jobs/uaa/spec

---
name: uaa

description: "The UAA is the identity management service for Cloud Foundry. It's primary role is as an OAuth2 provider, issuing tokens for client applications to use when they act on behalf of Cloud Foundry users. It can also authenticate users with their Cloud Foundry credentials, and can act as an SSO service using those credentials (or others). It has endpoints for managing user accounts and for registering OAuth2 clients, as well as various other management functions."

templates:
  bin/uaa: bin/uaa
  bin/configure_proxy.erb: bin/configure_proxy
  bin/health_check.erb: bin/health_check
  bin/pre-start.erb: bin/pre-start
  bin/post-start: bin/post-start
  bin/dns/healthy.erb: bin/dns/healthy

  config/uaa.yml.erb: config/uaa.yml
  config/bpm.yml.erb: config/bpm.yml
  config/log4j2.properties.erb: config/log4j2.properties
  config/ldap.crt.erb: config/ldap.crt
  config/messages.properties.erb: config/messages.properties
  config/uaa.crt.erb: config/uaa.crt
  config/tomcat/tomcat.logging.properties: config/tomcat/logging.properties
  config/tomcat/tomcat.server.xml.erb: config/tomcat/server.xml
  config/tomcat/tomcat.context.xml.erb: config/tomcat/context.xml

  bbr/pre-backup-lock.sh.erb: bin/bbr/pre-backup-lock
  bbr/pre-restore-lock.sh.erb: bin/bbr/pre-restore-lock
  bbr/post-backup-unlock.sh.erb: bin/bbr/post-backup-unlock
  bbr/post-restore-unlock.sh: bin/bbr/post-restore-unlock

provides:
- name: uaa_db
  type: uaa_db
  properties:
  - uaadb

- name: uaa_keys
  type: uaa_keys
  properties:
  - encryption.active_key_label
  - encryption.encryption_keys

consumes:
- name: router
  type: http-router
  optional: true
- name: database
  type: database
  optional: true

packages:
  - uaa

properties:
  uaa.rate_limiter:
    config:
      loggingOption:
        description: "(optional) String (see Details)"
        example: AllCallsWithDetails
      credentialID: 
        description: "(optional) String (see Details)"
        example: 'JWT:Claims+"email"\s*:\s*"(.*?)"'
      limiterMappings.name: 
        description: "(required) String"
        example: Info
      limiterMappings.withCallerRemoteAddressID: 
        description: "(optional but) String - (see Window Type)"
        example: 1r/s
      limiterMappings.withCallerCredentialsID: 
        description: "(optional but) String - (see Window Type)"
        example: 1r/s
      limiterMappings.withoutCallerID: 
        description: "(optional but) String - (see Window Type)"
        example: 1r/s
      limiterMappings.global: 
        description: "(optional but) String - (see Window Type)"
        example: 1r/s
      limiterMappings.pathSelectors: 
        description: "(required non-empty) List of String(s) - (see Path Selector)"
        example: "equals:/info"

  encryption.encryption_keys:
    description: "Map of key labels and encryption passphrases that will be used to create keys using a Key Derivation Function. All passphrase values must be at least 8 characters long."
    example: |
      - label: 'key-1'
        passphrase: 'MY-PASSPHRASE'
      - label: 'key-2'
        passphrase: 'MY-PASSPHRASE-TWO'

  encryption.active_key_label:
    description: "The key label of the encryption passphrase that will be used to create the key using a Key Derivation Function for encrypting new data within the UAA database."
    example: 'key-1'

  #backup properties
  release_level_backup:
    description: "DEPRECATED: Do not use this property. Use the corresponding property in bbr-uaadb."

  #uaa database host configuration
  uaadb.address:
    description: |
      The UAA database IP address. If this property is not set, the UAA will look for a `database` link
      and use the first instance address it can find in the list
  uaadb.databases:
    description: |
      The list of databases used in UAA database including tag/name. The UAA will always look for the `uaa` tag
      and use the database name from that tag
    example:
      - name: uaa
        tag: uaa
  uaadb.db_scheme:
    description: "Database scheme for UAA DB. Supported schemes: postgres, mysql"
  uaadb.port:
    description: "The UAA database Port"
  uaadb.tls:
    description: |
      Use TLS connection for UAA database.
      Valid options are:
      enabled (use TLS with full certificate validation),
      enabled_skip_hostname_validation (use TLS but skip validation of common and alt names in the host certificate),
      enabled_skip_all_validation (use TLS but do not validate anything about the host certificate),
      disabled (do not use TLS)

      The database's CA certificate required when TLS is enabled
      should be added to the uaa.ca_certs configuration field.
    default: enabled
  uaadb.tls_protocols:
    description: |
      If using TLS, this property can be used to narrow down the protocols used
      by the UAA database driver.
      This option only takes effect when using `mysql` as `uaadb.db_scheme`.
      The default is null, the database driver will pick the protocol to use.
      The values can be comma separated.
      PostgreSQL defaults to TLSv1.2 through the JDBC driver.
    example: TLSv1.2,TLSv1.1
  uaadb.roles:
    description: |
      The list of database Roles used in UAA database including tag/name/password
      The UAA will always look for the tag `admin` and use the
      `name` and `password` properties as the database credentials
    example:
      - name: uaa
        password: database-password-for-user-uaa
        tag: admin

  # General server properties
  uaa.catalina_opts:
    description: "The options used to configure Tomcat"
    default: -Xmx768m -XX:MaxMetaspaceSize=256m
  uaa.localhost_http_port:
    description: |
      The port on which UAA will accept HTTP traffic from the localhost machine only.
      Only used by monit to call the /healthz endpoint.
      Either use default or set to another value in range [1024-65535].
      This port must not conflict with other ports configured on this VM, such as uaa.ssl.port.
    default: 8080
  uaa.shutdown.sleep:
    description: |
      Used for draining connection during a graceful shutdown. When the UAA process receives a kill signal
      it will delay the shutdown for the configured number of milliseconds. During this period,
      the /healthz endpoint will return 503/stopping while all other endpoints continue to function.
    default: 5000
  uaa.url:
    description: "The base url of the UAA"
  uaa.zones.internal.hostnames:
    description: |
      A list of hostnames that are routed to the UAA, specifically the default zone in the UAA. The UAA will reject any Host headers that it doesn't recognize.
      By default the UAA recognizes:
        The hostname from the property uaa.url
        The hostname from the property login.url
        localhost (in order to accept health checks)
      Any hostnames added as a list are additive to the default hostnames allowed.
    example:
      - hostname1
      - hostname2.localhost
      - hostname3.example.com
  uaa.proxy_ips_regex:
    description: |
      A pipe delimited set of regular expressions of IP addresses that are considered reverse proxies.
      When a request from these IP addresses come in, the x-forwarded-for and x-forwarded-proto headers will be respected.
    default: 10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|169\.254\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.1[6-9]{1}\.\d{1,3}\.\d{1,3}|172\.2[0-9]{1}\.\d{1,3}\.\d{1,3}|172\.3[0-1]{1}\.\d{1,3}\.\d{1,3}
  uaa.proxy.servers:
    description: "Array of the router IPs acting as the first group of HTTP/TCP backends. These will be added to the proxy_ips_regex as exact matches."
    default: []

  env.http_proxy:
    description: "The http_proxy across the VMs used for all requests over http"
    example: http://test.proxy:8080
  env.https_proxy:
    description: "The http_proxy across the VMs used for all requests over https"
    example: http://test.proxy:8080
  env.no_proxy:
    description: "Set No_Proxy across the VMs"
    example: "localhost,127.0.0.0/8,127.0.1.1"
  uaa.issuer:
    description: "The url to use as the issuer URI"
  uaa.logging_level:
    description: Set UAA logging level.  (e.g. TRACE, DEBUG, INFO)
    default: DEBUG
  uaa.logging.format.timestamp:
    description: "Format for timestamp in component logs. Valid values are 'rfc3339', 'rfc3339-legacy', and 'deprecated'. 'rfc3339' sets the format to be {yyyy-MM-dd'T'HH:mm:ss.nnnnnn}{GMT+0}Z which is rfc3339 compliant but additionally has microsecond precision and is set to UTC timezone. 'rfc3339-legacy' sets the time format to be yyyy-MM-dd'T'HH:mm:ss.SSSXXX. 'deprecated' sets the time format to be yyyy-MM-dd HH:mm:ss.SSS."
    default: rfc3339
  uaa.limitedFunctionality.statusFile:
    description: |
      The UAA checks for the presence of this file. If this file exists, the UAA will continue to function
      but in limited mode. This means any authentication or token action will continue to work, but more
      API endpoints that change configuration will return 503 UNAVAILABLE.
      Normally, there is no need to change this value, unless you have other scripts that may rely on it
    default: /var/vcap/data/uaa/bbr_limited_mode.lock
  uaa.limitedFunctionality.whitelist.endpoints:
    description: "Set the whitelisted API for UAA in degraded mode. Methods and Endpoints are unioned with each other: i.e. all methods are permitted for a whitelisted endpoint, and all endpoints are permitted for a whitelisted method"
    default:
      - /oauth/authorize/**
      - /oauth/token/**
      - /check_token/**
      - /login/**
      - /login.do
      - /logout/**
      - /logout.do
      - /saml/**
      - /autologin/**
      - /authenticate/**
      - /idp_discovery/**
  uaa.limitedFunctionality.whitelist.methods:
    description: "Set the whitelisted API for UAA in degraded mode. Methods and Endpoints are unioned with each other: i.e. all methods are permitted for a whitelisted endpoint, and all endpoints are permitted for a whitelisted method"
    default:
      - GET
      - HEAD
      - OPTIONS

  uaa.rest.template.timeout:
    description: "Timeout for the RestTemplates used by the UAA in ms"
    example: 10000
    default: 10000
  uaa.rest.template.maxTotal:
    description: "Size of the connection pool used by the RestTemplates in the UAA"
    example: 20
    default: 20
  uaa.rest.template.maxPerRoute:
    description: "Maximum number of connections to the same route that is used by the RestTemplates in the UAA"
    example: 5
    default: 5
  uaa.rest.template.maxKeepAlive:
    description: "Maximum time in ms that the connections of the RestTemplates are kept alive in the UAA"
    example: 0
    default: 0

