The Cloud Foundry UAA (User Account and Authentication) server is a Spring Boot application.
Configuration is loaded from the embedded uaa/src/main/resources/uaa.yml and can be overridden
by an external YAML file located at $UAA_CONFIG_URL, $UAA_CONFIG_PATH/uaa.yml,
or $CLOUDFOUNDRY_CONFIG_PATH/uaa.yml.
- Property Quick-Reference Table
- Core / General
- Database
- Servlet & Session
- JWT Token Policy
- OAuth Clients & Users
- Password Policy
- Client Secret Policy
- Authentication / Lockout Policy
- SCIM (User Provisioning)
- Login & Branding
- SAML Service Provider
- Logout
- Links
- CORS
- SMTP / Notifications
- LDAP
- Encryption
- Rate Limiting
- REST Template (HTTP Client)
- Tracing (Brave/Zipkin)
- Health & Shutdown
- Limited Mode
- Metrics
- Zone Paths
- CSP (Content Security Policy)
- Miscellaneous
| Property | Default | Description |
|---|---|---|
 issuer.uri |
— (required) | Token issuer URI |
uaa.url |
http://localhost:8080/uaa |
Public URL of the UAA |
login.url |
http://localhost:8080/uaa |
URL of the login server |
spring_profiles |
— | Active Spring profiles |
require_https |
false |
Require HTTPS for cookies |
https_port |
443 |
HTTPS port |
LOGIN_SECRET |
loginsecret |
Shared secret for login server auth |
dump_requests |
false |
Dump HTTP requests for debugging |
environmentYamlKey |
— | YAML config string for validation |
disableInternalAuth |
false |
Disable internal IDP authentication |
disableInternalUserManagement |
false |
Disable internal user management endpoints |
allowUnverifiedUsers |
true |
Allow login for unverified users |
| Property | Default | Description |
|---|---|---|
database.driverClassName |
(per profile) | JDBC driver class |
database.url |
(per profile) | JDBC connection URL |
database.username |
— | Database user |
database.password |
— | Database password |
database.maxactive |
100 |
Max active connections |
database.maxidle |
10 |
Max idle connections |
database.minidle |
0 |
Min idle connections |
database.maxwait |
30000 |
Max wait for connection (ms) |
database.initialsize |
10 |
Initial pool size |
database.validationquerytimeout |
10 |
Validation query timeout (s) |
database.validationinterval |
5000 |
Validation interval (ms) |
database.connecttimeout |
10 |
Connection timeout (s) |
database.testwhileidle |
false |
Test connections while idle |
database.removedAbandoned |
false |
Remove abandoned connections |
database.logabandoned |
true |
Log abandoned connections |
database.abandonedtimeout |
300 |
Abandoned timeout (s) |
database.evictionintervalms |
15000 |
Eviction interval (ms) |
database.minevictionidlems |
60000 |
Min eviction idle time (ms) |
database.caseinsensitive |
false |
Case-insensitive queries |
database.useSkipLocked |
false |
Use SKIP LOCKED in queries |
database.maxParameters |
-1 |
Max SQL parameters (-1 = unlimited) |
| Property | Default | Description |
|---|---|---|
servlet.session-store |
memory |
Session store type |
servlet.session-cookie.encode-base64 |
true |
Base64-encode session cookie |
servlet.session-cookie.max-age |
— (null) | Session cookie max age |
servlet.idle-timeout |
1800 |
Session idle timeout (s) |
servlet.filtered-headers |
X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Proto, X-Forwarded-Prefix, Forwarded |
Headers to filter |
| Property | Default | Description |
|---|---|---|
jwt.token.signing-key |
— (null) | Legacy token signing key |
jwt.token.signing-alg |
— (null) | Legacy signing algorithm |
jwt.token.signing-cert |
— (null) | Legacy signing certificate |
jwt.token.revocable |
false |
Make JWT tokens revocable |
jwt.token.queryString.enabled |
true |
Allow tokens via query string |
jwt.token.policy.activeKeyId |
— (null) | Active signing key ID |
jwt.token.policy.keys |
{} |
Map of signing keys |
jwt.token.policy.accessTokenValiditySeconds |
falls back to global | Access token validity (s) |
jwt.token.policy.refreshTokenValiditySeconds |
falls back to global | Refresh token validity (s) |
jwt.token.policy.global.accessTokenValiditySeconds |
43200 |
Global access token validity (s) |
jwt.token.policy.global.refreshTokenValiditySeconds |
2592000 |
Global refresh token validity (s) |
jwt.token.refresh.format |
opaque |
Refresh token format |
jwt.token.refresh.unique |
false |
Unique refresh tokens |
jwt.token.refresh.rotate |
false |
Rotate refresh tokens |
jwt.token.refresh.restrict_grant |
— | Restrict refresh token grant |
jwt.token.claims.exclude |
[] |
Claims excluded from tokens |
| Property | Default | Description |
|---|---|---|
oauth.clients |
{} |
Bootstrap OAuth client definitions |
oauth.client.override |
— | Override existing client on bootstrap |
oauth.client.autoapprove |
[] |
Clients auto-approved for all scopes |
oauth.user.authorities |
(see details) | Default authorities for new users |
clientMaxCount |
500 |
Max clients returned by list endpoint |
| Property | Default | Description |
|---|---|---|
password.policy.global.minLength |
0 |
Global min password length |
password.policy.global.maxLength |
255 |
Global max password length |
password.policy.global.requireUpperCaseCharacter |
0 |
Global required uppercase chars |
password.policy.global.requireLowerCaseCharacter |
0 |
Global required lowercase chars |
password.policy.global.requireDigit |
0 |
Global required digits |
password.policy.global.requireSpecialCharacter |
0 |
Global required special chars |
password.policy.global.expirePasswordInMonths |
0 |
Global password expiry (months) |
password.policy.minLength |
(falls back to global) | Default zone min password length |
password.policy.maxLength |
(falls back to global) | Default zone max password length |
password.policy.requireUpperCaseCharacter |
(falls back to global) | Default zone required uppercase |
password.policy.requireLowerCaseCharacter |
(falls back to global) | Default zone required lowercase |
password.policy.requireDigit |
(falls back to global) | Default zone required digits |
password.policy.requireSpecialCharacter |
(falls back to global) | Default zone required special chars |
password.policy.expirePasswordInMonths |
(falls back to global) | Default zone password expiry |
| Property | Default | Description |
|---|---|---|
oauth.client.secret.policy.global.minLength |
0 |
Global min secret length |
oauth.client.secret.policy.global.maxLength |
255 |
Global max secret length |
oauth.client.secret.policy.global.requireUpperCaseCharacter |
0 |
Global required uppercase |
oauth.client.secret.policy.global.requireLowerCaseCharacter |
0 |
Global required lowercase |
oauth.client.secret.policy.global.requireDigit |
0 |
Global required digits |
oauth.client.secret.policy.global.requireSpecialCharacter |
0 |
Global required special chars |
oauth.client.secret.policy.global.expireSecretInMonths |
0 |
Global secret expiry (months) |
oauth.client.secret.policy.minLength |
(falls back to global) | Default zone min secret length |
