2 comprises the W3C\u2019s Web Authentication specification (WebAuthn) and FIDO\u2019s corresponding Client-to-Authenticator Protocol (CTAP). WebAuthn defines a standard web API that can be built into browsers and related web platform infrastructure to enable online services to use FIDO Authentication. CTAP enables external devices such as mobile handsets or FIDO Security Keys to work with WebAuthn and serve as authenticators to desktop applications and web services. Gluu Flex Admin UI allows configuring parameters of Janssen's FIDO2 server. Check following documnetation for details of FIDO2 configuration parameters.","title":"FIDO Configuration"},{"location":"admin/admin-ui/introduction/","tags":["administration","admin-ui","installation","license"],"text":"Gluu Flex Admin UI # Gluu Flex Admin UI is a web interface to simplify the management and configuration of your Janssen Authentication Server. One of the key services offered by Gluu Flex is the ability to view and edit configuration properties, interception scripts, clients, users, metrics, and more, all in one place. This user-friendly interface facilitates interaction with the Jans Auth Server through a REST API layer known as the Jans Config API. The above diagram explains interaction between various depending components. Admin UI Frontend # This user facing GUI has been developed using React.js and Redux is used for state management. The Admin UI utilizes an OpenAPI JavaScript client for Jans Config API, facilitating API calls to Jans Config API endpoints. The GUI utilizes popular libraries such as Material-UI , Axios, Formik , etc. 
Webpack is responsible for compiling and bundling the application, optimizing its performance, and generating the necessary production files. The Admin UI bundle is hosted on an Apache HTTP server , which is included as a component with the Janssen server installation. This setup ensures that the GUI is readily accessible and efficiently served to users. Admin UI Backend # The GUI utilizes a dedicated Java backend to handle specific tasks, such as reading the Admin UI configuration from persistence, managing Admin UI roles and permission mapping in configuration, performing audit logging, and making calls to license APIs on SCAN. The Jans Config API follows a flexible plugin architecture, allowing the addition of new APIs through extensions known as plugins, without the need to modify the core application. The Admin UI Backend has been incorporated into the Jans Config API as a plugin to address Admin UI-specific tasks. Installation # Gluu Flex can be installed using VM installer or using Rancher on Cloud Native. During installation, we need to provide a Software Statement Assertion (SSA) which is used by Admin UI to register an OIDC client to access license APIs. Check the following guide for the steps to issue SSA from the Agama Lab web interface. Gluu Flex License # After installation, the Admin UI can be accessed at https://hostname/admin (the hostname is provided during setup). Access to this web interface is granted only after subscribing to the Admin UI license from Agama Lab. There is a provision to generate a 30-day free trial license of Gluu Flex which will help users to enter and understand this web interface. After license activation, the user can log into Gluu Flex Admin UI using the default username ( admin ) and the password (the admin password provided during installation). 
Flex services dependencies # Gluu Flex Admin UI depends on following Flex services: Janssen Config API service (jans-config-api.service) The Apache HTTP Server (apache2.service)","title":"Introduction"},{"location":"admin/admin-ui/introduction/#gluu-flex-admin-ui","text":"Gluu Flex Admin UI is a web interface to simplify the management and configuration of your Janssen Authentication Server. One of the key services offered by Gluu Flex is the ability to view and edit configuration properties, interception scripts, clients, users, metrics, and more, all in one place. This user-friendly interface facilitates interaction with the Jans Auth Server through a REST API layer known as the Jans Config API. The above diagram explains interaction between various depending components.","title":"Gluu Flex Admin UI"},{"location":"admin/admin-ui/introduction/#admin-ui-frontend","text":"This user facing GUI has been developed using React.js and Redux is used for state management. The Admin UI utilizes an OpenAPI JavaScript client for Jans Config API, facilitating API calls to Jans Config API endpoints. The GUI utilizes popular libraries such as Material-UI , Axios, Formik , etc. Webpack is responsible for compiling and bundling the application, optimizing its performance, and generating the necessary production files. The Admin UI bundle is hosted on an Apache HTTP server , which is included as a component with the Janssen server installation. This setup ensures that the GUI is readily accessible and efficiently served to users.","title":"Admin UI Frontend"},{"location":"admin/admin-ui/introduction/#admin-ui-backend","text":"The GUI utilizes a dedicated Java backend to handle specific tasks, such as reading the Admin UI configuration from persistence, managing Admin UI roles and permission mapping in configuration, performing audit logging, and making calls to license APIs on SCAN. 
The Jans Config API follows a flexible plugin architecture, allowing the addition of new APIs through extensions known as plugins, without the need to modify the core application. The Admin UI Backend has been incorporated into the Jans Config API as a plugin to address Admin UI-specific tasks.","title":"Admin UI Backend"},{"location":"admin/admin-ui/introduction/#installation","text":"Gluu Flex can be installed using VM installer or using Rancher on Cloud Native. During installation, we need to provide a Software Statement Assertion (SSA) which is used by Admin UI to register an OIDC client to access license APIs. Check the following guide for the steps to issue SSA from the Agama Lab web interface.","title":"Installation"},{"location":"admin/admin-ui/introduction/#gluu-flex-license","text":"After installation, the Admin UI can be accessed at https://hostname/admin (the hostname is provided during setup). Access to this web interface is granted only after subscribing to the Admin UI license from Agama Lab. There is a provision to generate a 30-day free trial license of Gluu Flex which will help users to enter and understand this web interface. After license activation, the user can log into Gluu Flex Admin UI using the default username ( admin ) and the password (the admin password provided during installation).","title":"Gluu Flex License"},{"location":"admin/admin-ui/introduction/#flex-services-dependencies","text":"Gluu Flex Admin UI depends on following Flex services: Janssen Config API service (jans-config-api.service) The Apache HTTP Server (apache2.service)","title":"Flex services dependencies"},{"location":"admin/admin-ui/left-nav-menu/","tags":["administration","admin-ui","left navigation menu"],"text":"Left Navigation Menu # In the realm of web design and user experience, the left navigation menu holds a prominent position. It serves as a vital element in organizing and navigating the content within web applications. 
In Gluu Flex Admin UI the left navigation menu establishes a clear information hierarchy to access the core features. Gluu Flex Admin UI has the following main menus on the left navigation: Home Admin Auth server Schema Services SMTP Users Sign out","title":"Left Navigation Menu"},{"location":"admin/admin-ui/left-nav-menu/#left-navigation-menu","text":"In the realm of web design and user experience, the left navigation menu holds a prominent position. It serves as a vital element in organizing and navigating the content within web applications. In Gluu Flex Admin UI the left navigation menu establishes a clear information hierarchy to access the core features. Gluu Flex Admin UI has the following main menus on the left navigation: Home Admin Auth server Schema Services SMTP Users Sign out","title":"Left Navigation Menu"},{"location":"admin/admin-ui/logs/","tags":["administration","admin-ui","installation","logs"],"text":"Logs # Log files are essential components of a web application's infrastructure as they provide valuable insights into its functioning, performance, and potential issues. Log files play a critical role in maintaining, troubleshooting, and monitoring the Gluu Flex Admin UI application. Understanding the different log types, their locations, and the process of accessing and analyzing them will empower administrators to efficiently manage the application's health and quickly address any issues that may arise. Log File Types # The Gluu Flex Admin UI generates two types of log files: adminui.log : This is the backend log file that captures various activities, errors, and events related to the Gluu Flex Admin UI's operation. It provides insights into the application's behavior and potential issues. adminuiAudit.log : This audit log file records user interactions, actions, and events related to administrative activities. It's particularly useful for tracking changes made to the system and ensuring accountability. 
Configuration of Log Locations # The log locations for Gluu Flex Admin UI can be configured by modifying the log4j2-adminui.xml file located at: /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml Within this configuration file, you can adjust various settings such as log levels, appenders, and formats. Default Log Location # The default log location for the Admin UI backend is: /var/log/adminui It is also recommended to check the browser's console log and network tab for any failing requests, as this can provide additional information to diagnose and troubleshoot issues.","title":"Logs"},{"location":"admin/admin-ui/logs/#logs","text":"Log files are essential components of a web application's infrastructure as they provide valuable insights into its functioning, performance, and potential issues. Log files play a critical role in maintaining, troubleshooting, and monitoring the Gluu Flex Admin UI application. Understanding the different log types, their locations, and the process of accessing and analyzing them will empower administrators to efficiently manage the application's health and quickly address any issues that may arise.","title":"Logs"},{"location":"admin/admin-ui/logs/#log-file-types","text":"The Gluu Flex Admin UI generates two types of log files: adminui.log : This is the backend log file that captures various activities, errors, and events related to the Gluu Flex Admin UI's operation. It provides insights into the application's behavior and potential issues. adminuiAudit.log : This audit log file records user interactions, actions, and events related to administrative activities. 
It's particularly useful for tracking changes made to the system and ensuring accountability.","title":"Log File Types"},{"location":"admin/admin-ui/logs/#configuration-of-log-locations","text":"The log locations for Gluu Flex Admin UI can be configured by modifying the log4j2-adminui.xml file located at: /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml Within this configuration file, you can adjust various settings such as log levels, appenders, and formats.","title":"Configuration of Log Locations"},{"location":"admin/admin-ui/logs/#default-log-location","text":"The default log location for the Admin UI backend is: /var/log/adminui It is also recommended to check the browser's console log and network tab for any failing requests, as this can provide additional information to diagnose and troubleshoot issues.","title":"Default Log Location"},{"location":"admin/admin-ui/properties/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Properties"},{"location":"admin/admin-ui/properties/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"admin/admin-ui/schema-menu/","tags":["administration","admin-ui","schema","person","attributes"],"text":"Schema # Attributes are individual pieces of user data, like uid or email, that are required by applications in order to identify a user and grant access to protected resources. The Person attributes that are available in your Janssen server can be found by navigating Schema > Person . The following fields are supported in the Person (attribute) creation form: Name: This field defines the name of the Person attribute. The name must be unique in the Janssen Server persistence tree. 
Display Name: The display name can be anything that is human-readable. Description: The description of the attribute. Status: Used to mark the attribute as Active so that it can be used in your federation service or choose Inactive to create the attribute that can be activated at a later date. Data Type: Select what type of attribute is being added in this field. Edit Type: This field controls who can edit this attribute. If user is selected, this will enable each user to edit this attribute in their Janssen server user profile. View Type: This field controls which type of user is allowed to view the corresponding attribute on the web user interface. oxAuth claim name: If this attribute will be used as a 'claim' in your OpenID Connect service, add the name of the claim here. Generally, the name of the attribute == name of the claim . Multivalued?: If the attribute contains more than one value, set this field to True. Hide On Discovery?: Boolean value indicating if the attribute should be shown on the discovery page. Include In SCIM Extension?: Boolean value indicating if the attribute is a SCIM custom attribute. Enable custom validation for this attribute?: If you plan to set minimum and maximum lengths or a regex pattern, as described below, you will need to enable custom validation for this attribute. Otherwise, you can leave this disabled. Regular expression: You can set a regex pattern to enforce the proper formatting of an attribute. For example, you could set a regex expression for an email attribute like this: ^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}$. This would make sure that a value is added for the attribute only if it follows standard email formatting. Minimum length: This is the minimum length of a value associated with this attribute. Maximum length: This is the maximum length of a value associated with this attribute. Saml1 URI: This field can contain a SAML v1 supported nameformat for the new attribute. 
If this field is left blank the Janssen Server will automatically populate a value. Saml2 URI: This field can contain a SAML v2 supported nameformat for the new attribute. If this field is left blank the Janssen Server will automatically populate a value.","title":"Schema"},{"location":"admin/admin-ui/schema-menu/#schema","text":"Attributes are individual pieces of user data, like uid or email, that are required by applications in order to identify a user and grant access to protected resources. The Person attributes that are available in your Janssen server can be found by navigating Schema > Person . The following fields are supported in the Person (attribute) creation form: Name: This field defines the name of the Person attribute. The name must be unique in the Janssen Server persistence tree. Display Name: The display name can be anything that is human-readable. Description: The description of the attribute. Status: Used to mark the attribute as Active so that it can be used in your federation service or choose Inactive to create the attribute that can be activated at a later date. Data Type: Select what type of attribute is being added in this field. Edit Type: This field controls who can edit this attribute. If user is selected, this will enable each user to edit this attribute in their Janssen server user profile. View Type: This field controls which type of user is allowed to view the corresponding attribute on the web user interface. oxAuth claim name: If this attribute will be used as a 'claim' in your OpenID Connect service, add the name of the claim here. Generally, the name of the attribute == name of the claim . Multivalued?: If the attribute contains more than one value, set this field to True. Hide On Discovery?: Boolean value indicating if the attribute should be shown on the discovery page. Include In SCIM Extension?: Boolean value indicating if the attribute is a SCIM custom attribute. 
Enable custom validation for this attribute?: If you plan to set minimum and maximum lengths or a regex pattern, as described below, you will need to enable custom validation for this attribute. Otherwise, you can leave this disabled. Regular expression: You can set a regex pattern to enforce the proper formatting of an attribute. For example, you could set a regex expression for an email attribute like this: ^[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,6}$. This would make sure that a value is added for the attribute only if it follows standard email formatting. Minimum length: This is the minimum length of a value associated with this attribute. Maximum length: This is the maximum length of a value associated with this attribute. Saml1 URI: This field can contain a SAML v1 supported nameformat for the new attribute. If this field is left blank the Janssen Server will automatically populate a value. Saml2 URI: This field can contain a SAML v2 supported nameformat for the new attribute. If this field is left blank the Janssen Server will automatically populate a value.","title":"Schema"},{"location":"admin/admin-ui/services-menu/","tags":["administration","admin-ui","services","cache-configuration"],"text":"Services # This menu allows user to configure Cache Provider and LDAP schemas which can be used by the auth server. Cache Provider Configuration # The following cache providers are supported in Janssen's auth server: In Memory : recommended for small deployments only Memcached : recommended for single cache server deployment Redis : recommended for cluster deployments Native Persistence : recommended avoiding additional components' installation. All cache entries are saved in persistence layers. Cache Provider Properties # The following tables include the name and description of each Cache Provider's properties. 
Cache Configuration # Name Description Cache Provider Type The cache provider type Memcached Configuration # Name Description Server Details Server details separated by spaces (e.g. `server1:8080 server2:8081) Max Operation Queue Length Maximum number of operations that can be queued Buffer Size Buffer size in bytes Default Put Expiration Expiration timeout value in seconds Connection Factory Type Connection factory type In-Memory Configuration # Name Description Default Put Expiration Default put expiration timeout value in seconds Redis Configuration # Name Description Redis Provider Type Type of connection: standalone, clustered, sharded, sentinel Server Details Server details separated by commas (e.g. 'server1:8080,server2:8081') Use SSL Enable SSL communication between Gluu Server and Redis cache Password Redis password Sentinel Master Group Name Sentinel Master Group Name (required if SENTINEL type of connection is selected) SSL Trust Store File Path Directory Path to Trust Store Default Put Expiration Default expiration time for the object put into cache in seconds Max Retry Attempts Max retry attepts in case of failure So Timeout With this option set to a non-zero timeout, a read() call on the InputStream associated with this Socket will block for only this amount of time. If the timeout expires, a java.net.SocketTimeoutException is raised, though the Socket is still valid. The option must be enabled prior to entering the blocking operation to have effect. The timeout must be > 0. A timeout of zero is interpreted as an infinite timeout. Max Idle Connections The cap on the number of \\\"idle\\\" instances in the pool. If maxIdle is set too low on heavily loaded systems it is possible you will see objects being destroyed and almost immediately new objects being created. This is a result of the active threads momentarily returning objects faster than they are requesting them, causing the number of idle objects to rise above maxIdle. 
The best value for maxIdle for heavily loaded system will vary but the default is a good starting point. Max Total Connections The number of maximum connection instances in the pool Connection Timeout Connection time out Native Persistence Configuration # Name Description Default Put Expiration Default expiration time for the object put into cache in seconds Default Cleanup Batch Size Default cleanup batch page size Delete Expired OnGetRequest whether to delete on GET request","title":"Services"},{"location":"admin/admin-ui/services-menu/#services","text":"This menu allows user to configure Cache Provider and LDAP schemas which can be used by the auth server.","title":"Services"},{"location":"admin/admin-ui/services-menu/#cache-provider-configuration","text":"The following cache providers are supported in Janssen's auth server: In Memory : recommended for small deployments only Memcached : recommended for single cache server deployment Redis : recommended for cluster deployments Native Persistence : recommended avoiding additional components' installation. All cache entries are saved in persistence layers.","title":"Cache Provider Configuration"},{"location":"admin/admin-ui/services-menu/#cache-provider-properties","text":"The following tables include the name and description of each Cache Provider's properties.","title":"Cache Provider Properties"},{"location":"admin/admin-ui/services-menu/#cache-configuration","text":"Name Description Cache Provider Type The cache provider type","title":"Cache Configuration"},{"location":"admin/admin-ui/services-menu/#memcached-configuration","text":"Name Description Server Details Server details separated by spaces (e.g. 
`server1:8080 server2:8081) Max Operation Queue Length Maximum number of operations that can be queued Buffer Size Buffer size in bytes Default Put Expiration Expiration timeout value in seconds Connection Factory Type Connection factory type","title":"Memcached Configuration"},{"location":"admin/admin-ui/services-menu/#in-memory-configuration","text":"Name Description Default Put Expiration Default put expiration timeout value in seconds","title":"In-Memory Configuration"},{"location":"admin/admin-ui/services-menu/#redis-configuration","text":"Name Description Redis Provider Type Type of connection: standalone, clustered, sharded, sentinel Server Details Server details separated by commas (e.g. 'server1:8080,server2:8081') Use SSL Enable SSL communication between Gluu Server and Redis cache Password Redis password Sentinel Master Group Name Sentinel Master Group Name (required if SENTINEL type of connection is selected) SSL Trust Store File Path Directory Path to Trust Store Default Put Expiration Default expiration time for the object put into cache in seconds Max Retry Attempts Max retry attepts in case of failure So Timeout With this option set to a non-zero timeout, a read() call on the InputStream associated with this Socket will block for only this amount of time. If the timeout expires, a java.net.SocketTimeoutException is raised, though the Socket is still valid. The option must be enabled prior to entering the blocking operation to have effect. The timeout must be > 0. A timeout of zero is interpreted as an infinite timeout. Max Idle Connections The cap on the number of \\\"idle\\\" instances in the pool. If maxIdle is set too low on heavily loaded systems it is possible you will see objects being destroyed and almost immediately new objects being created. This is a result of the active threads momentarily returning objects faster than they are requesting them, causing the number of idle objects to rise above maxIdle. 
The best value for maxIdle for heavily loaded system will vary but the default is a good starting point. Max Total Connections The number of maximum connection instances in the pool Connection Timeout Connection time out","title":"Redis Configuration"},{"location":"admin/admin-ui/services-menu/#native-persistence-configuration","text":"Name Description Default Put Expiration Default expiration time for the object put into cache in seconds Default Cleanup Batch Size Default cleanup batch page size Delete Expired OnGetRequest whether to delete on GET request","title":"Native Persistence Configuration"},{"location":"admin/admin-ui/smtp-menu/","tags":["administration","admin-ui","smtp"],"text":"SMTP Configuration # The description of all the fields in SMTP configuration form: Fields Description SMTP Host Hostname of the SMTP server Connect Protection Protocol to protect connection From Name Name of the sender From Email Address Email Address of the Sender Requires Authentication This checkbox enables sender authentication SMTP User Name Username of the SMTP SMTP User Password Password for the SMTP Requires SSL This checkbox enables the SSL SMTP Port Port number of the SMTP server Keystore","title":"SMTP"},{"location":"admin/admin-ui/smtp-menu/#smtp-configuration","text":"The description of all the fields in SMTP configuration form: Fields Description SMTP Host Hostname of the SMTP server Connect Protection Protocol to protect connection From Name Name of the sender From Email Address Email Address of the Sender Requires Authentication This checkbox enables sender authentication SMTP User Name Username of the SMTP SMTP User Password Password for the SMTP Requires SSL This checkbox enables the SSL SMTP Port Port number of the SMTP server Keystore","title":"SMTP Configuration"},{"location":"admin/admin-ui/userMgmt-menu/","tags":["administration","admin-ui","users"],"text":"Users # This interface allows the administrator to create, edit, delete and search user records in 
Janssen persistence. The user creation/modification form has First Name, Middle Name, Last Name, Username, Display Name, Email, Status and Password fields populated by default on it. The administrator can select and add more user attributes to the form from the right Available Claims panel. To add a new user claim, please follow this document . Different Admin UI Roles can be assigned to the user in the jansAdminUIRole attribute (to be selected from the Available Claims panel).","title":"Users"},{"location":"admin/admin-ui/userMgmt-menu/#users","text":"This interface allows the administrator to create, edit, delete and search user records in Janssen persistence. The user creation/modification form has First Name, Middle Name, Last Name, Username, Display Name, Email, Status and Password fields populated by default on it. The administrator can select and add more user attributes to the form from the right Available Claims panel. To add a new user claim, please follow this document . Different Admin UI Roles can be assigned to the user in the jansAdminUIRole attribute (to be selected from the Available Claims panel).","title":"Users"},{"location":"admin/admin-ui/webhooks/","tags":["administration","admin-ui","webhooks"],"text":"Webhooks # Gluu Flex Admin UI serves as a powerful web interface designed to streamline the management and configuration of the Janssen Authentication Server. To further extend its capabilities, Gluu Flex Admin UI integrates the use of webhooks, enabling the execution of custom business logic during the creation, update, and deletion of information on the Janssen Authentication Server. The seamless integration of webhooks into this interface enhances its functionality, offering a dynamic and extensible solution. Webhooks are a mechanism for automating workflows by allowing external systems to be notified of specific events. 
In the context of Gluu Flex Admin UI, webhooks can be mapped to various Admin UI features to execute custom business logic when events associated with those features occur. Administrators can map one or more webhooks to specific feature events using the user interface. Webhook management on the UI # The webhook create/update form consists for following fields. Field Description Required Webhook Id The unique identifier of webhook Yes. Generated by Admin UI Webhook Name The name give to webhook Yes URL The webhook url Yes HTTP Method The type HTTP request (e.g. GET, POST, PUT, PATCH, DELETE ) Yes Description Webhook description No Webhook Headers The HTTP request headers No Request Body The HTTP request body Mandatory for POST, PUT, PATCH requests Enabled Toggle switch to enable/disable webhook Yes Admin UI Features The Admin UI features which can be mapped to the webhook No Once a webhook is created it can be searched, edited or deleted. Shortcodes # When working with webhooks, shortcodes play a crucial role in dynamically injecting data into URLs and request bodies. They allow for flexible and customizable communication between different systems. Shortcode is denoted by curly braces ${} . Using shortcodes in webhook url: Shortcodes can be used in path parameters or query parameters of webhook url. https://example.com/webhook/ ${ inum } /update https://example.com/webhook?action = ${ action } & user_id = ${ userId } Using shortcodes in webhook request-body: Webhook request bodies can utilize placeholders to dynamically populate data sent to the recipient system. { \"username\" : \" ${ username } \" , \"email\" : \" ${ email } \" , \"password\" : \" ${ password } \" } Triggering webhooks # The webhooks can be mapped with one or more Admin UI feature(s) using the webhook create/update form . The following Admin UI features can be mapped to the webhooks. 
Feature Name Action Permission Custom Script Add/Edit https://jans.io/oauth/config/scripts.write Custom Script Delete https://jans.io/oauth/config/scripts.delete FIDO Configuration Edit https://jans.io/oauth/jans-auth-server/config/properties.write Jans Link Edit https://jans.io/oauth/config/jans-link.write OIDC Clients Add/Edit https://jans.io/oauth/config/openid/clients.write OIDC Clients Delete https://jans.io/oauth/config/openid/clients.delete Scopes Add/Edit https://jans.io/oauth/config/scopes.write Scopes Delete https://jans.io/oauth/config/scopes.delete Schema:Person Add/Edit https://jans.io/oauth/config/attributes.write Schema:Person Delete https://jans.io/oauth/config/attributes.delete SCIM Configuration Edit https://jans.io/scim/config.write SMTP Configuration Edit https://jans.io/oauth/config/smtp.write Users Add/Edit https://jans.io/oauth/config/user.write Users Delete https://jans.io/oauth/config/user.delete When the feature action is performed (e.g. submitting the \"create new user\" form), the Admin UI displays the consent dialog with a list of webhooks that will be triggered upon the successful execution of the event. If the user clicks on the Accept button, all the enabled webhooks will be triggered during the event execution. The Admin UI is unable to proceed with event execution if any webhook fails during the process.","title":"Webhooks"},{"location":"admin/admin-ui/webhooks/#webhooks","text":"Gluu Flex Admin UI serves as a powerful web interface designed to streamline the management and configuration of the Janssen Authentication Server. To further extend its capabilities, Gluu Flex Admin UI integrates the use of webhooks, enabling the execution of custom business logic during the creation, update, and deletion of information on the Janssen Authentication Server. The seamless integration of webhooks into this interface enhances its functionality, offering a dynamic and extensible solution. 
Webhooks are a mechanism for automating workflows by allowing external systems to be notified of specific events. In the context of Gluu Flex Admin UI, webhooks can be mapped to various Admin UI features to execute custom business logic when events associated with those features occur. Administrators can map one or more webhooks to specific feature events using the user interface.","title":"Webhooks"},{"location":"admin/admin-ui/webhooks/#webhook-management-on-the-ui","text":"The webhook create/update form consists for following fields. Field Description Required Webhook Id The unique identifier of webhook Yes. Generated by Admin UI Webhook Name The name give to webhook Yes URL The webhook url Yes HTTP Method The type HTTP request (e.g. GET, POST, PUT, PATCH, DELETE ) Yes Description Webhook description No Webhook Headers The HTTP request headers No Request Body The HTTP request body Mandatory for POST, PUT, PATCH requests Enabled Toggle switch to enable/disable webhook Yes Admin UI Features The Admin UI features which can be mapped to the webhook No Once a webhook is created it can be searched, edited or deleted.","title":"Webhook management on the UI"},{"location":"admin/admin-ui/webhooks/#shortcodes","text":"When working with webhooks, shortcodes play a crucial role in dynamically injecting data into URLs and request bodies. They allow for flexible and customizable communication between different systems. Shortcode is denoted by curly braces ${} . Using shortcodes in webhook url: Shortcodes can be used in path parameters or query parameters of webhook url. https://example.com/webhook/ ${ inum } /update https://example.com/webhook?action = ${ action } & user_id = ${ userId } Using shortcodes in webhook request-body: Webhook request bodies can utilize placeholders to dynamically populate data sent to the recipient system. 
{ \"username\" : \" ${ username } \" , \"email\" : \" ${ email } \" , \"password\" : \" ${ password } \" }","title":"Shortcodes"},{"location":"admin/admin-ui/webhooks/#triggering-webhooks","text":"The webhooks can be mapped with one or more Admin UI feature(s) using the webhook create/update form . The following Admin UI features can be mapped to the webhooks. Feature Name Action Permission Custom Script Add/Edit https://jans.io/oauth/config/scripts.write Custom Script Delete https://jans.io/oauth/config/scripts.delete FIDO Configuration Edit https://jans.io/oauth/jans-auth-server/config/properties.write Jans Link Edit https://jans.io/oauth/config/jans-link.write OIDC Clients Add/Edit https://jans.io/oauth/config/openid/clients.write OIDC Clients Delete https://jans.io/oauth/config/openid/clients.delete Scopes Add/Edit https://jans.io/oauth/config/scopes.write Scopes Delete https://jans.io/oauth/config/scopes.delete Schema:Person Add/Edit https://jans.io/oauth/config/attributes.write Schema:Person Delete https://jans.io/oauth/config/attributes.delete SCIM Configuration Edit https://jans.io/scim/config.write SMTP Configuration Edit https://jans.io/oauth/config/smtp.write Users Add/Edit https://jans.io/oauth/config/user.write Users Delete https://jans.io/oauth/config/user.delete When the feature action is performed (e.g. submitting the \"create new user\" form), the Admin UI displays the consent dialog with a list of webhooks that will be triggered upon the successful execution of the event. If the user clicks on the Accept button, all the enabled webhooks will be triggered during the event execution. The Admin UI is unable to proceed with event execution if any webhook fails during the process.","title":"Triggering webhooks"},{"location":"admin/kubernetes-ops/","tags":["administration","kubernetes","operations"],"text":"Overview # This Operation guide helps you learn about the common operations for Gluu Flex on Kubernetes. Note Since Flex = Janssen + Admin-UI. 
The Kubernetes Operations in Gluu Flex are identitical to Janssen . You will mostly only need to change the helm chart reference from janssen/janssen to gluu-flex/gluu , along with the helm release name and namespace. Here's an example how would the upgrade of Flex looks like. Common Operations # Upgrade Admin-UI Private Scaling Backup and Restore Certificate Management Customization Start Order Logs External Secrets and Configmaps Health Check TUI K8s Custom Attributes Jans SAML/Keycloak Memory Dump","title":"Overview"},{"location":"admin/kubernetes-ops/#overview","text":"This Operation guide helps you learn about the common operations for Gluu Flex on Kubernetes. Note Since Flex = Janssen + Admin-UI. The Kubernetes Operations in Gluu Flex are identitical to Janssen . You will mostly only need to change the helm chart reference from janssen/janssen to gluu-flex/gluu , along with the helm release name and namespace. Here's an example how would the upgrade of Flex looks like.","title":"Overview"},{"location":"admin/kubernetes-ops/#common-operations","text":"Upgrade Admin-UI Private Scaling Backup and Restore Certificate Management Customization Start Order Logs External Secrets and Configmaps Health Check TUI K8s Custom Attributes Jans SAML/Keycloak Memory Dump","title":"Common Operations"},{"location":"admin/kubernetes-ops/admin-ui-private/","tags":["administration","kubernetes","operations","private","internal","admin-ui"],"text":"Overview # This document demonstrates a method to override the URLs in the admin-ui used to connect to the backend services, such as the config API. This way the calls are made privately without hitting the FQDN through the internet. 
Configuration # We will install nginx in ingress-nginx namespace using the following command: helm install ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx and thus, the svc is accessible at ingress-nginx-controller.ingress-nginx.svc.cluster.local Modify values.yaml : admin-ui : usrEnvs : normal : CN_CONFIG_API_BASE_URL : https://ingress.local:8443 CN_AUTH_BASE_URL : https://ingress.local:8443 CN_TOKEN_SERVER_BASE_URL : https://ingress-nginx-controller.ingress-nginx.svc.cluster.local config-api : usrEnvs : normal : CN_TOKEN_SERVER_BASE_URL : https://ingress-nginx-controller.ingress-nginx.svc.cluster.local nginx-ingress : ingress : hosts : - demoexample.gluu.org # adjust Gluu FQDN used as needed - ingress-nginx-controller.ingress-nginx.svc.cluster.local - ingress.local Deploy the flex helm chart using the updated values.yaml To allow the browser to access internal service, add an entry inside /etc/hosts file: 127.0.0.1 ingress.local ingress-nginx-controller.ingress-nginx.svc.cluster.local By default, the ingress-nginx-controller deployment uses fake certificate generated by k8s. Add a new certificate (self-signed certificate and key are sufficient) as the default certificate into the ingress controller. Generate SSL cert and key using your preferred tool. Make sure to add domain ingress-nginx-controller.ingress-nginx.svc.cluster.local and ingress.local in SAN section. 
Example: openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes -keyout ingress.local.key -out ingress.local.crt -subj \"/CN=ingress.local\" -addext \"subjectAltName=DNS:ingress.local,DNS:ingress-nginx-controller.ingress-nginx.svc.cluster.local\" Create secrets to store the certificate and key, for example: kubectl -n create secret tls internal-tls-certificate --cert /path/to/cert --key /path/to/key Modify the ingress-nginx-controller deployment: apiVersion : apps/v1 kind : Deployment metadata : name : ingress-nginx-controller namespace : ingress-nginx spec : template : spec : containers : - args : # some arguments are omitted # add a new argument to load self-signed cert - --default-ssl-certificate=/internal-tls-certificate Rollout restart the ingress-nginx-controller deployment. Expose the service IP (port 443) to host (port 8443): kubectl -n ingress-nginx port-forward svc/ingress-nginx-controller 8443:443 & OPTIONAL : if the K8s cluster is deployed at a remote VM, make SSH tunneling before accessing the admin-ui web: ssh -N -L 8443:localhost:8443 @ & Hit https://ingress.local:8443 and allow the browser to skip certificate validation. Visit https:///admin","title":"Admin-UI Private"},{"location":"admin/kubernetes-ops/admin-ui-private/#overview","text":"This document demonstrates a method to override the URLs in the admin-ui used to connect to the backend services, such as the config API. 
This way the calls are made privately without hitting the FQDN through the internet.","title":"Overview"},{"location":"admin/kubernetes-ops/admin-ui-private/#configuration","text":"We will install nginx in ingress-nginx namespace using the following command: helm install ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx and thus, the svc is accessible at ingress-nginx-controller.ingress-nginx.svc.cluster.local Modify values.yaml : admin-ui : usrEnvs : normal : CN_CONFIG_API_BASE_URL : https://ingress.local:8443 CN_AUTH_BASE_URL : https://ingress.local:8443 CN_TOKEN_SERVER_BASE_URL : https://ingress-nginx-controller.ingress-nginx.svc.cluster.local config-api : usrEnvs : normal : CN_TOKEN_SERVER_BASE_URL : https://ingress-nginx-controller.ingress-nginx.svc.cluster.local nginx-ingress : ingress : hosts : - demoexample.gluu.org # adjust Gluu FQDN used as needed - ingress-nginx-controller.ingress-nginx.svc.cluster.local - ingress.local Deploy the flex helm chart using the updated values.yaml To allow the browser to access internal service, add an entry inside /etc/hosts file: 127.0.0.1 ingress.local ingress-nginx-controller.ingress-nginx.svc.cluster.local By default, the ingress-nginx-controller deployment uses fake certificate generated by k8s. Add a new certificate (self-signed certificate and key are sufficient) as the default certificate into the ingress controller. Generate SSL cert and key using your preferred tool. Make sure to add domain ingress-nginx-controller.ingress-nginx.svc.cluster.local and ingress.local in SAN section. 
Example: openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes -keyout ingress.local.key -out ingress.local.crt -subj \"/CN=ingress.local\" -addext \"subjectAltName=DNS:ingress.local,DNS:ingress-nginx-controller.ingress-nginx.svc.cluster.local\" Create secrets to store the certificate and key, for example: kubectl -n create secret tls internal-tls-certificate --cert /path/to/cert --key /path/to/key Modify the ingress-nginx-controller deployment: apiVersion : apps/v1 kind : Deployment metadata : name : ingress-nginx-controller namespace : ingress-nginx spec : template : spec : containers : - args : # some arguments are omitted # add a new argument to load self-signed cert - --default-ssl-certificate=/internal-tls-certificate Rollout restart the ingress-nginx-controller deployment. Expose the service IP (port 443) to host (port 8443): kubectl -n ingress-nginx port-forward svc/ingress-nginx-controller 8443:443 & OPTIONAL : if the K8s cluster is deployed at a remote VM, make SSH tunneling before accessing the admin-ui web: ssh -N -L 8443:localhost:8443 @ & Hit https://ingress.local:8443 and allow the browser to skip certificate validation. Visit https:///admin","title":"Configuration"},{"location":"admin/kubernetes-ops/upgrade/","tags":["administration","kubernetes","operations","helm","upgrade"],"text":"This guide shows how to upgrade a Gluu Flex helm deployment. 
helm ls -n Keep note of the helm release version Add your changes to override.yaml Apply your upgrade: helm upgrade gluu-flex/gluu -n -f override.yaml --version=replace-flex-version","title":"Upgrade"},{"location":"admin/recipes/","tags":["administration","recipes"],"text":"Overview # Please use the left navigation menu to browse the content of this section while we are still working on developing content for Overview page.","title":"Overview"},{"location":"admin/recipes/#overview","text":"Please use the left navigation menu to browse the content of this section while we are still working on developing content for Overview page.","title":"Overview"},{"location":"admin/recipes/getting-started-rancher/","text":"Overview # Gluu Flex (\u201cFlex\u201d) is a cloud-native digital identity platform that enables organizations to authenticate and authorize people and software through the use of open standards like OpenID Connect, OAuth, and FIDO. It is a downstream commercial distribution of the Linux Foundation Janssen Project software, plus a web administration tool(Gluu Admin-UI). SUSE Rancher\u2019s helm-based deployment approach simplifies the deployment and configuration of Flex, enabling organizations to take advantage of Flex\u2019s modular design to improve their security posture while simultaneously enabling just-in-time auto-scaling. The key services of Flex include: (REQUIRED) Jans Auth Server : This component is the OAuth Authorization Server, the OpenID Connect Provider, and the UMA Authorization Server for person and software authentication. This service must be Internet-facing. (REQUIRED) Jans Config API : The API to configure the auth-server and other components is consolidated in this component. This service should not be Internet-facing. Gluu Admin UI : Web admin tool for ad-hoc configuration. Jans Fido : This component provides the server-side endpoints to enroll and validate devices that use FIDO. 
It provides both FIDO U2F (register, authenticate) and FIDO 2 (attestation, assertion) endpoints. This service must be Internet-facing. Jans SCIM : System for Cross-domain Identity Management ( SCIM ) is JSON/REST API to manage user data. Use it to add, edit and update user information. This service should not be Internet-facing. Jans Casa : A self-service web portal for end-users to manage authentication and authorization preferences for their account in the Gluu Flex server. Typically, it enables people to manage their MFA credentials, like FIDO tokens and OTP authenticators. It's also extensible if your organization has any other self-service requirements. Building Blocks # Scope # In this Quickstart Guide, we will: Deploy Flex and add some users. Enable two-factor authentication. Protect content on an Apache web server with OpenID Connect. Audience # This document is intended for DevOps engineers, site reliability engineers (SREs), platform engineers, software engineers, and developers who are responsible for managing and running stateful workloads in Kubernetes clusters. Technical overview # In addition to the core services listed in the Introduction above, the SUSE Rancher deployment includes the following components: PostgreSQL/MySQL : SQL database dialect used to store configuration, people clients, sessions and other data needed for Gluu Flex operation. Cert Manager : Used for managing X.509 certificates and crypto keys lifecycle in Janssen Server. Key Rotation : A cronjob that implements Cert Manager to rotate the auth keys Configuration job : loads (generate/restore) and dumps (backup) the configuration and secrets. Persistence job : This job loads initial data for the backend used (SQL or Couchbase). ConfigMaps : Stores configuration needed for Flex environment setup. Secrets : Contains sensitive or confidential data such as a password, a token, or a key. 
Config and Secret keys # The Configuration job creates a set of configurations and secrets used by all services in the Flex setup. To check the values of the configuration keys(configmaps) in the installation: kubectl get cm cn -o json -n To check the values of the secret keys in installation: kubectl get secret cn -o json -n Gluu Config Keys # Key Example Values admin_email team@gluu.org admin_inum d3afef58-c026-4514-9d4c-e0a3efb4c29d admin_ui_client_id 1901.a6575c1e-4688-4c11-8c95-d9e570b13ee8 auth_enc_keys RSA1_5 RSA-OAEP auth_key_rotated_at 1653517558 auth_legacyIdTokenClaims false auth_openidScopeBackwardCompatibility false auth_openid_jks_fn /etc/certs/auth-keys.jks auth_openid_jwks_fn /etc/certs/auth-keys.json casa_client_id 0008-db36db1f-025e-4164-aeed-f82df064eee8 auth_sig_keys RS256 RS384 RS512 ES256 ES384 ES512 PS384 PS512 city Austin country_code US default_openid_jks_dn_name CN=Janssen Auth CA Certificate fido2ConfigFolder /etc/jans/conf/fido2 hostname demoexample.gluu.org jca_client_id 1801.4df6c3ba-ebf6-4836-8fb5-6da927586f61 optional_scopes [\\\"casa\\\", \\\"sql\\\", \\\"fido2\\\", \\\"scim\\\"] orgName Gluu tui_client_id 2000.9313cd4b-147c-4a67-96be-8a69ddbaf7e9 scim_client_id 1201.1cbcc731-3fca-4668-a480-1b5f5a7d6a53 state TX token_server_admin_ui_client_id 1901.57a858dc-69f3-4967-befe-e089fe376638 Gluu Secret Keys # Key Example Values admin_ui_client_encoded_pw QlBMMTZUZWVYeWczVlpNUk1XN0pzdzrg admin_ui_client_pw WnJYZEcyVlNBWG9d auth_jks_base64 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx auth_openid_jks_pass TWZoR3Rlb0NnUHEP auth_openid_key_base64 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx casa_client_encoded_pw b3NabG9oVGNncFVVWFpxNEJMU3V0dzrg casa_client_pw M1g0Z1dEbGNPQ19d encoded_admin_password e3NzaGF9eGpOaDRyblU3dzJZbmpPclovMUlheTdkR0RrOTdLe encoded_salt Um9NSEJnOU9IbTRvRkJHVVZETVZIeXEP jca_client_encoded_pw Um9NSEJnOU9IbTRvRkJHVVZETVZIeX58 jca_client_pw Um9NSEJnOU9IbTRvR otp_configuration xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
pairwiseCalculationKey ZHd2VW01Y3VOUW6638ZHd2VW pairwiseCalculationSalt ZHd2VW01Y3VOUW6638ZHd2VW0 plugins_admin_ui_properties xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx tui_client_encoded_pw ZHd2VW01Y3VOUW66388PS512 tui_client_pw AusZHd2VW01Y3VOUW6638 scim_client_encoded_pw UZHd2VW01Y3VOUW6638ZHd2VW01Y3VOUW6638 scim_client_pw ZHd2VW01Y3VOUW6638 sql_password ZHd2VW01Y3V638 ssl_ca_cert xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_ca_key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_cert xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_csr xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx super_gluu_creds xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx3 token_server_admin_ui_client_encoded_pw Q1Z1cmtYWUlYSVg4U2tLTldVcnZVTUF token_server_admin_ui_client_pw ZHd2VW01Y3VOUW6638 Prerequisites # SUSE Rancher installed with an accessible UI Kubernetes cluster running on SUSE Rancher with at least 1 worker node Sufficient RBAC permissions to deploy and manage applications in the cluster. LinuxIO kernel modules on the worker nodes Docker running locally (Linux preferred) Essential tools and CLI utilities are installed on your local workstation and are available in your $PATH : curl , kubectl An entry in the /etc/hosts file of your local workstation to resolve the hostname of the Gluu Flex installation. This step is for testing purposes. Installation # Summary of steps : Install Database: Note For the Database test setup to work, a PV provisioner support must be present in the underlying infrastructure. Install PostgreSQL database # Note If you are willing to use MySQL installation, skip this section and head to the Install MySQL section. To install a quick setup with PostgreSQL as the backend, you need to provide the connection parameters of a fresh setup. For a test setup, you can follow the below instructions: Apps --> Charts and search for Postgres . Click on Install on the right side of the window. Create a new namespace called postgres and hit Next . 
You should be on the Edit YAML page. Modify the below keys as desired. These values will be inputted in the installation of Gluu Flex Key auth.database auth.username auth.password Click Install at the bottom right of the page. Install MySQL database # Note Skip this section if you installed PostgreSQL . This section is only needed if you are willing to use MySQL. To install a quick setup with MySQL as the backend, you need to provide the connection parameters of a fresh setup. For a test setup, you can follow the below instructions: Open a kubectl shell from the top right navigation menu >_ . Run: helm repo add bitnami https://charts.bitnami.com/bitnami helm repo update kubectl create ns gluu #Create gluu namespace Pass in a custom password for the database. Here we used Test1234# . The admin user will be left as root . Notice we are installing in the gluu namespace. Run helm install my-release --set auth.rootPassword=Test1234#,auth.database=jans bitnami/mysql -n gluu Successful Installation # After the installation is successful, you should have a Statefulset active in the rancher UI as shown in the screenshot below. Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx To get the Loadbalancer IP: kubectl get svc nginx-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}' Install Gluu Flex: Head to Apps --> Charts and search for Gluu Click on Install on the right side of the window. Change the namespace from default to gluu , then click on Next . Scroll through the sections to get familiar with the options. For minimal setup follow with the next instructions. Add License SSA . Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Click on the Persistence section. 
Change SQL database host uri to postgresql.postgres.svc.cluster.local in the case of PostgreSQL or my-release-mysql.gluu.svc.cluster.local in the case of MySQL . Also set SQL database username , SQL password , and SQL database name to the values you used during the database installation. To enable Casa and the Admin UI, navigate to the Optional Services section and check the Enable casa and boolean flag to enable admin UI boxes. You can also enable different services like Client API and Jackrabbit . Click on the section named Ingress and enable all the endpoints. You might add LB IP or address if you don't have FQDN for Gluu . To pass your FQDN or Domain that is intended to serve the Gluu Flex IDP, head to the Configuration section: Add your FQDN and check the box Is the FQDN globally resolvable . Click on the Edit YAML tab and add your FQDN to nginx-ingress.ingress.hosts and nginx-ingress.ingress.tls.hosts . Click on Install on the bottom right of the window. Note You can upgrade your installation after the deployment. To do that, go to the SUSE Rancher Dashboard -> Apps -> Installed Apps -> gluu -> Click on the 3 dots on the right -> Upgrade -> Make your changes -> Click Update. The running deployment and services of different Gluu Flex components like casa , admin-ui , scim , auth-server , etc can be viewed by navigating through the SUSE Rancher. Go to Workloads and see the running pods. Go under Service Discovery and checkout the Ingresses and Services . All deployed components should be in a healthy and running state like in the screenshot shown below. Connecting to the Setup # Note You can skip this section if you have a globally resolvable FQDN . In the event you used microk8s or your fqdn is not registered, the below steps will help with connecting to your setup. 
To access the setup from a browser or another VM, we need to change the ingress class annotation from kubernetes.io/ingress.class: nginx to kubernetes.io/ingress.class: public e.g., for the specific component you want to access publicly in the browser; Navigate through the SUSE Rancher UI to Service Discovery -> Ingresses Choose the ingress for the targeted component. For example gluu-nginx-ingress-auth-server for auth-server Click on the three dots in the top right corner Click on Edit Yaml On line 8, change the kubernetes.io/ingress.class annotation value from nginx to public Click Save The LoadBalancer IP needs to get mapped inside /etc/hosts with the domain chosen for gluu flex . If the domain you used in the setup is demoexample.gluu.org: 3.65.27.95 demoexample.gluu.org You can do the same edit for every component you want to access publicly from the browser. Testing Configuration endpoints # Try accessing some Gluu Flex endpoints like https://demoexample.gluu.org/.well-known/openid-configuration in the browser and you'll get back a JSON response; Note that you can also access those endpoints via curl command, E.g. 
curl -k https://demoexample.gluu.org/.well-known/openid-configuration You should get a similar response like the one below; {\"version\":\"1.1\",\"issuer\":\"https://demoexample.gluu.org\",\"attestation\":{\"base_path\":\"https://demoexample.gluu.org/jans-fido2/restv1/attestation\",\"options_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/attestation/options\",\"result_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/attestation/result\"},\"assertion\":{\"base_path\":\"https://demoexample.gluu.org/jans-fido2/restv1/assertion\",\"options_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/assertion/options\",\"result_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/assertion/result\"}} Login and Add a New User # After inputting the license keys, you can then use admin and the password you set to login to the Admin UI and you should see the Admin UI dashboard. You could also add another test user via the admin UI that will be used for testing Casa and 2FA as shown in the screenshot below. Navigate to Users and click on + in the top right corner to add a user. Testing Casa # Jans Casa (\"Casa\") is a self-service web portal for managing account security preferences. The primary use case for Casa is self-service 2FA, but other use cases and functionalities can be supported via Casa plugins. Although you have not enabled two-factor authentication yet, you should still be able to login to Casa as the admin user and the password is the one you set during installation. Point your browser to https://demoexample.gluu.org/jans-casa and you should be welcomed by the Casa login page as shown below. After logging in, you'll be welcomed by the home page as shown below. Enabling Two-Factor Authentication # In this part, we are going to enable two standard authentication mechanisms: OTP and FIDO. This can be done through the admin UI. 2FA can be turned on by clicking the switch in the Second Factor Authentication widget. 
By default, you will be able to choose from a few 2FA policies: Always (upon every login attempt) If the location (e.g. city) detected in the login attempt is unrecognized If the device used to login is unrecognized To reduce the chance of account lockout, enroll at least two different types of 2FA credentials -- e.g. one security key and one OTP app; or one OTP app and one SMS phone number, etc. This way, regardless of which device you're using to access a protected resource, you will have a usable option for passing strong authentication. To enable 2FA, firstly the OTP and FIDO components have to be enabled in the Casa admin UI then login to Casa as an end user, and register an OTP device (i.e. Google Authenticator) and a FIDO device. Register OTP device To add a new OTP token, navigate to 2FA credentials > OTP Tokens. You can either add a soft OTP token by choosing the Soft token option or a hard token by choosing the Hard Token Option Check the soft OTP token and click ready Before proceeding to the next step, Download Google Authenticator from Google Play or Appstore Then proceed and scan the QR code with your app Enter the 6-digit code that appears in your authenticator app and validate the enrollment. Register Fido device To add a new FIDO 2 credential, navigate to 2FA credentials > Security Keys and built-in Platform Authenticators Insert the fido key and click Ready. Casa will prompt you to press the button on the key. Add a nickname and click Add. Once added, the new device will appear in a list on the same page. Click the pencil to edit the device's nickname Testing Apache OIDC Locally # In this part, we are going to use docker to locally configure an apache web server, and then install the mod_auth_openidc module and configure it accordingly. 
Using local docker containers, our approach is to first register a client, then spin up two Apache containers, one serving static content (with server-side includes configured so we can display headers and environment information), and one acting as the OpenID Connect authenticating reverse proxy. Register an OpenID Connect client # On the Janssen server, you can register a new client in the Flex Admin UI or the jans-cli. In this section, we are going to show both ways of doing it from the Admin UI and using jans-cli Admin UI # Navigate to Auth server -> Clients and click on + in the top right corner to create a client. Take note of the following keys:values because they configure the right client that we need scopes: email_,openid_,profile responseTypes: code The screenshot below shows an example of the Admin UI section from where a client is created Jans TUI # On the Janssen server, we are going to register a new client using the jans-cli. There are two ways you can register an OIDC client with the Janssen server, Manual Client Registration and Dynamic Client Registration (DCR). Here we will use manual client registration. We will use jans-tui tool provided by the Janssen server. jans-tui has a menu-driven interface that makes it easy to configure the Janssen server. Here we will use the menu-driven approach to register a new client. Download jans-cli-tui from the release assets depending on your OS. For example: wget https://github.com/JanssenProject/jans/releases/download/vreplace-janssen-version/jans-cli-tui-linux-ubuntu-X86-64.pyz Now we have jans-cli-tui-linux-ubuntu-X86-64.pyz downloaded. 
Now we can grab the FQDN, client-id, client-secret, and connect using the following commands: FQDN= #Add your FQDN here TUI_CLIENT_ID=$(kubectl get cm cn -n --template={{.data.tui_client_id}}) TUI_CLIENT_SECRET=$(kubectl get secret cn -n --template={{.data.tui_client_pw}} | base64 -d) #add -noverify if your FQDN is not registered Get schema file using this command python3 jans-cli-tui-linux-ubuntu-X86-64.pyz --host --client-id --client-secret --no-tui --schema /components/schemas/Client Add values for required params and store this JSON in a text file. Take keynote of the following properties. schema-json-file.json { \"dn\": null, \"inum\": null, \"displayName\": \"\", \"clientSecret\": \"\", \"frontChannelLogoutUri\": null, \"frontChannelLogoutSessionRequired\": null, \"registrationAccessToken\": null, \"clientIdIssuedAt\": null, \"clientSecretExpiresAt\": null, \"redirectUris\": [ \"\" ], \"claimRedirectUris\": null, \"responseTypes\": [ \"code\" ], \"grantTypes\": [ \"authorization_code\" ], \"applicationType\": \"web\", \"contacts\": null, \"idTokenTokenBindingCnf\": null, \"logoUri\": null, \"clientUri\": null, \"policyUri\": null, \"tosUri\": null, \"jwksUri\": null, \"jwks\": null, \"sectorIdentifierUri\": null, \"subjectType\": \"public\", \"idTokenSignedResponseAlg\": null, \"idTokenEncryptedResponseAlg\": null, \"idTokenEncryptedResponseEnc\": null, \"userInfoSignedResponseAlg\": null, \"userInfoEncryptedResponseAlg\": null, \"userInfoEncryptedResponseEnc\": null, \"requestObjectSigningAlg\": null, \"requestObjectEncryptionAlg\": null, \"requestObjectEncryptionEnc\": null, \"tokenEndpointAuthMethod\": \"client_secret_basic\", \"tokenEndpointAuthSigningAlg\": null, \"defaultMaxAge\": null, \"requireAuthTime\": null, \"defaultAcrValues\": null, \"initiateLoginUri\": null, \"postLogoutRedirectUris\": null, \"requestUris\": null, \"scopes\": [ \"email\", \"openid\", \"profile\" ], \"claims\": null, \"trustedClient\": false, \"lastAccessTime\": null, 
\"lastLogonTime\": null, \"persistClientAuthorizations\": null, \"includeClaimsInIdToken\": false, \"refreshTokenLifetime\": null, \"accessTokenLifetime\": null, \"customAttributes\": null, \"customObjectClasses\": null, \"rptAsJwt\": null, \"accessTokenAsJwt\": null, \"accessTokenSigningAlg\": null, \"disabled\": false, \"authorizedOrigins\": null, \"softwareId\": null, \"softwareVersion\": null, \"softwareStatement\": null, \"attributes\": null, \"backchannelTokenDeliveryMode\": null, \"backchannelClientNotificationEndpoint\": null, \"backchannelAuthenticationRequestSigningAlg\": null, \"backchannelUserCodeParameter\": null, \"expirationDate\": null, \"deletable\": false, \"jansId\": null, \"description\": null } Now you can use that JSON file as input to the command below and register your client python3 jans-cli-tui-linux-ubuntu-X86-64.pyz --host --client-id --client-secret --no-tui --operation-id=post-oauth-openid-client --data /schema-json-file.json After the client is successfully registered, there will be data that describes the newly registered client. Some of these values, like inum and clientSecret , will be required before we configure mod_auth_openidc So keep in mind that we shall get back to this. Create an Application Container # An application docker container will be run locally which will act as the protected resource (PR) / external application. The following files have code for the small application. We shall create a directory locally / on your machine called test and add the required files. 
Firstly create a project folder named test by running mkdir test && cd test and add the following files with their content; app.conf ServerRoot \"/usr/local/apache2\" Listen 80 LoadModule mpm_event_module modules/mod_mpm_event.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule include_module modules/mod_include.so LoadModule filter_module modules/mod_filter.so LoadModule mime_module modules/mod_mime.so LoadModule log_config_module modules/mod_log_config.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule unixd_module modules/mod_unixd.so LoadModule dir_module modules/mod_dir.so User daemon Group daemon AllowOverride none Require all denied DocumentRoot \"/usr/local/apache2/htdocs\" Options Indexes FollowSymLinks Includes AllowOverride None Require all granted SetEnvIf X-Remote-User \"(.*)\" REMOTE_USER=$0 SetEnvIf X-Remote-User-Name \"(.*)\" REMOTE_USER_NAME=$0 SetEnvIf X-Remote-User-Email \"(.*)\" REMOTE_USER_EMAIL=$0 DirectoryIndex index.html Require all denied ErrorLog /proc/self/fd/2 LogLevel warn LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" combined LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b\" common CustomLog /proc/self/fd/1 common TypesConfig conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz AddType text/html .shtml AddOutputFilter INCLUDES .shtml user.shtml Hello User

Hello !

