Configure launch options for Blitz Identity Provider services

Blitz Identity Provider applications accept the following Java options, which enable special modes of operation or override the default behaviour:

Attention

It is recommended that you consult with Blitz Identity Provider technical support before installing options.

  • blitz.login.cookie.sameSite - specifies the flag with which session cookies should be created in Blitz Identity Provider. By default, cookies are created with the flag sameSite=Lax. This can be overridden to None.

  • blitz.login.outside.flow.callback.ttl.sec - specifies the time to wait for a response from an external authentication method called from Blitz Identity Provider. The default value is 300 seconds.

  • blitz.login.mus.cookie.unused.ttl.sec - sets the lifetime of the cookie that remembers the list of users logged in from the current browser. The default value corresponds to 365 days (the value is set in seconds);

  • blitz.login.bua.cookie.ttl.sec - sets the validity time of the cookie used to remember the user’s browser. The default value corresponds to 365 days (the value is set in seconds);

  • blitz.login.setLastAuth.disabled - disables writing the time of the user's last authentication to the database. By default, the last authentication time is written to the database. Disabling it improves database performance, but the function of blocking accounts by inactivity can then not be used;

  • blitzDispatchedQueues - specifies the name of the queue from which Blitz Identity Provider takes tasks for sending emails, user registration and password recovery. The default queue name is default;

  • blitz.stores.united.u-cache.ttlInSec - the expiration time of the cache of account data provided via the REST API. The default is 1 second;

  • blitz.csrf.cookie.ttlInSec - specifies the validity time of the cookie that prevents CSRF. The default corresponds to 6 hours (the value is set in seconds). This is the maximum time allowed from the moment the user opens a page until the user submits the completed page to the server;

  • blitz.jdbc.cols.types.strings - specifies the column type used to store string attributes in the relational DBMS (PostgreSQL). The text type is used by default;

  • blitz.jdbc.pool.stat-period - specifies the frequency at which JDBC usage statistics are logged. The default is 300 seconds;

  • saml.numThreads - specifies the number of threads Blitz Identity Provider uses to process incoming SAML requests. The default is 32 threads;

  • blitz.oauth.exchange.rules.fs.cache.capacity - specifies the size of the cache used by Blitz Identity Provider to check microservice access rules. The default cache size is 10000 checks;

  • blitz.oauth.dyn.reg.clientSecretLength - specifies the length of the client_secret generated during dynamic registration of a client_id and client_secret pair. By default, client_secret is generated with a length of 15 characters.

  • blitz.oauth.dyn.reg.clientAttachingTllInSec - specifies the time within which a client_id and client_secret pair generated during dynamic registration must be associated with a user (if the pair is not associated with a user within this time, it is canceled). The default corresponds to 1 hour (the value is specified in seconds).

  • blitz.session.checkRemoteAddress.disabled - set to true to disable the check that the session IP address matches the IP address of the incoming request (recommended if you have users with dynamic IP addresses).

  • blitz.webauthn.residentKey.preferred - if the option is specified, security keys are registered with the parameter residentKey=preferred. In that case, setting the option to true yields requireResidentKey=true, and setting it to false yields requireResidentKey=false.

  • blitz.ldap.store.extension.class - passing com.identityblitz.idp.store.ldap.custom.PasswordMigrationExt in this option enables the password migration mode.

  • blitz.ldap.store.extension.PasswordMigrationExt.passwordHashAttr - specifies the name of the LDAP attribute that stores the password hash for the password migration option. For migration from hashes produced with the bcrypt algorithm, the hash must carry the {bcrypt} prefix.

  • extensionsDir - specifies the path of the directory containing extension modules.

  • metrics - allows you to disable gathering performance metrics in the Prometheus format. To do so, set the value to false. By default, metric gathering is enabled.

  • couchbase.durability.mode - specifies the data persistence mode used with Couchbase Server. With Couchbase Server version 6.0.1 or older, the clientVerified mode must be used. With Couchbase Server 6.5, 7.0 or newer, the clientVerified mode cannot be used; there the parameter is optional (majority mode is used when the parameter is absent) and selects the required level of data retention assurance in a cluster with replication from the following options:

    • disabled - waits only for the in-memory write on the primary node of the cluster;

    • majority - waits for in-memory writes on the primary node and on most replicas;

    • majorityAndPersistActive - waits for the disk write on the primary node and for in-memory writes on most replicas;

    • persistToMajority - waits for disk writes on the primary node and on most replicas.

  • akka.http.parsing.max-uri-length - sets the maximum length of the request URL (the browser address bar string). If a larger value is needed, it is recommended to set this parameter to 16k.

  • akka.http.parsing.max-header-value-length - sets the maximum allowed size of an HTTP header value. If it is necessary to increase it, set this parameter to 16k.

  • akka.coordinated-shutdown.phases.service-stop.timeout - sets how long, after receiving the command to stop the service, the service may keep running to complete the tasks it has already taken on. If you use the message broker built into Blitz Identity Provider, it is recommended to set the parameter to 30s for the service.

  • memcached.locator.tries - defines the number of attempts to find a working Memcached server when an access failure to a Memcached server is being handled.

Warning

It is not guaranteed that the options used will be preserved in future versions of Blitz Identity Provider.

To set options with values other than the defaults, edit the /etc/default/blitz-idp file and set the necessary JAVA_OPTS in it. Below is an example of the file in which the blitz.csrf.cookie.ttlInSec and blitz.login.cookie.sameSite options are set among the other Java options. After changing JAVA_OPTS, restart the Blitz Identity Provider services affected by the change.

export JAVA_HOME=/usr/java/default
export PIDFILE=/usr/share/identityblitz/blitz-idp/RUNNING_PID
export JAVA_OPTS="-server -Xms512m -Xmx1G -XX:MaxMetaspaceSize=512m -Xmn256m -Dcom.couchbase.connectTimeout=30000 -Dakka.http.parsing.max-uri-length=16k"
export JAVA_OPTS="$JAVA_OPTS -Dblitz.csrf.cookie.ttlInSec=36000 -Dblitz.login.cookie.sameSite=None -Dplay.filters.headers.frameOptions=null"
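As an added example (not part of the Blitz Identity Provider documentation or product), a POSIX shell script that reads the -D options from such a file and flags those that relax one of the defaults listed above; the file content is a constructed sample embedded in the script, and the thresholds are the defaults stated on this page. The play.filters.headers.frameOptions check refers to the Play Framework setting that appears in the example file; setting it to null disables the X-Frame-Options header.

```shell
# Added example, not part of the Blitz Identity Provider documentation: read the -D
# options that /etc/default/blitz-idp passes through JAVA_OPTS and flag values that
# relax one of the security defaults described above.

# Constructed sample of /etc/default/blitz-idp, so the script runs offline.
SAMPLE_DEFAULTS='export JAVA_HOME=/usr/java/default
export JAVA_OPTS="-server -Xmx1G -Dakka.http.parsing.max-uri-length=16k"
export JAVA_OPTS="$JAVA_OPTS -Dblitz.csrf.cookie.ttlInSec=36000 -Dblitz.login.cookie.sameSite=None"
export JAVA_OPTS="$JAVA_OPTS -Dblitz.session.checkRemoteAddress.disabled=true"'

# effective_dopts TEXT: print each -Dkey=value from the JAVA_OPTS lines as key=value,
# in file order (the JVM applies the last definition of a repeated key).
effective_dopts() {
  printf '%s\n' "$1" | grep '^export JAVA_OPTS=' | tr ' ' '\n' \
    | sed -n 's/^[^-]*-D\([^=]*\)=\(.*\)$/\1=\2/p' | sed 's/"$//'
}

# dopt_value TEXT KEY: value of the last occurrence of KEY, empty if KEY is not set.
dopt_value() {
  effective_dopts "$1" \
    | awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) } END { print v }'
}

# warn MSG: report one relaxed default and count it.
warn() { echo "WARN $1"; n=$((n + 1)); }

# audit_dopts TEXT: print one WARN line per relaxed default; returns the warning count.
audit_dopts() {
  n=0
  [ "$(dopt_value "$1" blitz.login.cookie.sameSite)" = None ] &&
    warn "blitz.login.cookie.sameSite=None: session cookies are sent on cross-site requests (default Lax)"
  [ "$(dopt_value "$1" blitz.session.checkRemoteAddress.disabled)" = true ] &&
    warn "blitz.session.checkRemoteAddress.disabled=true: sessions are no longer bound to the client IP"
  [ "$(dopt_value "$1" blitz.login.setLastAuth.disabled)" = true ] &&
    warn "blitz.login.setLastAuth.disabled=true: blocking accounts by inactivity is unavailable"
  [ "$(dopt_value "$1" play.filters.headers.frameOptions)" = null ] &&
    warn "play.filters.headers.frameOptions=null: X-Frame-Options header disabled (clickjacking)"
  ttl=$(dopt_value "$1" blitz.csrf.cookie.ttlInSec)
  case "$ttl" in
    *[!0-9]*|'') ;;   # unset or not a plain number: the 6-hour default applies
    *) [ "$ttl" -gt 21600 ] &&
         warn "blitz.csrf.cookie.ttlInSec=$ttl: CSRF cookie outlives the 21600 s (6 h) default" ;;
  esac
  return $n
}

audit_dopts "$SAMPLE_DEFAULTS" || echo "$? option(s) relax a security default"
```

Run it against the real file with `audit_dopts "$(cat /etc/default/blitz-idp)"` after each change to JAVA_OPTS; a non-zero exit status means at least one default was relaxed.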