diff --git a/x-pack/docs/en/security/authentication/saml-realm.asciidoc b/x-pack/docs/en/security/authentication/saml-realm.asciidoc index 4de8d5a28ce..bbf7d597b30 100644 --- a/x-pack/docs/en/security/authentication/saml-realm.asciidoc +++ b/x-pack/docs/en/security/authentication/saml-realm.asciidoc 
@@ -25,238 +25,19 @@ for SAML realms. [[saml-settings]] ==== SAML Realm Settings -[cols="4,^3,10"] -|======================= -| Setting | Required | Description -| `type` | yes | Indicates the realm type. Must be set to `saml`. -| `order` | no | Indicates the priority of this realm within the realm chain. - Realms with a lower order are consulted first. Although not - required, we recommend explicitly setting this value when - you configure multiple realms. Defaults to `Integer.MAX_VALUE`. -| `enabled` | no | Indicates whether this realm is enabled or disabled. Enables - you to disable a realm without removing its configuration. - Defaults to `true`. -| `idp.entity_id` | yes | The Entity ID of the SAML Identity Provider. An Entity ID is - a URI with a maximum length of 1024 characters. It can be a - URL (`https://idp.example.com/`) or a URN (`urn:example.com:idp`) - and can be found in the configuration or the SAML metadata - of the Identity Provider. -| `idp.metadata.path` | yes | The path (_recommended_) or URL to a SAML 2.0 metadata file - describing the capabilities and configuration of the Identity - Provider. - If a path is provided, then it is resolved relative to the - {es} config directory. - If a URL is provided, then it must be either a `file` URL or - a `https` URL. - {security} will automatically poll this metadata resource and - will reload the IdP configuration when changes are detected. - File based resources are polled at a frequency determined by - the global {es} `resource.reload.interval.high` setting, which - defaults to 5 seconds. - HTTPS resources are polled at a frequency determined by - the realm's `idp.metadata.http.refresh` setting. -| `idp.metadata.http.refresh` | no | Controls the frequency with which `https` metadata is checked - for changes. Defaults to 1 hour. -| `idp.use_single_logout` | no | Indicates whether to utilise the Identity Provider's Single - Logout service (if one exists in the IdP metadata file). - Defaults to `true`. 
-| `sp.entity_id` | yes | The Entity ID to use for this SAML Service Provider. - This should be entered as a URI. We recommend that you use the - base URL of your {kib} instance, - e.g. `https://kibana.example.com/` -| `sp.acs` | yes | The URL of the Assertion Consumer Service within {kib}. - Typically this will be the "api/security/v1/saml" endpoint of - your {kib} server, - e.g. `https://kibana.example.com/api/security/v1/saml` -| `sp.logout` | no | The URL of the Single Logout service within {kib}. - Typically this will be the "logout" endpoint of - your {kib} server, - e.g. `https://kibana.example.com/logout` -| `attributes.principal` | yes | The Name of the SAML attribute that should be used as the - {security} user's principal (username) -| `attributes.groups` | no | The Name of the SAML attribute that should be used to populate - {security} user's groups -| `attributes.name` | no | The Name of the SAML attribute that should be used to populate - {security} user's full name -| `attributes.mail` | no | The Name of the SAML attribute that should be used to populate - {security} user's email address -| `attributes.dn` | no | The Name of the SAML attribute that should be used to populate - {security} user's X.500 _Distinguished Name_ -| `attribute_patterns.principal` | no | A java regular expression that is matched against the SAML attribute - specified by `attributes.pattern` before it is applied to the user's - _principal_ property. - The attribute value must match the pattern, and the value of the - first _capturing group_ is used as the principal. - e.g. `^([^@]+)@example\\.com$` matches email addresses from the - "example.com" domain and uses the local-part as the principal. -| `attribute_patterns.groups` | no | As per `attribute_patterns.principal`, but for the _group_ property. -| `attribute_patterns.name` | no | As per `attribute_patterns.principal`, but for the _name_ property. 
-| `attribute_patterns.mail` | no | As per `attribute_patterns.principal`, but for the _mail_ property. -| `attribute_patterns.dn` | no | As per `attribute_patterns.principal`, but for the _dn_ property. -| `nameid_format` | no | The NameID format that should be requested when asking the IdP - to authenticate the current user. - Defaults to requesting _transient_ names - (`urn:oasis:names:tc:SAML:2.0:nameid-format:transient`) -| `nameid.allow_create` | no | The value of the `AllowCreate` attribute of the `NameIdPolicy` - element in an authentication request. - Defaults to `false` -| `nameid.sp_qualifier` | no | The value of the `SPNameQualifier` attribute of the `NameIdPolicy` - element in an authentication request. - The default is to not include the `SPNameQualifier` attribute. -| `force_authn` | no | Whether to set the `ForceAuthn` attribute when requesting that the - IdP authenticate the current user. If this is set to `true`, the - IdP will be required to freshly establish the user's identity, - irrespective of any exiting sessions they may have. - Defaults to `false`. -| `populate_user_metadata` | no | Whether to populate the {es} user's metadata with the values that - are provided by the SAML attributes. Defaults to `true`. -| `allowed_clock_skew` | no | The maximum amount of skew that can be tolerated between the - IdP's clock and the {es} node's clock. Defaults to 3 minutes. -|======================= +See {ref}/security-settings.html#ref-saml-settings[SAML Realm Settings]. + ===== SAML Realm Signing Settings -If a signing key is configured (i.e. is one of `signing.key` or `signing.keystore.path` has been set), then -{security} will sign outgoing SAML messages. Signing can be configured using the following settings. +See {ref}/security-settings.html#ref-saml-signing-settings[SAML Realm Signing Settings]. 
-|======================= -| Setting | Required | Description -| `signing.saml_messages` | no | A list of SAML message types that should be signed, or `*` to - sign all messages. Each element in the list should be the - local name of a SAML XML Element. Supported element types are - `AuthnRequest`, `LogoutRequest` and `LogoutResponse`. - Defaults to `*`. -| `signing.key` | no | Specifies the path to the PEM encoded private key to use for - SAML message signing. - `signing.key` and `signing.keystore.path` may not be used at - the same time. -| `signing.secure_key_passphrase` | no | ({ref}/secure-settings.html[Secure]) - Specifies the passphrase to decrypt the PEM encoded private key if - it is encrypted. -| `signing.certificate` | no | Specifies the path to the PEM encoded certificate (or certificate - chain) that corresponds to the `signing.key`. This certificate - must also be included in the Service Provider metadata, or - manually configured within the IdP to allow for signature - validation. - May only be used if `signing.key` is set. -| `signing.keystore.path` | no | The path to the keystore that contains a private key and - certificate. - Must be either a Java Keystore (jks) or a PKCS#12 file. - `signing.key` and `signing.keystore.path` may not be used at the - same time. -| `signing.keystore.type` | no | The type of the keystore. Must be one of "jks" or "PKCS12". - Defaults to "PKCS12" if the keystore path ends in ".p12", ".pfx" or - "pkcs12", otherwise uses "jks" -| `signing.keystore.alias` | no | Specifies the alias of the key within the keystore that should be - used for SAML message signing. Must be specified if the keystore - contains more than one private key. -| `signing.keystore.secure_password` | no | ({ref}/secure-settings.html[Secure]) The password to the keystore. -| `signing.keystore.secure_key_password` | no | ({ref}/secure-settings.html[Secure]) - The password for the key in the keystore. - Defaults to the keystore password. 
-|======================= ===== SAML Realm Encryption Settings -If an encryption key is configured (i.e. is one of `encryption.key` or -`encryption.keystore.path` has been set), then {security} will publish -an encryption certificate when generating metadata, and will attempt to -decrypt incoming SAML content. -Encryption can be configured using the following settings. - -|======================= -| Setting | Required | Description -| `encryption.key` | no | Specifies the path to the PEM encoded private key to use for - SAML message descryption. - `encryption.key` and `encryption.keystore.path` may not be used at - the same time. -| `encryption.secure_key_passphrase` | no | ({ref}/secure-settings.html[Secure]) - Specifies the passphrase to decrypt the PEM encoded private key if - it is encrypted. -| `encryption.certificate` | no | Specifies the path to the PEM encoded certificate (or certificate - chain) that is associated with the `encryption.key`. This - certificate must also be included in the Service Provider metadata, - or manually configured within the IdP to enable message encryption. - May only be used if `encryption.key` is set. -| `encryption.keystore.path` | no | The path to the keystore that contains a private key and - certificate. - Must be either a Java Keystore (jks) or a PKCS#12 file. - `encryption.key` and `encryption.keystore.path` may not be used at - the same time. -| `encryption.keystore.type` | no | The type of the keystore. Must be one of "jks" or "PKCS12". - Defaults to "PKCS12" if the keystore path ends in ".p12", ".pfx" or - "pkcs12", otherwise uses "jks" -| `encryption.keystore.alias` | no | Specifies the alias of the key within the keystore that should be - used for SAML message decryption. If not specified, all compatible - key pairs from the keystore will be considered as candidate keys - for decryption. -| `encryption.keystore.secure_password` | no | ({ref}/secure-settings.html[Secure]) The password to the keystore. 
-| `encryption.keystore.secure_key_password` | no | ({ref}/secure-settings.html[Secure]) - The password for the key in the keystore. Only a single password is - supported. If you are using multiple decryption keys, then they - cannot have individual passwords. -|======================= +See {ref}/security-settings.html#ref-saml-encryption-settings[SAML Realm Encryption Settings]. ===== SAML Realm SSL Settings -If you are loading the IdP metadata over SSL/TLS (that is, `idp.metadata.path` is a URL using the `https` protocol) -Then the following settings may be used to configure SSL. If these are not specified, then the {xpack} -{ref}/security-settings.html#ssl-tls-settings[default SSL settings] are used. - -These settings are not used for any purpose other than loading metadata over https. - -|======================= -| Setting | Required | Description -| `ssl.key` | no | Specifies the path to the PEM encoded private key to use for http - client authentication. - `ssl.key` and `ssl.keystore.path` may not be used at the same time. -| `ssl.key_passphrase` | no | Specifies the passphrase to decrypt the PEM encoded private key if - it is encrypted. May not be used with `ssl.secure_key_passphrase` -| `ssl.secure_key_passphrase` | no | ({ref}/secure-settings.html[Secure]) - Specifies the passphrase to decrypt the PEM encoded private key if - it is encrypted. May not be used with `ssl.key_passphrase` -| `ssl.certificate` | no | Specifies the path to the PEM encoded certificate (or certificate - chain) that goes with the key. May only be used if `ssl.key` is set. -| `ssl.certificate_authorities` | no | Specifies the paths to the PEM encoded certificate authority - certificates that should be trusted. - `ssl.certificate_authorities` and `ssl.truststore.path` may not be - used at the same time. -| `ssl.keystore.path` | no | The path to the keystore that contains a private key and - certificate. - Must be either a Java Keystore (jks) or a PKCS#12 file. 
- `ssl.key` and `ssl.keystore.path` may not be used at the same time. -| `ssl.keystore.type` | no | The type of the keystore. Must be one of "jks" or "PKCS12". - Defaults to "PKCS12" if the keystore path ends in ".p12", ".pfx" or - "pkcs12", otherwise uses "jks" -| `ssl.keystore.password` | no | The password to the keystore. - May not be used with `ssl.keystore.secure_password`. -| `ssl.keystore.secure_password` | no | ({ref}/secure-settings.html[Secure]) The password to the keystore. - May not be used with `ssl.keystore.password`. -| `ssl.keystore.key_password` | no | The password for the key in the keystore. - Defaults to the keystore password. - May not be used with `ssl.keystore.secure_key_password`. -| `ssl.keystore.secure_key_password` | no | ({ref}/secure-settings.html[Secure]) - The password for the key in the keystore. - Defaults to the keystore password. - May not be used with `ssl.keystore.key_password`. -| `ssl.truststore.path` | no | The path to the keystore that contains the certificates to trust. - Must be either a Java Keystore (jks) or a PKCS#12 file. - `ssl.certificate_authorities` and `ssl.truststore.path` may not be - used at the same time. -| `ssl.truststore.type` | no | The type of the truststore. Must be one of "jks" or "PKCS12". - Defaults to "PKCS12" if the keystore path ends in ".p12", ".pfx" or - "pkcs12", otherwise uses "jks" -| `ssl.truststore.password` | no | The password to the truststore. - May not be used with `ssl.truststore.secure_password`. -| `ssl.truststore.secure_password` | no | ({ref}/secure-settings.html[Secure]) The password to the truststore. - May not be used with `ssl.truststore.password`. -| `ssl.verification_mode` | no | One of `full` (verify the hostname and the certicate path), - `certificate` (verify the certificate path, but not the hostname) - or `none` (perform no verification). Defaults to `full`. 
-+ - See {ref}/security-settings.html#ssl-tls-settings[`xpack.ssl.verification_mode`] - for a more detailed explanation of these values. -| `ssl.supported_protocols` | no | Specifies the supported protocols for TLS/SSL. -| `ssl.cipher_suites` | no | Specifies the cipher suites that should be supported. -|======================= +See {ref}/security-settings.html#ref-saml-ssl-settings[SAML Realm SSL Settings]. diff --git a/x-pack/docs/en/settings/security-settings.asciidoc b/x-pack/docs/en/settings/security-settings.asciidoc index ba281b5ccb4..963d5a5f002 100644 --- a/x-pack/docs/en/settings/security-settings.asciidoc +++ b/x-pack/docs/en/settings/security-settings.asciidoc @@ -689,6 +689,10 @@ LDAP operation (such as `search`). Defaults to `true`. [float] ===== PKI realm settings +The `type` setting must be set to `pki`. In addition to the +<>, you can specify +the following settings: + `username_pattern`:: The regular expression pattern used to extract the username from the certificate DN. The first match group is the used as the username. @@ -735,8 +739,16 @@ Defaults to `100000`. [[ref-saml-settings]] [float] ===== SAML realm settings + +The `type` setting must be set to `saml`. In addition to the +<>, you can specify +the following settings: + `idp.entity_id`:: -The Entity ID of the SAML Identity Provider +The Entity ID of the SAML Identity Provider. An Entity ID is a URI with a +maximum length of 1024 characters. It can be a URL (https://idp.example.com/) or +a URN (`urn:example.com:idp`) and can be found in the configuration or the SAML +metadata of the Identity Provider. `idp.metadata.path`:: The path _(recommended)_ or URL to a SAML 2.0 metadata file describing the 
@@ -744,7 +756,7 @@ capabilities and configuration of the Identity Provider. If a path is provided, then it is resolved relative to the {es} config directory. If a URL is provided, then it must be either a `file` URL or a `https` URL. -{security} will automatically poll this metadata resource and will reload +{security} automatically polls this metadata resource and reloads the IdP configuration when changes are detected. File based resources are polled at a frequency determined by the global {es} `resource.reload.interval.high` setting, which defaults to 5 seconds. 
@@ -761,39 +773,47 @@ Indicates whether to utilise the Identity Provider's Single Logout service Defaults to `true`. `sp.entity_id`:: -The Entity ID to use for this SAML Service Provider, entered as a URI. +The Entity ID to use for this SAML Service Provider. This should be entered as a +URI. We recommend that you use the base URL of your Kibana instance. For example, +`https://kibana.example.com/`. `sp.acs`:: -The URL of the Assertion Consumer Service within {kib}. +The URL of the Assertion Consumer Service within {kib}. Typically this is the +"api/security/v1/saml" endpoint of your Kibana server. For example, +`https://kibana.example.com/api/security/v1/saml`. `sp.logout`:: -The URL of the Single Logout service within {kib}. +The URL of the Single Logout service within {kib}. Typically this is the +"logout" endpoint of your Kibana server. For example, +`https://kibana.example.com/logout`. `attributes.principal`:: The Name of the SAML attribute that should be used as the {security} user's -principal (username) +principal (username). `attributes.groups`:: The Name of the SAML attribute that should be used to populate {security} -user's groups +user's groups. `attributes.name`:: The Name of the SAML attribute that should be used to populate {security} -user's full name +user's full name. `attributes.mail`:: The Name of the SAML attribute that should be used to populate {security} -user's email address +user's email address. `attributes.dn`:: The Name of the SAML attribute that should be used to populate {security} -user's X.500 _Distinguished Name_ +user's X.500 _Distinguished Name_. `attribute_patterns.principal`:: -A java regular expression that is matched against the SAML attribute specified +A Java regular expression that is matched against the SAML attribute specified by `attributes.pattern` before it is applied to the user's _principal_ property. 
-The attribute value must match the pattern, and the value of the first -_capturing group_ is used as the principal. +The attribute value must match the pattern and the value of the first +_capturing group_ is used as the principal. For example, `^([^@]+)@example\\.com$` +matches email addresses from the "example.com" domain and uses the local-part as +the principal. `attribute_patterns.groups`:: As per `attribute_patterns.principal`, but for the _group_ property. 
@@ -809,26 +829,41 @@ As per `attribute_patterns.principal`, but for the _dn_ property. `nameid_format`:: The NameID format that should be requested when asking the IdP to authenticate -the current user. -Defaults to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` +the current user. Defaults to requesting _transient_ names +(`urn:oasis:names:tc:SAML:2.0:nameid-format:transient`). + +`nameid.allow_create`:: The value of the `AllowCreate` attribute of the +`NameIdPolicy` element in an authentication request. Defaults to `false`. + +`nameid.sp_qualifier`:: The value of the `SPNameQualifier` attribute of the +`NameIdPolicy` element in an authentication request. The default is to not +include the `SPNameQualifier` attribute. `force_authn`:: -Whether to set the `ForceAuthn` attribute when requesting that the IdP -authenticate the current user. +Specifies whether to set the `ForceAuthn` attribute when requesting that the IdP +authenticate the current user. If set to `true`, the IdP is required to verify +the user’s identity, irrespective of any existing sessions they might have. Defaults to `false`. `populate_user_metadata`:: -Whether to populate the {es} user's metadata with the values that are provided -by the SAML attributes. -Defaults to `true`. +Specifies whether to populate the {es} user's metadata with the values that are +provided by the SAML attributes. Defaults to `true`. `allowed_clock_skew`:: The maximum amount of skew that can be tolerated between the IdP's clock and the {es} node's clock. Defaults to `3m` (3 minutes). +[float] +[[ref-saml-signing-settings]] +===== SAML realm signing settings + +If a signing key is configured (that is, either `signing.key` or +`signing.keystore.path` is set), then {security} signs outgoing SAML messages. +Signing can be configured using the following settings: + `signing.saml_messages`:: -A list of SAML message types that should be signed, or `*` to sign all messages. 
+A list of SAML message types that should be signed or `*` to sign all messages. Each element in the list should be the local name of a SAML XML Element. Supported element types are `AuthnRequest`, `LogoutRequest` and `LogoutResponse`. Only valid if `signing.key` or `signing.keystore.path` is also specified. 
@@ -836,152 +871,177 @@ Defaults to `*`. `signing.key`:: Specifies the path to the PEM encoded private key to use for SAML message signing. -`signing.key` and `signing.keystore.path` may not be used at the same time. +`signing.key` and `signing.keystore.path` cannot be used at the same time. `signing.secure_key_passphrase` (<>):: Specifies the passphrase to decrypt the PEM encoded private key (`signing.key`) if it is encrypted. `signing.certificate`:: -Specifies the path to the PEM encoded certificate that corresponds to the -`signing.key`. May only be used if `signing.key` is set. +Specifies the path to the PEM encoded certificate (or certificate chain) that +corresponds to the `signing.key`. This certificate must also be included in the +Service Provider metadata or manually configured within the IdP to allow for +signature validation. This setting can only be used if `signing.key` is set. `signing.keystore.path`:: The path to the keystore that contains a private key and certificate. Must be either a Java Keystore (jks) or a PKCS#12 file. -`signing.key` and `signing.keystore.path` may not be used at the same time. +`signing.key` and `signing.keystore.path` cannot be used at the same time. `signing.keystore.type`:: -The type of the keystore (`signing.keystore.path`). -Must be one of "jks" or "PKCS12". Defaults to "PKCS12" if the keystore path -ends in ".p12", ".pfx" or "pkcs12", otherwise uses "jks". +The type of the keystore in `signing.keystore.path`. +Must be either `jks` or `PKCS12`. If the keystore path ends in ".p12", ".pfx", +or "pkcs12", this setting defaults to `PKCS12`. Otherwise, it defaults to `jks`. `signing.keystore.alias`:: Specifies the alias of the key within the keystore that should be -used for SAML message signing. Must be specified if the keystore -contains more than one private key. +used for SAML message signing. If the keystore contains more than one private +key, this setting must be specified. 
`signing.keystore.secure_password` (<>):: -The password to the keystore (`signing.keystore.path`). +The password to the keystore in `signing.keystore.path`. `signing.keystore.secure_key_password` (<>):: The password for the key in the keystore (`signing.keystore.path`). Defaults to the keystore password. +[float] +[[ref-saml-encryption-settings]] +===== SAML realm encryption settings + +If an encryption key is configured (that is, either `encryption.key` or +`encryption.keystore.path` is set), then {security} publishes an encryption +certificate when generating metadata and attempts to decrypt incoming SAML +content. Encryption can be configured using the following settings: + `encryption.key`:: Specifies the path to the PEM encoded private key to use for SAML message decryption. -`encryption.key` and `encryption.keystore.path` may not be used at the same time. +`encryption.key` and `encryption.keystore.path` cannot be used at the same time. `encryption.secure_key_passphrase` (<>):: Specifies the passphrase to decrypt the PEM encoded private key (`encryption.key`) if it is encrypted. `encryption.certificate`:: -Specifies the path to the PEM encoded certificate chain that is associated with -the `encryption.key`. May only be used if `encryption.key` is set. +Specifies the path to the PEM encoded certificate (or certificate chain) that is +associated with the `encryption.key`. This certificate must also be included in +the Service Provider metadata or manually configured within the IdP to enable +message encryption. This setting can be used only if `encryption.key` is set. `encryption.keystore.path`:: The path to the keystore that contains a private key and certificate. Must be either a Java Keystore (jks) or a PKCS#12 file. -`encryption.key` and `encryption.keystore.path` may not be used at the same time. +`encryption.key` and `encryption.keystore.path` cannot be used at the same time. 
`encryption.keystore.type`:: The type of the keystore (`encryption.keystore.path`). -Must be one of "jks" or "PKCS12". Defaults to "PKCS12" if the keystore path -ends in ".p12", ".pfx" or "pkcs12", otherwise uses "jks". +Must be either `jks` or `PKCS12`. If the keystore path ends in ".p12", ".pfx", +or "pkcs12", this setting defaults to `PKCS12`. Otherwise, it defaults to `jks`. `encryption.keystore.alias`:: Specifies the alias of the key within the keystore (`encryption.keystore.path`) that should be used for SAML message decryption. If not specified, all compatible -key pairs from the keystore will be considered as candidate keys for decryption. +key pairs from the keystore are considered as candidate keys for decryption. `encryption.keystore.secure_password` (<>):: The password to the keystore (`encryption.keystore.path`). `encryption.keystore.secure_key_password` (<>):: The password for the key in the keystore (`encryption.keystore.path`). Only a -single password is supported. If you are using multiple decryption keys, then +single password is supported. If you are using multiple decryption keys, they cannot have individual passwords. +[float] +[[ref-saml-ssl-settings]] +===== SAML realm SSL settings + +If you are loading the IdP metadata over SSL/TLS (that is, `idp.metadata.path` +is a URL using the `https` protocol), the following settings can be used to +configure SSL. If these are not specified, then the +<> are used. + +NOTE: These settings are not used for any purpose other than loading metadata +over https. + `ssl.key`:: -If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the -path to the PEM encoded private key to use for http client authentication (if -required). `ssl.key` and `ssl.keystore.path` may not be used at the same time. +Specifies the path to the PEM encoded private key to use for http client +authentication (if required). `ssl.key` and `ssl.keystore.path` cannot be used +at the same time. 
`ssl.key_passphrase`:: -If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the +Specifies the passphrase to decrypt the PEM encoded private key (`ssl.key`) if it is -encrypted. May not be used with `ssl.secure_key_passphrase` +encrypted. Cannot be used with `ssl.secure_key_passphrase`. `ssl.secure_key_passphrase` (<>):: -If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the +Specifies the passphrase to decrypt the PEM encoded private key (`ssl.key`) if it is -encrypted. May not be used with `ssl.key_passphrase` +encrypted. Cannot be used with `ssl.key_passphrase`. `ssl.certificate`:: -If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the +Specifies the path to the PEM encoded certificate (or certificate chain) that is associated -with the key (`ssl.key`). May only be used if `ssl.key` is set. +with the key (`ssl.key`). This setting can be used only if `ssl.key` is set. `ssl.certificate_authorities`:: -If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the +Specifies the paths to the PEM encoded certificate authority certificates that should be -trusted. `ssl.certificate_authorities` and `ssl.truststore.path` may not be +trusted. `ssl.certificate_authorities` and `ssl.truststore.path` cannot be used at the same time. `ssl.keystore.path`:: -If retrieving IDP metadata via https (see `idp.metadata.path`), the path to +Specifies the path to the keystore that contains a private key and certificate. Must be either a Java Keystore (jks) or a PKCS#12 file. -`ssl.key` and `ssl.keystore.path` may not be used at the same time. +`ssl.key` and `ssl.keystore.path` cannot be used at the same time. `ssl.keystore.type`:: -The type of the keystore (`ssl.keystore.path`). Must be one of "jks" or "PKCS12". -Defaults to "PKCS12" if the keystore path ends in ".p12", ".pfx" or "pkcs12", -otherwise uses "jks" +The type of the keystore (`ssl.keystore.path`). Must be either `jks` or `PKCS12`. 
+If the keystore path ends in ".p12", ".pfx" or "pkcs12", this setting defaults +to `PKCS12`. Otherwise, it defaults to `jks`. `ssl.keystore.password`:: -The password to the keystore (`ssl.keystore.path`). -May not be used with `ssl.keystore.secure_password`. +The password to the keystore (`ssl.keystore.path`). This setting cannot be used +with `ssl.keystore.secure_password`. `ssl.keystore.secure_password` (<>):: The password to the keystore (`ssl.keystore.path`). -May not be used with `ssl.keystore.password`. +This setting cannot be used with `ssl.keystore.password`. `ssl.keystore.key_password`:: The password for the key in the keystore (`ssl.keystore.path`). -Defaults to the keystore password. -May not be used with `ssl.keystore.secure_key_password`. +Defaults to the keystore password. This setting cannot be used with +`ssl.keystore.secure_key_password`. `ssl.keystore.secure_key_password` (<>):: The password for the key in the keystore (`ssl.keystore.path`). -Defaults to the keystore password. -May not be used with `ssl.keystore.key_password`. +Defaults to the keystore password. This setting cannot be used with +`ssl.keystore.key_password`. `ssl.truststore.path`:: -If retrieving IDP metadata via https (see `idp.metadata.path`), the path to the +The path to the keystore that contains the certificates to trust. Must be either a Java Keystore (jks) or a PKCS#12 file. -`ssl.certificate_authorities` and `ssl.truststore.path` may not be used at the +`ssl.certificate_authorities` and `ssl.truststore.path` cannot be used at the same time. `ssl.truststore.type`:: -The type of the truststore (`ssl.truststore.path`). Must be one of "jks" or "PKCS12". -Defaults to "PKCS12" if the keystore path ends in ".p12", ".pfx" or "pkcs12", -otherwise uses "jks" +The type of the truststore (`ssl.truststore.path`). Must be either `jks` or +`PKCS12`. If the keystore path ends in ".p12", ".pfx" or "pkcs12", this setting +defaults to `PKCS12`. Otherwise, it defaults to `jks`. 
`ssl.truststore.password`:: -The password to the truststore (`ssl.truststore.path`). -May not be used with `ssl.truststore.secure_password`. +The password to the truststore (`ssl.truststore.path`). This setting cannot be +used with `ssl.truststore.secure_password`. `ssl.truststore.secure_password` (<>):: -The password to the truststore (`ssl.truststore.path`). -May not be used with `ssl.truststore.password`. +The password to the truststore (`ssl.truststore.path`). This setting cannot be +used with `ssl.truststore.password`. `ssl.verification_mode`:: -If retrieving IDP metadata via https (see `idp.metadata.path`), one of `full` -(verify the hostname and the certicate path), `certificate` (verify the +One of `full` +(verify the hostname and the certificate path), `certificate` (verify the certificate path, but not the hostname) or `none` (perform no verification). Defaults to `full`. + @@ -989,11 +1049,10 @@ See <> for a more detailed explanation of these values. `ssl.supported_protocols`:: -If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the -supported protocols for TLS/SSL. +Specifies the supported protocols for TLS/SSL. `ssl.cipher_suites`:: -If retrieving IDP metadata via https (see `idp.metadata.path`), specifies the +Specifies the cipher suites that should be supported. [float]
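Review bot: In the saml-realm.asciidoc hunk, the removed table was the only place the authentication guide documented `type`, `order` and `enabled` for SAML realms, plus `idp.metadata.http.refresh` (default 1 hour); after this change that page carries only the xref to `ref-saml-settings`, so please confirm the target section actually lists all four (only `type` and the "In addition to the <>" pointer are visible in this diff) so readers of the guide do not lose them.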
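Review bot: In the PKI realm hunk (`@@ -689`), the cross-reference after "In addition to the" renders as an empty `<>` in the patch as shown; check that the `<<...>>` target resolves to the common realm settings anchor. The same empty xref appears in the new SAML realm intro and in the SSL settings intro ("the <> are used"), so verify all three build without a dangling reference.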
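Review bot: In the `@@ -735` hunk the URL example for `idp.entity_id` is written bare as `(https://idp.example.com/)` while the URN example is in backticks; AsciiDoc auto-links bare URLs, so the rendered page will link out to that host. Wrap it in backticks, as the removed table did and as the `sp.*` examples in this patch do.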
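Review bot: In the `@@ -761` hunk, the unchanged line under `attribute_patterns.principal` still says the pattern is matched against "the SAML attribute specified by `attributes.pattern`"; no such setting is defined in this section (the attribute settings are `attributes.principal`, `.groups`, `.name`, `.mail`, `.dn`), so while this block is being rewritten change it to `attributes.principal`. Also, the new `sp.entity_id` and `sp.acs` text uses the literal "Kibana" ("your Kibana instance", "your Kibana server") where the surrounding lines use the `{kib}` attribute; use `{kib}` throughout.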
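Review bot: In the `@@ -809` hunk, the `force_authn` rewrite changes "freshly establish the user's identity" to "verify the user's identity", which loses the point of `ForceAuthn`: the IdP must re-authenticate the user rather than reuse an existing session. Suggest "the IdP is required to freshly authenticate the user, irrespective of any existing sessions" (and replace the curly apostrophe in "user’s" with a straight one, matching the rest of the file). The new `nameid.allow_create` and `nameid.sp_qualifier` entries also put the definition on the same line as the `::` term, unlike every other entry in this list; move the text to the following line for consistency.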
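Review bot: In the `@@ -836` hunk, `ssl.truststore.type` says "If the keystore path ends in ..." but this setting describes `ssl.truststore.path`; change "keystore" to "truststore" there. The three `*.keystore.type` entries are also phrased differently after this change ("The type of the keystore in `signing.keystore.path`" versus "The type of the keystore (`encryption.keystore.path`)"); pick one form. For `ssl.verification_mode`, since the metadata fetched over this connection is what the realm reloads its IdP configuration from, the description of `none` ("perform no verification") deserves a one-line caution that it removes the protection of the https fetch and is not suitable for production. Finally, "One of `full`" is left alone on its line after the reflow; join it with the next line.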