You authenticated as:

Your email address is:

Environment:

!

index.html Hello World

Hello world!

Dockerfile FROM httpd:2.4.54@sha256:c9eba4494b9d856843b49eb897f9a583a0873b1c14c86d5ab77e5bdedd6ad05d # \"Created\": \"2022-06-08T18:45:46.260791323Z\" , \"Version\":\"2.4.54\" RUN apt-get update \\ && apt-get install -y --no-install-recommends wget ca-certificates libcjose0 libhiredis0.14 apache2-api-20120211 apache2-bin\\ && wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.4.11.2/libapache2-mod-auth-openidc_2.4.11.2-1.buster+1_amd64.deb \\ && dpkg -i libapache2-mod-auth-openidc_2.4.11.2-1.buster+1_amd64.deb \\ && ln -s /usr/lib/apache2/modules/mod_auth_openidc.so /usr/local/apache2/modules/mod_auth_openidc.so \\ && rm -rf /var/log/dpkg.log /var/log/alternatives.log /var/log/apt \\ && touch /usr/local/apache2/conf/extra/secret.conf \\ && touch /usr/local/apache2/conf/extra/oidc.conf RUN echo \"\\n\\nLoadModule auth_openidc_module modules/mod_auth_openidc.so\\n\\nInclude conf/extra/secret.conf\\nInclude conf/extra/oidc.conf\\n\" >> /usr/local/apache2/conf/httpd.conf gluu.secret.conf OIDCClientID OIDCCryptoPassphrase OIDCClientSecret OIDCResponseType code OIDCScope \"openid email profile\" OIDCProviderTokenEndpointAuth client_secret_basic OIDCSSLValidateServer Off OIDCRedirectURI http://localhost:8111/oauth2callback OIDCCryptoPassphrase Require valid-user AuthType openid-connect After, run an Apache container which will play the role of an application being protected by the authenticating reverse proxy. docker run -dit -p 8110:80 \\ -v \"$PWD/app.conf\":/usr/local/apache2/conf/httpd.conf \\ -v \"$PWD/index.html\":/usr/local/apache2/htdocs/index.html \\ -v \"$PWD/user.shtml\":/usr/local/apache2/htdocs/user.shtml \\ --name apache-app httpd:2.4 Note that we are using a popular pre-built image useful for acting as a reverse proxy for authentication in front of an application. It contains a stripped-down Apache with minimal modules, and adds the mod_auth_openidc module for performing OpenID Connect authentication. 
Make a test curl command call to ensure you get back some content as shown in the screenshot below curl http://localhost:8110/user.shtml Create an Authenticating Reverse Proxy Container # We shall use Apache, but this time we use a Docker image that has mod_auth_oidc installed and configured. This proxy will require authentication, handle the authentication flow with redirects, and then forward requests to the application. In order to use this, you will need to have registered a new OpenID Connect client on the Janssen server. We did that in the step 1 above Add the following files to the test folder. oidc.conf # Unset to make sure clients can't control these RequestHeader unset X-Remote-User RequestHeader unset X-Remote-User-Name RequestHeader unset X-Remote-User-Email # If you want to see tons of logs for your experimentation #LogLevel trace8 OIDCClientID OIDCProviderMetadataURL https://idp-proxy.med.stanford.edu/auth/realms/med-all/.well-known/openid-configuration #OIDCProviderMetadataURL https://idp-proxy-stage.med.stanford.edu/auth/realms/choir/.well-known/openid-configuration OIDCRedirectURI http://localhost:8111/oauth2callback OIDCScope \"openid email profile\" OIDCRemoteUserClaim principal OIDCPassClaimsAs environment AuthType openid-connect Require valid-user ProxyPass http://app:80/ ProxyPassReverse http://app:80/ RequestHeader set X-Remote-User %{OIDC_CLAIM_principal}e RequestHeader set X-Remote-User-Name %{OIDC_CLAIM_name}e RequestHeader set X-Remote-User-Email %{OIDC_CLAIM_email}e proxy.conf # This is the main Apache HTTP server configuration file. For documentation, see: # http://httpd.apache.org/docs/2.4/ # http://httpd.apache.org/docs/2.4/mod/directives.html # # This is intended to be a hardened configuration, with minimal security surface area necessary # to run mod_auth_openidc. 
ServerRoot \"/usr/local/apache2\" Listen 80 LoadModule mpm_event_module modules/mod_mpm_event.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_core_module modules/mod_authn_core.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule access_compat_module modules/mod_access_compat.so LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule reqtimeout_module modules/mod_reqtimeout.so LoadModule filter_module modules/mod_filter.so LoadModule mime_module modules/mod_mime.so LoadModule log_config_module modules/mod_log_config.so LoadModule env_module modules/mod_env.so LoadModule headers_module modules/mod_headers.so LoadModule setenvif_module modules/mod_setenvif.so #LoadModule version_module modules/mod_version.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule unixd_module modules/mod_unixd.so #LoadModule status_module modules/mod_status.so #LoadModule autoindex_module modules/mod_autoindex.so LoadModule dir_module modules/mod_dir.so LoadModule alias_module modules/mod_alias.so User daemon Group daemon ServerAdmin you@example.com AllowOverride none Require all denied DocumentRoot \"/usr/local/apache2/htdocs\" Options Indexes FollowSymLinks AllowOverride None Require all granted DirectoryIndex index.html Options None Require all denied Require all denied ErrorLog /proc/self/fd/2 LogLevel warn LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" combined LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b\" common LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\" %I %O\" combinedio CustomLog /proc/self/fd/1 common ScriptAlias /cgi-bin/ \"/usr/local/apache2/cgi-bin/\" AllowOverride None Options None Require all granted 
RequestHeader unset Proxy early TypesConfig conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz Include conf/extra/proxy-html.conf SSLRandomSeed startup builtin SSLRandomSeed connect builtin TraceEnable off ServerTokens Prod ServerSignature Off LoadModule auth_openidc_module modules/mod_auth_openidc.so Include conf/extra/secret.conf Include conf/extra/oidc.conf Edit the file to include the client secret for the client you created during DCR, and add a securely generated pass phrase for the session keys docker build --pull -t apache-oidc -f Dockerfile . docker run -dit -p 8111:80 \\ -v \"$PWD/proxy.conf\":/usr/local/apache2/conf/httpd.conf \\ -v \"$PWD/gluu.secret.conf\":/usr/local/apache2/conf/extra/secret.conf \\ -v \"$PWD/oidc.conf\":/usr/local/apache2/conf/extra/oidc.conf \\ --link apache-app:app \\ --name apache-proxy apache-oidc Now open a fresh web browser with private (incognito) mode, and go to this url http://localhost:8111/user.shtml To check the proxy logs docker logs -f apache-proxy To see the app logs docker logs -f apache-app If you modified the configuration files, just restart the proxy. docker restart apache-proxy","title":"Getting Started with Rancher"},{"location":"admin/recipes/getting-started-rancher/#overview","text":"Gluu Flex (\u201cFlex\u201d) is a cloud-native digital identity platform that enables organizations to authenticate and authorize people and software through the use of open standards like OpenID Connect, OAuth, and FIDO. It is a downstream commercial distribution of the Linux Foundation Janssen Project software, plus a web administration tool(Gluu Admin-UI). SUSE Rancher\u2019s helm-based deployment approach simplifies the deployment and configuration of Flex, enabling organizations to take advantage of Flex\u2019s modular design to improve their security posture while simultaneously enabling just-in-time auto-scaling. 
The key services of Flex include: (REQUIRED) Jans Auth Server : This component is the OAuth Authorization Server, the OpenID Connect Provider, and the UMA Authorization Server for person and software authentication. This service must be Internet-facing. (REQUIRED) Jans Config API : The API to configure the auth-server and other components is consolidated in this component. This service should not be Internet-facing. Gluu Admin UI : Web admin tool for ad-hoc configuration. Jans Fido : This component provides the server-side endpoints to enroll and validate devices that use FIDO. It provides both FIDO U2F (register, authenticate) and FIDO 2 (attestation, assertion) endpoints. This service must be Internet-facing. Jans SCIM : System for Cross-domain Identity Management ( SCIM ) is JSON/REST API to manage user data. Use it to add, edit and update user information. This service should not be Internet-facing. Jans Casa : A self-service web portal for end-users to manage authentication and authorization preferences for their account in the Gluu Flex server. Typically, it enables people to manage their MFA credentials, like FIDO tokens and OTP authenticators. It's also extensible if your organization has any other self-service requirements.","title":"Overview"},{"location":"admin/recipes/getting-started-rancher/#building-blocks","text":"","title":"Building Blocks"},{"location":"admin/recipes/getting-started-rancher/#scope","text":"In this Quickstart Guide, we will: Deploy Flex and add some users. Enable two-factor authentication. 
Protect content on an Apache web server with OpenID Connect.","title":"Scope"},{"location":"admin/recipes/getting-started-rancher/#audience","text":"This document is intended for DevOps engineers, site reliability engineers (SREs), platform engineers, software engineers, and developers who are responsible for managing and running stateful workloads in Kubernetes clusters.","title":"Audience"},{"location":"admin/recipes/getting-started-rancher/#technical-overview","text":"In addition to the core services listed in the Introduction above, the SUSE Rancher deployment includes the following components: PostgreSQL/MySQL : SQL database dialect used to store configuration, people clients, sessions and other data needed for Gluu Flex operation. Cert Manager : Used for managing X.509 certificates and crypto keys lifecycle in Janssen Server. Key Rotation : A cronjob that implements Cert Manager to rotate the auth keys Configuration job : loads (generate/restore) and dumps (backup) the configuration and secrets. Persistence job : This job loads initial data for the backend used (SQL or Couchbase). ConfigMaps : Stores configuration needed for Flex environment setup. Secrets : Contains sensitive or confidential data such as a password, a token, or a key.","title":"Technical overview"},{"location":"admin/recipes/getting-started-rancher/#config-and-secret-keys","text":"The Configuration job creates a set of configurations and secrets used by all services in the Flex setup. 
To check the values of the configuration keys(configmaps) in the installation: kubectl get cm cn -o json -n To check the values of the secret keys in installation: kubectl get secret cn -o json -n ","title":"Config and Secret keys"},{"location":"admin/recipes/getting-started-rancher/#gluu-config-keys","text":"Key Example Values admin_email team@gluu.org admin_inum d3afef58-c026-4514-9d4c-e0a3efb4c29d admin_ui_client_id 1901.a6575c1e-4688-4c11-8c95-d9e570b13ee8 auth_enc_keys RSA1_5 RSA-OAEP auth_key_rotated_at 1653517558 auth_legacyIdTokenClaims false auth_openidScopeBackwardCompatibility false auth_openid_jks_fn /etc/certs/auth-keys.jks auth_openid_jwks_fn /etc/certs/auth-keys.json casa_client_id 0008-db36db1f-025e-4164-aeed-f82df064eee8 auth_sig_keys RS256 RS384 RS512 ES256 ES384 ES512 PS384 PS512 city Austin country_code US default_openid_jks_dn_name CN=Janssen Auth CA Certificate fido2ConfigFolder /etc/jans/conf/fido2 hostname demoexample.gluu.org jca_client_id 1801.4df6c3ba-ebf6-4836-8fb5-6da927586f61 optional_scopes [\\\"casa\\\", \\\"sql\\\", \\\"fido2\\\", \\\"scim\\\"] orgName Gluu tui_client_id 2000.9313cd4b-147c-4a67-96be-8a69ddbaf7e9 scim_client_id 1201.1cbcc731-3fca-4668-a480-1b5f5a7d6a53 state TX token_server_admin_ui_client_id 1901.57a858dc-69f3-4967-befe-e089fe376638","title":"Gluu Config Keys"},{"location":"admin/recipes/getting-started-rancher/#gluu-secret-keys","text":"Key Example Values admin_ui_client_encoded_pw QlBMMTZUZWVYeWczVlpNUk1XN0pzdzrg admin_ui_client_pw WnJYZEcyVlNBWG9d auth_jks_base64 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx auth_openid_jks_pass TWZoR3Rlb0NnUHEP auth_openid_key_base64 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx casa_client_encoded_pw b3NabG9oVGNncFVVWFpxNEJMU3V0dzrg casa_client_pw M1g0Z1dEbGNPQ19d encoded_admin_password e3NzaGF9eGpOaDRyblU3dzJZbmpPclovMUlheTdkR0RrOTdLe encoded_salt Um9NSEJnOU9IbTRvRkJHVVZETVZIeXEP jca_client_encoded_pw Um9NSEJnOU9IbTRvRkJHVVZETVZIeX58 jca_client_pw Um9NSEJnOU9IbTRvR otp_configuration 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx pairwiseCalculationKey ZHd2VW01Y3VOUW6638ZHd2VW pairwiseCalculationSalt ZHd2VW01Y3VOUW6638ZHd2VW0 plugins_admin_ui_properties xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx tui_client_encoded_pw ZHd2VW01Y3VOUW66388PS512 tui_client_pw AusZHd2VW01Y3VOUW6638 scim_client_encoded_pw UZHd2VW01Y3VOUW6638ZHd2VW01Y3VOUW6638 scim_client_pw ZHd2VW01Y3VOUW6638 sql_password ZHd2VW01Y3V638 ssl_ca_cert xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_ca_key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_cert xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_csr xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ssl_key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx super_gluu_creds xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx3 token_server_admin_ui_client_encoded_pw Q1Z1cmtYWUlYSVg4U2tLTldVcnZVTUF token_server_admin_ui_client_pw ZHd2VW01Y3VOUW6638","title":"Gluu Secret Keys"},{"location":"admin/recipes/getting-started-rancher/#prerequisites","text":"SUSE Rancher installed with an accessible UI Kubernetes cluster running on SUSE Rancher with at least 1 worker node Sufficient RBAC permissions to deploy and manage applications in the cluster. LinuxIO kernel modules on the worker nodes Docker running locally (Linux preferred) Essential tools and CLI utilities are installed on your local workstation and are available in your $PATH : curl , kubectl An entry in the /etc/hosts file of your local workstation to resolve the hostname of the Gluu Flex installation. This step is for testing purposes.","title":"Prerequisites"},{"location":"admin/recipes/getting-started-rancher/#installation","text":"Summary of steps : Install Database: Note For the Database test setup to work, a PV provisioner support must be present in the underlying infrastructure.","title":"Installation"},{"location":"admin/recipes/getting-started-rancher/#install-postgresql-database","text":"Note If you are willing to use MySQL installation, skip this section and head to the Install MySQL section. 
To install a quick setup with PostgreSQL as the backend, you need to provide the connection parameters of a fresh setup. For a test setup, you can follow the below instructions: Apps --> Charts and search for Postgres . Click on Install on the right side of the window. Create a new namespace called postgres and hit Next . You should be on the Edit YAML page. Modify the below keys as desired. These values will be inputted in the installation of Gluu Flex Key auth.database auth.username auth.password Click Install at the bottom right of the page.","title":"Install PostgreSQL database"},{"location":"admin/recipes/getting-started-rancher/#install-mysql-database","text":"Note Skip this section if you installed PostgreSQL . This section is only needed if you are willing to use MySQL. To install a quick setup with MySQL as the backend, you need to provide the connection parameters of a fresh setup. For a test setup, you can follow the below instructions: Open a kubectl shell from the top right navigation menu >_ . Run: helm repo add bitnami https://charts.bitnami.com/bitnami helm repo update kubectl create ns gluu #Create gluu namespace Pass in a custom password for the database. Here we used Test1234# . The admin user will be left as root . Notice we are installing in the gluu namespace. Run helm install my-release --set auth.rootPassword=Test1234#,auth.database=jans bitnami/mysql -n gluu","title":"Install MySQL database"},{"location":"admin/recipes/getting-started-rancher/#successful-installation","text":"After the installation is successful, you should have a Statefulset active in the rancher UI as shown in the screenshot below. 
Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx To get the Loadbalancer IP: kubectl get svc nginx-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}' Install Gluu Flex: Head to Apps --> Charts and search for Gluu Click on Install on the right side of the window. Change the namespace from default to gluu , then click on Next . Scroll through the sections to get familiar with the options. For minimal setup follow with the next instructions. Add License SSA . Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Click on the Persistence section. Change SQL database host uri to postgresql.postgres.svc.cluster.local in the case of PostgreSQL or my-release-mysql.gluu.svc.cluster.local in the case of MySQL . Also set SQL database username , SQL password , and SQL database name to the values you used during the database installation. To enable Casa and the Admin UI, navigate to the Optional Services section and check the Enable casa and boolean flag to enable admin UI boxes. You can also enable different services like Client API and Jackrabbit . Click on the section named Ingress and enable all the endpoints. You might add LB IP or address if you don't have FQDN for Gluu . To pass your FQDN or Domain that is intended to serve the Gluu Flex IDP, head to the Configuration section: Add your FQDN and check the box Is the FQDN globally resolvable . Click on the Edit YAML tab and add your FQDN to nginx-ingress.ingress.hosts and nginx-ingress.ingress.tls.hosts . Click on Install on the bottom right of the window. Note You can upgrade your installation after the deployment. 
To do that, go to the SUSE Rancher Dashboard -> Apps -> Installed Apps -> gluu -> Click on the 3 dots on the right -> Upgrade -> Make your changes -> Click Update. The running deployment and services of different Gluu Flex components like casa , admin-ui , scim , auth-server , etc can be viewed by navigating through the SUSE Rancher. Go to Workloads and see the running pods. Go under Service Discovery and checkout the Ingresses and Services . All deployed components should be in a healthy and running state like in the screenshot shown below.","title":"Successful Installation"},{"location":"admin/recipes/getting-started-rancher/#connecting-to-the-setup","text":"Note You can skip this section if you have a globally resolvable FQDN . In the event you used microk8s or your fqdn is not registered, the below steps will help with connecting to your setup. To access the setup from a browser or another VM, we need to change the ingress class annotation from kubernetes.io/ingress.class: nginx to kubernetes.io/ingress.class: public e.g., for the specific component you want to access publicly in the browser; Navigate through the SUSE Rancher UI to Service Discovery -> Ingresses Choose the ingress for the targeted component. For example gluu-nginx-ingress-auth-server for auth-server Click on the three dots in the top right corner Click on Edit Yaml On line 8, change the kubernetes.io/ingress.class annotation value from nginx to public Click Save The LoadBalancer IP needs to get mapped inside /etc/hosts with the domain chosen for gluu flex . 
If the domain you used in the setup is demoexample.gluu.org: 3.65.27.95 demoexample.gluu.org You can do the same edit for every component you want to access publicly from the browser.","title":"Connecting to the Setup"},{"location":"admin/recipes/getting-started-rancher/#testing-configuration-endpoints","text":"Try accessing some Gluu Flex endpoints like https://demoexample.gluu.org/.well-known/openid-configuration in the browser and you'll get back a JSON response; Note that you can also access those endpoints via curl command, E.g. curl -k https://demoexample.gluu.org/.well-known/openid-configuration You should get a similar response like the one below; {\"version\":\"1.1\",\"issuer\":\"https://demoexample.gluu.org\",\"attestation\":{\"base_path\":\"https://demoexample.gluu.org/jans-fido2/restv1/attestation\",\"options_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/attestation/options\",\"result_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/attestation/result\"},\"assertion\":{\"base_path\":\"https://demoexample.gluu.org/jans-fido2/restv1/assertion\",\"options_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/assertion/options\",\"result_enpoint\":\"https://demoexample.gluu.org/jans-fido2/restv1/assertion/result\"}}","title":"Testing Configuration endpoints"},{"location":"admin/recipes/getting-started-rancher/#login-and-add-a-new-user","text":"After inputting the license keys, you can then use admin and the password you set to login to the Admin UI and you should see the Admin UI dashboard. You could also add another test user via the admin UI that will be used for testing Casa and 2FA as shown in the screenshot below. Navigate to Users and click on + in the top right corner to add a user.","title":"Login and Add a New User"},{"location":"admin/recipes/getting-started-rancher/#testing-casa","text":"Jans Casa (\"Casa\") is a self-service web portal for managing account security preferences. 
The primary use case for Casa is self-service 2FA, but other use cases and functionalities can be supported via Casa plugins. Although you have not enabled two-factor authentication yet, you should still be able to login to Casa as the admin user and the password is the one you set during installation. Point your browser to https://demoexample.gluu.org/jans-casa and you should be welcomed by the Casa login page as shown below. After logging in, you'll be welcomed by the home page as shown below.","title":"Testing Casa"},{"location":"admin/recipes/getting-started-rancher/#enabling-two-factor-authentication","text":"In this part, we are going to enable two standard authentication mechanisms: OTP and FIDO. This can be done through the admin UI. 2FA can be turned on by clicking the switch in the Second Factor Authentication widget. By default, you will be able to choose from a few 2FA policies: Always (upon every login attempt) If the location (e.g. city) detected in the login attempt is unrecognized If the device used to login is unrecognized To reduce the chance of account lockout, enroll at least two different types of 2FA credentials -- e.g. one security key and one OTP app; or one OTP app and one SMS phone number, etc. This way, regardless of which device you're using to access a protected resource, you will have a usable option for passing strong authentication. To enable 2FA, firstly the OTP and FIDO components have to be enabled in the Casa admin UI then login to Casa as an end user, and register an OTP device (i.e. Google Authenticator) and a FIDO device. Register OTP device To add a new OTP token, navigate to 2FA credentials > OTP Tokens. 
You can either add a soft OTP token by choosing the Soft token option or a hard token by choosing the Hard Token Option Check the soft OTP token and click ready Before proceeding to the next step, Download Google Authenticator from Google Play or Appstore Then proceed and scan the QR code with your app Enter the 6-digit code that appears in your authenticator app and validate the enrollment. Register Fido device To add a new FIDO 2 credential, navigate to 2FA credentials > Security Keys and built-in Platform Authenticators Insert the fido key and click Ready. Casa will prompt you to press the button on the key. Add a nickname and click Add. Once added, the new device will appear in a list on the same page. Click the pencil to edit the device's nickname","title":"Enabling Two-Factor Authentication"},{"location":"admin/recipes/getting-started-rancher/#testing-apache-oidc-locally","text":"In this part, we are going to use docker to locally configure an apache web server, and then install the mod_auth_openidc module and configure it accordingly. Using local docker containers, our approach is to first register a client, then spin up two Apache containers, one serving static content (with server-side includes configured so we can display headers and environment information), and one acting as the OpenID Connect authenticating reverse proxy.","title":"Testing Apache OIDC Locally"},{"location":"admin/recipes/getting-started-rancher/#register-an-openid-connect-client","text":"On the Janssen server, you can register a new client in the Flex Admin UI or the jans-cli. In this section, we are going to show both ways of doing it from the Admin UI and using jans-cli","title":"Register an OpenID Connect client"},{"location":"admin/recipes/getting-started-rancher/#admin-ui","text":"Navigate to Auth server -> Clients and click on + in the top right corner to create a client. 
Take note of the following keys:values because they configure the right client that we need scopes: email_,openid_,profile responseTypes: code The screenshot below shows an example of the Admin UI section from where a client is created","title":"Admin UI"},{"location":"admin/recipes/getting-started-rancher/#jans-tui","text":"On the Janssen server, we are going to register a new client using the jans-cli. There are two ways you can register an OIDC client with the Janssen server, Manual Client Registration and Dynamic Client Registration (DCR). Here we will use manual client registration. We will use jans-tui tool provided by the Janssen server. jans-tui has a menu-driven interface that makes it easy to configure the Janssen server. Here we will use the menu-driven approach to register a new client. Download jans-cli-tui from the release assets depending on your OS. For example: wget https://github.com/JanssenProject/jans/releases/download/vreplace-janssen-version/jans-cli-tui-linux-ubuntu-X86-64.pyz Now we have jans-cli-tui-linux-ubuntu-X86-64.pyz downloaded. Now we can grab the FQDN, client-id, client-secret, and connect using the following commands: FQDN= #Add your FQDN here TUI_CLIENT_ID=$(kubectl get cm cn -n --template={{.data.tui_client_id}}) TUI_CLIENT_SECRET=$(kubectl get secret cn -n --template={{.data.tui_client_pw}} | base64 -d) #add -noverify if your FQDN is not registered Get schema file using this command python3 jans-cli-tui-linux-ubuntu-X86-64.pyz --host --client-id --client-secret --no-tui --schema /components/schemas/Client Add values for required params and store this JSON in a text file. Take keynote of the following properties. 
schema-json-file.json { \"dn\": null, \"inum\": null, \"displayName\": \"\", \"clientSecret\": \"\", \"frontChannelLogoutUri\": null, \"frontChannelLogoutSessionRequired\": null, \"registrationAccessToken\": null, \"clientIdIssuedAt\": null, \"clientSecretExpiresAt\": null, \"redirectUris\": [ \"\" ], \"claimRedirectUris\": null, \"responseTypes\": [ \"code\" ], \"grantTypes\": [ \"authorization_code\" ], \"applicationType\": \"web\", \"contacts\": null, \"idTokenTokenBindingCnf\": null, \"logoUri\": null, \"clientUri\": null, \"policyUri\": null, \"tosUri\": null, \"jwksUri\": null, \"jwks\": null, \"sectorIdentifierUri\": null, \"subjectType\": \"public\", \"idTokenSignedResponseAlg\": null, \"idTokenEncryptedResponseAlg\": null, \"idTokenEncryptedResponseEnc\": null, \"userInfoSignedResponseAlg\": null, \"userInfoEncryptedResponseAlg\": null, \"userInfoEncryptedResponseEnc\": null, \"requestObjectSigningAlg\": null, \"requestObjectEncryptionAlg\": null, \"requestObjectEncryptionEnc\": null, \"tokenEndpointAuthMethod\": \"client_secret_basic\", \"tokenEndpointAuthSigningAlg\": null, \"defaultMaxAge\": null, \"requireAuthTime\": null, \"defaultAcrValues\": null, \"initiateLoginUri\": null, \"postLogoutRedirectUris\": null, \"requestUris\": null, \"scopes\": [ \"email\", \"openid\", \"profile\" ], \"claims\": null, \"trustedClient\": false, \"lastAccessTime\": null, \"lastLogonTime\": null, \"persistClientAuthorizations\": null, \"includeClaimsInIdToken\": false, \"refreshTokenLifetime\": null, \"accessTokenLifetime\": null, \"customAttributes\": null, \"customObjectClasses\": null, \"rptAsJwt\": null, \"accessTokenAsJwt\": null, \"accessTokenSigningAlg\": null, \"disabled\": false, \"authorizedOrigins\": null, \"softwareId\": null, \"softwareVersion\": null, \"softwareStatement\": null, \"attributes\": null, \"backchannelTokenDeliveryMode\": null, \"backchannelClientNotificationEndpoint\": null, \"backchannelAuthenticationRequestSigningAlg\": null, 
\"backchannelUserCodeParameter\": null, \"expirationDate\": null, \"deletable\": false, \"jansId\": null, \"description\": null } Now you can use that JSON file as input to the command below and register your client python3 jans-cli-tui-linux-ubuntu-X86-64.pyz --host --client-id --client-secret --no-tui --operation-id=post-oauth-openid-client --data /schema-json-file.json After the client is successfully registered, there will be data that describes the newly registered client. Some of these values, like inum and clientSecret , will be required before we configure mod_auth_openidc So keep in mind that we shall get back to this.","title":"Jans TUI"},{"location":"admin/recipes/getting-started-rancher/#create-an-application-container","text":"An application docker container will be run locally which will act as the protected resource (PR) / external application. The following files have code for the small application. We shall create a directory locally / on your machine called test and add the required files. 
Firstly create a project folder named test by running mkdir test && cd test and add the following files with their content; app.conf ServerRoot \"/usr/local/apache2\" Listen 80 LoadModule mpm_event_module modules/mod_mpm_event.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule include_module modules/mod_include.so LoadModule filter_module modules/mod_filter.so LoadModule mime_module modules/mod_mime.so LoadModule log_config_module modules/mod_log_config.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule unixd_module modules/mod_unixd.so LoadModule dir_module modules/mod_dir.so User daemon Group daemon AllowOverride none Require all denied DocumentRoot \"/usr/local/apache2/htdocs\" Options Indexes FollowSymLinks Includes AllowOverride None Require all granted SetEnvIf X-Remote-User \"(.*)\" REMOTE_USER=$0 SetEnvIf X-Remote-User-Name \"(.*)\" REMOTE_USER_NAME=$0 SetEnvIf X-Remote-User-Email \"(.*)\" REMOTE_USER_EMAIL=$0 DirectoryIndex index.html Require all denied ErrorLog /proc/self/fd/2 LogLevel warn LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" combined LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b\" common CustomLog /proc/self/fd/1 common TypesConfig conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz AddType text/html .shtml AddOutputFilter INCLUDES .shtml user.shtml Hello User

Hello !

You authenticated as:

Your email address is:

Environment:

!

index.html Hello World

Hello world!

