Configuring identity.xml (V2)
Users can change the default configurations by editing the <PRODUCT_HOME>/repository/conf/identity/identity.xml
file using the information given below.
XML Elements
XML element | Attribute | Description | Data type | Default value | Mandatory/Optional | Sample |
<JDBCPersistenceManager> | Identity related data source configuration. | |||||
__<DataSource> | ||||||
____<Name> | Include a data source name (jndiConfigName) from the set of data sources defined in master-datasources.xml. | String | N/A | Mandatory | <Name>jdbc/WSO2CarbonDB</Name> | |
<SkipDBSchemaCreation> | If the identity database is created elsewhere and schema initialization must be skipped during server startup, set this property to "true". | Boolean | FALSE | Optional | <SkipDBSchemaCreation>false</SkipDBSchemaCreation> | |
<SessionDataPersist> | ||||||
<Enable> | Boolean | TRUE | Optional | <Enable>true</Enable> | ||
<Temporary> | Boolean | FALSE | Optional | <Temporary>false</Temporary> | ||
<SessionDataCleanUp> | ||||||
<Enable> | Boolean | TRUE | Optional | <Enable>true</Enable> | ||
<CleanUpTimeout> | <CleanUpTimeout>20160</CleanUpTimeout> | |||||
<CleanUpPeriod> | <CleanUpPeriod>1140</CleanUpPeriod> | |||||
<OperationDataCleanUp> | ||||||
<Enable> | Boolean | TRUE | Optional | <Enable>true</Enable> | ||
<CleanUpPeriod> | <CleanUpPeriod>720</CleanUpPeriod> | |||||
<TimeConfig> | Time configurations are in minutes | |||||
<SessionIdleTimeout> | <SessionIdleTimeout>15</SessionIdleTimeout> | |||||
<RememberMeTimeout> | <RememberMeTimeout>20160</RememberMeTimeout> | |||||
<Security> | ||||||
<KeyStoreDir> | The directory under which all other KeyStore files will be stored | <KeyStoresDir>${carbon.home}/conf/keystores</KeyStoresDir> | ||||
<Identity> | ||||||
<IssuerPolicy> | <IssuerPolicy>SelfAndManaged</IssuerPolicy> | |||||
<TokenValidationPolicy> | <TokenValidationPolicy>CertValidate</TokenValidationPolicy> | |||||
<BlackList> | ||||||
<WhiteList> | ||||||
<System> | ||||||
<KeyStore> | ||||||
<StorePass> | ||||||
_<OpenID> | OpenID related configurations. | |||||
__<OpenIDServerUrl> | The URL at which the OpenID server (servlet) runs. | String | N/A | Mandatory | <OpenIDServerUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/openidserver</OpenIDServerUrl> | |
__<OpenIDUserPattern> | URL pattern that is configured for the user's OpenID. | String | N/A | Mandatory | <OpenIDUserPattern>${carbon.protocol}://${carbon.host}:${carbon.management.port}/openid</OpenIDUserPattern> | |
<OpenIDLoginUrl> | String | N/A | <OpenIDLoginUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/openid_login.do</OpenIDLoginUrl> | |||
__<OpenIDSkipUserConsent> | Set to false if the users must be prompted for approval. | Boolean | FALSE | Optional | <OpenIDSkipUserConsent>false</OpenIDSkipUserConsent> | |
__<OpenIDRememberMeExpiry> | Expiry time of the OpenID RememberMe token in minutes. | Int | 0 Minutes | Optional | <OpenIDRememberMeExpiry>7200</OpenIDRememberMeExpiry> | |
<DisableOpenIDDumbMode> | Enables or disables OpenID Dumb Mode. | Boolean | FALSE | Optional | <DisableOpenIDDumbMode>false</DisableOpenIDDumbMode> | |
<OpenIDPrivateAssociationStoreClass> | Specify the fully qualified class name of the class that is used as the private association store. | <OpenIDPrivateAssociationStoreClass>org.wso2.carbon.identity.provider.openid.PrivateAssociationCryptoStore</OpenIDPrivateAssociationStoreClass> | ||||
<OpenIDAssociationExpiryTime> | The expiration time (in minutes) for the OpenID association | <OpenIDAssociationExpiryTime>15</OpenIDAssociationExpiryTime> | ||||
<OpenIDPrivateAssociationServerKey> | Server secret used for private associations. This value must be the same on all nodes in the cluster; replace the sample value with a deployment-specific secret. | <OpenIDPrivateAssociationServerKey>qewlj324lmasc</OpenIDPrivateAssociationServerKey> | ||||
<EnableOpenIDAssociationCleanupTask> | Enables the private association cleanup task, which removes expired private associations. | Boolean | TRUE | <EnableOpenIDAssociationCleanupTask>true</EnableOpenIDAssociationCleanupTask> | ||
