9.1.0

• Home

Table of Contents

• System Admin Guide
  • Alarms
    • Overview
      • Terminology
      • The Alarm Object
      • Sliding Window Alarms
      • Managing Alarms
      • Notifications
      • Clusters
    • Alarm Types
      • Expiry
      • Failed Authentication
      • Failed Communication
      • Failed Connection
      • Slow Connection
    • Alarm Handlers
      • Email Notifier
      • Webhook Notifier
      • Slack Notifier
      • PagerDuty Notifier
    • Testing Alarms
      • Testing Alarms using the Web UI
      • Testing Alarms using the CLI
      • Verifying the alarm
  • Attribute Transformers
    • Regex Transformer
      • Regex transformation examples
    • Data Source Transformer
      • Data Source Transformation example
    • Script Transformer
  • Audit
    • Configuration
      • Logger
      • File Appender
      • Database Appender
      • Batching Log Messages for performance
    • Audit Data
      • Mandatory
      • Optional
    • Audit Events
      • profile-added
      • token-introspected
      • refresh-token-issued
      • refresh-token-revoked
      • access-token-issued
      • access-token-revoked
      • id-token-issued
      • initial-dcr-access-token-issued
      • initial-dcr-access-token-consumed
      • initial-dcr-access-token-revoked
      • dcr-client-registered
      • user-info
      • authorization-code-issued
      • authorization-code-consumed
      • delegation-issued
      • delegation-revoked
      • account-created
      • accounts-linked
      • account-activated
      • scim-account-updated
      • scim-account-created
      • scim-account-deleted
      • access-token-authentication
      • client-authentication-success
      • client-authentication-failure
      • cat-verification-failed
      • logout
      • user-authentication-success
      • user-sso-authentication-success
      • sso-session-created
      • bc-authentication-start
      • bc-authentication-success
      • bc-authentication-failure
  • Authorization Managers
    • Groups Authorization Manager
      • Group Rules
    • Scope Authorization Manager
      • Policies, Actions and Rules
      • Configuration
      • Use with OpenID Connect User Info
    • Attribute Authorization Manager
      • Configuration
      • Limitations
      • Examples
  • Credential Managers
    • User Account Credentials
    • Credential Policies
      • Data source requirements
  • Cryptography
    • Configuring certificates
    • Configuring private keystores
      • Using an action to add a keystore
      • Preparing the keystore for embedding in an XML configuration document
    • Converting KeyStores (keystore-entry) into correct PKCS12 format
      • Usage of the convertks script
    • Working with PKCS1 private keys
    • Hardware Security Module
      • Entering a PIN
      • Configuring the HSM
      • Debugging the PKCS#11 Provider
    • EdDSA support
  • Data Sources
    • Overview
      • Configuration Strategy
      • Data Source Usage
    • JDBC
      • Table management
      • Database maintenance
      • Quoted identifiers
      • Configuration
      • Clustering
      • Connection Pool Metrics
      • Credential Data Access
      • MySQL and MariaDB
      • Microsoft SQL Server
      • PostgreSQL and CockroachDB
      • Oracle
      • HsqlDB
    • LDAP
      • LDAP for Account and Credential Data Access
      • LDAP for Attribute Data Access
      • Use-case for configuring an LDAP backend for HTML Forms authenticator
      • Connection Pool
    • SCIM
      • SCIM 1.1
      • SCIM 2.0
    • JSON / REST Data Source
      • Configuration
    • DynamoDB
      • Table management
      • Database maintenance
      • User Management Service
      • Credential Data Access
      • Configuration
    • Multi-zone
      • Configuration
  • Deployment
    • Cluster
      • Two Node Setup
      • Standalone Admin Setup
      • Asymmetric Setup
    • Scalability
    • Creating a Cluster
      • Preparing Configuration
      • Setup Nodes
      • Service Role
      • Viewing Connected Nodes
      • Cluster Lifecycle
    • Deploying with Docker
      • Building a Docker Container
      • Running with docker-compose
    • Multi-region Deployments
      • Authorization flows - Front-channel
      • Authorization flows - Back-channel
      • Data sources
  • Email Providers
    • SMTP Email Provider
      • DomainKeys Identified Mail
    • Configure Email Provider for a Service
  • Http Clients
    • Introduction
    • HTTP Client Configuration
      • Scheme
      • Connection Pool
      • Caching
      • Authentication
      • TLS (encryption)
      • Proxies
    • Metrics
  • Logging
    • Log Levels
    • Configuration Overview
    • Appenders
      • Standard Out
      • Cluster Log
      • Request Log
      • Audit Log
      • Metrics
    • Loggers
    • Logging Incorrect Cookies
    • Masking
    • Shipping Logs
    • Log4j Scripting Languages
    • Files Not Configurable by Log4j
      • Configuration Service Logs
  • Monitoring
    • JMX
    • Tracing
    • Zulu Flight Recorder
      • Starting a Recording Manually
      • Starting a Recording from the Command Line
      • Starting a Recording on Startup
    • Status Endpoint
      • Command line tool
    • Prometheus-compliant Metrics
      • Common Alerts
      • Configuration
  • Scripting
    • Introduction to scripts
      • Procedures during authentication
      • Procedures during token issuance and processing
    • Configuring Scripts
      • Script Types
      • Preparations
      • Configuring using etc/init
      • Writing Scripts
  • Server Events
    • Event Listener Types
      • Script EventListeners
      • EventListener Plugins
    • Types of Events
  • SMS Providers
    • Twilio Sms Provider
    • REST Sms Provider
  • Transport Layer Security
    • Server Name Indication
  • Upgrading
    • Upgrading from 7.0.X to 7.1.0
      • HAAPI DPoP improved processing
      • Template and message updates
    • Upgrading from 7.1.X to 7.2.0
      • SDK Changes
      • Logging Changes
    • Upgrading from 7.2.X to 7.3.0
      • Authentication Action Attributes
    • Upgrading from 7.3.X to 7.4.0
      • Email templates in Authentication Actions
      • Startup script changes
      • User Management with GraphQL
      • DynamoDB schema changes
    • Upgrading from 7.4.X to 7.5.0
      • HTTP Client Default Timeouts
    • Upgrading from 7.5.X to 7.6.0
      • Systemd config file update
      • New SAML Authenticator
    • Upgrading from 7.6.X to 8.0.0
      • Upgrading the XML Configuration
      • Authorization custom token procedures update
      • DynamoDB schema changes
      • WebAuthn authenticator
      • HAAPI capability and use of legacy DPOP
      • Microsoft SQL Server JDBC driver
