
SamlPluginConfig


Properties

Name Type Description
config object
name object
protocols array A set of strings representing HTTP protocols.
route object If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.
service object If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.

JSON Schema

kong-samlpluginconfig-schema.json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "#/components/schemas/SamlPluginConfig",
  "title": "SamlPluginConfig",
  "x-speakeasy-entity": "PluginSaml",
  "properties": {
    "config": {
      "type": "object",
      "properties": {
        "anonymous": {
          "description": "An optional string (consumer UUID or username) value to use as an \u201canonymous\u201d consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.",
          "type": "string"
        },
        "assertion_consumer_path": {
          "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).",
          "type": "string"
        },
        "idp_certificate": {
          "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Include only the contents of the certificate; do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.",
          "type": "string",
          "x-encrypted": true,
          "x-referenceable": true
        },
        "idp_sso_url": {
          "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.",
          "type": "string"
        },
        "issuer": {
          "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.",
          "type": "string"
        },
        "nameid_format": {
          "description": "The requested `NameId` format. Options available are: `Unspecified`, `EmailAddress`, `Persistent`, `Transient`.",
          "type": "string",
          "default": "EmailAddress",
          "enum": [
            "EmailAddress",
            "Persistent",
            "Transient",
            "Unspecified"
          ]
        },
        "redis": {
          "type": "object",
          "properties": {
            "cloud_authentication": {
              "description": "Cloud auth related configs for connecting to a Cloud Provider's Redis instance.",
              "type": "object",
              "properties": {
                "auth_provider": {
                  "description": "Auth providers to be used to authenticate to a Cloud Provider's Redis instance.",
                  "type": "string",
                  "enum": [
                    "aws",
                    "azure",
                    "gcp"
                  ],
                  "x-referenceable": true
                },
                "aws_access_key_id": {
                  "description": "AWS Access Key ID to be used for authentication when `auth_provider` is set to `aws`.",
                  "type": "string",
                  "x-encrypted": true,
                  "x-referenceable": true
                },
                "aws_assume_role_arn": {
                  "description": "The ARN of the IAM role to assume for generating ElastiCache IAM authentication tokens.",
                  "type": "string",
                  "x-encrypted": true,
                  "x-referenceable": true
                },
                "aws_cache_name": {
                  "description": "The name of the AWS Elasticache cluster when `auth_provider` is set to `aws`.",
                  "type": "string",
                  "x-referenceable": true
                },
                "aws_is_serverless": {
                  "description": "This flag specifies whether the cluster is serverless when `auth_provider` is set to `aws`.",
                  "type": "boolean",
                  "default": true
                },
                "aws_region": {
                  "description": "The region of the AWS ElastiCache cluster when `auth_provider` is set to `aws`.",
                  "type": "string",
                  "x-referenceable": true
                },
                "aws_role_session_name": {
                  "description": "The session name for the temporary credentials when assuming the IAM role.",
                  "type": "string",
                  "x-encrypted": true,
                  "x-referenceable": true
                },
                "aws_secret_access_key": {
                  "description": "AWS Secret Access Key to be used for authentication when `auth_provider` is set to `aws`.",
                  "type": "string",
                  "x-encrypted": true,
                  "x-referenceable": true
                },
                "azure_client_id": {
                  "description": "Azure Client ID to be used for authentication when `auth_provider` is set to `azure`.",
                  "type": "string",
                  "x-encrypted": true,
                  "x-referenceable": true
                },
                "azure_client_secret": {
                  "description": "Azure Client Secret to be used for authentication when `auth_provider` is set to `azure`.",
                  "type": "string",
                  "x-encrypted": true,
                  "x-referenceable": true
                },
                "azure_tenant_id": {
                  "description": "Azure Tenant ID to be used for authentication when `auth_provider` is set to `azure`.",
                  "type": "string",
                  "x-encrypted": true,
                  "x-referenceable": true
                },
                "gcp_service_account_json": {
                  "description": "GCP Service Account JSON to be used for authentication when `auth_provider` is set to `gcp`.",
                  "type": "string",
                  "x-encrypted": true,
                  "x-referenceable": true
                }
              }
            },
            "cluster_max_redirections": {
              "description": "Maximum retry attempts for redirection.",
              "type": "integer",
              "default": 5
            },
            "cluster_nodes": {
              "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.",
              "type": "array",
              "items": {
                "properties": {
                  "ip": {
                    "description": "A string representing a host name, such as example.com.",
                    "type": "string",
                    "default": "127.0.0.1"
                  },
                  "port": {
                    "description": "An integer representing a port number between 0 and 65535, inclusive.",
                    "type": "integer",
                    "default": 6379,
                    "maximum": 65535,
                    "minimum": 0
                  }
                },
                "type": "object"
              },
              "minLength": 1
            },
            "connect_timeout": {
              "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.",