<OpenIDAssociationCleanupPeriod> | Interval (in minutes) at which the cleanup task runs. | Int | <OpenIDAssociationCleanupPeriod>15</OpenIDAssociationCleanupPeriod> | |||
_<OAuth> | OAuth related configurations. | |||||
<AppInfoCacheTimeout> | <AppInfoCacheTimeout>-1</AppInfoCacheTimeout> | |||||
<AuthorizationGrantCacheTimeout> | <AuthorizationGrantCacheTimeout>-1</AuthorizationGrantCacheTimeout> | |||||
<SessionDataCacheTimeout> | <SessionDataCacheTimeout>-1</SessionDataCacheTimeout> | |||||
<ClaimCacheTimeout> | ||||||
<OAuth1RequestTokenUrl> | <OAuth1RequestTokenUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth/request-token</OAuth1RequestTokenUrl> | |||||
<OAuth1AuthorizeUrl> | <OAuth1AuthorizeUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth/authorize-url</OAuth1AuthorizeUrl> | |||||
<OAuth1AccessTokenUrl> | <OAuth1AccessTokenUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth/access-token</OAuth1AccessTokenUrl> | |||||
<OAuth2AuthzEPUrl> | <OAuth2AuthzEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/authorize</OAuth2AuthzEPUrl> | |||||
<OAuth2TokenEPUrl> | <OAuth2TokenEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token</OAuth2TokenEPUrl> | |||||
<OAuth2UserInfoEPUrl> | <OAuth2UserInfoEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/userinfo</OAuth2UserInfoEPUrl> | |||||
<OIDCConsentPage> | <OIDCConsentPage>${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/oauth2_consent.do</OIDCConsentPage> | |||||
<OAuth2ConsentPage> | <OAuth2ConsentPage>${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/oauth2_authz.do</OAuth2ConsentPage> | |||||
<OAuth2ErrorPage> | <OAuth2ErrorPage>${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/oauth2_error.do</OAuth2ErrorPage> | |||||
_ <AuthorizationCodeDefaultValidityPeriod> | Default validity period for Authorization Code in seconds. | Int | 300 Seconds | Optional | <AuthorizationCodeDefaultValidityPeriod>300</AuthorizationCodeDefaultValidityPeriod> | |
_ <AccessTokenDefaultValidityPeriod> | Default validity period for Access Token in seconds. | Int | 3600 Seconds | Optional | <AccessTokenDefaultValidityPeriod>3600</AccessTokenDefaultValidityPeriod> | |
<UserAccessTokenDefaultValidityPeriod> | Default validity period for user access tokens in seconds | Int | 3600 Seconds | <UserAccessTokenDefaultValidityPeriod>3600</UserAccessTokenDefaultValidityPeriod> | ||
<RefreshTokenValidityPeriod> | Validity period for the refresh token. | Int | <RefreshTokenValidityPeriod>84600</RefreshTokenValidityPeriod> | |||
__<TimestampSkew> | Timestamp skew in seconds. | Int | 300 Seconds | Optional | <TimestampSkew>300</TimestampSkew> | |
__<EnableOAuthCache> | Enable OAuth caching. This cache has the replication support. | Boolean | TRUE | Optional | <EnableOAuthCache>true</EnableOAuthCache> | |
<RenewRefreshTokenForRefreshGrant> | Enables renewal of the refresh token for the refresh_token grant. | Boolean | TRUE | |||
__<TokenPersistencePreprocessor> | Configures the security measures applied to the token before it is stored in the database, such as hashing or encryption. The default plain-text preprocessor applies no such transformation. | String | org.wso2.carbon.identity.oauth.preprocessor.PlainTokenPersistencePreprocessor | Optional | <TokenPersistencePreprocessor>org.wso2.carbon.identity.oauth.preprocessor.PlainTextTokenPersistencePreprocessor</TokenPersistencePreprocessor> | |
<ClientAuthHandlers> | Supported OAuth2.0 client authentication methods | |||||
__<SupportedResponseTypes> | Supported OAuth2.0 response types. | Comma-separated string values | token, code | Optional | <SupportedResponseTypes>token,code</SupportedResponseTypes> | |
__<SupportedGrantTypes> | Supported OAuth2.0 grant types. | Comma-separated string values | authorization_code,password,refresh_token,client_credentials,urn:ietf:params:oauth:grant-type:saml2-bearer | Optional | <SupportedGrantTypes>authorization_code,password,refresh_token,client_credentials,urn:ietf:params:oauth:grant-type:saml2-bearer</SupportedGrantTypes> | |
__<OAuthCallbackHandlers> | ||||||
____<OAuthCallbackHandler> | OAuth