      • Changes to HAAPI responses
      • Password-based PBES2 JWE algorithms
      • Windows Connector Failover Update
    • Upgrading from 8.0.X to 8.1.0
      • Database Changes
      • Custom Token Issuers
      • Email Authenticator
    • Upgrading from 8.1.X to 8.2.0
      • User consent template
      • SDK Changes
      • Token Procedure Plugin Configuration
      • Claims
    • Upgrading from 8.2.X to 8.3.0
    • Upgrading from 8.3.X to 8.4.0
      • SDK
      • Database Changes
      • Deprecation notice
      • Logging Incorrect Cookies
    • Upgrading from 8.4.X to 8.5.0
      • Template Changes
      • Deprecation notice
    • Upgrading from 8.5.X to 8.6.0
      • Deprecation notice
    • Upgrading from 8.6.X to 8.7.0
      • Hypermedia API external browser flow
      • HAAPI authorization code and refresh token binding
    • Upgrading from 8.7.X to 9.0.0
      • JDBC data source - database schema changes
      • User management
      • Service name
      • Attribute Authorization Manager
      • Updates on Docker images
      • SDK changes
      • Events and audit data
      • Token Issuers Data Sources
      • Custom Claims
      • Database client change
      • HTML Forms authenticator
      • Logging Incorrect Cookies
      • SAML Authenticator removal
    • Upgrading from 9.0.X to 9.1.0
      • JDBC data source
      • HTML Forms authenticator
      • SDK changes
    • General Upgrade Procedure
      • Preparing the upgrade
      • Performing the upgrade
      • After the Upgrade
  • DevOps Dashboard
    • Enabling the DevOps Dashboard
    • Requirements of an OAuth Client
    • Group Access
    • Availability
  • System Requirements
    • Operating Systems
    • Minimum Hardware Requirements
    • Recommended Hardware Setup
    • Hypermedia Authentication API
    • Browsers
    • Database
    • User Repositories
    • Networking
    • Hardware Security Module
    • File Encoding
    • HTTP
    • TLS
  • JVM Configuration
    • Changing JVM Settings in the Admin UI
    • Changing the JVM Settings with the CLI
  • Go-live Checklist
    • General System
    • Related Systems
    • All Profile Types
    • Authentication
    • Token Service
    • User Management
    • Configuration
    • Clustering
  • CORS
  • Cross Site Requests
• Authentication Service Admin Guide
  • Overview
    • Authenticators
    • Actions
    • Single Sign-On (SSO)
    • Logout
    • Account Domains
    • Validation Procedures
    • Authenticator Filters
    • Service Providers
    • Protocol Plugins
    • Automatic login
  • Defining an Authentication Service Profile
    • Preparing the Authentication Service Profile
      • Pre-requisite configuration
    • Base Configuration of an Authentication Service Profile
      • Example Create request
  • Authenticators
    • Overview of Authenticators
      • Authenticator purpose
      • Authenticator Base Configuration
      • Multi-factor configuration for Authentication
      • Back-channel Authenticators
    • BankID
      • Integrating with BankID
      • Kinds of BankIDs
      • Trusted BankID Provider
      • Authentication flows
      • Configuration settings
      • BankID Version 6 API
      • BankID on the Phone
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
      • Launch behavior
      • Change specific browser behavior
      • Disable autostart
      • Debugging the templates
    • Duo
      • Configuration Settings
      • Creating a New Authenticator
      • Logging In
    • Dynamic Authenticator
      • Configuration
      • Delegate Authenticator
      • Dynamic Configuration Source
      • Configuration Example
      • Example Use-case
    • Email
      • Base Configuration
      • Using as standalone factor (single factor)
      • Using as second or N-th factor
      • Using an Intermediate Attribute
      • Hyperlink
      • Inactive Accounts
      • Configuration
    • Encap
      • Basic Configuration
      • Registration During Login
      • Additional Information Before Registration
      • Automatic Login
    • Entrust IDaaS
      • Creating an App in Entrust
      • Creating a new Authenticator
    • Facebook Authenticator
      • Configuring Facebook
      • The Redirect URI
      • The Data Deletion Request Callback URL
      • Configuration in the Authentication Service
    • Google Authenticator
      • Configuring Google
      • The Redirect URI
      • Configuration in the Authentication Service
    • HTML Forms Authenticator
      • Paths
      • Validation Scripts
      • Email Provider
      • Automatic Login
      • Password Only
      • Remember Me
      • Binding Message
      • Configuration
    • OpenID Connect Authenticator
      • The Redirect URI
      • JWKS Endpoint
      • Configuration
    • OpenID Wallet
      • Configuring OpenID Wallet Authenticator
      • Anonymous JWKS Endpoint
      • Further Reading
    • Passkeys
      • Configuring a Passkeys authenticator
      • Registering devices
      • Hypermedia Authentication API
      • iOS Domain Association
      • Android Domain Association
      • Known limitations
    • PingFederate IdP Adapter Authenticator
      • Authentication Flow
      • Configuration
    • PingFederate
    • SAML2
      • Paths
      • Validation Scripts
      • Configuration
      • SAML2 dynamic authenticator
      • Known limitations
    • Sign in with Apple
      • Configuring a Sign in with Apple Service
      • Setting up the authenticator
    • SITHS
      • Configuring an Authenticator
    • SMS OTP
      • Base Configuration
      • Using as standalone factor (Single factor)
      • Using as second or N-th factor
      • Using an Intermediate Attribute
      • SMS OTP in OTP mode
      • SMS OTP in Hyperlink mode
      • Registration
      • Automatic Login
      • Configuration
    • TOTP - Time base One Time Password
      • Configuring an Authenticator
      • Configuring for pre-shared keys
      • Configuring for generated keys
      • Automatic Login
    • Twitter
      • Creating an App in Twitter
      • Configuring the Twitter Authenticator
    • Username
      • Configuration
      • Source Code
    • WebAuthn
      • Device Types
      • Configuring a WebAuthn authenticator
      • Registering devices
      • User Interaction for platform devices
      • Hypermedia Authentication API
      • iOS Domain Association
      • Android Domain Association
      • Known limitations
    • Windows
      • Installing the Windows Connector
      • Configuring an Authenticator
      • Configuring the Windows Connector
      • Troubleshooting
  • Authentication Actions
    • Overview
      • Login Actions
      • SSO Actions
      • Actions and Action Completions
      • Action attributes
    • Attribute Prompt Action