Dockerfile FROM httpd:2.4.54@sha256:c9eba4494b9d856843b49eb897f9a583a0873b1c14c86d5ab77e5bdedd6ad05d # \"Created\": \"2022-06-08T18:45:46.260791323Z\" , \"Version\":\"2.4.54\" RUN apt-get update \\ && apt-get install -y --no-install-recommends wget ca-certificates libcjose0 libhiredis0.14 apache2-api-20120211 apache2-bin\\ && wget https://github.com/zmartzone/mod_auth_openidc/releases/download/v2.4.11.2/libapache2-mod-auth-openidc_2.4.11.2-1.buster+1_amd64.deb \\ && dpkg -i libapache2-mod-auth-openidc_2.4.11.2-1.buster+1_amd64.deb \\ && ln -s /usr/lib/apache2/modules/mod_auth_openidc.so /usr/local/apache2/modules/mod_auth_openidc.so \\ && rm -rf /var/log/dpkg.log /var/log/alternatives.log /var/log/apt \\ && touch /usr/local/apache2/conf/extra/secret.conf \\ && touch /usr/local/apache2/conf/extra/oidc.conf RUN echo \"\\n\\nLoadModule auth_openidc_module modules/mod_auth_openidc.so\\n\\nInclude conf/extra/secret.conf\\nInclude conf/extra/oidc.conf\\n\" >> /usr/local/apache2/conf/httpd.conf gluu.secret.conf OIDCClientID OIDCCryptoPassphrase OIDCClientSecret OIDCResponseType code OIDCScope \"openid email profile\" OIDCProviderTokenEndpointAuth client_secret_basic OIDCSSLValidateServer Off OIDCRedirectURI http://localhost:8111/oauth2callback OIDCCryptoPassphrase Require valid-user AuthType openid-connect After, run an Apache container which will play the role of an application being protected by the authenticating reverse proxy. docker run -dit -p 8110:80 \\ -v \"$PWD/app.conf\":/usr/local/apache2/conf/httpd.conf \\ -v \"$PWD/index.html\":/usr/local/apache2/htdocs/index.html \\ -v \"$PWD/user.shtml\":/usr/local/apache2/htdocs/user.shtml \\ --name apache-app httpd:2.4 Note that we are using a popular pre-built image useful for acting as a reverse proxy for authentication in front of an application. It contains a stripped-down Apache with minimal modules, and adds the mod_auth_openidc module for performing OpenID Connect authentication. 
Make a test curl command call to ensure you get back some content as shown in the screenshot below curl http://localhost:8110/user.shtml","title":"Create an Application Container"},{"location":"admin/recipes/getting-started-rancher/#create-an-authenticating-reverse-proxy-container","text":"We shall use Apache, but this time we use a Docker image that has mod_auth_oidc installed and configured. This proxy will require authentication, handle the authentication flow with redirects, and then forward requests to the application. In order to use this, you will need to have registered a new OpenID Connect client on the Janssen server. We did that in the step 1 above Add the following files to the test folder. oidc.conf # Unset to make sure clients can't control these RequestHeader unset X-Remote-User RequestHeader unset X-Remote-User-Name RequestHeader unset X-Remote-User-Email # If you want to see tons of logs for your experimentation #LogLevel trace8 OIDCClientID OIDCProviderMetadataURL https://idp-proxy.med.stanford.edu/auth/realms/med-all/.well-known/openid-configuration #OIDCProviderMetadataURL https://idp-proxy-stage.med.stanford.edu/auth/realms/choir/.well-known/openid-configuration OIDCRedirectURI http://localhost:8111/oauth2callback OIDCScope \"openid email profile\" OIDCRemoteUserClaim principal OIDCPassClaimsAs environment AuthType openid-connect Require valid-user ProxyPass http://app:80/ ProxyPassReverse http://app:80/ RequestHeader set X-Remote-User %{OIDC_CLAIM_principal}e RequestHeader set X-Remote-User-Name %{OIDC_CLAIM_name}e RequestHeader set X-Remote-User-Email %{OIDC_CLAIM_email}e proxy.conf # This is the main Apache HTTP server configuration file. For documentation, see: # http://httpd.apache.org/docs/2.4/ # http://httpd.apache.org/docs/2.4/mod/directives.html # # This is intended to be a hardened configuration, with minimal security surface area necessary # to run mod_auth_openidc. 
ServerRoot \"/usr/local/apache2\" Listen 80 LoadModule mpm_event_module modules/mod_mpm_event.so LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_core_module modules/mod_authn_core.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule access_compat_module modules/mod_access_compat.so LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule reqtimeout_module modules/mod_reqtimeout.so LoadModule filter_module modules/mod_filter.so LoadModule mime_module modules/mod_mime.so LoadModule log_config_module modules/mod_log_config.so LoadModule env_module modules/mod_env.so LoadModule headers_module modules/mod_headers.so LoadModule setenvif_module modules/mod_setenvif.so #LoadModule version_module modules/mod_version.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule unixd_module modules/mod_unixd.so #LoadModule status_module modules/mod_status.so #LoadModule autoindex_module modules/mod_autoindex.so LoadModule dir_module modules/mod_dir.so LoadModule alias_module modules/mod_alias.so User daemon Group daemon ServerAdmin you@example.com AllowOverride none Require all denied DocumentRoot \"/usr/local/apache2/htdocs\" Options Indexes FollowSymLinks AllowOverride None Require all granted DirectoryIndex index.html Options None Require all denied Require all denied ErrorLog /proc/self/fd/2 LogLevel warn LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" combined LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b\" common LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\" %I %O\" combinedio CustomLog /proc/self/fd/1 common ScriptAlias /cgi-bin/ \"/usr/local/apache2/cgi-bin/\" AllowOverride None Options None Require all granted 
RequestHeader unset Proxy early TypesConfig conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz Include conf/extra/proxy-html.conf SSLRandomSeed startup builtin SSLRandomSeed connect builtin TraceEnable off ServerTokens Prod ServerSignature Off LoadModule auth_openidc_module modules/mod_auth_openidc.so Include conf/extra/secret.conf Include conf/extra/oidc.conf Edit the file to include the client secret for the client you created during DCR, and add a securely generated pass phrase for the session keys docker build --pull -t apache-oidc -f Dockerfile . docker run -dit -p 8111:80 \\ -v \"$PWD/proxy.conf\":/usr/local/apache2/conf/httpd.conf \\ -v \"$PWD/gluu.secret.conf\":/usr/local/apache2/conf/extra/secret.conf \\ -v \"$PWD/oidc.conf\":/usr/local/apache2/conf/extra/oidc.conf \\ --link apache-app:app \\ --name apache-proxy apache-oidc Now open a fresh web browser with private (incognito) mode, and go to this url http://localhost:8111/user.shtml To check the proxy logs docker logs -f apache-proxy To see the app logs docker logs -f apache-app If you modified the configuration files, just restart the proxy. docker restart apache-proxy","title":"Create an Authenticating Reverse Proxy Container"},{"location":"admin/saml/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Index"},{"location":"admin/saml/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"admin/saml/idp/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. 
Keep an eye on this page for updates.","title":"Idp"},{"location":"admin/saml/idp/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"admin/saml/proxy/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Proxy"},{"location":"admin/saml/proxy/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"includes/cn-system-requirements/","text":"The resources may be set minimally to the below: 8-13 GB RAM based on the services deployed 8-11 CPU cores based on the services deployed 50GB hard-disk Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may be increase or decrease. Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No kc-scheduler - job 0.3 0.3GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0","title":"Cn system requirements"},{"location":"install/","tags":["administration","installation"],"text":"Installation Overview # The goal of Gluu Flex is to give you a lot of deployment options. 
This is a challenge--the more ways to install, the more ways for things to go wrong! But to build a large community, we need to provide ways to install the software in enough different ways to make at least the bulk of the community happy. Currently, that means the following installation options: VM packages for Ubuntu, SUSE and Red Hat Helm deployments for Amazon, Google, Microsoft and Rancher Docker monolith deployment for development / testing (not production) Minimal Configuration # It turns out that just installing the Flex binary object code (i.e. the bits), is totally useless. That's because in order to do anything useful with Gluu Flex, you need a minimal amount of configuration. For example, you need to generate cryptographic key pairs, you need to generate a minimal amount of data in the database, you need to generate some web server TLS certificates. For this reason, for most of the platforms, installation is a three step process. Step 1, install the bits. Step 2, run \"setup\" and answer some basic question (like the hostname of your IDP). Step 3, fire up a configuration tool to perform any other last mile configuration. Databases # Gluu Flex gives you a few options to store data: MySQL, Postgres, Couchbase, Amazon Aurora, and Spanner. You can also configure an in-memory cache server like Redis. Sometimes installation and configuration of this database is included in the setup process. Sometimes, you need to setup the database ahead of time. Please refer to the database instructions specific for your choice. And of course, you may need to refer to the database documentation itself--we don't want to duplicate any of that third party content. Optimization # Remember, installation is just a starting point. To get peak performance, you may need to tweak some of the configuration dials for your system or the database. 
If you intend to deploy a Gluu Flex in production for high concurrency, make sure you benchmark the exact flows you expect to serve in production.","title":"Installation Overview"},{"location":"install/#installation-overview","text":"The goal of Gluu Flex is to give you a lot of deployment options. This is a challenge--the more ways to install, the more ways for things to go wrong! But to build a large community, we need to provide ways to install the software in enough different ways to make at least the bulk of the community happy. Currently, that means the following installation options: VM packages for Ubuntu, SUSE and Red Hat Helm deployments for Amazon, Google, Microsoft and Rancher Docker monolith deployment for development / testing (not production)","title":"Installation Overview"},{"location":"install/#minimal-configuration","text":"It turns out that just installing the Flex binary object code (i.e. the bits), is totally useless. That's because in order to do anything useful with Gluu Flex, you need a minimal amount of configuration. For example, you need to generate cryptographic key pairs, you need to generate a minimal amount of data in the database, you need to generate some web server TLS certificates. For this reason, for most of the platforms, installation is a three step process. Step 1, install the bits. Step 2, run \"setup\" and answer some basic question (like the hostname of your IDP). Step 3, fire up a configuration tool to perform any other last mile configuration.","title":"Minimal Configuration"},{"location":"install/#databases","text":"Gluu Flex gives you a few options to store data: MySQL, Postgres, Couchbase, Amazon Aurora, and Spanner. You can also configure an in-memory cache server like Redis. Sometimes installation and configuration of this database is included in the setup process. Sometimes, you need to setup the database ahead of time. Please refer to the database instructions specific for your choice. 
And of course, you may need to refer to the database documentation itself--we don't want to duplicate any of that third party content.","title":"Databases"},{"location":"install/#optimization","text":"Remember, installation is just a starting point. To get peak performance, you may need to tweak some of the configuration dials for your system or the database. If you intend to deploy a Gluu Flex in production for high concurrency, make sure you benchmark the exact flows you expect to serve in production.","title":"Optimization"},{"location":"install/agama/prerequisites/","tags":["administration","installation"],"text":"Agama Lab # Agama Lab is a platform to manage your Gluu license. This is where you may subscribe to Gluu Flex or obtain credentials for your enterprise license. To begin, please visit Agama Lab You may register via email or login via GitHub If you want to author or test Agama projects, you will need to login via GitHub Once you have logged in, please navigate to Market > SCAN and subscribe to the free tier. SCAN is the API gateway Gluu uses to validate licenses. The free tier will give you 500 credits. As license calls do not cost credits, this will not cost you anything. Software Statement Assertions # In order to install Flex, you will need a Software Statement Assertion (SSA). An SSA is a signed JSON Web Token (JWT) that is required by the Flex install script to validate your license. Obtaining an SSA # Gluu issues SSAs through the Agama Lab web interface. You can obtain an SSA for use with Flex by following these steps: Login to Agama Lab On the left navigation bar, select Market Navigate to the tab named SSA . Sign up for a free SCAN subscription, which will give you 500 SCAN credits. Flex does not cost any SCAN credits, so you will not be charged for SCAN. 
Click on Create New SSA On Software Name , fill in a unique identifier for this SSA Description is optional Under Software Roles , tick license Under Expiration Date , select an appropriate date. Your SSA will not be useable after that date. Under SSA Lifetime , choose an appropriate lifetime for the Flex client. One month or longer is recommended. Deselect One time use and Rotate SSA Click Create - Click on Detail of the newly issued SSA, then click on Show JWT You will be shown a long string of characters. Copy this and save it to a file. You may now use this file during Flex installation. License # Gluu Flex uses the SSA obtained in the above step to either request a 30 day trial license or verify presence of a license tied to your Agama Lab account. One account may request one trial license in its lifetime. To purchase a full license, please navigate to the Flex tab of the marketplace where you may purchase licenses for up to 1600 MAU (monthly active users). To purchase an enterprise license for more MAU, please contact Sales . If you have subscribed to Flex via Agama Lab, the SSA obtained in the step before will automatically link your license to your installation. For enterprise licenses, please open a support ticket so that we can issue a license against your Agama account. Once this is done, you may use the SSA obtained to proceed to installation.","title":"Prerequisites"},{"location":"install/agama/prerequisites/#agama-lab","text":"Agama Lab is a platform to manage your Gluu license. This is where you may subscribe to Gluu Flex or obtain credentials for your enterprise license. To begin, please visit Agama Lab You may register via email or login via GitHub If you want to author or test Agama projects, you will need to login via GitHub Once you have logged in, please navigate to Market > SCAN and subscribe to the free tier. SCAN is the API gateway Gluu uses to validate licenses. The free tier will give you 500 credits. 
As license calls do not cost credits, this will not cost you anything.","title":"Agama Lab"},{"location":"install/agama/prerequisites/#software-statement-assertions","text":"In order to install Flex, you will need a Software Statement Assertion (SSA). An SSA is a signed JSON Web Token (JWT) that is required by the Flex install script to validate your license.","title":"Software Statement Assertions"},{"location":"install/agama/prerequisites/#obtaining-an-ssa","text":"Gluu issues SSAs through the Agama Lab web interface. You can obtain an SSA for use with Flex by following these steps: Login to Agama Lab On the left navigation bar, select Market Navigate to the tab named SSA . Sign up for a free SCAN subscription, which will give you 500 SCAN credits. Flex does not cost any SCAN credits, so you will not be charged for SCAN. Click on Create New SSA On Software Name , fill in a unique identifier for this SSA Description is optional Under Software Roles , tick license Under Expiration Date , select an appropriate date. Your SSA will not be useable after that date. Under SSA Lifetime , choose an appropriate lifetime for the Flex client. One month or longer is recommended. Deselect One time use and Rotate SSA Click Create - Click on Detail of the newly issued SSA, then click on Show JWT You will be shown a long string of characters. Copy this and save it to a file. You may now use this file during Flex installation.","title":"Obtaining an SSA"},{"location":"install/agama/prerequisites/#license","text":"Gluu Flex uses the SSA obtained in the above step to either request a 30 day trial license or verify presence of a license tied to your Agama Lab account. One account may request one trial license in its lifetime. To purchase a full license, please navigate to the Flex tab of the marketplace where you may purchase licenses for up to 1600 MAU (monthly active users). To purchase an enterprise license for more MAU, please contact Sales . 
If you have subscribed to Flex via Agama Lab, the SSA obtained in the step before will automatically link your license to your installation. For enterprise licenses, please open a support ticket so that we can issue a license against your Agama account. Once this is done, you may use the SSA obtained to proceed to installation.","title":"License"},{"location":"install/docker-install/compose/","tags":["administration","reference","kubernetes","docker image","docker compose"],"text":"Warning This image is for testing and development purposes only. Use Flex helm charts for production setups. Overview # Docker monolith image packaging for Gluu Flex. This image packs janssen services including the auth-server, config-api, fido2, casa, scim and the Gluu admin ui. Pre-requisites # Docker Docker compose Versions # See Releases for stable versions. This image should never be used in production. For bleeding-edge/unstable version, use gluufederation/monolith:0.0.0-nightly . Environment Variables # Installation depends on the set of environment variables shown below. These environment variables can be set to customize installation as per the need. If not set, the installer uses default values. ENV Description Default CN_HOSTNAME Hostname to install gluu with. demoexample.gluu.org CN_ADMIN_PASS Password of the admin user. 1t5Fin3#security CN_ORG_NAME Organization name. Used for ssl cert generation. Gluu CN_EMAIL Email. Used for ssl cert generation. team@gluu.org CN_CITY City. Used for ssl cert generation. Austin CN_STATE State. Used for ssl cert generation TX CN_COUNTRY Country. Used for ssl cert generation. US CN_INSTALL_MYSQL Install gluu with mysql as the backend false CN_INSTALL_PGSQL Install gluu with Postgres as the backend false CN_INSTALL_ADMIN_UI Installs the Admin-UI true CN_INSTALL_CONFIG_API Installs the Config API service. true CN_INSTALL_SCIM Installs the SCIM API service. true CN_INSTALL_FIDO2 Installs the FIDO2 API service. 
true RDBMS_DATABASE RDBMS gluu database for MySQL or Postgres. gluu RDBMS_USER RDBMS database user for MySQL or Postgres. gluu RDBMS_PASSWORD RDBMS database user password for MySQL or Postgres. 1t5Fin3#security RDBMS_HOST RDBMS host for MySQL or Postgres. mysql which is the docker compose service name TEST_CLIENT_ID ID of test client in UUID which has all available scopes to access any gluu API 9876baac-de39-4c23-8a78-674b59df8c09 TEST_CLIENT_SECRET Secret for test client 1t5Fin3#security TEST_CLIENT_TRUSTED Trust test client true TEST_CLIENT_REDIRECT_URI Not Implemented yet Redirect URI for test client. Multiple uri's with comma may be provided, if not provided redirect uris will be same as the config-api-client `` How to run # Download the compose file of your chosen persistence from mysql or postgres wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-mysql-compose.yml wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-postgres-compose.yml Download the script files wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/up.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/down.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/clean.sh Give execute permission to the scripts chmod u+x up.sh down.sh clean.sh This docker compose file runs two containers, the flex monolith container and mysql container. To start the containers. ./up.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql. To view the containers running docker compose -f flex-mysql-compose.yml ps To stop the containers. ./down.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql. 
Configure Gluu flex # Access the Docker container shell using: docker compose -f flex-mysql-compose.yml exec flex /bin/bash #This opens a bash terminal in the running container You can grab client_id and client_pw (secret), and other values from setup.properties or /opt/jans/jans-setup/setup.properties.last Use the CLI tools located under /opt/jans/jans-cli/ to configure Gluu flex as needed. For example you can run the TUI : python3 /opt/jans/jans-cli/config-cli-tui.py Access endpoints externally # Add to your /etc/hosts file the ip domain record which should be the ip of the instance docker is installed at and the domain used in the env above CN_HOSTNAME . # For-example 172 .22.0.3 demoexample.gluu.org After adding the record you can hit endpoints such as https://demoexample.gluu.org/.well-known/openid-configuration Clean up # Remove setup and volumes ./clean.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql.","title":"Docker compose"},{"location":"install/docker-install/compose/#overview","text":"Docker monolith image packaging for Gluu Flex. This image packs janssen services including the auth-server, config-api, fido2, casa, scim and the Gluu admin ui.","title":"Overview"},{"location":"install/docker-install/compose/#pre-requisites","text":"Docker Docker compose","title":"Pre-requisites"},{"location":"install/docker-install/compose/#versions","text":"See Releases for stable versions. This image should never be used in production. For bleeding-edge/unstable version, use gluufederation/monolith:0.0.0-nightly .","title":"Versions"},{"location":"install/docker-install/compose/#environment-variables","text":"Installation depends on the set of environment variables shown below. These environment variables can be set to customize installation as per the need. If not set, the installer uses default values. ENV Description Default CN_HOSTNAME Hostname to install gluu with. 
demoexample.gluu.org CN_ADMIN_PASS Password of the admin user. 1t5Fin3#security CN_ORG_NAME Organization name. Used for ssl cert generation. Gluu CN_EMAIL Email. Used for ssl cert generation. team@gluu.org CN_CITY City. Used for ssl cert generation. Austin CN_STATE State. Used for ssl cert generation TX CN_COUNTRY Country. Used for ssl cert generation. US CN_INSTALL_MYSQL Install gluu with mysql as the backend false CN_INSTALL_PGSQL Install gluu with Postgres as the backend false CN_INSTALL_ADMIN_UI Installs the Admin-UI true CN_INSTALL_CONFIG_API Installs the Config API service. true CN_INSTALL_SCIM Installs the SCIM API service. true CN_INSTALL_FIDO2 Installs the FIDO2 API service. true RDBMS_DATABASE RDBMS gluu database for MySQL or Postgres. gluu RDBMS_USER RDBMS database user for MySQL or Postgres. gluu RDBMS_PASSWORD RDBMS database user password for MySQL or Postgres. 1t5Fin3#security RDBMS_HOST RDBMS host for MySQL or Postgres. mysql which is the docker compose service name TEST_CLIENT_ID ID of test client in UUID which has all available scopes to access any gluu API 9876baac-de39-4c23-8a78-674b59df8c09 TEST_CLIENT_SECRET Secret for test client 1t5Fin3#security TEST_CLIENT_TRUSTED Trust test client true TEST_CLIENT_REDIRECT_URI Not Implemented yet Redirect URI for test client. 
Multiple uri's with comma may be provided, if not provided redirect uris will be same as the config-api-client ``","title":"Environment Variables"},{"location":"install/docker-install/compose/#how-to-run","text":"Download the compose file of your chosen persistence from mysql or postgres wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-mysql-compose.yml wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-postgres-compose.yml Download the script files wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/up.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/down.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/clean.sh Give execute permission to the scripts chmod u+x up.sh down.sh clean.sh This docker compose file runs two containers, the flex monolith container and mysql container. To start the containers. ./up.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql. To view the containers running docker compose -f flex-mysql-compose.yml ps To stop the containers. ./down.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql.","title":"How to run"},{"location":"install/docker-install/compose/#configure-gluu-flex","text":"Access the Docker container shell using: docker compose -f flex-mysql-compose.yml exec flex /bin/bash #This opens a bash terminal in the running container You can grab client_id and client_pw (secret), and other values from setup.properties or /opt/jans/jans-setup/setup.properties.last Use the CLI tools located under /opt/jans/jans-cli/ to configure Gluu flex as needed. 
For example you can run the TUI : python3 /opt/jans/jans-cli/config-cli-tui.py","title":"Configure Gluu flex"},{"location":"install/docker-install/compose/#access-endpoints-externally","text":"Add to your /etc/hosts file the ip domain record which should be the ip of the instance docker is installed at and the domain used in the env above CN_HOSTNAME . # For-example 172 .22.0.3 demoexample.gluu.org After adding the record you can hit endpoints such as https://demoexample.gluu.org/.well-known/openid-configuration","title":"Access endpoints externally"},{"location":"install/docker-install/compose/#clean-up","text":"Remove setup and volumes ./clean.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql.","title":"Clean up"},{"location":"install/docker-install/quick-start/","tags":["administration","installation","quick-start","docker"],"text":"Warning This image is for testing and development purposes only. Use Flex helm charts for production setups. Overview # The quickest way to get Gluu flex up and running is to have a Docker container-based deployment. System Requirements # System should meet minimum VM system requirements Install # Installation depends on a set of environment variables . These environment variables can be set to customize installation as per the need. If not set, the installer uses default values. Run this command to start the installation: wget https://raw.githubusercontent.com/GluuFederation/flex/vreplace-flex-version/automation/startflexmonolithdemo.sh && chmod u+x startflexmonolithdemo.sh && sudo bash startflexmonolithdemo.sh demoexample.gluu.org MYSQL Console messages like below confirms the successful installation: [+] Running 3/3 \u283f Network docker-flex-monolith_cloud_bridge Created 0.0s \u283f Container docker-flex-monolith-mysql-1 Started 0.6s \u283f Container docker-flex-monolith-flex-1 Started 0.9s Waiting for auth-server to come up. 
Depending on the resources it may take 3-5 mins for the services to be up. Testing openid-configuration endpoint.. As can be seen, the install script also accesses the well-known endpoints to verify that Gluu Flex is responsive. Verify Installation By Accessing Standard Endpoints # To access Gluu flex standard endpoints from outside of the Docker container, systems /etc/hosts file needs to be updated. Open the file and add the IP domain record which should be the IP of the instance docker is installed. And the domain used in the env above CN_HOSTNAME . # For-example 172 .22.0.3 demoexample.gluu.org After adding the record, hit the standard endpoints such as https://demoexample.gluu.org/.well-known/openid-configuration Configure Gluu flex # Access the Docker container shell using: docker exec -ti docker-flex-monolith-flex-1 bash Grab a pair of client_id and client_pw(secret) from setup.properties or /opt/jans/jans-setup/setup.properties.last Use the CLI tools located under /opt/jans/jans-cli/ to configure Gluu flex as needed. For example you can run the TUI : python3 /opt/jans/jans-cli/config-cli-tui.py Uninstall/Remove Gluu flex # This docker based installation uses docker compose under the hood to create containers. Hence uninstalling Gluu flex involves invoking docker compose with appropriate yml file. Run command below to stop and remove containers. 
docker compose -f /tmp/flex/docker-flex-monolith/flex-mysql-compose.yml down && rm -rf flex-* Console messages like below confirms the successful removal: [+] Running 3/3 \u283f Container docker-flex-monolith-flex-1 Removed 10.5s \u283f Container docker-flex-monolith-mysql-1 Removed 0.9s \u283f Network docker-flex-monolith_cloud_bridge Removed 0.1s","title":"Quick Start"},{"location":"install/docker-install/quick-start/#overview","text":"The quickest way to get Gluu flex up and running is to have a Docker container-based deployment.","title":"Overview"},{"location":"install/docker-install/quick-start/#system-requirements","text":"System should meet minimum VM system requirements","title":"System Requirements"},{"location":"install/docker-install/quick-start/#install","text":"Installation depends on a set of environment variables . These environment variables can be set to customize installation as per the need. If not set, the installer uses default values. Run this command to start the installation: wget https://raw.githubusercontent.com/GluuFederation/flex/vreplace-flex-version/automation/startflexmonolithdemo.sh && chmod u+x startflexmonolithdemo.sh && sudo bash startflexmonolithdemo.sh demoexample.gluu.org MYSQL Console messages like below confirms the successful installation: [+] Running 3/3 \u283f Network docker-flex-monolith_cloud_bridge Created 0.0s \u283f Container docker-flex-monolith-mysql-1 Started 0.6s \u283f Container docker-flex-monolith-flex-1 Started 0.9s Waiting for auth-server to come up. Depending on the resources it may take 3-5 mins for the services to be up. Testing openid-configuration endpoint.. 
As can be seen, the install script also accesses the well-known endpoints to verify that Gluu Flex is responsive.","title":"Install"},{"location":"install/docker-install/quick-start/#verify-installation-by-accessing-standard-endpoints","text":"To access Gluu flex standard endpoints from outside of the Docker container, systems /etc/hosts file needs to be updated. Open the file and add the IP domain record which should be the IP of the instance docker is installed. And the domain used in the env above CN_HOSTNAME . # For-example 172 .22.0.3 demoexample.gluu.org After adding the record, hit the standard endpoints such as https://demoexample.gluu.org/.well-known/openid-configuration","title":"Verify Installation By Accessing Standard Endpoints"},{"location":"install/docker-install/quick-start/#configure-gluu-flex","text":"Access the Docker container shell using: docker exec -ti docker-flex-monolith-flex-1 bash Grab a pair of client_id and client_pw(secret) from setup.properties or /opt/jans/jans-setup/setup.properties.last Use the CLI tools located under /opt/jans/jans-cli/ to configure Gluu flex as needed. For example you can run the TUI : python3 /opt/jans/jans-cli/config-cli-tui.py","title":"Configure Gluu flex"},{"location":"install/docker-install/quick-start/#uninstallremove-gluu-flex","text":"This docker based installation uses docker compose under the hood to create containers. Hence uninstalling Gluu flex involves invoking docker compose with appropriate yml file. Run command below to stop and remove containers. 
docker compose -f /tmp/flex/docker-flex-monolith/flex-mysql-compose.yml down && rm -rf flex-* Console messages like below confirms the successful removal: [+] Running 3/3 \u283f Container docker-flex-monolith-flex-1 Removed 10.5s \u283f Container docker-flex-monolith-mysql-1 Removed 0.9s \u283f Network docker-flex-monolith_cloud_bridge Removed 0.1s","title":"Uninstall/Remove Gluu flex"},{"location":"install/helm-install/","tags":["administration","installation","helm"],"text":"Overview # Gluu Flex enables organizations to build a scalable centralized authentication and authorization service using free open source software. The components of the project include client and server implementations of the OAuth, OpenID Connect, SCIM and FIDO standards. All these components are deployed using Gluu helm chart . You can check the reference guide to view the list of the chart components and values. Looking for older helm charts? # If you are looking for older helm charts, you need to build them from the Gluu Flex repository. We only keep the last 5 versions of the chart up. We support auto-upgrade using helm upgrade and hence want everyone to stay up to date with our charts. To build older charts manually from the Gluu Flex repository, you can use the following example which assumes we are building for janssen version v5.0.0 : git clone --filter blob:none --no-checkout https://github.com/GluuFederation/flex.git /tmp/flex \\ && cd /tmp/flex \\ && git sparse-checkout init --cone \\ && git checkout v5.0.0 \\ && git sparse-checkout add charts/gluu \\ && cd charts/gluu \\ && helm dependency update \\ && helm package .","title":"Overview"},{"location":"install/helm-install/#overview","text":"Gluu Flex enables organizations to build a scalable centralized authentication and authorization service using free open source software. The components of the project include client and server implementations of the OAuth, OpenID Connect, SCIM and FIDO standards. 
All these components are deployed using Gluu helm chart . You can check the reference guide to view the list of the chart components and values.","title":"Overview"},{"location":"install/helm-install/#looking-for-older-helm-charts","text":"If you are looking for older helm charts, you need to build them from the Gluu Flex repository. We only keep the last 5 versions of the chart up. We support auto-upgrade using helm upgrade and hence want everyone to stay up to date with our charts. To build older charts manually from the Gluu Flex repository, you can use the following example which assumes we are building for janssen version v5.0.0 : git clone --filter blob:none --no-checkout https://github.com/GluuFederation/flex.git /tmp/flex \\ && cd /tmp/flex \\ && git sparse-checkout init --cone \\ && git checkout v5.0.0 \\ && git sparse-checkout add charts/gluu \\ && cd charts/gluu \\ && helm dependency update \\ && helm package .","title":"Looking for older helm charts?"},{"location":"install/helm-install/amazon-eks/","tags":["administration","installation","helm","EKS","Amazon Web Services","AWS"],"text":"Install Gluu Flex on EKS # System Requirements # The resources may be set minimally to the below: 8-13 GB RAM based on the services deployed 8-11 CPU cores based on the services deployed 50GB hard-disk Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may be increase or decrease. 
Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No kc-scheduler - job 0.3 0.3GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0 Initial Setup # Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Install aws cli Configure your AWS user account using aws configure command. This makes you able to authenticate before creating the cluster. Note that this user account must have permissions to work with Amazon EKS IAM roles and service linked roles, AWS CloudFormation, and a VPC and related resources Install kubectl Install eksctl Create cluster using eksctl such as the following example: eksctl create cluster --name gluu-cluster --nodegroup-name gluu-nodes --node-type NODE_TYPE --nodes 2 --managed --region REGION_CODE You can adjust node-type and nodes number as per your desired cluster size To be able to attach volumes to your pod, you need to install the Amazon EBS CSI driver Install Helm3 Create gluu namespace where our resources will reside kubectl create namespace gluu Gluu Flex Installation using Helm # Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx Create a file named override.yaml and add changes as per your desired configuration: FQDN/domain is not registered: Get the Loadbalancer address: kubectl get svc nginx-ingress-nginx-controller 
--output jsonpath='{.status.loadBalancer.ingress[0].hostname}' Add the following yaml snippet to your override.yaml file: global : isFqdnRegistered : false config : configmap : lbAddr : http:// #Add LB address from previous command FQDN/domain is registered: Add the following yaml snippet to your override.yaml file: global : isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : lbAddr : http:// #Add LB address from previous command nginx : ingress : enabled : true path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu PostgreSQL for persistence storage In a production environment, a production grade PostgreSQL server should be used such as Amazon RDS For testing purposes, you can deploy it on the EKS cluster using the following command: helm install my-release --set auth.postgresPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/postgresql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 5432 cnSqlDbDialect : pgsql cnSqlDbHost : my-release-postgresql.gluu.svc cnSqlDbUser : postgres cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# MySQL for persistence storage In a production environment, a production grade MySQL server should be used such as Amazon RDS For testing purposes, you can deploy it on the EKS cluster using the following command: helm install my-release --set auth.rootPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/mysql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : 
Test1234# So if your desired configuration has FQDN and MySQL, the final override.yaml file will look something like that: global : cnPersistenceType : sql isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : lbAddr : http:// #Add LB address from previous command cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# Install Gluu Flex After finishing all the tweaks to the override.yaml file, we can use it to install gluu flex. helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml Configure Gluu Flex # You can use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration.","title":"Amazon EKS"},{"location":"install/helm-install/amazon-eks/#install-gluu-flex-on-eks","text":"","title":"Install Gluu Flex on EKS"},{"location":"install/helm-install/amazon-eks/#system-requirements","text":"The resources may be set minimally to the below: 8-13 GB RAM based on the services deployed 8-11 CPU cores based on the services deployed 50GB hard-disk Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may be increase or decrease. 
Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No kc-scheduler - job 0.3 0.3GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0","title":"System Requirements"},{"location":"install/helm-install/amazon-eks/#initial-setup","text":"Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Install aws cli Configure your AWS user account using aws configure command. This makes you able to authenticate before creating the cluster. Note that this user account must have permissions to work with Amazon EKS IAM roles and service linked roles, AWS CloudFormation, and a VPC and related resources Install kubectl Install eksctl Create cluster using eksctl such as the following example: eksctl create cluster --name gluu-cluster --nodegroup-name gluu-nodes --node-type NODE_TYPE --nodes 2 --managed --region REGION_CODE You can adjust node-type and nodes number as per your desired cluster size To be able to attach volumes to your pod, you need to install the Amazon EBS CSI driver Install Helm3 Create gluu namespace where our resources will reside kubectl create namespace gluu","title":"Initial Setup"},{"location":"install/helm-install/amazon-eks/#gluu-flex-installation-using-helm","text":"Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx Create a file named 
override.yaml and add changes as per your desired configuration: FQDN/domain is not registered: Get the Loadbalancer address: kubectl get svc nginx-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].hostname}' Add the following yaml snippet to your override.yaml file: global : isFqdnRegistered : false config : configmap : lbAddr : http:// #Add LB address from previous command FQDN/domain is registered: Add the following yaml snippet to your override.yaml file: global : isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : lbAddr : http:// #Add LB address from previous command nginx : ingress : enabled : true path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu PostgreSQL for persistence storage In a production environment, a production grade PostgreSQL server should be used such as Amazon RDS For testing purposes, you can deploy it on the EKS cluster using the following command: helm install my-release --set auth.postgresPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/postgresql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 5432 cnSqlDbDialect : pgsql cnSqlDbHost : my-release-postgresql.gluu.svc cnSqlDbUser : postgres cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# MySQL for persistence storage In a production environment, a production grade MySQL server should be used such as Amazon RDS For testing purposes, you can deploy it on the EKS cluster using the following command: helm install my-release --set auth.rootPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/mysql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : 
configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# So if your desired configuration has FQDN and MySQL, the final override.yaml file will look something like that: global : cnPersistenceType : sql isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : lbAddr : http:// #Add LB address from previous command cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# Install Gluu Flex After finishing all the tweaks to the override.yaml file, we can use it to install gluu flex. helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml","title":"Gluu Flex Installation using Helm"},{"location":"install/helm-install/amazon-eks/#configure-gluu-flex","text":"You can use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration.","title":"Configure Gluu Flex"},{"location":"install/helm-install/google-gke/","tags":["administration","installation","helm","GKE","Google Cloud","GCP"],"text":"Install Gluu Flex on GKE # System Requirements # The resources may be set minimally to the below: 8-13 GB RAM based on the services deployed 8-11 CPU cores based on the services deployed 50GB hard-disk Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may be increase or decrease. 
Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No kc-scheduler - job 0.3 0.3GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0 Initial Setup # Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Enable GKE API if not enabled yet. If you are using Cloud Shell , you can skip to step 7. Install gcloud . Install kubectl using gcloud components install kubectl command. Install Helm3 . Create cluster using a command such as the following example: gcloud container clusters create gluu-cluster --num-nodes 2 --machine-type e2-standard-4 --zone us-west1-a You can adjust num-nodes and machine-type as per your desired cluster size Create gluu namespace where our resources will reside kubectl create namespace gluu Gluu Flex Installation using Helm # Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx Create a file named override.yaml and add changes as per your desired configuration: FQDN/domain is not registered: Get the Loadbalancer IP: kubectl get svc nginx-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}' Add the following yaml snippet to your override.yaml file: global : lbIp : #Add the Loadbalance IP from the previous command isFqdnRegistered : false FQDN/domain is registered: Add the following yaml snippet to your 
override.yaml file: global : lbIp : #Add the LoadBalancer IP from the previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu PostgreSQL for persistence storage In a production environment, a production grade PostgreSQL server should be used such as Cloud SQL For testing purposes, you can deploy it on the GKE cluster using the following command: helm install my-release --set auth.postgresPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/postgresql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 5432 cnSqlDbDialect : pgsql cnSqlDbHost : my-release-postgresql.gluu.svc cnSqlDbUser : postgres cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# MySQL for persistence storage In a production environment, a production grade MySQL server should be used such as Cloud SQL For testing purposes, you can deploy it on the GKE cluster using the following command: helm install my-release --set auth.rootPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/mysql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# So if your desired configuration has FQDN and MySQL, the final override.yaml file will look something like that: global : cnPersistenceType : sql lbIp : \"\" #Add the LoadBalancer IP from previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress 
: path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# Install Gluu Flex After finishing all the tweaks to the override.yaml file, we can use it to install gluu flex. helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml Configure Gluu Flex # You can use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration.","title":"Google GKE"},{"location":"install/helm-install/google-gke/#install-gluu-flex-on-gke","text":"","title":"Install Gluu Flex on GKE"},{"location":"install/helm-install/google-gke/#system-requirements","text":"The resources may be set minimally to the below: 8-13 GB RAM based on the services deployed 8-11 CPU cores based on the services deployed 50GB hard-disk Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may be increase or decrease. 
Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No kc-scheduler - job 0.3 0.3GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0","title":"System Requirements"},{"location":"install/helm-install/google-gke/#initial-setup","text":"Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Enable GKE API if not enabled yet. If you are using Cloud Shell , you can skip to step 7. Install gcloud . Install kubectl using gcloud components install kubectl command. Install Helm3 . 
Create cluster using a command such as the following example: gcloud container clusters create gluu-cluster --num-nodes 2 --machine-type e2-standard-4 --zone us-west1-a You can adjust num-nodes and machine-type as per your desired cluster size Create gluu namespace where our resources will reside kubectl create namespace gluu","title":"Initial Setup"},{"location":"install/helm-install/google-gke/#gluu-flex-installation-using-helm","text":"Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx Create a file named override.yaml and add changes as per your desired configuration: FQDN/domain is not registered: Get the Loadbalancer IP: kubectl get svc nginx-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}' Add the following yaml snippet to your override.yaml file: global : lbIp : #Add the Loadbalance IP from the previous command isFqdnRegistered : false FQDN/domain is registered: Add the following yaml snippet to your override.yaml file: global : lbIp : #Add the LoadBalancer IP from the previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu PostgreSQL for persistence storage In a production environment, a production grade PostgreSQL server should be used such as Cloud SQL For testing purposes, you can deploy it on the GKE cluster using the following command: helm install my-release --set auth.postgresPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/postgresql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql 
config : configmap : cnSqlDbName : gluu cnSqlDbPort : 5432 cnSqlDbDialect : pgsql cnSqlDbHost : my-release-postgresql.gluu.svc cnSqlDbUser : postgres cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# MySQL for persistence storage In a production environment, a production grade MySQL server should be used such as Cloud SQL For testing purposes, you can deploy it on the GKE cluster using the following command: helm install my-release --set auth.rootPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/mysql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# So if your desired configuration has FQDN and MySQL, the final override.yaml file will look something like that: global : cnPersistenceType : sql lbIp : \"\" #Add the LoadBalancer IP from previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# Install Gluu Flex After finishing all the tweaks to the override.yaml file, we can use it to install gluu flex. helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml","title":"Gluu Flex Installation using Helm"},{"location":"install/helm-install/google-gke/#configure-gluu-flex","text":"You can use the Janssen TUI to configure Flex components. 
The TUI calls the Config API to perform ad hoc configuration.","title":"Configure Gluu Flex"},{"location":"install/helm-install/local/","tags":["administration","installation","helm"],"text":"Install Gluu Server Locally with minikube and MicroK8s # System Requirements # For local deployments like minikube and MicroK8s or cloud installations in demo mode, resources may be set to the minimum as below: 8 GB RAM 4 CPU cores 50 GB hard-disk Use the listing below for a detailed estimation of minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may increase or decrease. Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0 Installation Steps # Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Start a fresh Ubuntu 18.04 / 20.04 / 22.04 VM with ports 443 and 80 open. Then execute the following: sudo su - wget https://raw.githubusercontent.com/GluuFederation/flex/vreplace-flex-version/automation/startflexdemo.sh && chmod u+x startflexdemo.sh && ./startflexdemo.sh This will install Docker, Microk8s, Helm and Gluu with the default settings that can be found inside values.yaml . 
The installer will automatically add a record to your hosts record in the VM but if you want to access the endpoints outside the VM you must map the ip of the instance running Ubuntu to the FQDN you provided and then access the endpoints at your browser such in the example in the table below. Service Example endpoint Auth server https://FQDN/.well-known/openid-configuration fido2 https://FQDN/.well-known/fido2-configuration scim https://FQDN/.well-known/scim-configuration Casa https://FQDN/jans-casa Admin-UI https://FQDN/admin Configure Gluu Flex # You can use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration.","title":"Local Kubernetes Cluster"},{"location":"install/helm-install/local/#install-gluu-server-locally-with-minikube-and-microk8s","text":"","title":"Install Gluu Server Locally with minikube and MicroK8s"},{"location":"install/helm-install/local/#system-requirements","text":"For local deployments like minikube and MicroK8s or cloud installations in demo mode, resources may be set to the minimum as below: 8 GB RAM 4 CPU cores 50 GB hard-disk Use the listing below for a detailed estimation of minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may increase or decrease. 
Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0","title":"System Requirements"},{"location":"install/helm-install/local/#installation-steps","text":"Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Start a fresh Ubuntu 18.04 / 20.04 / 22.04 VM with ports 443 and 80 open. Then execute the following: sudo su - wget https://raw.githubusercontent.com/GluuFederation/flex/vreplace-flex-version/automation/startflexdemo.sh && chmod u+x startflexdemo.sh && ./startflexdemo.sh This will install Docker, Microk8s, Helm and Gluu with the default settings that can be found inside values.yaml . The installer will automatically add a record to your hosts record in the VM but if you want to access the endpoints outside the VM you must map the ip of the instance running Ubuntu to the FQDN you provided and then access the endpoints at your browser such in the example in the table below. Service Example endpoint Auth server https://FQDN/.well-known/openid-configuration fido2 https://FQDN/.well-known/fido2-configuration scim https://FQDN/.well-known/scim-configuration Casa https://FQDN/jans-casa Admin-UI https://FQDN/admin","title":"Installation Steps"},{"location":"install/helm-install/local/#configure-gluu-flex","text":"You can use the Janssen TUI to configure Flex components. 
The TUI calls the Config API to perform ad hoc configuration.","title":"Configure Gluu Flex"},{"location":"install/helm-install/microsoft-azure/","tags":["administration","installation","helm","AKS","Microsoft","Azure"],"text":"Install Gluu Flex on AKS # System Requirements # The resources may be set minimally to the below: 8-13 GB RAM based on the services deployed 8-11 CPU cores based on the services deployed 50GB hard-disk Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may be increase or decrease. Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No kc-scheduler - job 0.3 0.3GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0 Initial Setup # Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. 
Install Azure CLI Create a Resource Group az group create --name gluu-resource-group --location eastus Create an AKS cluster such as the following example: az aks create -g gluu-resource-group -n gluu-cluster --enable-managed-identity --node-vm-size NODE_TYPE --node-count 2 --enable-addons monitoring --enable-msi-auth-for-monitoring --generate-ssh-keys You can adjust node-count and node-vm-size as per your desired cluster size Connect to the cluster az aks install-cli az aks get-credentials --resource-group gluu-resource-group --name gluu-cluster Install Helm3 Create gluu namespace where our resources will reside kubectl create namespace gluu Gluu Flex Installation using Helm # Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx Create a file named override.yaml and add changes as per your desired configuration: FQDN/domain is not registered: Get the Loadbalancer IP: kubectl get svc nginx-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}' Add the following yaml snippet to your override.yaml file: global : lbIp : #Add the Loadbalance IP from the previous command isFqdnRegistered : false FQDN/domain is registered: Add the following yaml snippet to your override.yaml file: global : lbIp : #Add the LoadBalancer IP from the previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu PostgreSQL for persistence storage In a production environment, a production grade PostgreSQL server should be used such as Azure Database for PostgreSQL For testing purposes, you can deploy it on the AKS cluster 
using the following command: helm install my-release --set auth.postgresPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/postgresql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 5432 cnSqlDbDialect : pgsql cnSqlDbHost : my-release-postgresql.gluu.svc cnSqlDbUser : postgres cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# MySQL for persistence storage In a production environment, a production grade MySQL server should be used such as Azure Database for MySQL For testing purposes, you can deploy it on the AKS cluster using the following command: helm install my-release --set auth.rootPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/mysql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# So if your desired configuration has FQDN and MySQL, the final override.yaml file will look something like that: global : cnPersistenceType : sql lbIp : \"\" #Add the LoadBalancer IP from previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# Install Gluu Flex After finishing all the tweaks to the override.yaml file, we can use it to install gluu flex. 
helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml Configure Gluu Flex # You can use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration.","title":"Microsoft Azure AKS"},{"location":"install/helm-install/microsoft-azure/#install-gluu-flex-on-aks","text":"","title":"Install Gluu Flex on AKS"},{"location":"install/helm-install/microsoft-azure/#system-requirements","text":"The resources may be set minimally to the below: 8-13 GB RAM based on the services deployed 8-11 CPU cores based on the services deployed 50GB hard-disk Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may be increase or decrease. Service CPU Unit RAM Disk Space Processor Type Required Auth server 2.5 2.5GB N/A 64 Bit Yes fido2 0.5 0.5GB N/A 64 Bit No scim 1 1GB N/A 64 Bit No config - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs persistence - job 0.3 0.3GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if ALB/Istio not used auth-key-rotation 0.3 0.3GB N/A 64 Bit No [Strongly recommended] config-api 1 1GB N/A 64 Bit No casa 0.5 0.5GB N/A 64 Bit No admin-ui 2 2GB N/A 64 Bit No link 0.5 1GB N/A 64 Bit No saml 0.5 1GB N/A 64 Bit No kc-scheduler - job 0.3 0.3GB N/A 64 Bit No Releases of images are in style 1.0.0-beta.0, 1.0.0-0","title":"System Requirements"},{"location":"install/helm-install/microsoft-azure/#initial-setup","text":"Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. 
Install Azure CLI Create a Resource Group az group create --name gluu-resource-group --location eastus Create an AKS cluster such as the following example: az aks create -g gluu-resource-group -n gluu-cluster --enable-managed-identity --node-vm-size NODE_TYPE --node-count 2 --enable-addons monitoring --enable-msi-auth-for-monitoring --generate-ssh-keys You can adjust node-count and node-vm-size as per your desired cluster size Connect to the cluster az aks install-cli az aks get-credentials --resource-group gluu-resource-group --name gluu-cluster Install Helm3 Create gluu namespace where our resources will reside kubectl create namespace gluu","title":"Initial Setup"},{"location":"install/helm-install/microsoft-azure/#gluu-flex-installation-using-helm","text":"Install Nginx-Ingress , if you are not using Istio ingress helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx helm repo add stable https://charts.helm.sh/stable helm repo update helm install nginx ingress-nginx/ingress-nginx Create a file named override.yaml and add changes as per your desired configuration: FQDN/domain is not registered: Get the Loadbalancer IP: kubectl get svc nginx-ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}' Add the following yaml snippet to your override.yaml file: global : lbIp : #Add the Loadbalance IP from the previous command isFqdnRegistered : false FQDN/domain is registered: Add the following yaml snippet to your override.yaml file: global : lbIp : #Add the LoadBalancer IP from the previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu PostgreSQL for persistence storage In a production environment, a production grade PostgreSQL server should be used such as Azure 
Database for PostgreSQL For testing purposes, you can deploy it on the AKS cluster using the following command: helm install my-release --set auth.postgresPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/postgresql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 5432 cnSqlDbDialect : pgsql cnSqlDbHost : my-release-postgresql.gluu.svc cnSqlDbUser : postgres cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# MySQL for persistence storage In a production environment, a production grade MySQL server should be used such as Azure Database for MySQL For testing purposes, you can deploy it on the AKS cluster using the following command: helm install my-release --set auth.rootPassword=Test1234#,auth.database=gluu -n gluu oci://registry-1.docker.io/bitnamicharts/mysql Add the following yaml snippet to your override.yaml file: global : cnPersistenceType : sql config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# So if your desired configuration has FQDN and MySQL, the final override.yaml file will look something like that: global : cnPersistenceType : sql lbIp : \"\" #Add the LoadBalancer IP from previous command isFqdnRegistered : true fqdn : demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu nginx-ingress : ingress : path : / hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu tls : - secretName : tls-certificate hosts : - demoexample.gluu.org #CHANGE-THIS to the FQDN used for Gluu config : configmap : cnSqlDbName : gluu cnSqlDbPort : 3306 cnSqlDbDialect : mysql cnSqlDbHost : my-release-mysql.gluu.svc cnSqlDbUser : root cnSqlDbTimezone : UTC cnSqldbUserPassword : Test1234# Install Gluu Flex After finishing all the tweaks to the override.yaml file, we can use it to install 
gluu flex. helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml","title":"Gluu Flex Installation using Helm"},{"location":"install/helm-install/microsoft-azure/#configure-gluu-flex","text":"You can use the Janssen TUI to configure Flex components. The TUI calls the Config API to perform ad hoc configuration.","title":"Configure Gluu Flex"},{"location":"install/helm-install/rancher/","tags":["administration","installation","helm"],"text":"Install Gluu Server Using Rancher Marketplace # For a more generic Gluu Flex installation on Rancher, you can follow this comprehensive guide. Also, there are multiple Rancher installation options . For this quick start setup we will use a single node Kubernetes install in docker with a self-signed certificate . Installation Steps # Note If you are deploying an Ingress controller on a single node deployment, in which Ingress utilizes ports 80 and 443, then you have to adjust the host ports mapped for the rancher/rancher container. Here's an example on how to do that. Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Provision a Linux 4 CPU, 16 GB RAM, and 50GB SSD VM with ports 443 and 80 open. Save the VM IP address. For development environments, the VM can be set up using VMWare Workstation Player or VirtualBox with Ubuntu 20.04 operating system running on a VM. Install Docker . Execute docker run -d --restart = unless-stopped -p 80 :80 -p 443 :443 --privileged rancher/rancher:latest The final line of the returned text is the container-id , which you'll need for the next step. Execute the following command to get the bootstrap password for login. docker logs 2 > & 1 | grep \"Bootstrap Password:\" Head to https:// and log in with the username admin and the password from the previous step. 
If you are logging into Rancher for the first time, you'll need to enter just the password, and on the next step, Rancher will ask you to reset your current password. Next, you'll see the Rancher home page with a list of existing clusters. By default, the name of the newly created cluster would be local . Click on the cluster name to go to the dashboard. From the top-left menu expand Apps and click Charts . Search for Gluu and begin your installation. During Step 1 of installation, be sure to select the Customize Helm options before install option. In Step 2, customize the settings for the Gluu installation. Specifically Optional Services from where you can enable Gluu modules. In Step 3, unselect the Wait option and start the installation.","title":"Rancher Marketplace"},{"location":"install/helm-install/rancher/#install-gluu-server-using-rancher-marketplace","text":"For a more generic Gluu Flex installation on Rancher, you can follow this comprehensive guide. Also, there are multiple Rancher installation options . For this quick start setup we will use a single node Kubernetes install in docker with a self-signed certificate .","title":"Install Gluu Server Using Rancher Marketplace"},{"location":"install/helm-install/rancher/#installation-steps","text":"Note If you are deploying an Ingress controller on a single node deployment, in which Ingress utilizes ports 80 and 443, then you have to adjust the host ports mapped for the rancher/rancher container. Here's an example on how to do that. Before initiating the setup, please obtain an SSA for Flex trial, after which you will issued a JWT. Provision a Linux 4 CPU, 16 GB RAM, and 50GB SSD VM with ports 443 and 80 open. Save the VM IP address. For development environments, the VM can be set up using VMWare Workstation Player or VirtualBox with Ubuntu 20.04 operating system running on a VM. Install Docker . 
Execute docker run -d --restart = unless-stopped -p 80 :80 -p 443 :443 --privileged rancher/rancher:latest The final line of the returned text is the container-id , which you'll need for the next step. Execute the following command to get the bootstrap password for login. docker logs 2 > & 1 | grep \"Bootstrap Password:\" Head to https:// and log in with the username admin and the password from the previous step. If you are logging into Rancher for the first time, you'll need to enter just the password, and on the next step, Rancher will ask you to reset your current password. Next, you'll see the Rancher home page with a list of existing clusters. By default, the name of the newly created cluster would be local . Click on the cluster name to go to the dashboard. From the top-left menu expand Apps and click Charts . Search for Gluu and begin your installation. During Step 1 of installation, be sure to select the Customize Helm options before install option. In Step 2, customize the settings for the Gluu installation. Specifically Optional Services from where you can enable Gluu modules. In Step 3, unselect the Wait option and start the installation.","title":"Installation Steps"},{"location":"install/vm-install/rhel/","tags":["administration","installation","vm","RHEL","CentOS"],"text":"Install Gluu Flex On Red Hat EL # This is a step-by-step guide for installation and uninstallation of Gluu Flex on Ubuntu Linux. Prerequisites # Ensure that the OS platform is one of the supported versions VM should meet VM system requirements Make sure that if SELinux is installed then it is put into permissive mode If the server firewall is running, make sure you allow https , which is needed for OpenID and FIDO. 
sudo firewall-cmd --permanent --zone = public --add-service = https sudo firewall-cmd --reload ; Install EPEL and mod-auth-openidc as dependencies sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest- $( rpm -E %rhel ) .noarch.rpm sudo yum -y module enable mod_auth_openidc ; Please obtain an SSA to trial Flex, after which you are issued a JWT that you can use during installation. SSA should be stored in a text file on an accessible path. Install the Package # Download and Verify the Release Package # Download the release package from the Github Flex Releases wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.el8.x86_64.rpm -P /tmp GPG key is used to ensure the authenticity of the downloaded package during the installation process. If the key is not found, the installation step would fail. Use the commands below to download and import the GPG key. wget https://github.com/GluuFederation/flex/files/11814579/automation-flex-public-gpg.zip unzip automation-flex-public-gpg.zip sudo rpm -import automation-flex-public-gpg.asc Verify the integrity of the downloaded package using published sha256sum . Download the sha256sum file for the package wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.el8.x86_64.rpm.sha256sum -P /tmp Run the command below from the directory where the downloaded package and the .sha256sum files are located. cd /tmp ; sha256sum -c flex-replace-flex-version-stable.el8.x86_64.rpm.sha256sum ; Output similar to below should confirm the integrity of the downloaded package. 