              "type": "integer",
              "default": 2000,
              "maximum": 2147483646,
              "minimum": 0
            },
            "connection_is_proxied": {
              "description": "If the connection to Redis is proxied (e.g. Envoy), set this to `true` and point `host` and `port` at the proxy address.",
              "type": "boolean",
              "default": false
            },
            "database": {
              "description": "Database to use for the Redis connection when using the `redis` strategy.",
              "type": "integer",
              "default": 0
            },
            "host": {
              "description": "A string representing a host name, such as example.com.",
              "type": "string",
              "default": "127.0.0.1",
              "x-referenceable": true
            },
            "keepalive_backlog": {
              "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.",
              "type": "integer",
              "maximum": 2147483646,
              "minimum": 0
            },
            "keepalive_pool_size": {
              "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.",
              "type": "integer",
              "default": 256,
              "maximum": 2147483646,
              "minimum": 1
            },
            "password": {
              "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.",
              "type": "string",
              "x-encrypted": true,
              "x-referenceable": true
            },
            "port": {
              "description": "An integer representing a port number between 0 and 65535, inclusive.",
              "type": "integer",
              "default": 6379,
              "maximum": 65535,
              "minimum": 0,
              "x-referenceable": true
            },
            "prefix": {
              "description": "The Redis session key prefix.",
              "type": "string"
            },
            "read_timeout": {
              "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.",
              "type": "integer",
              "default": 2000,
              "maximum": 2147483646,
              "minimum": 0
            },
            "send_timeout": {
              "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.",
              "type": "integer",
              "default": 2000,
              "maximum": 2147483646,
              "minimum": 0
            },
            "sentinel_master": {
              "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.",
              "type": "string"
            },
            "sentinel_nodes": {
              "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.",
              "type": "array",
              "items": {
                "properties": {
                  "host": {
                    "description": "A string representing a host name, such as example.com.",
                    "type": "string",
                    "default": "127.0.0.1"
                  },
                  "port": {
                    "description": "An integer representing a port number between 0 and 65535, inclusive.",
                    "type": "integer",
                    "default": 6379,
                    "maximum": 65535,
                    "minimum": 0
                  }
                },
                "type": "object"
              },
              "minLength": 1
            },
            "sentinel_password": {
              "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.",
              "type": "string",
              "x-encrypted": true,
              "x-referenceable": true
            },
            "sentinel_role": {
              "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.",
              "type": "string",
              "enum": [
                "any",
                "master",
                "slave"
              ]
            },
            "sentinel_username": {
              "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.",
              "type": "string",
              "x-referenceable": true
            },
            "server_name": {
              "description": "A string representing an SNI (server name indication) value for TLS.",
              "type": "string",
              "x-referenceable": true
            },
            "socket": {
              "description": "The Redis unix socket path.",
              "type": "string"
            },
            "ssl": {
              "description": "If set to true, uses SSL to connect to Redis.",
              "type": "boolean",
              "default": false
            },
            "ssl_verify": {
              "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.",
              "type": "boolean",
              "default": true
            },
            "username": {
              "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.",
              "type": "string",
              "x-referenceable": true
            }
          }
        },
        "request_digest_algorithm": {
          "description": "The digest algorithm for Authn requests: `SHA256` or `SHA1`.",
          "type": "string",
          "default": "SHA256",
          "enum": [
            "SHA1",
            "SHA256"
          ]
        },
        "request_signature_algorithm": {
          "description": "The signature algorithm for signing Authn requests. Options available are: `SHA256`, `SHA384`, `SHA512`.",
          "type": "string",
          "default": "SHA256",
          "enum": [
            "SHA256",
            "SHA384",
            "SHA512"
          ]
        },
        "request_signing_certificate": {
          "description": "The certificate for signing requests.",
          "type": "string",
          "x-encrypted": true,
          "x-referenceable": true
        },
        "request_signing_key": {
          "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.",
          "type": "string",
          "x-encrypted": true,
          "x-referenceable": true
        },
        "response_digest_algorithm": {
          "description": "The algorithm for verifying the digest in SAML responses: `SHA256` or `SHA1`.",
          "type": "string",
          "default": "SHA256",
          "enum": [
            "SHA1",
            "SHA256"
          ]
        },
        "response_encryption_key": {
          "description": "The private encryption key required to decrypt encrypted assertions.",
          "type": "string",
          "x-encrypted": true,
          "x-referenceable": true
        },
        "response_signature_algorithm": {
          "description": "The algorithm for validating signatures in SAML responses. Options available are: `SHA256`, `SHA384`, `SHA512`.",
          "type": "string",
          "default": "SHA256",
          "enum": [
            "SHA256",