      • Configuration
      • Localization
    • Auto Create Account
      • Creating accounts
      • Configuration
      • Default Values in the account
      • Errors
    • Auto Link Accounts
      • Overview
      • Configuration
      • Advanced
      • User Confirmation
    • Bundle Action
      • Configuration
    • Conditional Multi-Factor
      • Attribute Enable Condition
      • Attribute ACR Condition
      • Subject Condition
      • Client Property Condition
      • Subject Check
    • Copy Attribute
      • Configuration
    • Data Source Transformer Action
      • Transforming values using data source values
      • Include additional values from datasource
      • Configuration
    • Date/Time Deny Action
    • Debug Attribute Action
    • Deny Action
      • Configuration
    • Geolocation Allow or Deny Country Action
      • Configuration
    • Geolocation Changed Country Action
      • Configuration
    • Geolocation Impossible Journey Action
      • Configuration
    • Geolocation New Country Action
      • Configuration
    • Lookup Account
    • Lookup Links Action
      • Overview
      • Configuration
    • Opt-In MFA
      • Registering a New Factor
      • Managing Factors
      • Recovery Codes
      • Single Sign-On of second factors
      • Configuration
    • Regular Expression Transformer Action
      • Transforming values using regular expressions
      • Excluding attributes
      • Renaming attributes
      • Configuration
    • Remove Attribute Transformer Action
      • Configuring attributes for removal
    • Request Acknowledgement
      • Localization
      • Configuration
    • Require Active Account
      • Configuration
    • Reset Password
      • Configuration
      • Example Usage
      • Errors
    • Resolve Account Link
      • Overview
      • Configuration
    • Restart Action
      • Configuration
    • Script Transformer Action
      • Transforming values using script procedures
      • Configuration
    • Selector
      • Configuration
    • Send Email Action
      • Configuration
      • Templates
    • Sequence Action
      • Configuration
    • Set Attribute
      • Configuration
    • Signup
      • Configuration
    • Switch Action
      • Conditions
      • Configuration
    • Time-based Deny Action
    • Update Account
      • Configuration
    • Zone Transfer
      • Configuration
      • Errors
  • Multi-Factor Authentication
    • Using a chain of authenticators
      • More than two factors
      • Single Sign-On and Multi-Factor
      • Freshness and Forced Authentication
      • Using the ACR Parameter
    • Using a Multi-Factor Authentication Action
  • Account Linking
    • Basic Concepts
      • Example of Linking with Facebook
      • Example of Linking with Facebook as Second authenticator
    • Resolving Links
    • Looking up Links
    • Common Linking Flows
      • Linking a foreign account and adding links to the result
      • Linking using the foreign authenticator and resolving immediately
      • Linking using the local authenticator, resolving on next login with foreign
      • Linking two foreign accounts using auto create account
      • Linking two foreign accounts using auto create & resolving on next login
  • Protocol Plugins
    • PingFederate
      • Configuring PingFederate
      • Adapter Configuration
      • Configuring the Authentication Service
    • SAML
      • SAML protocol
      • Configuring the Authentication Service
      • Service Provider (App) integration
      • Federation Server integration
      • SAML Logout
  • Account Manager
    • Registration - Create account
    • Username is Email
  • Service Providers
    • Introduction
    • Managing Service Providers in the Admin UI
    • Framable User Interface
      • Multiple values for ‘allowed-origins’
      • Origin URI pattern format
    • Original Query retry integration
      • Example
      • Example OAuth Client
    • Third Party Cookies
      • Steps to Integrate Preflighting
      • Advanced Preflight behaviour
      • Disabling the Preflight Resource
  • Authenticator Filters
    • User-Agent Authenticator Filter
    • CIDR Authenticator Filter
    • Script Authenticator Filter
    • Geolocation Authenticator Filter
  • Single Sign-On
    • Requirements for SSO
    • Session Duration
      • Session cookies vs Persisted Cookies
      • Database persisted session
      • Expiration
      • Example
    • Overriding SSO
      • Freshness
      • Forcing authentication
  • Automatic Login
    • Authenticator Availability
  • Logout
    • Endpoint
    • Redirect After Logout
      • Using configuration
      • Using query parameter
    • Configuration
  • Geolocation
    • Geolocation Database File
    • Geolocation Actions
      • Geolocation Allow or Deny Country Action
      • Geolocation Changed Country Action
      • Geolocation Impossible Journey Action
      • Geolocation New Country Action
    • Geolocation authenticator filter
    • Geolocation authenticator settings
• Token Service Admin Guide
  • Introduction to the Token Service
  • Defining an OAuth Profile
    • Preparing the OAuth Profile
      • OpenID Connect
      • Pre-requisite configuration
    • Base Configuration of an OAuth Profile
      • Example create request
  • OAuth Flows
    • Code
      • Proof Key for Code Exchange
    • Implicit
    • Client Credentials
    • Resource Owner Password Credentials
    • OpenID Connect Hybrid Flows
    • OpenID Connect CIBA Flow
      • Signed Authentication Request
    • Token Exchange
    • Assisted Token
    • Refresh
    • Revoke
    • Introspect
      • Introspect with application/jwt as accept header
    • Json Web Key Set (JWKS)
    • Device Authorization Flow
    • Assertion Flow
      • Token reuse
    • Logout Flow
  • Using the device flow
    • Configuration
    • Endpoints
      • Device Authorization
      • UserCode Verification
      • Token Endpoint
    • Token Procedures
    • Templates
  • Scopes and Claims
    • Adding a scope to the profile
    • Adding a scope to a client
    • Scope Lifetime
    • Required scopes
    • Prefix scopes
      • Customizing prefix scope templates and messages
    • Claims of a scope
    • Claims I/O
    • Claim configuration
      • Claim mappers
      • Claim value providers
      • Configuring a claim
  • Configuring OAuth User Authentication
  • OpenID Connect
    • Metadata
    • The “claims” request parameter
    • Issuing pseudonymous subject identifiers
      • Client settings
      • Profile settings
      • Sector Identifier for Dynamic Client Registration
  • OAuth Metadata
  • OpenID Connect Metadata
  • Dynamic Client Registration
    • Architectural Overview of Dynamic Client Registration
      • Deployments and Configurations