flex-replace-flex-version-el8.x86_64.rpm : ok Install the Release Package # sudo yum install ./flex-replace-flex-version-stable.el8.x86_64.rpm Run the setup script # Execute the setup script with command below: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py If Admin-UI component is being installed, then the script will require SSA input, either as text or as a file path. This should be the SSA or file which was acquired as part of prerequisite step . Install Admin UI [Y/n]: y Please enter path of file containing SSA or paste SSA (q to exit): Alternatively, for SSA file can be passed as a parameter to the setup script as below. python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py -admin-ui-ssa [ filename ] Verify and Access the Installation # Verify that installation has been successful and all installed components are accessible using the steps below Log in to Text User Interface (TUI) /opt/jans/jans-cli/jans_cli_tui.py Full TUI documentation can be found here Log into Admin-UI using URI below https://FQDN/admin When troubleshooting issues with Admin UI access, it's advisable to check the logs , refer to the FAQ , and review service dependencies for potential solutions. Access Casa using URI below https://FQDN/jans-casa Enabling HTTPS # To enable communication with Janssen Server over TLS (https) in a production environment, Janssen Server needs details about CA certificate. Update the HTTPS cofiguration file https_jans.conf as shown below: Note Want to use Let's Encrypt to get a certificate? Follow this guide . 
Open https_jans.conf sudo vi /etc/httpd/conf.d/https_jans.conf Update SSLCertificateFile and SSLCertificateKeyFile parameters values SSLCertificateFile location_of_fullchain.pem SSLCertificateKeyFile location_of_privkey.pem Restart httpd service for changes to take effect sudo service httpd restart Uninstallation # Removing Flex is a two step process: Uninstall Gluu Flex Uninstall Janssen Packages If you have not run the setup script, you can skip step 1 and just remove the package. Uninstall Gluu Flex # Use the command below to uninstall the Gluu Flex server sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex Output: [ec2-user@manojs1978-lenient-drum ~]$ sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex This process is irreversible. Gluu Flex Components will be removed Are you sure to uninstall Gluu Flex? [yes/N] yes Profile was detected as jans. Log Files: /opt/jans/jans-setup/logs/flex-setup.log /opt/jans/jans-setup/logs/flex-setup-error.log /opt/jans/jans-setup/setup_app/pylib/jwt/utils.py:7: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release. from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurve Please wait while collecting properties... 
Uninstalling Gluu Casa - Deleting /etc/default/casa - Deleting /etc/systemd/system/casa.service - Removing casa directives from apache configuration - Deleting /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar - Removing plugin /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar from Jans Auth Configuration - Deleting /opt/jans/python/libs/Casa.py - Deleting /opt/jans/python/libs/casa-external_fido2.py - Deleting /opt/jans/python/libs/casa-external_otp.py - Deleting /opt/jans/python/libs/casa-external_super_gluu.py - Deleting /opt/jans/python/libs/casa-external_twilio_sms.py - Deleting casa client from db backend - Deleting casa client scopes from db backend - Deleting casa configuration from db backend - Deleting script 3000-F75A from db backend - Deleting /opt/jans/jetty/casa Uninstalling Gluu Admin-UI - Deleting Gluu Flex Admin UI Client 2001.931e814d-01e2-4983-898f-91bf93670f7b - Removing Admin UI directives from apache configuration - Deleting /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar - Removing plugin /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar from Jans Config API Configuration - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2.xml - Rewriting Jans CLI init file for plugins - Deleting /var/www/html/admin Disabling script A51E-76DA Restarting Apache Restarting Jans Auth Restarting Janssen Config Api Uninstall Janssen Packages # The command below removes and uninstall the jans package sudo python3 /opt/jans/jans-setup/install.py -uninstall Output: [ec2-user@manojs1978-lenient-drum ~]$ sudo python3 /opt/jans/jans-setup/install.py -uninstall This process is irreversible. You will lose all data related to Janssen Server. Are you sure to uninstall Janssen Server? [yes/N] yes Uninstalling Jannsen Server... 
Removing /etc/default/jans-config-api Stopping jans-config-api Removing /etc/default/jans-auth Stopping jans-auth Removing /etc/default/jans-fido2 Stopping jans-fido2 Removing /etc/default/jans-scim Stopping jans-scim Removing /etc/default/jans-cache-refresh Stopping jans-cache-refresh Executing rm -r -f /etc/certs Executing rm -r -f /etc/jans Executing rm -r -f /opt/jans Executing rm -r -f /opt/amazon-corretto* Executing rm -r -f /opt/jre Executing rm -r -f /opt/node* Executing rm -r -f /opt/jetty* Executing rm -r -f /opt/jython* Executing rm -r -f /opt/dist Removing /etc/httpd/conf.d/https_jans.conf Remove Gluu Flex Packages: # List existing Gluu packages with: sudo yum list installed | grep flex Remove packages: sudo yum remove Uninstalling Admin UI # To uninstall the Admin UI from your Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex Updating Admin UI # To update the Admin UI in an existing Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --update-admin-ui","title":"RHEL"},{"location":"install/vm-install/rhel/#install-gluu-flex-on-red-hat-el","text":"This is a step-by-step guide for installation and uninstallation of Gluu Flex on Ubuntu Linux.","title":"Install Gluu Flex On Red Hat EL"},{"location":"install/vm-install/rhel/#prerequisites","text":"Ensure that the OS platform is one of the supported versions VM should meet VM system requirements Make sure that if SELinux is installed then it is put into permissive mode If the server firewall is running, make sure you allow https , which is needed for OpenID and FIDO. 
sudo firewall-cmd --permanent --zone = public --add-service = https sudo firewall-cmd --reload ; Install EPEL and mod-auth-openidc as dependencies sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest- $( rpm -E %rhel ) .noarch.rpm sudo yum -y module enable mod_auth_openidc ; Please obtain an SSA to trial Flex, after which you are issued a JWT that you can use during installation. SSA should be stored in a text file on an accessible path.","title":"Prerequisites"},{"location":"install/vm-install/rhel/#install-the-package","text":"","title":"Install the Package"},{"location":"install/vm-install/rhel/#download-and-verify-the-release-package","text":"Download the release package from the Github Flex Releases wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.el8.x86_64.rpm -P /tmp GPG key is used to ensure the authenticity of the downloaded package during the installation process. If the key is not found, the installation step would fail. Use the commands below to download and import the GPG key. wget https://github.com/GluuFederation/flex/files/11814579/automation-flex-public-gpg.zip unzip automation-flex-public-gpg.zip sudo rpm -import automation-flex-public-gpg.asc Verify the integrity of the downloaded package using published sha256sum . Download the sha256sum file for the package wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.el8.x86_64.rpm.sha256sum -P /tmp Run the command below from the directory where the downloaded package and the .sha256sum files are located. cd /tmp ; sha256sum -c flex-replace-flex-version-stable.el8.x86_64.rpm.sha256sum ; Output similar to below should confirm the integrity of the downloaded package. 
flex-replace-flex-version-el8.x86_64.rpm : ok","title":"Download and Verify the Release Package"},{"location":"install/vm-install/rhel/#install-the-release-package","text":"sudo yum install ./flex-replace-flex-version-stable.el8.x86_64.rpm","title":"Install the Release Package"},{"location":"install/vm-install/rhel/#run-the-setup-script","text":"Execute the setup script with command below: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py If Admin-UI component is being installed, then the script will require SSA input, either as text or as a file path. This should be the SSA or file which was acquired as part of prerequisite step . Install Admin UI [Y/n]: y Please enter path of file containing SSA or paste SSA (q to exit): Alternatively, for SSA file can be passed as a parameter to the setup script as below. python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py -admin-ui-ssa [ filename ]","title":"Run the setup script"},{"location":"install/vm-install/rhel/#verify-and-access-the-installation","text":"Verify that installation has been successful and all installed components are accessible using the steps below Log in to Text User Interface (TUI) /opt/jans/jans-cli/jans_cli_tui.py Full TUI documentation can be found here Log into Admin-UI using URI below https://FQDN/admin When troubleshooting issues with Admin UI access, it's advisable to check the logs , refer to the FAQ , and review service dependencies for potential solutions. Access Casa using URI below https://FQDN/jans-casa","title":"Verify and Access the Installation"},{"location":"install/vm-install/rhel/#enabling-https","text":"To enable communication with Janssen Server over TLS (https) in a production environment, Janssen Server needs details about CA certificate. Update the HTTPS cofiguration file https_jans.conf as shown below: Note Want to use Let's Encrypt to get a certificate? Follow this guide . 
Open https_jans.conf sudo vi /etc/httpd/conf.d/https_jans.conf Update SSLCertificateFile and SSLCertificateKeyFile parameters values SSLCertificateFile location_of_fullchain.pem SSLCertificateKeyFile location_of_privkey.pem Restart httpd service for changes to take effect sudo service httpd restart","title":"Enabling HTTPS"},{"location":"install/vm-install/rhel/#uninstallation","text":"Removing Flex is a two step process: Uninstall Gluu Flex Uninstall Janssen Packages If you have not run the setup script, you can skip step 1 and just remove the package.","title":"Uninstallation"},{"location":"install/vm-install/rhel/#uninstall-gluu-flex","text":"Use the command below to uninstall the Gluu Flex server sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex Output: [ec2-user@manojs1978-lenient-drum ~]$ sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex This process is irreversible. Gluu Flex Components will be removed Are you sure to uninstall Gluu Flex? [yes/N] yes Profile was detected as jans. Log Files: /opt/jans/jans-setup/logs/flex-setup.log /opt/jans/jans-setup/logs/flex-setup-error.log /opt/jans/jans-setup/setup_app/pylib/jwt/utils.py:7: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release. from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurve Please wait while collecting properties... 
Uninstalling Gluu Casa - Deleting /etc/default/casa - Deleting /etc/systemd/system/casa.service - Removing casa directives from apache configuration - Deleting /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar - Removing plugin /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar from Jans Auth Configuration - Deleting /opt/jans/python/libs/Casa.py - Deleting /opt/jans/python/libs/casa-external_fido2.py - Deleting /opt/jans/python/libs/casa-external_otp.py - Deleting /opt/jans/python/libs/casa-external_super_gluu.py - Deleting /opt/jans/python/libs/casa-external_twilio_sms.py - Deleting casa client from db backend - Deleting casa client scopes from db backend - Deleting casa configuration from db backend - Deleting script 3000-F75A from db backend - Deleting /opt/jans/jetty/casa Uninstalling Gluu Admin-UI - Deleting Gluu Flex Admin UI Client 2001.931e814d-01e2-4983-898f-91bf93670f7b - Removing Admin UI directives from apache configuration - Deleting /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar - Removing plugin /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar from Jans Config API Configuration - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2.xml - Rewriting Jans CLI init file for plugins - Deleting /var/www/html/admin Disabling script A51E-76DA Restarting Apache Restarting Jans Auth Restarting Janssen Config Api","title":"Uninstall Gluu Flex"},{"location":"install/vm-install/rhel/#uninstall-janssen-packages","text":"The command below removes and uninstall the jans package sudo python3 /opt/jans/jans-setup/install.py -uninstall Output: [ec2-user@manojs1978-lenient-drum ~]$ sudo python3 /opt/jans/jans-setup/install.py -uninstall This process is irreversible. You will lose all data related to Janssen Server. Are you sure to uninstall Janssen Server? [yes/N] yes Uninstalling Jannsen Server... 
Removing /etc/default/jans-config-api Stopping jans-config-api Removing /etc/default/jans-auth Stopping jans-auth Removing /etc/default/jans-fido2 Stopping jans-fido2 Removing /etc/default/jans-scim Stopping jans-scim Removing /etc/default/jans-cache-refresh Stopping jans-cache-refresh Executing rm -r -f /etc/certs Executing rm -r -f /etc/jans Executing rm -r -f /opt/jans Executing rm -r -f /opt/amazon-corretto* Executing rm -r -f /opt/jre Executing rm -r -f /opt/node* Executing rm -r -f /opt/jetty* Executing rm -r -f /opt/jython* Executing rm -r -f /opt/dist Removing /etc/httpd/conf.d/https_jans.conf","title":"Uninstall Janssen Packages"},{"location":"install/vm-install/rhel/#remove-gluu-flex-packages","text":"List existing Gluu packages with: sudo yum list installed | grep flex Remove packages: sudo yum remove ","title":"Remove Gluu Flex Packages:"},{"location":"install/vm-install/rhel/#uninstalling-admin-ui","text":"To uninstall the Admin UI from your Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex","title":"Uninstalling Admin UI"},{"location":"install/vm-install/rhel/#updating-admin-ui","text":"To update the Admin UI in an existing Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --update-admin-ui","title":"Updating Admin UI"},{"location":"install/vm-install/suse/","tags":["administration","installation","vm","SUSE","SLES","Tumbleweed"],"text":"Install Gluu Flex On SUSE Linux # This is a step-by-step guide for installation and uninstallation of Gluu Flex on SUSE Linux distributions Prerequisites # Ensure that the OS platform is one of the supported versions VM should meet VM system requirements Make sure that if SELinux is installed then it is put into permissive mode If the server firewall is running, make sure you allow https , which is needed for OpenID and FIDO. 
sudo firewall-cmd --permanent --zone = public --add-service = https sudo firewall-cmd --reload for SUSE Linux Enterprise(SLES) we need to enable PackageHub as per OS version and architecture sudo SUSEConnect -p PackageHub/15.4/x86_64 Please obtain an SSA to trial Flex, after which you are issued a JWT that you can use during installation. SSA should be stored in a text file on an accessible path. Install the Package # Download and Verify the Release Package # Download the release package from the GitHub FLEX Releases wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.suse15.x86_64.rpm -P ~/ GPG key is used to ensure the authenticity of the downloaded package during the installation process. If the key is not found, the installation step would fail. Use the commands below to download and import the GPG key. wget https://github.com/GluuFederation/flex/files/11814579/automation-flex-public-gpg.zip unzip automation-flex-public-gpg.zip sudo rpm -import automation-flex-public-gpg.asc Verify the integrity of the downloaded package using published sha256sum . Download the sha256sum file for the package wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.suse15.x86_64.rpm.sha256sum -P ~/ Verify package integrity sha256sum -c flex-replace-flex-version-stable.suse15.x86_64.rpm.sha256sum You should see: flex-replace-flex-version-suse15.x86_64.rpm: ok Install the Release Package # Use SUSE zypper to install sudo zypper install ~/flex-replace-flex-version-stable.suse15.x86_64.rpm Run the setup script # Run the setup script: Execute the setup script with command below: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py If Admin-UI component is being installed, then the script will require SSA input, either as text or as a file path. This should be the SSA or file which was acquired as part of prerequisite step . 
Install Admin UI [Y/n]: y Please enter path of file containing SSA or paste SSA (q to exit): Alternatively, for SSA file can be passed as a parameter to the setup script as below. sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py -admin-ui-ssa [ filename ] Verify and Access the Installation # Verify that installation has been successful and all installed components are accessible using the steps below: Log in to Text User Interface (TUI) /opt/jans/jans-cli/jans_cli_tui.py TUI is a text-based configuration tool for Gluu Flex Server. Log into Admin-UI using URI below https://FQDN/admin When troubleshooting issues with Admin UI access, it's advisable to check the logs , refer to the FAQ , and review service dependencies for potential solutions. Access Casa using URI below https://FQDN/jans-casa Enabling HTTPS # To enable communication with Janssen Server over TLS (https) in a production environment, Janssen Server needs details about CA certificate. Update the HTTPS cofiguration file https_jans.conf as shown below: Note Want to use Let's Encrypt to get a certificate? Follow this guide . Open _https_jans.conf sudo vi /etc/apache2/vhosts.d/_https_jans.conf ``` - Update ` SSLCertificateFile ` and ` SSLCertificateKeyFile ` parameters values ``` bash SSLCertificateFile location_of_fullchain.pem SSLCertificateKeyFile location_of_privkey.pem Restart apache service for changes to take effect sudo /usr/sbin/rcapache2 restart Uninstallation # Removing Flex is a two step process: Uninstall Gluu Flex and Uninstall Janssen Packages Remove Gluu Packages If you have not run the setup script, you can skip step 1 and just remove the package. First use the command below to uninstall the Gluu Flex server sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex the output will be like this: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex This process is irreversible. 
Gluu Flex Components will be removed Are you sure to uninstall Gluu Flex? [yes/N] yes Profile was detected as jans. Log Files: /opt/jans/jans-setup/logs/flex-setup.log /opt/jans/jans-setup/logs/flex-setup-error.log /opt/jans/jans-setup/setup_app/pylib/jwt/utils.py:7: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release. from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurve Please wait while collecting properties... Uninstalling Gluu Casa - Deleting /etc/default/casa - Deleting /etc/systemd/system/casa.service - Removing casa directives from apache configuration - Deleting /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar - Removing plugin /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar from Jans Auth Configuration - Deleting /opt/jans/python/libs/Casa.py - Deleting /opt/jans/python/libs/casa-external_fido2.py - Deleting /opt/jans/python/libs/casa-external_otp.py - Deleting /opt/jans/python/libs/casa-external_super_gluu.py - Deleting /opt/jans/python/libs/casa-external_twilio_sms.py - Deleting casa client from db backend - Deleting casa client scopes from db backend - Deleting casa configuration from db backend - Deleting script 3000-F75A from db backend - Deleting /opt/jans/jetty/casa Uninstalling Gluu Admin-UI - Deleting Gluu Flex Admin UI Client 2001.732c7b51-57c4-48a5-b64d-8718b3e043bb - Removing Admin UI directives from apache configuration - Deleting /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar - Removing plugin /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar from Jans Config API Configuration - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2.xml - Rewriting Jans CLI init file for plugins - Deleting /srv/www/htdocs/admin Disabling script A51E-76DA Restarting 
Apache Restarting Jans Auth Restarting Janssen Config Api Uninstall Janssen Packages # The command below removes and uninstall the jans package sudo python3 /opt/jans/jans-setup/install.py -uninstall output will be like this: sudo python3 /opt/jans/jans-setup/install.py -uninstall -yes --keep-downloads --keep-setup This process is irreversible. You will lose all data related to Janssen Server. Are you sure to uninstall Janssen Server? [ yes/N ] yes Uninstalling Jannsen Server... Removing /etc/default/jans-config-api Stopping jans-config-api Removing /etc/default/jans-auth Stopping jans-auth Removing /etc/default/jans-fido2 Stopping jans-fido2 Removing /etc/default/jans-scim Stopping jans-scim Removing /etc/default/jans-cache-refresh Stopping jans-cache-refresh Executing rm -r -f /etc/certs Executing rm -r -f /etc/jans Executing rm -r -f /opt/jans Executing rm -r -f /opt/amazon-corretto* Executing rm -r -f /opt/jre Executing rm -r -f /opt/node* Executing rm -r -f /opt/jetty* Executing rm -r -f /opt/jython* Executing rm -r -f /opt/dist Removing /etc/apache2/vhosts.d/_https_jans.conf Second uninstall the package: You should see the package with: sudo rpm -qa | grep flex Remove package with: sudo zypper remove flex Updating Admin UI # To update the Admin UI in an existing Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --update-admin-ui","title":"SUSE"},{"location":"install/vm-install/suse/#install-gluu-flex-on-suse-linux","text":"This is a step-by-step guide for installation and uninstallation of Gluu Flex on SUSE Linux distributions","title":"Install Gluu Flex On SUSE Linux"},{"location":"install/vm-install/suse/#prerequisites","text":"Ensure that the OS platform is one of the supported versions VM should meet VM system requirements Make sure that if SELinux is installed then it is put into permissive mode If the server firewall is running, make sure you allow https , which is needed for OpenID and FIDO. 
sudo firewall-cmd --permanent --zone = public --add-service = https sudo firewall-cmd --reload for SUSE Linux Enterprise(SLES) we need to enable PackageHub as per OS version and architecture sudo SUSEConnect -p PackageHub/15.4/x86_64 Please obtain an SSA to trial Flex, after which you are issued a JWT that you can use during installation. SSA should be stored in a text file on an accessible path.","title":"Prerequisites"},{"location":"install/vm-install/suse/#install-the-package","text":"","title":"Install the Package"},{"location":"install/vm-install/suse/#download-and-verify-the-release-package","text":"Download the release package from the GitHub FLEX Releases wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.suse15.x86_64.rpm -P ~/ GPG key is used to ensure the authenticity of the downloaded package during the installation process. If the key is not found, the installation step would fail. Use the commands below to download and import the GPG key. wget https://github.com/GluuFederation/flex/files/11814579/automation-flex-public-gpg.zip unzip automation-flex-public-gpg.zip sudo rpm -import automation-flex-public-gpg.asc Verify the integrity of the downloaded package using published sha256sum . 
Download the sha256sum file for the package wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex-replace-flex-version-stable.suse15.x86_64.rpm.sha256sum -P ~/ Verify package integrity sha256sum -c flex-replace-flex-version-stable.suse15.x86_64.rpm.sha256sum You should see: flex-replace-flex-version-suse15.x86_64.rpm: ok","title":"Download and Verify the Release Package"},{"location":"install/vm-install/suse/#install-the-release-package","text":"Use SUSE zypper to install sudo zypper install ~/flex-replace-flex-version-stable.suse15.x86_64.rpm","title":"Install the Release Package"},{"location":"install/vm-install/suse/#run-the-setup-script","text":"Run the setup script: Execute the setup script with command below: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py If Admin-UI component is being installed, then the script will require SSA input, either as text or as a file path. This should be the SSA or file which was acquired as part of prerequisite step . Install Admin UI [Y/n]: y Please enter path of file containing SSA or paste SSA (q to exit): Alternatively, for SSA file can be passed as a parameter to the setup script as below. sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py -admin-ui-ssa [ filename ]","title":"Run the setup script"},{"location":"install/vm-install/suse/#verify-and-access-the-installation","text":"Verify that installation has been successful and all installed components are accessible using the steps below: Log in to Text User Interface (TUI) /opt/jans/jans-cli/jans_cli_tui.py TUI is a text-based configuration tool for Gluu Flex Server. Log into Admin-UI using URI below https://FQDN/admin When troubleshooting issues with Admin UI access, it's advisable to check the logs , refer to the FAQ , and review service dependencies for potential solutions. 
Access Casa using URI below https://FQDN/jans-casa","title":"Verify and Access the Installation"},{"location":"install/vm-install/suse/#enabling-https","text":"To enable communication with Janssen Server over TLS (https) in a production environment, Janssen Server needs details about CA certificate. Update the HTTPS cofiguration file https_jans.conf as shown below: Note Want to use Let's Encrypt to get a certificate? Follow this guide . Open _https_jans.conf sudo vi /etc/apache2/vhosts.d/_https_jans.conf ``` - Update ` SSLCertificateFile ` and ` SSLCertificateKeyFile ` parameters values ``` bash SSLCertificateFile location_of_fullchain.pem SSLCertificateKeyFile location_of_privkey.pem Restart apache service for changes to take effect sudo /usr/sbin/rcapache2 restart","title":"Enabling HTTPS"},{"location":"install/vm-install/suse/#uninstallation","text":"Removing Flex is a two step process: Uninstall Gluu Flex and Uninstall Janssen Packages Remove Gluu Packages If you have not run the setup script, you can skip step 1 and just remove the package. First use the command below to uninstall the Gluu Flex server sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex the output will be like this: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex This process is irreversible. Gluu Flex Components will be removed Are you sure to uninstall Gluu Flex? [yes/N] yes Profile was detected as jans. Log Files: /opt/jans/jans-setup/logs/flex-setup.log /opt/jans/jans-setup/logs/flex-setup-error.log /opt/jans/jans-setup/setup_app/pylib/jwt/utils.py:7: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release. from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurve Please wait while collecting properties... 
Uninstalling Gluu Casa - Deleting /etc/default/casa - Deleting /etc/systemd/system/casa.service - Removing casa directives from apache configuration - Deleting /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar - Removing plugin /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar from Jans Auth Configuration - Deleting /opt/jans/python/libs/Casa.py - Deleting /opt/jans/python/libs/casa-external_fido2.py - Deleting /opt/jans/python/libs/casa-external_otp.py - Deleting /opt/jans/python/libs/casa-external_super_gluu.py - Deleting /opt/jans/python/libs/casa-external_twilio_sms.py - Deleting casa client from db backend - Deleting casa client scopes from db backend - Deleting casa configuration from db backend - Deleting script 3000-F75A from db backend - Deleting /opt/jans/jetty/casa Uninstalling Gluu Admin-UI - Deleting Gluu Flex Admin UI Client 2001.732c7b51-57c4-48a5-b64d-8718b3e043bb - Removing Admin UI directives from apache configuration - Deleting /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar - Removing plugin /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar from Jans Config API Configuration - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2.xml - Rewriting Jans CLI init file for plugins - Deleting /srv/www/htdocs/admin Disabling script A51E-76DA Restarting Apache Restarting Jans Auth Restarting Janssen Config Api","title":"Uninstallation"},{"location":"install/vm-install/suse/#uninstall-janssen-packages","text":"The command below removes and uninstall the jans package sudo python3 /opt/jans/jans-setup/install.py -uninstall output will be like this: sudo python3 /opt/jans/jans-setup/install.py -uninstall -yes --keep-downloads --keep-setup This process is irreversible. You will lose all data related to Janssen Server. Are you sure to uninstall Janssen Server? [ yes/N ] yes Uninstalling Jannsen Server... 
Removing /etc/default/jans-config-api Stopping jans-config-api Removing /etc/default/jans-auth Stopping jans-auth Removing /etc/default/jans-fido2 Stopping jans-fido2 Removing /etc/default/jans-scim Stopping jans-scim Removing /etc/default/jans-cache-refresh Stopping jans-cache-refresh Executing rm -r -f /etc/certs Executing rm -r -f /etc/jans Executing rm -r -f /opt/jans Executing rm -r -f /opt/amazon-corretto* Executing rm -r -f /opt/jre Executing rm -r -f /opt/node* Executing rm -r -f /opt/jetty* Executing rm -r -f /opt/jython* Executing rm -r -f /opt/dist Removing /etc/apache2/vhosts.d/_https_jans.conf Second uninstall the package: You should see the package with: sudo rpm -qa | grep flex Remove package with: sudo zypper remove flex","title":"Uninstall Janssen Packages"},{"location":"install/vm-install/suse/#updating-admin-ui","text":"To update the Admin UI in an existing Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --update-admin-ui","title":"Updating Admin UI"},{"location":"install/vm-install/ubuntu/","tags":["administration","installation","vm","Ubuntu"],"text":"Install Gluu Flex On Ubuntu Linux # This is a step-by-step guide for installation and uninstallation of Gluu Flex on Ubuntu Linux Prerequisites # Ensure that the OS platform is one of the supported versions VM should meet VM system requirements Make sure that if SELinux is installed then it is put into permissive mode If the server firewall is running, make sure you allow https , which is needed for OpenID and FIDO. sudo ufw allow https Please obtain an SSA to trial Flex, after which you are issued a JWT that you can use during installation. SSA should be stored in a text file on an accessible path. Install the Package # Download and Verify the Release Package # Download the release package from the GitHub FLEX Releases . Choose the correct command from below based on the OS version. 
#Ubuntu 22.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu22.04_amd64.deb -P /tmp #Ubuntu 20.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu20.04_amd64.deb -P /tmp GPG key is used to ensure the authenticity of the downloaded package during the installation process. If the key is not found, the installation step would fail. Use the commands below to download and import the GPG key. wget https://github.com/GluuFederation/flex/files/11814579/automation-flex-public-gpg.zip unzip automation-flex-public-gpg.zip ; sudo gpg --import automation-flex-public-gpg.asc ; Verify the integrity of the downloaded package using published sha256sum . Download the sha256sum file for the package. Choose the correct command from below based on the OS version. #Ubuntu 22.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu22.04_amd64.deb.sha256sum -P /tmp #Ubuntu 20.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu20.04_amd64.deb.sha256sum -P /tmp Verify package integrity of the package that has been downloaded by checking hash. Run the command below from the directory where the downloaded package and the .sha256sum files are located. Choose the correct command from below based on the OS version. #Ubuntu 22.04 cd /tmp sha256sum -c flex_replace-flex-version-stable.ubuntu22.04_amd64.deb.sha256sum #Ubuntu 20.04 cd /tmp sha256sum -c flex_replace-flex-version-stable.ubuntu20.04_amd64.deb.sha256sum Output similar to below should confirm the integrity of the downloaded package. flex_replace-flex-version-stable.ubuntu_amd64.deb: ok Install the Release Package # Choose the correct command from below based on the OS version. 
#Ubuntu 22.04 apt install -y /tmp/flex_replace-flex-version-stable.ubuntu22.04_amd64.deb #Ubuntu 20.04 apt install -y /tmp/flex_replace-flex-version-stable.ubuntu20.04_amd64.deb Run the setup script # Execute the setup script with command below: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py If Admin-UI component is being installed, then the script will require SSA input, either as text or as a file path. This should be the SSA or file which was acquired as part of prerequisite step . Install Admin UI [Y/n]: y Please enter path of file containing SSA or paste SSA (q to exit): Alternatively, for SSA file can be passed as a parameter to the setup script as below. sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py -admin-ui-ssa [ filename ] Verify and Access the Installation # Verify that installation has been successful and all installed components are accessible using the steps below: Log in to Text User Interface (TUI) /opt/jans/jans-cli/jans_cli_tui.py TUI is a text-based configuration tool for Gluu Flex Server. Log into Admin-UI using URI below https://FQDN/admin When troubleshooting issues with Admin UI access, it's advisable to check the logs , refer to the FAQ , and review service dependencies for potential solutions. Access Casa using URI below https://FQDN/jans-casa Enabling HTTPS # To enable communication with Janssen Server over TLS (https) in a production environment, Janssen Server needs details about CA certificate. Note Want to use Let's Encrypt to get a certificate? Follow this guide . Uninstallation # Removing Flex is a two step process: Uninstall Gluu Flex Uninstall Janssen Packages If you have not run the setup script, you can skip step 1 and just remove the package. 
Uninstall Gluu Flex # Use the command below to uninstall the Gluu Flex server python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex Output: root@manojs1978-cute-ram:~# python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex This process is irreversible. Gluu Flex Components will be removed Are you sure to uninstall Gluu Flex? [yes/N] yes Profile was detected as jans. Log Files: /opt/jans/jans-setup/logs/flex-setup.log /opt/jans/jans-setup/logs/flex-setup-error.log Please wait while collecting properties... Uninstalling Gluu Casa - Deleting /etc/default/casa - Deleting /etc/systemd/system/casa.service - Removing casa directives from apache configuration - Deleting /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar - Removing plugin /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar from Jans Auth Configuration - Deleting /opt/jans/python/libs/Casa.py - Deleting /opt/jans/python/libs/casa-external_fido2.py - Deleting /opt/jans/python/libs/casa-external_otp.py - Deleting /opt/jans/python/libs/casa-external_super_gluu.py - Deleting /opt/jans/python/libs/casa-external_twilio_sms.py - Deleting casa client from db backend - Deleting casa client scopes from db backend - Deleting casa configuration from db backend - Deleting script 3000-F75A from db backend - Deleting /opt/jans/jetty/casa Uninstalling Gluu Admin-UI - Deleting Gluu Flex Admin UI Client 2001.e7989c7e-09b5-4e39-a7c9-a78017127cf0 - Removing Admin UI directives from apache configuration - Deleting /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar - Removing plugin /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar from Jans Config API Configuration - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2.xml - Rewriting Jans CLI init file for plugins - Deleting /var/www/html/admin Disabling script A51E-76DA Restarting Apache 
Restarting Jans Auth Restarting Janssen Config Api Uninstall Janssen Packages # The command below removes and uninstall the jans package python3 /opt/jans/jans-setup/install.py -uninstall Output : root@manojs1978-cute-ram:~# python3 /opt/jans/jans-setup/install.py -uninstall This process is irreversible. You will lose all data related to Janssen Server. Are you sure to uninstall Janssen Server? [yes/N] yes Uninstalling Jannsen Server... Removing /etc/default/jans-config-api Stopping jans-config-api Removing /etc/default/jans-auth Stopping jans-auth Removing /etc/default/jans-fido2 Stopping jans-fido2 Removing /etc/default/jans-scim Stopping jans-scim Removing /etc/default/jans-cache-refresh Stopping jans-cache-refresh Stopping OpenDj Server Stopping Server... [23/Jun/2023:09:10:27 +0000] category=BACKEND severity=NOTICE msgID=370 msg=The backend userRoot is now taken offline [23/Jun/2023:09:10:28 +0000] category=BACKEND severity=NOTICE msgID=370 msg=The backend site is now taken offline [23/Jun/2023:09:10:28 +0000] category=BACKEND severity=NOTICE msgID=370 msg=The backend metric is now taken offline [23/Jun/2023:09:10:28 +0000] category=CORE severity=NOTICE msgID=203 msg=The Directory Server is now stopped Executing rm -r -f /etc/certs Executing rm -r -f /etc/jans Executing rm -r -f /opt/jans Executing rm -r -f /opt/amazon-corretto* Executing rm -r -f /opt/jre Executing rm -r -f /opt/node* Executing rm -r -f /opt/jetty* Executing rm -r -f /opt/jython* Executing rm -r -f /opt/opendj Executing rm -r -f /opt/dist Removing /etc/apache2/sites-enabled/https_jans.conf Removing /etc/apache2/sites-available/https_jans.conf Remove Gluu Flex Packages: # List existing Gluu Flex packages with: sudo apt list --installed | grep flex Remove packages: sudo apt remove Uninstalling Admin UI # To uninstall the Admin UI from your Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex Updating Admin UI # To update 
the Admin UI in an existing Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --update-admin-ui","title":"Ubuntu"},{"location":"install/vm-install/ubuntu/#install-gluu-flex-on-ubuntu-linux","text":"This is a step-by-step guide for installation and uninstallation of Gluu Flex on Ubuntu Linux","title":"Install Gluu Flex On Ubuntu Linux"},{"location":"install/vm-install/ubuntu/#prerequisites","text":"Ensure that the OS platform is one of the supported versions VM should meet VM system requirements Make sure that if SELinux is installed then it is put into permissive mode If the server firewall is running, make sure you allow https , which is needed for OpenID and FIDO. sudo ufw allow https Please obtain an SSA to trial Flex, after which you are issued a JWT that you can use during installation. SSA should be stored in a text file on an accessible path.","title":"Prerequisites"},{"location":"install/vm-install/ubuntu/#install-the-package","text":"","title":"Install the Package"},{"location":"install/vm-install/ubuntu/#download-and-verify-the-release-package","text":"Download the release package from the GitHub FLEX Releases . Choose the correct command from below based on the OS version. #Ubuntu 22.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu22.04_amd64.deb -P /tmp #Ubuntu 20.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu20.04_amd64.deb -P /tmp GPG key is used to ensure the authenticity of the downloaded package during the installation process. If the key is not found, the installation step would fail. Use the commands below to download and import the GPG key. 
wget https://github.com/GluuFederation/flex/files/11814579/automation-flex-public-gpg.zip unzip automation-flex-public-gpg.zip ; sudo gpg --import automation-flex-public-gpg.asc ; Verify the integrity of the downloaded package using published sha256sum . Download the sha256sum file for the package. Choose the correct command from below based on the OS version. #Ubuntu 22.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu22.04_amd64.deb.sha256sum -P /tmp #Ubuntu 20.04 wget https://github.com/GluuFederation/flex/releases/download/vreplace-flex-version/flex_replace-flex-version-stable.ubuntu20.04_amd64.deb.sha256sum -P /tmp Verify package integrity of the package that has been downloaded by checking hash. Run the command below from the directory where the downloaded package and the .sha256sum files are located. Choose the correct command from below based on the OS version. #Ubuntu 22.04 cd /tmp sha256sum -c flex_replace-flex-version-stable.ubuntu22.04_amd64.deb.sha256sum #Ubuntu 20.04 cd /tmp sha256sum -c flex_replace-flex-version-stable.ubuntu20.04_amd64.deb.sha256sum Output similar to below should confirm the integrity of the downloaded package. flex_replace-flex-version-stable.ubuntu_amd64.deb: ok","title":"Download and Verify the Release Package"},{"location":"install/vm-install/ubuntu/#install-the-release-package","text":"Choose the correct command from below based on the OS version. 
#Ubuntu 22.04 apt install -y /tmp/flex_replace-flex-version-stable.ubuntu22.04_amd64.deb #Ubuntu 20.04 apt install -y /tmp/flex_replace-flex-version-stable.ubuntu20.04_amd64.deb","title":"Install the Release Package"},{"location":"install/vm-install/ubuntu/#run-the-setup-script","text":"Execute the setup script with command below: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py If Admin-UI component is being installed, then the script will require SSA input, either as text or as a file path. This should be the SSA or file which was acquired as part of prerequisite step . Install Admin UI [Y/n]: y Please enter path of file containing SSA or paste SSA (q to exit): Alternatively, for SSA file can be passed as a parameter to the setup script as below. sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py -admin-ui-ssa [ filename ]","title":"Run the setup script"},{"location":"install/vm-install/ubuntu/#verify-and-access-the-installation","text":"Verify that installation has been successful and all installed components are accessible using the steps below: Log in to Text User Interface (TUI) /opt/jans/jans-cli/jans_cli_tui.py TUI is a text-based configuration tool for Gluu Flex Server. Log into Admin-UI using URI below https://FQDN/admin When troubleshooting issues with Admin UI access, it's advisable to check the logs , refer to the FAQ , and review service dependencies for potential solutions. Access Casa using URI below https://FQDN/jans-casa","title":"Verify and Access the Installation"},{"location":"install/vm-install/ubuntu/#enabling-https","text":"To enable communication with Janssen Server over TLS (https) in a production environment, Janssen Server needs details about CA certificate. Note Want to use Let's Encrypt to get a certificate? 
Follow this guide .","title":"Enabling HTTPS"},{"location":"install/vm-install/ubuntu/#uninstallation","text":"Removing Flex is a two step process: Uninstall Gluu Flex Uninstall Janssen Packages If you have not run the setup script, you can skip step 1 and just remove the package.","title":"Uninstallation"},{"location":"install/vm-install/ubuntu/#uninstall-gluu-flex","text":"Use the command below to uninstall the Gluu Flex server python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex Output: root@manojs1978-cute-ram:~# python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex This process is irreversible. Gluu Flex Components will be removed Are you sure to uninstall Gluu Flex? [yes/N] yes Profile was detected as jans. Log Files: /opt/jans/jans-setup/logs/flex-setup.log /opt/jans/jans-setup/logs/flex-setup-error.log Please wait while collecting properties... Uninstalling Gluu Casa - Deleting /etc/default/casa - Deleting /etc/systemd/system/casa.service - Removing casa directives from apache configuration - Deleting /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar - Removing plugin /opt/jans/jetty/jans-auth/custom/libs/casa-config.jar from Jans Auth Configuration - Deleting /opt/jans/python/libs/Casa.py - Deleting /opt/jans/python/libs/casa-external_fido2.py - Deleting /opt/jans/python/libs/casa-external_otp.py - Deleting /opt/jans/python/libs/casa-external_super_gluu.py - Deleting /opt/jans/python/libs/casa-external_twilio_sms.py - Deleting casa client from db backend - Deleting casa client scopes from db backend - Deleting casa configuration from db backend - Deleting script 3000-F75A from db backend - Deleting /opt/jans/jetty/casa Uninstalling Gluu Admin-UI - Deleting Gluu Flex Admin UI Client 2001.e7989c7e-09b5-4e39-a7c9-a78017127cf0 - Removing Admin UI directives from apache configuration - Deleting /opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar - Removing plugin 
/opt/jans/jetty/jans-config-api/custom/libs/gluu-flex-admin-ui-plugin.jar from Jans Config API Configuration - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2-adminui.xml - Deleting /opt/jans/jetty/jans-config-api/custom/config/log4j2.xml - Rewriting Jans CLI init file for plugins - Deleting /var/www/html/admin Disabling script A51E-76DA Restarting Apache Restarting Jans Auth Restarting Janssen Config Api","title":"Uninstall Gluu Flex"},{"location":"install/vm-install/ubuntu/#uninstall-janssen-packages","text":"The command below removes and uninstall the jans package python3 /opt/jans/jans-setup/install.py -uninstall Output : root@manojs1978-cute-ram:~# python3 /opt/jans/jans-setup/install.py -uninstall This process is irreversible. You will lose all data related to Janssen Server. Are you sure to uninstall Janssen Server? [yes/N] yes Uninstalling Jannsen Server... Removing /etc/default/jans-config-api Stopping jans-config-api Removing /etc/default/jans-auth Stopping jans-auth Removing /etc/default/jans-fido2 Stopping jans-fido2 Removing /etc/default/jans-scim Stopping jans-scim Removing /etc/default/jans-cache-refresh Stopping jans-cache-refresh Stopping OpenDj Server Stopping Server... 
[23/Jun/2023:09:10:27 +0000] category=BACKEND severity=NOTICE msgID=370 msg=The backend userRoot is now taken offline [23/Jun/2023:09:10:28 +0000] category=BACKEND severity=NOTICE msgID=370 msg=The backend site is now taken offline [23/Jun/2023:09:10:28 +0000] category=BACKEND severity=NOTICE msgID=370 msg=The backend metric is now taken offline [23/Jun/2023:09:10:28 +0000] category=CORE severity=NOTICE msgID=203 msg=The Directory Server is now stopped Executing rm -r -f /etc/certs Executing rm -r -f /etc/jans Executing rm -r -f /opt/jans Executing rm -r -f /opt/amazon-corretto* Executing rm -r -f /opt/jre Executing rm -r -f /opt/node* Executing rm -r -f /opt/jetty* Executing rm -r -f /opt/jython* Executing rm -r -f /opt/opendj Executing rm -r -f /opt/dist Removing /etc/apache2/sites-enabled/https_jans.conf Removing /etc/apache2/sites-available/https_jans.conf","title":"Uninstall Janssen Packages"},{"location":"install/vm-install/ubuntu/#remove-gluu-flex-packages","text":"List existing Gluu Flex packages with: sudo apt list --installed | grep flex Remove packages: sudo apt remove ","title":"Remove Gluu Flex Packages:"},{"location":"install/vm-install/ubuntu/#uninstalling-admin-ui","text":"To uninstall the Admin UI from your Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --remove-flex","title":"Uninstalling Admin UI"},{"location":"install/vm-install/ubuntu/#updating-admin-ui","text":"To update the Admin UI in an existing Flex installation, execute this command: sudo python3 /opt/jans/jans-setup/flex/flex-linux-setup/flex_setup.py --update-admin-ui","title":"Updating Admin UI"},{"location":"install/vm-install/vm-requirements/","text":"VM System Requirements # Supported Versions # Gluu Flex currently provides packages for these Linux distros: Ubuntu (versions: 20.04 and 22.04) SUSE Distributions SUSE Linux Enterprise Server (SLES) 15 openSUSE Leap 15.5 openSUSE Tumbleweed RedHat Enterprise Linux (version: 
8) Note This document is intended exclusively for dev and staging environments. For production deployment on a VM, refer to this documentation which utilizes Rancher and Helm deployments. Hardware Requirements # A single-VM deployment is where all services are running on one server. Although, the requirements can vary based on the size of the data and the required concurrency, the following guidelines can help you plan: 8 GB RAM 4 CPU 20 GB Disk Port Configuration # Gluu Flex requires the following ports to be open for incoming connections. Port Protocol Notes 443 TCP TLS/HTTP You may want to use a redirect on port 80 to 443, although it is not required. Of course you will also need some way to login to your server, but that is out of scope of these docs. Check your server firewall documentation to configure your firewall to allow https . Hostname / IP Address Configuration # It is recommended that you use a static ip address for Gluu Flex. Your server should also return the hostname for the hostname command, it's recommended that you add the hostname to the /etc/hosts file. File Descriptor Configuration (FD) # Like most database and Internet servers, you must have at least 65k file descriptors. If you don't, your server will hang. First, check the current file descriptor limit using command below. If the existing FD limit exceeds 65535, then you're good. # cat /proc/sys/fs/file-max If FD limit is less than 65535 (e.g. 1024), then follow the steps below to increase the value. 1) Set soft and hard limits by adding the following lines in the /etc/security/limits.conf file * soft nofile 65535 * hard nofile 262144 2) Add the following lines to /etc/pam.d/login if not already present session required pam_limits.so 3) Increase the FD limit in /proc/sys/fs/file-max echo 65535 > /proc/sys/fs/file-max** 4) Use the ulimit command to set the FD limit to the hard limit specified in /etc/security/limits.conf . 
If setting to hard limit doesn't work, then try to set it to the soft limit. ulimit -n 262144 5) Restart the system","title":"VM System Requirements"},{"location":"install/vm-install/vm-requirements/#vm-system-requirements","text":"","title":"VM System Requirements"},{"location":"install/vm-install/vm-requirements/#supported-versions","text":"Gluu Flex currently provides packages for these Linux distros: Ubuntu (versions: 20.04 and 22.04) SUSE Distributions SUSE Linux Enterprise Server (SLES) 15 openSUSE Leap 15.5 openSUSE Tumbleweed RedHat Enterprise Linux (version: 8) Note This document is intended exclusively for dev and staging environments. For production deployment on a VM, refer to this documentation which utilizes Rancher and Helm deployments.","title":"Supported Versions"},{"location":"install/vm-install/vm-requirements/#hardware-requirements","text":"A single-VM deployment is where all services are running on one server. Although, the requirements can vary based on the size of the data and the required concurrency, the following guidelines can help you plan: 8 GB RAM 4 CPU 20 GB Disk","title":"Hardware Requirements"},{"location":"install/vm-install/vm-requirements/#port-configuration","text":"Gluu Flex requires the following ports to be open for incoming connections. Port Protocol Notes 443 TCP TLS/HTTP You may want to use a redirect on port 80 to 443, although it is not required. Of course you will also need some way to login to your server, but that is out of scope of these docs. Check your server firewall documentation to configure your firewall to allow https .","title":"Port Configuration"},{"location":"install/vm-install/vm-requirements/#hostname-ip-address-configuration","text":"It is recommended that you use a static ip address for Gluu Flex. 
Your server should also return the hostname for the hostname command, it's recommended that you add the hostname to the /etc/hosts file.","title":"Hostname / IP Address Configuration"},{"location":"install/vm-install/vm-requirements/#file-descriptor-configuration-fd","text":"Like most database and Internet servers, you must have at least 65k file descriptors. If you don't, your server will hang. First, check the current file descriptor limit using command below. If the existing FD limit exceeds 65535, then you're good. # cat /proc/sys/fs/file-max If FD limit is less than 65535 (e.g. 1024), then follow the steps below to increase the value. 1) Set soft and hard limits by adding the following lines in the /etc/security/limits.conf file * soft nofile 65535 * hard nofile 262144 2) Add the following lines to /etc/pam.d/login if not already present session required pam_limits.so 3) Increase the FD limit in /proc/sys/fs/file-max echo 65535 > /proc/sys/fs/file-max** 4) Use the ulimit command to set the FD limit to the hard limit specified in /etc/security/limits.conf . If setting to hard limit doesn't work, then try to set it to the soft limit. ulimit -n 262144 5) Restart the system","title":"File Descriptor Configuration (FD)"},{"location":"openbanking/","text":"Gluu Open Banking Identity Platform # Overview # The Gluu Open Banking Identity Platform is a specific profile of the Gluu Server that is packaged and configured for certain use cases: Dynamic Client Registration using software statements Payment Authorization Identity - eKYC Client Initiated Authentication (mobile/out-of-band) Other services needed by enterprises--but not by banks--have been disabled. The goal is to reduce the security surface area to make the platform easy to deploy, easy to keep up to date, and easy to rollout new features with zero downtime. This is a cloud-native distribution. Cloud-native is essential for auto-scaling, high availability, and operational automation. 
For development and testing we also support its VM distribution, where the Installation Section has more details about it. This distribution of Gluu is based on the Linux Foundation Janssen Project at the Linux Foundation, the most certified OpenID Platform available. Components # Open Banking OpenID Provider : Based on the Janssen Auth-Server, this internet-facing component provides the FAPI OpenID Connect API for dynamic client registration, transaction authorization, and CIBA. Config API : Service which configures the OpenID Provider. The Client must present an access token authorized by a trusted issuer with certain scopes. Cloud Database : Database used to store configuration, client metadata, tokens, and other information required for the operation of the OpenID Provider. Open Banking API Gateway : An Internet facing gateway for the core open banking API, should enforce the presence of a token with certain scopes. Open Banking API : The core banking API. Internal Authentication and Consent Service : An OpenID Provider, SAML IDP, or another authentication service that provides access to actual customer information. This service may handle the consent, or delegate consent to another service. User Accounts : A database where the user account information is held Bank Regulatory Directory : This is hosted by the federation operator which publishes public key material and other metadata about participants in the open banking ecosystem. Fintech / Payment Processor : A service that wants to call the Open Banking API or to get data or to process a payment. 
PKI infrastructure # Cloud-Native Architecture #","title":"Overview"},{"location":"openbanking/#gluu-open-banking-identity-platform","text":"","title":"Gluu Open Banking Identity Platform"},{"location":"openbanking/#overview","text":"The Gluu Open Banking Identity Platform is a specific profile of the Gluu Server that is packaged and configured for certain use cases: Dynamic Client Registration using software statements Payment Authorization Identity - eKYC Client Initiated Authentication (mobile/out-of-band) Other services needed by enterprises--but not by banks--have been disabled. The goal is to reduce the security surface area to make the platform easy to deploy, easy to keep up to date, and easy to rollout new features with zero downtime. This is a cloud-native distribution. Cloud-native is essential for auto-scaling, high availability, and operational automation. For development and testing we also support its VM distribution, where the Installation Section has more details about it. This distribution of Gluu is based on the Linux Foundation Janssen Project at the Linux Foundation, the most certified OpenID Platform available.","title":"Overview"},{"location":"openbanking/#components","text":"Open Banking OpenID Provider : Based on the Janssen Auth-Server, this internet-facing component provides the FAPI OpenID Connect API for dynamic client registration, transaction authorization, and CIBA. Config API : Service which configures the OpenID Provider. The Client must present an access token authorized by a trusted issuer with certain scopes. Cloud Database : Database used to store configuration, client metadata, tokens, and other information required for the operation of the OpenID Provider. Open Banking API Gateway : An Internet facing gateway for the core open banking API, should enforce the presence of a token with certain scopes. Open Banking API : The core banking API. 
Internal Authentication and Consent Service : An OpenID Provider, SAML IDP, or another authentication service that provides access to actual customer information. This service may handle the consent, or delegate consent to another service. User Accounts : A database where the user account information is held Bank Regulatory Directory : This is hosted by the federation operator which publishes public key material and other metadata about participants in the open banking ecosystem. Fintech / Payment Processor : A service that wants to call the Open Banking API or to get data or to process a payment.","title":"Components"},{"location":"openbanking/#pki-infrastructure","text":"","title":"PKI infrastructure"},{"location":"openbanking/#cloud-native-architecture","text":"","title":"Cloud-Native Architecture"},{"location":"openbanking/configuration-instructions/","text":"Generate/install keys and certs for Gluu Open Banking Identity Platform # This section covers details about setting up the keys and certificates in Cloud-Native distribution. For MTLS keys, see the document that demonstrates enabling mTLS in nginx ingress . Remember, MTLS is needed not only for the TPPs to call the authorization and token endpoints for OpenID Connect flows, but also by clients that are calling the configuration API. Add/Update Custom Scripts: # To add or update custom scripts, you can use either jans-cli or curl . jans-cli in interactive mode, option 13 enables you to manage custom scripts. For more info, see the docs . jans-cli in command line argument mode is more conducive to scripting and automation. To display the available operations for custom scripts, use config-cli.py --info CustomScripts . See the docs for more info. 
To use curl see these docs Note: If using VM installation you can normally find jans-cli.py in the /opt/jans/jans-cli/ folder.","title":"Configuration Instructions"},{"location":"openbanking/configuration-instructions/#generateinstall-keys-and-certs-for-gluu-open-banking-identity-platform","text":"This section covers details about setting up the keys and certificates in Cloud-Native distribution. For MTLS keys, see the document that demonstrates enabling mTLS in nginx ingress . Remember, MTLS is needed not only for the TPPs to call the authorization and token endpoints for OpenID Connect flows, but also by clients that are calling the configuration API.","title":"Generate/install keys and certs for Gluu Open Banking Identity Platform"},{"location":"openbanking/configuration-instructions/#addupdate-custom-scripts","text":"To add or update custom scripts, you can use either jans-cli or curl . jans-cli in interactive mode, option 13 enables you to manage custom scripts. For more info, see the docs . jans-cli in command line argument mode is more conducive to scripting and automation. To display the available operations for custom scripts, use config-cli.py --info CustomScripts . See the docs for more info. To use curl see these docs Note: If using VM installation you can normally find jans-cli.py in the /opt/jans/jans-cli/ folder.","title":"Add/Update Custom Scripts:"},{"location":"openbanking/curl/","text":"Managing scripts with CURL # Curl Prerequisites # Gluu open banking distribution client-id client-secret client certificate client key Getting the prerequisites # Get a client id and its associated password. Here, we will use the client id and secret created for config-api. TESTCLIENT = $( kubectl get cm cn -n --template ={{ .data.jca_client_id }} ) TESTCLIENTSECRET = $( kubectl get secret cn -n --template ={{ .data.jca_client_pw }} | base64 -d ) client.crt and client.key are the certificate and key files respectively for MTLS. 
Use your ca.crt and ca.key that was provided during setup to generate as many client certificates and keys as needed. If you have an existing helm deployment, you can retrieve ca.crt and ca.key using the following commands: kubectl get secret cn -n --template ={{ .data.ssl_ca_cert }} | base64 -d > ca.crt kubectl get secret cn -n --template ={{ .data.ssl_ca_key }} | base64 -d > ca.key Generate client.crt and client.key files: openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Openbanking' openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt CURL operations # The curl commands to list, add, or update custom script require a token, so first call the token endpoint to get the token using: curl -u $TESTCLIENT : $TESTCLIENTSECRET https:///jans-auth/restv1/token -d \"grant_type=client_credentials&scope=https://jans.io/oauth/config/scripts.readonly\" --cert client.crt --key client.key Example: curl -u '1801.bdfae945-b31d-4d60-8e47-16518153215:rjHoLfjfsv2G2qzGEasd1651813aIXvCi61NU' https://bank.gluu.org/jans-auth/restv1/token -d \"grant_type=client_credentials&scope=https://jans.io/oauth/config/scripts.readonly\" --cert apr22.crt --key apr22.key { \"access_token\" : \"ad34ac-8f2d-4bec-aed3-343adasda2\" , \"scope\" : \"https://jans.io/oauth/config/scripts.readonly\" , \"token_type\" : \"bearer\" , \"expires_in\" :299 } Save the access_token for use in subsequent commands. 
Use different scope values as per the requirement: View scripts information: https://jans.io/oauth/config/scripts.readonly Manage scripts-related information: https://jans.io/oauth/config/scripts.write Delete scripts-related information: https://jans.io/oauth/config/scripts.delete Use the obtained access token to perform further operations on custom scripts as given in subsequent text: Use the following command to display details of all the available custom scripts: curl -X GET https:///jans-config-api/api/v1/config/scripts -H \"Accept: application/json\" -H \"Authorization:Bearer \" -H \"Content-Type: application/json\" Example: curl -X GET https://bank.gluu.org/jans-config-api/api/v1/config/scripts -H \"Accept: application/json\" -H \"Authorization:Bearer ad34ac-8f2d-4bec-aed3-343adasda2\" -H \"Content-Type: application/json\" The following command will add a new custom script (Obtain token with write scope) and if it is successful it will display the added script in JSON format. The scriptformat.json file has script details according to the custom script schema. It should have the entire script inside the scriptformat.json as a string value under the script field. Converting a multiline script into a string requires converting newlines into \\n. So curl is not a suitable choice for adding new script, jans-cli is a better option. 
curl -X POST \"https:///jans-config-api/api/v1/config/scripts\" -H \"Accept: application/json\" -H \"Authorization:Bearer \" -H \"Content-Type: application/json\" --data @/home/user/scriptformat.json Example: curl -X POST \"https://bank.gluu.org/jans-config-api/api/v1/config/scripts\" -H \"Accept: application/json\" -H \"Authorization:Bearer ad34ac-8f2d-4bec-aed3-343adasda2\" -H \"Content-Type: application/json\" --data @/home/user/scriptformat.json","title":"Managing scripts with CURL"},{"location":"openbanking/curl/#managing-scripts-with-curl","text":"","title":"Managing scripts with CURL"},{"location":"openbanking/curl/#curl-prerequisites","text":"Gluu open banking distribution client-id client-secret client certificate client key","title":"Curl Prerequisites"},{"location":"openbanking/curl/#getting-the-prerequisites","text":"Get a client id and its associated password. Here, we will use the client id and secret created for config-api. TESTCLIENT = $( kubectl get cm cn -n --template ={{ .data.jca_client_id }} ) TESTCLIENTSECRET = $( kubectl get secret cn -n --template ={{ .data.jca_client_pw }} | base64 -d ) client.crt and client.key are the certificate and key files respectively for MTLS. Use your ca.crt and ca.key that was provided during setup to generate as many client certificates and keys as needed. 
If you have an existing helm deployment, you can retrieve ca.crt and ca.key using the following commands: kubectl get secret cn -n --template ={{ .data.ssl_ca_cert }} | base64 -d > ca.crt kubectl get secret cn -n --template ={{ .data.ssl_ca_key }} | base64 -d > ca.key Generate client.crt and client.key files: openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Openbanking' openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt","title":"Getting the prerequisites"},{"location":"openbanking/curl/#curl-operations","text":"The curl commands to list, add, or update custom script require a token, so first call the token endpoint to get the token using: curl -u $TESTCLIENT : $TESTCLIENTSECRET https:///jans-auth/restv1/token -d \"grant_type=client_credentials&scope=https://jans.io/oauth/config/scripts.readonly\" --cert client.crt --key client.key Example: curl -u '1801.bdfae945-b31d-4d60-8e47-16518153215:rjHoLfjfsv2G2qzGEasd1651813aIXvCi61NU' https://bank.gluu.org/jans-auth/restv1/token -d \"grant_type=client_credentials&scope=https://jans.io/oauth/config/scripts.readonly\" --cert apr22.crt --key apr22.key { \"access_token\" : \"ad34ac-8f2d-4bec-aed3-343adasda2\" , \"scope\" : \"https://jans.io/oauth/config/scripts.readonly\" , \"token_type\" : \"bearer\" , \"expires_in\" :299 } Save the access_token for use in subsequent commands. 
Use different scope values as per the requirement: View scripts information: https://jans.io/oauth/config/scripts.readonly Manage scripts-related information: https://jans.io/oauth/config/scripts.write Delete scripts-related information: https://jans.io/oauth/config/scripts.delete Use the obtained access token to perform further operations on custom scripts as given in subsequent text: Use the following command to display details of all the available custom scripts: curl -X GET https:///jans-config-api/api/v1/config/scripts -H \"Accept: application/json\" -H \"Authorization:Bearer \" -H \"Content-Type: application/json\" Example: curl -X GET https://bank.gluu.org/jans-config-api/api/v1/config/scripts -H \"Accept: application/json\" -H \"Authorization:Bearer ad34ac-8f2d-4bec-aed3-343adasda2\" -H \"Content-Type: application/json\" The following command will add a new custom script (Obtain token with write scope) and if it is successful it will display the added script in JSON format. The scriptformat.json file has script details according to the custom script schema. It should have the entire script inside the scriptformat.json as a string value under the script field. Converting a multiline script into a string requires converting newlines into \\n. So curl is not a suitable choice for adding new script, jans-cli is a better option. curl -X POST \"https:///jans-config-api/api/v1/config/scripts\" -H \"Accept: application/json\" -H \"Authorization:Bearer \" -H \"Content-Type: application/json\" --data @/home/user/scriptformat.json Example: curl -X POST \"https://bank.gluu.org/jans-config-api/api/v1/config/scripts\" -H \"Accept: application/json\" -H \"Authorization:Bearer ad34ac-8f2d-4bec-aed3-343adasda2\" -H \"Content-Type: application/json\" --data @/home/user/scriptformat.json","title":"CURL operations"},{"location":"openbanking/install-cn/","text":"System Requirements # Use the listing below for a detailed estimation of the minimum required resources. 