  # SSL
  login.protocol:
    description: "Scheme to use for HTTP communication (http/https)"
    default: https
  uaa.ssl.port:
    description: |
      The port on which UAA will accept HTTPS traffic.
      Either use default or set to another value in range [1024-65535].
      This port must not conflict with other ports configured on this VM, such as uaa.localhost_http_port.
    default: 8443
  uaa.ssl.enabled_protocols:
    description: |
      The enabled protocols for ssl connection, accept comma seperated list of TLS versions,
      for example TLSv1.2 or TLS1.3 or TLSv1.2,TLS1.3, default value TLSv1.2,TLSv1.3.
    default: 'TLSv1.2,TLSv1.3'
  uaa.ssl.ciphers:
    description: |
      The ciphers used for SSL connection, this parameter should match selected version from uaa.ssl.enabled_protocols.
      Default ciphers contains ciphers can be used by TLSv1.2 and TLSv1.3: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384
    default: 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384'
  uaa.ssl.protocol_header:
    description: The header to look for to determine if ssl termination was performed by a front end load balancer.
    default: x-forwarded-proto
  uaa.ssl.port_header:
    description: The header to look for to determine the port where ssl termination was performed by a front end load balancer.
    default: X-Forwarded-Port
  uaa.sslCertificate:
    description: "The server's ssl certificate. The default is a self-signed certificate and should always be replaced for production deployments"
    default: ''
    example: |
      -----BEGIN CERTIFICATE-----
      MIIDAjCCAmugAwIBAgIJAJtrcBsKNfWDMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD
      VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j
      aXNjbzEQMA4GA1UECgwHUGl2b3RhbDERMA8GA1UECwwISWRlbnRpdHkxFjAUBgNV
      BAMMDU1hcmlzc2EgS29hbGExIDAeBgkqhkiG9w0BCQEWEW1rb2FsYUBwaXZvdGFs
      LmlvMB4XDTE1MDczMDE5Mzk0NVoXDTI1MDcyOTE5Mzk0NVowgZkxCzAJBgNVBAYT
      AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
      MRAwDgYDVQQKDAdQaXZvdGFsMREwDwYDVQQLDAhJZGVudGl0eTEWMBQGA1UEAwwN
      TWFyaXNzYSBLb2FsYTEgMB4GCSqGSIb3DQEJARYRbWtvYWxhQHBpdm90YWwuaW8w
      gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPVOIGvG8MFbkqi+ytdBHVbEGde4
      jaCphmvGm89/4Ks0r+041VsS55XNYnHsxXTlh1FiB2KcbrDb33pgvuAIYpcAO2I0
      gqGeRoS2hNsxzcFdkgSZn1umDAeoE4bCATrquN93KMcw/coY5jacUfb9P2CQztkS
      e2o+QWtIaWYAvI3bAgMBAAGjUDBOMB0GA1UdDgQWBBTkEjA4CEjevAGfnPBciyXC
      3v4zMzAfBgNVHSMEGDAWgBTkEjA4CEjevAGfnPBciyXC3v4zMzAMBgNVHRMEBTAD
      AQH/MA0GCSqGSIb3DQEBCwUAA4GBAIEd8U32tkcvwG9qCOfe5raBENHM4ltTuhju
      zZWIM5Ik1bFf6+rA71HVDD1Z5fRozidhMOl6mrrGShfu6VUjtqzctJeSjaOPIJL+
      wvrXXcAkCYZ9QKf0sqlUWcIRy90nqrD5sL/rHAjNjxQ3lqIOj7yWOgty4LUzFQNr
      FHiyd3T6
      -----END CERTIFICATE-----
  uaa.sslPrivateKey:
    description: "The server's ssl private key. Only passphrase-less keys are supported"
    default: ''
    example: |
      -----BEGIN RSA PRIVATE KEY-----
      MIICXwIBAAKBgQD1TiBrxvDBW5KovsrXQR1WxBnXuI2gqYZrxpvPf+CrNK/tONVb
      EueVzWJx7MV05YdRYgdinG6w2996YL7gCGKXADtiNIKhnkaEtoTbMc3BXZIEmZ9b
      pgwHqBOGwgE66rjfdyjHMP3KGOY2nFH2/T9gkM7ZEntqPkFrSGlmALyN2wIDAQAB
      AoGBAPBvfz+kYt5iz0EuoMqTPBqLY3kZn1fWUbbZmGatxJyKq9UsW5NE2FDwWomn
      tXJ6d0PBfdOd2LDpEgZ1RSF5lobXn2m2+YeEso7A7yMiBRW8CIrkUn8wVA0s42t+
      osElfvj73G2ZjCqQm6BLCjtFYnalmZIzfOCB26xRWaf0MJ7hAkEA/XaqnosJfmRp
      kmvto81LEvjVVlSvpo+6rt66ykywEv9daHWZZBrrwVz3Iu4oXlwPuF8bcO8JMLRf
      OH98T1+1PQJBAPfCj0r3fRhmBZMWqf2/tbeQPvIQzqSXfYroFgnKIKxVCV8Bkm3q
      1rP4c0XDHEWYIwvMWBTOmVSZqfSxtwIicPcCQQDCcRqK7damo5lpvmpb0s3ZDBN9
      WxI1EOYB6NQbBaG9sTGTRUQbS5u4hv0ASvulB7L3md6PUJEYUAcMbKCMs7txAkEA
      7C8pwHJba0XebJB/bqkxxpKYntPM2fScNi32zFBGg2HxNANgnq3vDNN8t/U+X02f
      oyCimvs0CgUOknhTmJJSkwJBAPaI298JxTnWncC3Zu7d5QYCJXjU403Aj4LdcVeI
      6A15MzQdj5Hm82vlmpC4LzXofLjiN4E5ZLluzEw+1TjRE7c=
      -----END RSA PRIVATE KEY-----
  uaa.ca_certs:
    description: "Array of CA certificates to load into the UAA's truststore"
    example:
      - |
        -----BEGIN CERTIFICATE-----
        MIIDAjCCAmugAwIBAgIJAJtrcBsKNfWDMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD
        VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j
        aXNjbzEQMA4GA1UECgwHUGl2b3RhbDERMA8GA1UECwwISWRlbnRpdHkxFjAUBgNV
        BAMMDU1hcmlzc2EgS29hbGExIDAeBgkqhkiG9w0BCQEWEW1rb2FsYUBwaXZvdGFs
        LmlvMB4XDTE1MDczMDE5Mzk0NVoXDTI1MDcyOTE5Mzk0NVowgZkxCzAJBgNVBAYT
        AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2Nv
        MRAwDgYDVQQKDAdQaXZvdGFsMREwDwYDVQQLDAhJZGVudGl0eTEWMBQGA1UEAwwN
        TWFyaXNzYSBLb2FsYTEgMB4GCSqGSIb3DQEJARYRbWtvYWxhQHBpdm90YWwuaW8w
        gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAPVOIGvG8MFbkqi+ytdBHVbEGde4
        jaCphmvGm89/4Ks0r+041VsS55XNYnHsxXTlh1FiB2KcbrDb33pgvuAIYpcAO2I0
        gqGeRoS2hNsxzcFdkgSZn1umDAeoE4bCATrquN93KMcw/coY5jacUfb9P2CQztkS
        e2o+QWtIaWYAvI3bAgMBAAGjUDBOMB0GA1UdDgQWBBTkEjA4CEjevAGfnPBciyXC
        3v4zMzAfBgNVHSMEGDAWgBTkEjA4CEjevAGfnPBciyXC3v4zMzAMBgNVHRMEBTAD
        AQH/MA0GCSqGSIb3DQEBCwUAA4GBAIEd8U32tkcvwG9qCOfe5raBENHM4ltTuhju
        zZWIM5Ik1bFf6+rA71HVDD1Z5fRozidhMOl6mrrGShfu6VUjtqzctJeSjaOPIJL+
        wvrXXcAkCYZ9QKf0sqlUWcIRy90nqrD5sL/rHAjNjxQ3lqIOj7yWOgty4LUzFQNr
        FHiyd3T6
        -----END CERTIFICATE-----