      • Initial Access Token
      • Registration
      • Registration Based on a Template Client
      • Registration Based on a Non-templatized Client
    • Enabling Dynamic Client Registration
    • Dynamic Client Registration Management (DCRM)
      • Client Certificates and DCRM
      • DCRM Management Clients
    • Dynamic Client Management With GraphQL
    • Dynamic Client Registration API
      • Templatized Dynamic Client Registration
      • Non-Templatized Dynamic Client Registration
    • Custom Client Properties
  • Database Client Management
    • Database Client VS DCR
    • Enabling Database Clients
    • Configuring a Data Source
    • Create a Database Client Endpoint
    • Authorization Access
    • Managing Database Clients in the DevOps Dashboard
    • Configuring Clients
    • Warnings
    • Database Client Limitations
  • OAuth Client Configuration
    • Client Capabilities
      • Hybrid Capabilities
    • User Authentication
    • Client Authentication
      • Client Secret
      • Client Assertion
      • Secondary authentication
    • Client Framability
      • Examples
    • Redirect URI validation
      • Validation policies
      • Using Validate Port on Loopback Interfaces and Allow Per Request Redirect URIs (deprecated)
  • Issuing OAuth and OpenId Connect Tokens
    • Default Token Issuers
    • Custom Token Issuers
    • More on Wrapped Opaque Tokens
    • Encrypted ID Tokens
  • OAuth Endpoint Reference
    • Anonymous
    • Authorize
    • Assisted Token
    • Introspect
    • Revoke
    • Token
    • User Info
    • Dynamic Client Registration
    • Database Client Management
    • Device Authorization
    • OpenID Connect Sessions
    • Backchannel Authentication
    • Verifiable Credentials
  • User Consent
    • Consenting to requested claims
      • Example
    • Asking for consent
      • Example user consent gathering
      • Example with prompt
    • Enabling user consent
    • The user consent template
      • Example claim localization
      • Showing prefix scopes
    • Consentors
  • Consentors
    • BankID
      • Integrating with BankID
      • Signing Consent Data
      • QR Code
      • Asking user for personal number
      • Signing cancellation
      • Configuration settings
      • BankID Consentor Response
      • Testing the Integration and Configuration
      • Persisting the BankID Responses
    • Profile configuration
    • Client configuration
    • Consentor selection
    • Consentor templates
    • Consentor result
  • Mutual TLS Authentication
    • TLS termination
    • Binding certificates to tokens
    • Trusted certificates
      • Trust by PKI
      • Trust by a pinned certificate
    • DN comparison
    • Subject Alternative Name
    • Configuring Mutual TLS
      • Proxy terminated Mutual TLS
      • Direct terminated Mutual TLS
      • Configuring trust
    • Reverse Proxy Server Setup
      • Generic Reverse Proxy Server Setup
      • Setting Up NGINX As a Reverse Proxy Server
      • Setting Up HAProxy As a Reverse Proxy Server
      • Setting Up Apache HTTPD 2.x As a Reverse Proxy
    • Non-Templatized Dynamic Client Registration using Mutual TLS
      • OrganizationIdentifier
      • Match only organizationIdentifier
  • OpenID Connect Issuer Discovery
  • Financial-grade Security
    • JWT Secured Authorization Request (JAR)
    • Pushed Authorization Requests
    • Request Object Handling
    • JWT Security Authorization Response Mode (JARM)
    • Encrypted ID Tokens
  • Session Management and Logout
    • Session Endpoint
    • Logout
      • Logout Notification
    • OpenId Connect specifications for Session Management and Logout
  • Token Procedure Plugins
    • Configuring and using Token Procedure Plugins
    • Developing Token Procedure Plugins
      • Using Custom Token Issuers
      • Using Custom Token Introspecters
  • Verifiable Credential Issuance
    • Pre-authorized Code Flow
      • Pre-authorized Code and User PIN Issuance
    • Rich Authorization Requests (RAR) support
    • Formats and data models
    • Endpoints
      • Token procedures
    • Credential Request Handling
      • Subject and issuer DID methods
      • Token Issuers
      • Authorization Requests
    • Configuration Model Summary
    • Configuration Example
• User Management Admin Guide
  • Overview
    • SCIM 2.0
      • Users
      • Devices
      • Delegations
      • External ID
      • Custom claims
    • GraphQL
      • Queries and Mutations
      • Introspection
      • Authorization
      • Custom Attributes
      • Data Sources
      • More Details
    • OAuth Protected
  • Defining a User Management Service Profile
    • Preparing the User Management Service
      • Pre-requisite configuration
    • Step by step guide to setup a User Management Service
      • 1. Add the profile
      • 2. Select OAuth Service
      • 3. Select User Account Data Source
      • 4. Select OAuth Delegations Data Source
      • 5. Setting up the endpoints
      • 6. Exposing the Endpoints on a Service (node)
      • 7. Commit the changes
    • Password validation
    • Username updates
• Developer Guide
  • Authentication Service
    • Authenticators
      • Authenticators
    • Endpoints
      • Authentication Endpoint
      • Registration Endpoint
      • Anonymous endpoint
      • Authenticators
  • OAuth Service
    • Web Clients
      • Assisted Token JavaScript API
    • CORS on the OAuth Server
      • Default CORS Enabled Endpoints
      • Endpoints that Can be CORS Enabled
  • Data Sources
    • Using SCIM v1.1 as Data Source
      • Client Authentication
      • Required SCIM operations
    • JSON Data Source
      • Credential verification
      • Attribute Provider
      • Bucket Access
      • Authentication
  • SMS REST Client
    • Sending a message
    • Response and Errors
    • Authentication
  • Email Provider Plugin
    • SMTP Plugin’s message contents rendering
  • Front-End Development
    • Introduction
    • Understanding the Templating System
      • The Template Override System
      • Overrides
      • Template Areas
      • Serving templates via the anonymous endpoint
      • Error templates
      • Common Template Variables
      • Authentication Service Template Variables
      • Never Remove CSP
    • Using the UI Builder
      • Setting up the environment
      • Running the previewer
      • Working with Velocity variables
      • Overriding templates
      • Working with template areas
      • Working with translations
      • Building
    • Customizing the Look and Feel
      • Creating Custom Themes in the Admin UI
      • How to create your custom theme in UI Builder
      • How to work with Sass
      • Themes
      • Using External Web Fonts
      • Compiling Assets