oauth.client.secret.policy.maxLength |
(falls back to global) | Default zone max secret length |
| Property | Default | Description |
|---|---|---|
authentication.policy.global.lockoutAfterFailures |
5 |
Global lockout threshold |
authentication.policy.global.countFailuresWithinSeconds |
1200 |
Global failure counting window (s) |
authentication.policy.global.lockoutPeriodSeconds |
300 |
Global lockout duration (s) |
authentication.policy.lockoutAfterFailures |
(falls back to global) | Default zone lockout threshold |
authentication.policy.countFailuresWithinSeconds |
(falls back to global) | Default zone failure window (s) |
authentication.policy.lockoutPeriodSeconds |
(falls back to global) | Default zone lockout duration (s) |
authentication.enableUriEncodingCompatibilityMode |
false |
URI encoding compat mode |
| Property | Default | Description |
|---|---|---|
scim.users |
[] |
Bootstrap users |
scim.groups |
{} |
Bootstrap groups and descriptions |
scim.external_groups |
[] |
External group mappings |
scim.userids_enabled |
true |
Enable /ids/Users endpoint |
scim.user.override |
false |
Override existing bootstrap users |
scim.delete.deactivate |
false |
Deactivate instead of delete |
userMaxCount |
500 |
Max users returned by list endpoint |
groupMaxCount |
500 |
Max groups returned by list endpoint |
delete.users |
— (null) | Users to delete on bootstrap |
| Property | Default | Description |
|---|---|---|
login.selfServiceLinksEnabled |
true |
Show self-service links |
login.homeRedirect |
— (null) | Home page redirect URL |
login.idpDiscoveryEnabled |
false |
Enable IDP discovery |
login.accountChooserEnabled |
false |
Enable account chooser |
login.entityBaseURL |
http://localhost:8080/uaa |
SAML SP entity base URL |
login.entityID |
unit-test-sp |
SAML SP entity ID |
login.prompt.username.text |
Email |
Username field label |
login.prompt.password.text |
Password |
Password field label |
login.branding |
— | UI branding configuration |
login.defaultIdentityProvider |
— (null) | Default IDP origin key |
login.allowedGroups |
— (null) | Restrict login to group members |
login.checkOriginEnabled |
false |
Check user origin on auth |
login.maxUsers |
-1 |
Max users (-1 = unlimited) |
login.allowOriginLoop |
true |
Allow origin loop |
login.aliasEntitiesEnabled |
false |
Enable alias entities |
login.oauth.providers |
— | External OAuth/OIDC providers |
| Property | Default | Description |
|---|---|---|
login.saml.activeKeyId |
— | Active SAML signing key ID |
login.saml.keys |
{} |
Map of SAML keys |
login.saml.entityIDAlias |
— (null) | SAML entity ID alias |
login.saml.nameID |
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
Default SAML NameID format |
login.saml.assertionConsumerIndex |
0 |
Assertion consumer index |
login.saml.signMetaData |
true |
Sign SAML SP metadata |
login.saml.signRequest |
true |
Sign SAML auth requests |
login.saml.wantAssertionSigned |
true |
Require signed assertions |
login.saml.signatureAlgorithm |
SHA256 |
SAML signature algorithm |
login.saml.disableInResponseToCheck |
false |
Disable InResponseTo validation |
login.saml.providers |
— | SAML IDP definitions |
login.serviceProviderKey |
— | Legacy SP private key |
login.serviceProviderKeyPassword |
— | Legacy SP key password |
login.serviceProviderCertificate |
— | Legacy SP certificate |
| Property | Default | Description |
|---|---|---|
logout.redirect.url |
/login |
Post-logout redirect URL |
logout.redirect.parameter.disable |
false |
Disable redirect parameter |
logout.redirect.parameter.whitelist |
[] |
Allowed redirect URLs |
| Property | Default | Description |
|---|---|---|
links.global.passwd |
— (null) | Custom forgot-password link |
links.global.signup |
— (null) | Custom signup link |
links.global.homeRedirect |
— (null) | Home redirect URL |
| Property | Default | Description |
|---|---|---|
cors.enforceSystemZonePolicyInAllZones |
false |
Enforce system CORS in all zones |
cors.default.max_age |
1728000 |
Default CORS max age (s) |
cors.default.allowed.uris |
[".*"] |
Default allowed URI patterns |
cors.default.allowed.origins |
[".*"] |
Default allowed origins |
cors.default.allowed.headers |
[Accept, Authorization, Content-Type, Accept-Language, Content-Language] |
Default allowed headers |
cors.default.allowed.methods |
[GET, POST, PUT, OPTIONS, DELETE, PATCH] |
Default allowed methods |
cors.default.allowed.credentials |
false |
Default allow credentials |
cors.xhr.max_age |
1728000 |
XHR CORS max age (s) |
cors.xhr.allowed.uris |
[".*"] |
XHR allowed URI patterns |
cors.xhr.allowed.origins |
[".*"] |
XHR allowed origins |
cors.xhr.allowed.headers |
[Accept, Authorization, Content-Type, Accept-Language, Content-Language, X-Requested-With] |
XHR allowed headers |
cors.xhr.allowed.methods |
[GET, OPTIONS] |
XHR allowed methods |
cors.xhr.allowed.credentials |
true |
XHR allow credentials |
| Property | Default | Description |
|---|---|---|
smtp.host |
localhost |
SMTP server hostname |
smtp.port |
25 |
SMTP server port |
smtp.user |
"" |
SMTP username |
smtp.password |
"" |
SMTP password |
smtp.auth |
false |
Enable SMTP auth |
smtp.starttls |
false |
Enable STARTTLS |
smtp.sslprotocols |
TLSv1.2 |
SSL/TLS protocol versions |
smtp.fromAddress |
"" |
From address for emails |
notifications.url |
— (null) | Notification service URL |
notifications.sendInDefaultZone |
true |
Send in default zone |
notifications.verify_ssl |
false |
Verify SSL for notifications |
| Property | Default | Description |
|---|---|---|
ldap.profile.file |
— | LDAP profile configuration file |
ldap.base.url |
— | LDAP server URL |
ldap.base.userDn |
— | LDAP bind DN |
ldap.base.password |
— | LDAP bind password |
ldap.base.searchBase |
— | LDAP search base DN |
ldap.base.searchFilter |
— | LDAP user search filter |
ldap.base.userDnPattern |
— | DN pattern for simple bind |
ldap.base.referral |
— | LDAP referral handling |
ldap.ssl.skipverification |
false |
Skip LDAP SSL verification |
ldap.groups.file |
— | LDAP groups configuration file |
ldap.groups.searchBase |
— | LDAP group search base |
ldap.groups.groupSearchFilter |
— | Group membership filter |
ldap.groups.maxSearchDepth |
10 |
Max nested group depth |
ldap.groups.autoAdd |
— | Auto-add LDAP groups |
| Property | Default | Description |
|---|---|---|
encryption.active_key_label |
— (required) | Active encryption key label |
encryption.encryption_keys |
— (required) | List of encryption keys |
| Property | Default | Description |
|---|---|---|
ratelimit.loggingOption |
OnlyLimited |
Rate-limit logging mode |
ratelimit.credentialID |
— | Regex for credential extraction |
ratelimit.limiterMappings |
[] |
Rate-limit rules |
| Property | Default | Description |
|---|---|---|
rest.template.timeout |
10000 |
HTTP client timeout (ms) |
rest.template.maxTotal |
10 |
Max total connections |
rest.template.maxPerRoute |
5 |
