Configuration

config (object, required)

anonymous (string)

An optional string (consumer UUID or username) value to use as an "anonymous" consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.

assertion_consumer_path (string, required)

A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes). This is the path on Kong that the IdP posts SAML responses to.

idp_certificate (string)

The public certificate provided by the IdP. This is used to validate the signatures on responses from the IdP. Only include the contents of the certificate (the base64 body). Do not include the header (BEGIN CERTIFICATE) and footer (END CERTIFICATE) lines.
This field is encrypted.
This field is referenceable.
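Producing the value for idp_certificate from a PEM file exported by the IdP is a common stumbling point. The shell helper below is an added example, not part of this page or of the plugin: it strips the PEM header and footer, joins the base64 body onto one line, skips any other block in the file (such as a private key left alongside the certificate) so key material cannot end up in the plugin config, and sanity-checks the result. The sample PEM is constructed and is not a real certificate.

```shell
#!/bin/sh
# Added example (not Kong's code): prepare a PEM certificate for the
# idp_certificate field, which wants only the base64 body on one line.

# Reads PEM text on stdin and prints the base64 payload of the FIRST
# "CERTIFICATE" block, with header/footer lines and line breaks removed.
# Any other block type (PRIVATE KEY, CERTIFICATE REQUEST, ...) is skipped,
# so feeding a combined file cannot leak key material into the config.
pem_cert_body() {
  awk '
    /^-----BEGIN CERTIFICATE-----/ { inblk = 1; next }
    /^-----END CERTIFICATE-----/   { if (inblk) exit }
    inblk { sub(/\r$/, ""); printf "%s", $0 }
  '
}

# Returns 0 if $1 looks like a bare base64 certificate body: non-empty,
# only base64 characters plus optional "=" padding, and a length that is
# a multiple of 4. Returns 1 otherwise (e.g. header lines still present).
check_cert_body() {
  body=$1
  [ -n "$body" ] || return 1
  printf '%s' "$body" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
  [ $(( ${#body} % 4 )) -eq 0 ] || return 1
  return 0
}

# Constructed input, not a real certificate or key: a key block followed
# by a certificate block, as found in files exported by some IdPs.
SAMPLE_PEM='-----BEGIN PRIVATE KEY-----
c2VjcmV0a2V5bWF0ZXJpYWw=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUAAAA
Zm9vYmFy
-----END CERTIFICATE-----'

# Usage with a real file: IDP_CERT=$(pem_cert_body < idp.pem)
example() {
  body=$(printf '%s\n' "$SAMPLE_PEM" | pem_cert_body)
  check_cert_body "$body" || { echo "bad certificate body" >&2; return 1; }
  printf '%s\n' "$body"
}
```

The private-key block in the sample never reaches the output, which is the property to verify before pasting anything into a field that is stored (even encrypted) in the Kong database.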

idp_sso_url (string, required)

The IdP single sign-on endpoint that authentication requests are sent to. A string representing a URL, such as https://example.com/path/to/resource?q=search.

issuer (string, required)

The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.

nameid_format (string)

The requested NameId format. Options available are: Unspecified, EmailAddress, Persistent, Transient.

Allowed values: EmailAddress, Persistent, Transient, Unspecified

Default: EmailAddress

redis (object)

Child parameters:

cluster_max_redirections (integer)

Maximum retry attempts for redirection.

Default: 5

cluster_nodes (array[object])

Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.

>= 1 elements

Child parameters:

ip (string)

A string representing a host name, such as example.com.

Default: 127.0.0.1

port (integer)

An integer representing a port number between 0 and 65535, inclusive.

Default: 6379

>= 0, <= 65535

connect_timeout (integer)

An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.

Default: 2000

>= 0, <= 2147483646

connection_is_proxied (boolean)

If the connection to Redis is proxied (e.g. through Envoy), set this to true, and set host and port to point to the proxy address.

Default: false

database (integer)

Database to use for the Redis connection when using the redis strategy.

Default: 0

host (string)

A string representing a host name, such as example.com.

Default: 127.0.0.1

keepalive_backlog (integer)

Limits the total number of opened connections for a pool. If the connection pool is full, connection requests above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to the configured timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.

>= 0, <= 2147483646

keepalive_pool_size (integer)

The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn't specified but keepalive_backlog is specified, then the pool uses the default value. Try increasing this value (e.g. to 512) if latency is high or throughput is low.

Default: 256

>= 1, <= 2147483646

password (string)

Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
This field is encrypted.
This field is referenceable.

port (integer)

An integer representing a port number between 0 and 65535, inclusive.

Default: 6379

>= 0, <= 65535

prefix (string)

The Redis session key prefix.

read_timeout (integer)

An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.

Default: 2000

>= 0, <= 2147483646

send_timeout (integer)

An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.

Default: 2000

>= 0, <= 2147483646

sentinel_master (string)

Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.

sentinel_nodes (array[object])

Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using Redis Sentinel. The minimum length of the array is 1 element.

>= 1 elements

Child parameters:

host (string)

A string representing a host name, such as example.com.

Default: 127.0.0.1

port (integer)

An integer representing a port number between 0 and 65535, inclusive.

Default: 6379

>= 0, <= 65535

sentinel_password (string)

Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
This field is encrypted.
This field is referenceable.

sentinel_role (string)

Sentinel role to use for Redis connections when the redis strategy is defined. Defining this value implies using Redis Sentinel.

Allowed values: any, master, slave

sentinel_username (string)

Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.
This field is referenceable.

server_name (string)

A string representing an SNI (server name indication) value for TLS.

socket (string)

The Redis unix socket path.

ssl (boolean)

If set to true, uses SSL/TLS to connect to Redis.

Default: false

ssl_verify (boolean)

If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly. With ssl enabled but ssl_verify left at false, the connection is encrypted but the Redis server's identity is not checked, so the session store is exposed to an active attacker on the path to Redis.

Default: false

username (string)

Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.
This field is referenceable.

request_digest_algorithm (string)

The digest algorithm for AuthN requests: SHA256 or SHA1. Prefer the SHA256 default; choose SHA1 only when a legacy IdP cannot be reconfigured.

Allowed values: SHA1, SHA256

Default: SHA256

request_signature_algorithm (string)

The signature algorithm for signing AuthN requests. Options available are: SHA256, SHA384, SHA512.

Allowed values: SHA256, SHA384, SHA512

Default: SHA256

request_signing_certificate (string)

The certificate for signing requests.
This field is encrypted.
This field is referenceable.

request_signing_key (string)

The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The request_signing_certificate parameter must be set as well.
This field is encrypted.
This field is referenceable.

response_digest_algorithm (string)

The algorithm for verifying the digest in SAML responses: SHA256 or SHA1. As with request_digest_algorithm, SHA1 is a weak digest and should only be used for a legacy IdP.

Allowed values: SHA1, SHA256

Default: SHA256

response_encryption_key (string)

The private encryption key required to decrypt encrypted assertions.
This field is encrypted.
This field is referenceable.

response_signature_algorithm (string)

The algorithm for validating signatures in SAML responses. Options available are: SHA256, SHA384, SHA512.

Allowed values: SHA256, SHA384, SHA512

Default: SHA256

session_absolute_timeout (number)

The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.

Default: 86400

session_audience (string)

The session audience, for example "my-application".

Default: default

session_enforce_same_subject (boolean)

When set to true, audiences are forced to share the same subject.

Default: false

session_hash_storage_key (boolean)

When set to true, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without the cookie.

Default: false

session_hash_subject (boolean)

When set to true, the value of subject is hashed before being stored. Only applies when session_store_metadata is enabled.

Default: false

session_idling_timeout (number)

The session cookie idle time in seconds.

Default: 900

session_memcached_host (string)

The memcached host.

Default: 127.0.0.1

session_memcached_port (integer)

An integer representing a port number between 0 and 65535, inclusive.

Default: 11211

>= 0, <= 65535

session_memcached_prefix (string)

The memcached session key prefix.

session_memcached_socket (string)

The memcached unix socket path.

session_remember (boolean)

Enables or disables persistent sessions.

Default: false

session_remember_absolute_timeout (number)

Persistent session absolute timeout in seconds.

Default: 2592000

session_remember_rolling_timeout (number)

Persistent session rolling timeout in seconds.

Default: 604800

session_request_headers (array[string])

Allowed values: absolute-timeout, audience, id, idling-timeout, rolling-timeout, subject, timeout

session_response_headers (array[string])

Allowed values: absolute-timeout, audience, id, idling-timeout, rolling-timeout, subject, timeout

session_rolling_timeout (number)

The session cookie rolling timeout in seconds. Specifies how long the session can be used until it needs to be renewed.

Default: 3600

session_secret (string, required)

The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, /, _ and +). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange. Generate it from a cryptographically secure random source; anyone holding it can forge session cookies.
This field is encrypted.
This field is referenceable.

Match pattern: ^[0-9a-zA-Z/_+]+$

Exactly 32 characters

session_storage (string)

The session storage for session data:
- cookie: stores session data in the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless and doesn't require a database.
- memcached: stores session data in memcached.
- redis: stores session data in Redis.

Allowed values: cookie, memcache, memcached, redis

Default: cookie

session_store_metadata (boolean)

Configures whether or not session metadata should be stored. This includes information about the active sessions for the specific audience belonging to a specific subject.

Default: false

validate_assertion_signature (boolean)

Enable signature validation for SAML responses. Leave this at true: with it disabled, the idp_certificate is not used to check the response, and an unsigned or tampered assertion is accepted.

Default: true
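The session_secret, session_storage/redis and validate_assertion_signature entries above describe constraints but not how to put them together. The shell script below is an added example, not code from this page or from Kong: it generates a session_secret that satisfies the schema's pattern and length from the kernel CSPRNG, checks it, assembles a plugin body that keeps signature validation on and uses TLS-verified Redis session storage, and posts it to the Admin API. The IdP URLs, the ACS path, the Redis hostname, the timeouts, the service name and the {vault://env/...} reference for the Redis password are assumptions chosen for the example; the plugin name "saml" and the /services/{service}/plugins Admin API route are Kong's own.

```shell
#!/bin/sh
# Added example (not Kong's code): generate a compliant session_secret and
# assemble a SAML plugin configuration with the security-relevant settings
# kept on, then POST it to the Admin API.

# 32 characters drawn from the alphabet the schema allows ([0-9a-zA-Z/_+]),
# taken from the kernel CSPRNG rather than $RANDOM or a shell PRNG.
gen_session_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9/_+' < /dev/urandom | head -c 32
}

# Returns 0 only if $1 satisfies the schema's pattern and exact length.
check_session_secret() {
  printf '%s' "$1" | grep -Eq '^[0-9a-zA-Z/_+]{32}$'
}

# Prints the JSON body for the plugin. Arguments:
#   $1  session_secret (from gen_session_secret)
#   $2  idp_certificate body (bare base64, no PEM header/footer)
# Hostnames, paths and timeouts are assumptions for the example. The
# {vault://env/...} reference keeps the Redis password out of the stored
# config, which the schema allows because the field is "referenceable".
saml_plugin_config() {
  cat <<EOF
{
  "name": "saml",
  "config": {
    "issuer": "https://idp.example.com/saml/metadata",
    "idp_sso_url": "https://idp.example.com/saml/sso",
    "assertion_consumer_path": "/saml/acs",
    "idp_certificate": "$2",
    "validate_assertion_signature": true,
    "response_signature_algorithm": "SHA256",
    "response_digest_algorithm": "SHA256",
    "nameid_format": "Persistent",
    "session_secret": "$1",
    "session_storage": "redis",
    "session_hash_storage_key": true,
    "session_idling_timeout": 900,
    "session_rolling_timeout": 3600,
    "session_absolute_timeout": 28800,
    "redis": {
      "host": "redis.internal.example",
      "port": 6379,
      "ssl": true,
      "ssl_verify": true,
      "server_name": "redis.internal.example",
      "username": "kong",
      "password": "{vault://env/kong-redis-password}",
      "prefix": "saml"
    }
  }
}
EOF
}

# POSTs the config to the Admin API, scoping the plugin to one service.
# Usage: apply_saml_plugin http://localhost:8001 my-service "$SECRET" "$CERT"
apply_saml_plugin() {
  admin_url=$1; service=$2; secret=$3; cert=$4
  check_session_secret "$secret" || { echo "session_secret rejected" >&2; return 1; }
  saml_plugin_config "$secret" "$cert" |
    curl -sS -f -X POST "$admin_url/services/$service/plugins" \
      -H 'Content-Type: application/json' --data-binary @-
}
```

Because ssl_verify is true here, kong.conf must also carry lua_ssl_trusted_certificate pointing at the CA that issued the Redis server certificate, as the ssl_verify entry above notes; otherwise every session lookup fails closed. The vault reference assumes the env vault is enabled and the variable KONG_REDIS_PASSWORD is set on each node.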

protocols (array[string])

A set of strings representing HTTP protocols.

Allowed values: grpc, grpcs, http, https

Default: grpc, grpcs, http, https

route (object)

If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.

* Additional properties are NOT allowed.

Child parameters:

id (string)

service (object)

If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.

* Additional properties are NOT allowed.

Child parameters:

id (string)