      • How to work with the settings file
    • Localizing Resources
      • About Locales
      • Using localized messages in templates
      • Message keys
      • Message lookup
      • Message Files Format
      • Using plugin-specific messages in re-usable templates
    • Secure Iframing
      • Pre-requisites
    • API Driven UI
  • Scripting Guide
    • Credential Transformation Procedures
      • Function
      • Examples
    • EventListener procedures
      • Configuring EventListener Procedures
      • Common API
      • EventListener functions
    • Filter procedures
      • Function
      • Common API
      • API
    • Global Scripts
      • Common API
      • Global Constants
    • Token procedures
      • Issuing tokens
      • Token Procedure Function Signature
      • Including Request Parameters Values
    • Token Procedure API
      • Context
    • Token Procedure Examples
      • Overview
      • Assisted Token Endpoint
      • Authorize Endpoint
      • Introspection Endpoint
      • Token Endpoint
      • UserInfo Endpoint
    • Transformation Procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Userinfo procedures
      • Common API
      • Claims
      • Common API
      • Function
      • Return Value
      • Examples
    • Validation procedures
      • Common API
      • Function
      • Return Value
      • Examples
    • Pre-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Post-Processing Procedures
      • Function
      • Return Value
      • Examples
    • Common Procedure API
      • Common Procedure Objects
      • Procedure Context object
      • Common Operations Examples
    • Developing Procedures
      • Logging
      • Exceptions
  • Plugins
    • Access to the Curity Release Repository
    • Plugin Installation
      • Classpath considerations
    • Basic structure of a plugin
      • SmsSender Plugin Example
    • Managed Objects
    • Plugin Services
      • Service Restrictions by Plugin Type
      • Service Restrictions in ManagedObject
    • Cross-site Plugin Handlers
    • Java Version
    • Server-Provided Dependencies
      • SLF4J Logging API
      • Bean Validation API
      • Hibernate Validator Engine
      • Kotlin Standard Library
    • Serialization
  • Hypermedia Authentication API
    • Introduction
    • Access control
      • Client attestation
      • Android client attestation configuration
      • iOS client attestation configuration
      • Browser (Web) client attestation configuration
      • Disabling attestation for testing purposes
      • Debugging Web CAT problems
    • Authorization code and refresh token binding
    • Flow state management
    • API Driven UI
    • Examples
      • Example - Username and password based authentication
      • Example - Encap authentication with device registration
      • Example - Using an external browser
    • SDK
      • HAAPI Android SDK
      • HAAPI iOS SDK
      • HAAPI Web SDK
  • Curity SDKs
    • Java Plugin SDK
    • HAAPI Android SDK
    • HAAPI iOS SDK
    • HAAPI Web SDK
  • GraphQL APIs
    • Using Access Tokens
    • Introspecting the Schema
    • Using Queries
    • Mutation Errors
    • DynamoDB limitations
      • User Management service limitations
      • Dynamic Client Registration service limitations
      • Database Client limitations
    • GraphQL error for unsupported features
• Configuration Guide
  • Overview
    • Transactional configuration
    • Rollbacks and history
    • Factory default
    • Mandatory, optional and default parameters
    • Configuration interfaces
      • Service Roles
      • Profiles
      • Endpoints
      • Using Endpoints in Service Roles
    • Commit Hooks
  • RESTCONF API
    • General Concepts
    • RESTCONF Endpoint
      • URIs
    • RESTCONF Operations
    • Querying Data
    • Rollback using RESTCONF
    • Invoking YANG Actions Using RESTCONF
    • Message Encoding
    • Authentication
  • Command Line Interface
    • Connect to the CLI
    • Modes in the CLI
      • View mode
      • Configuration mode
    • Basic Usage
      • Viewing the configuration
      • Changing the configuration
      • Applying the configuration
      • Rollback changes
    • Advanced Usage
      • Moving through the configuration using Edit
      • Showing selected values only
      • Exporting configuration
      • Loading configuration
      • Multiline Edit Mode
    • Scripting and automation
  • Commit Hooks
    • Commit Hook CLI Scripts
    • Commit Hook Scripts
  • Encrypted Configuration
    • Setup Encryption
      • Defining a key during installation
    • Defining Encryption Key on Startup
    • Change Encryption Key
      • Re-encrypting custom Plugin configuration
  • Backing Up the Configuration
    • Using the idsvr Command
    • Using the idsh Command
    • Using the Web UI
    • Using the RESTCONF API
  • Restoring a Saved Configuration
    • Using the idsvr Command
  • Restoring the Initial Configuration
    • Preserving the Configuration Database
    • Deleting the Configuration Database
      • 1. Stop the admin node
      • 2. Remove the running datastore
      • 3. Check the min-conf.xml and key-conf.xml
      • 4. Making sure the default procedures are in place
      • 5. Make sure the appropriate certificates are initialized
      • 6. Start the admin node
  • Parameterized XML Configuration
    • Example:
    • Default Values
    • Using startup.properties
  • Access Control
    • Defining Rules in the Admin UI
      • Rules for the DevOps Dashboard
    • Enforcement of Access Control Rules
  • Configuration Reference
    • Alarms
      • Control
      • Alarm-inventory
      • Summary
      • Alarm-list
      • Shelved-alarms
      • Alarm-profile
    • Environment
      • Localization
      • White-listed-proxies
      • Cluster
      • Admin-service
      • Themes
      • Zones
      • Service-role
      • Runtime-service
      • Reporting
      • Alarms
    • Profile
      • Authentication-service
      • Authorization-server
      • User-management-service
      • Endpoints
      • Token-issuers
    • Facilities
      • Cache
      • Client
      • Data-source
      • Email-provider
      • Sms-provider
      • Crypto
      • Caching-services
      • Client-attestation
    • Processing
      • Token-procedure
      • Global-script
      • Validation-procedure
      • Transformation-procedure
      • Filter-procedure
      • Event-listener-procedure
      • Claims-provider-procedure
      • Credential-transformation-procedure
      • Pre-processing-procedure
      • Post-processing-procedure
      • Authorization-manager
      • Event-listener
      • Account-manager
      • Credential-manager
      • Credential-policies
    • Base Types
    • Type Reference
      • Types
      • Identities
• Glossary