  #Branding/Customization
  login.branding.company_name:
    description: This name is used on the UAA Pages and in account management related communication in UAA
  login.branding.product_logo:
    description: This is a base64 encoded PNG image which will be used as the logo on all UAA pages like Login, Sign Up etc.
  login.branding.square_logo:
    description: This is a base64 encoded PNG image which will be used as the favicon for the UAA pages
  login.branding.footer_legal_text:
    description: This text appears on the footer of all UAA pages
  login.branding.footer_links:
    description: These links appear on the footer of all UAA pages. You may choose to add multiple urls for things like Support, Terms of Service etc.
    example:
      linkDisplayName: linkDisplayUrl
  login.branding.banner.logo:
    description: This is a base64 encoded PNG image which will be used as the banner on the UAA discovery login page
  login.branding.banner.text:
    description: This is text that will be used in the banner area on the UAA discovery login page if no banner logo is configured
  login.branding.banner.textColor:
    description: This is the color to be used for banner text if banner text is defined to be used on the UAA discovery login page
  login.branding.banner.backgroundColor:
    description: This is the color to be used for the background of the banner area on the UAA discovery login page
  login.branding.banner.link:
    description: This is the link to be used for the banner logo or banner text on the UAA discovery login page
  login.branding.consent.text:
    description: This text appears on registration and invitation after the words `I agree to` alongside a checkbox that must be selected before the user can continue.
  login.branding.consent.link:
    description: If `login.branding.consent.text` is set, the text after `I agree to` will be hyperlinked to this location.
  login.asset_base_url:
    description: "Deprecated in favor of branding properties. Base url for static assets, allows custom styling of the login server.  Use '/resources/pivotal' for Pivotal style."
    default: /resources/oss
  login.links:
    description: "A hash of home/passwd/signup URLS (see commented examples below)"
  login.links.global.passwd:
    description: |
      URL for requesting password reset. Displayed on the home page of the UAA.
      This is set globally for all identity zones but can be overridden via Identity Zone API.
      The links also support two variables: {zone.id} and {zone.subdomain}
    default: '/forgot_password'
    example: https://{zone.subdomain}.myaccountmanager.domain.com/z/{zone.id}/forgot_password
  login.links.global.signup:
    description: |
      URL for requesting to signup/register for an account
      This is set globally for all identity zones but can be overridden via Identity Zone API.
      The links also support two variables: {zone.id} and {zone.subdomain}
    default: '/create_account'
    example: https://{zone.subdomain}.myaccountmanager.domain.com/z/{zone.id}/create_account
  login.links.global.homeRedirect:
    description: |
      Landing URL after successful authentication via UI
      This is set globally for all identity zones but can be overridden via Identity Zone API.
      The links also support two variables: {zone.id} and {zone.subdomain}
    default: '/'
    example: https://{zone.subdomain}.myaccountmanager.domain.com/z/{zone.id}/success
  login.links.passwd:
    description: URL for requesting password reset for the default zone
    default: '/forgot_password'
  login.links.signup:
    description: URL for requesting to signup/register for an account
    default: '/create_account'
  login.links.homeRedirect:
    description: Landing URL after successful authentication via UI
    default: '/'
  login.home_redirect:
    description: Deprecated. May 09, 2017. Please use login.links.homeRedirect
  login.self_service_links_enabled:
    description: "Enable self-service account creation and password resets links."
    default: true
  login.messages:
    description: |
      A nested or flat hash of messages that the login server uses to display UI message
      This will be flattened into a java.util.Properties file. The example below will lead
      to four properties, where the key is the concatenated value delimited by dot, for example scope.tokens.read=message
    example:
      messages:
        scope:
          tokens:
            read: View details of your approvals you have granted to this and other applications
            write: Cancel the approvals like this one that you have granted to this and other applications
      scope.tokens.read: View details of your approvals you have granted to this and other applications
      scope.tokens.write: Cancel the approvals like this one that you have granted to this and other applications
  login.logout.redirect.url:
    description: "The Location of the redirect header following a logout of the the UAA (/login)."
    default: /login
  login.logout.redirect.parameter.disable:
    description: "Deprecated as of v52/uaa-4.7.0. Value ignored. Value is always false. Will be removed in the future."
    default: false
  login.logout.redirect.parameter.whitelist:
    description: "A list of URLs that are accepted and honored as values to the `/logout.do?redirect` parameter . If a redirect parameter value is not white listed, redirect will be to the default URL, /login or to the value of uaa.login.logout.redirect.url if set."
  login.prompt.username.text:
    description: "The text used to prompt for a username during login"
    default: Email
  login.prompt.password.text:
    description: "The text used to prompt for a password during login"
    default: Password
  login.idpDiscoveryEnabled:
    description: "IDP Discovery should be set to true if you have configured more than one identity provider for UAA. The discovery relies on email domain being set for each additional provider. This property will also enable a list of selectable accounts that have signed in via the browser."
    default: false
  login.accountChooserEnabled:
    description: "This flag enables the account choosing functionality. If idpDiscoveryEnabled is set to true in the config the IDP is chosen by discovery. Otherwise, the user can enter the IDP by providing the origin."
    default: false
  login.defaultIdentityProvider:
    description: "This value can be set to the origin key of an identity provider. If set, the user will be directed to this identity provider automatically if no other identity provider is discovered or selected via login_hint. When not set, legacy chained authentication (where uaa is attempted first followed by ldap) is used."
    example: uaa
    default: null

  # Email
  login.notifications.url:
    description: "The url for the notifications service (configure to use Notifications Service instead of SMTP server)"
  login.smtp:
    description: "SMTP server configuration, for password reset emails etc."
  login.smtp.host:
    description: "SMTP server host address"
    default: localhost
  login.smtp.port:
    description: "SMTP server port"
    default: 2525
  login.smtp.user:
    description: "SMTP server username"
  login.smtp.password:
    description: "SMTP server password"
  login.smtp.from_address:
    description: "SMTP from address"
  login.smtp.auth:
    description: "If true, authenticate using AUTH command. https://javamail.java.net/nonav/docs/api/com/sun/mail/smtp/package-summary.html"
    default: false
  login.smtp.starttls:
    description: "If true, send STARTTLS command before login to server. https://javamail.java.net/nonav/docs/api/com/sun/mail/smtp/package-summary.html"
    default: false
  login.smtp.sslprotocols:
    description: "If set, specifies the SSL protocols that will be enabled for SSL connections. The property value is a whitespace separated list of tokens. https://javamail.java.net/nonav/docs/api/com/sun/mail/smtp/package-summary.html"
    default: TLSv1.2

  # Delete actions
  uaa.delete:
    description: |
      Contains a map of actions, each with a list of IDs.
      Possible delete actions are 'identityProviders', 'users' and 'clients'.
      Identity providers are identified by their alias
      These will be deleted in the default (`uaa`) zone.
      Unrecognized map keys will be ignored.
      If the ID exists both in the delete and create sections
      the delete section takes preceden
    example: |
      clients:
        - client-to-be-deleted-1
        - client-to-be-deleted-2
      users:
        - user-to-be-deleted-1
        - user-to-be-deleted-2
      identityProviders:
        - octa
        - google

  # client secret policy
  uaa.client.secret.policy:
    description: "The client secret policy for clients in the default zone."
    example:
      uaa:
        client:
          secret:
            policy:
              minLength: 0
              maxLength: 255
              requireUpperCaseCharacter: 0
              requireLowerCaseCharacter: 0
              requireDigit: 0
              requireSpecialCharacter: 0
  uaa.client.secret.policy.minLength:
    description: "Minimum number of characters required for secret to be considered valid (defaults to 0)."
  uaa.client.secret.policy.maxLength:
    description: "Maximum number of characters required for secret to be considered valid (defaults to 255)."
  uaa.client.secret.policy.requireUpperCaseCharacter:
    description: "Minimum number of uppercase characters required for secret to be considered valid (defaults to 0)."
  uaa.client.secret.policy.requireLowerCaseCharacter:
    description: "Minimum number of lowercase characters required for secret to be considered valid (defaults to 0)."
  uaa.client.secret.policy.requireDigit:
    description: "Minimum number of digits required for secret to be considered valid (defaults to 0)."
  uaa.client.secret.policy.requireSpecialCharacter:
    description: "Minimum number of special characters required for secret to be considered valid (defaults to 0)."
  uaa.client.secret.policy.global:
    description: "The global client secret policy for clients in a zone. If the zone doesn't have a client secret policy, this one will be used."
    example:
      uaa:
        client:
          secret:
            policy:
              global:
                minLength: 0
                maxLength: 255
                requireUpperCaseCharacter: 0
                requireLowerCaseCharacter: 0
                requireDigit: 0
                requireSpecialCharacter: 0
  uaa.client.secret.policy.global.minLength:
    description: "Minimum number of characters required for secret to be considered valid (defaults to 0)."
  uaa.client.secret.policy.global.maxLength:
    description: "Maximum number of characters required for secret to be considered valid (defaults to 255)."
  uaa.client.secret.policy.global.requireUpperCaseCharacter:
    description: "Minimum number of uppercase characters required for secret to be considered valid (defaults to 0)."
  uaa.client.secret.policy.global.requireLowerCaseCharacter:
    description: "Minimum number of lowercase characters required for secret to be considered valid (defaults to 0)."
  uaa.client.secret.policy.global.requireDigit:
    description: "Minimum number of digits required for secret to be considered valid (defaults to 0)."
  uaa.client.secret.policy.global.requireSpecialCharacter:
    description: "Minimum number of special characters required for secret to be considered valid (defaults to 0)."