Max connections per route |
rest.template.maxKeepAlive |
0 |
Max keep-alive (ms) |
rest.template.validateAfterInactivity |
2000 |
Validate after inactivity (ms) |
rest.template.retryCount |
0 |
HTTP retry count |
| Property | Default | Description |
|---|---|---|
brave.localServiceName |
uaa |
Service name in traces |
brave.supportsJoin |
true |
Support span joining |
brave.traceId128Bit |
false |
Use 128-bit trace IDs |
| Property | Default | Description |
|---|---|---|
uaa.shutdown.sleep |
10000 |
Shutdown sleep time (ms) |
uaa.health.db.rate |
10000 |
DB health check interval (ms) |
delete.expirationRunTime |
2500 |
Token expiration cleanup timeout (ms) |
| Property | Default | Description |
|---|---|---|
uaa.limitedFunctionality.statusFile |
— (null) | Limited mode status file |
uaa.limitedFunctionality.whitelist.endpoints |
{} |
Whitelisted endpoints |
uaa.limitedFunctionality.whitelist.methods |
{} |
Whitelisted HTTP methods |
| Property | Default | Description |
|---|---|---|
metrics.enabled |
true |
Enable metrics collection |
metrics.perRequestMetrics |
false |
Per-request metrics |
| Property | Default | Description |
|---|---|---|
zones.paths.enabled |
false |
Enable zone path routing |
zones.internal.hostnames |
[] |
Hostnames for default zone |
| Property | Default | Description |
|---|---|---|
csp.script-src |
['self'] |
CSP script-src directive |
| Property | Default | Description |
|---|---|---|
logging.file.name.path |
— | Log file directory |
Default: — (required, no default)
Source: @Value("${issuer.uri}") in TokenEndpointBuilder, OpenIdConnectEndpoints
Type: String
The URI that identifies this UAA instance as an OAuth 2.0 / OIDC token issuer. This value appears
in the iss claim of all tokens issued by the UAA and in the OpenID Connect discovery document.
It must be a fully-qualified URL (e.g. http://localhost:8080/uaa).
Default: http://localhost:8080/uaa
Source: @ConfigurationProperties(prefix = "uaa") in UaaProperties.Uaa, @Value("${uaa.url}") in multiple beans
Type: String
The externally-reachable URL of the UAA. Used for constructing token endpoint URLs, JWKS URIs, and other self-referencing links in API responses.
Default: http://localhost:8080/uaa
Source: @Value("${login.url:http://localhost:8080/uaa}") in MessagingConfig, SpringServletXmlBeansConfiguration
Type: String
The base URL of the login server. Used in email templates (e.g. password reset links) and
other contexts where the login page URL is needed. Typically the same as uaa.url.
Default: — (none)
Source: Mapped to Spring active profiles
Type: String (comma-separated)
Controls which Spring profiles are active. Common values:
hsqldb— in-memory HSQLDB (default for testing)postgresql— PostgreSQL databasemysql— MySQL/MariaDB databaseldap— Enable LDAP authenticationsaml— Enable SAML support
Multiple profiles can be combined, e.g. postgresql,ldap.
Default: false
Source: @ConfigurationProperties in UaaProperties.RootLevel
Type: boolean
When true, various UAA cookies will have the Secure attribute set. Should be true in
production when the UAA is served over HTTPS.
Default: 443
Source: @ConfigurationProperties in UaaProperties.RootLevel
Type: int
The HTTPS port for the UAA server. Used in redirect calculations when HTTPS is required.
Default: loginsecret
Source: @ConfigurationProperties in UaaProperties.RootLevel
Type: String
The shared secret that an external login server uses to authenticate to the UAA via the login
client. Each deployment should set a unique value.
Default: false
Source: @ConfigurationProperties in UaaProperties.RootLevel
Type: boolean
When true, logs full HTTP request details for debugging. Should never be true in production.
Default: — (injected internally)
Source: @Value("${environmentYamlKey}") in SpringServletXmlBeansConfiguration
Type: String
An internal property holding the full YAML configuration string. Used by the
YamlConfigurationValidator to validate configuration structure at startup.
Default: false
Source: Referenced in uaa.yml comments, checked via @config['disableInternalAuth']
Type: boolean
When true, authentication via the UAA's internal identity provider (IDP) is disabled.
Users must then authenticate via external IDPs (LDAP, SAML, OAuth/OIDC).
Default: false
Source: @config['disableInternalUserManagement'] in SpringServletXmlBeansConfiguration
Type: boolean
When true, disables user management endpoints and controllers for the internal IDP.
Operations like creating internal users, changing passwords, etc. will be blocked.
Default: true
Source: @Value("${allowUnverifiedUsers:true}") in OauthEndpointBeanConfiguration
Type: boolean
When true, users who have not verified their email can still log in.
Set to false to require email verification before allowing authentication.
Default: Determined by active profile (hsqldb, postgresql, or mysql)
Source: @ConfigurationProperties(prefix = "database") in DatabaseProperties
Type: String
The fully-qualified JDBC driver class name. Typically auto-resolved from the active profile:
- HSQLDB:
org.hsqldb.jdbc.JDBCDriver - PostgreSQL:
org.postgresql.Driver - MySQL:
org.mariadb.jdbc.Driver
Default: Determined by active profile
Source: DatabaseProperties
Type: String
JDBC connection URL for the UAA database (e.g. jdbc:postgresql://localhost/uaa).
Default: — (none)
Source: DatabaseProperties
Type: String
Database connection username.
Default: — (none)
Source: DatabaseProperties
Type: String
Database connection password.
Default: 100
Source: DatabaseProperties
Type: int
Maximum number of active connections in the connection pool.
Default: 10
Source: DatabaseProperties
Type: int
Maximum number of idle connections in the pool.
Default: 0
Source: DatabaseProperties
Type: int
Minimum number of idle connections maintained in the pool.
Default: 30000
Source: DatabaseProperties
Type: int
Maximum time (in milliseconds) to wait for a connection from the pool before throwing an exception.
Default: 10
Source: DatabaseProperties
Type: int
Initial number of connections created when the pool starts.
Default: 10
Source: DatabaseProperties
Type: int
Timeout (in seconds) for the validation query.
Default: 5000
Source: DatabaseProperties
Type: long
Interval (in milliseconds) between connection validation checks.
Default: 10
Source: DatabaseProperties
Type: Integer
Connection timeout (in seconds) for establishing a new database connection.
Default: false
Source: DatabaseProperties
Type: boolean
When true, idle connections are validated periodically.
Default: false
Source: DatabaseProperties
Type: boolean
When true, connections that have been abandoned (not returned to the pool) are reclaimed.
Default: true
Source: DatabaseProperties
Type: boolean
When true, logs a stack trace for abandoned connections to help identify leaks.
Default: 300
Source: DatabaseProperties
Type: int
Time (in seconds) after which a connection is considered abandoned.