            "SHA384",
            "SHA512"
          ]
        },
        "session_absolute_timeout": {
          "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.",
          "type": "number",
          "default": 86400
        },
        "session_audience": {
          "description": "The session audience, for example \"my-application\".",
          "type": "string",
          "default": "default"
        },
        "session_cookie_domain": {
          "description": "The session cookie domain flag.",
          "type": "string"
        },
        "session_cookie_http_only": {
          "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.",
          "type": "boolean",
          "default": true
        },
        "session_cookie_name": {
          "description": "The session cookie name.",
          "type": "string",
          "default": "session"
        },
        "session_cookie_path": {
          "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).",
          "type": "string",
          "default": "/"
        },
        "session_cookie_same_site": {
          "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.",
          "type": "string",
          "default": "Lax",
          "enum": [
            "Default",
            "Lax",
            "None",
            "Strict"
          ]
        },
        "session_cookie_secure": {
          "description": "The cookie is only sent to the server when a request is made with the `https:` scheme (except on localhost), and is therefore more resistant to man-in-the-middle attacks.",
          "type": "boolean"
        },
        "session_enforce_same_subject": {
          "description": "When set to `true`, audiences are forced to share the same subject.",
          "type": "boolean",
          "default": false
        },
        "session_hash_storage_key": {
          "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.",
          "type": "boolean",
          "default": false
        },
        "session_hash_subject": {
          "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.",
          "type": "boolean",
          "default": false
        },
        "session_idling_timeout": {
          "description": "The session cookie idle time in seconds.",
          "type": "number",
          "default": 900
        },
        "session_memcached_host": {
          "description": "The memcached host.",
          "type": "string",
          "default": "127.0.0.1"
        },
        "session_memcached_port": {
          "description": "An integer representing a port number between 0 and 65535, inclusive.",
          "type": "integer",
          "default": 11211,
          "maximum": 65535,
          "minimum": 0
        },
        "session_memcached_prefix": {
          "description": "The memcached session key prefix.",
          "type": "string"
        },
        "session_memcached_socket": {
          "description": "The memcached unix socket path.",
          "type": "string"
        },
        "session_remember": {
          "description": "Enables or disables persistent sessions.",
          "type": "boolean",
          "default": false
        },
        "session_remember_absolute_timeout": {
          "description": "Persistent session absolute timeout in seconds.",
          "type": "number",
          "default": 2592000
        },
        "session_remember_cookie_name": {
          "description": "Persistent session cookie name.",
          "type": "string",
          "default": "remember"
        },
        "session_remember_rolling_timeout": {
          "description": "Persistent session rolling timeout in seconds.",
          "type": "number",
          "default": 604800
        },
        "session_request_headers": {
          "type": "array",
          "items": {
            "enum": [
              "absolute-timeout",
              "audience",
              "id",
              "idling-timeout",
              "rolling-timeout",
              "subject",
              "timeout"
            ],
            "type": "string"
          }
        },
        "session_response_headers": {
          "type": "array",
          "items": {
            "enum": [
              "absolute-timeout",
              "audience",
              "id",
              "idling-timeout",
              "rolling-timeout",
              "subject",
              "timeout"
            ],
            "type": "string"
          }
        },
        "session_rolling_timeout": {
          "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.",
          "type": "number",
          "default": 3600
        },
        "session_secret": {
          "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.",
          "type": "string",
          "maxLength": 32,
          "minLength": 32,
          "x-encrypted": true,
          "x-referenceable": true
        },
        "session_storage": {
          "description": "The session storage for session data: `cookie` stores session data with the session cookie (the session cannot be invalidated or revoked without changing the session secret, but it is stateless and doesn't require a database); `memcached` stores session data in memcached; `redis` stores session data in Redis.",
          "type": "string",
          "default": "cookie",
          "enum": [
            "cookie",
            "memcache",
            "memcached",
            "redis"
          ]
        },
        "session_store_metadata": {
          "description": "Configures whether session metadata is stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.",
          "type": "boolean",
          "default": false
        },
        "validate_assertion_signature": {
          "description": "Enable signature validation for SAML responses.",
          "type": "boolean",
          "default": true
        }
      },
      "required": [
        "assertion_consumer_path",
        "idp_sso_url",
        "issuer",
        "session_secret"
      ]
    },
    "name": {
      "const": "saml"
    },
    "protocols": {
      "description": "A set of strings representing HTTP protocols.",
      "type": "array",
      "items": {
        "enum": [
          "grpc",
          "grpcs",
          "http",
          "https"
        ],
        "type": "string"
      },
      "format": "set",
      "default": [
        "grpc",
        "grpcs",
        "http",
        "https"
      ]
    },
    "route": {
      "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.",
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "id": {
          "type": "string"
        }
      }
    },
    "service": {
      "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.",
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "id": {
          "type": "string"
        }
      }
    }
  },
  "required": [
    "config"
  ]
}