The table contains the default resources recommendation per service. Depending on the use of each service the resources need may increase or decrease. Service CPU Unit RAM Disk Space Processor Type Required Auth-server 2.5 2.5GB N/A 64 Bit Yes config - job 0.5 0.5GB N/A 64 Bit Yes on fresh installs persistence - job 0.5 0.5GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if not ALB or Istio config-api 1 1GB N/A 64 Bit No Installation # Install using Helm(production-ready) # The below certificates and keys are needed to complete the installation. Certificate / key Description OB Issuing CA Used in nginx as a certificate authority OB Root CA Used in nginx as a certificate authority OB Signing CA Used in nginx as a certificate authority OB AS Transport key Used for mTLS. This will also be added to the JVM OB AS Transport crt Used for mTLS. This will also be added to the JVM OB AS signing crt Added to the JVM. Used in SSA Validation OB AS signing key Added to the JVM. Used in SSA Validation OB transport truststore Used in SSA Validation. Generated from OB Root CA nd Issuing CA Based on the provider/platform you're using, you can follow the docs to install your platform prerequistes, nginx-ingress, and the yaml changes needed in override.yaml based on the Gluu persistence choosed. To enable mTLS in ingress-nginx, add the following to your override.yaml : nginx-ingress : ingress : additionalAnnotations : nginx.ingress.kubernetes.io/auth-tls-verify-client : \"optional\" nginx.ingress.kubernetes.io/auth-tls-secret : \"gluu/tls-ob-ca-certificates\" nginx.ingress.kubernetes.io/auth-tls-verify-depth : \"1\" nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream : \"true\" Adding these annotations will enable client certificate authentication . 
Enable authServerProtectedToken and authServerProtectedRegister : global auth-server : ingress : authServerProtectedToken : true authServerProtectedRegister : true Enable HTTPS During fresh installation, the config-job checks if SSL certificates and keys are mounted as files. If no mounted files are found, it attempts to download SSL certificates from the FQDN supplied. If the download is successful, an empty key file is generated. If no mounted or downloaded files are found, it generates self-signed SSL certificates, CA certificates, and keys. certificates and keys of interest in https Notes web_https.crt (nginx) web server certificate. This is commonly referred to as server.crt web_https.key (nginx) web server key. This is commonly referred to as server.key web_https.csr (nginx) web server certificate signing request. This is commonly referred to as server.csr web_https_ca.crt Certificate authority certificate that signed/signs the web server certificate. web_https_ca.key Certificate authority key that signed/signs the web server certificate. Create a secret containing the OB CA certificates (issuing, root, and signing CAs) and the OB AS transport crt. For more information read here . 
cat web_https_ca.crt issuingca.crt rootca.crt signingca.crt >> ca.crt kubectl create secret generic tls-ob-ca-certificates -n gluu --from-file = tls.crt = web_https.crt --from-file = tls.key = web_https.key --from-file = ca.crt = ca.crt If you have an existing helm deployment, those secrets can be retrieved and then create using the following commands: kubectl get secret cn -n gluu --template ={{ .data.ssl_ca_cert }} | base64 -d > ca.crt kubectl get secret cn -n gluu --template ={{ .data.ssl_cert }} | base64 -d > server.crt kubectl get secret cn -n gluu --template ={{ .data.ssl_key }} | base64 -d > server.key kubectl create secret generic ca-secret -n gluu --from-file = tls.crt = server.crt --from-file = tls.key = server.key --from-file = ca.crt = ca.crt Inject OBIE signed certs, keys and uri: When using OBIE signed certificates and keys, there are many objects that can be injected. The certificate signing pem file i.e obsigning.pem , the signing key i.e obsigning-oajsdij8927123.key , the certificate transport pem file i.e obtransport.pem , the transport key i.e obtransport-sdfe4234234.key , the transport truststore p12 i.e ob-transport-truststore.p12 , and the jwks uri https://mykeystore.openbanking.wow/xxxxx/xxxxx.jwks . base64 encrypt all .pem and .key files. cat obsigning.pem | base64 | tr -d '\\n' > obsigningbase64.pem cat obsigning-oajsdij8927123.key | base64 | tr -d '\\n' > obsigningbase64.key cat obtransport.pem | base64 | tr -d '\\n' > obtransportbase64.pem cat obtransport-sdfe4234234.key | base64 | tr -d '\\n' > obtransportbase64.key Generate your transport truststore or convert it to .p12 format. 
Please name it as ob-transport-truststore.p12 cat obissuingca.pem obrootca.pem obsigningca.pem > transport-truststore.crt keytool -importcert -file transport-truststore.crt -keystore ob-transport-truststore.p12 -alias obkeystore base64 encrypt the ob-transport-truststore.p12 cat ob-transport-truststore.p12 | base64 | tr -d '\\n' > obtransporttruststorebase64.pem Add the kid as the alias for the JKS used for the OB AS external signing crt. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G. This kid value should exist inside the jwks uri endpoint. Add those values to override.yaml : global : # -- Open banking external signing jwks uri. Used in SSA Validation. cnObExtSigningJwksUri : \"\" # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. cnObExtSigningJwksCrt : # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. cnObExtSigningJwksKey : # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. cnObExtSigningJwksKeyPassPhrase : # -- Open banking external signing AS Alias. This is a kid value. Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G cnObExtSigningAlias : # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G cnObStaticSigningKeyKid : # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. cnObTransportCrt : # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. cnObTransportKey : # -- Open banking AS transport key passphrase to unlock AS transport key. 
This must be encoded using base64. cnObTransportKeyPassPhrase : # -- Open banking transport Alias used inside the JVM. cnObTransportAlias : \"\" # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. cnObTransportTrustStore : Please note that the password for the keystores created can be fetched by executing the following command: kubectl get secret cn -n gluu --template={{.data.auth_openid_jks_pass}} | base64 -d The above password is needed in custom scripts such as the Client Registration script After finishing all the tweaks to the override.yaml file, run helm install or helm upgrade if Gluu is already installed helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml Install on microK8s(development/testing) # On your Ubuntu VM, run the following commands: sudo su - wget https://raw.githubusercontent.com/GluuFederation/flex/main/automation/startopenabankingdemo.sh && chmod u+x startopenabankingdemo.sh && ./startopenabankingdemo.sh Running this script will install the Gluu Open Banking Platform with mTLS enabled along with the mysql backend as a persistence. After running the script, you can go ahead and test the setup . Testing the setup # After successful installation, you can access and test the Gluu Open Banking Platform using either curl or Jans-CLI . Changing the signing key kid for the AS dynamically # Get a client id and its associated password. We will use the jans-config-api client id and secret TESTCLIENT = $( kubectl get cm cn -n gluu --template ={{ .data.jca_client_id }} ) TESTCLIENTSECRET = $( kubectl get secret cn -n gluu --template ={{ .data.jca_client_pw }} | base64 -d ) Get a token. 
To pass mTLS, we will use client.crt and client.key: curl -k -u $TESTCLIENT : $TESTCLIENTSECRET https:///jans-auth/restv1/token -d \"grant_type=client_credentials&scope=https://jans.io/oauth/jans-auth-server/config/properties.write\" --cert client.crt --key client.key Add the entry staticKid to force the AS to use a specific signing key. Please modify XhCYDfFM7UFXHfykNaLk1aLCnZM to the kid to be used: curl -k -X PATCH \"https:///jans-config-api/api/v1/jans-auth-server/config\" -H \"accept: application/json\" -H \"Content-Type: application/json-patch+json\" -H \"Authorization:Bearer 170e8412-1d55-4b19-ssss-8fcdeaafb954\" -d \"[{\\\"op\\\":\\\"add\\\",\\\"path\\\":\\\"/staticKid\\\",\\\"value\\\":\\\"XhCYDfFM7UFXHfykNaLk1aLCnZM\\\"}]\" Perform a rolling restart for the auth-server and config-api deployments. kubectl rollout restart deployment -auth-server -n gluu kubectl rollout restart deployment -config-api -n gluu Adding custom scopes upon installation # Download the original scopes file wget https://raw.githubusercontent.com/JanssenProject/docker-jans-persistence-loader/master/templates/scopes.ob.ldif Add to the file the custom scopes desired. Create a configmap with the scopes file kubectl create cm custom-scopes -n gluu --from-file=scopes.ob.ldif Mount the configmap in your override.yaml under persistence.volumes and persistence.volumeMounts persistence : volumes : - name : custom-scopes configMap : name : custom-scopes volumeMounts : - name : custom-scopes mountPath : \"/app/templates/scopes.ob.ldif\" subPath : scopes.ob.ldif Run helm install or helm upgrade if Gluu has already been installed.","title":"Cloud-Native"},{"location":"openbanking/install-cn/#system-requirements","text":"Use the listing below for a detailed estimation of the minimum required resources. The table contains the default resources recommendation per service. Depending on the use of each service the resources need may increase or decrease. 
Service CPU Unit RAM Disk Space Processor Type Required Auth-server 2.5 2.5GB N/A 64 Bit Yes config - job 0.5 0.5GB N/A 64 Bit Yes on fresh installs persistence - job 0.5 0.5GB N/A 64 Bit Yes on fresh installs nginx 1 1GB N/A 64 Bit Yes if not ALB or Istio config-api 1 1GB N/A 64 Bit No","title":"System Requirements"},{"location":"openbanking/install-cn/#installation","text":"","title":"Installation"},{"location":"openbanking/install-cn/#install-using-helmproduction-ready","text":"The below certificates and keys are needed to complete the installation. Certificate / key Description OB Issuing CA Used in nginx as a certificate authority OB Root CA Used in nginx as a certificate authority OB Signing CA Used in nginx as a certificate authority OB AS Transport key Used for mTLS. This will also be added to the JVM OB AS Transport crt Used for mTLS. This will also be added to the JVM OB AS signing crt Added to the JVM. Used in SSA Validation OB AS signing key Added to the JVM. Used in SSA Validation OB transport truststore Used in SSA Validation. Generated from OB Root CA nd Issuing CA Based on the provider/platform you're using, you can follow the docs to install your platform prerequistes, nginx-ingress, and the yaml changes needed in override.yaml based on the Gluu persistence choosed. To enable mTLS in ingress-nginx, add the following to your override.yaml : nginx-ingress : ingress : additionalAnnotations : nginx.ingress.kubernetes.io/auth-tls-verify-client : \"optional\" nginx.ingress.kubernetes.io/auth-tls-secret : \"gluu/tls-ob-ca-certificates\" nginx.ingress.kubernetes.io/auth-tls-verify-depth : \"1\" nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream : \"true\" Adding these annotations will enable client certificate authentication . 
Enable authServerProtectedToken and authServerProtectedRegister : global auth-server : ingress : authServerProtectedToken : true authServerProtectedRegister : true Enable HTTPS During fresh installation, the config-job checks if SSL certificates and keys are mounted as files. If no mounted files are found, it attempts to download SSL certificates from the FQDN supplied. If the download is successful, an empty key file is generated. If no mounted or downloaded files are found, it generates self-signed SSL certificates, CA certificates, and keys. certificates and keys of interest in https Notes web_https.crt (nginx) web server certificate. This is commonly referred to as server.crt web_https.key (nginx) web server key. This is commonly referred to as server.key web_https.csr (nginx) web server certificate signing request. This is commonly referred to as server.csr web_https_ca.crt Certificate authority certificate that signed/signs the web server certificate. web_https_ca.key Certificate authority key that signed/signs the web server certificate. Create a secret containing the OB CA certificates (issuing, root, and signing CAs) and the OB AS transport crt. For more information read here . 
cat web_https_ca.crt issuingca.crt rootca.crt signingca.crt >> ca.crt kubectl create secret generic tls-ob-ca-certificates -n gluu --from-file = tls.crt = web_https.crt --from-file = tls.key = web_https.key --from-file = ca.crt = ca.crt If you have an existing helm deployment, those secrets can be retrieved and then create using the following commands: kubectl get secret cn -n gluu --template ={{ .data.ssl_ca_cert }} | base64 -d > ca.crt kubectl get secret cn -n gluu --template ={{ .data.ssl_cert }} | base64 -d > server.crt kubectl get secret cn -n gluu --template ={{ .data.ssl_key }} | base64 -d > server.key kubectl create secret generic ca-secret -n gluu --from-file = tls.crt = server.crt --from-file = tls.key = server.key --from-file = ca.crt = ca.crt Inject OBIE signed certs, keys and uri: When using OBIE signed certificates and keys, there are many objects that can be injected. The certificate signing pem file i.e obsigning.pem , the signing key i.e obsigning-oajsdij8927123.key , the certificate transport pem file i.e obtransport.pem , the transport key i.e obtransport-sdfe4234234.key , the transport truststore p12 i.e ob-transport-truststore.p12 , and the jwks uri https://mykeystore.openbanking.wow/xxxxx/xxxxx.jwks . base64 encrypt all .pem and .key files. cat obsigning.pem | base64 | tr -d '\\n' > obsigningbase64.pem cat obsigning-oajsdij8927123.key | base64 | tr -d '\\n' > obsigningbase64.key cat obtransport.pem | base64 | tr -d '\\n' > obtransportbase64.pem cat obtransport-sdfe4234234.key | base64 | tr -d '\\n' > obtransportbase64.key Generate your transport truststore or convert it to .p12 format. 
Please name it as ob-transport-truststore.p12 cat obissuingca.pem obrootca.pem obsigningca.pem > transport-truststore.crt keytool -importcert -file transport-truststore.crt -keystore ob-transport-truststore.p12 -alias obkeystore base64 encrypt the ob-transport-truststore.p12 cat ob-transport-truststore.p12 | base64 | tr -d '\\n' > obtransporttruststorebase64.pem Add the kid as the alias for the JKS used for the OB AS external signing crt. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e XkwIzWy44xWSlcWnMiEc8iq9s2G. This kid value should exist inside the jwks uri endpoint. Add those values to override.yaml : global : # -- Open banking external signing jwks uri. Used in SSA Validation. cnObExtSigningJwksUri : \"\" # -- Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when `.global.cnObExtSigningJwksUri` is set. cnObExtSigningJwksCrt : # -- Open banking external signing jwks AS key string. Used in SSA Validation. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. cnObExtSigningJwksKey : # -- Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when `.global.cnObExtSigningJwksUri` is set. cnObExtSigningJwksKeyPassPhrase : # -- Open banking external signing AS Alias. This is a kid value. Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G cnObExtSigningAlias : # -- Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G cnObStaticSigningKeyKid : # -- Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. cnObTransportCrt : # -- Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. cnObTransportKey : # -- Open banking AS transport key passphrase to unlock AS transport key. 
This must be encoded using base64. cnObTransportKeyPassPhrase : # -- Open banking transport Alias used inside the JVM. cnObTransportAlias : \"\" # -- Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. cnObTransportTrustStore : Please note that the password for the keystores created can be fetched by executing the following command: kubectl get secret cn -n gluu --template={{.data.auth_openid_jks_pass}} | base64 -d The above password is needed in custom scripts such as the Client Registration script After finishing all the tweaks to the override.yaml file, run helm install or helm upgrade if Gluu is already installed helm repo add gluu-flex https://docs.gluu.org/charts helm repo update helm install gluu gluu-flex/gluu -n gluu -f override.yaml","title":"Install using Helm(production-ready)"},{"location":"openbanking/install-cn/#install-on-microk8sdevelopmenttesting","text":"On your Ubuntu VM, run the following commands: sudo su - wget https://raw.githubusercontent.com/GluuFederation/flex/main/automation/startopenabankingdemo.sh && chmod u+x startopenabankingdemo.sh && ./startopenabankingdemo.sh Running this script will install the Gluu Open Banking Platform with mTLS enabled along with the mysql backend as a persistence. After running the script, you can go ahead and test the setup .","title":"Install on microK8s(development/testing)"},{"location":"openbanking/install-cn/#testing-the-setup","text":"After successful installation, you can access and test the Gluu Open Banking Platform using either curl or Jans-CLI .","title":"Testing the setup"},{"location":"openbanking/install-cn/#changing-the-signing-key-kid-for-the-as-dynamically","text":"Get a client id and its associated password. 
We will use the jans-config-api client id and secret TESTCLIENT = $( kubectl get cm cn -n gluu --template ={{ .data.jca_client_id }} ) TESTCLIENTSECRET = $( kubectl get secret cn -n gluu --template ={{ .data.jca_client_pw }} | base64 -d ) Get a token. To pass mTLS, we will use client.crt and client.key: curl -k -u $TESTCLIENT : $TESTCLIENTSECRET https:///jans-auth/restv1/token -d \"grant_type=client_credentials&scope=https://jans.io/oauth/jans-auth-server/config/properties.write\" --cert client.crt --key client.key Add the entry staticKid to force the AS to use a specific signing key. Please modify XhCYDfFM7UFXHfykNaLk1aLCnZM to the kid to be used: curl -k -X PATCH \"https:///jans-config-api/api/v1/jans-auth-server/config\" -H \"accept: application/json\" -H \"Content-Type: application/json-patch+json\" -H \"Authorization:Bearer 170e8412-1d55-4b19-ssss-8fcdeaafb954\" -d \"[{\\\"op\\\":\\\"add\\\",\\\"path\\\":\\\"/staticKid\\\",\\\"value\\\":\\\"XhCYDfFM7UFXHfykNaLk1aLCnZM\\\"}]\" Perform a rolling restart for the auth-server and config-api deployments. kubectl rollout restart deployment -auth-server -n gluu kubectl rollout restart deployment -config-api -n gluu","title":"Changing the signing key kid for the AS dynamically"},{"location":"openbanking/install-cn/#adding-custom-scopes-upon-installation","text":"Download the original scopes file wget https://raw.githubusercontent.com/JanssenProject/docker-jans-persistence-loader/master/templates/scopes.ob.ldif Add to the file the custom scopes desired. 
Create a configmap with the scopes file kubectl create cm custom-scopes -n gluu --from-file=scopes.ob.ldif Mount the configmap in your override.yaml under persistence.volumes and persistence.volumeMounts persistence : volumes : - name : custom-scopes configMap : name : custom-scopes volumeMounts : - name : custom-scopes mountPath : \"/app/templates/scopes.ob.ldif\" subPath : scopes.ob.ldif Run helm install or helm upgrade if Gluu has already been installed.","title":"Adding custom scopes upon installation"},{"location":"openbanking/install-vm/","text":"VM Based Distribution # This section covers details on installing Gluu Openbanking Indentity Platform 1.0 in a VM. We recommend the Cloud Native Distribution for production environment. However, for development and testing VM distribution will be easier. VM Preparation # Prepare a VM with the following minimum specs: 4 GB RAM 2 GB swap space 2 CPU units 50 GB disk space The VM must have a static IP address and a resolvable hostname. A fully qualified domain name (FQDN) is required for production deployments. The Gluu Open Banking Identity Platform can be installed on main Linux distributions. Installation # Download the installer ( install.py ) wget https://raw.githubusercontent.com/JanssenProject/jans/main/jans-linux-setup/jans_setup/install.py Execute the installer: sudo python3 install.py --profile openbanking The installation script will install required tools, programs, packages and then it will prompt the user for setup instructions. Answer the following questions: Certificate Generation Setup # Prompt Description Enter IP Address The IP address for the VM. Use an IP address assigned to one of this server's network interfaces (usage of addresses assigned to loopback interfaces is not supported) Enter Hostname The hostname for the VM. Recommended to be a FQDN Enter your city or locality Used to generate X.509 certificates. Enter your state or province two letter code Used to generate X.509 certificates. 
Enter two letter Country Code Used to generate X.509 certificates. Enter Organization Name Used to generate X.509 certificates. Enter email address for support at your organization Used to generate X.509 certificates. Architecture Setup # Prompt Description Enter maximum RAM for applications in MB Maximum RAM Size in MB RDBM Type Backend type. Currently only MySQL is supported Use remote RDBM Select if connecting to an external MySQL server Enter Openbanking static kid The fallback key when key is not passed in requests (as required by Openbanking) Use external key If yes, link to an external Open Banking key file Before the last question installer process will display the selected choices and confirm to proceed. Prompt Description Proceed with these values [Y/n] Confirmation before setting up the services. Uninstalling Janssen Server # Execute the installation script with the -uninstall argument. MTLS Configuration # For MTLS, OBIE-issued (for openbanking UK) certificates and keys should be used. The following discussion assumes that the file ca.crt has a CA certificate and ca.key has a CA private key. 
Following command generates self-signed ca.crt and ca.key: openssl req -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -outform PEM -out ca.crt The following set of commands is an example of how to create the server\u2019s private key ( server.key ), Certificate Signing Request (CSR) ( server.csr ) and certificate ( server.crt) : openssl genrsa -out server.key 2048 openssl req -new -key server.key -out server.csr openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 100 -days 365 -outform PEM -out server.crt Now, store the server key ( server.key ) and certificate ( server.crt ) file in some location (preferably inside /etc/certs ) and set its path in the apache .conf file ( /etc/apache2/sites-enabled/https_jans.conf ) with SSLCertificateFile and SSLCertificateKeyFile directives: SSLCertificateFile /etc/certs/bankgluu/server.crt SSLCertificateKeyFile /etc/certs/bankgluu/server.key The path of CA certificate file should be set to SSLCACertificateFile directive as: SSLCACertificateFile /etc/apache2/certs/matls.pem The following commands will create client\u2019s private key ( client.key ), CSR ( client.csr ) and certificate ( client.crt ): openssl genrsa -out client.key 2048 openssl req -new -key client.key -out client.csr openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 101 -days 365 -outform PEM -out client.crt The following command will create a client certification chain (private key, public certificate and ca certificate) into the file client.pem : cat client.key client.crt ca.crt >client.pem Use this pem file to create JWKs for the clients (if required). To create a JWK, you can use a free utility published at https://mkjwk.org . Or you can download the command-line tool from GitHub . There are numerous other online PEM-to-JWKS tools available like JWKConvertFunctions . We may need to add/update some data in these generated JWKs. 
Note It is important to give different values of the Common Name field (\u201cCommon Name (e.g. server FQDN or YOUR name) []\u201d) for the CA, Server and clients. Other fields may have common values but the same values for Common Name of all certificates result in certificate verification failing at runtime. Importing the CA certificate in JVM truststore and signing, encryption keys into auth-Server keystore: # The command line utility keytool is installed with JDK, it can be used to import the CA certificate in JVM truststore (/opt/jre/lib/security/cacerts) and signing,encryption keys into the jans-auth server\u2019s keystore(/etc/certs/jans-auth-keys.jks). ./keytool -importcert -file /path/to/file/filename.cer -keystore /etc/certs/jans-auth-keys.jks -alias yourkeystore ./keytool -importkeystore -srckeystore /path/to/file/filename.jks -srcstoretype JKS -destkeystore /opt/jre/lib/security/cacerts -deststoretype JKS Accessing the Platform # After successful installation, access the Gluu Open Banking Platform using either jans-cli or curl .","title":"VM (only recommended for development/testing)"},{"location":"openbanking/install-vm/#vm-based-distribution","text":"This section covers details on installing Gluu Openbanking Indentity Platform 1.0 in a VM. We recommend the Cloud Native Distribution for production environment. However, for development and testing VM distribution will be easier.","title":"VM Based Distribution"},{"location":"openbanking/install-vm/#vm-preparation","text":"Prepare a VM with the following minimum specs: 4 GB RAM 2 GB swap space 2 CPU units 50 GB disk space The VM must have a static IP address and a resolvable hostname. A fully qualified domain name (FQDN) is required for production deployments. 
The Gluu Open Banking Identity Platform can be installed on main Linux distributions.","title":"VM Preparation"},{"location":"openbanking/install-vm/#installation","text":"Download the installer ( install.py ) wget https://raw.githubusercontent.com/JanssenProject/jans/main/jans-linux-setup/jans_setup/install.py Execute the installer: sudo python3 install.py --profile openbanking The installation script will install required tools, programs, packages and then it will prompt the user for setup instructions. Answer the following questions:","title":"Installation"},{"location":"openbanking/install-vm/#certificate-generation-setup","text":"Prompt Description Enter IP Address The IP address for the VM. Use an IP address assigned to one of this server's network interfaces (usage of addresses assigned to loopback interfaces is not supported) Enter Hostname The hostname for the VM. Recommended to be a FQDN Enter your city or locality Used to generate X.509 certificates. Enter your state or province two letter code Used to generate X.509 certificates. Enter two letter Country Code Used to generate X.509 certificates. Enter Organization Name Used to generate X.509 certificates. Enter email address for support at your organization Used to generate X.509 certificates.","title":"Certificate Generation Setup"},{"location":"openbanking/install-vm/#architecture-setup","text":"Prompt Description Enter maximum RAM for applications in MB Maximum RAM Size in MB RDBM Type Backend type. Currently only MySQL is supported Use remote RDBM Select if connecting to an external MySQL server Enter Openbanking static kid The fallback key when key is not passed in requests (as required by Openbanking) Use external key If yes, link to an external Open Banking key file Before the last question installer process will display the selected choices and confirm to proceed. 
Prompt Description Proceed with these values [Y/n] Confirmation before setting up the services.","title":"Architecture Setup"},{"location":"openbanking/install-vm/#uninstalling-janssen-server","text":"Execute the installation script with the -uninstall argument.","title":"Uninstalling Janssen Server"},{"location":"openbanking/install-vm/#mtls-configuration","text":"For MTLS, OBIE-issued (for openbanking UK) certificates and keys should be used. The following discussion assumes that the file ca.crt has a CA certificate and ca.key has a CA private key. Following command generates self-signed ca.crt and ca.key: openssl req -newkey rsa:2048 -nodes -keyform PEM -keyout ca.key -x509 -days 3650 -outform PEM -out ca.crt The following set of commands is an example of how to create the server\u2019s private key ( server.key ), Certificate Signing Request (CSR) ( server.csr ) and certificate ( server.crt) : openssl genrsa -out server.key 2048 openssl req -new -key server.key -out server.csr openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 100 -days 365 -outform PEM -out server.crt Now, store the server key ( server.key ) and certificate ( server.crt ) file in some location (preferably inside /etc/certs ) and set its path in the apache .conf file ( /etc/apache2/sites-enabled/https_jans.conf ) with SSLCertificateFile and SSLCertificateKeyFile directives: SSLCertificateFile /etc/certs/bankgluu/server.crt SSLCertificateKeyFile /etc/certs/bankgluu/server.key The path of CA certificate file should be set to SSLCACertificateFile directive as: SSLCACertificateFile /etc/apache2/certs/matls.pem The following commands will create client\u2019s private key ( client.key ), CSR ( client.csr ) and certificate ( client.crt ): openssl genrsa -out client.key 2048 openssl req -new -key client.key -out client.csr openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -set_serial 101 -days 365 -outform PEM -out client.crt The following command will create a client 
certification chain (private key, public certificate and ca certificate) into the file client.pem : cat client.key client.crt ca.crt >client.pem Use this pem file to create JWKs for the clients (if required). To create a JWK, you can use a free utility published at https://mkjwk.org . Or you can download the command-line tool from GitHub . There are numerous other online PEM-to-JWKS tools available like JWKConvertFunctions . We may need to add/update some data in these generated JWKs. Note It is important to give different values of the Common Name field (\u201cCommon Name (e.g. server FQDN or YOUR name) []\u201d) for the CA, Server and clients. Other fields may have common values but the same values for Common Name of all certificates result in certificate verification failing at runtime.","title":"MTLS Configuration"},{"location":"openbanking/install-vm/#importing-the-ca-certificate-in-jvm-truststore-and-signing-encryption-keys-into-auth-server-keystore","text":"The command line utility keytool is installed with JDK, it can be used to import the CA certificate in JVM truststore (/opt/jre/lib/security/cacerts) and signing,encryption keys into the jans-auth server\u2019s keystore(/etc/certs/jans-auth-keys.jks). 
./keytool -importcert -file /path/to/file/filename.cer -keystore /etc/certs/jans-auth-keys.jks -alias yourkeystore ./keytool -importkeystore -srckeystore /path/to/file/filename.jks -srcstoretype JKS -destkeystore /opt/jre/lib/security/cacerts -deststoretype JKS","title":"Importing the CA certificate in JVM truststore and signing, encryption keys into auth-Server keystore:"},{"location":"openbanking/install-vm/#accessing-the-platform","text":"After successful installation, access the Gluu Open Banking Platform using either jans-cli or curl .","title":"Accessing the Platform"},{"location":"openbanking/jans-cli/","text":"Introduction # Jans-cli is a command line interface to configure the Janssen software and it supports both interactive and command-line options for configuration. Jans-cli calls the Jans-Config-API to perform various operations. During Janssen installation, the installer creates a client to use Jans Config API. Jans-cli uses this client to call Jans Config API. Supported Operations # Jans-cli supports the following six operations on custom scripts: get-config-scripts : gets a list of custom scripts. post-config-scripts : adds a new custom script. put-config-scripts : updates a custom script. get-config-scripts-by-type : requires an argument --url-suffix TYPE: <> . You can specify the following types: PERSON_AUTHENTICATION , INTROSPECTION , RESOURCE_OWNER_PASSWORD_CREDENTIALS , APPLICATION_SESSION , CACHE_REFRESH , UPDATE_USER , USER_REGISTRATION , CLIENT_REGISTRATION , ID_GENERATOR , UMA_RPT_POLICY , UMA_RPT_CLAIMS , UMA_CLAIMS_GATHERING , CONSENT_GATHERING , DYNAMIC_SCOPE , SPONTANEOUS_SCOPE , END_SESSION , POST_AUTHN , SCIM , CIBA_END_USER_NOTIFICATION , PERSISTENCE_EXTENSION , IDP , or UPDATE_TOKEN . get-config-scripts-by-inum : requires an argument --url-suffix inum: <> delete-config-scripts-by-inum : requires an argument --url-suffix inum: <> Using jans-cli # Download jans-cli.pyz . This package can be built manually too. 
Get a client id and its associated password. Here, we will use the client id and secret created for config-api. TESTCLIENT = $( kubectl get cm cn -n --template ={{ .data.jca_client_id }} ) TESTCLIENTSECRET = $( kubectl get secret cn -n --template ={{ .data.jca_client_pw }} | base64 -d ) client.crt and client.key are the certificate and key files respectively for MTLS. We need to pass this certificate, key as the token endpoint is under MTLS and jans-cli obtains an appropriate token before performing the operation. Use your ca.crt and ca.key that was provided during setup to generate as many client certificates and keys for operating jans-cli as needed. If you have an existing helm deployment, you can retrieve ca.crt and ca.key using the following commands: kubectl get secret cn -n --template ={{ .data.ssl_ca_cert }} | base64 -d > ca.crt kubectl get secret cn -n --template ={{ .data.ssl_ca_key }} | base64 -d > ca.key Generate client.crt and client.key files: openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Openbanking' openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt Run the jans-cli in interactive mode and try it out: python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --CC client.crt --CK client.key Examples # The post-config-scripts and put-config-scripts require various details about the scripts. The following command gives the basic schema of the custom scripts to pass to these operations. 
python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --schema /components/schemas/CustomScript The output of the above command will be similar as: { \"dn\" : null , \"inum\" : null , \"name\" : \"string\" , \"aliases\" : [], \"description\" : null , \"script\" : \"string\" , \"scriptType\" : \"IDP\" , \"programmingLanguage\" : \"PYTHON\" , \"moduleProperties\" : { \"value1\" : null , \"value2\" : null , \"description\" : null }, \"configurationProperties\" : { \"value1\" : null , \"value2\" : null , \"description\" : null , \"hide\" : true }, \"level\" : \"integer\" , \"revision\" : 0 , \"enabled\" : false , \"scriptError\" : { \"raisedAt\" : null , \"stackTrace\" : null }, \"modified\" : false , \"internal\" : false } To add or modify a script first, we need to create the script's python file (e.g. /tmp/sample.py) and then create a JSON file by following the above schema and update the fields as : /tmp/sample.json { \"name\" : \"mySampleScript\" , \"aliases\" : null , \"description\" : \"This is a sample script\" , \"script\" : \"_file /tmp/sample.py\" , \"scriptType\" : \"PERSON_AUTHENTICATION\" , \"programmingLanguage\" : \"PYTHON\" , \"moduleProperties\" : [ { \"value1\" : \"mayvalue1\" , \"value2\" : \"myvalues2\" , \"description\" : \"description for property\" } ], \"configurationProperties\" : null , \"level\" : 1 , \"revision\" : 0 , \"enabled\" : false , \"scriptError\" : null , \"modified\" : false , \"internal\" : false } Add a new custom script, update and delete existing custom script # The following command will add a new script with details given in /tmp/sampleadd.json file. The jans-cli will generate a unique inum of this new script if we skip inum in the json file. 
python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id post-config-scripts --data /tmp/sampleadd.json \\ --CC client.crt --CK client.key The following command will modify/update the existing script with details given in /tmp/samplemodify.json file. Remember to set inum field in samplemodify.json to the inum of the script to update. python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id put-config-scripts --data /tmp/samplemodify.json \\ --CC client.crt --CK client.key To delete a custom script by its inum, use the following command: python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id delete-config-scripts-by-inum --url-suffix inum:HKM-TEST \\ --CC client.crt --CK client.key Print details of existing custom scripts # These commands to print the details are important, as using them we can get the inum of these scripts which is required to perform update or delete operations. The following command will display the details of all the existing custom scripts. This will be helpful to get the inum of scripts to perform the update and delete operation. python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id get-config-scripts --CC client.crt --CK client.key The following command displays the details of selected custom script (by inum). python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id get-config-scripts-by-inum --url-suffix inum:_____ \\ --CC client.crt --CK client.key Use the following command to display the details of existing custom scripts of a given type (for example: INTROSPECTION). 
python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id get-config-scripts-by-type --url-suffix type:INTROSPECTION \\ --CC client.crt --CK client.key","title":"Managing Scripts with the jans-cli"},{"location":"openbanking/jans-cli/#introduction","text":"Jans-cli is a command line interface to configure the Janssen software and it supports both interactive and command-line options for configuration. Jans-cli calls the Jans-Config-API to perform various operations. During Janssen installation, the installer creates a client to use Jans Config API. Jans-cli uses this client to call Jans Config API.","title":"Introduction"},{"location":"openbanking/jans-cli/#supported-operations","text":"Jans-cli supports the following six operations on custom scripts: get-config-scripts : gets a list of custom scripts. post-config-scripts : adds a new custom script. put-config-scripts : updates a custom script. get-config-scripts-by-type : requires an argument --url-suffix TYPE: <> . You can specify the following types: PERSON_AUTHENTICATION , INTROSPECTION , RESOURCE_OWNER_PASSWORD_CREDENTIALS , APPLICATION_SESSION , CACHE_REFRESH , UPDATE_USER , USER_REGISTRATION , CLIENT_REGISTRATION , ID_GENERATOR , UMA_RPT_POLICY , UMA_RPT_CLAIMS , UMA_CLAIMS_GATHERING , CONSENT_GATHERING , DYNAMIC_SCOPE , SPONTANEOUS_SCOPE , END_SESSION , POST_AUTHN , SCIM , CIBA_END_USER_NOTIFICATION , PERSISTENCE_EXTENSION , IDP , or UPDATE_TOKEN . get-config-scripts-by-inum : requires an argument --url-suffix inum: <> delete-config-scripts-by-inum : requires an argument --url-suffix inum: <>","title":"Supported Operations"},{"location":"openbanking/jans-cli/#using-jans-cli","text":"Download jans-cli.pyz . This package can be built manually too. Get a client id and its associated password. Here, we will use the client id and secret created for config-api. 
TESTCLIENT = $( kubectl get cm cn -n --template ={{ .data.jca_client_id }} ) TESTCLIENTSECRET = $( kubectl get secret cn -n --template ={{ .data.jca_client_pw }} | base64 -d ) client.crt and client.key are the certificate and key files respectively for MTLS. We need to pass this certificate, key as the token endpoint is under MTLS and jans-cli obtains an appropriate token before performing the operation. Use your ca.crt and ca.key that was provided during setup to generate as many client certificates and keys for operating jans-cli as needed. If you have an existing helm deployment, you can retrieve ca.crt and ca.key using the following commands: kubectl get secret cn -n --template ={{ .data.ssl_ca_cert }} | base64 -d > ca.crt kubectl get secret cn -n --template ={{ .data.ssl_ca_key }} | base64 -d > ca.key Generate client.crt and client.key files: openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=Openbanking' openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt Run the jans-cli in interactive mode and try it out: python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --CC client.crt --CK client.key","title":"Using jans-cli"},{"location":"openbanking/jans-cli/#examples","text":"The post-config-scripts and put-config-scripts require various details about the scripts. The following command gives the basic schema of the custom scripts to pass to these operations. 
python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --schema /components/schemas/CustomScript The output of the above command will be similar as: { \"dn\" : null , \"inum\" : null , \"name\" : \"string\" , \"aliases\" : [], \"description\" : null , \"script\" : \"string\" , \"scriptType\" : \"IDP\" , \"programmingLanguage\" : \"PYTHON\" , \"moduleProperties\" : { \"value1\" : null , \"value2\" : null , \"description\" : null }, \"configurationProperties\" : { \"value1\" : null , \"value2\" : null , \"description\" : null , \"hide\" : true }, \"level\" : \"integer\" , \"revision\" : 0 , \"enabled\" : false , \"scriptError\" : { \"raisedAt\" : null , \"stackTrace\" : null }, \"modified\" : false , \"internal\" : false } To add or modify a script first, we need to create the script's python file (e.g. /tmp/sample.py) and then create a JSON file by following the above schema and update the fields as : /tmp/sample.json { \"name\" : \"mySampleScript\" , \"aliases\" : null , \"description\" : \"This is a sample script\" , \"script\" : \"_file /tmp/sample.py\" , \"scriptType\" : \"PERSON_AUTHENTICATION\" , \"programmingLanguage\" : \"PYTHON\" , \"moduleProperties\" : [ { \"value1\" : \"mayvalue1\" , \"value2\" : \"myvalues2\" , \"description\" : \"description for property\" } ], \"configurationProperties\" : null , \"level\" : 1 , \"revision\" : 0 , \"enabled\" : false , \"scriptError\" : null , \"modified\" : false , \"internal\" : false }","title":"Examples"},{"location":"openbanking/jans-cli/#add-a-new-custom-script-update-and-delete-existing-custom-script","text":"The following command will add a new script with details given in /tmp/sampleadd.json file. The jans-cli will generate a unique inum of this new script if we skip inum in the json file. 
python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id post-config-scripts --data /tmp/sampleadd.json \\ --CC client.crt --CK client.key The following command will modify/update the existing script with details given in /tmp/samplemodify.json file. Remember to set inum field in samplemodify.json to the inum of the script to update. python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id put-config-scripts --data /tmp/samplemodify.json \\ --CC client.crt --CK client.key To delete a custom script by its inum, use the following command: python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id delete-config-scripts-by-inum --url-suffix inum:HKM-TEST \\ --CC client.crt --CK client.key","title":"Add a new custom script, update and delete existing custom script"},{"location":"openbanking/jans-cli/#print-details-of-existing-custom-scripts","text":"These commands to print the details are important, as using them we can get the inum of these scripts which is required to perform update or delete operations. The following command will display the details of all the existing custom scripts. This will be helpful to get the inum of scripts to perform the update and delete operation. python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id get-config-scripts --CC client.crt --CK client.key The following command displays the details of selected custom script (by inum). python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id get-config-scripts-by-inum --url-suffix inum:_____ \\ --CC client.crt --CK client.key Use the following command to display the details of existing custom scripts of a given type (for example: INTROSPECTION). 
python3 jans-cli-linux-amd64.pyz --host --client-id $TESTCLIENT --client_secret $TESTCLIENTSECRET --operation-id get-config-scripts-by-type --url-suffix type:INTROSPECTION \\ --CC client.crt --CK client.key","title":"Print details of existing custom scripts"},{"location":"openbanking/par-jarm/","text":"Pushed Authorization Requests(PAR) and JWT Secured Authorization Response Mode(JARM) # This section covers details of two important features required by the open banking ecosystem. The latest Gluu Open Banking Identity Platform supports PAR and JARM specifications. These two features are bundled in the installation so when you install the Gluu Open Banking Identity Platform the Authorization Server(AS) will support these features by default. The older/existing installation may require updating the WAR/ image. Moreover, these features are also FAPI certified for Brazil Open Banking (Based on FAPI 1 Advanced Final) . Pushed Authorization Requests-PAR: # PAR are handled by an additional endpoint of Authorization Server (AS). Clients POST their authorization parameters to this endpoint, in return the clients gets a reference (named as request URI value) that will be used in further authorization requests by the client. PAR enables the OAuth clients to push the payload of an authorization request directly to the authorization server in exchange for a request URI value. This request URI value is used as a reference to the authorization request payload data in a subsequent call to the authorization endpoint. We can set different PAR lifetimes for different clients . PAR lifetime will be 600 seconds if it is unspecified . We have two new configuration properties for PAR: * parEndpoint - String , corresponds to pushed_authorization_request_endpoint as defined by specification . * requirePar - Boolean parameter indicating whether the only means of initiating an authorization request the client is allowed to use is a pushed authorization request . 
If omitted , the default value is \"false\" . Moreover, there is a new client configuration: * parLifetime: An integer parameter representing the lifetime (in seconds) of the pushed authorization request. JWT Secured Authorization Response Mode-JARM # This is a new JWT-based response mode to encode authorization responses known as JARM, (see Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 ). Here clients are enabled to request the transmission of the authorization response parameters along with additional data in JWT format. This mechanism enhances the security of the standard authorization response since it adds support for signing and encryption,sender authentication, and audience restriction. It also provides protection from replay, credential leakage, and mix-up attacks. It can be combined with any response type. For this feature AS supports new response modes ( query.jwt , fragment.jwt , form_post.jwt , jwt ) and additional signing, encryption algorithms.","title":"PAR and JARM"},{"location":"openbanking/par-jarm/#pushed-authorization-requestspar-and-jwt-secured-authorization-response-modejarm","text":"This section covers details of two important features required by the open banking ecosystem. The latest Gluu Open Banking Identity Platform supports PAR and JARM specifications. These two features are bundled in the installation so when you install the Gluu Open Banking Identity Platform the Authorization Server(AS) will support these features by default. The older/existing installation may require updating the WAR/ image. Moreover, these features are also FAPI certified for Brazil Open Banking (Based on FAPI 1 Advanced Final) .","title":"Pushed Authorization Requests(PAR) and JWT Secured Authorization Response Mode(JARM)"},{"location":"openbanking/par-jarm/#pushed-authorization-requests-par","text":"PAR are handled by an additional endpoint of Authorization Server (AS). 
Clients POST their authorization parameters to this endpoint, in return the clients gets a reference (named as request URI value) that will be used in further authorization requests by the client. PAR enables the OAuth clients to push the payload of an authorization request directly to the authorization server in exchange for a request URI value. This request URI value is used as a reference to the authorization request payload data in a subsequent call to the authorization endpoint. We can set different PAR lifetimes for different clients . PAR lifetime will be 600 seconds if it is unspecified . We have two new configuration properties for PAR: * parEndpoint - String , corresponds to pushed_authorization_request_endpoint as defined by specification . * requirePar - Boolean parameter indicating whether the only means of initiating an authorization request the client is allowed to use is a pushed authorization request . If omitted , the default value is \"false\" . Moreover, there is a new client configuration: * parLifetime: An integer parameter representing the lifetime (in seconds) of the pushed authorization request.","title":"Pushed Authorization Requests-PAR:"},{"location":"openbanking/par-jarm/#jwt-secured-authorization-response-mode-jarm","text":"This is a new JWT-based response mode to encode authorization responses known as JARM, (see Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 ). Here clients are enabled to request the transmission of the authorization response parameters along with additional data in JWT format. This mechanism enhances the security of the standard authorization response since it adds support for signing and encryption,sender authentication, and audience restriction. It also provides protection from replay, credential leakage, and mix-up attacks. It can be combined with any response type. 
For this feature AS supports new response modes ( query.jwt , fragment.jwt , form_post.jwt , jwt ) and additional signing, encryption algorithms.","title":"JWT Secured Authorization Response Mode-JARM"},{"location":"reference/","tags":["administration","reference"],"text":"Overview # The Gluu Flex reference guide includes technical references for Flex-specific components and deployments. References for Janssen components, including database references, can be found in the Janssen Project documentation .","title":"Overview"},{"location":"reference/#overview","text":"The Gluu Flex reference guide includes technical references for Flex-specific components and deployments. References for Janssen components, including database references, can be found in the Janssen Project documentation .","title":"Overview"},{"location":"reference/json-config/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Index"},{"location":"reference/json-config/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"reference/json-config/properties/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Index"},{"location":"reference/json-config/properties/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"reference/json-config/properties/casa-properties/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. 
Keep an eye on this page for updates.","title":"Casa properties"},{"location":"reference/json-config/properties/casa-properties/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"reference/json-config/properties/casaconfig-properties/","text":"Where is this content? # The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Casaconfig properties"},{"location":"reference/json-config/properties/casaconfig-properties/#where-is-this-content","text":"The Gluu Flex documentation is a work in progress, and this document is currently a draft. Keep an eye on this page for updates.","title":"Where is this content?"},{"location":"reference/kubernetes/","tags":["administration","reference","kubernetes","architecture","components"],"text":"Overview # This Reference guide helps you learn about the components and architecture of Gluu Flex. Gluu Flex components # auth-server : The OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Janssen. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. auth-key-rotation : Responsible for regenerating auth-keys per x hours. config-api : The API to configure the auth-server and other components is consolidated in this component. This service should not be Internet-facing. Fido : Provides the server side endpoints to enroll and validate devices that use FIDO. It provides both FIDO U2F (register, authenticate) and FIDO 2 (attestation, assertion) endpoints. This service must be internet facing. SCIM : a JSON/REST API to manage user data. Use it to add, edit and update user information. This service should not be Internet facing. 
Casa : self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. Admin UI : The admin web portal to configure and control your Gluu server. Architectural diagram of Gluu #","title":"Overview"},{"location":"reference/kubernetes/#overview","text":"This Reference guide helps you learn about the components and architecture of Gluu Flex.","title":"Overview"},{"location":"reference/kubernetes/#gluu-flex-components","text":"auth-server : The OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Janssen. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. auth-key-rotation : Responsible for regenerating auth-keys per x hours. config-api : The API to configure the auth-server and other components is consolidated in this component. This service should not be Internet-facing. Fido : Provides the server side endpoints to enroll and validate devices that use FIDO. It provides both FIDO U2F (register, authenticate) and FIDO 2 (attestation, assertion) endpoints. This service must be internet facing. SCIM : a JSON/REST API to manage user data. Use it to add, edit and update user information. This service should not be Internet facing. Casa : self-service web portal for end-users to manage authentication and authorization preferences for their account in a Gluu Server. Admin UI : The admin web portal to configure and control your Gluu server.","title":"Gluu Flex components"},{"location":"reference/kubernetes/#architectural-diagram-of-gluu","text":"","title":"Architectural diagram of Gluu"},{"location":"reference/kubernetes/docker-admin-ui/","tags":["administration","reference","kubernetes","docker image"],"text":"docker-admin-ui # A containerized application for Gluu Admin UI frontend. Versions # See Releases for stable versions. 
For bleeding-edge/unstable version, use gluufederation/admin-ui:0.0.0-nightly . Environment Variables # The following environment variables are supported by the container: CN_CONFIG_ADAPTER : The config backend adapter, can be consul (default), kubernetes , or google . CN_CONFIG_CONSUL_HOST : hostname or IP of Consul (default to localhost ). CN_CONFIG_CONSUL_PORT : port of Consul (default to 8500 ). CN_CONFIG_CONSUL_CONSISTENCY : Consul consistency mode (choose one of default , consistent , or stale ). Default to stale mode. CN_CONFIG_CONSUL_SCHEME : supported Consul scheme ( http or https ). CN_CONFIG_CONSUL_VERIFY : whether to verify cert or not (default to false ). CN_CONFIG_CONSUL_CACERT_FILE : path to Consul CA cert file (default to /etc/certs/consul_ca.crt ). This file will be used if it exists and CN_CONFIG_CONSUL_VERIFY set to true . CN_CONFIG_CONSUL_CERT_FILE : path to Consul cert file (default to /etc/certs/consul_client.crt ). CN_CONFIG_CONSUL_KEY_FILE : path to Consul key file (default to /etc/certs/consul_client.key ). CN_CONFIG_CONSUL_TOKEN_FILE : path to file contains ACL token (default to /etc/certs/consul_token ). CN_CONFIG_KUBERNETES_NAMESPACE : Kubernetes namespace (default to default ). CN_CONFIG_KUBERNETES_CONFIGMAP : Kubernetes configmaps name (default to jans ). CN_CONFIG_KUBERNETES_USE_KUBE_CONFIG : Load credentials from $HOME/.kube/config , only useful for non-container environment (default to false ). CN_SECRET_ADAPTER : The secrets' adapter, can be vault (default), kubernetes , or google . CN_SECRET_VAULT_VERIFY : whether to verify cert or not (default to false ). CN_SECRET_VAULT_ROLE_ID_FILE : path to file contains Vault AppRole role ID (default to /etc/certs/vault_role_id ). CN_SECRET_VAULT_SECRET_ID_FILE : path to file contains Vault AppRole secret ID (default to /etc/certs/vault_secret_id ). CN_SECRET_VAULT_CERT_FILE : path to Vault cert file (default to /etc/certs/vault_client.crt ). 
CN_SECRET_VAULT_KEY_FILE : path to Vault key file (default to /etc/certs/vault_client.key ). CN_SECRET_VAULT_CACERT_FILE : path to Vault CA cert file (default to /etc/certs/vault_ca.crt ). This file will be used if it exists and CN_SECRET_VAULT_VERIFY set to true . CN_SECRET_VAULT_ADDR : URL of Vault (default to http://localhost:8200 ). CN_SECRET_VAULT_NAMESPACE : Namespace used to access secrets (default to empty string). CN_SECRET_VAULT_KV_PATH : Path to KV secrets engine (default to secret ). CN_SECRET_VAULT_PREFIX : Base prefix name used to build secret path (default to jans ). CN_SECRET_VAULT_APPROLE_PATH : Path to AppRole (default to approle ). CN_SECRET_KUBERNETES_NAMESPACE : Kubernetes namespace (default to default ). CN_SECRET_KUBERNETES_CONFIGMAP : Kubernetes secrets name (default to jans ). CN_SECRET_KUBERNETES_USE_KUBE_CONFIG : Load credentials from $HOME/.kube/config , only useful for non-container environment (default to false ). CN_WAIT_MAX_TIME : How long the startup \"health checks\" should run (default to 300 seconds). CN_WAIT_SLEEP_DURATION : Delay between startup \"health checks\" (default to 10 seconds). GOOGLE_PROJECT_ID : Google Project ID (default to empty string). Used when CN_CONFIG_ADAPTER or CN_SECRET_ADAPTER set to google . GOOGLE_APPLICATION_CREDENTIALS : Optional JSON file (contains Google credentials) that can be injected into container for authentication. Refer to https://cloud.google.com/docs/authentication/provide-credentials-adc#how-to for supported credentials. CN_GOOGLE_SECRET_VERSION_ID : Janssen secret version ID in Google Secret Manager. Defaults to latest , which is recommended. CN_GOOGLE_SECRET_NAME_PREFIX : Prefix for Janssen secret in Google Secret Manager. Defaults to jans . If left jans-secret secret will be created. CN_GOOGLE_SECRET_MANAGER_PASSPHRASE : Passphrase for Janssen secret in Google Secret Manager. This is recommended to be changed and defaults to secret . 
CN_AUTH_BASE_URL : Base URL of auth server (default to empty). CN_CONFIG_API_BASE_URL : Base URL of config-api server (default to empty). CN_TOKEN_SERVER_BASE_URL : Base URL of token server (default to empty). CN_TOKEN_SERVER_AUTHZ_ENDPOINT : Authorization endpoint at token server (default to /jans-auth/authorize.htm ). CN_TOKEN_SERVER_TOKEN_ENDPOINT : Token endpoint at token server (default to /jans-auth/restv1/token ). CN_TOKEN_SERVER_INTROSPECTION_ENDPOINT : Introspection endpoint at token server (default to /jans-auth/restv1/introspection ). CN_TOKEN_SERVER_USERINFO_ENDPOINT : User info endpoint at token server (default to /jans-auth/restv1/userinfo ). CN_TOKEN_SERVER_CLIENT_ID : Client ID registered at token server. CN_TOKEN_SERVER_CERT_FILE : Path to token server certificate (default to /etc/certs/token_server.crt ). CN_PERSISTENCE_TYPE : Persistence backend being used (one of sql , spanner , couchbase , or hybrid ; default to sql ). CN_HYBRID_MAPPING : Specify data mapping for each persistence (default to \"{}\" ). Note this environment only takes effect when CN_PERSISTENCE_TYPE is set to hybrid . See hybrid mapping section for details. CN_COUCHBASE_URL : Address of Couchbase server (default to localhost ). CN_COUCHBASE_USER : Username of Couchbase server (default to admin ). CN_COUCHBASE_CERT_FILE : Couchbase root certificate location (default to /etc/certs/couchbase.crt ). CN_COUCHBASE_PASSWORD_FILE : Path to file contains Couchbase password (default to /etc/jans/conf/couchbase_password ). CN_COUCHBASE_CONN_TIMEOUT : Connect timeout used when a bucket is opened (default to 10000 milliseconds). CN_COUCHBASE_CONN_MAX_WAIT : Maximum time to wait before retrying connection (default to 20000 milliseconds). CN_COUCHBASE_SCAN_CONSISTENCY : Default scan consistency; one of not_bounded , request_plus , or statement_plus (default to not_bounded ). CN_COUCHBASE_BUCKET_PREFIX : Prefix for Couchbase buckets (default to jans ). 
CN_COUCHBASE_TRUSTSTORE_ENABLE : Enable truststore for encrypted Couchbase connection (default to true ). CN_COUCHBASE_KEEPALIVE_INTERVAL : Keep-alive interval for Couchbase connection (default to 30000 milliseconds). CN_COUCHBASE_KEEPALIVE_TIMEOUT : Keep-alive timeout for Couchbase connection (default to 2500 milliseconds). CN_SQL_DB_DIALECT : Dialect name of SQL backend (one of mysql , pgsql ; default to mysql ). CN_SQL_DB_HOST : Host of SQL backend (default to localhost ). CN_SQL_DB_PORT : Port of SQL backend (default to 3306 ). CN_SQL_DB_NAME : Database name (default to jans ) CN_SQL_DB_USER : Username to interact with SQL backend (default to jans ). CN_GOOGLE_SPANNER_INSTANCE_ID : Instance ID of Google Spanner (default to empty string). CN_GOOGLE_SPANNER_DATABASE_ID : Database ID of Google Spanner (default to empty string). GOOGLE_PROJECT_ID : Google Project ID (default to empty string). GOOGLE_PROJECT_ID : Google Project ID (default to empty string). Used when CN_CONFIG_ADAPTER or CN_SECRET_ADAPTER set to google . CN_GOOGLE_SPANNER_INSTANCE_ID : Google Spanner instance ID. CN_GOOGLE_SPANNER_DATABASE_ID : Google Spanner database ID. GLUU_ADMIN_UI_AUTH_METHOD : Authentication method for admin-ui (default to basic ). Note, changing the value require restart to jans-config-api. Hybrid mapping # Hybrid persistence supports all available persistence types. 
To configure hybrid persistence and its data mapping, follow steps below: Set CN_PERSISTENCE_TYPE environment variable to hybrid Set CN_HYBRID_MAPPING with the following format: { \"default\": \"\", \"user\": \"\", \"site\": \"\", \"cache\": \"\", \"token\": \"\", \"session\": \"\", } Example: { \"default\": \"sql\", \"user\": \"spanner\", \"site\": \"sql\", \"cache\": \"sql\", \"token\": \"couchbase\", \"session\": \"spanner\", }","title":"Admin UI Docker Image"},{"location":"reference/kubernetes/docker-admin-ui/#docker-admin-ui","text":"A containerized application for Gluu Admin UI frontend.","title":"docker-admin-ui"},{"location":"reference/kubernetes/docker-admin-ui/#versions","text":"See Releases for stable versions. For bleeding-edge/unstable version, use gluufederation/admin-ui:0.0.0-nightly .","title":"Versions"},{"location":"reference/kubernetes/docker-admin-ui/#environment-variables","text":"The following environment variables are supported by the container: CN_CONFIG_ADAPTER : The config backend adapter, can be consul (default), kubernetes , or google . CN_CONFIG_CONSUL_HOST : hostname or IP of Consul (default to localhost ). CN_CONFIG_CONSUL_PORT : port of Consul (default to 8500 ). CN_CONFIG_CONSUL_CONSISTENCY : Consul consistency mode (choose one of default , consistent , or stale ). Default to stale mode. CN_CONFIG_CONSUL_SCHEME : supported Consul scheme ( http or https ). CN_CONFIG_CONSUL_VERIFY : whether to verify cert or not (default to false ). CN_CONFIG_CONSUL_CACERT_FILE : path to Consul CA cert file (default to /etc/certs/consul_ca.crt ). This file will be used if it exists and CN_CONFIG_CONSUL_VERIFY set to true . CN_CONFIG_CONSUL_CERT_FILE : path to Consul cert file (default to /etc/certs/consul_client.crt ). CN_CONFIG_CONSUL_KEY_FILE : path to Consul key file (default to /etc/certs/consul_client.key ). CN_CONFIG_CONSUL_TOKEN_FILE : path to file contains ACL token (default to /etc/certs/consul_token ). 
CN_CONFIG_KUBERNETES_NAMESPACE : Kubernetes namespace (default to default ). CN_CONFIG_KUBERNETES_CONFIGMAP : Kubernetes configmaps name (default to jans ). CN_CONFIG_KUBERNETES_USE_KUBE_CONFIG : Load credentials from $HOME/.kube/config , only useful for non-container environment (default to false ). CN_SECRET_ADAPTER : The secrets' adapter, can be vault (default), kubernetes , or google . CN_SECRET_VAULT_VERIFY : whether to verify cert or not (default to false ). CN_SECRET_VAULT_ROLE_ID_FILE : path to file contains Vault AppRole role ID (default to /etc/certs/vault_role_id ). CN_SECRET_VAULT_SECRET_ID_FILE : path to file contains Vault AppRole secret ID (default to /etc/certs/vault_secret_id ). CN_SECRET_VAULT_CERT_FILE : path to Vault cert file (default to /etc/certs/vault_client.crt ). CN_SECRET_VAULT_KEY_FILE : path to Vault key file (default to /etc/certs/vault_client.key ). CN_SECRET_VAULT_CACERT_FILE : path to Vault CA cert file (default to /etc/certs/vault_ca.crt ). This file will be used if it exists and CN_SECRET_VAULT_VERIFY set to true . CN_SECRET_VAULT_ADDR : URL of Vault (default to http://localhost:8200 ). CN_SECRET_VAULT_NAMESPACE : Namespace used to access secrets (default to empty string). CN_SECRET_VAULT_KV_PATH : Path to KV secrets engine (default to secret ). CN_SECRET_VAULT_PREFIX : Base prefix name used to build secret path (default to jans ). CN_SECRET_VAULT_APPROLE_PATH : Path to AppRole (default to approle ). CN_SECRET_KUBERNETES_NAMESPACE : Kubernetes namespace (default to default ). CN_SECRET_KUBERNETES_CONFIGMAP : Kubernetes secrets name (default to jans ). CN_SECRET_KUBERNETES_USE_KUBE_CONFIG : Load credentials from $HOME/.kube/config , only useful for non-container environment (default to false ). CN_WAIT_MAX_TIME : How long the startup \"health checks\" should run (default to 300 seconds). CN_WAIT_SLEEP_DURATION : Delay between startup \"health checks\" (default to 10 seconds). 
GOOGLE_PROJECT_ID : Google Project ID (default to empty string). Used when CN_CONFIG_ADAPTER or CN_SECRET_ADAPTER set to google . GOOGLE_APPLICATION_CREDENTIALS : Optional JSON file (contains Google credentials) that can be injected into container for authentication. Refer to https://cloud.google.com/docs/authentication/provide-credentials-adc#how-to for supported credentials. CN_GOOGLE_SECRET_VERSION_ID : Janssen secret version ID in Google Secret Manager. Defaults to latest , which is recommended. CN_GOOGLE_SECRET_NAME_PREFIX : Prefix for Janssen secret in Google Secret Manager. Defaults to jans . If left jans-secret secret will be created. CN_GOOGLE_SECRET_MANAGER_PASSPHRASE : Passphrase for Janssen secret in Google Secret Manager. This is recommended to be changed and defaults to secret . CN_AUTH_BASE_URL : Base URL of auth server (default to empty). CN_CONFIG_API_BASE_URL : Base URL of config-api server (default to empty). CN_TOKEN_SERVER_BASE_URL : Base URL of token server (default to empty). CN_TOKEN_SERVER_AUTHZ_ENDPOINT : Authorization endpoint at token server (default to /jans-auth/authorize.htm ). CN_TOKEN_SERVER_TOKEN_ENDPOINT : Token endpoint at token server (default to /jans-auth/restv1/token ). CN_TOKEN_SERVER_INTROSPECTION_ENDPOINT : Introspection endpoint at token server (default to /jans-auth/restv1/introspection ). CN_TOKEN_SERVER_USERINFO_ENDPOINT : User info endpoint at token server (default to /jans-auth/restv1/userinfo ). CN_TOKEN_SERVER_CLIENT_ID : Client ID registered at token server. CN_TOKEN_SERVER_CERT_FILE : Path to token server certificate (default to /etc/certs/token_server.crt ). CN_PERSISTENCE_TYPE : Persistence backend being used (one of sql , spanner , couchbase , or hybrid ; default to sql ). CN_HYBRID_MAPPING : Specify data mapping for each persistence (default to \"{}\" ). Note this environment only takes effect when CN_PERSISTENCE_TYPE is set to hybrid . See hybrid mapping section for details. 