Default: 15000
Source: DatabaseProperties
Type: int
Interval (in milliseconds) between eviction runs that remove idle connections.
Default: 60000
Source: DatabaseProperties
Type: int
Minimum time (in milliseconds) a connection can sit idle before being eligible for eviction.
Default: false
Source: DatabaseProperties
Type: boolean
When true, enables case-insensitive queries for username lookups. This affects how
users are searched and matched in the database.
Default: false
Source: @Value("${database.useSkipLocked:false}") in JdbcUaaUserDatabase
Type: boolean
When true, uses the SKIP LOCKED clause in SQL queries to avoid lock contention.
Supported by PostgreSQL and MySQL 8+.
Default: -1 (unlimited)
Source: @Value("${database.maxParameters:-1}") in JdbcUaaUserDatabase, JdbcScimGroupMembershipManager
Type: int
Maximum number of SQL parameters allowed in IN clauses. -1 means no limit.
Use this to work around database driver parameter limits.
Default: memory
Source: UaaSessionConfig (reads servlet.session-store from environment)
Type: String
The session storage mechanism. Accepted values:
memory— In-memory sessions (default, suitable for multi-instance deployments that support sticky sessions)database— Database-backed sessions via Spring Session JDBC
Default: true
Source: @ConfigurationProperties(prefix = "servlet") in UaaProperties.Servlet
Type: boolean
When true, the session cookie value is Base64-encoded. Helps with cookie compatibility
across different web servers and proxies.
Default: — (null, session cookie)
Source: UaaProperties.SessionCookie
Type: Integer (nullable)
Maximum age of the session cookie in seconds. When null, the cookie is a session cookie (expires when the browser closes).
Default: 1800
Source: @ConfigurationProperties(prefix = "servlet") in UaaProperties.Servlet
Type: int
Session idle timeout in seconds. After this period of inactivity, the session expires.
Default: [X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Proto, X-Forwarded-Prefix, Forwarded]
Source: @ConfigurationProperties(prefix = "servlet") in UaaProperties.Servlet
Type: List<String>
HTTP headers that the UAA's request filter will process. These are typically proxy headers used to determine the original client request details.
Default: — (null)
Source: @Value("${jwt.token.signing-key:#{null}}") in OauthEndpointBeanConfiguration
Type: String
Legacy property for specifying a single token signing key (RSA private key in PEM format or
symmetric key). Prefer using jwt.token.policy.keys instead for key rotation support.
Default: — (null)
Source: @Value("${jwt.token.signing-alg:#{null}}") in OauthEndpointBeanConfiguration
Type: String
Legacy signing algorithm override (e.g. RS256, HS256). Prefer using
jwt.token.policy.keys[].signingAlg instead.
Default: — (null)
Source: @Value("${jwt.token.signing-cert:#{null}}") in OauthEndpointBeanConfiguration
Type: String
Legacy signing certificate (X.509 in PEM format) for the signing key. Used as the verification certificate for RS256 tokens when provided.
Default: false
Source: @Value("${jwt.token.revocable:false}") in OauthEndpointBeanConfiguration
Type: boolean
When true, all JWT access tokens issued by the default zone are stored in the revocable
token store, allowing them to be revoked before expiration.
Default: true
Source: @Value("${jwt.token.queryString.enabled:true}") in SpringServletXmlBeansConfiguration
Type: boolean
When true, allows access tokens to be passed via query string parameters.
Disable for increased security (tokens in query strings may be logged).
Default: — (null)
Source: @Value("${jwt.token.policy.activeKeyId:#{null}}") in OauthEndpointBeanConfiguration
Type: String
The key ID of the currently active signing key from the jwt.token.policy.keys map.
Tokens are signed with this key. Other keys in the map remain valid for verification,
enabling key rotation.
Default: {} (empty map)
Source: @config['jwt.token.policy.keys'] in OauthEndpointBeanConfiguration
Type: Map<String, Map<String, String>>
A map of key IDs to signing key configurations. Each entry has:
signingKey— RSA private key in PEM formatsigningAlg— Algorithm (e.g.RS256)
jwt:
token:
policy:
activeKeyId: key-id-1
keys:
key-id-1:
signingAlg: RS256
signingKey: |
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----Default: Falls back to jwt.token.policy.global.accessTokenValiditySeconds
Source: @Value in OauthEndpointBeanConfiguration
Type: int
Access token lifetime in seconds for the default identity zone. Overrides the global value.
Default: Falls back to jwt.token.policy.global.refreshTokenValiditySeconds
Source: @Value in OauthEndpointBeanConfiguration
Type: int
Refresh token lifetime in seconds for the default identity zone. Overrides the global value.
Default: 43200 (12 hours)
Source: @Value("${jwt.token.policy.global.accessTokenValiditySeconds:43200}") in OauthEndpointBeanConfiguration
Type: int
Global default for access token lifetime in seconds. Applies to all zones unless overridden.
Default: 2592000 (30 days)
Source: @Value("${jwt.token.policy.global.refreshTokenValiditySeconds:2592000}") in OauthEndpointBeanConfiguration
Type: int
Global default for refresh token lifetime in seconds. Applies to all zones unless overridden.
Default: opaque
Source: @Value in OauthEndpointBeanConfiguration
Type: String
Format of issued refresh tokens. Accepted values:
opaque— Opaque, randomly generated token stored in the databasejwt— Self-contained JWT refresh token
Default: false
Source: @Value("${jwt.token.refresh.unique:false}") in OauthEndpointBeanConfiguration
Type: boolean
When true, only one refresh token can exist per user/client combination. Issuing a new
refresh token invalidates the previous one.
Default: false
Source: @Value("${jwt.token.refresh.rotate:false}") in OauthEndpointBeanConfiguration
Type: boolean
When true, a new refresh token is issued each time the current refresh token is used
to obtain a new access token (refresh token rotation).
Default: — (not set)
Source: Referenced in uaa.yml comments
Type: boolean
When true, refresh tokens are only granted to clients that have refresh_token
in their scopes for offline access.
Default: [] (empty set)
Source: @config['jwt.token.claims.exclude'] in OauthEndpointBeanConfiguration
Type: List<String>
A list of claim names to exclude from issued JWT tokens. For example, to omit
the authorities claim: exclude: [authorities].
Default: {} (empty)
Source: Loaded via @config['oauth']['clients']
Type: Map<String, OAuthClientConfig>
Bootstrap client definitions loaded at startup. Each entry is keyed by client ID and contains:
id— Client IDsecret— Client secretauthorized-grant-types— Comma-separated grant typesscope— Comma-separated scopesauthorities— Comma-separated authoritiesredirect-uri— Comma-separated redirect URIsautoapprove— Auto-approved scopesallowpublic— Allow public (no secret) authjwks— Inline JWKS for private_key_jwt authjwks_uri— URI to fetch JWKSname— Display name
Default: — (not set)
Source: UaaConfiguration.OAuth.Client
Type: String (boolean-like)
When true, existing OAuth clients are overwritten on bootstrap with the values
defined in the configuration file.
Default: []
Source: UaaConfiguration.OAuth.Client
Type: List<String>
List of client IDs that are auto-approved for all scopes (user consent is not requested).