Customizing the Look and Feel

All the style rules of the frontend are bundled in two .css files which are included in the Curity Identity Server. Try not to override any of those files as it might be harder to follow future updates. Instead you should create your own custom-theme and include it in the templates by using the settings.vm file.

Creating Custom Themes in the Admin UI

The theme builder inside Admin UI makes it easy to create custom themes.

In order to create your own custom theme, follow the steps below:

1. Go to System → Look and Feel or visit https://localhost:6749/admin/#/look-and-feel
2. Make customizations in the controls sidebar, you will see a preview in real time updating as you work
3. To activate the theme, click the Commit menu option in the Changes menu.

Now when you visit any user facing screen when interacting with the server, you will see the new theme.

Note

It is recommended to either use the Admin UI theme builder, or to create a custom theme in UI Builder.

Fig. 184 You can find the theme builder under the System sidebar, click on “Look and feel”.

The Preview Area

The main preview area gives you an overview on how the templates will look in real time. Without having to switch to the server rendered templates every time. You can switch between 1) Login 2) Authenticator Selector 3) Create account.

Controls

In the right sidebar you will find all the controls. To make customizations, edit color swatches, drag sliders and make changes to default values. It is good to have basic CSS knowledge to understand some properties, but many are self explanatory and has descriptions below. Each controls maps to a CSS custom property in the Curity UI-Kit theming system. Changes are applied instantly in the preview area.

Toggle Alerts and Errors

To see how errors and alerts look like, toggle the error switch in the toolbar.

Fig. 185 Toggle errors and alerts

View theme CSS

When you want to see the generated CSS code from the changes, switch to “View CSS” in the toolbar.

Fig. 186 Click “View CSS” in the toolbar to see the generated CSS Code

Download CSS file

It is also possible to download the CSS file separately, if you want to drop in to an existing Curity installation or continue working on it in an IDE.

Fig. 187 Download the CSS file by clicking Download CSS in the toolbar menu

Velocity variables

Besides the CSS theming properties, there are some properties that sets Velocity variables.

1. $theme_css_path - the path to the created CSS theme.
2. $logo_path - the path to the logotype. You can upload an image (converted to a base 64 encoded string) or specify an external URL.
3. $logo_email_path - the path to the email logotype used when sending emails. You can upload an image (converted to a base 64 encoded string) or specify an external URL.
4. $logo_inside - the placement of the logo. It can be outside the well (default) or inside. This is a new setting from version 7.0.0
5. $single_color_authenticator_chooser - the colors of the authenticator buttons. Colored buttons is default, but you can set a monochrome color scale.

Custom CSS

You can also write custom CSS that will be included in the theme.

Fig. 188 Switch to the CSS tab in the right sidebar to write custom CSS that will be included in the theme.

Note

The Custom CSS added here doesn’t reflect in the Preview area, but will be added when the configuration is commited.

Reset theme

You can go back and reset to the default theme by clicking the “Reset theme” button in the toolbar. When you commit the system reverts your changes and uses the default theme.

Fig. 189 Click “Reset theme” to discard the changes and go back to the default theme

How to create your custom theme in UI Builder

In order to create your own custom-theme, follow the steps below:

1. Duplicate the file $INSTALLATION_HOME/misc/ui-builder/src/curity/scss/curity-theme.scss (for example to $INSTALLATION_HOME/misc/ui-builder/src/curity/scss/custom-theme.scss)
2. Start the previewer (see Using the UI Builder), so that the custom-theme.css file is created under $INSTALLATION_HOME/misc/ui-builder/build/curity/webroot/css
3. Change the values of the variables defined in the copied file to ones that fit your needs

The next step would be to include the custom-theme.css file that you previously created in the templates. In order achieve that:

1. Copy the $INSTALLATION_HOME/misc/ui-builder/src/curity/templates/core/settings.vm file under $INSTALLATION_HOME/misc/ui-builder/src/curity/templates/overrides/
2. Uncomment the row referring to the loaded theme (search for $theme_css_path) and change curity-theme.css to custom-theme.css
3. Restart the previewer (this will force the previewer to include the newly copied in the $INSTALLATION_HOME/misc/ui-builder/build folder)

You can now continue editing the custom-theme.scss file and the changes will be reloaded on the previewer without the need for restart. Avoid changing other .scss other than the custom-theme.scss when possible. You can add your CSS overrides at the end of the file which will take precedence over any rules in main.css

Danger

Never override csp.vm with an empty file or one that substantially reduces the policies defined by that core template. Doing so will likely result is severe security vulnerabilities.

How to work with Sass

The Curity UI Kit is written in Sass (.scss). Sass is a mature, stable, and powerful CSS extension language. Sass is a preprocessor and compiles to CSS. Sass has features that help you write robust, maintainable CSS.

Sass compiles to CSS so every file inside src/curity/scss/ will compile to a .css file, ready to be included in HTML.

Main

The main file - src/curity/scss/main.scss contains base styles for all the application components aswell as some settings defined as Sass variables, such as the path to fonts and media queries.

Font path

When using self hosted webfonts the $fontPath variable sets the path to those fonts.

Media Queries

To work with responsive themes there are predefined breakpoint variables. Curity UI Kit uses a mobile first strategy using min-width media queries. Any CSS unit can be used here, rem, em or pixels are preferred.

$breakpoint-sm: '(min-width: 40em)' !default;
$breakpoint-md: '(min-width: 52em)' !default;
$breakpoint-lg: '(min-width: 64em)' !default;
$breakpoint-xlg: '(min-width: 74em)' !default;
$breakpoint-xxlg: '(min-width: 84em)' !default;
$breakpoint-xxxlg: '(min-width: 114em)' !default;

Themes

Themes are built with CSS Custom Properties (sometimes referred to as CSS variables or cascading variables), so not relying on any Sass syntax or special features. Theme files contains only a list of properties, using the custom property notation (key/value). --color-spot: #d859a1; and are accessed using the var() function (e.g., color: var(--main-color);). Since themes are created with CSS Custom Properties, this also means that the variables can be easily modified with JavaScript and also created outside UI Kit, all you need is a text editor.

Curity themes follow a common best practice that is to define custom properties on the :root pseudo-class, so that it can be applied globally across your HTML document.

UI Kit comes with a default theme curity-ui-kit/src/curity/scss/curity-theme.scss.

Theme variables

A theme consists of different sets of variables to style different components in the application.