  # Global client redirect URI configuration
  uaa.client.redirect_uri.matching_mode:
    description: |
      When set to `legacy`, allow unsafe matching of redirect URIs.
      For example, https://example.com would also match all subdomains and all paths of https://example.com.
      When set to `exact`, will provide OAuth2 spec-compliant (RFC6749) exact redirect URI matching.
    default: legacy

  # Clients
  uaa.clients:
    description: |
      List of OAuth2 clients that the UAA will be bootstrapped with.
      These will be created in the default (`uaa`) zone.
    example:
      login:
        id: login
        override: true
        secret: some-secret
        authorized-grant-types: authorization_code,client_credentials,refresh_token
        authorities: test_resource.test_action
        scope: test_resource.test_action
        redirect-uri: http://login.example.com
        autoapprove: true
        app-launch-url: http://myloginpage.com
        show-on-homepage: true
        app-icon: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAAD1BMVEWZttQvMDEoKisqKywAAAApvvoVAAAAGElEQVQYlWNgYUQBLAxMDCiAeXgLoHsfAD03AHOyfqy1AAAAAElFTkSuQmCC
      app:
        id: app
        override: true
        secret: app-secret
        authorized-grant-types: authorization_code,client_credentials,refresh_token
        authorities: test_resource.test_action
        scopes: # overrides anything present in 'scope' property
          - test_resource.test_action
          - test_resource.other_action
        redirect-uri: http://login.example.com
        autoapprove:
        - test_resource.test_action
        - test_resource.other_action
        app-launch-url: http://myapppage.com
        show-on-homepage: true
        app-icon: iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAMAAAAoLQ9TAAAAD1BMVEWZttQvMDEoKisqKywAAAApvvoVAAAAGElEQVQYlWNgYUQBLAxMDCiAeXgLoHsfAD03AHOyfqy1AAAAAElFTkSuQmCC
  uaa.admin.client_secret:
    description: "Secret of the admin client - a client named admin with uaa.admin as an authority"

  uaa.authentication.enable_uri_encoding_compatibility_mode:
    description: "When enabled basic auth credentials will only be URI decoded when the `X-CF-ENCODED-CREDENTIALS` header is set to `true`"
    default: false

  # Security policies (for the UAA zone)
  uaa.authentication.policy.lockoutAfterFailures:
    description: "Number of allowed failures before account is locked"
    default: 5
  uaa.authentication.policy.countFailuresWithinSeconds:
    description: "Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked"
    default: 1200
  uaa.authentication.policy.lockoutPeriodSeconds:
    description: "Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded"
    default: 300
  uaa.password.policy.minLength:
    description: "Minimum number of characters required for password to be considered valid"
    default: 0
  uaa.password.policy.maxLength:
    description: "Maximum number of characters required for password to be considered valid"
    default: 255
  uaa.password.policy.requireUpperCaseCharacter:
    description: "Minimum number of uppercase characters required for password to be considered valid"
    default: 0
  uaa.password.policy.requireLowerCaseCharacter:
    description: "Minimum number of lowercase characters required for password to be considered valid"
    default: 0
  uaa.password.policy.requireDigit:
    description: "Minimum number of digits required for password to be considered valid"
    default: 0
  uaa.password.policy.requireSpecialCharacter:
    description: "Minimum number of special characters required for password to be considered valid"
    default: 0
  uaa.password.policy.expirePasswordInMonths:
    description: "Number of months after which current password expires"
    default: 0
  uaa.disableInternalAuth:
    description: "Disables internal user authentication"
    default: false
  uaa.disableInternalUserManagement:
    description: "Disables UI and API for internal user management"
    default: false
  uaa.user.authorities:
    description: "Contains a list of the default authorities/scopes assigned to a user"
    default:
      - openid
      - scim.me
      - cloud_controller.read
      - cloud_controller.write
      - cloud_controller_service_permissions.read
      - password.write
      - uaa.user
      - approvals.me
      - oauth.approvals
      - notification_preferences.read
      - notification_preferences.write
      - profile
      - roles
      - user_attributes
      - uaa.offline_token
  uaa.jwt.queryString.enabled:
    default: true
    description: "If set to true, the /oauth/token and /check_token endpoints accept GET and query string parameters"
  uaa.jwt.revocable:
    default: false
    description: "Set to true if you wish that even JWT tokens become individually revocable and stored in the UAA token storage. This setting applies to the default zone only."
  uaa.jwt.policy.accessTokenValiditySeconds:
    default: 43200
    description: "The access token validity for the default zone if nothing is configured on the client. Will override global validity policies for the default zone only."
  uaa.jwt.policy.refreshTokenValiditySeconds:
    default: 2592000
    description: "The refresh token validity for the default zone if nothing is configured on the client. Will override global validity policies for the default zone only."
  uaa.jwt.policy.active_key_id:
    description: "The ID of the JWT signing key to be used when signing tokens."
    example: "key-1"
  uaa.jwt.policy.keys:
    description: "Map of key IDs and signing keys, each defined with a property `signingKey`."
    example:
      key-1:
        signingKey: |
          -----BEGIN RSA PRIVATE KEY-----
          MIICXgIBAAKBgQDfTLadf6QgJeS2XXImEHMsa+1O7MmIt44xaL77N2K+J/JGpfV3
          AnkyB06wFZ02sBLB7hko42LIsVEOyTuUBird/3vlyHFKytG7UEt60Fl88SbAEfsU
          JN1i1aSUlunPS/NCz+BKwwKFP9Ss3rNImE9Uc2LMvGy153LHFVW2zrjhTwIDAQAB
          AoGBAJDh21LRcJITRBQ3CUs9PR1DYZPl+tUkE7RnPBMPWpf6ny3LnDp9dllJeHqz
          a3ACSgleDSEEeCGzOt6XHnrqjYCKa42Z+Opnjx/OOpjyX1NAaswRtnb039jwv4gb
          RlwT49Y17UAQpISOo7JFadCBoMG0ix8xr4ScY+zCSoG5v0BhAkEA8llNsiWBJF5r
          LWQ6uimfdU2y1IPlkcGAvjekYDkdkHiRie725Dn4qRiXyABeaqNm2bpnD620Okwr
          sf7LY+BMdwJBAOvgt/ZGwJrMOe/cHhbujtjBK/1CumJ4n2r5V1zPBFfLNXiKnpJ6
          J/sRwmjgg4u3Anu1ENF3YsxYabflBnvOP+kCQCQ8VBCp6OhOMcpErT8+j/gTGQUL
          f5zOiPhoC2zTvWbnkCNGlqXDQTnPUop1+6gILI2rgFNozoTU9MeVaEXTuLsCQQDC
          AGuNpReYucwVGYet+LuITyjs/krp3qfPhhByhtndk4cBA5H0i4ACodKyC6Zl7Tmf
          oYaZoYWi6DzbQQUaIsKxAkEA2rXQjQFsfnSm+w/9067ChWg46p4lq5Na2NpcpFgH
          waZKhM1W0oB8MX78M+0fG3xGUtywTx0D4N7pr1Tk2GTgNw==
          -----END RSA PRIVATE KEY-----
  uaa.jwt.signing_key:
    description: "Deprecated. Use uaa.jwt.policy.keys. The key used to sign the JWT-based OAuth2 tokens."
  uaa.jwt.verification_key:
    description: "Deprecated. The key used to verify JWT-based OAuth2 tokens. If you are specifying your signing key(s) under uaa.jwt.policy.keys, the verification key does not need to be specified."
  uaa.jwt.claims.exclude:
    description: "List of claims to exclude from the JWT-based OAuth2 tokens."
    example:
     - authorities
  uaa.jwt.refresh.restrict_grant:
    description: "Disallows refresh-token grant for any client for which the user has not approved the `uaa.offline_token` scope"
    default: false
  uaa.jwt.refresh.unique:
    description: "Revokes existing refresh tokens for client-user combination when creating a new refresh token. Note: only applies if `uaa.jwt.revocable` is true."
    default: false
  uaa.jwt.refresh.rotate:
    description: "Rotate refresh tokens. Invalidate the existing one and issue a new refresh token when processing refresh token flow."
    default: false
  uaa.jwt.refresh.format:
    description: "The format for the refresh token. Allowed values are `jwt`, `opaque`"
    default: jwt

  # cors settings
  uaa.cors.default.allowed.headers:
    description: "whitelist for allowed headers for non-xhr cors requests"
    default: ~
  uaa.cors.default.allowed.origin:
    description: "whitelist for allowed origins for non-xhr cors requests"
    default: ~
  uaa.cors.default.allowed.uris:
    description: "whitelist for allowed uris for non-xhr cors requests"
    default: ~
  uaa.cors.default.allowed.methods:
    description: "whitelist for allowed methods for non-xhr cors requests"
    default: ~
  uaa.cors.default.allowed.credentials:
    description: "whether to allow credentials to be sent over non-xhr cors requests"
    default: ~
  uaa.cors.default.max_age:
    description: "how long the results of a preflight request is cached"
    default: ~
  uaa.cors.xhr.allowed.headers:
    description: "whitelist for allowed headers for xhr cors requests"
    default: ~
  uaa.cors.xhr.allowed.origin:
    description: "whitelist for allowed origins for xhr cors requests"
    default: ~
  uaa.cors.xhr.allowed.uris:
    description: "whitelist for allowed uris for xhr cors requests"
    default: ~
  uaa.cors.xhr.allowed.methods:
    description: "whitelist for allowed methods for xhr cors requests"
    default: ~
  uaa.cors.xhr.allowed.credentials:
    description: "whether to allow credentials to be sent over xhr cors requests"
    default: ~
  uaa.cors.xhr.max_age:
    description: "how long the results of a preflight request is cached"
    default: ~