Default: [openid, scim.me, cloud_controller.read, cloud_controller.write, cloud_controller_service_permissions.read, password.write, scim.userids, uaa.user, approvals.me, oauth.approvals, profile, roles, user_attributes, uaa.offline_token]
Source: @config['oauth']['user']['authorities'] in OauthEndpointBeanConfiguration
Type: List<String>
Default authorities (group memberships) automatically assigned to every new user.
Default: 500
Source: @Value("${clientMaxCount:500}") in ClientAdminEndpoints
Type: int
Maximum number of clients returned in a single list/search response from the
client admin API (/oauth/clients).
Default: 0
Source: @Value("${password.policy.global.minLength:0}") in ScimBeanConfiguration
Type: int
Global minimum password length. Applies across all zones unless overridden.
Set to 0 to impose no minimum.
Default: 255
Source: @Value("${password.policy.global.maxLength:255}") in ScimBeanConfiguration
Type: int
Global maximum password length.
Default: 0
Source: @Value in ScimBeanConfiguration
Type: int
Global minimum number of uppercase characters required. 0 means not enforced.
Default: 0
Source: @Value in ScimBeanConfiguration
Type: int
Global minimum number of lowercase characters required.
Default: 0
Source: @Value in ScimBeanConfiguration
Type: int
Global minimum number of digit characters required.
Default: 0
Source: @Value in ScimBeanConfiguration
Type: int
Global minimum number of special characters required.
Default: 0 (no expiry)
Source: @Value in ScimBeanConfiguration
Type: int
Number of months before a password expires globally. 0 means passwords never expire.
Default: Falls back to password.policy.global.minLength
Source: @Value("${password.policy.minLength:#{globalPasswordPolicy.getMinLength()}}") in ScimBeanConfiguration
Type: int
Minimum password length for the default identity zone. Falls back to the global value if not set.
Default: Falls back to global
Source: @Value in ScimBeanConfiguration
Type: int
Maximum password length for the default identity zone.
Default: Falls back to global
Source: @Value in ScimBeanConfiguration
Type: int
Required uppercase characters for the default zone.
Default: Falls back to global
Source: @Value in ScimBeanConfiguration
Type: int
Required lowercase characters for the default zone.
Default: Falls back to global
Source: @Value in ScimBeanConfiguration
Type: int
Required digits for the default zone.
Default: Falls back to global
Source: @Value in ScimBeanConfiguration
Type: int
Required special characters for the default zone.
Default: Falls back to global
Source: @Value in ScimBeanConfiguration
Type: int
Password expiry in months for the default zone.
Default: 0
Source: @ConfigurationProperties(prefix = "oauth.client.secret.policy.global") in UaaProperties.GlobalClientSecretPolicy
Type: int
Global minimum length for client secrets. Applies across all zones unless overridden.
Default: 255
Source: UaaProperties.GlobalClientSecretPolicy
Type: int
Global maximum length for client secrets.
Default: 0
Source: UaaProperties.GlobalClientSecretPolicy
Type: int
Global minimum uppercase chars for client secrets.
Default: 0
Source: UaaProperties.GlobalClientSecretPolicy
Type: int
Global minimum lowercase chars for client secrets.
Default: 0
Source: UaaProperties.GlobalClientSecretPolicy
Type: int
Global minimum digits for client secrets.
Default: 0
Source: UaaProperties.GlobalClientSecretPolicy
Type: int
Global minimum special characters for client secrets.
Default: 0 (no expiry)
Source: UaaProperties.GlobalClientSecretPolicy
Type: int
Number of months before a client secret expires.
Default: Falls back to global
Source: UaaProperties.DefaultClientSecretPolicy
Type: int
Default zone min client secret length. If set to -1 (or not set), the global value is used.
Default: Falls back to global
Source: UaaProperties.DefaultClientSecretPolicy
Type: int
Default zone max client secret length. If -1, uses global.
Default: 5
Source: @Value("${authentication.policy.global.lockoutAfterFailures:5}") in OauthEndpointBeanConfiguration
Type: int
Global number of consecutive failed login attempts before locking the account.
Default: 1200 (20 minutes)
Source: @Value("${authentication.policy.global.countFailuresWithinSeconds:1200}") in OauthEndpointBeanConfiguration
Type: int
Global time window (in seconds) during which failed attempts are counted toward lockout.
Default: 300 (5 minutes)
Source: @Value("${authentication.policy.global.lockoutPeriodSeconds:300}") in OauthEndpointBeanConfiguration
Type: int
Global duration (in seconds) for which an account remains locked after exceeding the failure threshold.
Default: Falls back to global
Source: @Value in OauthEndpointBeanConfiguration
Type: int
Default zone lockout failure threshold. Falls back to global if not specified.
Default: Falls back to global
Source: @Value in OauthEndpointBeanConfiguration
Type: int
Default zone failure counting window.
Default: Falls back to global
Source: @Value in OauthEndpointBeanConfiguration
Type: int
Default zone lockout duration.
Default: false
Source: @Value("${authentication.enableUriEncodingCompatibilityMode:false}") in OauthEndpointBeanConfiguration
Type: boolean
Enables a backward-compatible URI encoding mode for client authentication. When true,
client credentials are decoded using a legacy algorithm for compatibility with older clients.
Default: [] (empty)
Source: @config['scim']['users'] in ScimBeanConfiguration
Type: List<String>
Bootstrap users created at startup. Each entry is a pipe-delimited string:
username|password|email|firstName|lastName|groups[|origin]
Example:
scim:
users:
- admin|admin|admin@example.com|Admin|User|uaa.admin
- marissa|koala|marissa@test.org|Marissa|Bloggs|uaa.userDefault: {}
Source: Loaded via @config['scim']['groups']
Type: Map<String, String>
Bootstrap groups created at startup. Keys are group names, values are human-readable descriptions. These groups are created in the default identity zone.
scim:
groups:
scim.read: Read all SCIM entities
scim.write: Create, modify and delete SCIM entitiesDefault: []
Source: Loaded via config map
Type: List<String>
Mappings from external (LDAP) groups to internal UAA groups. Each entry is pipe-delimited:
internal_group|external_group_dn
scim:
external_groups:
- internal.read|cn=developers,ou=scopes,dc=test,dc=comDefault: true
Source: @Value("${scim.userids_enabled:true}") in UserIdConversionEndpoints
Type: boolean
Enables the /ids/Users endpoint for converting usernames to user IDs.
Default: false
Source: @Value("${scim.user.override:false}") in ScimBeanConfiguration
Type: boolean
When true, bootstrap users defined in scim.users overwrite existing users with the same
username on every startup.
Default: false
Source: @Value("${scim.delete.deactivate:false}") in JdbcScimUserProvisioning
Type: boolean
When true, SCIM user DELETE operations deactivate the user (set active=false) instead
of permanently deleting the record.
Default: 500
Source: @Value("${userMaxCount:500}") in ScimUserEndpoints
Type: int
Maximum number of users returned in a single list/search response from the SCIM Users API.
Default: 500
Source: @Value("${groupMaxCount:500}") in ScimGroupEndpoints
Type: int
Maximum number of groups returned in a single list/search response from the SCIM Groups API.
