local.env.dist

### ID Broker configuration parameters ###

# Unless otherwise indicated, date and time periods must be specified in
# PHP relative date format. Examples: "+30 days", "+15 minutes", "+4 weeks"
# See http://php.net/manual/en/datetime.formats.relative.php
# for details on this format.

# Do not enclose values in quotation marks. Spaces are allowed if
# appropriate for an individual parameter.

# Parameters are required unless a default is shown or specifically
# described as optional.


# === IDP parameters ===

# The code name of this IdP. Example: "org"
IDP_NAME=


# === AWS AppConfig ===

# The AWS region in use
AWS_REGION

# The AppConfig Application ID (or name)
APP_ID

# The AppConfig Configuration Profile ID (or name)
CONFIG_ID

# The AppConfig Environment ID (or name)
ENV_ID


# === email template data ===

# The user-friendly version of the name of this IdP. For example:
#IDP_DISPLAY_NAME=Some Organization
IDP_DISPLAY_NAME=

# URL of the help center
HELP_CENTER_URL=

# URL of the password manager UI
PASSWORD_PROFILE_URL=https://www.example.com

# help desk email address
SUPPORT_EMAIL=

# alternative name for support; defaults to "support"
SUPPORT_NAME=

# email signature line
EMAIL_SIGNATURE=


# === email service parameters ===

EMAIL_SERVICE_accessToken=
EMAIL_SERVICE_assertValidIp=
EMAIL_SERVICE_baseUrl=
EMAIL_SERVICE_validIpRanges=


# === database parameters ===

MYSQL_ROOT_PASSWORD=
MYSQL_HOST=
MYSQL_DATABASE=
MYSQL_USER=
MYSQL_PASSWORD=


# === API authentication ===

# access key for authentication with the ID Broker API; format is comma-
# separated tokens (no-space), for example:
#API_ACCESS_KEYS=test-cli-abc123,consumer-id-def456,something-unique-ghi789
API_ACCESS_KEYS=


# === Google Analytics ===

# aB-abcdef7890123456789 (i.e. the Google Analytics 4 API secret)
# Note: there is a different secret for every GA Data Stream
# So this must correspond to the secret for the GA_MEASUREMENT_ID below
GA_API_SECRET=

# G-ABCDE67890 (i.e. the Google Analytics property id)
GA_MEASUREMENT_ID=

# This identifies the user.
GA_CLIENT_ID=


# === error notification ===

# If this is defined, error messages will be sent to this email address.
#NOTIFICATION_EMAIL=

# To use Sentry for error alerting, obtain DSN from Sentry dashboard: Settings - Projects - (project) - Client Keys
SENTRY_DSN=


# === user email parameters ===

# Set the following to true or false to enable or disable each message type.
# The default values are as listed here.
#SEND_INVITE_EMAILS=true
#SEND_MFA_RATE_LIMIT_EMAILS=true
#SEND_PASSWORD_CHANGED_EMAILS=true
#SEND_WELCOME_EMAILS=true
# Sent when a user has no backup codes
#SEND_GET_BACKUP_CODES_EMAILS=true
# Sent when user is low on backup codes. See MINIMUM_BACKUP_CODES_BEFORE_NAG
#SEND_REFRESH_BACKUP_CODES_EMAILS=true
#SEND_LOST_SECURITY_KEY_EMAILS=true
#SEND_MFA_OPTION_ADDED_EMAILS=true
#SEND_MFA_OPTION_REMOVED_EMAILS=true
#SEND_MFA_ENABLED_EMAILS=true
#SEND_MFA_DISABLED_EMAILS=true
#SEND_METHOD_REMINDER_EMAILS=true
#SEND_METHOD_PURGED_EMAILS=true
#SEND_PASSWORD_EXPIRING_EMAILS=true
#SEND_PASSWORD_EXPIRED_EMAILS=true