  # Content Security Policy (csp) settings
  uaa.csp.script-src:
    description: "Overrides the default script-src CSP header value of 'self'. Set this to allow scripts to be loaded from sources besides UAA. Because this overrides (not appends to) the value, be sure to include an entry for 'self' so scripts from UAA are allowed."
    default:
      - "'self'"
    example:
      - "'self'"
      - "'unsafe-inline'"
      - "js.example.com"

  # Global security policies (for all zones)
  uaa.authentication.policy.global.lockoutAfterFailures:
    description: "Number of allowed failures before account is locked"
    default: 5
  uaa.authentication.policy.global.countFailuresWithinSeconds:
    description: "Number of seconds in which lockoutAfterFailures failures must occur in order for account to be locked"
    default: 3600
  uaa.authentication.policy.global.lockoutPeriodSeconds:
    description: "Number of seconds to lock out an account when lockoutAfterFailures failures is exceeded"
    default: 300
  uaa.password.policy.global.minLength:
    description: "Minimum number of characters required for password to be considered valid"
    default: 0
  uaa.password.policy.global.maxLength:
    description: "Maximum number of characters required for password to be considered valid"
    default: 255
  uaa.password.policy.global.requireUpperCaseCharacter:
    description: "Minimum number of uppercase characters required for password to be considered valid"
    default: 0
  uaa.password.policy.global.requireLowerCaseCharacter:
    description: "Minimum number of lowercase characters required for password to be considered valid"
    default: 0
  uaa.password.policy.global.requireDigit:
    description: "Minimum number of digits required for password to be considered valid"
    default: 0
  uaa.password.policy.global.requireSpecialCharacter:
    description: "Minimum number of special characters required for password to be considered valid"
    default: 0
  uaa.password.policy.global.expirePasswordInMonths:
    description: "Number of months after which current password expires"
    default: 0
  uaa.jwt.policy.global.accessTokenValiditySeconds:
    default: 43200
    description: "The global access token validity for all zones if nothing is configured on the client"
  uaa.jwt.policy.global.refreshTokenValiditySeconds:
    default: 2592000
    description: "The global refresh token validity for all zones if nothing is configured on the client"

  # Scim properties
  uaa.scim.user.override:
    description: "If true, override users defined in uaa.scim.users found in the database."
    default: true
  uaa.scim.userids_enabled:
    description: "Enables the endpoint `/ids/Users` that allows consumers to translate user ids to name"
    default: true
  uaa.scim.users:
    description: |
      A list of users to be bootstrapped with authorities.
      These will be created in the default (`uaa`) zone.
      Each entry supports the following format:
        Short OpenStruct:
          - name: username
            password: password
            groups:
              - group1
              - group2
        Long OpenStruct:
          - name: username
            password: password
            groups:
              - group1
              - group2
            firstName: first name
            lastName: lastName
            email: email
            origin: origin-value - most commonly uaa
    example:
      - name: marissa
        password: koala
        email: marissa@test.org
        firstName: Marissa
        lastName: Bloggs
        groups:
          - group_name
        origin: uaa
  uaa.scim.external_groups:
    description: |
      External group mappings. Either formatted as an OpenStruct.
      As an OpenStruct, the mapping additionally specifies an origin to which the mapping is applied:
        origin1:
          external_group1:
            - internal_group1
            - internal_group2
            - internal_group3
          external_group2:
            - internal_group2
            - internal_group4
        origin2:
          external_group3:
            - internal_group3
            - internal_group4
            - internal_group5
  uaa.scim.groups:
    description: |
      Contains a hash of group names and their descriptions. These groups will be added to the UAA database for the default zone but not associated with any user.
      Example:
        uaa:
          scim:
            groups:
              my-test-group: 'My test group description'
              another-group: 'Another group description'
  # probably belongs in uaadb instead
  uaa.database.additionalParameters:
    description: "Additional parameters that should be added to the url that is used to connect to the database. Boolean values need to be passed as String."
    example:
      tcpKeepAlive: "true"
      usePipelineAuth: "false"
  # connection pool properties
  uaa.database.max_connections:
    description: "The max number of open connections to the DB from a running UAA instance"
    default: 100
  uaa.database.max_idle_connections:
    description: "The max number of open idle connections to the DB from a running UAA instance"
    default: 10
  uaa.database.min_idle_connections:
    description: "The min number of open idle connections to the DB from a running UAA instance"
    default: 0
  uaa.database.remove_abandoned:
    description: "True if connections that are left open longer then abandoned_timeout seconds during a session(time between borrow and return from pool) should be forcibly closed"
    default: false
  uaa.database.abandoned_timeout:
    description: "Timeout in seconds for the longest running queries. Take into DB migrations for this timeout as they may run during a long period of time."
    default: 300
  uaa.database.log_abandoned:
    description: "Should connections that are forcibly closed be logged."
    default: true
  uaa.database.case_insensitive:
    description: "Set to true if you don't want to be using LOWER() SQL functions in search queries/filters, because you know that your DB is case insensitive. If this property is null, then it will be set to true if the UAA DB is MySQL and false otherwise, but even on MySQL you can override it by setting it explicitly to false"
  uaa.database.test_while_idle:
    description: "If true, connections will be validated by the idle connection evictor (if any). If the validation fails, the connection is destroyed and removed from the pool."
    default: false

  # LDAP
  uaa.ldap.enabled:
    description: "Set to true to enable LDAP"
    default: false
  uaa.ldap.override:
    description: |
      If the LDAP configuration has `override: false` set, the LDAP values will only be stored
      in the database if the LDAP has not been configured yet.
      If property is omitted, the default is override: true
  uaa.ldap.profile_type:
    description: "The file to be used for configuring the LDAP authentication. Options are: 'simple-bind', 'search-and-bind', 'search-and-compare'"
    default: search-and-bind
  uaa.ldap.url:
    description: "The URL to the ldap server, must start with ldap:// or ldaps://. Allows multiple server URLs to be specified for failover purpose, space separated."
    example: ldap://localhost:389 ldaps://secure.host:636
  uaa.ldap.userDNPattern:
    description: "Used with simple-bind only. A semi-colon separated lists of DN patterns to construct a DN direct from the user ID without performing a search."
  uaa.ldap.userDNPatternDelimiter:
    description: "The delimiter character in between user DN patterns for simple-bind authentication"
    default: ";"
  uaa.ldap.userDN:
    description: "Used with search-and-bind and search-and-compare. A valid LDAP ID that has read permissions to perform a search of the LDAP tree for user information. "
  uaa.ldap.userPassword:
    description: "Used with search-and-bind and search-and-compare. Password for the LDAP ID that performs a search of the LDAP tree for user information."
  uaa.ldap.searchBase:
    description: "Used with search-and-bind and search-and-compare. Define a base where the search starts at."
    default: ""
  uaa.ldap.searchFilter:
    description: "Used with search-and-bind and search-and-compare. Search filter used. Takes one parameter, user ID defined as {0}"
    default: "cn={0}"
  uaa.ldap.passwordAttributeName:
    description: "Used with search-and-compare only. The name of the password attribute in the LDAP directory"
    default: "userPassword"
  uaa.ldap.localPasswordCompare:
    description: "Used with search-and-compare only. Set to true if passwords are retrieved by the search, and should be compared in the login server."
    default: "true"
  uaa.ldap.passwordEncoder:
    description: "Used with search-and-compare only. The encoder used to properly encode user password to match the one in the LDAP directory."
    default: "org.cloudfoundry.identity.uaa.ldap.DynamicPasswordComparator"
  uaa.ldap.sslCertificate:
    description: "Used with ldaps:// URLs. The certificate, if self signed, to be trusted by this connection."
  uaa.ldap.ssl.skipverification:
    description: "Set to true, and LDAPS connection will not validate the server certificate."
    default: false
  uaa.ldap.ssl.tls:
    description: "If using StartTLS, what mode to enable. Default is none, not enabled. Possible values are none, simple"
    default: none
  uaa.ldap.mailAttributeName:
    description: "The name of the LDAP attribute that contains the users email address"
    default: mail
  uaa.ldap.mailSubstitute:
    description: "Defines an email pattern containing a {0} to generate an email address for an LDAP user during authentication"
    default: ''
  uaa.ldap.mailSubstituteOverridesLdap:
    description: "Set to true if you wish to override an LDAP user email address with a generated one"
    default: false
  uaa.ldap.referral:
    description: |
      Configures the UAA LDAP referral behavior. The following values are possible:
      - follow -> Referrals are followed
      - ignore -> Referrals are ignored and the partial result is returned
      - throw  -> An error is thrown and the authentication is aborted
      Reference: http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
    default: follow
  uaa.ldap.groups.profile_type:
    description: "What type of group integration should be used. Values are: 'no-groups', 'groups-as-scopes', 'groups-map-to-scopes'"
    default: "no-groups"
  uaa.ldap.groups.searchBase:
    description: "Search start point for a user group membership search, and sequential nested searches.. You can set this value to 'memberOf' when using Active Directory and skip group search but use the calculated memberOf field on the user records. No nested search will be performed."
    default: ""
  uaa.ldap.groups.groupRoleAttribute:
    description: "Used with groups-as-scopes, defines the attribute that holds the scope name(s)."
    default: spring.security.ldap.dn
  uaa.ldap.groups.groupSearchFilter:
    description: "Search query filter to find the groups a user belongs to, or for a nested search, groups that a group belongs to"
    default: "member={0}"
  uaa.ldap.groups.searchSubtree:
    description: "Boolean value, set to true to search below the search base"
    default: "true"
  uaa.ldap.groups.maxSearchDepth:
    description: "Set to number of levels a nested group search should go. Set to 1 to disable nested groups (default)"
    default: "1"
  uaa.ldap.emailDomain:
    description: "Sets the whitelist of emails domains that the LDAP identity provider handles"
    example:
      - whitelist-domain1.org
      - whitelist-domain2.org
  uaa.ldap.attributeMappings:
    description: "Specifies how UAA user attributes map to LDAP attributes. given_name, family_name, and phone_number are UAA user attributes, while other attributes should be included using the prefix `user.attribute`"
    example:
      given_name: givenName
      family_name: sn
      phone_number: telephoneNumber
      user.attribute.name-of-attribute-in-uaa-id-token: name-of-attribute-in-ldap-record
      user.attribute.name-of-other-attribute-in-uaa-id-token: name-of-other-attribute-in-ldap-record
  uaa.ldap.storeCustomAttributes:
    description: "Stores custom attribute mappings from the attributeMappings configuration in the database so that they can be retrieved using the /userinfo endpoint"
    default: true
  uaa.ldap.externalGroupsWhitelist:
    description: "Whitelist of external groups from LDAP that get added as roles in the ID Token"
    example:
      - admin
      - user
  uaa.ldap.add_shadow_user_on_login:
    description: "If set to false, only users pre-populated in the UAA user database will be allowed to authenticate via LDAP. If set to true, any user from LDAP will be allowed to authenticate and an internal user will be created if one does not yet exist."
    default: true