1. Page - top level styles to modify the top level page area, surrounding the well.
2. Well - the container that holds the form elements
3. Login symbol - the illustrative icon on top of the form
4. Logo - the company logo
5. Colors - Main color such as primary, call to action and spot colors
6. Forms - Style form elements
7. Typography - Change font settings, such as pointing to system fonts or web fonts
8. Spacing - Space between component follow a vertical rythm.
9. Progress bar - The HTML progress element used for password strengh checker
10. Buttons - Button components and variants
11. Alerts - Holds inline warnings, errors and success messages
12. Checkmark - Style the animated checkmark that is used on templates where a flow is “done”.
13. Authenticators - Define custom colors for the avaliable authenticators.

Below you will find all the theme variables listed.

Page

The page surrounding the login well and form.

/* If using background image, specify the URL here using url("URL"). Local or external. */
--page-background-image-url: none;
/* If using a css gradient as background, supports linear, radial or conic gradient */
--page-background-image-gradient: none;
/* If using background image, specify position here x, y */
--page-background-position: center center;
/* If using background image, specify repeat;  */
--page-background-repeat: no-repeat;
/* If using background image, specify size;  */
--page-background-size: cover;
/* Page background color */
--page-background-color: #f3f5f7;
/* Page background color when the dark background setting is used */
--page-background-color-dark: #3a445e;
/* Set to none to hide the "Powered by Curity" in the footer  */
--page-powered-by-display: flex;

Well

The well is the wrapper around the form elements.

/* Border color */
--well-border-color: transparent;
/* Border radius */
--well-border-radius: 26px;
/* Border style */
--well-border-style: solid;
/* Border width */
--well-border-width: 1px;
/* Box shadow */
--well-box-shadow: rgb(0 0 0 / 5%) 0 6px 24px 0, rgb(0 0 0 / 8%) 0 0 0 1px;

Login symbol

The login symbol is the illustrative icon above the form.

/* Display. Set to none to hide */
--login-symbol-display: block;
/* The symbol has a squared canvas (equal width/height) */
--login-symbol-size: 180px;
/* Margin top */
--login-symbol-margin-top: 2rem;
/* Margin bottom */
--login-symbol-margin-bottom: 2rem;
/* Border radius */
--login-symbol-border-radius: 50%;

Logo

Base settings for the company logo. Can be placed either outside the well or inside. Default is outside. You can customize this option in settings file settings.vm setting the logo_inside variable to true or false. #set ($logo_inside = false)

/* If logo is visible. Set to none to hide */
--login-logo-display: block;
/* Max width */
--login-logo-max-width: 200px;
/* Max height */
--login-logo-max-height: 40px;

Colors

There are a number of main color variables that you can modify to quickly change the theme. Accent colors for states like hover, Call to Action colors, link colors and more. Any CSS color mode can be used.

/* Paragraphs and lists */
--color-text: #737373;
/* Headings */
--color-heading: #262c3d;
/* Base colors */
--color-light: white;
--color-primary: #2e364b;
--color-primary-dark: #262c3d;
--color-primary-medium: #262c3d;
--color-primary-light: #7e89a8;
/* Call to action */
--color-success: #57c75c;
--color-info: #62818f;
--color-danger: #ca2e2b;
--color-warning: #e0c01c;
--color-add: #0092ff;
/* Spot and link colors */
--color-spot: #d859a1;
--color-link: #d859a1;
--color-link-hover: #87148b;

Forms

Forms are a big part of the templates and you can make fine grained adjustments in the theme.

/* Label color */
--form-label-color: #666;
/* Labe line height */
--form-label-line-height: 2;
/* Label font size */
--form-label-font-size: calc(var(--type-base-size) * 0.85);
/* Disabled fields */
--form-field-disabled-background-color: rgb(0 0 0 / 12.5%);
--form-field-disabled-opacity: 0.5;
/* Read only fields */
--form-field-readonly-background-color: rgb(0 0 0 / 12.5%);
/* Background color */
--form-field-background-color: white;
/* Background color when dark mode is used */
--form-field-background-color-dark: var(--color-primary-dark);
/* Placeholder */
--form-placeholder-color: #ccc;
/* Border color */
--form-field-border-color: rgb(207 217 224);
/* Border color hover */
--form-field-border-color-hover: rgb(152, 152, 153);
/* Border color focus */
--form-field-border-color-focus: rgb(0 89 200);
/* Box shadow */
--form-field-box-shadow: none;
/* Box shadow focus */
--form-field-box-shadow-focus: rgb(152 203 255) 0 0 0 3px;
/* Height */
--form-field-height: 2.55rem;
/* Padding */
--form-field-padding: 0.75rem;
/* Padding left, set differently when form field icon is used */
--form-field-padding-left: 0.75rem;
/* Icon display. Set to block or flex to show. Default is none */
--form-field-icon-display: none;
/* Icon color */
--form-field-icon-color: #ccc;
/* Icon size */
--form-field-icon-size: 1.5rem;
/* Border radius */
--form-field-border-radius: 8px;
/* Border style */
--form-field-border-style: solid;
/* Border width */
--form-field-border-width: 1px;
/* Border color */
--form-field-border-color: #cfd9e0;
/* Border color when dark mode is used */
--form-field-border-color-dark: var(--color-primary-dark);
/* Caret color */
--form-field-caret-color: var(--color-primary);

Typography

Typography settings.

/* Default font stack. Can be system fonts or web fonts. */
--type-sans: "Roboto-Regular", system, -apple-system, "Roboto", "Segoe UI",
  "Lucida Grande", sans-serif;
/* Default font weight */
--type-weight: normal;
/* Default font stack for bolder type. Used for headings */
--type-sans-bold: "Roboto-Medium", system, -apple-system, "Roboto", "Segoe UI",
  "Lucida Grande", sans-serif;
/* Default font weight for bolder type. These should use ex 700 when using system fonts. And the same
font weight as defined via the font-face rule, when using web fonts */
--type-weight-bold: normal;
/* Default font stack for monospaced fonts */
--type-mono: "SF Mono", consolas, monaco, "Courier New", courier, monospace;
/* Line height */
--type-line-height: 1.5;
/* Base font size */
--type-base-size: 1rem;

Spacing

Spacings between component use relative units fo follow a vertical rythm.

/* Spacing can use any CSS unit */
--space-1: 0.5rem;
--space-2: calc(var(--space-1) * 2);
--space-3: calc(var(--space-1) * 4);
--space-4: calc(var(--space-1) * 8);

Progress bar

The base settings for the HTML progress element. The progress element is used for the password strength checker on the create account templates.