CN_COUCHBASE_URL : Address of Couchbase server (default to localhost ). CN_COUCHBASE_USER : Username of Couchbase server (default to admin ). CN_COUCHBASE_CERT_FILE : Couchbase root certificate location (default to /etc/certs/couchbase.crt ). CN_COUCHBASE_PASSWORD_FILE : Path to file contains Couchbase password (default to /etc/jans/conf/couchbase_password ). CN_COUCHBASE_CONN_TIMEOUT : Connect timeout used when a bucket is opened (default to 10000 milliseconds). CN_COUCHBASE_CONN_MAX_WAIT : Maximum time to wait before retrying connection (default to 20000 milliseconds). CN_COUCHBASE_SCAN_CONSISTENCY : Default scan consistency; one of not_bounded , request_plus , or statement_plus (default to not_bounded ). CN_COUCHBASE_BUCKET_PREFIX : Prefix for Couchbase buckets (default to jans ). CN_COUCHBASE_TRUSTSTORE_ENABLE : Enable truststore for encrypted Couchbase connection (default to true ). CN_COUCHBASE_KEEPALIVE_INTERVAL : Keep-alive interval for Couchbase connection (default to 30000 milliseconds). CN_COUCHBASE_KEEPALIVE_TIMEOUT : Keep-alive timeout for Couchbase connection (default to 2500 milliseconds). CN_SQL_DB_DIALECT : Dialect name of SQL backend (one of mysql , pgsql ; default to mysql ). CN_SQL_DB_HOST : Host of SQL backend (default to localhost ). CN_SQL_DB_PORT : Port of SQL backend (default to 3306 ). CN_SQL_DB_NAME : Database name (default to jans ) CN_SQL_DB_USER : Username to interact with SQL backend (default to jans ). CN_GOOGLE_SPANNER_INSTANCE_ID : Instance ID of Google Spanner (default to empty string). CN_GOOGLE_SPANNER_DATABASE_ID : Database ID of Google Spanner (default to empty string). GOOGLE_PROJECT_ID : Google Project ID (default to empty string). GOOGLE_PROJECT_ID : Google Project ID (default to empty string). Used when CN_CONFIG_ADAPTER or CN_SECRET_ADAPTER set to google . CN_GOOGLE_SPANNER_INSTANCE_ID : Google Spanner instance ID. CN_GOOGLE_SPANNER_DATABASE_ID : Google Spanner database ID. 
GLUU_ADMIN_UI_AUTH_METHOD : Authentication method for admin-ui (default to basic ). Note, changing the value require restart to jans-config-api.","title":"Environment Variables"},{"location":"reference/kubernetes/docker-admin-ui/#hybrid-mapping","text":"Hybrid persistence supports all available persistence types. To configure hybrid persistence and its data mapping, follow steps below: Set CN_PERSISTENCE_TYPE environment variable to hybrid Set CN_HYBRID_MAPPING with the following format: { \"default\": \"\", \"user\": \"\", \"site\": \"\", \"cache\": \"\", \"token\": \"\", \"session\": \"\", } Example: { \"default\": \"sql\", \"user\": \"spanner\", \"site\": \"sql\", \"cache\": \"sql\", \"token\": \"couchbase\", \"session\": \"spanner\", }","title":"Hybrid mapping"},{"location":"reference/kubernetes/docker-flex-monolith/","tags":["administration","reference","kubernetes","docker image","docker compose"],"text":"Warning This image is for testing and development purposes only. Use Flex helm charts for production setups. Overview # Docker monolith image packaging for Gluu Flex. This image packs janssen services including the auth-server, config-api, fido2, casa, scim and the Gluu admin ui. Pre-requisites # Docker Docker compose Versions # See Releases for stable versions. This image should never be used in production. For bleeding-edge/unstable version, use gluufederation/monolith:0.0.0-nightly . Environment Variables # Installation depends on the set of environment variables shown below. These environment variables can be set to customize installation as per the need. If not set, the installer uses default values. ENV Description Default CN_HOSTNAME Hostname to install gluu with. demoexample.gluu.org CN_ADMIN_PASS Password of the admin user. 1t5Fin3#security CN_ORG_NAME Organization name. Used for ssl cert generation. Gluu CN_EMAIL Email. Used for ssl cert generation. team@gluu.org CN_CITY City. Used for ssl cert generation. Austin CN_STATE State. 
Used for ssl cert generation TX CN_COUNTRY Country. Used for ssl cert generation. US CN_INSTALL_MYSQL Install gluu with mysql as the backend false CN_INSTALL_PGSQL Install gluu with Postgres as the backend false CN_INSTALL_ADMIN_UI Installs the Admin-UI true CN_INSTALL_CONFIG_API Installs the Config API service. true CN_INSTALL_SCIM Installs the SCIM API service. true CN_INSTALL_FIDO2 Installs the FIDO2 API service. true RDBMS_DATABASE RDBMS gluu database for MySQL or Postgres. gluu RDBMS_USER RDBMS database user for MySQL or Postgres. gluu RDBMS_PASSWORD RDBMS database user password for MySQL or Postgres. 1t5Fin3#security RDBMS_HOST RDBMS host for MySQL or Postgres. mysql which is the docker compose service name TEST_CLIENT_ID ID of test client in UUID which has all available scopes to access any gluu API 9876baac-de39-4c23-8a78-674b59df8c09 TEST_CLIENT_SECRET Secret for test client 1t5Fin3#security TEST_CLIENT_TRUSTED Trust test client true TEST_CLIENT_REDIRECT_URI Not Implemented yet Redirect URI for test client. Multiple uri's with comma may be provided, if not provided redirect uris will be same as the config-api-client `` How to run # Download the compose file of your chosen persistence from mysql or postgres wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-mysql-compose.yml wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-postgres-compose.yml Download the script files wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/up.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/down.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/clean.sh Give execute permission to the scripts chmod u+x up.sh down.sh clean.sh This docker compose file runs two containers, the flex monolith container and mysql container. To start the containers. 
./up.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql. To view the containers running docker compose -f flex-mysql-compose.yml ps To stop the containers. ./down.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql. Configure Gluu flex # Access the Docker container shell using: docker compose -f flex-mysql-compose.yml exec flex /bin/bash #This opens a bash terminal in the running container You can grab client_id and client_pw (secret), and other values from setup.properties or /opt/jans/jans-setup/setup.properties.last Use the CLI tools located under /opt/jans/jans-cli/ to configure Gluu flex as needed. For example you can run the TUI : python3 /opt/jans/jans-cli/config-cli-tui.py Access endpoints externally # Add to your /etc/hosts file the ip domain record which should be the ip of the instance docker is installed at and the domain used in the env above CN_HOSTNAME . # For-example 172 .22.0.3 demoexample.gluu.org After adding the record you can hit endpoints such as https://demoexample.gluu.org/.well-known/openid-configuration Clean up # Remove setup and volumes ./clean.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql.","title":"Flex Monolith Docker Image"},{"location":"reference/kubernetes/docker-flex-monolith/#overview","text":"Docker monolith image packaging for Gluu Flex. This image packs janssen services including the auth-server, config-api, fido2, casa, scim and the Gluu admin ui.","title":"Overview"},{"location":"reference/kubernetes/docker-flex-monolith/#pre-requisites","text":"Docker Docker compose","title":"Pre-requisites"},{"location":"reference/kubernetes/docker-flex-monolith/#versions","text":"See Releases for stable versions. This image should never be used in production. 
For bleeding-edge/unstable version, use gluufederation/monolith:0.0.0-nightly .","title":"Versions"},{"location":"reference/kubernetes/docker-flex-monolith/#environment-variables","text":"Installation depends on the set of environment variables shown below. These environment variables can be set to customize installation as per the need. If not set, the installer uses default values. ENV Description Default CN_HOSTNAME Hostname to install gluu with. demoexample.gluu.org CN_ADMIN_PASS Password of the admin user. 1t5Fin3#security CN_ORG_NAME Organization name. Used for ssl cert generation. Gluu CN_EMAIL Email. Used for ssl cert generation. team@gluu.org CN_CITY City. Used for ssl cert generation. Austin CN_STATE State. Used for ssl cert generation TX CN_COUNTRY Country. Used for ssl cert generation. US CN_INSTALL_MYSQL Install gluu with mysql as the backend false CN_INSTALL_PGSQL Install gluu with Postgres as the backend false CN_INSTALL_ADMIN_UI Installs the Admin-UI true CN_INSTALL_CONFIG_API Installs the Config API service. true CN_INSTALL_SCIM Installs the SCIM API service. true CN_INSTALL_FIDO2 Installs the FIDO2 API service. true RDBMS_DATABASE RDBMS gluu database for MySQL or Postgres. gluu RDBMS_USER RDBMS database user for MySQL or Postgres. gluu RDBMS_PASSWORD RDBMS database user password for MySQL or Postgres. 1t5Fin3#security RDBMS_HOST RDBMS host for MySQL or Postgres. mysql which is the docker compose service name TEST_CLIENT_ID ID of test client in UUID which has all available scopes to access any gluu API 9876baac-de39-4c23-8a78-674b59df8c09 TEST_CLIENT_SECRET Secret for test client 1t5Fin3#security TEST_CLIENT_TRUSTED Trust test client true TEST_CLIENT_REDIRECT_URI Not Implemented yet Redirect URI for test client. 
Multiple uri's with comma may be provided, if not provided redirect uris will be same as the config-api-client ``","title":"Environment Variables"},{"location":"reference/kubernetes/docker-flex-monolith/#how-to-run","text":"Download the compose file of your chosen persistence from mysql or postgres wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-mysql-compose.yml wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/flex-postgres-compose.yml Download the script files wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/up.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/down.sh wget https://raw.githubusercontent.com/GluuFederation/flex/main/docker-flex-monolith/clean.sh Give execute permission to the scripts chmod u+x up.sh down.sh clean.sh This docker compose file runs two containers, the flex monolith container and mysql container. To start the containers. ./up.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql. To view the containers running docker compose -f flex-mysql-compose.yml ps To stop the containers. ./down.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql.","title":"How to run"},{"location":"reference/kubernetes/docker-flex-monolith/#configure-gluu-flex","text":"Access the Docker container shell using: docker compose -f flex-mysql-compose.yml exec flex /bin/bash #This opens a bash terminal in the running container You can grab client_id and client_pw (secret), and other values from setup.properties or /opt/jans/jans-setup/setup.properties.last Use the CLI tools located under /opt/jans/jans-cli/ to configure Gluu flex as needed. 
For example you can run the TUI : python3 /opt/jans/jans-cli/config-cli-tui.py","title":"Configure Gluu flex"},{"location":"reference/kubernetes/docker-flex-monolith/#access-endpoints-externally","text":"Add to your /etc/hosts file the ip domain record which should be the ip of the instance docker is installed at and the domain used in the env above CN_HOSTNAME . # For-example 172 .22.0.3 demoexample.gluu.org After adding the record you can hit endpoints such as https://demoexample.gluu.org/.well-known/openid-configuration","title":"Access endpoints externally"},{"location":"reference/kubernetes/docker-flex-monolith/#clean-up","text":"Remove setup and volumes ./clean.sh #You can pass mysql|postgres as an argument to the script. If you don't pass any, it will default to mysql.","title":"Clean up"},{"location":"reference/kubernetes/helm-chart/","text":"gluu # Gluu Access and Identity Management Homepage: https://www.gluu.org Maintainers # Name Email Url moabu team@gluu.org Source Code # https://docs.gluu.org Requirements # Kubernetes: >=v1.21.0-0 Repository Name Version admin-ui 5.3.0 auth-server 1.3.0 auth-server-key-rotation 1.3.0 casa 1.3.0 cn-istio-ingress 1.3.0 config 1.3.0 config-api 1.3.0 fido2 1.3.0 kc-scheduler 1.3.0 link 1.3.0 nginx-ingress 1.3.0 persistence 1.3.0 saml 1.3.0 scim 1.3.0 Values # Key Type Default Description admin-ui object 
{\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/gluufederation/flex/admin-ui\",\"tag\":\"5.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"},\"requests\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Admin GUI for configuration of the auth-server admin-ui.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of admin-ui.additionalLabels object {} Additional labels that will be added across the gateway in the format of admin-ui.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. admin-ui.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh admin-ui.dnsConfig object {} Add custom dns config admin-ui.dnsPolicy string \"\" Add custom dns policy admin-ui.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler admin-ui.hpa.behavior object {} Scaling Policies admin-ui.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set admin-ui.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. admin-ui.image.pullSecrets list [] Image Pull Secrets admin-ui.image.repository string \"ghcr.io/gluufederation/flex/admin-ui\" Image to use for deploying. admin-ui.image.tag string \"5.3.0-1\" Image tag to use for deploying. admin-ui.livenessProbe object {\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5} Configure the liveness healthcheck for the admin ui if needed. admin-ui.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget admin-ui.readinessProbe object {\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5} Configure the readiness healthcheck for the admin ui if needed. admin-ui.replicas int 1 Service replica number. admin-ui.resources object {\"limits\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"},\"requests\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"}} Resource specs. admin-ui.resources.limits.cpu string \"2000m\" CPU limit. admin-ui.resources.limits.memory string \"2000Mi\" Memory limit. admin-ui.resources.requests.cpu string \"2000m\" CPU request. admin-ui.resources.requests.memory string \"2000Mi\" Memory request. admin-ui.topologySpreadConstraints object {} Configure the topology spread constraints. 
Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ admin-ui.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service admin-ui.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 admin-ui.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 admin-ui.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers admin-ui.volumes list [] Configure any additional volumes that need to be attached to the pod auth-server object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/auth-server\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"},\"requests\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. 
auth-server-key-rotation object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/certmanager\",\"tag\":\"1.3.0-1\"},\"keysLife\":48,\"keysPushDelay\":0,\"keysPushStrategy\":\"NEWER\",\"keysStrategy\":\"NEWER\",\"lifecycle\":{},\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Responsible for regenerating auth-keys per x hours auth-server-key-rotation.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of auth-server-key-rotation.additionalLabels object {} Additional labels that will be added across the gateway in the format of auth-server-key-rotation.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. auth-server-key-rotation.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh auth-server-key-rotation.dnsConfig object {} Add custom dns config auth-server-key-rotation.dnsPolicy string \"\" Add custom dns policy auth-server-key-rotation.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. auth-server-key-rotation.image.pullSecrets list [] Image Pull Secrets auth-server-key-rotation.image.repository string \"ghcr.io/janssenproject/jans/certmanager\" Image to use for deploying. auth-server-key-rotation.image.tag string \"1.3.0-1\" Image tag to use for deploying. 
auth-server-key-rotation.keysLife int 48 Auth server key rotation keys life in hours auth-server-key-rotation.keysPushDelay int 0 Delay (in seconds) before pushing private keys to Auth server auth-server-key-rotation.keysPushStrategy string \"NEWER\" Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) auth-server-key-rotation.keysStrategy string \"NEWER\" Set key selection strategy used by Auth server auth-server-key-rotation.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. auth-server-key-rotation.resources.limits.cpu string \"300m\" CPU limit. auth-server-key-rotation.resources.limits.memory string \"300Mi\" Memory limit. auth-server-key-rotation.resources.requests.cpu string \"300m\" CPU request. auth-server-key-rotation.resources.requests.memory string \"300Mi\" Memory request. auth-server-key-rotation.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service auth-server-key-rotation.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 auth-server-key-rotation.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 auth-server-key-rotation.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers auth-server-key-rotation.volumes list [] Configure any additional volumes that need to be attached to the pod auth-server.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of auth-server.additionalLabels object {} Additional labels that will be added across the gateway in the format of auth-server.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. auth-server.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh auth-server.dnsConfig object {} Add custom dns config auth-server.dnsPolicy string \"\" Add custom dns policy auth-server.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler auth-server.hpa.behavior object {} Scaling Policies auth-server.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set auth-server.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. auth-server.image.pullSecrets list [] Image Pull Secrets auth-server.image.repository string \"ghcr.io/janssenproject/jans/auth-server\" Image to use for deploying. auth-server.image.tag string \"1.3.0-1\" Image tag to use for deploying. auth-server.livenessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. auth-server.livenessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py auth-server.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget auth-server.readinessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py auth-server.replicas int 1 Service replica number. auth-server.resources object {\"limits\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"},\"requests\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"}} Resource specs. auth-server.resources.limits.cpu string \"2500m\" CPU limit. 
auth-server.resources.limits.memory string \"2500Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. auth-server.resources.requests.cpu string \"2500m\" CPU request. auth-server.resources.requests.memory string \"2500Mi\" Memory request. auth-server.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ auth-server.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service auth-server.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 auth-server.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 auth-server.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers auth-server.volumes list [] Configure any additional volumes that need to be attached to the pod casa object 
{\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/casa\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Janssen Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Auth Server. casa.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of casa.additionalLabels object {} Additional labels that will be added across the gateway in the format of casa.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. casa.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh casa.dnsConfig object {} Add custom dns config casa.dnsPolicy string \"\" Add custom dns policy casa.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler casa.hpa.behavior object {} Scaling Policies casa.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set casa.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. casa.image.pullSecrets list [] Image Pull Secrets casa.image.repository string \"ghcr.io/janssenproject/jans/casa\" Image to use for deploying. casa.image.tag string \"1.3.0-1\" Image tag to use for deploying. casa.livenessProbe object {\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the liveness healthcheck for casa if needed. casa.livenessProbe.httpGet.path string \"/jans-casa/health-check\" http liveness probe endpoint casa.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget casa.readinessProbe object {\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the readiness healthcheck for the casa if needed. casa.readinessProbe.httpGet.path string \"/jans-casa/health-check\" http readiness probe endpoint casa.replicas int 1 Service replica number. casa.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}} Resource specs. casa.resources.limits.cpu string \"500m\" CPU limit. casa.resources.limits.memory string \"500Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. casa.resources.requests.cpu string \"500m\" CPU request. 
casa.resources.requests.memory string \"500Mi\" Memory request. casa.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ casa.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service casa.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 casa.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 casa.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers casa.volumes list [] Configure any additional volumes that need to be attached to the pod config object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"adminPassword\":\"Test1234#\",\"city\":\"Austin\",\"configmap\":{\"cnAwsAccessKeyId\":\"\",\"cnAwsDefaultRegion\":\"us-west-1\",\"cnAwsProfile\":\"gluu\",\"cnAwsSecretAccessKey\":\"\",\"cnAwsSecretsEndpointUrl\":\"\",\"cnAwsSecretsNamePrefix\":\"gluu\",\"cnAwsSecretsReplicaRegions\":[],\"cnCacheType\":\"NATIVE_PERSISTENCE\",\"cnConfigKubernetesConfigMap\":\"cn\",\"cnGoogleProjectId\":\"google-project-to-save-config-and-secrets-to\",\"cnGoogleSecretManagerServiceAccount\":\"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=\",\"cnGoogleSecretNamePrefix\":\"gluu\",\"cnGoogleSecretVersionId\":\"latest\",\"cnJettyRequestHeaderSize\":8192,\"cnMaxRamPercent\":\"75.0\",\"cnMessageType\":\"DISABLED\",\"cnOpaUrl\":\"http://opa.opa.svc.cluster.cluster.local:8181/v1\",\"cnPersistenceHybridMapping\":\"{}\",\"cnRedisSentinelGroup\":\"\",\"cnRedisSslTruststore\":\"\",\"cnRedisType\":\"STANDALONE\",\"cnRedisUrl\":\"redis.redis.svc.cluster.local:6379\",\"cnRedisUseSsl\":false,\"cnScimProtectionMode\":\"OAUTH\",\"cnSecretKubernetesSecret\":\"cn\",\"cnSqlDbDialect\":\"mysql\",\"cnSqlDbHost\":\"my-release-mysql.default.svc.cluster.local\",\"cnSqlDbName\":\"gluu\",\"cnSqlDbPor
t\":3306,\"cnSqlDbSchema\":\"\",\"cnSqlDbTimezone\":\"UTC\",\"cnSqlDbUser\":\"gluu\",\"cnSqldbUserPassword\":\"Test1234#\",\"cnVaultAddr\":\"http://localhost:8200\",\"cnVaultAppRolePath\":\"approle\",\"cnVaultKvPath\":\"secret\",\"cnVaultNamespace\":\"\",\"cnVaultPrefix\":\"jans\",\"cnVaultRoleId\":\"\",\"cnVaultRoleIdFile\":\"/etc/certs/vault_role_id\",\"cnVaultSecretId\":\"\",\"cnVaultSecretIdFile\":\"/etc/certs/vault_secret_id\",\"cnVaultVerify\":false,\"kcAdminPassword\":\"Test1234#\",\"kcAdminUsername\":\"admin\",\"kcDbPassword\":\"Test1234#\",\"kcDbSchema\":\"keycloak\",\"kcDbUrlDatabase\":\"keycloak\",\"kcDbUrlHost\":\"mysql.kc.svc.cluster.local\",\"kcDbUrlPort\":3306,\"kcDbUrlProperties\":\"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4\",\"kcDbUsername\":\"keycloak\",\"kcDbVendor\":\"mysql\",\"kcLogLevel\":\"INFO\",\"lbAddr\":\"\",\"quarkusTransactionEnableRecovery\":true},\"countryCode\":\"US\",\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"email\":\"team@gluu.org\",\"image\":{\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/configurator\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"migration\":{\"enabled\":false,\"migrationDataFormat\":\"ldif\",\"migrationDir\":\"/ce-migration\"},\"orgName\":\"Gluu\",\"redisPassword\":\"P@assw0rd\",\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"salt\":\"\",\"state\":\"TX\",\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. 
config-api object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/config-api\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-config-api/api/v1/health/live\",\"port\":8074},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"jans-config-api/api/v1/health/ready\",\"port\":8074},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). config-api.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of config-api.additionalLabels object {} Additional labels that will be added across the gateway in the format of config-api.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. config-api.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh config-api.dnsConfig object {} Add custom dns config config-api.dnsPolicy string \"\" Add custom dns policy config-api.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler config-api.hpa.behavior object {} Scaling Policies config-api.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set config-api.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. config-api.image.pullSecrets list [] Image Pull Secrets config-api.image.repository string \"ghcr.io/janssenproject/jans/config-api\" Image to use for deploying. config-api.image.tag string \"1.3.0-1\" Image tag to use for deploying. config-api.livenessProbe object {\"httpGet\":{\"path\":\"/jans-config-api/api/v1/health/live\",\"port\":8074},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. config-api.livenessProbe.httpGet object {\"path\":\"/jans-config-api/api/v1/health/live\",\"port\":8074} http liveness probe endpoint config-api.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget config-api.readinessProbe.httpGet object {\"path\":\"jans-config-api/api/v1/health/ready\",\"port\":8074} http readiness probe endpoint config-api.replicas int 1 Service replica number. config-api.resources object {\"limits\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"}} Resource specs. config-api.resources.limits.cpu string \"1000m\" CPU limit. config-api.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. config-api.resources.requests.cpu string \"1000m\" CPU request. 
config-api.resources.requests.memory string \"1200Mi\" Memory request. config-api.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ config-api.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service config-api.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 config-api.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 config-api.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers config-api.volumes list [] Configure any additional volumes that need to be attached to the pod config.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of config.additionalLabels object {} Additional labels that will be added across the gateway in the format of config.adminPassword string \"Test1234#\" Admin password to log in to the UI. config.city string \"Austin\" City. Used for certificate creation. config.configmap.cnCacheType string \"NATIVE_PERSISTENCE\" Cache type. NATIVE_PERSISTENCE , REDIS . or IN_MEMORY . Defaults to NATIVE_PERSISTENCE . config.configmap.cnConfigKubernetesConfigMap string \"cn\" The name of the Kubernetes ConfigMap that will hold the configuration layer config.configmap.cnGoogleProjectId string \"google-project-to-save-config-and-secrets-to\" Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnGoogleSecretManagerServiceAccount string \"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=\" Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. 
Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnGoogleSecretNamePrefix string \"gluu\" Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnGoogleSecretVersionId string \"latest\" Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnJettyRequestHeaderSize int 8192 Jetty header size in bytes in the auth server config.configmap.cnMaxRamPercent string \"75.0\" Value passed to Java option -XX:MaxRAMPercentage config.configmap.cnMessageType string \"DISABLED\" Message type (one of POSTGRES, REDIS, or DISABLED) config.configmap.cnOpaUrl string \"http://opa.opa.svc.cluster.cluster.local:8181/v1\" URL of OPA API config.configmap.cnPersistenceHybridMapping string \"{}\" Specify data that should be saved in persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when global.cnPersistenceType is set to hybrid . config.configmap.cnRedisSentinelGroup string \"\" Redis Sentinel Group. Often set when config.configmap.cnRedisType is set to SENTINEL . Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnRedisSslTruststore string \"\" Redis SSL truststore. Optional. Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnRedisType string \"STANDALONE\" Redis service type. STANDALONE or CLUSTER . Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnRedisUrl string \"redis.redis.svc.cluster.local:6379\" Redis URL and port number : . Can be used when config.configmap.cnCacheType is set to REDIS . 
config.configmap.cnRedisUseSsl bool false Boolean to use SSL in Redis. Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnScimProtectionMode string \"OAUTH\" SCIM protection mode OAUTH config.configmap.cnSecretKubernetesSecret string \"cn\" Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. config.configmap.cnSqlDbDialect string \"mysql\" SQL database dialect. mysql or pgsql config.configmap.cnSqlDbHost string \"my-release-mysql.default.svc.cluster.local\" SQL database host uri. config.configmap.cnSqlDbName string \"gluu\" SQL database name. config.configmap.cnSqlDbPort int 3306 SQL database port. config.configmap.cnSqlDbSchema string \"\" Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as \"public\" ). config.configmap.cnSqlDbTimezone string \"UTC\" SQL database timezone. config.configmap.cnSqlDbUser string \"gluu\" SQL database username. config.configmap.cnSqldbUserPassword string \"Test1234#\" SQL password injected the secrets . config.configmap.cnVaultAddr string \"http://localhost:8200\" Base URL of Vault. config.configmap.cnVaultAppRolePath string \"approle\" Path to Vault AppRole. config.configmap.cnVaultKvPath string \"secret\" Path to Vault KV secrets engine. config.configmap.cnVaultNamespace string \"\" Vault namespace used to access the secrets. config.configmap.cnVaultPrefix string \"jans\" Base prefix name used to access secrets. config.configmap.cnVaultRoleId string \"\" Vault AppRole RoleID. config.configmap.cnVaultRoleIdFile string \"/etc/certs/vault_role_id\" Path to file contains Vault AppRole role ID. config.configmap.cnVaultSecretId string \"\" Vault AppRole SecretID. config.configmap.cnVaultSecretIdFile string \"/etc/certs/vault_secret_id\" Path to file contains Vault AppRole secret ID. 
config.configmap.cnVaultVerify bool false Verify connection to Vault. config.configmap.kcAdminPassword string \"Test1234#\" Keycloak admin UI password config.configmap.kcAdminUsername string \"admin\" Keycloak admin UI username config.configmap.kcDbPassword string \"Test1234#\" Password for Keycloak database access config.configmap.kcDbSchema string \"keycloak\" Keycloak database schema name (note that PostgreSQL may be using \"public\" schema). config.configmap.kcDbUrlDatabase string \"keycloak\" Keycloak database name. config.configmap.kcDbUrlHost string \"mysql.kc.svc.cluster.local\" Keycloak database host uri config.configmap.kcDbUrlPort int 3306 Keycloak database port (default to port 3306 for mysql). config.configmap.kcDbUrlProperties string \"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4\" Keycloak database connection properties. If using postgresql, the value can be set to empty string. config.configmap.kcDbUsername string \"keycloak\" Keycloak database username config.configmap.kcDbVendor string \"mysql\" Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. config.configmap.kcLogLevel string \"INFO\" Keycloak logging level config.configmap.lbAddr string \"\" Load balancer address for AWS if the FQDN is not registered. config.configmap.quarkusTransactionEnableRecovery bool true Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. config.countryCode string \"US\" Country code. Used for certificate creation. config.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. config.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh config.dnsConfig object {} Add custom dns config config.dnsPolicy string \"\" Add custom dns policy config.email string \"team@gluu.org\" Email address of the administrator usually. Used for certificate creation. config.image.pullSecrets list [] Image Pull Secrets config.image.repository string \"ghcr.io/janssenproject/jans/configurator\" Image to use for deploying. config.image.tag string \"1.3.0-1\" Image tag to use for deploying. config.migration object {\"enabled\":false,\"migrationDataFormat\":\"ldif\",\"migrationDir\":\"/ce-migration\"} CE to CN Migration section config.migration.enabled bool false Boolean flag to enable migration from CE config.migration.migrationDataFormat string \"ldif\" migration data-format depending on persistence backend. Supported data formats are ldif, postgresql+json, and mysql+json. config.migration.migrationDir string \"/ce-migration\" Directory holding all migration files config.orgName string \"Gluu\" Organization name. Used for certificate creation. config.redisPassword string \"P@assw0rd\" Redis admin password if config.configmap.cnCacheType is set to REDIS . config.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. config.resources.limits.cpu string \"300m\" CPU limit. config.resources.limits.memory string \"300Mi\" Memory limit. config.resources.requests.cpu string \"300m\" CPU request. config.resources.requests.memory string \"300Mi\" Memory request. config.salt string \"\" Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. config.state string \"TX\" State code. Used for certificate creation. config.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service. config.usrEnvs.normal object {} Add custom normal envs to the service. 
variable1: value1 config.usrEnvs.secret object {} Add custom secret envs to the service. variable1: value1 config.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers config.volumes list [] Configure any additional volumes that need to be attached to the pod fido2 object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/fido2\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}},\"service\":{\"name\":\"http-fido2\",\"port\":8080},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. fido2.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of fido2.additionalLabels object {} Additional labels that will be added across the gateway in the format of fido2.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. 
fido2.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh fido2.dnsConfig object {} Add custom dns config fido2.dnsPolicy string \"\" Add custom dns policy fido2.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler fido2.hpa.behavior object {} Scaling Policies fido2.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set fido2.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. fido2.image.pullSecrets list [] Image Pull Secrets fido2.image.repository string \"ghcr.io/janssenproject/jans/fido2\" Image to use for deploying. fido2.image.tag string \"1.3.0-1\" Image tag to use for deploying. fido2.livenessProbe object {\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the liveness healthcheck for the fido2 if needed. fido2.livenessProbe.httpGet object {\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"} http liveness probe endpoint fido2.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget fido2.readinessProbe object {\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the readiness healthcheck for the fido2 if needed. fido2.replicas int 1 Service replica number. fido2.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}} Resource specs. fido2.resources.limits.cpu string \"500m\" CPU limit. fido2.resources.limits.memory string \"500Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. 
fido2.resources.requests.cpu string \"500m\" CPU request. fido2.resources.requests.memory string \"500Mi\" Memory request. fido2.service.name string \"http-fido2\" The name of the fido2 port within the fido2 service. Please keep it as default. fido2.service.port int 8080 Port of the fido2 service. Please keep it as default. fido2.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ fido2.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service fido2.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 fido2.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 fido2.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers fido2.volumes list [] Configure any additional volumes that need to be attached to the pod global object {\"admin-ui\":{\"adminUiServiceName\":\"admin-ui\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"adminUiAdditionalAnnotations\":{},\"adminUiEnabled\":false,\"adminUiLabels\":{}}},\"alb\":{\"ingress\":false},\"auth-server\":{\"appLoggers\":{\"auditStatsLogLevel\":\"INFO\",\"auditStatsLogTarget\":\"FILE\",\"authLogLevel\":\"INFO\",\"authLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"httpLogLevel\":\"INFO\",\"httpLogTarget\":\"FILE\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"authEncKeys\":\"RSA1_5 RSA-OAEP\",\"authServerServiceName\":\"auth-server\",\"authSigKeys\":\"RS256 RS384 RS512 ES256 ES384 ES512 
PS256 PS384 PS512\",\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"authServerAdditionalAnnotations\":{},\"authServerEnabled\":true,\"authServerLabels\":{},\"authServerProtectedRegister\":false,\"authServerProtectedRegisterAdditionalAnnotations\":{},\"authServerProtectedRegisterLabels\":{},\"authServerProtectedToken\":false,\"authServerProtectedTokenAdditionalAnnotations\":{},\"authServerProtectedTokenLabels\":{},\"authzenAdditionalAnnotations\":{},\"authzenConfigEnabled\":true,\"authzenConfigLabels\":{},\"deviceCodeAdditionalAnnotations\":{},\"deviceCodeEnabled\":true,\"deviceCodeLabels\":{},\"firebaseMessagingAdditionalAnnotations\":{},\"firebaseMessagingEnabled\":true,\"firebaseMessagingLabels\":{},\"lockAdditionalAnnotations\":{},\"lockConfigAdditionalAnnotations\":{},\"lockConfigEnabled\":false,\"lockConfigLabels\":{},\"lockEnabled\":false,\"lockLabels\":{},\"openidAdditionalAnnotations\":{},\"openidConfigEnabled\":true,\"openidConfigLabels\":{},\"u2fAdditionalAnnotations\":{},\"u2fConfigEnabled\":true,\"u2fConfigLabels\":{},\"uma2AdditionalAnnotations\":{},\"uma2ConfigEnabled\":true,\"uma2ConfigLabels\":{},\"webdiscoveryAdditionalAnnotations\":{},\"webdiscoveryEnabled\":true,\"webdiscoveryLabels\":{},\"webfingerAdditionalAnnotations\":{},\"webfingerEnabled\":true,\"webfingerLabels\":{}},\"lockEnabled\":false},\"auth-server-key-rotation\":{\"customAnnotations\":{\"cronjob\":{},\"secret\":{},\"service\":{}},\"enabled\":true,\"initKeysLife\":48},\"awsStorageType\":\"io1\",\"azureStorageAccountType\":\"Standard_LRS\",\"azureStorageKind\":\"Managed\",\"casa\":{\"appLoggers\":{\"casaLogLevel\":\"INFO\",\"casaLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"timerLogLevel\":\"INFO\",\"timerLogTarget\":\"FILE\"},\"casaServiceName\":\"casa\",\"cnCustomJavaOptions\"
:\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"casaAdditionalAnnotations\":{},\"casaEnabled\":false,\"casaLabels\":{}}},\"cloud\":{\"testEnviroment\":false},\"cnAwsConfigFile\":\"/etc/jans/conf/aws_config_file\",\"cnAwsSecretsReplicaRegionsFile\":\"/etc/jans/conf/aws_secrets_replica_regions\",\"cnAwsSharedCredentialsFile\":\"/etc/jans/conf/aws_shared_credential_file\",\"cnConfiguratorConfigurationFile\":\"/etc/jans/conf/configuration.json\",\"cnConfiguratorCustomSchema\":{\"secretName\":\"\"},\"cnConfiguratorDumpFile\":\"/etc/jans/conf/configuration.out.json\",\"cnDocumentStoreType\":\"DB\",\"cnGoogleApplicationCredentials\":\"/etc/jans/conf/google-credentials.json\",\"cnObExtSigningAlias\":\"\",\"cnObExtSigningJwksCrt\":\"\",\"cnObExtSigningJwksKey\":\"\",\"cnObExtSigningJwksKeyPassPhrase\":\"\",\"cnObExtSigningJwksUri\":\"\",\"cnObStaticSigningKeyKid\":\"\",\"cnObTransportAlias\":\"\",\"cnObTransportCrt\":\"\",\"cnObTransportKey\":\"\",\"cnObTransportKeyPassPhrase\":\"\",\"cnObTransportTrustStore\":\"\",\"cnPersistenceType\":\"sql\",\"cnPrometheusPort\":\"\",\"cnSqlPasswordFile\":\"/etc/jans/conf/sql_password\",\"config\":{\"customAnnotations\":{\"clusterRoleBinding\":{},\"configMap\":{},\"job\":{},\"role\":{},\"roleBinding\":{},\"secret\":{},\"service\":{},\"serviceAccount\":{}},\"enabled\":true},\"config-api\":{\"adminUiAppLoggers\":{\"adminUiAuditLogLevel\":\"INFO\",\"adminUiAuditLogTarget\":\"FILE\",\"adminUiLogLevel\":\"INFO\",\"adminUiLogTarget\":\"FILE\",\"enableStdoutLogPrefix\":\"true\"},\"appLoggers\":{\"configApiLogLevel\":\"INFO\",\"configApiLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scri
ptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"configApiServerServiceName\":\"config-api\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"configApiAdditionalAnnotations\":{},\"configApiEnabled\":true,\"configApiLabels\":{}},\"plugins\":\"admin-ui,fido2,scim,user-mgt\"},\"configAdapterName\":\"kubernetes\",\"configSecretAdapter\":\"kubernetes\",\"distribution\":\"default\",\"fido2\":{\"appLoggers\":{\"enableStdoutLogPrefix\":\"true\",\"fido2LogLevel\":\"INFO\",\"fido2LogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"fido2ServiceName\":\"fido2\",\"ingress\":{\"fido2AdditionalAnnotations\":{},\"fido2ConfigAdditionalAnnotations\":{},\"fido2ConfigEnabled\":false,\"fido2ConfigLabels\":{},\"fido2Enabled\":false,\"fido2Labels\":{},\"fido2WebauthnAdditionalAnnotations\":{},\"fido2WebauthnEnabled\":false,\"fido2WebauthnLabels\":{}}},\"fqdn\":\"demoexample.gluu.org\",\"gcePdStorageType\":\"pd-standard\",\"isFqdnRegistered\":false,\"istio\":{\"additionalAnnotations\":{},\"additionalLabels\":{},\"enabled\":false,\"gateways\":[],\"ingress\":false,\"namespace\":\"istio-system\"},\"jobTtlSecondsAfterFinished\":300,\"kc-scheduler\":{\"enabled\":false},\"lbIp\":\"22.22.22.22\",\"link\":{\"appLoggers\":{\"enableStdoutLogPrefix\":\"true\",\"linkLogLevel\":\"INFO\",\"linkLogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenc
eLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"service\":{},\"virtualService\":{}},\"enabled\":false,\"ingress\":{\"linkAdditionalAnnotations\":{},\"linkEnabled\":true,\"linkLabels\":{}},\"linkServiceName\":\"link\"},\"nginx-ingress\":{\"enabled\":true},\"persistence\":{\"customAnnotations\":{\"job\":{},\"secret\":{},\"service\":{}},\"enabled\":true},\"saml\":{\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":false,\"ingress\":{\"samlAdditionalAnnotations\":{},\"samlEnabled\":false,\"samlLabels\":{}},\"samlServiceName\":\"saml\"},\"scim\":{\"appLoggers\":{\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scimLogLevel\":\"INFO\",\"scimLogTarget\":\"STDOUT\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"scimAdditionalAnnotations\":{},\"scimConfigAdditionalAnnotations\":{},\"scimConfigEnabled\":false,\"scimConfigLabels\":{},\"scimEnabled\":false,\"scimLabels\":{}},\"scimServiceName\":\"scim\"},\"serviceAccountName\":\"default\",\"storageClass\":{\"allowVolumeExpansion\":true,\"allowedTopologies\":[],\"mountOptions\":[\"debug\"],\"parameters\":{},\"provisioner\":\"microk8s.io/hostpath\",\"reclaimPolicy\":\"Retain\",\"volumeBindingMode\":\"WaitForFirstConsumer\"},\"usrEnvs\":{\"normal\":{},\"secret\":{}}} Parameters 
used globally across all services helm charts. global.admin-ui.adminUiServiceName string \"admin-ui\" Name of the admin-ui service. Please keep it as default. global.admin-ui.enabled bool true Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. global.admin-ui.ingress.adminUiAdditionalAnnotations object {} Admin UI ingress resource additional annotations. global.admin-ui.ingress.adminUiEnabled bool false Enable Admin UI endpoints in either istio or nginx ingress depending on users choice global.admin-ui.ingress.adminUiLabels object {} Admin UI ingress resource labels. key app is taken. global.alb.ingress bool false Activates ALB ingress global.auth-server-key-rotation.enabled bool true Boolean flag to enable/disable the auth-server-key rotation cronjob chart. global.auth-server-key-rotation.initKeysLife int 48 The initial auth server key rotation keys life in hours global.auth-server.appLoggers object {\"auditStatsLogLevel\":\"INFO\",\"auditStatsLogTarget\":\"FILE\",\"authLogLevel\":\"INFO\",\"authLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"httpLogLevel\":\"INFO\",\"httpLogTarget\":\"FILE\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.auth-server.appLoggers.auditStatsLogLevel string \"INFO\" jans-auth_audit.log level global.auth-server.appLoggers.auditStatsLogTarget string \"FILE\" jans-auth_script.log target global.auth-server.appLoggers.authLogLevel string \"INFO\" jans-auth.log level global.auth-server.appLoggers.authLogTarget string \"STDOUT\" jans-auth.log target global.auth-server.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO global.auth-server.appLoggers.httpLogLevel string \"INFO\" http_request_response.log level global.auth-server.appLoggers.httpLogTarget string \"FILE\" http_request_response.log target global.auth-server.appLoggers.persistenceDurationLogLevel string \"INFO\" jans-auth_persistence_duration.log level global.auth-server.appLoggers.persistenceDurationLogTarget string \"FILE\" jans-auth_persistence_duration.log target global.auth-server.appLoggers.persistenceLogLevel string \"INFO\" jans-auth_persistence.log level global.auth-server.appLoggers.persistenceLogTarget string \"FILE\" jans-auth_persistence.log target global.auth-server.appLoggers.scriptLogLevel string \"INFO\" jans-auth_script.log level global.auth-server.appLoggers.scriptLogTarget string \"FILE\" jans-auth_script.log target global.auth-server.authEncKeys string \"RSA1_5 RSA-OAEP\" space-separated key algorithm for encryption (default to RSA1_5 RSA-OAEP ) global.auth-server.authServerServiceName string \"auth-server\" Name of the auth-server service. Please keep it as default. global.auth-server.authSigKeys string \"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512\" space-separated key algorithm for signing (default to RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512 ) global.auth-server.cnCustomJavaOptions string \"\" passing custom java options to auth-server. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.auth-server.enabled bool true Boolean flag to enable/disable auth-server chart. You should never set this to false. 
global.auth-server.ingress object {\"authServerAdditionalAnnotations\":{},\"authServerEnabled\":true,\"authServerLabels\":{},\"authServerProtectedRegister\":false,\"authServerProtectedRegisterAdditionalAnnotations\":{},\"authServerProtectedRegisterLabels\":{},\"authServerProtectedToken\":false,\"authServerProtectedTokenAdditionalAnnotations\":{},\"authServerProtectedTokenLabels\":{},\"authzenAdditionalAnnotations\":{},\"authzenConfigEnabled\":true,\"authzenConfigLabels\":{},\"deviceCodeAdditionalAnnotations\":{},\"deviceCodeEnabled\":true,\"deviceCodeLabels\":{},\"firebaseMessagingAdditionalAnnotations\":{},\"firebaseMessagingEnabled\":true,\"firebaseMessagingLabels\":{},\"lockAdditionalAnnotations\":{},\"lockConfigAdditionalAnnotations\":{},\"lockConfigEnabled\":false,\"lockConfigLabels\":{},\"lockEnabled\":false,\"lockLabels\":{},\"openidAdditionalAnnotations\":{},\"openidConfigEnabled\":true,\"openidConfigLabels\":{},\"u2fAdditionalAnnotations\":{},\"u2fConfigEnabled\":true,\"u2fConfigLabels\":{},\"uma2AdditionalAnnotations\":{},\"uma2ConfigEnabled\":true,\"uma2ConfigLabels\":{},\"webdiscoveryAdditionalAnnotations\":{},\"webdiscoveryEnabled\":true,\"webdiscoveryLabels\":{},\"webfingerAdditionalAnnotations\":{},\"webfingerEnabled\":true,\"webfingerLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.auth-server.ingress.authServerAdditionalAnnotations object {} Auth server ingress resource additional annotations. global.auth-server.ingress.authServerEnabled bool true Enable Auth server endpoints /jans-auth global.auth-server.ingress.authServerLabels object {} Auth server ingress resource labels. key app is taken global.auth-server.ingress.authServerProtectedRegister bool false Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. 
global.auth-server.ingress.authServerProtectedRegisterAdditionalAnnotations object {} Auth server protected register ingress resource additional annotations. global.auth-server.ingress.authServerProtectedRegisterLabels object {} Auth server protected token ingress resource labels. key app is taken global.auth-server.ingress.authServerProtectedToken bool false Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. global.auth-server.ingress.authServerProtectedTokenAdditionalAnnotations object {} Auth server protected token ingress resource additional annotations. global.auth-server.ingress.authServerProtectedTokenLabels object {} Auth server protected token ingress resource labels. key app is taken global.auth-server.ingress.authzenAdditionalAnnotations object {} authzen config ingress resource additional annotations. global.auth-server.ingress.authzenConfigEnabled bool true Enable endpoint /.well-known/authzen-configuration global.auth-server.ingress.authzenConfigLabels object {} authzen config ingress resource labels. key app is taken global.auth-server.ingress.deviceCodeAdditionalAnnotations object {} device-code ingress resource additional annotations. global.auth-server.ingress.deviceCodeEnabled bool true Enable endpoint /device-code global.auth-server.ingress.deviceCodeLabels object {} device-code ingress resource labels. key app is taken global.auth-server.ingress.firebaseMessagingAdditionalAnnotations object {} Firebase Messaging ingress resource additional annotations. global.auth-server.ingress.firebaseMessagingEnabled bool true Enable endpoint /firebase-messaging-sw.js global.auth-server.ingress.firebaseMessagingLabels object {} Firebase Messaging ingress resource labels. key app is taken global.auth-server.ingress.lockAdditionalAnnotations object {} Lock ingress resource additional annotations. global.auth-server.ingress.lockConfigAdditionalAnnotations object {} Lock config ingress resource additional annotations. 
global.auth-server.ingress.lockConfigEnabled bool false Enable endpoint /.well-known/lock-server-configuration global.auth-server.ingress.lockConfigLabels object {} Lock config ingress resource labels. key app is taken global.auth-server.ingress.lockEnabled bool false Enable endpoint /jans-lock global.auth-server.ingress.lockLabels object {} Lock ingress resource labels. key app is taken global.auth-server.ingress.openidAdditionalAnnotations object {} openid-configuration ingress resource additional annotations. global.auth-server.ingress.openidConfigEnabled bool true Enable endpoint /.well-known/openid-configuration global.auth-server.ingress.openidConfigLabels object {} openid-configuration ingress resource labels. key app is taken global.auth-server.ingress.u2fAdditionalAnnotations object {} u2f config ingress resource additional annotations. global.auth-server.ingress.u2fConfigEnabled bool true Enable endpoint /.well-known/fido-configuration global.auth-server.ingress.u2fConfigLabels object {} u2f config ingress resource labels. key app is taken global.auth-server.ingress.uma2AdditionalAnnotations object {} uma2 config ingress resource additional annotations. global.auth-server.ingress.uma2ConfigEnabled bool true Enable endpoint /.well-known/uma2-configuration global.auth-server.ingress.uma2ConfigLabels object {} uma2 config ingress resource labels. key app is taken global.auth-server.ingress.webdiscoveryAdditionalAnnotations object {} webdiscovery ingress resource additional annotations. global.auth-server.ingress.webdiscoveryEnabled bool true Enable endpoint /.well-known/simple-web-discovery global.auth-server.ingress.webdiscoveryLabels object {} webdiscovery ingress resource labels. key app is taken global.auth-server.ingress.webfingerAdditionalAnnotations object {} webfinger ingress resource additional annotations. 
global.auth-server.ingress.webfingerEnabled bool true Enable endpoint /.well-known/webfinger global.auth-server.ingress.webfingerLabels object {} webfinger ingress resource labels. key app is taken global.auth-server.lockEnabled bool false Enable jans-lock as service running inside auth-server global.awsStorageType string \"io1\" Volume storage type if using AWS volumes. global.azureStorageAccountType string \"Standard_LRS\" Volume storage type if using Azure disks. global.azureStorageKind string \"Managed\" Azure storage kind if using Azure disks global.casa.appLoggers object {\"casaLogLevel\":\"INFO\",\"casaLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"timerLogLevel\":\"INFO\",\"timerLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.casa.appLoggers.casaLogLevel string \"INFO\" casa.log level global.casa.appLoggers.casaLogTarget string \"STDOUT\" casa.log target global.casa.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO global.casa.appLoggers.timerLogLevel string \"INFO\" casa timer log level global.casa.appLoggers.timerLogTarget string \"FILE\" casa timer log target global.casa.casaServiceName string \"casa\" Name of the casa service. Please keep it as default. global.casa.cnCustomJavaOptions string \"\" passing custom java options to casa. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.casa.enabled bool true Boolean flag to enable/disable the casa chart. 
global.casa.ingress object {\"casaAdditionalAnnotations\":{},\"casaEnabled\":false,\"casaLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.casa.ingress.casaAdditionalAnnotations object {} Casa ingress resource additional annotations. global.casa.ingress.casaEnabled bool false Enable casa endpoints /casa global.casa.ingress.casaLabels object {} Casa ingress resource labels. key app is taken global.cloud.testEnviroment bool false Boolean flag if enabled will strip resources requests and limits from all services. global.cnConfiguratorConfigurationFile string \"/etc/jans/conf/configuration.json\" Path to configuration schema file global.cnConfiguratorCustomSchema object {\"secretName\":\"\"} Use custom configuration schema in existing secrets. Note, the secrets has to contain the key configuration.json or any basename as specified in cnConfiguratorConfigurationFile. global.cnConfiguratorCustomSchema.secretName string \"\" The name of the secrets used for storing custom configuration schema. global.cnConfiguratorDumpFile string \"/etc/jans/conf/configuration.out.json\" Path to dumped configuration schema file global.cnDocumentStoreType string \"DB\" Document store type to use for shibboleth files DB. global.cnGoogleApplicationCredentials string \"/etc/jans/conf/google-credentials.json\" Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets. Leave as this is a sensible default. global.cnObExtSigningAlias string \"\" Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G global.cnObExtSigningJwksCrt string \"\" Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when .global.cnObExtSigningJwksUri is set. global.cnObExtSigningJwksKey string \"\" Open banking external signing jwks AS key string. 
Used in SSA Validation. This must be encoded using base64. Used when .global.cnObExtSigningJwksUri is set. global.cnObExtSigningJwksKeyPassPhrase string \"\" Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when .global.cnObExtSigningJwksUri is set. global.cnObExtSigningJwksUri string \"\" Open banking external signing jwks uri. Used in SSA Validation. global.cnObStaticSigningKeyKid string \"\" Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G global.cnObTransportAlias string \"\" Open banking transport Alias used inside the JVM. global.cnObTransportCrt string \"\" Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. global.cnObTransportKey string \"\" Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. global.cnObTransportKeyPassPhrase string \"\" Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. global.cnObTransportTrustStore string \"\" Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. global.cnPersistenceType string \"sql\" Persistence backend to run Gluu with hybrid global.cnPrometheusPort string \"\" Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. 
global.cnSqlPasswordFile string \"/etc/jans/conf/sql_password\" Path to SQL password file global.config-api.adminUiAppLoggers.adminUiAuditLogLevel string \"INFO\" config-api admin-ui plugin audit log level global.config-api.adminUiAppLoggers.adminUiAuditLogTarget string \"FILE\" config-api admin-ui plugin audit log target global.config-api.adminUiAppLoggers.adminUiLogLevel string \"INFO\" config-api admin-ui plugin log target global.config-api.adminUiAppLoggers.adminUiLogTarget string \"FILE\" config-api admin-ui plugin log level global.config-api.adminUiAppLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO global.config-api.appLoggers object {\"configApiLogLevel\":\"INFO\",\"configApiLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.config-api.appLoggers.configApiLogLevel string \"INFO\" configapi.log level global.config-api.appLoggers.configApiLogTarget string \"STDOUT\" configapi.log target global.config-api.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO global.config-api.appLoggers.persistenceDurationLogLevel string \"INFO\" config-api_persistence_duration.log level global.config-api.appLoggers.persistenceDurationLogTarget string \"FILE\" config-api_persistence_duration.log target global.config-api.appLoggers.persistenceLogLevel string \"INFO\" config-api_persistence.log level global.config-api.appLoggers.persistenceLogTarget string \"FILE\" config-api_persistence.log target global.config-api.appLoggers.scriptLogLevel string \"INFO\" config-api_script.log level global.config-api.appLoggers.scriptLogTarget string \"FILE\" config-api_script.log target global.config-api.cnCustomJavaOptions string \"\" passing custom java options to config-api. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.config-api.configApiServerServiceName string \"config-api\" Name of the config-api service. Please keep it as default. global.config-api.enabled bool true Boolean flag to enable/disable the config-api chart. global.config-api.ingress object {\"configApiAdditionalAnnotations\":{},\"configApiEnabled\":true,\"configApiLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.config-api.ingress.configApiAdditionalAnnotations object {} ConfigAPI ingress resource additional annotations. global.config-api.ingress.configApiLabels object {} configAPI ingress resource labels. key app is taken global.config-api.plugins string \"admin-ui,fido2,scim,user-mgt\" Comma-separated values of enabled plugins (supported plugins are \"admin-ui\",\"fido2\",\"scim\",\"user-mgt\",\"jans-link\",\"kc-saml\") global.config.enabled bool true Boolean flag to enable/disable the configuration chart. This normally should never be false global.configAdapterName string \"kubernetes\" The config backend adapter that will hold Gluu configuration layer. 
aws global.configSecretAdapter string \"kubernetes\" The config backend adapter that will hold Gluu secret layer. vault global.distribution string \"default\" Gluu distributions supported are: default global.fido2.appLoggers object {\"enableStdoutLogPrefix\":\"true\",\"fido2LogLevel\":\"INFO\",\"fido2LogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.fido2.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO global.fido2.appLoggers.fido2LogLevel string \"INFO\" fido2.log level global.fido2.appLoggers.fido2LogTarget string \"STDOUT\" fido2.log target global.fido2.appLoggers.persistenceDurationLogLevel string \"INFO\" fido2_persistence_duration.log level global.fido2.appLoggers.persistenceDurationLogTarget string \"FILE\" fido2_persistence_duration.log target global.fido2.appLoggers.persistenceLogLevel string \"INFO\" fido2_persistence.log level global.fido2.appLoggers.persistenceLogTarget string \"FILE\" fido2_persistence.log target global.fido2.appLoggers.scriptLogLevel string \"INFO\" fido2_script.log level global.fido2.appLoggers.scriptLogTarget string \"FILE\" fido2_script.log target global.fido2.cnCustomJavaOptions string \"\" passing custom java options to fido2. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.fido2.enabled bool true Boolean flag to enable/disable the fido2 chart. global.fido2.fido2ServiceName string \"fido2\" Name of the fido2 service. Please keep it as default. 
global.fido2.ingress object {\"fido2AdditionalAnnotations\":{},\"fido2ConfigAdditionalAnnotations\":{},\"fido2ConfigEnabled\":false,\"fido2ConfigLabels\":{},\"fido2Enabled\":false,\"fido2Labels\":{},\"fido2WebauthnAdditionalAnnotations\":{},\"fido2WebauthnEnabled\":false,\"fido2WebauthnLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.fido2.ingress.fido2AdditionalAnnotations object {} fido2 ingress resource additional annotations. global.fido2.ingress.fido2ConfigAdditionalAnnotations object {} fido2 config ingress resource additional annotations. global.fido2.ingress.fido2ConfigEnabled bool false Enable endpoint /.well-known/fido2-configuration global.fido2.ingress.fido2ConfigLabels object {} fido2 config ingress resource labels. key app is taken global.fido2.ingress.fido2Enabled bool false Enable endpoint /jans-fido2 global.fido2.ingress.fido2Labels object {} fido2 ingress resource labels. key app is taken global.fido2.ingress.fido2WebauthnAdditionalAnnotations object {} fido2 webauthn ingress resource additional annotations. global.fido2.ingress.fido2WebauthnEnabled bool false Enable endpoint /.well-known/webauthn global.fido2.ingress.fido2WebauthnLabels object {} fido2 webauthn ingress resource labels. key app is taken global.fqdn string \"demoexample.gluu.org\" Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. global.gcePdStorageType string \"pd-standard\" GCE storage kind if using Google disks global.isFqdnRegistered bool false Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. 
global.istio.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of global.istio.additionalLabels object {} Additional labels that will be added across the gateway in the format of global.istio.enabled bool false Boolean flag that enables using istio side-cars with Gluu services. global.istio.gateways list [] Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. global.istio.ingress bool false Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. global.istio.namespace string \"istio-system\" The namespace istio is deployed in. The is normally istio-system. global.jobTtlSecondsAfterFinished int 300 https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ global.kc-scheduler.enabled bool false Boolean flag to enable/disable the kc-scheduler cronjob chart. global.lbIp string \"22.22.22.22\" The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if global.fqdn is globally resolvable. global.link.appLoggers object {\"enableStdoutLogPrefix\":\"true\",\"linkLogLevel\":\"INFO\",\"linkLogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.link.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e link-persistence ===> 2022-12-20 17:49:55,744 INFO global.link.appLoggers.linkLogLevel string \"INFO\" cacherefresh.log level global.link.appLoggers.linkLogTarget string \"STDOUT\" cacherefresh.log target global.link.appLoggers.persistenceDurationLogLevel string \"INFO\" cacherefresh_persistence_duration.log level global.link.appLoggers.persistenceDurationLogTarget string \"FILE\" cacherefresh_persistence_duration.log target global.link.appLoggers.persistenceLogLevel string \"INFO\" cacherefresh_persistence.log level global.link.appLoggers.persistenceLogTarget string \"FILE\" cacherefresh_persistence.log target global.link.appLoggers.scriptLogLevel string \"INFO\" cacherefresh_script.log level global.link.appLoggers.scriptLogTarget string \"FILE\" cacherefresh_script.log target global.link.cnCustomJavaOptions string \"\" passing custom java options to link. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.link.customAnnotations object {\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"service\":{},\"virtualService\":{}} Add custom annotations for kubernetes resources for the service global.link.enabled bool false Boolean flag to enable/disable the link chart. global.link.ingress object {\"linkAdditionalAnnotations\":{},\"linkEnabled\":true,\"linkLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.link.ingress.linkAdditionalAnnotations object {} link ingress resource additional annotations. global.link.ingress.linkLabels object {} link ingress resource labels. key app is taken global.link.linkServiceName string \"link\" Name of the link service. Please keep it as default. global.nginx-ingress.enabled bool true Boolean flag to enable/disable the nginx-ingress definitions chart. global.persistence.enabled bool true Boolean flag to enable/disable the persistence chart. 
global.saml.cnCustomJavaOptions string \"\" passing custom java options to saml. DO NOT PASS JAVA_OPTIONS in envs. global.saml.enabled bool false Boolean flag to enable/disable the saml chart. global.saml.ingress object {\"samlAdditionalAnnotations\":{},\"samlEnabled\":false,\"samlLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.saml.ingress.samlAdditionalAnnotations object {} SAML ingress resource additional annotations. global.saml.ingress.samlLabels object {} SAML ingress resource labels. key app is taken global.saml.samlServiceName string \"saml\" Name of the saml service. Please keep it as default. global.scim.appLoggers object {\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scimLogLevel\":\"INFO\",\"scimLogTarget\":\"STDOUT\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.scim.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO global.scim.appLoggers.persistenceDurationLogLevel string \"INFO\" jans-scim_persistence_duration.log level global.scim.appLoggers.persistenceDurationLogTarget string \"FILE\" jans-scim_persistence_duration.log target global.scim.appLoggers.persistenceLogLevel string \"INFO\" jans-scim_persistence.log level global.scim.appLoggers.persistenceLogTarget string \"FILE\" jans-scim_persistence.log target global.scim.appLoggers.scimLogLevel string \"INFO\" jans-scim.log level global.scim.appLoggers.scimLogTarget string \"STDOUT\" jans-scim.log target global.scim.appLoggers.scriptLogLevel string \"INFO\" jans-scim_script.log level global.scim.appLoggers.scriptLogTarget string \"FILE\" jans-scim_script.log target global.scim.cnCustomJavaOptions string \"\" passing custom java options to scim. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.scim.enabled bool true Boolean flag to enable/disable the SCIM chart. global.scim.ingress object {\"scimAdditionalAnnotations\":{},\"scimConfigAdditionalAnnotations\":{},\"scimConfigEnabled\":false,\"scimConfigLabels\":{},\"scimEnabled\":false,\"scimLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.scim.ingress.scimAdditionalAnnotations object {} SCIM ingress resource additional annotations. global.scim.ingress.scimConfigAdditionalAnnotations object {} SCIM config ingress resource additional annotations. global.scim.ingress.scimConfigEnabled bool false Enable endpoint /.well-known/scim-configuration global.scim.ingress.scimConfigLabels object {} SCIM config ingress resource labels. key app is taken global.scim.ingress.scimEnabled bool false Enable SCIM endpoints /jans-scim global.scim.ingress.scimLabels object {} SCIM ingress resource labels. key app is taken global.scim.scimServiceName string \"scim\" Name of the scim service. Please keep it as default. 