  # OpenID Connect/OAuth

  login.oauth.providers:
    description: |
      Contains a hash of OpenID Connect/Oauth Identity Providers,
      the key will be used as the origin key for that provider, followed by key/value pairs.
      Presence of the userInfoUrl will mark it as an OpenID provider instead of OAuth.
      If the provider has `override: false` set, the provider values will only be stored
      in the database if the provider doesn't exist.
    example:
      my-oauth-provider:
        override: false
        type: oauth2.0
        authUrl: <URL to the authorize endpoint of the provider>
        tokenUrl: <URL to the token endpoint of the provider>
        tokenKey: <Token verification key>
        tokenKeyUrl: <URL for token verification. Will be used if tokenKey is not specified.>
        issuer: <optional - if the issuer URL is different than tokenUrl URL>
        scopes:
          - openid
          - <other scope>
        linkText: My Oauth Provider
        showLinkText: true
        addShadowUserOnLogin: true
        relyingPartyId: <OAuth Client ID>
        relyingPartySecret: <OAuth Client secret>
        skipSslValidation: false
        storeCustomAttributes: true
        performRpInitiatedLogout: true
        attributeMappings:
          given_name: <Attribute holding given name in the OAuth if an ID Token is present or the access token has claims>
          family_name: <Attribute holding family name in the OAuth if an ID Token is present or the access token has claims>
          user_name: <Attribute holding username in the OAuth if an ID Token is present or the access token has claims>
          external_groups:
            - <attribute holding roles or group memberships in the OAuth if an ID Token is present or the access token has claims>
            - <other attribute holding roles or group memberships in the OAuth if an ID Token is present or the access token has claims>
          user:
            attribute:
              name-of-attribute-in-uaa-id-token: name-of-attribute-in-provider-token
              name-of-other-attribute-in-uaa-id-token: name-of-other-attribute-in-provider-token
      my-oidc-provider:
        type: oidc1.0
        discoveryUrl: |
          <URL for OpenID Connect Identity Provider discovery, example: https://accounts.google.com/.well-known/openid-configuration>
          Using this automatic discovery and you can omit several attributes like issuer, auth endpoint,
          token endpoint, userinfo endpoint, token key url
        scopes:
          - openid
          - <other scope>
        linkText: My Oauth Provider
        showLinkText: true
        addShadowUserOnLogin: true
        relyingPartyId: <OIDC Client ID>
        relyingPartySecret: <OIDC Client secret>
        skipSslValidation: false
        storeCustomAttributes: true
        passwordGrantEnabled: false
        performRpInitiatedLogout: true
        attributeMappings:
          given_name: <Attribute holding given name in the OIDC ID Token>
          family_name: <Attribute holding family name in the OIDC ID Token>
          user_name: <Attribute holding username in the OIDC ID Token>
          external_groups:
            - <attribute holding roles or group memberships in the OIDC id_token>
            - <other attribute holding roles or group memberships in the OIDC id_token>
          user:
            attribute:
              name-of-attribute-in-uaa-id-token: name-of-attribute-in-provider-token
              name-of-other-attribute-in-uaa-id-token: name-of-other-attribute-in-provider-token
        prompts:
          - name: username
            type: text
            text: Email
          - name: password
            type: password
            text: Password
          - name: passcode
            type: password
            text: Temporary Authentication Code (Get on at /passcode)

