Configuration
The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. Do not include the header (BEGIN CERTIFICATE) and footer (END CERTIFICATE) lines.
This field is encrypted.
This field is referenceable.
A string representing a URL, such as https://example.com/path/to/resource?q=search.
Cluster addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.
>= 1 characters
Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return nil. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than keepalive_pool_size. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than keepalive_pool_size.
>= 0, <= 2147483646
The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither keepalive_pool_size nor keepalive_backlog is specified, no pool is created. If keepalive_pool_size isn’t specified but keepalive_backlog is specified, then the pool uses the default value. Try increasing this value (e.g. to 512) if latency is high or throughput is low.
Default: 256
>= 1, <= 2147483646
Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.
This field is encrypted.
This field is referenceable.
Sentinel node addresses to use for Redis connections when the redis strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.
>= 1 characters
Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.
This field is encrypted.
This field is referenceable.
Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won’t be performed. This requires Redis v6.2.0+.
This field is referenceable.
If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure lua_ssl_trusted_certificate in kong.conf to specify the CA (or server) certificate used by your Redis server. You may also need to configure lua_ssl_verify_depth accordingly.
Default: false
Username to use for Redis connections. If undefined, ACL authentication won’t be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to default.
This field is referenceable.
The certificate for signing requests.
This field is encrypted.
This field is referenceable.
The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The request_signing_certificate parameter must be set as well.
This field is encrypted.
This field is referenceable.
The private encryption key required to decrypt encrypted assertions.
This field is encrypted.
This field is referenceable.
The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, /, _ and +). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.
This field is encrypted.
This field is referenceable.
Match pattern: ^[0-9a-zA-Z/_+]+$
>= 32 characters, <= 32 characters
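An added example, not part of this reference: one way to prepare two of the values described on this page, a 32-character session secret that satisfies the stated pattern and the IdP certificate contents with the BEGIN/END lines removed. The function names and the sample certificate body are constructed for illustration.

```python
import base64
import re
import secrets

# Constraints copied from this page: exactly 32 characters matching the pattern.
SECRET_PATTERN = re.compile(r"^[0-9a-zA-Z/_+]+$")
SECRET_LENGTH = 32

# Constructed sample input: placeholder bytes, not a real certificate.
SAMPLE_BODY = base64.b64encode(b"constructed placeholder, not a real certificate").decode("ascii")
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_BODY}\n-----END CERTIFICATE-----\n"


def generate_session_secret() -> str:
    """Return a 32-character secret from the OS CSPRNG.

    24 random bytes encode to exactly 32 standard-base64 characters with no
    '=' padding, so only letters, digits, '+' and '/' can appear.
    URL-safe base64 (e.g. secrets.token_urlsafe) can emit '-', which the
    pattern above rejects.
    """
    return base64.b64encode(secrets.token_bytes(24)).decode("ascii")


def is_valid_session_secret(value: str) -> bool:
    """Check a candidate against the page's length and pattern constraints."""
    return len(value) == SECRET_LENGTH and SECRET_PATTERN.fullmatch(value) is not None


def strip_pem_armor(pem: str) -> str:
    """Return the certificate contents without the BEGIN/END lines.

    The contents are joined onto one line (an assumption; the page only
    requires that the header and footer lines be dropped).
    """
    lines = [ln.strip() for ln in pem.splitlines() if ln.strip()]
    body = "".join(ln for ln in lines if not ln.startswith("-----"))
    if not body:
        raise ValueError("no certificate contents found")
    base64.b64decode(body, validate=True)  # raises binascii.Error on stray characters
    return body


if __name__ == "__main__":
    secret = generate_session_secret()
    print("secret passes page constraints:", is_valid_session_secret(secret))
    print("certificate contents:", strip_pem_armor(SAMPLE_PEM))
```

Generate the secret once and store it through the encrypted or referenced field rather than in plain configuration files.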
The session storage for session data:
- cookie: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn’t require a database.
- memcached: stores session data in memcached
- redis: stores session data in Redis
Allowed values: cookie, memcache, memcached, redis
Default: cookie
If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.