global.serviceAccountName string \"default\" service account used by Kubernetes resources global.storageClass object {\"allowVolumeExpansion\":true,\"allowedTopologies\":[],\"mountOptions\":[\"debug\"],\"parameters\":{},\"provisioner\":\"microk8s.io/hostpath\",\"reclaimPolicy\":\"Retain\",\"volumeBindingMode\":\"WaitForFirstConsumer\"} StorageClass section. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. global.storageClass.parameters object {} parameters: fsType: \"\" kind: \"\" pool: \"\" storageAccountType: \"\" type: \"\" global.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services global.usrEnvs.normal object {} Add custom normal envs to the service. variable1: value1 global.usrEnvs.secret object {} Add custom secret envs to the service. variable1: value1 installer-settings object {\"acceptLicense\":\"\",\"aws\":{\"arn\":{\"arnAcmCert\":\"\",\"enabled\":\"\"},\"lbType\":\"\",\"vpcCidr\":\"0.0.0.0/0\"},\"confirmSettings\":false,\"currentVersion\":\"\",\"google\":{\"useSecretManager\":\"\"},\"images\":{\"edit\":\"\"},\"namespace\":\"\",\"nginxIngress\":{\"namespace\":\"\",\"releaseName\":\"\"},\"nodes\":{\"ips\":\"\",\"names\":\"\",\"zones\":\"\"},\"openbanking\":{\"cnObTransportTrustStoreP12password\":\"\",\"hasCnObTransportTrustStore\":false},\"postgres\":{\"install\":\"\",\"namespace\":\"\"},\"redis\":{\"install\":\"\",\"namespace\":\"\"},\"releaseName\":\"\",\"sql\":{\"install\":\"\",\"namespace\":\"\"},\"volumeProvisionStrategy\":\"\"} Only used by the installer. 
These settings do not affect nor are used by the chart kc-scheduler object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/kc-scheduler\",\"tag\":\"1.3.0-1\"},\"interval\":10,\"lifecycle\":{},\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Responsible for synchronizing Keycloak SAML clients kc-scheduler.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of kc-scheduler.additionalLabels object {} Additional labels that will be added across the gateway in the format of kc-scheduler.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. kc-scheduler.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh kc-scheduler.dnsConfig object {} Add custom dns config kc-scheduler.dnsPolicy string \"\" Add custom dns policy kc-scheduler.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. kc-scheduler.image.pullSecrets list [] Image Pull Secrets kc-scheduler.image.repository string \"ghcr.io/janssenproject/jans/kc-scheduler\" Image to use for deploying. kc-scheduler.image.tag string \"1.3.0-1\" Image tag to use for deploying. kc-scheduler.interval int 10 Interval of running the scheduler (in minutes) kc-scheduler.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. kc-scheduler.resources.limits.cpu string \"300m\" CPU limit. kc-scheduler.resources.limits.memory string \"300Mi\" Memory limit. 
kc-scheduler.resources.requests.cpu string \"300m\" CPU request. kc-scheduler.resources.requests.memory string \"300Mi\" Memory request. kc-scheduler.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service kc-scheduler.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 kc-scheduler.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 kc-scheduler.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers kc-scheduler.volumes list [] Configure any additional volumes that need to be attached to the pod link object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/link\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Link. link.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of link.additionalLabels object {} Additional labels that will be added across the gateway in the format of link.customCommand list [] Add custom pod's command. 
If passed, it will override the default conditional command. link.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh link.dnsConfig object {} Add custom dns config link.dnsPolicy string \"\" Add custom dns policy link.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler link.hpa.behavior object {} Scaling Policies link.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set link.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. link.image.pullSecrets list [] Image Pull Secrets link.image.repository string \"ghcr.io/janssenproject/jans/link\" Image to use for deploying. link.image.tag string \"1.3.0-1\" Image tag to use for deploying. link.livenessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. link.livenessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http liveness probe endpoint link.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget link.readinessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http readiness probe endpoint link.replicas int 1 Service replica number. link.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}} Resource specs. link.resources.limits.cpu string \"500m\" CPU limit. link.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. link.resources.requests.cpu string \"500m\" CPU request. 
link.resources.requests.memory string \"1200Mi\" Memory request. link.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ link.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service link.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 link.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 link.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers link.volumes list [] Configure any additional volumes that need to be attached to the pod nginx-ingress object {\"certManager\":{\"certificate\":{\"enabled\":false,\"issuerGroup\":\"cert-manager.io\",\"issuerKind\":\"ClusterIssuer\",\"issuerName\":\"\"}},\"ingress\":{\"additionalAnnotations\":{},\"additionalLabels\":{},\"hosts\":[\"demoexample.gluu.org\"],\"ingressClassName\":\"nginx\",\"path\":\"/\",\"tls\":[{\"hosts\":[\"demoexample.gluu.org\"],\"secretName\":\"tls-certificate\"}]}} Nginx ingress definitions chart nginx-ingress.ingress.additionalAnnotations object {} Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: \"optional\" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: \"gluu/tls-certificate\" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: \"1\" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: \"true\" nginx-ingress.ingress.additionalLabels object {} Additional labels that will be added across all ingress definitions in the format of 
nginx-ingress.ingress.tls list [{\"hosts\":[\"demoexample.gluu.org\"],\"secretName\":\"tls-certificate\"}] Secrets holding HTTPS CA cert and key. persistence object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/persistence-loader\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Job to generate data and initial config for Gluu Server persistence layer. persistence.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of persistence.additionalLabels object {} Additional labels that will be added across the gateway in the format of persistence.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. persistence.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh persistence.dnsConfig object {} Add custom dns config persistence.dnsPolicy string \"\" Add custom dns policy persistence.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. persistence.image.pullSecrets list [] Image Pull Secrets persistence.image.repository string \"ghcr.io/janssenproject/jans/persistence-loader\" Image to use for deploying. persistence.image.tag string \"1.3.0-1\" Image tag to use for deploying. persistence.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. persistence.resources.limits.cpu string \"300m\" CPU limit persistence.resources.limits.memory string \"300Mi\" Memory limit. 
persistence.resources.requests.cpu string \"300m\" CPU request. persistence.resources.requests.memory string \"300Mi\" Memory request. persistence.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service persistence.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 persistence.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 persistence.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers persistence.volumes list [] Configure any additional volumes that need to be attached to the pod saml object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/saml\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"failureThreshold\":10,\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"failureThreshold\":10,\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} SAML. 
saml.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of saml.additionalLabels object {} Additional labels that will be added across the gateway in the format of saml.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. saml.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh saml.dnsConfig object {} Add custom dns config saml.dnsPolicy string \"\" Add custom dns policy saml.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler saml.hpa.behavior object {} Scaling Policies saml.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set saml.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. saml.image.pullSecrets list [] Image Pull Secrets saml.image.repository string \"ghcr.io/janssenproject/jans/saml\" Image to use for deploying. saml.image.tag string \"1.3.0-1\" Image tag to use for deploying. saml.livenessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"failureThreshold\":10,\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. saml.livenessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http liveness probe endpoint saml.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget saml.readinessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http readiness probe endpoint saml.replicas int 1 Service replica number. saml.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}} Resource specs. saml.resources.limits.cpu string \"500m\" CPU limit. 
saml.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. saml.resources.requests.cpu string \"500m\" CPU request. saml.resources.requests.memory string \"1200Mi\" Memory request. saml.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ saml.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service saml.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 saml.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 saml.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers saml.volumes list [] Configure any additional volumes that need to be attached to the pod scim object 
{\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/scim\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"}},\"service\":{\"name\":\"http-scim\",\"port\":8080},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} System for Cross-domain Identity Management (SCIM) version 2.0 scim.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of scim.additionalLabels object {} Additional labels that will be added across the gateway in the format of scim.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. scim.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh scim.dnsConfig object {} Add custom dns config scim.dnsPolicy string \"\" Add custom dns policy scim.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler scim.hpa.behavior object {} Scaling Policies scim.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set scim.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. scim.image.pullSecrets list [] Image Pull Secrets scim.image.repository string \"ghcr.io/janssenproject/jans/scim\" Image to use for deploying. scim.image.tag string \"1.3.0-1\" Image tag to use for deploying. scim.livenessProbe object {\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for SCIM if needed. scim.livenessProbe.httpGet.path string \"/jans-scim/sys/health-check\" http liveness probe endpoint scim.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget scim.readinessProbe object {\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the readiness healthcheck for the SCIM if needed. scim.readinessProbe.httpGet.path string \"/jans-scim/sys/health-check\" http readiness probe endpoint scim.replicas int 1 Service replica number. scim.resources.limits.cpu string \"1000m\" CPU limit. scim.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. scim.resources.requests.cpu string \"1000m\" CPU request. scim.resources.requests.memory string \"1200Mi\" Memory request. scim.service.name string \"http-scim\" The name of the scim port within the scim service. 
Please keep it as default. scim.service.port int 8080 Port of the scim service. Please keep it as default. scim.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ scim.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service scim.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 scim.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 scim.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers scim.volumes list [] Configure any additional volumes that need to be attached to the pod","title":"Flex Helm Chart"},{"location":"reference/kubernetes/helm-chart/#gluu","text":"Gluu Access and Identity Management Homepage: https://www.gluu.org","title":"gluu"},{"location":"reference/kubernetes/helm-chart/#maintainers","text":"Name Email Url moabu team@gluu.org","title":"Maintainers"},{"location":"reference/kubernetes/helm-chart/#source-code","text":"https://docs.gluu.org","title":"Source Code"},{"location":"reference/kubernetes/helm-chart/#requirements","text":"Kubernetes: >=v1.21.0-0 Repository Name Version admin-ui 5.3.0 auth-server 1.3.0 auth-server-key-rotation 1.3.0 casa 1.3.0 cn-istio-ingress 1.3.0 config 1.3.0 config-api 1.3.0 fido2 1.3.0 kc-scheduler 1.3.0 link 1.3.0 nginx-ingress 1.3.0 persistence 1.3.0 saml 1.3.0 scim 1.3.0","title":"Requirements"},{"location":"reference/kubernetes/helm-chart/#values","text":"Key Type Default Description admin-ui object 
{\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/gluufederation/flex/admin-ui\",\"tag\":\"5.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"},\"requests\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Admin GUI for configuration of the auth-server admin-ui.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of admin-ui.additionalLabels object {} Additional labels that will be added across the gateway in the format of admin-ui.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. admin-ui.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh admin-ui.dnsConfig object {} Add custom dns config admin-ui.dnsPolicy string \"\" Add custom dns policy admin-ui.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler admin-ui.hpa.behavior object {} Scaling Policies admin-ui.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set admin-ui.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. admin-ui.image.pullSecrets list [] Image Pull Secrets admin-ui.image.repository string \"ghcr.io/gluufederation/flex/admin-ui\" Image to use for deploying. admin-ui.image.tag string \"5.3.0-1\" Image tag to use for deploying. admin-ui.livenessProbe object {\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5} Configure the liveness healthcheck for the admin ui if needed. admin-ui.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget admin-ui.readinessProbe object {\"failureThreshold\":20,\"initialDelaySeconds\":60,\"periodSeconds\":25,\"tcpSocket\":{\"port\":8080},\"timeoutSeconds\":5} Configure the readiness healthcheck for the admin ui if needed. admin-ui.replicas int 1 Service replica number. admin-ui.resources object {\"limits\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"},\"requests\":{\"cpu\":\"2000m\",\"memory\":\"2000Mi\"}} Resource specs. admin-ui.resources.limits.cpu string \"2000m\" CPU limit. admin-ui.resources.limits.memory string \"2000Mi\" Memory limit. admin-ui.resources.requests.cpu string \"2000m\" CPU request. admin-ui.resources.requests.memory string \"2000Mi\" Memory request. admin-ui.topologySpreadConstraints object {} Configure the topology spread constraints. 
Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ admin-ui.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service admin-ui.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 admin-ui.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 admin-ui.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers admin-ui.volumes list [] Configure any additional volumes that need to be attached to the pod auth-server object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/auth-server\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"},\"requests\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} OAuth Authorization Server, the OpenID Connect Provider, the UMA Authorization Server--this is the main Internet facing component of Gluu. It's the service that returns tokens, JWT's and identity assertions. This service must be Internet facing. 
auth-server-key-rotation object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/certmanager\",\"tag\":\"1.3.0-1\"},\"keysLife\":48,\"keysPushDelay\":0,\"keysPushStrategy\":\"NEWER\",\"keysStrategy\":\"NEWER\",\"lifecycle\":{},\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Responsible for regenerating auth-keys per x hours auth-server-key-rotation.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of auth-server-key-rotation.additionalLabels object {} Additional labels that will be added across the gateway in the format of auth-server-key-rotation.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. auth-server-key-rotation.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh auth-server-key-rotation.dnsConfig object {} Add custom dns config auth-server-key-rotation.dnsPolicy string \"\" Add custom dns policy auth-server-key-rotation.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. auth-server-key-rotation.image.pullSecrets list [] Image Pull Secrets auth-server-key-rotation.image.repository string \"ghcr.io/janssenproject/jans/certmanager\" Image to use for deploying. auth-server-key-rotation.image.tag string \"1.3.0-1\" Image tag to use for deploying. 
auth-server-key-rotation.keysLife int 48 Auth server key rotation keys life in hours auth-server-key-rotation.keysPushDelay int 0 Delay (in seconds) before pushing private keys to Auth server auth-server-key-rotation.keysPushStrategy string \"NEWER\" Set key selection strategy after pushing private keys to Auth server (only takes effect when keysPushDelay value is greater than 0) auth-server-key-rotation.keysStrategy string \"NEWER\" Set key selection strategy used by Auth server auth-server-key-rotation.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. auth-server-key-rotation.resources.limits.cpu string \"300m\" CPU limit. auth-server-key-rotation.resources.limits.memory string \"300Mi\" Memory limit. auth-server-key-rotation.resources.requests.cpu string \"300m\" CPU request. auth-server-key-rotation.resources.requests.memory string \"300Mi\" Memory request. auth-server-key-rotation.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service auth-server-key-rotation.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 auth-server-key-rotation.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 auth-server-key-rotation.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers auth-server-key-rotation.volumes list [] Configure any additional volumes that need to be attached to the pod auth-server.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of auth-server.additionalLabels object {} Additional labels that will be added across the gateway in the format of auth-server.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. auth-server.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh auth-server.dnsConfig object {} Add custom dns config auth-server.dnsPolicy string \"\" Add custom dns policy auth-server.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler auth-server.hpa.behavior object {} Scaling Policies auth-server.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set auth-server.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. auth-server.image.pullSecrets list [] Image Pull Secrets auth-server.image.repository string \"ghcr.io/janssenproject/jans/auth-server\" Image to use for deploying. auth-server.image.tag string \"1.3.0-1\" Image tag to use for deploying. auth-server.livenessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. auth-server.livenessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} Executes the python3 healthcheck. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py auth-server.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget auth-server.readinessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the readiness healthcheck for the auth server if needed. https://github.com/JanssenProject/docker-jans-auth-server/blob/master/scripts/healthcheck.py auth-server.replicas int 1 Service replica number. auth-server.resources object {\"limits\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"},\"requests\":{\"cpu\":\"2500m\",\"memory\":\"2500Mi\"}} Resource specs. auth-server.resources.limits.cpu string \"2500m\" CPU limit. 
auth-server.resources.limits.memory string \"2500Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. auth-server.resources.requests.cpu string \"2500m\" CPU request. auth-server.resources.requests.memory string \"2500Mi\" Memory request. auth-server.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ auth-server.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service auth-server.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 auth-server.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 auth-server.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers auth-server.volumes list [] Configure any additional volumes that need to be attached to the pod casa object 
{\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/casa\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Janssen Casa (\"Casa\") is a self-service web portal for end-users to manage authentication and authorization preferences for their account in a Janssen Auth Server. casa.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of casa.additionalLabels object {} Additional labels that will be added across the gateway in the format of casa.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. casa.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh casa.dnsConfig object {} Add custom dns config casa.dnsPolicy string \"\" Add custom dns policy casa.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler casa.hpa.behavior object {} Scaling Policies casa.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set casa.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. casa.image.pullSecrets list [] Image Pull Secrets casa.image.repository string \"ghcr.io/janssenproject/jans/casa\" Image to use for deploying. casa.image.tag string \"1.3.0-1\" Image tag to use for deploying. casa.livenessProbe object {\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the liveness healthcheck for casa if needed. casa.livenessProbe.httpGet.path string \"/jans-casa/health-check\" http liveness probe endpoint casa.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget casa.readinessProbe object {\"httpGet\":{\"path\":\"/jans-casa/health-check\",\"port\":\"http-casa\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the readiness healthcheck for the casa if needed. casa.readinessProbe.httpGet.path string \"/jans-casa/health-check\" http readiness probe endpoint casa.replicas int 1 Service replica number. casa.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}} Resource specs. casa.resources.limits.cpu string \"500m\" CPU limit. casa.resources.limits.memory string \"500Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. casa.resources.requests.cpu string \"500m\" CPU request. 
casa.resources.requests.memory string \"500Mi\" Memory request. casa.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ casa.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service casa.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 casa.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 casa.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers casa.volumes list [] Configure any additional volumes that need to be attached to the pod config object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"adminPassword\":\"Test1234#\",\"city\":\"Austin\",\"configmap\":{\"cnAwsAccessKeyId\":\"\",\"cnAwsDefaultRegion\":\"us-west-1\",\"cnAwsProfile\":\"gluu\",\"cnAwsSecretAccessKey\":\"\",\"cnAwsSecretsEndpointUrl\":\"\",\"cnAwsSecretsNamePrefix\":\"gluu\",\"cnAwsSecretsReplicaRegions\":[],\"cnCacheType\":\"NATIVE_PERSISTENCE\",\"cnConfigKubernetesConfigMap\":\"cn\",\"cnGoogleProjectId\":\"google-project-to-save-config-and-secrets-to\",\"cnGoogleSecretManagerServiceAccount\":\"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=\",\"cnGoogleSecretNamePrefix\":\"gluu\",\"cnGoogleSecretVersionId\":\"latest\",\"cnJettyRequestHeaderSize\":8192,\"cnMaxRamPercent\":\"75.0\",\"cnMessageType\":\"DISABLED\",\"cnOpaUrl\":\"http://opa.opa.svc.cluster.cluster.local:8181/v1\",\"cnPersistenceHybridMapping\":\"{}\",\"cnRedisSentinelGroup\":\"\",\"cnRedisSslTruststore\":\"\",\"cnRedisType\":\"STANDALONE\",\"cnRedisUrl\":\"redis.redis.svc.cluster.local:6379\",\"cnRedisUseSsl\":false,\"cnScimProtectionMode\":\"OAUTH\",\"cnSecretKubernetesSecret\":\"cn\",\"cnSqlDbDialect\":\"mysql\",\"cnSqlDbHost\":\"my-release-mysql.default.svc.cluster.local\",\"cnSqlDbName\":\"gluu\",\"cnSqlDbPor
t\":3306,\"cnSqlDbSchema\":\"\",\"cnSqlDbTimezone\":\"UTC\",\"cnSqlDbUser\":\"gluu\",\"cnSqldbUserPassword\":\"Test1234#\",\"cnVaultAddr\":\"http://localhost:8200\",\"cnVaultAppRolePath\":\"approle\",\"cnVaultKvPath\":\"secret\",\"cnVaultNamespace\":\"\",\"cnVaultPrefix\":\"jans\",\"cnVaultRoleId\":\"\",\"cnVaultRoleIdFile\":\"/etc/certs/vault_role_id\",\"cnVaultSecretId\":\"\",\"cnVaultSecretIdFile\":\"/etc/certs/vault_secret_id\",\"cnVaultVerify\":false,\"kcAdminPassword\":\"Test1234#\",\"kcAdminUsername\":\"admin\",\"kcDbPassword\":\"Test1234#\",\"kcDbSchema\":\"keycloak\",\"kcDbUrlDatabase\":\"keycloak\",\"kcDbUrlHost\":\"mysql.kc.svc.cluster.local\",\"kcDbUrlPort\":3306,\"kcDbUrlProperties\":\"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4\",\"kcDbUsername\":\"keycloak\",\"kcDbVendor\":\"mysql\",\"kcLogLevel\":\"INFO\",\"lbAddr\":\"\",\"quarkusTransactionEnableRecovery\":true},\"countryCode\":\"US\",\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"email\":\"team@gluu.org\",\"image\":{\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/configurator\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"migration\":{\"enabled\":false,\"migrationDataFormat\":\"ldif\",\"migrationDir\":\"/ce-migration\"},\"orgName\":\"Gluu\",\"redisPassword\":\"P@assw0rd\",\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"salt\":\"\",\"state\":\"TX\",\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Configuration parameters for setup and initial configuration secret and config layers used by Gluu services. 
config-api object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/config-api\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-config-api/api/v1/health/live\",\"port\":8074},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"jans-config-api/api/v1/health/ready\",\"port\":8074},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Config Api endpoints can be used to configure the auth-server, which is an open-source OpenID Connect Provider (OP) and UMA Authorization Server (AS). config-api.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of config-api.additionalLabels object {} Additional labels that will be added across the gateway in the format of config-api.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. config-api.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh config-api.dnsConfig object {} Add custom dns config config-api.dnsPolicy string \"\" Add custom dns policy config-api.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler config-api.hpa.behavior object {} Scaling Policies config-api.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set config-api.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. config-api.image.pullSecrets list [] Image Pull Secrets config-api.image.repository string \"ghcr.io/janssenproject/jans/config-api\" Image to use for deploying. config-api.image.tag string \"1.3.0-1\" Image tag to use for deploying. config-api.livenessProbe object {\"httpGet\":{\"path\":\"/jans-config-api/api/v1/health/live\",\"port\":8074},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. config-api.livenessProbe.httpGet object {\"path\":\"/jans-config-api/api/v1/health/live\",\"port\":8074} http liveness probe endpoint config-api.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget config-api.readinessProbe.httpGet object {\"path\":\"jans-config-api/api/v1/health/ready\",\"port\":8074} http readiness probe endpoint config-api.replicas int 1 Service replica number. config-api.resources object {\"limits\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"}} Resource specs. config-api.resources.limits.cpu string \"1000m\" CPU limit. config-api.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. config-api.resources.requests.cpu string \"1000m\" CPU request. 
config-api.resources.requests.memory string \"1200Mi\" Memory request. config-api.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ config-api.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service config-api.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 config-api.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 config-api.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers config-api.volumes list [] Configure any additional volumes that need to be attached to the pod config.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of config.additionalLabels object {} Additional labels that will be added across the gateway in the format of config.adminPassword string \"Test1234#\" Admin password to log in to the UI. config.city string \"Austin\" City. Used for certificate creation. config.configmap.cnCacheType string \"NATIVE_PERSISTENCE\" Cache type. NATIVE_PERSISTENCE , REDIS . or IN_MEMORY . Defaults to NATIVE_PERSISTENCE . config.configmap.cnConfigKubernetesConfigMap string \"cn\" The name of the Kubernetes ConfigMap that will hold the configuration layer config.configmap.cnGoogleProjectId string \"google-project-to-save-config-and-secrets-to\" Project id of the Google project the secret manager belongs to. Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnGoogleSecretManagerServiceAccount string \"SWFtTm90YVNlcnZpY2VBY2NvdW50Q2hhbmdlTWV0b09uZQo=\" Service account with roles roles/secretmanager.admin base64 encoded string. This is used often inside the services to reach the configuration layer. 
Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnGoogleSecretNamePrefix string \"gluu\" Prefix for Gluu secret in Google Secret Manager. Defaults to gluu. If left gluu-secret secret will be created. Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnGoogleSecretVersionId string \"latest\" Secret version to be used for secret configuration. Defaults to latest and should normally always stay that way. Used only when global.configAdapterName and global.configSecretAdapter is set to google. config.configmap.cnJettyRequestHeaderSize int 8192 Jetty header size in bytes in the auth server config.configmap.cnMaxRamPercent string \"75.0\" Value passed to Java option -XX:MaxRAMPercentage config.configmap.cnMessageType string \"DISABLED\" Message type (one of POSTGRES, REDIS, or DISABLED) config.configmap.cnOpaUrl string \"http://opa.opa.svc.cluster.cluster.local:8181/v1\" URL of OPA API config.configmap.cnPersistenceHybridMapping string \"{}\" Specify data that should be saved in persistence (one of default, user, cache, site, token, or session; default to default). Note this environment only takes effect when global.cnPersistenceType is set to hybrid . config.configmap.cnRedisSentinelGroup string \"\" Redis Sentinel Group. Often set when config.configmap.cnRedisType is set to SENTINEL . Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnRedisSslTruststore string \"\" Redis SSL truststore. Optional. Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnRedisType string \"STANDALONE\" Redis service type. STANDALONE or CLUSTER . Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnRedisUrl string \"redis.redis.svc.cluster.local:6379\" Redis URL and port number : . Can be used when config.configmap.cnCacheType is set to REDIS . 
config.configmap.cnRedisUseSsl bool false Boolean to use SSL in Redis. Can be used when config.configmap.cnCacheType is set to REDIS . config.configmap.cnScimProtectionMode string \"OAUTH\" SCIM protection mode OAUTH config.configmap.cnSecretKubernetesSecret string \"cn\" Kubernetes secret name holding configuration keys. Used when global.configSecretAdapter is set to kubernetes which is the default. config.configmap.cnSqlDbDialect string \"mysql\" SQL database dialect. mysql or pgsql config.configmap.cnSqlDbHost string \"my-release-mysql.default.svc.cluster.local\" SQL database host uri. config.configmap.cnSqlDbName string \"gluu\" SQL database name. config.configmap.cnSqlDbPort int 3306 SQL database port. config.configmap.cnSqlDbSchema string \"\" Schema name used by SQL database (default to empty-string; if using MySQL, the schema name will be resolved as the database name, whereas in PostgreSQL the schema name will be resolved as \"public\" ). config.configmap.cnSqlDbTimezone string \"UTC\" SQL database timezone. config.configmap.cnSqlDbUser string \"gluu\" SQL database username. config.configmap.cnSqldbUserPassword string \"Test1234#\" SQL password injected the secrets . config.configmap.cnVaultAddr string \"http://localhost:8200\" Base URL of Vault. config.configmap.cnVaultAppRolePath string \"approle\" Path to Vault AppRole. config.configmap.cnVaultKvPath string \"secret\" Path to Vault KV secrets engine. config.configmap.cnVaultNamespace string \"\" Vault namespace used to access the secrets. config.configmap.cnVaultPrefix string \"jans\" Base prefix name used to access secrets. config.configmap.cnVaultRoleId string \"\" Vault AppRole RoleID. config.configmap.cnVaultRoleIdFile string \"/etc/certs/vault_role_id\" Path to file contains Vault AppRole role ID. config.configmap.cnVaultSecretId string \"\" Vault AppRole SecretID. config.configmap.cnVaultSecretIdFile string \"/etc/certs/vault_secret_id\" Path to file contains Vault AppRole secret ID. 
config.configmap.cnVaultVerify bool false Verify connection to Vault. config.configmap.kcAdminPassword string \"Test1234#\" Keycloak admin UI password config.configmap.kcAdminUsername string \"admin\" Keycloak admin UI username config.configmap.kcDbPassword string \"Test1234#\" Password for Keycloak database access config.configmap.kcDbSchema string \"keycloak\" Keycloak database schema name (note that PostgreSQL may be using \"public\" schema). config.configmap.kcDbUrlDatabase string \"keycloak\" Keycloak database name. config.configmap.kcDbUrlHost string \"mysql.kc.svc.cluster.local\" Keycloak database host uri config.configmap.kcDbUrlPort int 3306 Keycloak database port (default to port 3306 for mysql). config.configmap.kcDbUrlProperties string \"?useUnicode=true&characterEncoding=UTF-8&character_set_server=utf8mb4\" Keycloak database connection properties. If using postgresql, the value can be set to empty string. config.configmap.kcDbUsername string \"keycloak\" Keycloak database username config.configmap.kcDbVendor string \"mysql\" Keycloak database vendor name (default to MySQL server). To use PostgreSQL server, change the value to postgres. config.configmap.kcLogLevel string \"INFO\" Keycloak logging level config.configmap.lbAddr string \"\" Load balancer address for AWS if the FQDN is not registered. config.configmap.quarkusTransactionEnableRecovery bool true Quarkus transaction recovery. When using MySQL, there could be issue regarding XA_RECOVER_ADMIN; refer to https://dev.mysql.com/doc/refman/8.0/en/privileges-provided.html#priv_xa-recover-admin for details. config.countryCode string \"US\" Country code. Used for certificate creation. config.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. config.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh config.dnsConfig object {} Add custom dns config config.dnsPolicy string \"\" Add custom dns policy config.email string \"team@gluu.org\" Email address of the administrator usually. Used for certificate creation. config.image.pullSecrets list [] Image Pull Secrets config.image.repository string \"ghcr.io/janssenproject/jans/configurator\" Image to use for deploying. config.image.tag string \"1.3.0-1\" Image tag to use for deploying. config.migration object {\"enabled\":false,\"migrationDataFormat\":\"ldif\",\"migrationDir\":\"/ce-migration\"} CE to CN Migration section config.migration.enabled bool false Boolean flag to enable migration from CE config.migration.migrationDataFormat string \"ldif\" migration data-format depending on persistence backend. Supported data formats are ldif, postgresql+json, and mysql+json. config.migration.migrationDir string \"/ce-migration\" Directory holding all migration files config.orgName string \"Gluu\" Organization name. Used for certificate creation. config.redisPassword string \"P@assw0rd\" Redis admin password if config.configmap.cnCacheType is set to REDIS . config.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. config.resources.limits.cpu string \"300m\" CPU limit. config.resources.limits.memory string \"300Mi\" Memory limit. config.resources.requests.cpu string \"300m\" CPU request. config.resources.requests.memory string \"300Mi\" Memory request. config.salt string \"\" Salt. Used for encoding/decoding sensitive data. If omitted or set to empty string, the value will be self-generated. Otherwise, a 24 alphanumeric characters are allowed as its value. config.state string \"TX\" State code. Used for certificate creation. config.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service. config.usrEnvs.normal object {} Add custom normal envs to the service. 
variable1: value1 config.usrEnvs.secret object {} Add custom secret envs to the service. variable1: value1 config.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers config.volumes list [] Configure any additional volumes that need to be attached to the pod fido2 object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/fido2\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}},\"service\":{\"name\":\"http-fido2\",\"port\":8080},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} FIDO 2.0 (FIDO2) is an open authentication standard that enables leveraging common devices to authenticate to online services in both mobile and desktop environments. fido2.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of fido2.additionalLabels object {} Additional labels that will be added across the gateway in the format of fido2.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. 
fido2.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh fido2.dnsConfig object {} Add custom dns config fido2.dnsPolicy string \"\" Add custom dns policy fido2.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler fido2.hpa.behavior object {} Scaling Policies fido2.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set fido2.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. fido2.image.pullSecrets list [] Image Pull Secrets fido2.image.repository string \"ghcr.io/janssenproject/jans/fido2\" Image to use for deploying. fido2.image.tag string \"1.3.0-1\" Image tag to use for deploying. fido2.livenessProbe object {\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the liveness healthcheck for the fido2 if needed. fido2.livenessProbe.httpGet object {\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"} http liveness probe endpoint fido2.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget fido2.readinessProbe object {\"httpGet\":{\"path\":\"/jans-fido2/sys/health-check\",\"port\":\"http-fido2\"},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the readiness healthcheck for the fido2 if needed. fido2.replicas int 1 Service replica number. fido2.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"500Mi\"}} Resource specs. fido2.resources.limits.cpu string \"500m\" CPU limit. fido2.resources.limits.memory string \"500Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. 
fido2.resources.requests.cpu string \"500m\" CPU request. fido2.resources.requests.memory string \"500Mi\" Memory request. fido2.service.name string \"http-fido2\" The name of the fido2 port within the fido2 service. Please keep it as default. fido2.service.port int 8080 Port of the fido2 service. Please keep it as default. fido2.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ fido2.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service fido2.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 fido2.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 fido2.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers fido2.volumes list [] Configure any additional volumes that need to be attached to the pod global object {\"admin-ui\":{\"adminUiServiceName\":\"admin-ui\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"adminUiAdditionalAnnotations\":{},\"adminUiEnabled\":false,\"adminUiLabels\":{}}},\"alb\":{\"ingress\":false},\"auth-server\":{\"appLoggers\":{\"auditStatsLogLevel\":\"INFO\",\"auditStatsLogTarget\":\"FILE\",\"authLogLevel\":\"INFO\",\"authLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"httpLogLevel\":\"INFO\",\"httpLogTarget\":\"FILE\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"authEncKeys\":\"RSA1_5 RSA-OAEP\",\"authServerServiceName\":\"auth-server\",\"authSigKeys\":\"RS256 RS384 RS512 ES256 ES384 ES512 
PS256 PS384 PS512\",\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"authServerAdditionalAnnotations\":{},\"authServerEnabled\":true,\"authServerLabels\":{},\"authServerProtectedRegister\":false,\"authServerProtectedRegisterAdditionalAnnotations\":{},\"authServerProtectedRegisterLabels\":{},\"authServerProtectedToken\":false,\"authServerProtectedTokenAdditionalAnnotations\":{},\"authServerProtectedTokenLabels\":{},\"authzenAdditionalAnnotations\":{},\"authzenConfigEnabled\":true,\"authzenConfigLabels\":{},\"deviceCodeAdditionalAnnotations\":{},\"deviceCodeEnabled\":true,\"deviceCodeLabels\":{},\"firebaseMessagingAdditionalAnnotations\":{},\"firebaseMessagingEnabled\":true,\"firebaseMessagingLabels\":{},\"lockAdditionalAnnotations\":{},\"lockConfigAdditionalAnnotations\":{},\"lockConfigEnabled\":false,\"lockConfigLabels\":{},\"lockEnabled\":false,\"lockLabels\":{},\"openidAdditionalAnnotations\":{},\"openidConfigEnabled\":true,\"openidConfigLabels\":{},\"u2fAdditionalAnnotations\":{},\"u2fConfigEnabled\":true,\"u2fConfigLabels\":{},\"uma2AdditionalAnnotations\":{},\"uma2ConfigEnabled\":true,\"uma2ConfigLabels\":{},\"webdiscoveryAdditionalAnnotations\":{},\"webdiscoveryEnabled\":true,\"webdiscoveryLabels\":{},\"webfingerAdditionalAnnotations\":{},\"webfingerEnabled\":true,\"webfingerLabels\":{}},\"lockEnabled\":false},\"auth-server-key-rotation\":{\"customAnnotations\":{\"cronjob\":{},\"secret\":{},\"service\":{}},\"enabled\":true,\"initKeysLife\":48},\"awsStorageType\":\"io1\",\"azureStorageAccountType\":\"Standard_LRS\",\"azureStorageKind\":\"Managed\",\"casa\":{\"appLoggers\":{\"casaLogLevel\":\"INFO\",\"casaLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"timerLogLevel\":\"INFO\",\"timerLogTarget\":\"FILE\"},\"casaServiceName\":\"casa\",\"cnCustomJavaOptions\"
:\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"casaAdditionalAnnotations\":{},\"casaEnabled\":false,\"casaLabels\":{}}},\"cloud\":{\"testEnviroment\":false},\"cnAwsConfigFile\":\"/etc/jans/conf/aws_config_file\",\"cnAwsSecretsReplicaRegionsFile\":\"/etc/jans/conf/aws_secrets_replica_regions\",\"cnAwsSharedCredentialsFile\":\"/etc/jans/conf/aws_shared_credential_file\",\"cnConfiguratorConfigurationFile\":\"/etc/jans/conf/configuration.json\",\"cnConfiguratorCustomSchema\":{\"secretName\":\"\"},\"cnConfiguratorDumpFile\":\"/etc/jans/conf/configuration.out.json\",\"cnDocumentStoreType\":\"DB\",\"cnGoogleApplicationCredentials\":\"/etc/jans/conf/google-credentials.json\",\"cnObExtSigningAlias\":\"\",\"cnObExtSigningJwksCrt\":\"\",\"cnObExtSigningJwksKey\":\"\",\"cnObExtSigningJwksKeyPassPhrase\":\"\",\"cnObExtSigningJwksUri\":\"\",\"cnObStaticSigningKeyKid\":\"\",\"cnObTransportAlias\":\"\",\"cnObTransportCrt\":\"\",\"cnObTransportKey\":\"\",\"cnObTransportKeyPassPhrase\":\"\",\"cnObTransportTrustStore\":\"\",\"cnPersistenceType\":\"sql\",\"cnPrometheusPort\":\"\",\"cnSqlPasswordFile\":\"/etc/jans/conf/sql_password\",\"config\":{\"customAnnotations\":{\"clusterRoleBinding\":{},\"configMap\":{},\"job\":{},\"role\":{},\"roleBinding\":{},\"secret\":{},\"service\":{},\"serviceAccount\":{}},\"enabled\":true},\"config-api\":{\"adminUiAppLoggers\":{\"adminUiAuditLogLevel\":\"INFO\",\"adminUiAuditLogTarget\":\"FILE\",\"adminUiLogLevel\":\"INFO\",\"adminUiLogTarget\":\"FILE\",\"enableStdoutLogPrefix\":\"true\"},\"appLoggers\":{\"configApiLogLevel\":\"INFO\",\"configApiLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scri
ptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"configApiServerServiceName\":\"config-api\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"configApiAdditionalAnnotations\":{},\"configApiEnabled\":true,\"configApiLabels\":{}},\"plugins\":\"admin-ui,fido2,scim,user-mgt\"},\"configAdapterName\":\"kubernetes\",\"configSecretAdapter\":\"kubernetes\",\"distribution\":\"default\",\"fido2\":{\"appLoggers\":{\"enableStdoutLogPrefix\":\"true\",\"fido2LogLevel\":\"INFO\",\"fido2LogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"fido2ServiceName\":\"fido2\",\"ingress\":{\"fido2AdditionalAnnotations\":{},\"fido2ConfigAdditionalAnnotations\":{},\"fido2ConfigEnabled\":false,\"fido2ConfigLabels\":{},\"fido2Enabled\":false,\"fido2Labels\":{},\"fido2WebauthnAdditionalAnnotations\":{},\"fido2WebauthnEnabled\":false,\"fido2WebauthnLabels\":{}}},\"fqdn\":\"demoexample.gluu.org\",\"gcePdStorageType\":\"pd-standard\",\"isFqdnRegistered\":false,\"istio\":{\"additionalAnnotations\":{},\"additionalLabels\":{},\"enabled\":false,\"gateways\":[],\"ingress\":false,\"namespace\":\"istio-system\"},\"jobTtlSecondsAfterFinished\":300,\"kc-scheduler\":{\"enabled\":false},\"lbIp\":\"22.22.22.22\",\"link\":{\"appLoggers\":{\"enableStdoutLogPrefix\":\"true\",\"linkLogLevel\":\"INFO\",\"linkLogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenc
eLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"service\":{},\"virtualService\":{}},\"enabled\":false,\"ingress\":{\"linkAdditionalAnnotations\":{},\"linkEnabled\":true,\"linkLabels\":{}},\"linkServiceName\":\"link\"},\"nginx-ingress\":{\"enabled\":true},\"persistence\":{\"customAnnotations\":{\"job\":{},\"secret\":{},\"service\":{}},\"enabled\":true},\"saml\":{\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":false,\"ingress\":{\"samlAdditionalAnnotations\":{},\"samlEnabled\":false,\"samlLabels\":{}},\"samlServiceName\":\"saml\"},\"scim\":{\"appLoggers\":{\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scimLogLevel\":\"INFO\",\"scimLogTarget\":\"STDOUT\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"},\"cnCustomJavaOptions\":\"\",\"customAnnotations\":{\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"secret\":{},\"service\":{},\"virtualService\":{}},\"enabled\":true,\"ingress\":{\"scimAdditionalAnnotations\":{},\"scimConfigAdditionalAnnotations\":{},\"scimConfigEnabled\":false,\"scimConfigLabels\":{},\"scimEnabled\":false,\"scimLabels\":{}},\"scimServiceName\":\"scim\"},\"serviceAccountName\":\"default\",\"storageClass\":{\"allowVolumeExpansion\":true,\"allowedTopologies\":[],\"mountOptions\":[\"debug\"],\"parameters\":{},\"provisioner\":\"microk8s.io/hostpath\",\"reclaimPolicy\":\"Retain\",\"volumeBindingMode\":\"WaitForFirstConsumer\"},\"usrEnvs\":{\"normal\":{},\"secret\":{}}} Parameters 
used globally across all services helm charts. global.admin-ui.adminUiServiceName string \"admin-ui\" Name of the admin-ui service. Please keep it as default. global.admin-ui.enabled bool true Boolean flag to enable/disable the admin-ui chart and admin ui config api plugin. global.admin-ui.ingress.adminUiAdditionalAnnotations object {} Admin UI ingress resource additional annotations. global.admin-ui.ingress.adminUiEnabled bool false Enable Admin UI endpoints in either istio or nginx ingress depending on users choice global.admin-ui.ingress.adminUiLabels object {} Admin UI ingress resource labels. key app is taken. global.alb.ingress bool false Activates ALB ingress global.auth-server-key-rotation.enabled bool true Boolean flag to enable/disable the auth-server-key rotation cronjob chart. global.auth-server-key-rotation.initKeysLife int 48 The initial auth server key rotation keys life in hours global.auth-server.appLoggers object {\"auditStatsLogLevel\":\"INFO\",\"auditStatsLogTarget\":\"FILE\",\"authLogLevel\":\"INFO\",\"authLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"httpLogLevel\":\"INFO\",\"httpLogTarget\":\"FILE\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.auth-server.appLoggers.auditStatsLogLevel string \"INFO\" jans-auth_audit.log level global.auth-server.appLoggers.auditStatsLogTarget string \"FILE\" jans-auth_script.log target global.auth-server.appLoggers.authLogLevel string \"INFO\" jans-auth.log level global.auth-server.appLoggers.authLogTarget string \"STDOUT\" jans-auth.log target global.auth-server.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e auth-server-script ===> 2022-12-20 17:49:55,744 INFO global.auth-server.appLoggers.httpLogLevel string \"INFO\" http_request_response.log level global.auth-server.appLoggers.httpLogTarget string \"FILE\" http_request_response.log target global.auth-server.appLoggers.persistenceDurationLogLevel string \"INFO\" jans-auth_persistence_duration.log level global.auth-server.appLoggers.persistenceDurationLogTarget string \"FILE\" jans-auth_persistence_duration.log target global.auth-server.appLoggers.persistenceLogLevel string \"INFO\" jans-auth_persistence.log level global.auth-server.appLoggers.persistenceLogTarget string \"FILE\" jans-auth_persistence.log target global.auth-server.appLoggers.scriptLogLevel string \"INFO\" jans-auth_script.log level global.auth-server.appLoggers.scriptLogTarget string \"FILE\" jans-auth_script.log target global.auth-server.authEncKeys string \"RSA1_5 RSA-OAEP\" space-separated key algorithm for encryption (default to RSA1_5 RSA-OAEP ) global.auth-server.authServerServiceName string \"auth-server\" Name of the auth-server service. Please keep it as default. global.auth-server.authSigKeys string \"RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512\" space-separated key algorithm for signing (default to RS256 RS384 RS512 ES256 ES384 ES512 PS256 PS384 PS512 ) global.auth-server.cnCustomJavaOptions string \"\" passing custom java options to auth-server. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.auth-server.enabled bool true Boolean flag to enable/disable auth-server chart. You should never set this to false. 
global.auth-server.ingress object {\"authServerAdditionalAnnotations\":{},\"authServerEnabled\":true,\"authServerLabels\":{},\"authServerProtectedRegister\":false,\"authServerProtectedRegisterAdditionalAnnotations\":{},\"authServerProtectedRegisterLabels\":{},\"authServerProtectedToken\":false,\"authServerProtectedTokenAdditionalAnnotations\":{},\"authServerProtectedTokenLabels\":{},\"authzenAdditionalAnnotations\":{},\"authzenConfigEnabled\":true,\"authzenConfigLabels\":{},\"deviceCodeAdditionalAnnotations\":{},\"deviceCodeEnabled\":true,\"deviceCodeLabels\":{},\"firebaseMessagingAdditionalAnnotations\":{},\"firebaseMessagingEnabled\":true,\"firebaseMessagingLabels\":{},\"lockAdditionalAnnotations\":{},\"lockConfigAdditionalAnnotations\":{},\"lockConfigEnabled\":false,\"lockConfigLabels\":{},\"lockEnabled\":false,\"lockLabels\":{},\"openidAdditionalAnnotations\":{},\"openidConfigEnabled\":true,\"openidConfigLabels\":{},\"u2fAdditionalAnnotations\":{},\"u2fConfigEnabled\":true,\"u2fConfigLabels\":{},\"uma2AdditionalAnnotations\":{},\"uma2ConfigEnabled\":true,\"uma2ConfigLabels\":{},\"webdiscoveryAdditionalAnnotations\":{},\"webdiscoveryEnabled\":true,\"webdiscoveryLabels\":{},\"webfingerAdditionalAnnotations\":{},\"webfingerEnabled\":true,\"webfingerLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.auth-server.ingress.authServerAdditionalAnnotations object {} Auth server ingress resource additional annotations. global.auth-server.ingress.authServerEnabled bool true Enable Auth server endpoints /jans-auth global.auth-server.ingress.authServerLabels object {} Auth server ingress resource labels. key app is taken global.auth-server.ingress.authServerProtectedRegister bool false Enable mTLS onn Auth server endpoint /jans-auth/restv1/register. Currently not working in Istio. 
global.auth-server.ingress.authServerProtectedRegisterAdditionalAnnotations object {} Auth server protected register ingress resource additional annotations. global.auth-server.ingress.authServerProtectedRegisterLabels object {} Auth server protected token ingress resource labels. key app is taken global.auth-server.ingress.authServerProtectedToken bool false Enable mTLS on Auth server endpoint /jans-auth/restv1/token. Currently not working in Istio. global.auth-server.ingress.authServerProtectedTokenAdditionalAnnotations object {} Auth server protected token ingress resource additional annotations. global.auth-server.ingress.authServerProtectedTokenLabels object {} Auth server protected token ingress resource labels. key app is taken global.auth-server.ingress.authzenAdditionalAnnotations object {} authzen config ingress resource additional annotations. global.auth-server.ingress.authzenConfigEnabled bool true Enable endpoint /.well-known/authzen-configuration global.auth-server.ingress.authzenConfigLabels object {} authzen config ingress resource labels. key app is taken global.auth-server.ingress.deviceCodeAdditionalAnnotations object {} device-code ingress resource additional annotations. global.auth-server.ingress.deviceCodeEnabled bool true Enable endpoint /device-code global.auth-server.ingress.deviceCodeLabels object {} device-code ingress resource labels. key app is taken global.auth-server.ingress.firebaseMessagingAdditionalAnnotations object {} Firebase Messaging ingress resource additional annotations. global.auth-server.ingress.firebaseMessagingEnabled bool true Enable endpoint /firebase-messaging-sw.js global.auth-server.ingress.firebaseMessagingLabels object {} Firebase Messaging ingress resource labels. key app is taken global.auth-server.ingress.lockAdditionalAnnotations object {} Lock ingress resource additional annotations. global.auth-server.ingress.lockConfigAdditionalAnnotations object {} Lock config ingress resource additional annotations. 
global.auth-server.ingress.lockConfigEnabled bool false Enable endpoint /.well-known/lock-server-configuration global.auth-server.ingress.lockConfigLabels object {} Lock config ingress resource labels. key app is taken global.auth-server.ingress.lockEnabled bool false Enable endpoint /jans-lock global.auth-server.ingress.lockLabels object {} Lock ingress resource labels. key app is taken global.auth-server.ingress.openidAdditionalAnnotations object {} openid-configuration ingress resource additional annotations. global.auth-server.ingress.openidConfigEnabled bool true Enable endpoint /.well-known/openid-configuration global.auth-server.ingress.openidConfigLabels object {} openid-configuration ingress resource labels. key app is taken global.auth-server.ingress.u2fAdditionalAnnotations object {} u2f config ingress resource additional annotations. global.auth-server.ingress.u2fConfigEnabled bool true Enable endpoint /.well-known/fido-configuration global.auth-server.ingress.u2fConfigLabels object {} u2f config ingress resource labels. key app is taken global.auth-server.ingress.uma2AdditionalAnnotations object {} uma2 config ingress resource additional annotations. global.auth-server.ingress.uma2ConfigEnabled bool true Enable endpoint /.well-known/uma2-configuration global.auth-server.ingress.uma2ConfigLabels object {} uma2 config ingress resource labels. key app is taken global.auth-server.ingress.webdiscoveryAdditionalAnnotations object {} webdiscovery ingress resource additional annotations. global.auth-server.ingress.webdiscoveryEnabled bool true Enable endpoint /.well-known/simple-web-discovery global.auth-server.ingress.webdiscoveryLabels object {} webdiscovery ingress resource labels. key app is taken global.auth-server.ingress.webfingerAdditionalAnnotations object {} webfinger ingress resource additional annotations. 
global.auth-server.ingress.webfingerEnabled bool true Enable endpoint /.well-known/webfinger global.auth-server.ingress.webfingerLabels object {} webfinger ingress resource labels. key app is taken global.auth-server.lockEnabled bool false Enable jans-lock as service running inside auth-server global.awsStorageType string \"io1\" Volume storage type if using AWS volumes. global.azureStorageAccountType string \"Standard_LRS\" Volume storage type if using Azure disks. global.azureStorageKind string \"Managed\" Azure storage kind if using Azure disks global.casa.appLoggers object {\"casaLogLevel\":\"INFO\",\"casaLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"timerLogLevel\":\"INFO\",\"timerLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.casa.appLoggers.casaLogLevel string \"INFO\" casa.log level global.casa.appLoggers.casaLogTarget string \"STDOUT\" casa.log target global.casa.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e casa ===> 2022-12-20 17:49:55,744 INFO global.casa.appLoggers.timerLogLevel string \"INFO\" casa timer log level global.casa.appLoggers.timerLogTarget string \"FILE\" casa timer log target global.casa.casaServiceName string \"casa\" Name of the casa service. Please keep it as default. global.casa.cnCustomJavaOptions string \"\" passing custom java options to casa. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.casa.enabled bool true Boolean flag to enable/disable the casa chart. 
global.casa.ingress object {\"casaAdditionalAnnotations\":{},\"casaEnabled\":false,\"casaLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.casa.ingress.casaAdditionalAnnotations object {} Casa ingress resource additional annotations. global.casa.ingress.casaEnabled bool false Enable casa endpoints /casa global.casa.ingress.casaLabels object {} Casa ingress resource labels. key app is taken global.cloud.testEnviroment bool false Boolean flag if enabled will strip resources requests and limits from all services. global.cnConfiguratorConfigurationFile string \"/etc/jans/conf/configuration.json\" Path to configuration schema file global.cnConfiguratorCustomSchema object {\"secretName\":\"\"} Use custom configuration schema in existing secrets. Note, the secrets has to contain the key configuration.json or any basename as specified in cnConfiguratorConfigurationFile. global.cnConfiguratorCustomSchema.secretName string \"\" The name of the secrets used for storing custom configuration schema. global.cnConfiguratorDumpFile string \"/etc/jans/conf/configuration.out.json\" Path to dumped configuration schema file global.cnDocumentStoreType string \"DB\" Document store type to use for shibboleth files DB. global.cnGoogleApplicationCredentials string \"/etc/jans/conf/google-credentials.json\" Base64 encoded service account. The sa must have roles/secretmanager.admin to use Google secrets. Leave as this is a sensible default. global.cnObExtSigningAlias string \"\" Open banking external signing AS Alias. This is a kid value.Used in SSA Validation, kid used while encoding a JWT sent to token URL i.e. XkwIzWy44xWSlcWnMiEc8iq9s2G global.cnObExtSigningJwksCrt string \"\" Open banking external signing jwks AS certificate authority string. Used in SSA Validation. This must be encoded using base64.. Used when .global.cnObExtSigningJwksUri is set. global.cnObExtSigningJwksKey string \"\" Open banking external signing jwks AS key string. 
Used in SSA Validation. This must be encoded using base64. Used when .global.cnObExtSigningJwksUri is set. global.cnObExtSigningJwksKeyPassPhrase string \"\" Open banking external signing jwks AS key passphrase to unlock provided key. This must be encoded using base64. Used when .global.cnObExtSigningJwksUri is set. global.cnObExtSigningJwksUri string \"\" Open banking external signing jwks uri. Used in SSA Validation. global.cnObStaticSigningKeyKid string \"\" Open banking signing AS kid to force the AS to use a specific signing key. i.e. Wy44xWSlcWnMiEc8iq9s2G global.cnObTransportAlias string \"\" Open banking transport Alias used inside the JVM. global.cnObTransportCrt string \"\" Open banking AS transport crt. Used in SSA Validation. This must be encoded using base64. global.cnObTransportKey string \"\" Open banking AS transport key. Used in SSA Validation. This must be encoded using base64. global.cnObTransportKeyPassPhrase string \"\" Open banking AS transport key passphrase to unlock AS transport key. This must be encoded using base64. global.cnObTransportTrustStore string \"\" Open banking AS transport truststore crt. This is normally generated from the OB issuing CA, OB Root CA and Signing CA. Used when .global.cnObExtSigningJwksUri is set. Used in SSA Validation. This must be encoded using base64. global.cnPersistenceType string \"sql\" Persistence backend to run Gluu with hybrid global.cnPrometheusPort string \"\" Port used by Prometheus JMX agent (default to empty string). To enable Prometheus JMX agent, set the value to a number. 
global.cnSqlPasswordFile string \"/etc/jans/conf/sql_password\" Path to SQL password file global.config-api.adminUiAppLoggers.adminUiAuditLogLevel string \"INFO\" config-api admin-ui plugin audit log level global.config-api.adminUiAppLoggers.adminUiAuditLogTarget string \"FILE\" config-api admin-ui plugin audit log target global.config-api.adminUiAppLoggers.adminUiLogLevel string \"INFO\" config-api admin-ui plugin log target global.config-api.adminUiAppLoggers.adminUiLogTarget string \"FILE\" config-api admin-ui plugin log level global.config-api.adminUiAppLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO global.config-api.appLoggers object {\"configApiLogLevel\":\"INFO\",\"configApiLogTarget\":\"STDOUT\",\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.config-api.appLoggers.configApiLogLevel string \"INFO\" configapi.log level global.config-api.appLoggers.configApiLogTarget string \"STDOUT\" configapi.log target global.config-api.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e config-api_persistence ===> 2022-12-20 17:49:55,744 INFO global.config-api.appLoggers.persistenceDurationLogLevel string \"INFO\" config-api_persistence_duration.log level global.config-api.appLoggers.persistenceDurationLogTarget string \"FILE\" config-api_persistence_duration.log target global.config-api.appLoggers.persistenceLogLevel string \"INFO\" config-api_persistence.log level global.config-api.appLoggers.persistenceLogTarget string \"FILE\" config-api_persistence.log target global.config-api.appLoggers.scriptLogLevel string \"INFO\" config-api_script.log level global.config-api.appLoggers.scriptLogTarget string \"FILE\" config-api_script.log target global.config-api.cnCustomJavaOptions string \"\" passing custom java options to config-api. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.config-api.configApiServerServiceName string \"config-api\" Name of the config-api service. Please keep it as default. global.config-api.enabled bool true Boolean flag to enable/disable the config-api chart. global.config-api.ingress object {\"configApiAdditionalAnnotations\":{},\"configApiEnabled\":true,\"configApiLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.config-api.ingress.configApiAdditionalAnnotations object {} ConfigAPI ingress resource additional annotations. global.config-api.ingress.configApiLabels object {} configAPI ingress resource labels. key app is taken global.config-api.plugins string \"admin-ui,fido2,scim,user-mgt\" Comma-separated values of enabled plugins (supported plugins are \"admin-ui\",\"fido2\",\"scim\",\"user-mgt\",\"jans-link\",\"kc-saml\") global.config.enabled bool true Boolean flag to enable/disable the configuration chart. This normally should never be false global.configAdapterName string \"kubernetes\" The config backend adapter that will hold Gluu configuration layer. 
aws global.configSecretAdapter string \"kubernetes\" The config backend adapter that will hold Gluu secret layer. vault global.distribution string \"default\" Gluu distributions supported are: default global.fido2.appLoggers object {\"enableStdoutLogPrefix\":\"true\",\"fido2LogLevel\":\"INFO\",\"fido2LogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.fido2.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. i.e fido2 ===> 2022-12-20 17:49:55,744 INFO global.fido2.appLoggers.fido2LogLevel string \"INFO\" fido2.log level global.fido2.appLoggers.fido2LogTarget string \"STDOUT\" fido2.log target global.fido2.appLoggers.persistenceDurationLogLevel string \"INFO\" fido2_persistence_duration.log level global.fido2.appLoggers.persistenceDurationLogTarget string \"FILE\" fido2_persistence_duration.log target global.fido2.appLoggers.persistenceLogLevel string \"INFO\" fido2_persistence.log level global.fido2.appLoggers.persistenceLogTarget string \"FILE\" fido2_persistence.log target global.fido2.appLoggers.scriptLogLevel string \"INFO\" fido2_script.log level global.fido2.appLoggers.scriptLogTarget string \"FILE\" fido2_script.log target global.fido2.cnCustomJavaOptions string \"\" passing custom java options to fido2. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.fido2.enabled bool true Boolean flag to enable/disable the fido2 chart. global.fido2.fido2ServiceName string \"fido2\" Name of the fido2 service. Please keep it as default. 
global.fido2.ingress object {\"fido2AdditionalAnnotations\":{},\"fido2ConfigAdditionalAnnotations\":{},\"fido2ConfigEnabled\":false,\"fido2ConfigLabels\":{},\"fido2Enabled\":false,\"fido2Labels\":{},\"fido2WebauthnAdditionalAnnotations\":{},\"fido2WebauthnEnabled\":false,\"fido2WebauthnLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.fido2.ingress.fido2AdditionalAnnotations object {} fido2 ingress resource additional annotations. global.fido2.ingress.fido2ConfigAdditionalAnnotations object {} fido2 config ingress resource additional annotations. global.fido2.ingress.fido2ConfigEnabled bool false Enable endpoint /.well-known/fido2-configuration global.fido2.ingress.fido2ConfigLabels object {} fido2 config ingress resource labels. key app is taken global.fido2.ingress.fido2Enabled bool false Enable endpoint /jans-fido2 global.fido2.ingress.fido2Labels object {} fido2 ingress resource labels. key app is taken global.fido2.ingress.fido2WebauthnAdditionalAnnotations object {} fido2 webauthn ingress resource additional annotations. global.fido2.ingress.fido2WebauthnEnabled bool false Enable endpoint /.well-known/webauthn global.fido2.ingress.fido2WebauthnLabels object {} fido2 webauthn ingress resource labels. key app is taken global.fqdn string \"demoexample.gluu.org\" Fully qualified domain name to be used for Gluu installation. This address will be used to reach Gluu services. global.gcePdStorageType string \"pd-standard\" GCE storage kind if using Google disks global.isFqdnRegistered bool false Boolean flag to enable mapping global.lbIp to global.fqdn inside pods on clouds that provide static ip for load balancers. On cloud that provide only addresses to the LB this flag will enable a script to actively scan config.configmap.lbAddr and update the hosts file inside the pods automatically. 