  # Saml
  login.saml.entityid:
    description: |
      This is used as the SAML Service Provider Entity ID. Each zone has a unique entity ID. Zones other than
      the default zone will derive their entity ID from this setting by prefexing it with the subdomain.
    example:
  login.saml.entity_base_url:
    description: |
      The URL for which SAML identity providers will post assertions to.
      If set it overrides the default.
      This URL should NOT have the schema (http:// or https:// prefix in it) instead just the hostname.
      The schema is derived by #{login.protocol} property.
      The default value is `p("uaa.url").sub("://uaa.", "://login.")`, typically login.example.com
      The UAA will display this link in the cf --sso call if there is a SAML provider enabled.
  login.saml.activeKeyId:
    description: |
      The active key to be used for signing messages and the key to be used to encrypt messages.
      See login.saml.keys
  login.saml.keys:
    description: |
      A map of keys where each map key is the name of the key. The login.saml.activeKeyId must match
      one of the keys in the map.
      To rotate keys, simply add keys. To activate a key, add it as the login.saml.activeKeyId
    example: |
      activeKeyId: key1
      keys:
        key1:
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            MIIEogIBAAKCAQEArRkvkddLUoNyuvu0ktkcLL0CyGG8Drh9oPsaVOLVHJqB1Ebr
            oNMTPbY0HPjuD5WBDZTi3ftNLp1mPn9wFy6FhMTvIYeQmTskH8m/kyVReXG/zfWq
            a4+V6UW4nmUcvfF3YNrHvN5VPTWTJrc2KBzseWQ70OaBNfBi6z4XbdOF45dDfck2
            oRnasinUv+rG+PUl7x8OjgdVyyen6qeCQ6xt8W9fHg//Nydlfwb3/L+syPoBujdu
            Hai7GoLUzm/zqOM9dhlR5mjuEJ3QUvnmGKrGDoeHFog0CMgLC+C0Z4ZANB6GbjlM
            bsQczsaYxHMqAMOnOe6xIXUrPOoc7rclwZeHMQIDAQABAoIBAAFB2ZKZmbZztfWd
            tmYKpaW9ibOi4hbJSEBPEpXjP+EBTkgYa8WzQsSD+kTrme8LCvDqT+uE076u7fsu
            OcYxVE7ujz4TGf3C7DQ+5uFOuBTFurroOeCmHlSfaQPdgCPxCQjvDdxVUREsvnDd
            i8smyqDnFXgi9HVL1awXu1vU2XgZshfl6wBOCNomVMCN8mVcBQ0KM88SUvoUwM7i
            sSdj1yQV16Za8+nVnMW41FMHegVRd3Y5EsXJfwGuXnZMIG87PavH1nUqn9NOFq9Y
            kb4SeOO47PaMxv7jMaXltVVokdGH8L/BY4we8tBL+wVeUJ94aYx/Q/LUAtRPbKPS
            ZSEi/7ECgYEA3dUg8DXzo59zl5a8kfz3aoLl8RqRYzuf8F396IuiVcqYlwlWOkZW
            javwviEOEdZhUZPxK1duXKTvYw7s6eDFwV+CklTZu4A8M3Os0D8bSL/pIKqcadt5
            JClIRmOmmQpj9AYhSdBTdQtJGjVDaDXJBb7902pDm9I4jMFbjAKLZNsCgYEAx8J3
            Y1c7GwHw6dxvTywrw3U6z1ILbx2olVLY6DIgZaMVT4EKTAv2Ke4xF4OZYG+lLRbt
            hhOHYzRMYC38MNl/9RXHBgUlQJXOQb9u644motl5dcMvzIIuWFCn5vXxR2C3McNy
            vPdzYS2M64xRGy+IENtPSCcUs9C99bEajRcuG+MCgYAONabEfFA8/OvEnA08NL4M
            fpIIHbGOb7VRClRHXxpo8G9RzXFOjk7hCFCFfUyPa/IT7awXIKSbHp2O9NfMK2+/
            cUTF5tWDozU3/oLlXAV9ZX2jcApQ5ZQe8t4EVEHJr9azPOlI9yVBbBWkriDBPiDA
            U3mi3z2xb4fbzE726vrO3QKBgA6PfTZPgG5qiM3zFGX3+USpAd1kxJKX3dbskAT0
            ymm+JmqCJGcApDPQOeHV5NMjsC2GM1AHkmHHyR1lnLFO2UXbDYPB0kJP6RXfx00C
            MozCP1k3Hf/RKWGkl2h9WtXyFchZz744Zz+ZG2F7+9l4cHmSEshWmOq2d3I2M5I/
            M0wzAoGAa2oM4Q6n+FMHl9e8H+2O4Dgm7wAdhuZI1LhnLL6GLVC1JTmGrz/6G2TX
            iNFhc0lnDcVeZlwg4i7M7MH8UFdWj3ZEylsXjrjIspuAJg7a/6qmP9s2ITVffqYk
            2slwG2SIQchM5/0uOiP9W0YIjYEe7hgHUmL9Rh8xFuo9y72GH8c=
            -----END RSA PRIVATE KEY-----
          passphrase: password
          certificate: |
            -----BEGIN CERTIFICATE-----
            MIID0DCCArgCCQDBRxU0ucjw6DANBgkqhkiG9w0BAQsFADCBqTELMAkGA1UEBhMC
            VVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMR8wHQYDVQQK
            ExZDbG91ZCBGb3VuZHJ5IElkZW50aXR5MQ4wDAYDVQQLEwVLZXkgMTEiMCAGA1UE
            AxMZbG9naW4uaWRlbnRpdHkuY2YtYXBwLmNvbTEgMB4GCSqGSIb3DQEJARYRZmhh
            bmlrQHBpdm90YWwuaW8wHhcNMTcwNDEwMTkxMTIyWhcNMTgwNDEwMTkxMTIyWjCB
            qTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
            c2NvMR8wHQYDVQQKExZDbG91ZCBGb3VuZHJ5IElkZW50aXR5MQ4wDAYDVQQLEwVL
            ZXkgMTEiMCAGA1UEAxMZbG9naW4uaWRlbnRpdHkuY2YtYXBwLmNvbTEgMB4GCSqG
            SIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IB
            DwAwggEKAoIBAQCtGS+R10tSg3K6+7SS2RwsvQLIYbwOuH2g+xpU4tUcmoHURuug
            0xM9tjQc+O4PlYENlOLd+00unWY+f3AXLoWExO8hh5CZOyQfyb+TJVF5cb/N9apr
            j5XpRbieZRy98Xdg2se83lU9NZMmtzYoHOx5ZDvQ5oE18GLrPhdt04Xjl0N9yTah
            GdqyKdS/6sb49SXvHw6OB1XLJ6fqp4JDrG3xb18eD/83J2V/Bvf8v6zI+gG6N24d
            qLsagtTOb/Oo4z12GVHmaO4QndBS+eYYqsYOh4cWiDQIyAsL4LRnhkA0HoZuOUxu
            xBzOxpjEcyoAw6c57rEhdSs86hzutyXBl4cxAgMBAAEwDQYJKoZIhvcNAQELBQAD
            ggEBAB72QKF9Iri+UdCGAIok/qIeKw5AwZ0wtiONa+DF4B80/yAA1ObpuO3eeeka
            t0s4wtCRflE08zLrwqHlvKQAGKmJkfRLfEqfKStIUOTHQxE6wOaBtfW41M9ZF1hX
            NHpnkfmSQjaHVNTRbABiFH6eTq8J6CuO12PyDf7lW3EofvcTU3ulsDhuMAz02ypJ
            BgcOufnl+qP/m/BhVQsRD5mtJ56uJpHvri1VR2kj8N59V8f6KPO2m5Q6MulEhWml
            TsxyxUl03oyICDP1cbpYtDk2VddVNWipHHPH/mBVW41EBVv0VDV03LH3RfS9dXiK
            ynuP3shhqhFvaaiUTZP4l5yF/GQ=
            -----END CERTIFICATE-----
        key2:
          key: |
            -----BEGIN RSA PRIVATE KEY-----
            MIIEpAIBAAKCAQEAwt7buITRZhXX98apcgJbiHhrPkrgn5MCsCphRQ89oWPUHWjN
            j9Kz2m9LaKgq9DnNLl22U4e6/LUQToBCLxkIqwaobZKjIUjNAmNomqbNO7AD2+K7
            RCiQ2qijWUwXGu+5+fSmF/MOermNKUDiQnRJSSSAPObAHOI980zTWVsApKpcFVaV
            vk/299L/0rk8I/mNvf63cdw4Nh3xn4Ct+oCnTaDg5OtpGz8sHlocOAti+LdrtNzH
            uBWq8q2sdhFQBRGe1MOeH8CAEHgKYwELTBCJEyLhykdRgxXJHSaL56+mb6HQvGO/
            oyZHn+qHsCCjcdR1L/U4qt4m7HBimv0qbvApQwIDAQABAoIBAQCftmmcnHbG1WZR
            NChSQa5ldlRnFJVvE90jJ0jbgfdAHAKQLAI2Ozme8JJ8bz/tNKZ+tt2lLlxJm9iG
            jkYwNbNOAMHwNDuxHuqvZ2wnPEh+/+7Zu8VBwoGeRJLEsEFLmWjyfNnYTSPz37nb
            Mst+LbKW2OylfXW89oxRqQibdqNbULpcU4NBDkMjToH1Z4dUFx3X2R2AAwgDz4Ku
            HN4HoxbsbUCI5wLDJrTGrJgEntMSdsSdOY48YOMBnHqqfw7KoJ0sGjrPUy0vOGq2
            CeP3uqbXX/mJpvJ+jg3Y2b1Zeu2I+vAnZrxlaZ+hYnZfoNqVjBZ/EEq/lmEovMvr
            erP8FYI5AoGBAOrlmMZYdhW0fRzfpx6WiBJUkFfmit4qs9nQRCouv+jHS5QL9aM9
            c+iKeP6kWuxBUYaDBmf5J1OBW4omNd384NX5PCiL/Fs/lxgdMZqEhnhT4Dj4Q6m6
            ZXUuY6hamoF5+z2mtkZzRyvD1LUAARKJw6ggUtcH28cYC3RkZ5P6SWHVAoGBANRg
            scI9pF2VUrmwpgIGhynLBEO26k8j/FyE3S7lPcUZdgPCUZB0/tGklSo183KT/KQY
            TgO2mqb8a8xKCz41DTnUPqJWZzBOFw5QaD2i9O6soXUAKqaUm3g40/gyWX1hUtHa
            K0Kw5z1Sf3MoCpW0Ozzn3znYbAoSvBRr53d0EVK3AoGAOD1ObbbCVwIGroIR1i3+
            WD0s7g7Bkt2wf+bwWxUkV4xX2RNf9XyCItv8iiM5rbUZ2tXGE+DAfKrNCu+JGCQy
            hKiOsbqKaiJ4f4qF1NQECg0y8xDlyl5Zakv4ClffBD77W1Bt9cIl+SGC7O8aUqDv
            WnKawucbxLhKDcz4S6KyLR0CgYEAhuRrw24XqgEgLCVRK9QtoZP7P28838uBjNov
            Cow8caY8WSLhX5mQCGQ7AjaGTG5Gd4ugcadYD1wgs/8LqRVVMzfmGII8xGe1KThV
            HWEVpUssuf3DGU8meHPP3sNMJ+DbE8M42wE1vrNZlDEImBGD1qmIFVurM7K2l1n6
            CNtF7X0CgYBuFf0A0cna8LnxOAPm8EPHgFq4TnDU7BJzzcO/nsORDcrh+dZyGJNS
            fUTMp4k+AQCm9UwJAiSf4VUwCbhXUZ3S+xB55vrH+Yc2OMtsIYhzr3OCkbgKBMDn
            nBVKSGAomYD2kCUmSbg7bUrFfGntmvOLqTHtVfrCyE5i8qS63RbHlA==
            -----END RSA PRIVATE KEY-----
          passphrase: password
          certificate: |
            -----BEGIN CERTIFICATE-----
            MIID0DCCArgCCQDqnPTUvA17+TANBgkqhkiG9w0BAQsFADCBqTELMAkGA1UEBhMC
            VVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMR8wHQYDVQQK
            ExZDbG91ZCBGb3VuZHJ5IElkZW50aXR5MQ4wDAYDVQQLEwVLZXkgMjEiMCAGA1UE
            AxMZbG9naW4uaWRlbnRpdHkuY2YtYXBwLmNvbTEgMB4GCSqGSIb3DQEJARYRZmhh
            bmlrQHBpdm90YWwuaW8wHhcNMTcwNDEwMTkxNTAyWhcNMTgwNDEwMTkxNTAyWjCB
            qTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
            c2NvMR8wHQYDVQQKExZDbG91ZCBGb3VuZHJ5IElkZW50aXR5MQ4wDAYDVQQLEwVL
            ZXkgMjEiMCAGA1UEAxMZbG9naW4uaWRlbnRpdHkuY2YtYXBwLmNvbTEgMB4GCSqG