Default: — (null)
Source: @Value("${delete.users:#{null}}") in ScimBeanConfiguration
Type: List<String>
List of usernames to delete on bootstrap. Used to remove specific users during startup.
Default: true
Source: @ConfigurationProperties(prefix = "login") in UaaProperties.Login
Type: boolean
When true, "Create Account" and "Forgot Password" links are displayed on the login page.
Default: — (null)
Source: UaaProperties.Login
Type: String
URL to redirect to after successful login if no redirect was requested.
Default: false
Source: UaaProperties.Login
Type: boolean
When true, the login page first asks for the user's email to discover which
identity provider (IDP) should be used for authentication.
Default: false
Source: UaaProperties.Login
Type: boolean
When true, users see an account chooser UI that lets them pick from previously used accounts.
Default: http://localhost:8080/uaa
Source: @Value("${login.entityBaseURL:http://localhost:8080/uaa}") in SpringServletXmlBeansConfiguration, SamlRelyingPartyRegistrationRepositoryConfig
Type: String
The base URL of this UAA instance for SAML SP metadata generation. This URL appears in the
SAML metadata as the service provider's base location. When null, UAA uses the request URL,
which enables automatic zone subdomain resolution.
Default: unit-test-sp (production deployments should override)
Source: @Value("${login.entityID:unit-test-sp}") in SamlConfiguration
Type: String
The SAML entity ID (issuer name) for this UAA instance as a SAML Service Provider.
This value is declared in SAML SP metadata as the entityID attribute.
Default: Email
Source: @Value("${login.prompt.username.text:Email}") in SpringServletXmlBeansConfiguration
Type: String
The label text displayed for the username input field on the login page.
Default: Password
Source: @Value("${login.prompt.password.text:Password}") in SpringServletXmlBeansConfiguration
Type: String
The label text displayed for the password input field on the login page.
Default: — (null)
Source: UaaProperties.Login
Type: Map<String, Object>
Customizes the visual branding of the login UI. Supports the following sub-keys:
companyName— Company name displayed in the UIproductLogo— Base64-encoded product logo imagesquareLogo— Base64-encoded square logofooterLegalText— Legal text in the footerfooterLinks— Map of link names to URLsbanner.logo— Base64-encoded banner logobanner.text— Banner textbanner.textColor— Banner text color (hex)banner.backgroundColor— Banner background color (hex)banner.link— Banner link URL
Default: — (null)
Source: UaaProperties.Login
Type: String
When set, automatically routes users to the specified IDP origin key, skipping the login page.
Default: — (null, no restriction)
Source: @Value("${login.allowedGroups:#{null}}") in SpringServletXmlBeansConfiguration
Type: List<String>
When set, only users who are members of at least one of these groups can log in. Null means no restriction.
Default: false
Source: @Value("${login.checkOriginEnabled:false}") in SpringServletXmlBeansConfiguration
Type: boolean
When true, the UAA checks the user's origin during authentication to ensure it matches
the expected IDP.
Default: -1 (unlimited)
Source: @Value("${login.maxUsers:-1}") in SpringServletXmlBeansConfiguration
Type: int
Maximum number of users allowed in the system. -1 means unlimited.
Default: true
Source: @Value("${login.allowOriginLoop:true}") in SpringServletXmlBeansConfiguration
Type: boolean
When true, allows redirect loops between origins during authentication flows.
Default: false
Source: @Value("${login.aliasEntitiesEnabled:false}") in AliasEntitiesConfig
Type: boolean
When true, enables identity provider and client alias entities across identity zones.
Default: — (not set)
Source: @config['login']['oauth']['providers'] in SpringServletXmlBeansConfiguration
Type: Map<String, Map>
External OAuth 2.0 and OIDC provider definitions. Each provider entry includes:
type—oauth2.0oroidc1.0authUrl/discoveryUrl— Authorization or discovery URLtokenUrl— Token endpointtokenKey/tokenKeyUrl— Key for token verificationissuer— Expected token issuerscopes— List of scopes to requestlinkText— Text for the login linkrelyingPartyId/relyingPartySecret— Client credentialsattributeMappings— Attribute mapping configuration
Default: — (none)
Source: SamlConfigProps
Type: String
The ID of the active key from the login.saml.keys map. SAML requests and metadata are
signed with this key.
Default: {} (empty)
Source: SamlConfigProps
Type: Map<String, SamlKey>
Map of key IDs to SAML key configurations. Each key has:
key— RSA private key in PEM formatcertificate— X.509 certificate in PEM formatpassphrase— Optional key passphrase
Default: — (null, falls back to login.entityID)
Source: SamlConfigProps
Type: String
Alias for the SAML SP entity ID. Used in SSO URLs like /saml/SSO/alias/{entityIDAlias}.
If not set, falls back to the host portion of login.entityID.
Default: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Source: SamlConfigProps, @Value("${login.saml.nameID:...}") in SamlRelyingPartyRegistrationRepositoryConfig
Type: String
Default SAML NameID format requested in authentication requests.
Default: 0
Source: SamlConfigProps
Type: int
The index of the Assertion Consumer Service (ACS) endpoint to use.
Default: true
Source: SamlConfigProps
Type: Boolean
When true, the generated SAML SP metadata includes a signature. When false,
no signature is included in the metadata XML.
Default: true
Source: SamlConfigProps
Type: Boolean
When true, SAML authentication requests (AuthnRequest) sent to IDPs are signed.
Default: true
Source: SamlConfigProps
Type: Boolean
When true, the SP metadata declares that it wants incoming SAML assertions to be signed.
Default: SHA256
Source: SamlConfigProps
Type: String
Algorithm used for SAML signatures. Accepted values: SHA1, SHA256, SHA512.
Default: false
Source: SamlConfigProps
Type: Boolean
When true, the InResponseTo field in incoming SAML assertions is not validated.
Useful for IDP-initiated SSO flows.
Default: — (not configured)
Source: SamlConfigProps (via EnvironmentAware)
Type: Map<String, Map<String, Object>>
SAML Identity Provider definitions. Each entry is keyed by a provider alias and includes:
idpMetadata— Inline metadata XML or URL to metadatanameID— NameID format for this IDPassertionConsumerIndex— ACS index for this IDPmetadataTrustCheck— Validate metadata signatureshowSamlLoginLink— Show login link on login pagelinkText— Text for the login linkiconUrl— Icon URL for the login linkaddShadowUserOnLogin— Create local user on first loginemailDomain— Email domains for IDP discoveryexternalGroupsWhitelist— Allowed external groupsattributeMappings— Attribute mapping configuration
Default: — (none)
Source: UaaProperties.Login, SamlConfigProps (deprecated since 77.20.0)
Type: String
Legacy property for the SAML SP private key. Use login.saml.keys instead.
The key, password, and certificate are grouped together:
login.serviceProviderKey— RSA private key in PEMlogin.serviceProviderKeyPassword— Key passphraselogin.serviceProviderCertificate— X.509 certificate in PEM
Default: /login
Source: @ConfigurationProperties(prefix = "logout") in UaaProperties.Logout
Type: String
URL to redirect to after logout. Relative URLs are resolved against the UAA base URL.