/* Progress bar height */
--progress-bar-height: 6px;
/* Border radius */
--progress-bar-border-radius: 6px;

Buttons

The base settings for buttons. Note that button colors follow the primary color palette for easy theming.

/* Button top/bottom padding */
--button-padding-y: 0.6rem;
/* Bottom side padding */
--button-padding-x: 1rem;
/* Border radius */
--button-border-radius: 6px;
/* Button font size */
--button-font-size: calc(var(--type-base-size));

Alerts

Base settings for alerts. Note that alert colors use the Call to action colors for warning, danger, success and info.

/* Border radius */
--alert-border-radius: 8px;
/* Border style */
--alert-border-style: solid;
/* Border width */
--alert-border-width: 1px;
/* Border color */
--alert-border-color: #cfd9e0;

Checkmark

You can customize the animated checkmark that is used on templates where a flow is done.

/* Size */
--done-checkmark-container-size: 100px;
/* Inside checkmar size */
--done-checkmark-size: 80px;
/* Checkmark line color */
--done-checkmark-line-color: var(--color-success);
/* Checkmark circle color */
--done-checkmark-circle-color: var(--color-success);

Authenticators

You can define custom colors for the available authenticators.

--authenticator-google-color: #4285f4;
--authenticator-pingfederate-color: #002050;
--authenticator-email-color: grey;
--authenticator-oidc-color: #f78c40;
--authenticator-group-color: green;
--authenticator-encap-color: #fbb034;
--authenticator-windows-color: #0078d7;
--authenticator-siths-color: #008272;
--authenticator-facebook-color: #3b5998;
--authenticator-twitter-color: #0077b5;
--authenticator-linkedin-color: #0077b5;
--authenticator-sms-color: #70b29c;
--authenticator-html-form-color: #626c87;
--authenticator-saml-color: #666;
--authenticator-totp-color: #4682b4;
--authenticator-github-color: #333;
--authenticator-twitter-color: #1da1f2;
--authenticator-bankid-color: #235971;
--authenticator-dropbox-color: #007ee5;
--authenticator-aws-color: #f90;
--authenticator-salesforce-color: #1798c1;
--authenticator-windowslive-color: #d83b01;
--authenticator-slack-color: #6ecadc;
--authenticator-box-color: #0061d5;
--authenticator-bitbucket-color: #205081;
--authenticator-instagram-color: #c13584;
--authenticator-signicat-color: #212831;
--authenticator-stackexchange-color: #1e5397;
--authenticator-criipto-color: #edb0ab;
--authenticator-freja-color: #48429e;
--authenticator-cgi-color: #c03;
--authenticator-duo-color: #6dc04f;
--authenticator-sign-in-with-apple-color: #000;

To use single colored authenticator colors using #set ($single_color_authenticator_chooser = true). If set to true the --color-primary color will be used. If set to false the authenticator color variables will be used. An example below:

Fig. 190 Authenticator button icons can be monochrome or have colours (default)

Light and Dark Mode

Fig. 191 Light and dark mode

There are two built-in modes - light and dark. Modes are handled in the template settings using the two variables #set ($body_background = 'body-light') and #set ($login_form_background = 'form-light'). The CSS supports both modes without recompilation.

You can also override the CSS classes and write your own styles. At the bottom you see some empty class definitions, modify this to fit your application.

// Light body background class.
.body-light {

}

// Dark body background class
.body-dark {

}

// Form background-color light.
.form-light {

}

// Form background-color transparent.
.form-transparent {

}

Using External Web Fonts

If you want to use hosted web fonts via for example Google Fonts, Typekit or similar services you need to modify Content Security Policy (CSP). CSP is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.

Copy $INSTALLATION_HOME/misc/ui-builder/src/curity/templates/core/fragments/csp.vm to our overridden template or template area area in $INSTALLATION_HOME/misc/ui-builder/src/curity/templates/template-areas/my-company/fragments/csp.vm

Then to allow, for example, Google Fonts, change accordingly:

#set ($styleSrc = "style-src 'self' https://fonts.googleapis.com 'unsafe-inline' ${nonceScriptSrc};")

<meta http-equiv="Content-Security-Policy" content="connect-src 'self'; font-src 'self' https://fonts.gstatic.com; $childSrc">

In your custom theme ${INSTALLATION_HOME}/misc/ui-builder/src/curity/scss/custom-theme.scss:

@import url('https://fonts.googleapis.com/css?family=Calistoga&display=swap');

body {
  font-family: 'Calistoga', serif;
}

Compiling Assets

In package.json there are npm scripts ready to run and build the themes.

{
  "scripts": {
    "start": "concurrently \" npm run java\" \" npm run dev\"",
    "build": "webpack --config webpack.config.js --mode production",
    "clean": "rm -rf build",
    "java": "node previewer",
    "dev": "webpack --config webpack.config.js --mode development --stats-error-details",
  }
}

• Use npm start to start the development server. Live reload is included and the browser will reload and instantly reflect your changes, both for Sass and HTML changes.
• Use npm run build to compile Sass to CSS. This will also copy assets like fonts, images and JavaScripts, to the build folder.
• Use npm run clean to remove the build folder with the compiled assets.

How to work with the settings file

The settings.vm file under $INSTALLATION_HOME/misc/ui-builder/src/curity/templates/core has as a sole purpose to help developers modify the basic parameters of the templates with ease. Each possible setting contains the default value which, if needed, can be overridden.

As a first step, copy the settings.vm file from core to overrides (or your specific template-area). Then, for each of the settings you want to override, uncomment its line and change the value at will.

An overview of the possible variables and their default values can be found below:

• main_css_path default: /assets/css/main.css
• theme_css_path default: /assets/css/curity-theme.css
• body_background default: body-light
• login_form_background default: form-light
• logo_path default: /assets/images/curity-logo.svg
• logo_white_path default: /assets/images/curity-logo-white.svg
• logo_inside default: false
• powered_by default: true
• single_color_authenticator_chooser default: true
• icons_only_authenticator_chooser default: false
• show_symbol default: true
• page_symbol_path default: /assets/images/
• page_symbol_path_* default: /assets/images/<symbol-name>.svg

A detailed explanation of each variable can be found in the comments before its declaration.

Warning

Overriding settings.vm is safe, but altering settings-default.vm (in overides, template-area or anywhere else) is not recommended. Also, try not to remove the line #parse("settings-defaults") from settings.vm. Doing so might cause problems in future updates.