SquashTM Main Configuration
Java Environment variables
The content of the SQUASH_JAVA_ARGS variable is appended to the end of the java command line. This allows you to add parameters or override the default ones (since JVM arguments are processed from left to right and the last defined values take precedence).
For example, SquashTM executes: java -Xms128m -Xmx2048m $SQUASH_JAVA_ARGS. So, if you set $SQUASH_JAVA_ARGS to -Xmx4096m, the resulting command will be: java -Xms128m -Xmx2048m -Xmx4096m. In this case, the JVM will start with a maximum heap size Xmx of 4 GB.
Necessary memory
Make sure that the server on which the application is installed has enough RAM to handle all the memory necessary for:
- the heap size (-Xms, -Xmx)
- the metaspace (-XX:MetaspaceSize, -XX:MaxMetaspaceSize)
- the stack of each thread (-Xss)
- the code cache (-XX:ReservedCodeCacheSize)
- other (arena, byte buffers…)
The server should have more memory than -Xmx + -XX:MaxMetaspaceSize + -XX:ReservedCodeCacheSize + 128MB.
See the Java documentation for more information.
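As an added example (not part of SquashTM or its startup scripts), the following POSIX shell script applies the two rules above: it resolves the effective value of each option the way the JVM does (last occurrence wins, so a value appended through SQUASH_JAVA_ARGS overrides the built-in -Xmx2048m) and computes the memory floor from the formula -Xmx + -XX:MaxMetaspaceSize + -XX:ReservedCodeCacheSize + 128 MB. The SQUASH_JAVA_ARGS value used in the stand-alone run and the reading of /proc/meminfo are assumptions of the example; an unset metaspace or code-cache limit is counted as zero and reported, since an unbounded metaspace cannot be budgeted.

```shell
#!/bin/sh
# Added example, not part of SquashTM: computes the memory floor described above
# from the final java command line, applying the "last definition wins" rule so
# that a value appended through SQUASH_JAVA_ARGS overrides the built-in one.

# to_mb SIZE: convert a JVM size literal (4096m, 2g, 524288k, or plain bytes) to MiB.
to_mb() {
  size=$1
  num=${size%[kKmMgG]}
  unit=${size#"$num"}
  case "$num" in
    ''|*[!0-9]*) echo "to_mb: not a JVM size: $size" >&2; return 1 ;;
  esac
  case "$unit" in
    k|K) echo $(( num / 1024 )) ;;
    m|M) echo "$num" ;;
    g|G) echo $(( num * 1024 )) ;;
    '')  echo $(( num / 1048576 )) ;;
  esac
}

# effective_value PREFIX ARG...: value of the last argument starting with PREFIX,
# because the JVM processes its options left to right and keeps the last one.
effective_value() {
  prefix=$1; shift
  found=''
  for arg in "$@"; do
    case "$arg" in
      "$prefix"*) found=${arg#"$prefix"} ;;
    esac
  done
  printf '%s\n' "$found"
}

# memory_floor_mb ARG...: minimum RAM in MiB the host should have, per the rule above.
# A missing -XX:MaxMetaspaceSize or -XX:ReservedCodeCacheSize is counted as 0 and
# reported on stderr: an unbounded metaspace cannot be budgeted, so set it explicitly.
memory_floor_mb() {
  xmx=$(effective_value -Xmx "$@")
  meta=$(effective_value -XX:MaxMetaspaceSize= "$@")
  cache=$(effective_value -XX:ReservedCodeCacheSize= "$@")
  [ -n "$xmx" ] || { echo "memory_floor_mb: no -Xmx on the command line" >&2; return 1; }
  [ -n "$meta" ] || { echo "memory_floor_mb: -XX:MaxMetaspaceSize not set, counted as 0" >&2; meta=0; }
  [ -n "$cache" ] || { echo "memory_floor_mb: -XX:ReservedCodeCacheSize not set, counted as 0" >&2; cache=0; }
  xmx_mb=$(to_mb "$xmx") || return 1
  meta_mb=$(to_mb "$meta") || return 1
  cache_mb=$(to_mb "$cache") || return 1
  echo $(( xmx_mb + meta_mb + cache_mb + 128 ))
}

# host_has_enough_ram FLOOR_MB: compare the floor with MemTotal from /proc/meminfo
# (Linux only; an assumption of this example). Returns 2 when the total is unknown.
host_has_enough_ram() {
  total_mb=$(awk '/^MemTotal:/ { print int($2 / 1024) }' /proc/meminfo 2>/dev/null) || return 2
  [ -n "$total_mb" ] || return 2
  [ "$total_mb" -gt "$1" ]
}

# Stand-alone run: the built-in options plus a SQUASH_JAVA_ARGS override, as in the
# text above (the SQUASH_JAVA_ARGS value is constructed for this demo).
SQUASH_JAVA_ARGS="-Xmx4096m -XX:MaxMetaspaceSize=512m -XX:ReservedCodeCacheSize=256m"
# shellcheck disable=SC2086  # word-splitting of SQUASH_JAVA_ARGS is intended, as in the startup script
floor=$(memory_floor_mb -Xms128m -Xmx2048m $SQUASH_JAVA_ARGS)
echo "memory floor: ${floor} MiB"
if host_has_enough_ram "$floor"; then
  echo "host RAM is above the floor"
else
  echo "host RAM is below the floor, or could not be determined"
fi
```

The sizes are compared in MiB throughout; passing the real command line (for instance from ps) to memory_floor_mb gives the floor the server must exceed.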
SquashTM's Configuration File
This section describes the configuration parameters available in the configuration file (conf/squash.tm.cfg.properties) of SquashTM.
Focus
Once the changes have been done and the squash.tm.cfg.properties file (or the auxiliary configuration file) has been saved, you must restart SquashTM for them to be taken into account.
Other configuration methods
SquashTM uses Spring Boot, which provides many mechanisms other than modifying the squash.tm.cfg.properties file to define the values of configuration parameters: environment variables, JSON embedded in SPRING_APPLICATION_JSON… Refer to the Spring Boot documentation for the exhaustive list of ways to define these values.
For example, if you want to start SquashTM in Docker while setting squashtm.stack.trace.control.panel.visible to true, you can use:
docker run --name='squash-tm' --env SQUASHTM_STACK_TRACE_CONTROL_PANEL_VISIBLE=true -it -p 8090:8080 squashtest/squash:12.0.2
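As an added example, not from the SquashTM project, the shell functions below derive the environment-variable name that Spring Boot's relaxed binding accepts for a property key (dots become underscores, dashes are dropped, letters are upper-cased, which is how squashtm.stack.trace.control.panel.visible becomes SQUASHTM_STACK_TRACE_CONTROL_PANEL_VISIBLE in the docker command above) and scan a properties file for the credential keys listed on this page, so that such values can be supplied through the environment instead of being kept in the file. The list of secret keys and the sample file are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of SquashTM: maps property keys to the environment-variable
# form Spring Boot's relaxed binding accepts, and reports credentials that are still
# written in clear text in a properties file.

# env_name KEY: the canonical environment-variable form of a property key
# (drop dashes, replace dots with underscores, upper-case).
env_name() {
  printf '%s\n' "$1" | sed -e 's/-//g' -e 's/\./_/g' | tr '[:lower:]' '[:upper:]'
}

# Keys from this page whose values are credentials (constructed list for the example;
# the multi-LDAP/AD variants carry a [name]. prefix and are not covered here).
SECRET_KEYS='squash.crypto.secret
squash.rest-api.jwt.secret
spring.datasource.password
authentication.ldap.server.managerPassword
authentication.ad.server.managerPassword
plugin.synchronisation.gitlab.webhook.secret-token
plugin.synchronisation.jira.batchSize'

# report_secrets_in_file FILE: print "key -> ENV_NAME" for every secret key that has a
# non-blank, uncommented value in FILE. Returns 1 if any was found, 0 otherwise, so the
# function can gate a deployment pipeline.
report_secrets_in_file() {
  file=$1
  found=0
  for key in $SECRET_KEYS; do
    # Escape the dots so the key matches literally in the ERE.
    esc=$(printf '%s' "$key" | sed 's/[.]/\\./g')
    # Match "key=value" or "key : value" with a non-blank value; '#' and '!' comment
    # lines do not match because the line must start with the key.
    if grep -Eq "^[[:space:]]*${esc}[[:space:]]*[=:][[:space:]]*[^[:space:]]" "$file"; then
      printf '%s -> %s\n' "$key" "$(env_name "$key")"
      found=1
    fi
  done
  return $found
}

# Stand-alone run on a constructed sample of squash.tm.cfg.properties.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# constructed sample, not a real deployment
server.port=8080
squashtm.stack.trace.control.panel.visible=false
spring.datasource.password=changeme
# squash.rest-api.jwt.secret=
EOF
echo "SQUASHTM_STACK_TRACE_CONTROL_PANEL_VISIBLE expected: $(env_name squashtm.stack.trace.control.panel.visible)"
echo "Credentials that should come from the environment instead of the file:"
report_secrets_in_file "$SAMPLE" || echo "(set them with docker run --env or an exported variable)"
rm -f "$SAMPLE"
```

Note that plugin.synchronisation.jira.batchSize is deliberately in the list only to show that a non-matching key produces no output; remove it in real use. The regular expression keeps a key whose value is blank out of the report, matching the page's advice to leave unused properties commented out.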
Configuration Management
| Parameter | Description | Default | Notes |
|---|---|---|---|
| spring.profiles.include | Allows splitting configuration into multiple files | - | since Squash TM 1.18.0. A comma-separated list of identifiers. Auxiliary configuration files must be named either squash.tm.cfg-<ident>.properties or application-<ident>.properties. |
Tomcat
| Parameter | Description | Default | Notes |
|---|---|---|---|
| server.port | Defines the server access port | 8080 | Please note that the system will not verify that the chosen port is available. Make sure that it is by checking with the system administrator. |
| server.servlet.session.timeout | Sets the session timeout | 3600 (seconds) | - |
| server.tomcat.accesslog.enabled | Enables Tomcat access logs | false | - |
| server.tomcat.basedir | Sets the base directory for Tomcat | ${squash.path.root}/tomcat-work | - |
| server.tomcat.use-relative-redirects | Ensures internal redirections use the HTTPS protocol in HTTPS environments | true | true or false |
| server.servlet.context-path | SquashTM context path | /squash | Setting server.servlet.context-path=/foo will require users to log in via the <squash-base-url>/foo URL. |
When port 80 is blocked for security reasons, it is necessary to set server.tomcat.use-relative-redirects to true so that internal redirections are systematically done via port 443.
SquashTM Paths
| Parameter | Description | Default | Notes |
|---|---|---|---|
| spring.config.location | Sets the configuration location | ../conf | - |
| squash.path.root | Sets the root path for SquashTM | ${spring.config.location}/.. | - |
| squash.path.bundles-path | Sets the path for bundles | ${squash.path.root}/bundles | - |
| squash.path.plugins-path | Sets the path for plugins | ${squash.path.root}/plugins | - |
| squash.path.languages-path | Sets the path for language files | ${spring.config.location}/lang | - |
| squash.path.local-git-repositories-folder | Sets the path for local Git repositories | ${squash.path.root}/git-repositories | since Squash TM 8.0.0. See this page. |
| squash.project-imports.folder-path | Sets the path for the files in queue and the logs of imports | ${squash.path.root}/imports | since Squash TM 8.0.0. See this page for Xray imports. |
| squash.report-custom-template.folder-path | Sets the path for the report custom templates | ${spring.config.location}/report.custom.templates | since Squash TM 9.0.0. See this page for report templates. |
Security
| Parameter | Description | Default | Notes |
|---|---|---|---|
| squash.security.basic.token-charset | Defines the encoding for basic auth-secured endpoints | - | since Squash TM 1.16.1. For example: UTF-8, ISO-8859-1… |
| squash.crypto.secret | Defines the encryption key for credentials of third-party tools | - | since Squash TM 1.17.0. Logins and passwords entered for connection to third-party tools are encrypted in the database using this key. The application is delivered with a default encryption key, which must be changed immediately. Must be at least 12 characters long, preferably 16+ characters for strong security. Space and tab are not allowed. For example: jN9$mK5vP#xR2hL8nQ4&. Changing this key later will make previously stored credentials unusable. |
| squash.rest-api.disallow-basic-authentication | Disallows basic authentication for the REST API | true | since Squash TM 7.1.0 |
| squash.rest-api.jwt.secret | Sets the secret used to encrypt tokens for REST API calls | - | since Squash TM 7.1.0. Must be at least 512 bits and base64 encoded (at least 86 characters). For example: Ym9uam91cmplc3Vpc2RldmVsb3BwZXVzZXN1cnNxdWFzaHRtZXRub3Vzc29tbWVzZW5sYW5uZWUyMDI0ISEhIS |
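As an added example (not SquashTM code), these shell functions check a candidate squash.crypto.secret and squash.rest-api.jwt.secret against the constraints stated in the table before the values are written into the configuration file, and generate a compliant JWT secret with openssl. The decoded size of the base64 value is computed from its length, so the check needs no base64 decoder; the openssl invocation and the sample values are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of SquashTM: validates the two secrets from the table above.
# Thresholds are the page's: crypto.secret at least 12 characters (16+ recommended),
# no space or tab; jwt.secret base64 decoding to at least 512 bits (64 bytes, i.e. at
# least 86 base64 characters).

TAB=$(printf '\t')

# check_crypto_secret VALUE: 0 if acceptable, 1 otherwise; diagnostics on stderr.
check_crypto_secret() {
  s=$1
  case "$s" in
    *' '*|*"$TAB"*) echo "crypto.secret: space and tab are not allowed" >&2; return 1 ;;
  esac
  if [ ${#s} -lt 12 ]; then
    echo "crypto.secret: ${#s} characters, minimum is 12" >&2; return 1
  fi
  [ ${#s} -ge 16 ] || echo "crypto.secret: ${#s} characters, 16+ recommended" >&2
  return 0
}

# base64_decoded_bytes VALUE: number of bytes a base64 string decodes to, derived
# from its length (3 bytes per 4 characters, '=' padding excluded).
base64_decoded_bytes() {
  unpadded=${1%%=*}
  echo $(( ${#unpadded} * 3 / 4 ))
}

# check_jwt_secret VALUE: 0 if it is base64 and carries at least 512 bits, 1 otherwise.
check_jwt_secret() {
  s=$1
  if ! printf '%s' "$s" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'; then
    echo "jwt.secret: not base64" >&2; return 1
  fi
  bits=$(( $(base64_decoded_bytes "$s") * 8 ))
  if [ "$bits" -lt 512 ]; then
    echo "jwt.secret: $bits bits, minimum is 512" >&2; return 1
  fi
  return 0
}

# new_jwt_secret: 64 random bytes, base64 on a single line (88 characters with padding).
# Assumes openssl is installed.
new_jwt_secret() {
  openssl rand -base64 64 | tr -d '\n'
}

# Stand-alone run with constructed values.
check_crypto_secret 'changeit' || echo "rejected: crypto secret too short"
check_crypto_secret 'jN9$mK5vP#xR2hL8nQ4&' && echo "accepted: crypto secret"
check_jwt_secret 'c2hvcnQ=' || echo "rejected: jwt secret too short"
if command -v openssl >/dev/null 2>&1; then
  generated=$(new_jwt_secret)
  check_jwt_secret "$generated" && echo "accepted: generated jwt secret (${#generated} characters)"
fi
```

Run the checks on the values before restarting SquashTM; a rejected crypto secret is refused outright, while a 12-to-15 character one passes with a warning, as the table's "preferably 16+" wording allows.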
Deprecation of basic authentication
Since Squash TM 10.1.0, the squash.rest-api.disallow-basic-authentication property is set to true by default (previously, it was false by default).
From mid-2026, basic authentication (login/password) for API calls will no longer be possible; authentication will have to be by token.
Database connection
| Parameter | Description | Default | Notes |
|---|---|---|---|
| spring.profiles.active | Defines the type of database engine | - | since Squash TM 10.1.0. Possible values: postgresql or mariadb. |
| spring.datasource.password | Specifies the password | - | since Squash TM 10.1.0 |
| spring.datasource.username | Specifies the username | - | since Squash TM 10.1.0 |
| spring.datasource.url | Specifies the connection URL | - | since Squash TM 10.1.0 |
| spring.datasource.hikari.maximumPoolSize | Configures the connection pool size | 20 | Refer to the HikariCP documentation for more details. |
Auxiliary configuration files
SquashTM comes with two auxiliary configuration files, squash.tm.cfg-postgresql.properties and squash.tm.cfg-mariadb.properties, which you can use as follows:
- If you are using PostgreSQL:
  - Set postgresql as the value of spring.profiles.include in the file squash.tm.cfg-postgresql.properties;
  - Specify the values of the parameters from the previous table in the file squash.tm.cfg-postgresql.properties.
- If you are using MariaDB:
  - Set mariadb as the value of spring.profiles.include in the file squash.tm.cfg-mariadb.properties;
  - Specify the values of the parameters from the previous table in the file squash.tm.cfg-mariadb.properties.
You can also leave these auxiliary files unused and specify the values of the parameters from the previous table directly in the file squash.tm.cfg.properties.
Database update
| Parameter | Description | Default | Notes |
|---|---|---|---|
| squash.db.update-mode | Enables/disables automatic database updates | interactive | since Squash TM 9.0.0. See this page for the possible values. |
Administration Features
| Parameter | Description | Default | Notes |
|---|---|---|---|
| squashtm.feature.file.repository | Activates/deactivates attachment outsourcing | false | true or false. Read the documentation before activating. |
| squashtm.stack.trace.control.panel.visible | Shows/hides the configuration of stack trace display | false | true or false. If true, the configuration panel to activate/deactivate error details is visible in the 'System settings' page. |
| squash.control.deletion.threshold | Sets the number of items from which confirmation of deletion is reinforced | 0 | since Squash TM 11.0.0. 0 disables the feature. |
Reports
| Parameter | Description | Default | Notes |
|---|---|---|---|
| report.criteria.project.multiselect | Enables/disables multiple selections in project pickers | false | - |
Connection to Bugtrackers
| Parameter | Description | Default | Notes |
|---|---|---|---|
| squashtm.bugtracker.timeout | Sets the timeout for server attempts to reach a bugtracker | 15 (seconds) | - |
| squash.bugtracker.cache-update-delay | Sets the delay between bugtracker connector cache updates | 86400 (seconds) | since Squash TM 7.3.0 |
| squash.bugtracker.cache-update-cron | Sets a cron expression for the cache update of the bugtracker connectors. If defined, it overrides the delay. | - | since Squash TM 9.0.0. Example: 0 0 0 * * * updates the cache every day at midnight. For more information about Spring cron expressions, see the Spring CronExpression documentation. |
| squash.bugtracker.cache-worker-pool-size | Sets the number of workers used to update the cache of the bugtracker connectors | 5 | since Squash TM 9.0.0 |
| squash.bugtracker.max-results-per-search | Sets the maximum number of results returned for autocomplete searches on issues | 50 (results) | since Squash TM 9.0.0. The maximum value is 100 and the minimum value is 5. It is recommended to lower the value if the GitLab projects used contain a large number of issues. |
Bugzilla
| Parameter | Description | Default | Notes |
|---|---|---|---|
| plugin.bugtracker.bugzilla.cache.enable | Enables/disables the Bugzilla fields cache feature | false | true or false. Use this feature if retrieving fields takes a long time. If true, all fields of Bugzilla servers are cached in memory once retrieved. |
| plugin.bugtracker.bugzilla.cache-at-start.bugtracker-urls | Defines the URLs of the bugtrackers whose fields cache should be initialized when SquashTM starts | - | Use a comma-separated list |
| plugin.bugtracker.bugzilla.cache-refresh.cron-expression | Sets the cron expression defining when to refresh the Bugzilla fields cache | - | For more information about Spring cron expressions, see the Spring CronExpression documentation. |
Excel import
| Parameter | Description | Default | Notes |
|---|---|---|---|
| squash.xls-imports.max-concurrent-imports | Defines the maximum number of concurrent imports | - | since Squash TM 7.4.0. SquashTM will refuse to perform an Excel import if this limit is reached. This limit is used to avoid overloading SquashTM; its value depends on the CPU and RAM of the server. No value means no limit, which is the default configuration. |
| squash.xls-imports.max-test-cases-per-import | Defines the maximum number of test cases in an import file | - | since Squash TM 7.4.0. SquashTM will refuse to perform an Excel import if this limit is reached. This limit is used to avoid overloading SquashTM; its value depends on the CPU and RAM of the server. No value means no limit, which is the default configuration. |
| squash.xls-imports.max-test-steps-per-import | Defines the maximum number of test steps in an import file | - | since Squash TM 7.4.0. SquashTM will refuse to perform an Excel import if this limit is reached. This limit is used to avoid overloading SquashTM; its value depends on the CPU and RAM of the server. No value means no limit, which is the default configuration. |
| squash.xls-imports.max-requirements-per-import | Defines the maximum number of requirements in an import file | - | since Squash TM 8.0.0. SquashTM will refuse to perform an Excel import if this limit is reached. This limit is used to avoid overloading SquashTM; its value depends on the CPU and RAM of the server. No value means no limit, which is the default configuration. |
Project Import
Currently, only Xray project import is available.
| Parameter | Description | Default | Notes |
|---|---|---|---|
| squash.project-imports.delay | Sets the delay between two import processes | 3600 (seconds) | since Squash TM 8.0.0 |
Jira and GitLab Synchronizations
| Parameter | Description | Default | Notes |
|---|---|---|---|
| squash.external.synchronisation.enabled | Enables/disables scheduled processing of all synchronizations | true | since Squash TM 7.0.0. true or false |
| squash.external.synchronisation.delay | Sets the delay between two synchronizations | 300 (seconds) | - |
| squash.external.synchronisation.max-items-per-sync | Sets the maximum number of items in scope when creating a new synchronization | - | since Squash TM 8.0.0 |
squash.external.synchronisation.enabled enables or disables the scheduled process for all synchronizations.
This property does not affect the activated attribute of the individual synchronizations.
Switching this property to false can be useful in situations such as:
- You do not use synchronizations;
- The instance is a pre-production SquashTM holding a copy of the production database, and the synchronizations recorded in that database must not run on this instance, so as not to pollute your Jira/GitLab tickets;
- You use another SquashTM instance to handle synchronizations.
squash.external.synchronisation.delay defines the delay between two updates, expressed in seconds. If this property is missing or incorrect, the default delay is set to five minutes (300 seconds) and a warning occurs in the SquashTM logs when the application starts. The shorter the delay is, the more resources SquashTM consumes. For most common uses, a delay between 5 and 15 minutes is enough.
Jira
| Parameter | Description | Default | Notes |
|---|---|---|---|
| plugin.synchronisation.jira.batchSize | Sets the batch size for Jira REST API requests | 50 | - |
The Xsquash4Jira plugin has a property, plugin.synchronisation.jira.batchSize, defining the size of the batches used to update information from Jira.
The default value is 50, which must be less than or equal to the value of jira.search.views.default.max defined in the jira-config.properties file. That default works with Jira Data Center and Jira Cloud, provided no configuration changes have been made to the Jira instance.
GitLab
| Parameter | Description | Default | Notes |
|---|---|---|---|
| plugin.synchronisation.gitlab.webhook.secret-token | Defines the optional token used to validate GitLab webhooks | - | See more details here. |
| plugin.synchronisation.gitlab.webhook.show-secret-token | Shows/hides the secret token on the plugin administration screen | true | true or false. See more details here. |
TM-TA
| Parameter | Description | Default | Notes |
|---|---|---|---|
| tm.test.automation.pollinterval.millis | Sets the polling interval for test automation | 3000 (milliseconds) | - |
LDAP and Active Directory
See this page for more information.
Single LDAP
Use these settings to configure authentication with a single LDAP server.
| Parameter | Description | Default | Notes |
|---|---|---|---|
| authentication.provider | Defines the authentication provider | - | ldap, or ldap,internal for multi-source (internal means that users can also use their local SquashTM account) |
| authentication.ldap.server.url | Defines the LDAP server URL | - | For example: ldap://localhost:389 |
| authentication.ldap.server.managerDn | Defines the manager user DN (if anonymous access is not allowed) | - | For example: CN=admin,CN=Users,DC=example,DC=com |
| authentication.ldap.server.managerPassword | Defines the manager password (if anonymous access is not allowed) | - | For example: something |
| authentication.ldap.user.searchBase | Defines the search base DN | - | For example: DC=example,DC=com |
| authentication.ldap.user.searchFilter | Defines the search filter | - | For example: (uid={0}) |
| authentication.ldap.user.fetchAttributes | Defines whether to fetch user attributes | true | true or false |
| authentication.ldap.user.dnPatterns | Defines base DN patterns for user lookup | - | For example: uid={0},ou=people |
Multi-LDAP
Use these settings to configure authentication with multiple LDAP servers.
| Parameter | Description | Default | Notes |
|---|---|---|---|
| authentication.provider | Defines the authentication provider | - | ldap-multi, or ldap-multi,internal for multi-source (internal means that users can also use their local SquashTM account) |
| authentication.ldap.multi.root.names | Defines the names of the multiple LDAP servers | - | For example: ldap1,ldap2 |
For each LDAP server (e.g., ldap1, ldap2), use the following properties, prefixed with the server name:
| Parameter | Description | Default | Notes |
|---|---|---|---|
| [name].authentication.ldap.server.url | Defines the LDAP server URL | - | For example: ldap://localhost:389 |
| [name].authentication.ldap.server.managerDn | Defines the manager user DN (if anonymous access is not allowed) | - | For example: CN=admin,CN=Users,DC=example,DC=com |
| [name].authentication.ldap.server.managerPassword | Defines the manager password (if anonymous access is not allowed) | - | For example: something |
| [name].authentication.ldap.user.searchBase | Defines the search base DN | - | For example: DC=example,DC=com |
| [name].authentication.ldap.user.searchFilter | Defines the search filter | - | For example: (uid={0}) |
| [name].authentication.ldap.user.fetchAttributes | Defines whether to fetch user attributes | - | For example: false |
| [name].authentication.ldap.user.dnPatterns | Defines base DN patterns for user lookup | - | For example: uid={0},ou=people |
Single Active Directory
Use these settings to configure authentication with a single Active Directory server.
| Parameter | Description | Default | Notes |
|---|---|---|---|
| authentication.provider | Defines the authentication provider | - | ad.ldap, or ad.ldap,internal for multi-source (internal means that users can also use their local SquashTM account) |
| authentication.ad.server.url | Defines the AD server URL | - | For example: ldap://localhost:389 |
| authentication.ad.server.domain | Defines the AD server domain | - | For example: ad.squashtest.org |
| authentication.ad.server.managerDn | Defines the manager user DN | - | For example: admin |
| authentication.ad.server.managerPassword | Defines the manager password | - | For example: something |
| authentication.ad.user.searchBase | Defines the search base | - | - |
| authentication.ad.user.searchFilter | Defines the search filter | - | For example: (&(objectClass=user)(userPrincipalName={0})) |
Multi-Active Directory
Use these settings to configure authentication with multiple Active Directory servers.
| Parameter | Description | Default | Notes |
|---|---|---|---|
| authentication.provider | Defines the authentication provider | - | ad.ldap-multi, or ad.ldap-multi,internal for multi-source (internal means that users can also use their local SquashTM account) |
| authentication.ad.multi.root.names | Defines the names of the multiple AD servers | - | For example: ad1,ad2 |
For each AD server (e.g., ad1, ad2), use the following properties, prefixed with the server name:
| Parameter | Description | Default | Notes |
|---|---|---|---|
| [name].authentication.ad.server.url | Defines the AD server URL | - | For example: ldap://localhost:389 |
| [name].authentication.ad.server.domain | Defines the AD server domain | - | For example: ad.squashtest.org |
| [name].authentication.ad.server.managerDn | Defines the manager user DN | - | For example: admin |
| [name].authentication.ad.server.managerPassword | Defines the manager password | - | For example: something |
| [name].authentication.ad.user.searchBase | Defines the search base | - | - |
| [name].authentication.ad.user.searchFilter | Defines the search filter | - | For example: (&(objectClass=user)(userPrincipalName={0})) |
SAML
See this page for more information.
| Property | Description | Default | Notes |
|---|---|---|---|
| Main configuration | | | |
| saml.enabled | Enables/disables SAML | false | true or false |
| authentication.provider | Defines the authentication provider | - | saml, or saml,internal for multi-source (internal means that users can also use their local SquashTM account) |
| saml.idp.metadata-url | Defines the URL or path where the IdP metadata can be found | - | Allowed formats: file://absolute/path/to/file (fetches a file locally by its absolute path); http:// or https://metadata.remote-host/path/to/file (remote download of the metadata via HTTP(S)); relative/path/to/file (a path relative to the configuration directory of SquashTM, e.g. saml/idp.xml) |
| saml.sp.registration-id | Unique identifier used to register your service provider (SP) in the plugin's SAML configuration | - | For example: google |
| saml.sp.entity-id | SquashTM instance unique identifier. This value must be unique within your authentication ecosystem and will be communicated to the identity provider (IdP) | - | For example: urn:squash-tm:saml or https://squash-tm.your-organization.com/saml |
| saml.sp.metadata.private-key | Private key in PKCS8 format used by the service provider (SP) to sign requests and decrypt messages | - | PKCS8 format required |
| saml.sp.metadata.certificate | Service provider (SP) X.509 certificate used for signature validation and encryption | - | - |
| Entry point | | | |
| squash.security.preferred-auth-url | Sets the SAML authentication entry point as the main entry point | /auth/saml/login/{registration-id} | Unauthenticated users will be automatically redirected to the SAML entry point instead of the regular login form. |
| SSO options | | | |
| saml.sso.force-authN | Enables/disables forced reauthentication | false | true or false. If enabled, the user will have to reauthenticate with the IdP every time they want to authenticate with SquashTM. This effectively disables the SSO mechanism. |
| saml.sso.provider-name | Defines a human-readable name that will be included in messages sent to the IdP, useful for logging purposes | empty | - |
| saml.sso.binding | Defines which binding SquashTM uses to initiate SSO with the IdP | First binding method listed in the <SingleSignOnService/> clause of the IdP metadata | For more information, see this document. For example: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect |
| saml.sso.assertion-consumer-index | Requires the IdP to send its responses to the given consumer service | The default consumer service in the SP metadata | A non-negative integer or blank. The list of available consumer services can be found in the <AssertionConsumerService/> clauses of the SP metadata. |
| saml.sso.nameID | Requires the IdP to return the principal with a given NameIDFormat, which is essentially the username of the user in SquashTM | If blank, the IdP will pick one among those listed in the SP metadata | For example: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, urn:oasis:names:tc:SAML:2.0:nameid-format:transient |
| saml.sso.allow-create | Notifies the IdP that creating a new user is permitted when unknown | false | true or false |
| saml.sso.passive | If enabled, SquashTM will inform the IdP that it does not consider user interaction necessary for authentication | - | true or false |
| saml.sso.include-scoping | If enabled, SquashTM will add additional scoping constraints when a user authenticates | false | true or false |
| saml.sso.allowed-idps | Defines, in a multi-layered IdP architecture, which IdPs are allowed to process an authentication request | - | A comma-separated list of IdPs. Note: scoping must be enabled. |
| saml.sso.proxy-count | Defines the maximum number of proxy hops allowed for authentication messages | 2 | A non-negative integer. In this context a proxy is an IdP within a chain of IdPs, each of which can delegate to the next. A value of 0 forbids the use of proxies: the IdP that receives the authentication request cannot delegate and must authenticate the user itself. Note: scoping must be enabled. |
| saml.sso.authn-contexts | Defines the authentication contexts that should be honored by the IdP when it authenticates the user | (blank, i.e. no specific requirements) | A comma-separated list. Useful when the default IdP authentication challenge is not deemed strong enough and SquashTM asks for guarantees of a more stringent process. For example: urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI, urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract. Note: scoping must be enabled. For more information, see this document. |
| saml.sso.authn-context-comparison | Instructs the IdP on how it should process the credentials presented by the user during authentication | exact | exact, minimum, maximum, or better. Note: scoping must be enabled. For more information, see this document. |
| saml.sso.relay-state | Defines an arbitrary token to be sent back and forth to the IdP | (blank) | Part of the SAML specification, but SquashTM has no use case for it. |
| SP metadata options | | | |
| name-id-format | Defines the format of the NameID used to identify the user in the SAML authentication request | (blank) | since Squash TM 10.1.0. For example: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, urn:oasis:names:tc:SAML:2.0:nameid-format:transient |
| authn-requests-signed | Indicates whether SAML authentication requests sent by the SP should be signed | false | true or false |
| single-logout-service-binding | Defines the type of binding (transport protocol) used by the SP to communicate with the IdP's Single Logout Service | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST or urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect |
| saml.sp.metadata.trusted-keys | Defines which keys should be considered as trust anchors for PKIX verification of the SP metadata file | all | all (all keys in the keystore will be trusted), blank (equivalent to all), none (none of the keys in the keystore will be trusted), or a comma-separated list of keys (the keys must exist in the keystore). |
| SP session options | | | |
| saml.session.max-assertion-time | Defines the validity interval of an authentication assertion during the SSO process | 3000 (seconds) | If the process has not completed by that time, it has failed and SSO must be reinitiated from scratch. Note that the default value is large enough for most situations. |
| saml.session.max-auth-time | Defines the validity interval of an IdP authentication | 864000 (seconds, i.e. 10 days) | On expiration, SquashTM will consider that the user must re-authenticate with the IdP. |
| saml.session.clock-skew | Sets in seconds the maximum tolerance accepted for clock offsets between the service provider (SP) and the identity provider (IdP) | 300 (seconds) | Beyond this tolerance, SquashTM will consider SAML assertions as expired, even if only a slight clock gap remains between the systems. |
| Reverse proxy / load balancer options | | | |
| saml.proxy.enabled | Enables/disables reverse proxy support | false | true or false |
| saml.proxy.server-name | Declares the hostname of the reverse proxy | - | This must be defined if proxy support is enabled, since it has no default value. |
| saml.proxy.scheme | Declares the scheme used by the reverse proxy for outbound communications | https | http or https |
| saml.proxy.server-port | Declares the port used by the reverse proxy for outbound communications | 443 | A valid port number |
| saml.proxy.context-path | Declares the context path of the application as served by the reverse proxy | /squash | A context path, starting with a forward slash / |
| saml.proxy.include-port-in-url | Indicates whether the port number should be explicitly included in the request URL | true | true or false |
| Assertion extra attributes | The assertion returned by the IdP may contain extra attributes about the user account that you may wish to use in SquashTM. The following properties allow you to map some of those attributes to the SquashTM user account. Their default value is null (no mapping defined for that attribute). This is different from a blank value, i.e. if you do not need them, keep them commented out. | | |
| saml.user-mapping.alternate-username | Defines an extra attribute value as the username in SquashTM (instead of the nominal NameID) | - | A property name |
| saml.user-mapping.first-name | Defines an extra attribute value as the first name of a user account in SquashTM | - | A property name |
| saml.user-mapping.last-name | Defines an extra attribute value as the last name of a user account in SquashTM | - | A property name |
| saml.user-mapping.email | Defines an extra attribute value as the email of a user account in SquashTM | - | A property name |
OpenID Connect
See this page for more information.
<idp-name> should be replaced with the lowercase name of the IdP.
| Parameter | Description | Default | Notes |
|---|---|---|---|
| Main configuration | | | |
| oidc.access.whitelist | Restricts access based on the user's email domain | - | A comma-separated list of domains. By default, access to SquashTM and restriction of users is to be configured directly in the IdP. This property handles restriction of access on SquashTM's side in case the IdP does not offer that possibility. It verifies that the connecting user's e-mail domain matches one or more of the domain values indicated via this property. If this property is left blank, no restrictions will be applied. For example: @company-name.com,@domain.fr |
| squash.security.preferred-auth-url | Sets the main entry point for unauthenticated user requests | /login (i.e. the login page for form-based basic authentication) | This property handles SquashTM's behavior for unauthenticated user requests. It defines the URL to which the user will be redirected for login, in other words the main entry point. If the value matches the pattern /oidc/authorization/<idp-name>, the login will be redirected to the specified IdP's login page, or users will be logged in directly if they are already connected to their IdP. Note: this is a generic SquashTM property and is not exclusive to OpenID Connect. |
| IdP provider options | The options below allow you to declare a new custom IdP to use with SquashTM. For some providers (Google, Facebook, GitHub, Okta…), some of these properties are pre-configured and can be omitted. The OpenID Connect configuration values for an IdP are often accessible from the provider's well-known configuration endpoint: <issuer-uri>/.well-known/openid-configuration | | |
| spring.security.oauth2.client.provider.<idp-name>.user-name-attribute | Specifies which attribute to use as the username in SquashTM | - | - |
| spring.security.oauth2.client.provider.<idp-name>.issuer-uri | Specifies the issuer identifier URL | - | - |
| spring.security.oauth2.client.provider.<idp-name>.authorization-uri | Specifies the IdP endpoint to start the authorization request | - | - |
| spring.security.oauth2.client.provider.<idp-name>.token-uri | Specifies the endpoint for retrieving access tokens | - | - |
| spring.security.oauth2.client.provider.<idp-name>.user-info-uri | Specifies the endpoint for retrieving user data | - | - |
| spring.security.oauth2.client.provider.<idp-name>.jwk-set-uri | Specifies the URI from which the authorization provider's public key is retrieved | - | This is used to verify JWT tokens |
| IdP client options | | | |
| spring.security.oauth2.client.registration.<idp-name>.client-id | Specifies the OAuth2 client identifier | - | Provided by the IdP when registering your SquashTM instance. |
| spring.security.oauth2.client.registration.<idp-name>.client-secret | Specifies the OAuth2 client secret | - | Provided by the IdP when registering your SquashTM instance. |
| spring.security.oauth2.client.registration.<idp-name>.authorization-grant-type | Specifies the OAuth2 grant type | - | SquashTM supports authorization_code. |
| spring.security.oauth2.client.registration.<idp-name>.redirect-uri | Specifies the URL to which the authentication response will be sent | - | Must match the /oidc/code/* pattern. This is the redirect URI configured in the IdP. |
| spring.security.oauth2.client.registration.<idp-name>.scope | Defines the information the IdP will provide about the user | - | The available scopes can vary from one IdP to another. OpenID Connect requires the openid scope, but additional scopes can be specified. |
| spring.security.oauth2.client.registration.<idp-name>.client-name | Specifies the name of the IdP client | - | - |
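As an added example that is not part of the OpenID Connect plugin, the function below implements the domain check described for oidc.access.whitelist under the semantics assumed here (the plugin's exact matching rules are not stated on this page): the domain after the last '@' of the user's e-mail must equal one listed entry, compared case-insensitively. The inputs are constructed; the example shows why the leading '@' in the documented format matters, since a bare suffix comparison would also accept look-alike domains and sub-domains.

```shell
#!/bin/sh
# Added example, not part of SquashTM: reference check for oidc.access.whitelist with
# the semantics assumed above (exact, case-insensitive domain match). An empty
# whitelist applies no restriction, as the table states.

# email_domain_allowed EMAIL WHITELIST: 0 if EMAIL's domain is listed, 1 otherwise.
email_domain_allowed() {
  email=$1
  whitelist=$2
  [ -n "$whitelist" ] || return 0
  case "$email" in
    *@*) ;;
    *) return 1 ;;            # no '@' at all: not an e-mail address
  esac
  domain=$(printf '%s' "${email##*@}" | tr '[:upper:]' '[:lower:]')
  [ -n "$domain" ] || return 1
  old_ifs=$IFS; IFS=','
  for entry in $whitelist; do
    # Tolerate spaces around entries and a missing leading '@'.
    entry=$(printf '%s' "$entry" | tr -d ' ' | tr '[:upper:]' '[:lower:]')
    entry=${entry#@}
    if [ "$entry" = "$domain" ]; then IFS=$old_ifs; return 0; fi
  done
  IFS=$old_ifs
  return 1
}

# naive_suffix_allowed EMAIL WHITELIST: the weaker check the '@' prefix guards against,
# kept here only to show the difference (constructed for this example).
naive_suffix_allowed() {
  email=$1
  old_ifs=$IFS; IFS=','
  for entry in $2; do
    entry=${entry#@}
    case "$email" in
      *"$entry") IFS=$old_ifs; return 0 ;;
    esac
  done
  IFS=$old_ifs
  return 1
}

# Stand-alone run with the page's example list and constructed addresses.
WL='@company-name.com,@domain.fr'
for addr in alice@company-name.com Bob@DOMAIN.FR user@notcompany-name.com user@sub.company-name.com; do
  if email_domain_allowed "$addr" "$WL"; then exact=allowed; else exact=denied; fi
  if naive_suffix_allowed "$addr" "$WL"; then naive=allowed; else naive=denied; fi
  echo "$addr: exact match $exact, bare suffix match $naive"
done
```

The stand-alone run prints user@notcompany-name.com as denied by the exact check but allowed by the bare suffix check, which is the gap the '@'-prefixed format closes.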