global.istio.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of global.istio.additionalLabels object {} Additional labels that will be added across the gateway in the format of global.istio.enabled bool false Boolean flag that enables using istio side-cars with Gluu services. global.istio.gateways list [] Override the gateway that can be created by default. This is used when istio ingress has already been setup and the gateway exists. global.istio.ingress bool false Boolean flag that enables using istio gateway for Gluu. This assumes istio ingress is installed and hence the LB is available. global.istio.namespace string \"istio-system\" The namespace istio is deployed in. The is normally istio-system. global.jobTtlSecondsAfterFinished int 300 https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/ global.kc-scheduler.enabled bool false Boolean flag to enable/disable the kc-scheduler cronjob chart. global.lbIp string \"22.22.22.22\" The Loadbalancer IP created by nginx or istio on clouds that provide static IPs. This is not needed if global.fqdn is globally resolvable. global.link.appLoggers object {\"enableStdoutLogPrefix\":\"true\",\"linkLogLevel\":\"INFO\",\"linkLogTarget\":\"STDOUT\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.link.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e link-persistence ===> 2022-12-20 17:49:55,744 INFO global.link.appLoggers.linkLogLevel string \"INFO\" cacherefresh.log level global.link.appLoggers.linkLogTarget string \"STDOUT\" cacherefresh.log target global.link.appLoggers.persistenceDurationLogLevel string \"INFO\" cacherefresh_persistence_duration.log level global.link.appLoggers.persistenceDurationLogTarget string \"FILE\" cacherefresh_persistence_duration.log target global.link.appLoggers.persistenceLogLevel string \"INFO\" cacherefresh_persistence.log level global.link.appLoggers.persistenceLogTarget string \"FILE\" cacherefresh_persistence.log target global.link.appLoggers.scriptLogLevel string \"INFO\" cacherefresh_script.log level global.link.appLoggers.scriptLogTarget string \"FILE\" cacherefresh_script.log target global.link.cnCustomJavaOptions string \"\" passing custom java options to link. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.link.customAnnotations object {\"deployment\":{},\"destinationRule\":{},\"horizontalPodAutoscaler\":{},\"pod\":{},\"podDisruptionBudget\":{},\"service\":{},\"virtualService\":{}} Add custom annotations for kubernetes resources for the service global.link.enabled bool false Boolean flag to enable/disable the link chart. global.link.ingress object {\"linkAdditionalAnnotations\":{},\"linkEnabled\":true,\"linkLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.link.ingress.linkAdditionalAnnotations object {} link ingress resource additional annotations. global.link.ingress.linkLabels object {} link ingress resource labels. key app is taken global.link.linkServiceName string \"link\" Name of the link service. Please keep it as default. global.nginx-ingress.enabled bool true Boolean flag to enable/disable the nginx-ingress definitions chart. global.persistence.enabled bool true Boolean flag to enable/disable the persistence chart. 
global.saml.cnCustomJavaOptions string \"\" passing custom java options to saml. DO NOT PASS JAVA_OPTIONS in envs. global.saml.enabled bool false Boolean flag to enable/disable the saml chart. global.saml.ingress object {\"samlAdditionalAnnotations\":{},\"samlEnabled\":false,\"samlLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.saml.ingress.samlAdditionalAnnotations object {} SAML ingress resource additional annotations. global.saml.ingress.samlLabels object {} SAML ingress resource labels. key app is taken global.saml.samlServiceName string \"saml\" Name of the saml service. Please keep it as default. global.scim.appLoggers object {\"enableStdoutLogPrefix\":\"true\",\"persistenceDurationLogLevel\":\"INFO\",\"persistenceDurationLogTarget\":\"FILE\",\"persistenceLogLevel\":\"INFO\",\"persistenceLogTarget\":\"FILE\",\"scimLogLevel\":\"INFO\",\"scimLogTarget\":\"STDOUT\",\"scriptLogLevel\":\"INFO\",\"scriptLogTarget\":\"FILE\"} App loggers can be configured to define where the logs will be redirected to and the level of each in which it should be displayed. global.scim.appLoggers.enableStdoutLogPrefix string \"true\" Enable log prefixing which enables prepending the STDOUT logs with the file name. 
i.e jans-scim ===> 2022-12-20 17:49:55,744 INFO global.scim.appLoggers.persistenceDurationLogLevel string \"INFO\" jans-scim_persistence_duration.log level global.scim.appLoggers.persistenceDurationLogTarget string \"FILE\" jans-scim_persistence_duration.log target global.scim.appLoggers.persistenceLogLevel string \"INFO\" jans-scim_persistence.log level global.scim.appLoggers.persistenceLogTarget string \"FILE\" jans-scim_persistence.log target global.scim.appLoggers.scimLogLevel string \"INFO\" jans-scim.log level global.scim.appLoggers.scimLogTarget string \"STDOUT\" jans-scim.log target global.scim.appLoggers.scriptLogLevel string \"INFO\" jans-scim_script.log level global.scim.appLoggers.scriptLogTarget string \"FILE\" jans-scim_script.log target global.scim.cnCustomJavaOptions string \"\" passing custom java options to scim. Notice you do not need to pass in any loggers options as they are introduced below in appLoggers. DO NOT PASS JAVA_OPTIONS in envs. global.scim.enabled bool true Boolean flag to enable/disable the SCIM chart. global.scim.ingress object {\"scimAdditionalAnnotations\":{},\"scimConfigAdditionalAnnotations\":{},\"scimConfigEnabled\":false,\"scimConfigLabels\":{},\"scimEnabled\":false,\"scimLabels\":{}} Enable endpoints in either istio or nginx ingress depending on users choice global.scim.ingress.scimAdditionalAnnotations object {} SCIM ingress resource additional annotations. global.scim.ingress.scimConfigAdditionalAnnotations object {} SCIM config ingress resource additional annotations. global.scim.ingress.scimConfigEnabled bool false Enable endpoint /.well-known/scim-configuration global.scim.ingress.scimConfigLabels object {} SCIM config ingress resource labels. key app is taken global.scim.ingress.scimEnabled bool false Enable SCIM endpoints /jans-scim global.scim.ingress.scimLabels object {} SCIM ingress resource labels. key app is taken global.scim.scimServiceName string \"scim\" Name of the scim service. Please keep it as default. 
global.serviceAccountName string \"default\" service account used by Kubernetes resources global.storageClass object {\"allowVolumeExpansion\":true,\"allowedTopologies\":[],\"mountOptions\":[\"debug\"],\"parameters\":{},\"provisioner\":\"microk8s.io/hostpath\",\"reclaimPolicy\":\"Retain\",\"volumeBindingMode\":\"WaitForFirstConsumer\"} StorageClass section. This is not currently used by the openbanking distribution. You may specify custom parameters as needed. global.storageClass.parameters object {} parameters: fsType: \"\" kind: \"\" pool: \"\" storageAccountType: \"\" type: \"\" global.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service. Envs defined in global.userEnvs will be globally available to all services global.usrEnvs.normal object {} Add custom normal envs to the service. variable1: value1 global.usrEnvs.secret object {} Add custom secret envs to the service. variable1: value1 installer-settings object {\"acceptLicense\":\"\",\"aws\":{\"arn\":{\"arnAcmCert\":\"\",\"enabled\":\"\"},\"lbType\":\"\",\"vpcCidr\":\"0.0.0.0/0\"},\"confirmSettings\":false,\"currentVersion\":\"\",\"google\":{\"useSecretManager\":\"\"},\"images\":{\"edit\":\"\"},\"namespace\":\"\",\"nginxIngress\":{\"namespace\":\"\",\"releaseName\":\"\"},\"nodes\":{\"ips\":\"\",\"names\":\"\",\"zones\":\"\"},\"openbanking\":{\"cnObTransportTrustStoreP12password\":\"\",\"hasCnObTransportTrustStore\":false},\"postgres\":{\"install\":\"\",\"namespace\":\"\"},\"redis\":{\"install\":\"\",\"namespace\":\"\"},\"releaseName\":\"\",\"sql\":{\"install\":\"\",\"namespace\":\"\"},\"volumeProvisionStrategy\":\"\"} Only used by the installer. 
These settings do not affect nor are used by the chart kc-scheduler object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/kc-scheduler\",\"tag\":\"1.3.0-1\"},\"interval\":10,\"lifecycle\":{},\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Responsible for synchronizing Keycloak SAML clients kc-scheduler.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of kc-scheduler.additionalLabels object {} Additional labels that will be added across the gateway in the format of kc-scheduler.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. kc-scheduler.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh kc-scheduler.dnsConfig object {} Add custom dns config kc-scheduler.dnsPolicy string \"\" Add custom dns policy kc-scheduler.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. kc-scheduler.image.pullSecrets list [] Image Pull Secrets kc-scheduler.image.repository string \"ghcr.io/janssenproject/jans/kc-scheduler\" Image to use for deploying. kc-scheduler.image.tag string \"1.3.0-1\" Image tag to use for deploying. kc-scheduler.interval int 10 Interval of running the scheduler (in minutes) kc-scheduler.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. kc-scheduler.resources.limits.cpu string \"300m\" CPU limit. kc-scheduler.resources.limits.memory string \"300Mi\" Memory limit. 
kc-scheduler.resources.requests.cpu string \"300m\" CPU request. kc-scheduler.resources.requests.memory string \"300Mi\" Memory request. kc-scheduler.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service kc-scheduler.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 kc-scheduler.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 kc-scheduler.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers kc-scheduler.volumes list [] Configure any additional volumes that need to be attached to the pod link object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/link\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Link. link.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of link.additionalLabels object {} Additional labels that will be added across the gateway in the format of link.customCommand list [] Add custom pod's command. 
If passed, it will override the default conditional command. link.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh link.dnsConfig object {} Add custom dns config link.dnsPolicy string \"\" Add custom dns policy link.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler link.hpa.behavior object {} Scaling Policies link.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set link.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. link.image.pullSecrets list [] Image Pull Secrets link.image.repository string \"ghcr.io/janssenproject/jans/link\" Image to use for deploying. link.image.tag string \"1.3.0-1\" Image tag to use for deploying. link.livenessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. link.livenessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http liveness probe endpoint link.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget link.readinessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http readiness probe endpoint link.replicas int 1 Service replica number. link.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}} Resource specs. link.resources.limits.cpu string \"500m\" CPU limit. link.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. link.resources.requests.cpu string \"500m\" CPU request. 
link.resources.requests.memory string \"1200Mi\" Memory request. link.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ link.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service link.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 link.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 link.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers link.volumes list [] Configure any additional volumes that need to be attached to the pod nginx-ingress object {\"certManager\":{\"certificate\":{\"enabled\":false,\"issuerGroup\":\"cert-manager.io\",\"issuerKind\":\"ClusterIssuer\",\"issuerName\":\"\"}},\"ingress\":{\"additionalAnnotations\":{},\"additionalLabels\":{},\"hosts\":[\"demoexample.gluu.org\"],\"ingressClassName\":\"nginx\",\"path\":\"/\",\"tls\":[{\"hosts\":[\"demoexample.gluu.org\"],\"secretName\":\"tls-certificate\"}]}} Nginx ingress definitions chart nginx-ingress.ingress.additionalAnnotations object {} Additional annotations that will be added across all ingress definitions in the format of {cert-manager.io/issuer: \"letsencrypt-prod\"} Enable client certificate authentication nginx.ingress.kubernetes.io/auth-tls-verify-client: \"optional\" Create the secret containing the trusted ca certificates nginx.ingress.kubernetes.io/auth-tls-secret: \"gluu/tls-certificate\" Specify the verification depth in the client certificates chain nginx.ingress.kubernetes.io/auth-tls-verify-depth: \"1\" Specify if certificates are passed to upstream server nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: \"true\" nginx-ingress.ingress.additionalLabels object {} Additional labels that will be added across all ingress definitions in the format of 
nginx-ingress.ingress.tls list [{\"hosts\":[\"demoexample.gluu.org\"],\"secretName\":\"tls-certificate\"}] Secrets holding HTTPS CA cert and key. persistence object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/persistence-loader\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"resources\":{\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} Job to generate data and initial config for Gluu Server persistence layer. persistence.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of persistence.additionalLabels object {} Additional labels that will be added across the gateway in the format of persistence.customCommand list [] Add custom job's command. If passed, it will override the default conditional command. persistence.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh persistence.dnsConfig object {} Add custom dns config persistence.dnsPolicy string \"\" Add custom dns policy persistence.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. persistence.image.pullSecrets list [] Image Pull Secrets persistence.image.repository string \"ghcr.io/janssenproject/jans/persistence-loader\" Image to use for deploying. persistence.image.tag string \"1.3.0-1\" Image tag to use for deploying. persistence.resources object {\"limits\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"},\"requests\":{\"cpu\":\"300m\",\"memory\":\"300Mi\"}} Resource specs. persistence.resources.limits.cpu string \"300m\" CPU limit persistence.resources.limits.memory string \"300Mi\" Memory limit. 
persistence.resources.requests.cpu string \"300m\" CPU request. persistence.resources.requests.memory string \"300Mi\" Memory request. persistence.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service persistence.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 persistence.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 persistence.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers persistence.volumes list [] Configure any additional volumes that need to be attached to the pod saml object {\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/saml\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"failureThreshold\":10,\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"failureThreshold\":10,\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} SAML. 
saml.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of saml.additionalLabels object {} Additional labels that will be added across the gateway in the format of saml.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. saml.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. - /tmp/custom.sh - /tmp/custom2.sh saml.dnsConfig object {} Add custom dns config saml.dnsPolicy string \"\" Add custom dns policy saml.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler saml.hpa.behavior object {} Scaling Policies saml.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set saml.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. saml.image.pullSecrets list [] Image Pull Secrets saml.image.repository string \"ghcr.io/janssenproject/jans/saml\" Image to use for deploying. saml.image.tag string \"1.3.0-1\" Image tag to use for deploying. saml.livenessProbe object {\"exec\":{\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]},\"failureThreshold\":10,\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for the auth server if needed. saml.livenessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http liveness probe endpoint saml.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget saml.readinessProbe.exec object {\"command\":[\"python3\",\"/app/scripts/healthcheck.py\"]} http readiness probe endpoint saml.replicas int 1 Service replica number. saml.resources object {\"limits\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"500m\",\"memory\":\"1200Mi\"}} Resource specs. saml.resources.limits.cpu string \"500m\" CPU limit. 
saml.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. saml.resources.requests.cpu string \"500m\" CPU request. saml.resources.requests.memory string \"1200Mi\" Memory request. saml.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ saml.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service saml.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 saml.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 saml.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers saml.volumes list [] Configure any additional volumes that need to be attached to the pod scim object 
{\"additionalAnnotations\":{},\"additionalLabels\":{},\"customCommand\":[],\"customScripts\":[],\"dnsConfig\":{},\"dnsPolicy\":\"\",\"hpa\":{\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50},\"image\":{\"pullPolicy\":\"IfNotPresent\",\"pullSecrets\":[],\"repository\":\"ghcr.io/janssenproject/jans/scim\",\"tag\":\"1.3.0-1\"},\"lifecycle\":{},\"livenessProbe\":{\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5},\"pdb\":{\"enabled\":true,\"maxUnavailable\":\"90%\"},\"readinessProbe\":{\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5},\"replicas\":1,\"resources\":{\"limits\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"},\"requests\":{\"cpu\":\"1000m\",\"memory\":\"1200Mi\"}},\"service\":{\"name\":\"http-scim\",\"port\":8080},\"topologySpreadConstraints\":{},\"usrEnvs\":{\"normal\":{},\"secret\":{}},\"volumeMounts\":[],\"volumes\":[]} System for Cross-domain Identity Management (SCIM) version 2.0 scim.additionalAnnotations object {} Additional annotations that will be added across the gateway in the format of scim.additionalLabels object {} Additional labels that will be added across the gateway in the format of scim.customCommand list [] Add custom pod's command. If passed, it will override the default conditional command. scim.customScripts list [] Add custom scripts that have been mounted to run before the entrypoint. 
- /tmp/custom.sh - /tmp/custom2.sh scim.dnsConfig object {} Add custom dns config scim.dnsPolicy string \"\" Add custom dns policy scim.hpa object {\"behavior\":{},\"enabled\":true,\"maxReplicas\":10,\"metrics\":[],\"minReplicas\":1,\"targetCPUUtilizationPercentage\":50} Configure the HorizontalPodAutoscaler scim.hpa.behavior object {} Scaling Policies scim.hpa.metrics list [] metrics if targetCPUUtilizationPercentage is not set scim.image.pullPolicy string \"IfNotPresent\" Image pullPolicy to use for deploying. scim.image.pullSecrets list [] Image Pull Secrets scim.image.repository string \"ghcr.io/janssenproject/jans/scim\" Image to use for deploying. scim.image.tag string \"1.3.0-1\" Image tag to use for deploying. scim.livenessProbe object {\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":30,\"periodSeconds\":30,\"timeoutSeconds\":5} Configure the liveness healthcheck for SCIM if needed. scim.livenessProbe.httpGet.path string \"/jans-scim/sys/health-check\" http liveness probe endpoint scim.pdb object {\"enabled\":true,\"maxUnavailable\":\"90%\"} Configure the PodDisruptionBudget scim.readinessProbe object {\"httpGet\":{\"path\":\"/jans-scim/sys/health-check\",\"port\":8080},\"initialDelaySeconds\":25,\"periodSeconds\":25,\"timeoutSeconds\":5} Configure the readiness healthcheck for the SCIM if needed. scim.readinessProbe.httpGet.path string \"/jans-scim/sys/health-check\" http readiness probe endpoint scim.replicas int 1 Service replica number. scim.resources.limits.cpu string \"1000m\" CPU limit. scim.resources.limits.memory string \"1200Mi\" Memory limit. This value is used to calculate memory allocation for Java. Currently it only supports Mi . Please refrain from using other units. scim.resources.requests.cpu string \"1000m\" CPU request. scim.resources.requests.memory string \"1200Mi\" Memory request. scim.service.name string \"http-scim\" The name of the scim port within the scim service. 
Please keep it as default. scim.service.port int 8080 Port of the scim service. Please keep it as default. scim.topologySpreadConstraints object {} Configure the topology spread constraints. Notice this is a map NOT a list as in the upstream API https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ scim.usrEnvs object {\"normal\":{},\"secret\":{}} Add custom normal and secret envs to the service scim.usrEnvs.normal object {} Add custom normal envs to the service variable1: value1 scim.usrEnvs.secret object {} Add custom secret envs to the service variable1: value1 scim.volumeMounts list [] Configure any additional volumesMounts that need to be attached to the containers scim.volumes list [] Configure any additional volumes that need to be attached to the pod","title":"Values"},{"location":"supergluu/","tags":["Super Gluu","Introduction"],"text":"Super Gluu Documentation # Super Gluu is a free and secure two-factor authentication (2FA) mobile app. Super Gluu app can be used to achieve 2FA for web and mobile applications with Janssen Server , Gluu Flex , and Gluu Server working as authentication servers. Super Gluu documentation is organized into the following sections: User Guide Admin Guide Developer Guide Compatibility # Super Gluu is compatible with all versions of Gluu Flex. FIDO Security # During Super Gluu authentication, the Gluu Flex does more than look at the device ID to grant access. Super Gluu uses the Gluu Flex Server's FIDO U2F endpoints to enroll a public key. The private key is stored on the device. At authentication time, the Gluu Flex sends a challenge-response to the device to check for the corresponding private key. This adds an extra layer of security to Super Gluu push notification authentications. How to Use Super Gluu # Super Gluu is tightly bundled with Janssen. 
Follow the Flex installation guide to deploy Gluu Flex, then follow the Super Gluu admin guide to configure and begin using Super Gluu for strong authentication. Workflows # Super Gluu supports multiple workflows, including: A one-step, passwordless authentication, where the person scans a QR code with their Super Gluu app and the Gluu Flex looks up which person is associated with that device. A two-step authentication, where the person enters their username and then receives an out-of-band push notification to the mobile device to authorize access (a.k.a identifier first authentication). A two-step authentication, where the person enters their username and password and then receives an out-of-band push notification to the mobile device to authorize access. In all scenarios, users are prompted to scan a QR code on their first Super Gluu authentication to bind their device and account. In the second and third workflows listed above, users begin receiving push notifications for all authentications after the initial device registration process. Testing locally # Super Gluu security is based on SSL and therefore expects a public server with valid certificates. To test locally on a non-public server, follow these steps Download Super Gluu # Super Gluu is available for free on the iOS and Android app marketplaces! Download the Android app Download the iOS app Contributors # The next version of Super Gluu will support localization in many languages. We'd like to extend our sincere appreciation to the following people for helping translate Super Gluu content: Jose Gonzalez, Gluu Gasmyr Mougang, Gluu Yumi Sano, iBridge Andrea Patricelli, Tirasa Yuriy Zabrovarrnay, Gluu Aliaksander Sameseu, Gluu Andre Koot, Nixu Mohammad Abudayyeh, Gluu Ganesh Dutt Sharma, Gluu Mohib Zico, Gluu Mustafa Baser, Gluu","title":"Super Gluu Documentation"},{"location":"supergluu/#super-gluu-documentation","text":"Super Gluu is a free and secure two-factor authentication (2FA) mobile app. 
Super Gluu app can be used to achieve 2FA for web and mobile applications with Janssen Server , Gluu Flex , and Gluu Server working as authentication servers. Super Gluu documentation is organized into the following sections: User Guide Admin Guide Developer Guide","title":"Super Gluu Documentation"},{"location":"supergluu/#compatibility","text":"Super Gluu is compatible with all versions of Gluu Flex.","title":"Compatibility"},{"location":"supergluu/#fido-security","text":"During Super Gluu authentication, the Gluu Flex does more than look at the device ID to grant access. Super Gluu uses the Gluu Flex Server's FIDO U2F endpoints to enroll a public key. The private key is stored on the device. At authentication time, the Gluu Flex sends a challenge-response to the device to check for the corresponding private key. This adds an extra layer of security to Super Gluu push notification authentications.","title":"FIDO Security"},{"location":"supergluu/#how-to-use-super-gluu","text":"Super Gluu is tightly bundled with Janssen. Follow the Flex installation guide to deploy Gluu Flex, then follow the Super Gluu admin guide to configure and begin using Super Gluu for strong authentication.","title":"How to Use Super Gluu"},{"location":"supergluu/#workflows","text":"Super Gluu supports multiple workflows, including: A one-step, passwordless authentication, where the person scans a QR code with their Super Gluu app and the Gluu Flex looks up which person is associated with that device. A two-step authentication, where the person enters their username and then receives an out-of-band push notification to the mobile device to authorize access (a.k.a identifier first authentication). A two-step authentication, where the person enters their username and password and then receives an out-of-band push notification to the mobile device to authorize access. 
In all scenarios, users are prompted to scan a QR code on their first Super Gluu authentication to bind their device and account. In the second and third workflows listed above, users begin receiving push notifications for all authentications after the initial device registration process.","title":"Workflows"},{"location":"supergluu/#testing-locally","text":"Super Gluu security is based on SSL and therefore expects a public server with valid certificates. To test locally on a non-public server, follow these steps","title":"Testing locally"},{"location":"supergluu/#download-super-gluu","text":"Super Gluu is available for free on the iOS and Android app marketplaces! Download the Android app Download the iOS app","title":"Download Super Gluu"},{"location":"supergluu/#contributors","text":"The next version of Super Gluu will support localization in many languages. We'd like to extend our sincere appreciation to the following people for helping translate Super Gluu content: Jose Gonzalez, Gluu Gasmyr Mougang, Gluu Yumi Sano, iBridge Andrea Patricelli, Tirasa Yuriy Zabrovarrnay, Gluu Aliaksander Sameseu, Gluu Andre Koot, Nixu Mohammad Abudayyeh, Gluu Ganesh Dutt Sharma, Gluu Mohib Zico, Gluu Mustafa Baser, Gluu","title":"Contributors"},{"location":"supergluu/admin-guide/","tags":["Super Gluu","administration","configuration"],"text":"Super Gluu Administration Guide # Obtaining an SSA # In order to set up Super Gluu, the administrator must obtain a Software Statement Assertion from Agama Lab . Login with GitHub or email, then sign up for a SCAN subscription. The free tier will give you 500 credits, which can be used for 500 SuperGluu API calls (1 call = 1 credit). Then, go over to the SSA tab and create a new SSA with the supergluu software role and an expiry date of your choice. Your SSA will no longer be useable after that date. After creating the SSA, you can click on Details and view the base64 encoded string of characters that represent the SSA. 
You will need this string during setup. Configuration on Gluu Flex # Log into Flex UI Navigate to Admin > Scripts > super_gluu Use the following properties: AS_SSA : Your base64 encoded SSA string from Agama Lab AS_ENDPOINT : https://account.gluu.org The rest of the values can be left as provided Enable super_gluu script Navigate to FIDO and Enable SuperGluu At this point, the Super Gluu module on Gluu Flex is configured and ready. This means that, using OpenID Connect acr_values , applications can now request Super Gluu authentication for users. You can verify this by going to the super_gluu script properties and seeing that the AS_CLIENT_ID and AS_CLIENT_SECRET fields are now populated. Configuration on Gluu Server 4.x # To get started, log into the Gluu Server dashboard (a.k.a. oxTrust) and do the following: Navigate to Configuration > Manage Custom Scripts . In the Person Authentication tab find the super_gluu authentication module. Use the following properties: AS_SSA : Your base64 encoded SSA string from Agama Lab AS_ENDPOINT : https://account.gluu.org The rest of the values can be left as provided Scroll down and find the Enable check box. Enable the script by clicking the check box. Scroll to the bottom of the page and click Update . Now Super Gluu is an available authentication mechanism for your Gluu Server. This means that, using OpenID Connect acr_values , applications can now request Super Gluu authentication for users. You can verify this by going to the super_gluu script properties and seeing that the AS_CLIENT_ID and AS_CLIENT_SECRET fields are now populated. Migration from old setups # If you are using a setup from before SCAN was implemented, you will need to migrate to the latest super_gluu interception script. 
Obtain the latest super_gluu interception script for Gluu Server or Jans Open the script configuration using one of the methods mentioned above, and navigate to super_gluu Replace the contents of the script with the new one Disable the script, and click Update . This will update the properties of the script configuration. Populate the AS_SSA and AS_ENDPOINT fields as described above. Enable the script by clicking the Enable check box Scroll to the bottom of the page and click Update The latest version of Super Gluu is now enabled on your server. Note To make sure Super Gluu has been enabled successfully, you can check your Gluu Server's OpenID Connect configuration by navigating to the following URL: https:///.well-known/openid-configuration . Find acr_values_supported and you should see super_gluu . Test 2FA Authentication Flow # To test the Super Gluu configuration from end to end, an administrator can follow the steps below: Change the default authentication method to super_gluu using this guide Keep this browser window active so you can revert the authentication method to the default one. Prepare your mobile device by following Super Gluu mobile app user guide Perform tests using a test user","title":"Administration Guide"},{"location":"supergluu/admin-guide/#super-gluu-administration-guide","text":"","title":"Super Gluu Administration Guide"},{"location":"supergluu/admin-guide/#obtaining-an-ssa","text":"In order to set up Super Gluu, the administrator must obtain a Software Statement Assertion from Agama Lab . Login with GitHub or email, then sign up for a SCAN subscription. The free tier will give you 500 credits, which can be used for 500 SuperGluu API calls (1 call = 1 credit). Then, go over to the SSA tab and create a new SSA with the supergluu software role and an expiry date of your choice. Your SSA will no longer be useable after that date. 
After creating the SSA, you can click on Details and view the base64 encoded string of characters that represent the SSA. You will need this string during setup.","title":"Obtaining an SSA"},{"location":"supergluu/admin-guide/#configuration-on-gluu-flex","text":"Log into Flex UI Navigate to Admin > Scripts > super_gluu Use the following properties: AS_SSA : Your base64 encoded SSA string from Agama Lab AS_ENDPOINT : https://account.gluu.org The rest of the values can be left as provided Enable super_gluu script Navigate to FIDO and Enable SuperGluu At this point, the Super Gluu module on Gluu Flex is configured and ready. This means that, using OpenID Connect acr_values , applications can now request Super Gluu authentication for users. You can verify this by going to the super_gluu script properties and seeing that the AS_CLIENT_ID and AS_CLIENT_SECRET fields are now populated.","title":"Configuration on Gluu Flex"},{"location":"supergluu/admin-guide/#configuration-on-gluu-server-4x","text":"To get started, log into the Gluu Server dashboard (a.k.a. oxTrust) and do the following: Navigate to Configuration > Manage Custom Scripts . In the Person Authentication tab find the super_gluu authentication module. Use the following properties: AS_SSA : Your base64 encoded SSA string from Agama Lab AS_ENDPOINT : https://account.gluu.org The rest of the values can be left as provided Scroll down and find the Enable check box. Enable the script by clicking the check box. Scroll to the bottom of the page and click Update . Now Super Gluu is an available authentication mechanism for your Gluu Server. This means that, using OpenID Connect acr_values , applications can now request Super Gluu authentication for users. 
You can verify this by going to the super_gluu script properties and seeing that the AS_CLIENT_ID and AS_CLIENT_SECRET fields are now populated.","title":"Configuration on Gluu Server 4.x"},{"location":"supergluu/admin-guide/#migration-from-old-setups","text":"If you are using a setup from before SCAN was implemented, you will need to migrate to the latest super_gluu interception script. Obtain the latest super_gluu interception script for Gluu Server or Jans Open the script configuration using one of the methods mentioned above, and navigate to super_gluu Replace the contents of the script with the new one Disable the script, and click Update . This will update the properties of the script configuration. Populate the AS_SSA and AS_ENDPOINT fields as described above. Enable the script by clicking the Enable check box Scroll to the bottom of the page and click Update The latest version of Super Gluu is now enabled on your server. Note To make sure Super Gluu has been enabled successfully, you can check your Gluu Server's OpenID Connect configuration by navigating to the following URL: https:///.well-known/openid-configuration . Find acr_values_supported and you should see super_gluu .","title":"Migration from old setups"},{"location":"supergluu/admin-guide/#test-2fa-authentication-flow","text":"To test the Super Gluu configuration from end to end, an administrator can follow the steps below: Change the default authentication method to super_gluu using this guide Keep this browser window active so you can revert the authentication method to the default one. Prepare your mobile device by following Super Gluu mobile app user guide Perform tests using a test user","title":"Test 2FA Authentication Flow"},{"location":"supergluu/developer-guide/","tags":["Super Gluu","Developer"],"text":"Super Gluu Developer Guide # Super Gluu is a two-factor authentication mobile application for iOS and Android. 
Super Gluu can be used as a strong authentication mechanism to access resources that are protected by Gluu's free open source central authentication server, called the Gluu Server . The below documentation describes what is happening during user enrollment and authentication. QR Code # During enrollment and authentication, the app goes through a few steps: The user scans the QR code, which contains identification data in the following format: { \"app\" : \"https://example.gluu.org\", \"state\" : \"dek4nwk6-dk56-sr43-4frt-4jfi30fltimd\" \"issuer\" : \"https://example.gluu.org\" \"created\" : \"2016-06-12T12:00:01.874000\" } Data from the QR code is changed into Fido U2F metadata: String discoveryUrl = oxPush2Request.getIssuer(); discoveryUrl += \"/.well-known/fido-u2f-configuration\"; final String discoveryJson = CommunicationService.get(discoveryUrl, null); final U2fMetaData u2fMetaData = new Gson().fromJson(discoveryJson, U2fMetaData.class); This metadata is sent to the server: ``` final List keyHandles = dataStore.getKeyHandlesByIssuerAndAppId(oxPush2Request.getIssuer(), oxPush2Request.getApp()); final boolean isEnroll = (keyHandles.size() == 0) || StringUtils.equals(oxPush2Request.getMethod(), \"enroll\"); final String u2fEndpoint; if (isEnroll) u2fEndpoint = u2fMetaData.getRegistrationEndpoint();// if enroll then get registration endpoint } else { u2fEndpoint = u2fMetaData.getAuthenticationEndpoint();// if authentication then get corresponding endpoint } validChallengeJsonResponse = CommunicationService.get(u2fEndpoint, parameters); ``` When the result comes back, it decides whether to enroll a new device or authenticate an existing one: if (isEnroll) { tokenResponse = oxPush2RequestListener.onEnroll(challengeJson, oxPush2Request, isDeny); } else { tokenResponse = oxPush2RequestListener.onSign(challengeJson, u2fMetaData.getIssuer(), isDeny); } Enrollment Process # If you scan a QR code for the first time and your device's UDID isn't attached to your user ID, 
the app will enroll it. First, it needs to prepare the data properties, as follows: > String version = request.getString(JSON_PROPERTY_VERSION); > String appParam = request.getString(JSON_PROPERTY_APP_ID); > String challenge = request.getString(JSON_PROPERTY_SERVER_CHALLENGE); > String origin = oxPush2Request.getIssuer(); > > EnrollmentResponse enrollmentResponse = u2fKey.register(new EnrollmentRequest(version, appParam, challenge, oxPush2Request)); During registration, the app generates a unique keyHandle and keyPair (public/private keys) to sign all data and uses an ECC algorithm to encode the required data, as follows: > TokenEntry tokenEntry = new TokenEntry(keyPairGenerator.keyPairToJson(keyPair), enrollmentRequest.getApplication(), enrollmentRequest.getOxPush2Request().getIssuer()); > . > . > . > dataStore.storeTokenEntry(keyHandle, tokenEntry); > byte[] userPublicKey = keyPairGenerator.encodePublicKey(keyPair.getPublic()); > > byte[] applicationSha256 = DigestUtils.sha256(application); > byte[] challengeSha256 = DigestUtils.sha256(challenge); > byte[] signedData = rawMessageCodec.encodeRegistrationSignedBytes(applicationSha256, challengeSha256, keyHandle, userPublicKey); > byte[] signature = keyPairGenerator.sign(signedData, certificatePrivateKey); > return new EnrollmentResponse(userPublicKey, keyHandle, vendorCertificate, signature); Now, all the data is converted into one-byte array, then one additional parameter is added, determining if the request is approved or denied, as follows: > JSONObject clientData = new JSONObject(); > if (isDeny){ > clientData.put(JSON_PROPERTY_REQUEST_TYPE, REGISTER_CANCEL_TYPE);//Deny > } else { > clientData.put(JSON_PROPERTY_REQUEST_TYPE, REQUEST_TYPE_REGISTER);//Approve > } > clientData.put(JSON_PROPERTY_SERVER_CHALLENGE, challenge); > clientData.put(JSON_PROPERTY_SERVER_ORIGIN, origin); > > String clientDataString = clientData.toString(); > byte[] resp = rawMessageCodec.encodeRegisterResponse(enrollmentResponse); > > 
JSONObject response = new JSONObject(); > response.put(\"registrationData\", Utils.base64UrlEncode(resp)); > response.put(\"clientData\", Utils.base64UrlEncode(clientDataString.getBytes(Charset.forName(\"ASCII\")))); > response.put(\"deviceData\", Utils.base64UrlEncode(deviceDataString.getBytes(Charset.forName(\"ASCII\")))); > > TokenResponse tokenResponse = new TokenResponse(); > tokenResponse.setResponse(response.toString()); > tokenResponse.setChallenge(new String(challenge)); > tokenResponse.setKeyHandle(new String(enrollmentResponse.getKeyHandle())); > > return tokenResponse; For authentication, all information is associated with your device UDID and the app retrieves the data from the data store each time, as follows: > TokenEntry tokenEntry = dataStore.getTokenEntry(keyHandle); > String keyPairJson = tokenEntry.getKeyPair(); > keyPair = keyPairGenerator.keyPairFromJson(keyPairJson); > int counter = dataStore.incrementCounter(keyHandle); > byte userPresence = userPresenceVerifier.verifyUserPresence(); > byte[] applicationSha256 = DigestUtils.sha256(application); > byte[] challengeSha256 = DigestUtils.sha256(challenge); > byte[] signedData = rawMessageCodec.encodeAuthenticateSignedBytes(applicationSha256, userPresence, counter, challengeSha256); > return new AuthenticateResponse(userPresence, counter, signature); The onEnroll and onSign methods prepare the parameters and data before the call to the server. For more information about these two methods, see the Super Gluu Git repo. Now, the app makes one last call to the server: > final Map parameters = new HashMap(); > parameters.put(\"username\", oxPush2Request.getUserName()); > parameters.put(\"tokenResponse\", tokenResponse.getResponse()); > > final String resultJsonResponse = CommunicationService.post(u2fEndpoint, parameters); The string resultJsonResponse contains the JSON result. The app extracts some additional information from this result. 
Check enrollment or authentication success using the u2fOperationResult.getStatus() field, as follows: > LogInfo log = new LogInfo(); > log.setIssuer(oxPush2Request.getIssuer()); > log.setUserName(oxPush2Request.getUserName()); > log.setLocationIP(oxPush2Request.getLocationIP()); > log.setLocationAddress(oxPush2Request.getLocationCity()); > log.setCreatedDate(String.valueOf(System.currentTimeMillis()));//oxPush2Request.getCreated()); > log.setMethod(oxPush2Request.getMethod()); Testing locally # The following is a method for testing Super Gluu locally on a non-public server. This guide assumes a Gluu Server has been installed and is operational. Warning The following testing steps mimic a MITM attack, so needless to say, these instructions are for development purposes only! In the Gluu Server VM settings, change the network adapter connection type from NAT to Bridged; The Gluu Server and smartphone should be connected to WiFi on the same local network Log into the VM and run ifconfig in the terminal to get the IP address of the Gluu Server In oxTrust, enable the Super Gluu authentication script Update the host file on the machine where you are running the browser to log in. Example: 192.168.1.232 c67.example.info Run ipconfig / ifconfig on the machine where you are planning to run your DNS server. Configure any DNS server to allow resovle u144.example.info.=192.168.1.232 . For example you can use a lightweight WindowsDNS DNS proxy server Create a dns.config file in the folder with dedserver.jar. Example file content: u144.example.info.=192.168.1.232 Checkut and build https://github.com/JonahAragon/WindowsDNS Run the DNS server using a command like this: java -jar dedserver.jar Create a dns.config file in the folder with dedserver.jar . 
Example file content: u144.example.info.=192.168.1.232 Run the DNS server using a command like this: java -jar dedserver.jar On your mobile phone, open the WiFi connection details and specify the DNS server IP from Step 6 Now you can test Super Gluu After you finish testing, don't forget to change your WiFi connection type on the mobile phone back to use the automatic settings.","title":"Developer Guide"},{"location":"supergluu/developer-guide/#super-gluu-developer-guide","text":"Super Gluu is a two-factor authentication mobile application for iOS and Android. Super Gluu can be used as a strong authentication mechanism to access resources that are protected by Gluu's free open source central authentication server, called the Gluu Server . The below documentation describes what is happening during user enrollment and authentication.","title":"Super Gluu Developer Guide"},{"location":"supergluu/developer-guide/#qr-code","text":"During enrollment and authentication, the app goes through a few steps: The user scans the QR code, which contains identification data in the following format: { \"app\" : \"https://example.gluu.org\", \"state\" : \"dek4nwk6-dk56-sr43-4frt-4jfi30fltimd\" \"issuer\" : \"https://example.gluu.org\" \"created\" : \"2016-06-12T12:00:01.874000\" } Data from the QR code is changed into Fido U2F metadata: String discoveryUrl = oxPush2Request.getIssuer(); discoveryUrl += \"/.well-known/fido-u2f-configuration\"; final String discoveryJson = CommunicationService.get(discoveryUrl, null); final U2fMetaData u2fMetaData = new Gson().fromJson(discoveryJson, U2fMetaData.class); This metadata is sent to the server: ``` final List keyHandles = dataStore.getKeyHandlesByIssuerAndAppId(oxPush2Request.getIssuer(), oxPush2Request.getApp()); final boolean isEnroll = (keyHandles.size() == 0) || StringUtils.equals(oxPush2Request.getMethod(), \"enroll\"); final String u2fEndpoint; if (isEnroll) u2fEndpoint = u2fMetaData.getRegistrationEndpoint();// if enroll then get 
registration endpoint } else { u2fEndpoint = u2fMetaData.getAuthenticationEndpoint();// if authentication then get corresponding endpoint } validChallengeJsonResponse = CommunicationService.get(u2fEndpoint, parameters); ``` When the result comes back, it decides whether to enroll a new device or authenticate an existing one: if (isEnroll) { tokenResponse = oxPush2RequestListener.onEnroll(challengeJson, oxPush2Request, isDeny); } else { tokenResponse = oxPush2RequestListener.onSign(challengeJson, u2fMetaData.getIssuer(), isDeny); }","title":"QR Code"},{"location":"supergluu/developer-guide/#enrollment-process","text":"If you scan a QR code for the first time and your device's UDID isn't attached to your user ID, the app will enroll it. First, it needs to prepare the data properties, as follows: > String version = request.getString(JSON_PROPERTY_VERSION); > String appParam = request.getString(JSON_PROPERTY_APP_ID); > String challenge = request.getString(JSON_PROPERTY_SERVER_CHALLENGE); > String origin = oxPush2Request.getIssuer(); > > EnrollmentResponse enrollmentResponse = u2fKey.register(new EnrollmentRequest(version, appParam, challenge, oxPush2Request)); During registration, the app generates a unique keyHandle and keyPair (public/private keys) to sign all data and uses an ECC algorithm to encode the required data, as follows: > TokenEntry tokenEntry = new TokenEntry(keyPairGenerator.keyPairToJson(keyPair), enrollmentRequest.getApplication(), enrollmentRequest.getOxPush2Request().getIssuer()); > . > . > . 
> dataStore.storeTokenEntry(keyHandle, tokenEntry); > byte[] userPublicKey = keyPairGenerator.encodePublicKey(keyPair.getPublic()); > > byte[] applicationSha256 = DigestUtils.sha256(application); > byte[] challengeSha256 = DigestUtils.sha256(challenge); > byte[] signedData = rawMessageCodec.encodeRegistrationSignedBytes(applicationSha256, challengeSha256, keyHandle, userPublicKey); > byte[] signature = keyPairGenerator.sign(signedData, certificatePrivateKey); > return new EnrollmentResponse(userPublicKey, keyHandle, vendorCertificate, signature); Now, all the data is converted into one-byte array, then one additional parameter is added, determining if the request is approved or denied, as follows: > JSONObject clientData = new JSONObject(); > if (isDeny){ > clientData.put(JSON_PROPERTY_REQUEST_TYPE, REGISTER_CANCEL_TYPE);//Deny > } else { > clientData.put(JSON_PROPERTY_REQUEST_TYPE, REQUEST_TYPE_REGISTER);//Approve > } > clientData.put(JSON_PROPERTY_SERVER_CHALLENGE, challenge); > clientData.put(JSON_PROPERTY_SERVER_ORIGIN, origin); > > String clientDataString = clientData.toString(); > byte[] resp = rawMessageCodec.encodeRegisterResponse(enrollmentResponse); > > JSONObject response = new JSONObject(); > response.put(\"registrationData\", Utils.base64UrlEncode(resp)); > response.put(\"clientData\", Utils.base64UrlEncode(clientDataString.getBytes(Charset.forName(\"ASCII\")))); > response.put(\"deviceData\", Utils.base64UrlEncode(deviceDataString.getBytes(Charset.forName(\"ASCII\")))); > > TokenResponse tokenResponse = new TokenResponse(); > tokenResponse.setResponse(response.toString()); > tokenResponse.setChallenge(new String(challenge)); > tokenResponse.setKeyHandle(new String(enrollmentResponse.getKeyHandle())); > > return tokenResponse; For authentication, all information is associated with your device UDID and the app retrieves the data from the data store each time, as follows: > TokenEntry tokenEntry = dataStore.getTokenEntry(keyHandle); > String keyPairJson 
= tokenEntry.getKeyPair(); > keyPair = keyPairGenerator.keyPairFromJson(keyPairJson); > int counter = dataStore.incrementCounter(keyHandle); > byte userPresence = userPresenceVerifier.verifyUserPresence(); > byte[] applicationSha256 = DigestUtils.sha256(application); > byte[] challengeSha256 = DigestUtils.sha256(challenge); > byte[] signedData = rawMessageCodec.encodeAuthenticateSignedBytes(applicationSha256, userPresence, counter, challengeSha256); > return new AuthenticateResponse(userPresence, counter, signature); The onEnroll and onSign methods prepare the parameters and data before the call to the server. For more information about these two methods, see the Super Gluu Git repo. Now, the app makes one last call to the server: > final Map parameters = new HashMap(); > parameters.put(\"username\", oxPush2Request.getUserName()); > parameters.put(\"tokenResponse\", tokenResponse.getResponse()); > > final String resultJsonResponse = CommunicationService.post(u2fEndpoint, parameters); The string resultJsonResponse contains the JSON result. The app extracts some additional information from this result. Check enrollment or authentication success using the u2fOperationResult.getStatus() field, as follows: > LogInfo log = new LogInfo(); > log.setIssuer(oxPush2Request.getIssuer()); > log.setUserName(oxPush2Request.getUserName()); > log.setLocationIP(oxPush2Request.getLocationIP()); > log.setLocationAddress(oxPush2Request.getLocationCity()); > log.setCreatedDate(String.valueOf(System.currentTimeMillis()));//oxPush2Request.getCreated()); > log.setMethod(oxPush2Request.getMethod());","title":"Enrollment Process"},{"location":"supergluu/developer-guide/#testing-locally","text":"The following is a method for testing Super Gluu locally on a non-public server. This guide assumes a Gluu Server has been installed and is operational. Warning The following testing steps mimic a MITM attack, so needless to say, these instructions are for development purposes only! 
In the Gluu Server VM settings, change the network adapter connection type from NAT to Bridged; The Gluu Server and smartphone should be connected to WiFi on the same local network Log into the VM and run ifconfig in the terminal to get the IP address of the Gluu Server In oxTrust, enable the Super Gluu authentication script Update the host file on the machine where you are running the browser to log in. Example: 192.168.1.232 c67.example.info Run ipconfig / ifconfig on the machine where you are planning to run your DNS server. Configure any DNS server to allow resovle u144.example.info.=192.168.1.232 . For example you can use a lightweight WindowsDNS DNS proxy server Create a dns.config file in the folder with dedserver.jar. Example file content: u144.example.info.=192.168.1.232 Checkut and build https://github.com/JonahAragon/WindowsDNS Run the DNS server using a command like this: java -jar dedserver.jar Create a dns.config file in the folder with dedserver.jar . Example file content: u144.example.info.=192.168.1.232 Run the DNS server using a command like this: java -jar dedserver.jar On your mobile phone, open the WiFi connection details and specify the DNS server IP from Step 6 Now you can test Super Gluu After you finish testing, don't forget to change your WiFi connection type on the mobile phone back to use the automatic settings.","title":"Testing locally"},{"location":"supergluu/user-guide/","tags":["Super Gluu","User Guide"],"text":"Super Gluu User Guide # This guide will show how to use the Super Gluu two-factor authentication mobile application. It covers the initial setup, managing keys and logs, and general settings. Note The screenshots below are shown in iOS. Android is roughly the same. Initial Setup # Camera Access Prompt # After installation, Super Gluu will request access to use your camera, which is used to scan a QR code to set up your two-factor authentication. 
Choose Login Method # For additional security, Super Gluu gives you the option to configure either a passcode or TouchID to access Super Gluu. This choice can be changed in the application settings later. Note After 5 unsuccessful attempts to enter the passcode, the app is locked for 10 minutes. Screen for the passcode and TouchID selection Screen for enabling passcode Screen for enabling TouchID Confirm Push Notification # Next, it will ask for permission to send push notifications from the Flex. This choice can be changed later in the device settings. More information about the push notification will be covered later in the document. Main Screen # After configuration, the main screen is displayed. It features the main enrollment button in the center and the menu button in the top right. QR Code Enrollment # To enroll a device, enter the credentials in your Flex web app to generate a QR code, then click the Scan QR Code button on the Super Gluu app's Home screen: After it scans the code and the server returns the request correctly, it will prompt to Approve or Deny . To continue the enrollment/authentication process, click Approve : The timer on the top right of the screen shows the time limit to choose to Approve or Deny . As time runs out, the number's color will change: yellow if it's under 20 seconds, red if it's under 10. Next, it will redirect to the main page and display a success message. Menu # After pressing the menu button, you'll get the option to view logs, keys, settings, and help files. You can also check the current app version in the bottom right corner. Tapping it for several seconds will show the details of the latest commit. Logs # Each time it enrolls or authenticates a device, the app will save corresponding logs in the Logs tab. The log details whether authentication was successful, with more details available if the log is tapped on. Clear these logs if desired by swiping left on the log, then tapping the red button. 
The Log tab will report the enrollment and authentication process and display who logged in, when, and from where. Just tap on the log to get to the information screen. The information screen contains data about: Flex name & server URL Username IP address & location Time & date Keys # This tab contains all available keys for each Flex. A key is a unique file that is generated during enrollment and is used to authenticate the device on the server. If a key for a server is deleted, enroll again with a new key. Note If you delete a key from your app but wish to re-enroll the same device against the same server, the corresponding entry for that device also needs to be removed from the user record in the Flex. To change a key's name, swipe left on it and tap the green button. To delete a key, swipe left on the key, then tap the red button. Settings # In the Settings tab, there are options to configure the passcode or TouchID. Push Notifications # Super Gluu can receive push notifications from Flex. The server can send an enrollment or authentication request to the application, as if it scanned the QR code directly. After choosing to receive push notifications either during initial setup or through the Settings tab later, enroll through the server. Super Gluu will send a token to the server, which will be used to send push notifications to the device. After receiving the notification, tap Approve or Deny directly from the push menu. Super Gluu can receive a notification when the application is running in the foreground. It will look just like the original authentication screen. Device Settings, iPad Support # There are a few options for Super Gluu in the device settings - push notifications, location, access to the camera, and passcode protection. Any change made in the device settings will take effect in the application. Super Gluu can run on iPads, and the layout is the same for all IOS devices. 
For more information, please see the Gluu Website","title":"User Guide"},{"location":"supergluu/user-guide/#super-gluu-user-guide","text":"This guide will show how to use the Super Gluu two-factor authentication mobile application. It covers the initial setup, managing keys and logs, and general settings. Note The screenshots below are shown in iOS. Android is roughly the same.","title":"Super Gluu User Guide"},{"location":"supergluu/user-guide/#initial-setup","text":"","title":"Initial Setup"},{"location":"supergluu/user-guide/#camera-access-prompt","text":"After installation, Super Gluu will request access to use your camera, which is used to scan a QR code to set up your two-factor authentication.","title":"Camera Access Prompt"},{"location":"supergluu/user-guide/#choose-login-method","text":"For additional security, Super Gluu gives you the option to configure either a passcode or TouchID to access Super Gluu. This choice can be changed in the application settings later. Note After 5 unsuccessful attempts to enter the passcode, the app is locked for 10 minutes. Screen for the passcode and TouchID selection Screen for enabling passcode Screen for enabling TouchID","title":"Choose Login Method"},{"location":"supergluu/user-guide/#confirm-push-notification","text":"Next, it will ask for permission to send push notifications from the Flex. This choice can be changed later in the device settings. More information about the push notification will be covered later in the document.","title":"Confirm Push Notification"},{"location":"supergluu/user-guide/#main-screen","text":"After configuration, the main screen is displayed. 
It features the main enrollment button in the center and the menu button in the top right.","title":"Main Screen"},{"location":"supergluu/user-guide/#qr-code-enrollment","text":"To enroll a device, enter the credentials in your Flex web app to generate a QR code, then click the Scan QR Code button on the Super Gluu app's Home screen: After it scans the code and the server returns the request correctly, it will prompt to Approve or Deny . To continue the enrollment/authentication process, click Approve : The timer on the top right of the screen shows the time limit to choose to Approve or Deny . As time runs out, the number's color will change: yellow if it's under 20 seconds, red if it's under 10. Next, it will redirect to the main page and display a success message.","title":"QR Code Enrollment"},{"location":"supergluu/user-guide/#menu","text":"After pressing the menu button, you'll get the option to view logs, keys, settings, and help files. You can also check the current app version in the bottom right corner. Tapping it for several seconds will show the details of the latest commit.","title":"Menu"},{"location":"supergluu/user-guide/#logs","text":"Each time it enrolls or authenticates a device, the app will save corresponding logs in the Logs tab. The log details whether authentication was successful, with more details available if the log is tapped on. Clear these logs if desired by swiping left on the log, then tapping the red button. The Log tab will report the enrollment and authentication process and display who logged in, when, and from where. Just tap on the log to get to the information screen. The information screen contains data about: Flex name & server URL Username IP address & location Time & date","title":"Logs"},{"location":"supergluu/user-guide/#keys","text":"This tab contains all available keys for each Flex. A key is a unique file that is generated during enrollment and is used to authenticate the device on the server. 
If a key for a server is deleted, enroll again with a new key. Note If you delete a key from your app but wish to re-enroll the same device against the same server, the corresponding entry for that device also needs to be removed from the user record in the Flex. To change a key's name, swipe left on it and tap the green button. To delete a key, swipe left on the key, then tap the red button.","title":"Keys"},{"location":"supergluu/user-guide/#settings","text":"In the Settings tab, there are options to configure the passcode or TouchID.","title":"Settings"},{"location":"supergluu/user-guide/#push-notifications","text":"Super Gluu can receive push notifications from Flex. The server can send an enrollment or authentication request to the application, as if it scanned the QR code directly. After choosing to receive push notifications either during initial setup or through the Settings tab later, enroll through the server. Super Gluu will send a token to the server, which will be used to send push notifications to the device. After receiving the notification, tap Approve or Deny directly from the push menu. Super Gluu can receive a notification when the application is running in the foreground. It will look just like the original authentication screen.","title":"Push Notifications"},{"location":"supergluu/user-guide/#device-settings-ipad-support","text":"There are a few options for Super Gluu in the device settings - push notifications, location, access to the camera, and passcode protection. Any change made in the device settings will take effect in the application. Super Gluu can run on iPads, and the layout is the same for all IOS devices. For more information, please see the Gluu Website","title":"Device Settings, iPad Support"}]} \ No newline at end of file diff --git a/head/sitemap.xml b/head/sitemap.xml index b21852d8c..b6a3295fd 100644 --- a/head/sitemap.xml +++ b/head/sitemap.xml 
@@ -2,322 +2,322 @@ https://docs.gluu.org/head/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/CHANGELOG/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/config/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/admin-menu/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/auth-server-interaction/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/auth-server-menu/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/configuration/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/dashboard/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/faq/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/fido-menu/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/introduction/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/left-nav-menu/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/logs/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/properties/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/schema-menu/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/services-menu/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/smtp-menu/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/userMgmt-menu/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/admin-ui/webhooks/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/kubernetes-ops/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/kubernetes-ops/admin-ui-private/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/kubernetes-ops/upgrade/ - 
2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/recipes/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/recipes/getting-started-rancher/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/saml/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/saml/idp/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/admin/saml/proxy/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/includes/cn-system-requirements/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/install/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/install/agama/prerequisites/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/install/docker-install/compose/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/install/docker-install/quick-start/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/install/helm-install/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/install/helm-install/amazon-eks/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/install/helm-install/google-gke/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/install/helm-install/local/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/install/helm-install/microsoft-azure/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/install/helm-install/rancher/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/install/vm-install/rhel/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/install/vm-install/suse/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/install/vm-install/ubuntu/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/install/vm-install/vm-requirements/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/openbanking/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/openbanking/configuration-instructions/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/openbanking/curl/ - 2025-01-09 + 2025-01-22 daily 
https://docs.gluu.org/head/openbanking/install-cn/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/openbanking/install-vm/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/openbanking/jans-cli/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/openbanking/par-jarm/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/reference/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/reference/json-config/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/reference/json-config/properties/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/reference/json-config/properties/casa-properties/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/reference/json-config/properties/casaconfig-properties/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/reference/kubernetes/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/reference/kubernetes/docker-admin-ui/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/reference/kubernetes/docker-flex-monolith/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/reference/kubernetes/helm-chart/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/supergluu/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/supergluu/admin-guide/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/supergluu/developer-guide/ - 2025-01-09 + 2025-01-22 daily https://docs.gluu.org/head/supergluu/user-guide/ - 2025-01-09 + 2025-01-22 daily \ No newline at end of file 
diff --git a/head/sitemap.xml.gz b/head/sitemap.xml.gz index 4af4167991649edfe4905ff8c3e00c6aed20e405..065511945e5b8aa41e50b4bba7ce7163d0eba429 100644 GIT binary patch literal 719 zcmV;=0xhL< zT%eah8LzLF-@knjFPCq27uynT!n~-JeY#q9IS;R!=6F1=lF8^`NUIQalVn#{QgbS7 z)~i>`-NmB5#s=o4>9w^%?#5P9ZAJx|R@#;_wb3D{X4{Mv&g(6q;r*;#W&=Lr zz6+tJe5CbdkI`eUIU5E>(8m~yA({hZcs8gn*Yi2pJVm*twyC;b>UfQB+Zb~oGeah%WZMB$)b=1m?iG5*01_$GG<c*-#ITJoN^A64Dy-&;g>jfk-o=5!-rg<|Pu> z-K5$z5q?zS*HYrQZT^UskU;zoJ298?*_Ef+XFkx=LTBA^F685BW^4ruA9?V7en+W&y!T)0qxk2vCxjUfBzM9`bd~}KLD>JM5(BFv954RKeC&4H)8ix^>m&r?2AxAM+QfC-FQ+GV;$(Au@7-b#32h8l%k$NG zxqzUew!vI2zkmB6UN5h=XPc57LSEF$0k4)_&cmCgIUEivv>Ch{a21njP<3?$n`2?K zUR^G?XN&q88<>}-*TzM)9b3WLjE)Ld#+5R)(Sg*>rWq@o)|Z%l)Z2^o#VfHs7wgMf zz02s;`2 zdYwbw_u{_D6y-EeInxiVs+*EW9`jbHz=pc_biM~mJ>te9;<`C)O|e98@;pm5?7@xw7z^!q`}bc#rw@d@{Q-9agK@np001LG BUqS!?