callback handler module class name. | String | N/A | Mandatory | <OAuthCallbackHandler class="org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler"/> | |
__<EnableAssertions> | Assertions can be used to embed parameters into the access token. | |||||
______<UserName> | This enables you to add the user name as an additional parameter if you require it. | Boolean | FALSE | Optional | <UserName>false</UserName> | |
__<EnableAccessTokenPartitioning> | Set to true when multiple user stores are used and keys must be saved in different tables according to the user store. By default, all application keys are saved in the same table. The UserName assertion must be 'true' to use this. | Boolean | FALSE | Optional | <EnableAccessTokenPartitioning>false</EnableAccessTokenPartitioning> | |
__<AccessTokenPartitioningDomains> | Maps user store domain names to the new table names. E.g., if you provide 'A:foo.com', foo.com is the user store domain name and 'A' is the relevant mapping of the token store table, i.e., tokens are added to a table called IDN_OAUTH2_ACCESS_TOKEN_A. | Comma-separated string values | N/A | Optional | ||
__<AuthorizationContextTokenGeneration> | ||||||
_____<Enabled> | Specifies whether token generation is enabled. | Boolean | FALSE | Optional | <Enabled>false</Enabled> | |
_____<TokenGeneratorImplClass> | Token generation class name. | String | org.wso2.carbon.identity.oauth2.token.JWTTokenGenerator | Optional | <TokenGeneratorImplClass>org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator</TokenGeneratorImplClass> | |
_____<ClaimsRetrieverImplClass> | Claim retrieving class name for generating a token. | org.wso2.carbon.identity.oauth2.token.DefaultClaimsRetriever | Optional | <ClaimsRetrieverImplClass>org.wso2.carbon.identity.oauth2.authcontext.DefaultClaimsRetriever</ClaimsRetrieverImplClass><AuthorizationContextTTL>15</AuthorizationContextTTL> | ||
_____<ConsumerDialectURI> | Claim Dialect URI that is used for claim retrieving. | http://wso2.org/claims | Optional | <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI> | ||
_____<SignatureAlgorithm> | Signature algorithm used to sign the token. | SHA256withRSA | Optional | <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm> | ||
_____<AuthorizationContextTTL> | Token time to live value. | Long | 15 Minutes | Optional | <AuthorizationContextTTL>15</AuthorizationContextTTL> | |
__<SAML2Grant> | Configuration related to SAML2 Grant type. | |||||
__<OpenIDConnect> | ||||||
_____<IDTokenBuilder> | IDToken generator implementation class name. | String | org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder | Optional | <IDTokenBuilder>org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder> | |
_____<IDTokenIssuerID> | The TokenIssuerID value of the IDToken. This must be unique and should be changed to match the deployment. | String | OIDCAuthzServer | Optional | <IDTokenIssuerID>https://localhost:9443/oauth2endpoints/token</IDTokenIssuerID> | |
_____<IDTokenSubjectClaim> | This is the claim used as the subject of the IDToken. You can use different claims such as http://wso2.org/claims/emailaddress. | String | http://wso2.org/claims/fullname | Optional | <IDTokenSubjectClaim>http://wso2.org/claims/givenname</IDTokenSubjectClaim> | |
_____<IDTokenCustomClaimsCallBackHandler> | Claim callback implementation class name. This is used to return custom claims with the IDToken. | String | org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback | Optional | <IDTokenCustomClaimsCallBackHandler>org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback</IDTokenCustomClaimsCallBackHandler> | |
_____<IDTokenExpiration> | The expiration value of the IDToken in seconds. | Int | 300 Seconds | Optional | <IDTokenExpiration>3600</IDTokenExpiration> | |
_____<UserInfoEndpointClaimDialect> | Defines which claim dialect should be returned from the User Endpoint. | String | http://wso2.org/claims/fullname | Optional | <UserInfoEndpointClaimDialect>http://wso2.org/claims</UserInfoEndpointClaimDialect> | |
_____<UserInfoEndpointClaimRetriever> | Implementation name of the class that