Default: false
Source: UaaProperties.LogoutRedirectParameter
Type: boolean
When true, the redirect query parameter on the logout endpoint is ignored.
Default: [] (empty, no restriction)
Source: UaaProperties.LogoutRedirectParameter
Type: List<String>
Allowed redirect URLs for the logout endpoint. If empty, all redirects are allowed.
logout:
redirect:
parameter:
whitelist:
- https://app1.example.com/logout-success
- https://app2.example.com/logout-successDefault: — (null, uses internal /forgot_password)
Source: @Value("${links.global.passwd:#{null}}") in SpringServletXmlBeansConfiguration
Type: String
Custom URL for the "Forgot Password" link on the login page. When null, the UAA's internal forgot-password flow is used.
Default: — (null, uses internal /create_account)
Source: @Value("${links.global.signup:#{null}}") in SpringServletXmlBeansConfiguration
Type: String
Custom URL for the "Create Account" link on the login page. When null, the UAA's internal account creation flow is used.
Default: — (null)
Source: @Value("${links.global.homeRedirect:#{null}}") in SpringServletXmlBeansConfiguration
Type: String
URL to redirect to after login when no target redirect was specified.
Default: false
Source: @Value("${cors.enforceSystemZonePolicyInAllZones:false}") in CorsProperties
Type: boolean
When true, the system (default) zone's CORS policy is enforced in all identity zones,
overriding per-zone CORS configurations.
Default: 1728000 (20 days)
Source: @Value("${cors.default.max_age:1728000}") in CorsProperties
Type: int
Maximum time (in seconds) a preflight response can be cached for default CORS requests.
Default: [".*"] (all URIs)
Source: CorsProperties.DefaultAllowed
Type: List<String>
Regex patterns for URIs that allow CORS requests (non-XHR). Default permits all.
Default: [".*"] (all origins)
Source: CorsProperties.DefaultAllowed
Type: List<String>
Regex patterns for allowed CORS origins (non-XHR).
Default: [Accept, Authorization, Content-Type, Accept-Language, Content-Language]
Source: CorsProperties.DefaultAllowed
Type: List<String>
Allowed request headers for default CORS.
Default: [GET, POST, PUT, OPTIONS, DELETE, PATCH]
Source: CorsProperties.DefaultAllowed
Type: List<String>
Allowed HTTP methods for default CORS.
Default: false
Source: CorsProperties.DefaultAllowed
Type: boolean
Whether default CORS responses include Access-Control-Allow-Credentials: true.
Default: 1728000 (20 days)
Source: @Value("${cors.xhr.max_age:1728000}") in CorsProperties
Type: int
Maximum preflight cache time for XHR CORS requests.
Default: [".*"]
Source: CorsProperties.XhrAllowed
Type: List<String>
Regex patterns for URIs that allow XHR CORS requests.
Default: [".*"]
Source: CorsProperties.XhrAllowed
Type: List<String>
Regex patterns for allowed XHR CORS origins.
Default: [Accept, Authorization, Content-Type, Accept-Language, Content-Language, X-Requested-With]
Source: CorsProperties.XhrAllowed
Type: List<String>
Allowed request headers for XHR CORS. Includes X-Requested-With by default.
Default: [GET, OPTIONS]
Source: CorsProperties.XhrAllowed
Type: List<String>
Allowed HTTP methods for XHR CORS. More restrictive than the default CORS policy.
Default: true
Source: CorsProperties.XhrAllowed
Type: boolean
Whether XHR CORS responses include Access-Control-Allow-Credentials: true.
Default is true for XHR.
Default: localhost
Source: @ConfigurationProperties(prefix = "smtp") in SmtpProperties
Type: String
SMTP server hostname for sending emails (account verification, password reset, etc.).
Default: 25
Source: SmtpProperties
Type: int
SMTP server port.
Default: "" (empty)
Source: SmtpProperties
Type: String
Username for SMTP authentication.
Default: "" (empty)
Source: SmtpProperties
Type: String
Password for SMTP authentication.
Default: false
Source: SmtpProperties
Type: boolean
When true, enables SMTP authentication using smtp.user and smtp.password.
Default: false
Source: SmtpProperties
Type: boolean
When true, enables STARTTLS encryption for SMTP connections.
Default: TLSv1.2
Source: SmtpProperties
Type: String
SSL/TLS protocol versions to use for SMTP connections.
Default: "" (empty)
Source: SmtpProperties
Type: String
The "From" address for emails sent by the UAA.
Default: — (null)
Source: @ConditionalOnProperty(value = "notifications.url") in MessagingConfig
Type: String
URL of an external notification service. When set, HTTP-based notifications are used instead of SMTP emails. When not set, falls back to email-based messaging.
Default: true
Source: NotificationsProperties
Type: boolean
When true, notifications are sent for events occurring in the default identity zone.
Default: false
Source: NotificationsProperties
Type: boolean
When true, verifies SSL certificates when connecting to the notification service.
Default: — (not set)
Source: YAML config, injected via @config['ldap']
Type: String
Path to the LDAP profile configuration file. Determines the bind mode:
ldap/ldap-simple-bind.xml— Simple bind (user DN pattern)ldap/ldap-search-and-bind.xml— Search then bindldap/ldap-search-and-compare.xml— Search then compare
Default: — (not set)
Source: YAML config
Type: String
LDAP server URL (e.g. ldap://localhost:389/ or ldaps://ldap.example.com:636/).
Default: — (not set)
Source: YAML config
Type: String
The DN used to bind to the LDAP server for user searches (search-and-bind mode).
Default: — (not set)
Source: YAML config
Type: String
Password for the bind DN.
Default: — (not set)
Source: YAML config
Type: String
Base DN for LDAP user searches (e.g. dc=test,dc=com).
Default: — (not set)
Source: YAML config
Type: String
LDAP search filter for finding users. {0} is replaced with the username
(e.g. cn={0} or (uid={0})).
Default: — (not set)
Source: YAML config
Type: String
DN pattern for simple-bind mode. {0} is replaced with the username.
Multiple patterns can be separated by semicolons.
Example: cn={0},ou=Users,dc=test,dc=com;cn={0},ou=OtherUsers,dc=example,dc=com
Default: — (not set)
Source: YAML config
Type: String
How LDAP referrals are handled. Common values: follow, ignore.
Default: false
Source: YAML config
Type: boolean
When true, skips SSL certificate verification for LDAPS connections.
Should only be used in development/testing.
Default: — (not set)
Source: YAML config
Type: String
Path to the LDAP groups configuration file (e.g. ldap/ldap-groups-map-to-scopes.xml).
Default: — (not set)
Source: YAML config
Type: String
Base DN for LDAP group searches.
Default: — (not set)
Source: YAML config
Type: String
Filter for finding group membership (e.g. member={0}).
Default: 10
Source: YAML config
Type: int
Maximum depth for nested group lookups.
Default: — (not set)
Source: YAML config
Type: boolean
When true, LDAP groups are automatically created as UAA groups if they don't exist.
Default: — (required)
Source: UaaConfiguration.Encryption
Type: String
Label identifying the active encryption key from the encryption_keys list.