            SIb3DQEJARYRZmhhbmlrQHBpdm90YWwuaW8wggEiMA0GCSqGSIb3DQEBAQUAA4IB
            DwAwggEKAoIBAQDC3tu4hNFmFdf3xqlyAluIeGs+SuCfkwKwKmFFDz2hY9QdaM2P
            0rPab0toqCr0Oc0uXbZTh7r8tRBOgEIvGQirBqhtkqMhSM0CY2iaps07sAPb4rtE
            KJDaqKNZTBca77n59KYX8w56uY0pQOJCdElJJIA85sAc4j3zTNNZWwCkqlwVVpW+
            T/b30v/SuTwj+Y29/rdx3Dg2HfGfgK36gKdNoODk62kbPyweWhw4C2L4t2u03Me4
            Faryrax2EVAFEZ7Uw54fwIAQeApjAQtMEIkTIuHKR1GDFckdJovnr6ZvodC8Y7+j
            Jkef6oewIKNx1HUv9Tiq3ibscGKa/Spu8ClDAgMBAAEwDQYJKoZIhvcNAQELBQAD
            ggEBAKzeh/bRDEEP/WGsiYhCCfvESyt0QeKwUk+Hfl0/oP4m9pXNrnMRApyoi7FB
            owpmXIeqDqGigPai6pJ3xCO94P+Bz7WTk0+jScYm/hGpcIOeKh8FBfW0Fddu9Otn
            qVk0FdRSCTjUZKQlNOqVTjBeKOjHmTkgh96IR3EP2/hp8Ym4HLC+w265V7LnkqD2
            SoMez7b2V4NmN7z9OxTALUbTzmFG77bBDExHvfbiFlkIptx8+IloJOCzUsPEg6Ur
            kueuR7IB1S4q6Ja7Gb9b9NYQDFt4hjb5mC9aPxaX+KK2JlZg4cTFVCdkIyp2/fHI
            iQpMzNWb7zZWlCfDL4dJZHYoNfg=
            -----END CERTIFICATE-----
  login.saml.serviceProviderKey:
    description: "Deprecated. Use login.saml.keys. Private key for the service provider certificate."
    example: |
      -----BEGIN RSA PRIVATE KEY-----
      MIICXgIBAAKBgQDfTLadf6QgJeS2XXImEHMsa+1O7MmIt44xaL77N2K+J/JGpfV3
      AnkyB06wFZ02sBLB7hko42LIsVEOyTuUBird/3vlyHFKytG7UEt60Fl88SbAEfsU
      JN1i1aSUlunPS/NCz+BKwwKFP9Ss3rNImE9Uc2LMvGy153LHFVW2zrjhTwIDAQAB
      AoGBAJDh21LRcJITRBQ3CUs9PR1DYZPl+tUkE7RnPBMPWpf6ny3LnDp9dllJeHqz
      a3ACSgleDSEEeCGzOt6XHnrqjYCKa42Z+Opnjx/OOpjyX1NAaswRtnb039jwv4gb
      RlwT49Y17UAQpISOo7JFadCBoMG0ix8xr4ScY+zCSoG5v0BhAkEA8llNsiWBJF5r
      LWQ6uimfdU2y1IPlkcGAvjekYDkdkHiRie725Dn4qRiXyABeaqNm2bpnD620Okwr
      sf7LY+BMdwJBAOvgt/ZGwJrMOe/cHhbujtjBK/1CumJ4n2r5V1zPBFfLNXiKnpJ6
      J/sRwmjgg4u3Anu1ENF3YsxYabflBnvOP+kCQCQ8VBCp6OhOMcpErT8+j/gTGQUL
      f5zOiPhoC2zTvWbnkCNGlqXDQTnPUop1+6gILI2rgFNozoTU9MeVaEXTuLsCQQDC
      AGuNpReYucwVGYet+LuITyjs/krp3qfPhhByhtndk4cBA5H0i4ACodKyC6Zl7Tmf
      oYaZoYWi6DzbQQUaIsKxAkEA2rXQjQFsfnSm+w/9067ChWg46p4lq5Na2NpcpFgH
      waZKhM1W0oB8MX78M+0fG3xGUtywTx0D4N7pr1Tk2GTgNw==
      -----END RSA PRIVATE KEY-----
  login.saml.serviceProviderKeyPassword:
    description: "Deprecated. Use login.saml.keys. Passphrase for the service provider private key."
    example: ""
    default: ""
  login.saml.serviceProviderCertificate:
    description: "Deprecated. Use login.saml.keys. Service provider certificate."
    example: |
      -----BEGIN CERTIFICATE-----
      MIIEJTCCA46gAwIBAgIJANIqfxWTfhpkMA0GCSqGSIb3DQEBBQUAMIG+MQswCQYD
      VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j
      aXNjbzEdMBsGA1UEChMUUGl2b3RhbCBTb2Z0d2FyZSBJbmMxJDAiBgNVBAsTG0Ns
      b3VkIEZvdW5kcnkgSWRlbnRpdHkgVGVhbTEcMBoGA1UEAxMTaWRlbnRpdHkuY2Yt
      YXBwLmNvbTEfMB0GCSqGSIb3DQEJARYQbWFyaXNzYUB0ZXN0Lm9yZzAeFw0xNTA1
      MTQxNzE5MTBaFw0yNTA1MTExNzE5MTBaMIG+MQswCQYDVQQGEwJVUzETMBEGA1UE
      CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEdMBsGA1UEChMU
      UGl2b3RhbCBTb2Z0d2FyZSBJbmMxJDAiBgNVBAsTG0Nsb3VkIEZvdW5kcnkgSWRl
      bnRpdHkgVGVhbTEcMBoGA1UEAxMTaWRlbnRpdHkuY2YtYXBwLmNvbTEfMB0GCSqG
      SIb3DQEJARYQbWFyaXNzYUB0ZXN0Lm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
      gYkCgYEA30y2nX+kICXktl1yJhBzLGvtTuzJiLeOMWi++zdivifyRqX1dwJ5MgdO
      sBWdNrASwe4ZKONiyLFRDsk7lAYq3f975chxSsrRu1BLetBZfPEmwBH7FCTdYtWk
      lJbpz0vzQs/gSsMChT/UrN6zSJhPVHNizLxstedyxxVVts644U8CAwEAAaOCAScw
      ggEjMB0GA1UdDgQWBBSvWY/TyHysYGxKvII95wD/CzE1AzCB8wYDVR0jBIHrMIHo
      gBSvWY/TyHysYGxKvII95wD/CzE1A6GBxKSBwTCBvjELMAkGA1UEBhMCVVMxEzAR
      BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xHTAbBgNV
      BAoTFFBpdm90YWwgU29mdHdhcmUgSW5jMSQwIgYDVQQLExtDbG91ZCBGb3VuZHJ5
      IElkZW50aXR5IFRlYW0xHDAaBgNVBAMTE2lkZW50aXR5LmNmLWFwcC5jb20xHzAd
      BgkqhkiG9w0BCQEWEG1hcmlzc2FAdGVzdC5vcmeCCQDSKn8Vk34aZDAMBgNVHRME
      BTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAL5j1JCN5EoXMOOBSBUL8KeVZFQD3Nfy
      YkYKBatFEKdBFlAKLBdG+5KzE7sTYesn7EzBISHXFz3DhdK2tg+IF1DeSFVmFl2n
      iVxQ1sYjo4kCugHBsWo+MpFH9VBLFzsMlP3eIDuVKe8aPXFKYCGhctZEJdQTKlja
      lshe50nayKrT
      -----END CERTIFICATE----
  login.saml.providers:
    description: |
      Contains a hash of SAML Identity Providers,
      the key is the IDP Alias, followed by key/value pairs.
      To learn more about how to setup a saml identity provider go to https://simplesamlphp.org
      If the provider has `override: false` set, the provider values will only be stored
      in the database if the provider doesn't exist.
    example:
      my-identity-provider:
        override: false
        metadataTrustCheck: false
        idpMetadata: http://my.identityprovider.com/saml2/idp/metadata.php
        nameID: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        assertionConsumerIndex: 0
        signMetaData: false
        signRequest: false
        iconUrl: https://my.identityprovider.com/icon.png
        showSamlLoginLink: true
        linkText: Log in with My Saml Identity Provider
        groupMappingMode: AS_SCOPES
        skipSslValidation: false
        storeCustomAttributes: true
  login.saml.socket.connectionManagerTimeout:
    description: "Timeout in milliseconds for connection pooling for SAML metadata HTTP requests"
    default: 10000
  login.saml.socket.soTimeout:
    description: "Read timeout in milliseconds for SAML metadata HTTP requests"
    default: 10000
  login.saml.signMetaData:
    description: "Global property to sign Local/SP metadata"
    default: true
  login.saml.signRequest:
    description: "Global property to sign Local/SP requests"
    default: true
  login.saml.wantAssertionSigned:
    description: "Global property to request that external IDPs sign their SAML assertion before sending them to the UAA"
    default: true
  login.saml.disableInResponseToCheck:
    description: |
      Disable InResponseToField SAML validation on the default zone. For non default zone, this flag is part of the zone configuration.
      Please see: https://docs.spring.io/spring-security-saml/docs/current/reference/html/chapter-troubleshooting.html
    default: false
  login.saml.signatureAlgorithm:
    description: "Signature hashing algorithm for SAML. Can be SHA1, SHA256, or SHA512."
    example: SHA256
  login.url:
    description: |
      Set if you have an external login server.
      The UAA uses this link on by its email service to create links
      The UAA uses this as a base domain for internal hostnames so that subdomain can be detected
      This defaults to the uaa.url property, and if not set, to login.<domain>
    default: ~
  uaa.servlet.session-store:
    description: |
        Select the backend where user sessions will be stored
        Valid options are:
          memory (use an in memory map structure),
          database (use the configured database as a session store)
    default: memory
  uaa.servlet.idle-timeout:
    description: "UAA session idle timeout in seconds."
    default: 1800
  uaa.servlet.session-cookie.max-age:
    description: |
      Lifetime of the UAA session cookie in seconds.
      If -1, will use 'Session' lifetime.
    default: -1
  uaa.servlet.session-cookie.encode-base64:
    description: |
      Use base64 to encode the UAA session cookie.
      If true, base64 encode is used, if false url encode is used.
    default: true

  # CORS
  uaa.cors.enforce_system_zone_policy_in_all_zones:
    description: |
      When set to true, the CORS policy for custom identity zones will be ignored,
      and the system default identity zone policy will apply to all zones. When set
      to false, the CORS policy for custom identity zones will be honored.
    default: true