builds the claims for the user info endpoint's response. | String | org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever | Optional | <UserInfoEndpointClaimRetriever>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever</UserInfoEndpointClaimRetriever> | |
_____<UserInfoEndpointRequestValidator> | Implementation name of the class that validates the user info request against the specification. | String | org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInforRequestDefaultValidator | Optional | <UserInfoEndpointRequestValidator>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInforRequestDefaultValidator</UserInfoEndpointRequestValidator> | |
_____<UserInfoEndpointAccessTokenValidator> | Implementation name of the class that validates the access token. | String | org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator | Optional | <UserInfoEndpointAccessTokenValidator>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator</UserInfoEndpointAccessTokenValidator> | |
_____<UserInfoEndpointResponseBuilder> | Implementation name of the class that builds the user info response. | String | org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJSONResponseBuilder | Optional | <UserInfoEndpointResponseBuilder>org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJSONResponseBuilder</UserInfoEndpointResponseBuilder> | |
_____<SkipUserConsent> | Set to false if the users must be prompted for approval. | Boolean | FALSE | Optional | <SkipUserConsent>false</SkipUserConsent> | |
__<MultifactorAuthentication> | ||||||
___<XMPPSettings> | XMPP settings for multifactor authentication. | |||||
____<XMPPConfig> | ||||||
______<XMPPProvider> | XMPP provider name. | String | N/A | Mandatory | <XMPPProvider>gtalk</XMPPProvider> | |
______<XMPPServer> | XMPP server name. | String | N/A | Mandatory | <XMPPServer>talk.google.com</XMPPServer> | |
______<XMPPPort> | XMPP server's port. | Int | N/A | Mandatory | <XMPPPort>5222</XMPPPort> | |
______<XMPPExt> | XMPP domain. | String | N/A | Mandatory | <XMPPExt>gmail.com</XMPPExt> | |
______<XMPPUserName> | User name used to log in to the XMPP server. | String | N/A | Mandatory | <XMPPUserName>multifactor1@gmail.com</XMPPUserName> | |
______<XMPPPassword> | Password used to log in to the XMPP server. | String | N/A | Mandatory | <XMPPPassword>wso2carbon</XMPPPassword> | |
__<SSOService> | ||||||
<PersistanceCacheTimeout> | <PersistanceCacheTimeout>157680000</PersistanceCacheTimeout> | |||||
<SessionIndexCacheTimeout> | <SessionIndexCacheTimeout>157680000</SessionIndexCacheTimeout> | |||||
<EntityId> | <EntityId>${carbon.host}</EntityId> | |||||
___ _<IdentityProviderURL> | Unique identifier of the IdP. This is passed as the Issuer in the SAML2 response. | String | N/A | Mandatory | <IdentityProviderURL>https://localhost:9443/samlsso</IdentityProviderURL> | |
<DefaultLogoutEndpoint> | <DefaultLogoutEndpoint>${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/samlsso_logout.do</DefaultLogoutEndpoint> | |||||
<NotificationEndpoint> | <NotificationEndpoint>${carbon.protocol}://${carbon.host}:${carbon.management.port}/authenticationendpoint/samlsso_notification.do</NotificationEndpoint> | |||||
____ <SingleLogoutRetryCount> | Number of retries to attempt if a single logout request is not received from the SP. | Int | 5 | Optional | <SingleLogoutRetryCount>5</SingleLogoutRetryCount> | |
____ <SingleLogoutRetryInterval> | Interval between two retries. | Int | 60000 Milliseconds | Optional | <SingleLogoutRetryInterval>60000</SingleLogoutRetryInterval> | |
____ <TenantPartitioningEnabled> | Adds the tenant domain as a parameter to the ACS URL. | Boolean | FALSE | Optional | <TenantPartitioningEnabled>false</TenantPartitioningEnabled> | |
______<SessionTimeout> | Remember me session timeout in seconds. | Int | 36000 Seconds | Optional | <SessionTimeout>36000</SessionTimeout> | |
______<AttributesClaimDialect> | Claim Dialect URI that is used for claim retrieving. | String | http://wso2.org/claims | Optional | <AttributesClaimDialect>http://wso2.org/claims</AttributesClaimDialect> | |
<SAMLSSOAssertionBuilder> | <SAMLSSOAssertionBuilder>org.wso2.carbon.identity.sso.saml.builders.assertion.DefaultSAMLAssertionBuilder</SAMLSSOAssertionBuilder> | |||||