Used for encrypting new data. All listed keys can be used for decryption.
Default: — (required)
Source: UaaConfiguration.Encryption
Type: List<EncryptionKey>
List of encryption keys. Each key has:
label— Unique identifierpassphrase— Encryption passphrase
encryption:
active_key_label: key-1
encryption_keys:
- label: key-1
passphrase: MY-PASSPHRASE
- label: key-2
passphrase: MY-OLD-PASSPHRASEMultiple keys allow for key rotation: new data is encrypted with the active key; old data encrypted with any listed key can still be decrypted.
Default: OnlyLimited (only log rate-limited requests)
Source: UaaConfiguration.RateLimit
Type: String
Controls rate limiting log verbosity. Accepted values:
OnlyLimited— Only log when a request is rate-limitedAllCalls— Log all calls with rate-limit infoAllCallsWithDetails— Log all calls with full details
Default: — (not set)
Source: UaaConfiguration.RateLimit
Type: String
Regex pattern to extract a credential identifier from JWT claims for per-credential
rate limiting. Example: 'JWT:Claims+"sub"\s*:\s*"(.*?)"'
Default: []
Source: UaaConfiguration.RateLimit
Type: List<LimiterMapping>
List of rate limiting rules. Each mapping has:
name— Rule namewithCallerRemoteAddressID— Per-IP rate limit (e.g.50r/s)withCallerCredentialsID— Per-credential rate limitglobal— Global rate limitpathSelectors— List of path matching rules:equals:/path— Exact matchstartsWith:/prefix— Prefix matchother— Catch-all for unmatched paths
ratelimit:
limiterMappings:
- name: LoginPage
withCallerRemoteAddressID: 50r/1s
pathSelectors:
- "equals:/login"
- name: EverythingElse
global: 1000r/s
pathSelectors:
- "other"Default: 10000 (10 seconds)
Source: @Value("${rest.template.timeout:10000}") in RestTemplateConfig
Type: int
Connection and read timeout (in milliseconds) for outbound HTTP requests made by the UAA (e.g. OIDC metadata fetch, notification service calls).
Default: 10
Source: @Value("${rest.template.maxTotal:10}") in RestTemplateConfig
Type: int
Maximum total number of outbound HTTP connections in the connection pool.
Default: 5
Source: @Value("${rest.template.maxPerRoute:5}") in RestTemplateConfig
Type: int
Maximum number of connections per route (per target host).
Default: 0 (no keep-alive limit)
Source: @Value("${rest.template.maxKeepAlive:0}") in RestTemplateConfig
Type: int
Maximum keep-alive time (in milliseconds) for persistent HTTP connections. 0 means no limit.
Default: 2000
Source: @Value("${rest.template.validateAfterInactivity:2000}") in RestTemplateConfig
Type: int
Time (in milliseconds) after which an idle connection is validated before reuse.
Default: 0
Source: @Value("${rest.template.retryCount:0}") in RestTemplateConfig
Type: int
Number of times to retry failed outbound HTTP requests. 0 means no retries.
Default: uaa
Source: @Value("${brave.localServiceName:uaa}") in TracingAutoConfiguration
Type: String
The service name reported in distributed traces (Brave/Zipkin).
Default: true
Source: @Value("${brave.supportsJoin:true}") in TracingAutoConfiguration
Type: boolean
When true, incoming spans can be joined (shared) rather than always creating child spans.
Default: false
Source: @Value("${brave.traceId128Bit:false}") in TracingAutoConfiguration
Type: boolean
When true, trace IDs are 128 bits instead of 64 bits. Recommended for compatibility
with systems like AWS X-Ray.
Default: 10000 (10 seconds)
Source: @Value("${uaa.shutdown.sleep:10000}") in HealthzEndpoint
Type: long
Time (in milliseconds) the /healthz endpoint waits during shutdown before the process exits.
During this period, the endpoint returns HTTP 503, allowing load balancers to drain connections.
Default: 10000 (10 seconds)
Source: @Scheduled(fixedRateString = "${uaa.health.db.rate:10000}") in HealthzEndpoint
Type: long
Interval (in milliseconds) between database connectivity health checks.
Default: 2500
Source: @Value("${delete.expirationRunTime:2500}") in OauthEndpointBeanConfiguration
Type: int
Maximum runtime (in milliseconds) for a single expired-token cleanup run in the revocable token store.
Default: — (null, limited mode disabled)
Source: @Value("${uaa.limitedFunctionality.statusFile:#{null}}") in LimitedModeProperties
Type: File
Path to a file that, when present, puts the UAA into limited-functionality mode. In this mode, only whitelisted endpoints and HTTP methods are allowed.
Default: {} (empty set)
Source: LimitedModeProperties.Permitted
Type: Set<String>
Set of endpoint patterns that remain accessible when the UAA is in limited-functionality mode.
Default: {} (empty set)
Source: LimitedModeProperties.Permitted
Type: Set<String>
Set of HTTP methods allowed when the UAA is in limited-functionality mode.
Default: true
Source: @ConfigurationProperties(prefix = "metrics") in UaaProperties.Metrics
Type: boolean
Enables or disables metrics collection.
Default: false
Source: UaaProperties.Metrics
Type: boolean
When true, collects metrics for each individual request (higher overhead).
When false, only aggregate metrics are collected.
Default: false
Source: @Value("${zones.paths.enabled:false}") in ZonePathContextRewritingFilterConfiguration
Type: boolean
When true, enables path-based identity zone routing via /z/{subdomain}/ URL prefixes.
This allows multiple zones to be accessed through the same hostname using different
URL paths instead of different subdomains.
Default: [] (empty, defaults to localhost)
Source: @ConfigurationProperties(prefix = "zones") in UaaProperties.Zones
Type: Set<String>
A comprehensive list of hostnames that route to the UAA default zone. The UAA uses these to distinguish zone subdomains. If a request's hostname is not in this list and has extra subdomain levels, it is treated as a zone subdomain.
zones:
internal:
hostnames:
- uaa.example.com
- login.example.comDefault: ['self']
Source: @ConfigurationProperties(prefix = "csp") in UaaProperties.Csp
Type: List<String>
Content Security Policy script-src directive values. Controls which sources are allowed
to execute JavaScript on UAA pages.
Default: — (not set)
Source: YAML config
Type: String
Directory path for UAA log files (e.g. /tmp/uaa/logs).
Configuration values are resolved in the following order (later sources override earlier ones):
uaa/src/main/resources/uaa.yml— Embedded defaults in the application JAR$CLOUDFOUNDRY_CONFIG_PATH/uaa.yml— External config file via Cloud Foundry config path$UAA_CONFIG_PATH/uaa.yml— External config file via UAA-specific config path$UAA_CONFIG_URL— Remote configuration URL- System properties and environment variables — Standard Spring Boot property resolution
The spring_profiles property activates Spring profiles that control database selection and
optional features:
| Profile | Purpose |
|---|---|
hsqldb |
In-memory HSQLDB database (default for development) |
postgresql |
PostgreSQL database |
mysql |
MySQL/MariaDB database |
ldap |
Enable LDAP authentication |
saml |
Enable SAML support |
Multiple profiles can be combined: spring_profiles: postgresql,ldap