<SAMLSSOEncrypter> | <SAMLSSOEncrypter>org.wso2.carbon.identity.sso.saml.builders.encryption.DefaultSSOEncrypter</SAMLSSOEncrypter> | |||||
<SAMLSSOSigner> | <SAMLSSOSigner>org.wso2.carbon.identity.sso.saml.builders.signature.DefaultSSOSigner</SAMLSSOSigner> | |||||
<SAML2HTTPRedirectSignatureValidator> | <SAML2HTTPRedirectSignatureValidator>org.wso2.carbon.identity.sso.saml.validators.SAML2HTTPRedirectDeflateSignatureValidator</SAML2HTTPRedirectSignatureValidator> | |||||
<SAMLSSOResponseBuilder> | <SAMLSSOResponseBuilder>org.wso2.carbon.identity.sso.saml.builders.DefaultResponseBuilder</SAMLSSOResponseBuilder> | |||||
<SAMLResponseValidityPeriod> | SAML token validity period. | Int | 5 Minutes | <SAMLResponseValidityPeriod>5</SAMLResponseValidityPeriod> | ||
_ <UseAuthenticatedUserDomainCrypto> | When set to true, the SAML2 SSO SAML Response is signed using the authenticated user's tenant keystore. This is useful in a tenant-mode setup with older versions of API Manager. | Boolean | FALSE | |||
<SAMLDefaultSigningAlgorithmURI> | <SAMLDefaultSigningAlgorithmURI>http://www.w3.org/2000/09/xmldsig#rsa-sha1</SAMLDefaultSigningAlgorithmURI> | |||||
<SAMLDefaultDigestAlgorithmURI> | <SAMLDefaultDigestAlgorithmURI>http://www.w3.org/2000/09/xmldsig#sha1</SAMLDefaultDigestAlgorithmURI> | |||||
<SecurityTokenService> | ||||||
<IdentityProviderURL> | https://<HostName>:<MgtTrpProxyPort except 443>/<ProxyContextPath>/services/wso2carbon-sts | |||||
<PassiveSTS> | ||||||
<IdentityProviderURL> | https://<HostName>:<MgtTrpProxyPort except 443>/<ProxyContextPath>/passivests | |||||
<RetryURL> | ||||||
<TokenStoreClassName> | ||||||
______<AcceptOpenIDLogin> | Skips authentication if a valid OpenID login session is available. | Boolean | FALSE | Optional | <AcceptOpenIDLogin>false</AcceptOpenIDLogin> | |
______<ClaimsRetrieverImplClass> | Claim retrieving class name for generating a token. | String | N/A | Mandatory | <ClaimsRetrieverImplClass>org.wso2.carbon.identity.sso.saml.builders.claims.DefaultClaimsRetriever</ClaimsRetrieverImplClass> | |
__<EntitlementSettings> | ||||||
____<ThirftBasedEntitlementConfig> | Thrift transport configurations for entitlement service. | |||||
______<EnableThriftService> | Enables the Thrift transport. | Boolean | FALSE | Optional | <EnableThriftService>true</EnableThriftService> | |
_______<ReceivePort> | Thrift listening port. | Int | N/A | Mandatory | <ReceivePort>${Ports.ThriftEntitlementReceivePort}</ReceivePort> | |
_______<ClientTimeout> | Thrift session timeout in seconds. | Int | N/A | Mandatory | <ClientTimeout>10000</ClientTimeout> | |
_______<KeyStore> | Thrift key store configurations used for SSL. | |||||
__________<Location> | Key store location | String | N/A | Mandatory | <Location>${carbon.home}/repository/resources/security/wso2carbon.jks</Location> | |
________ _<Password> | Key store password | String | N/A | Mandatory | <Password>wso2carbon</Password> | |
<ThriftHostName> | The host name of the IS machine. | String | <ThriftHostName>${carbon.host}</ThriftHostName> | |||
<SCIM> | ||||||
<UserEPUrl> | https://<HostName>:<MgtTrpProxyPort except 443>/<ProxyContextPath>/<context>/<path> | |||||
<GroupEPUrl> | https://<HostName>:<MgtTrpProxyPort except 443>/<ProxyContextPath>/<context>/<path> | |||||
__<SCIMAuthenticators> | ||||||
____<Authenticator> | Defines the SCIM authenticator implementations. | String | org.wso2.carbon.identity.scim.provider.auth.BasicAuthHandler and org.wso2.carbon.identity.scim.provider.auth.OAuthHandler | Optional | <Authenticator class="org.wso2.carbon.identity.scim.provider.auth.BasicAuthHandler"> | |
______<Property> | Configuration properties of each authenticator implementation. | String | N/A | Optional | <Property name="Priority">5</Property> | |
<SessionContextCache> | ||||||
<Enable> | Boolean | TRUE | <Enable>true</Enable> | |||
<Capacity> | Int | <Capacity>100000</Capacity> | ||||
<EventListeners> | ||||||
<CacheConfig> | ||||||
<CacheManager> |