# define the following to change the default subject line
# default subjects are defined in application/common/components/Emailer.php
#SUBJECT_FOR_INVITE=
#SUBJECT_FOR_MFA_RATE_LIMIT=
#SUBJECT_FOR_PASSWORD_CHANGED=
#SUBJECT_FOR_WELCOME=
#SUBJECT_FOR_GET_BACKUP_CODES=
#SUBJECT_FOR_REFRESH_BACKUP_CODES=
#SUBJECT_FOR_LOST_SECURITY_KEY=
#SUBJECT_FOR_MFA_OPTION_ADDED=
#SUBJECT_FOR_MFA_OPTION_REMOVED=
#SUBJECT_FOR_MFA_ENABLED=
#SUBJECT_FOR_MFA_DISABLED=
#SUBJECT_FOR_MFA_MANAGER=
#SUBJECT_FOR_MFA_MANAGER_HELP=
#SUBJECT_FOR_METHOD_VERIFY=
#SUBJECT_FOR_METHOD_REMINDER=
#SUBJECT_FOR_METHOD_PURGED=
#SUBJECT_FOR_PASSWORD_EXPIRING=
#SUBJECT_FOR_PASSWORD_EXPIRED=
#SUBJECT_FOR_ABANDONED_USERS=

# If this is defined, HR notification emails will be sent here
HR_NOTIFICATIONS_EMAIL=test@test.com

# The number of days of not using a security key after which we email
# the user. Defaults to 62.
#LOST_SECURITY_KEY_EMAIL_DAYS=

# Nag the user if they have FEWER than this number of backup codes
# Defaults to 4
#MINIMUM_BACKUP_CODES_BEFORE_NAG=

# Don't resend the same type of email to the same user for X days
# Defaults to 31
#EMAIL_REPEAT_DELAY_DAYS=

# How long to delay new user invite email.
# Default is 0 (not delayed)
#INVITE_EMAIL_DELAY_SECONDS=0


# === Password parameters ===

# number of passwords to remember for "recent password" restriction
# defaults to 10
#PASSWORD_REUSE_LIMIT=

# time span before which the user should set a new password
# defaults to "+1 year"
#PASSWORD_LIFESPAN=

# extension to password lifespan for users that have at least one
# 2-step Verification option, defaults to "+4 years"
#PASSWORD_MFA_LIFESPAN_EXTENSION=

# grace period after PASSWORD_LIFESPAN after which the account will
# be locked; defaults to "+30 days"
#PASSWORD_EXPIRATION_GRACE_PERIOD=


# === New user invite parameters ===
# time span before the invite code expires; defaults to "+1 month"
#INVITE_LIFESPAN=

# grace period after the invite lifespan, after which the invite will
# be deleted; defaults to "+3 months"
#INVITE_GRACE_PERIOD=


# === MFA parameters ===

# Require MFA for all new users, default is disabled
#MFA_REQUIRED_FOR_NEW_USERS=false

# If false, 'require_mfa' cannot be set to 'no' for any user, default=true
#MFA_ALLOW_DISABLE=true

# MFA_LIFETIME defines the amount of time in which an MFA must be verified
# defaults to "+2 hours"
#MFA_LIFETIME=

# Email address to include in bcc for manager mfa emails
# By default does not include a bcc address.
#MFA_MANAGER_BCC=

# Email address to include in bcc for manager mfa help emails
# By default does not include a bcc address.
#MFA_MANAGER_HELP_BCC=

# Required parameters for TOTP service
#MFA_TOTP_apiBaseUrl=
#MFA_TOTP_apiKey=
#MFA_TOTP_apiSecret=

# Required parameters for WebAuthn service
#MFA_WEBAUTHN_apiBaseUrl=
#MFA_WEBAUTHN_apiKey=
#MFA_WEBAUTHN_apiSecret=
#MFA_WEBAUTHN_appId=
#MFA_WEBAUTHN_rpDisplayName=
#MFA_WEBAUTHN_rpId=
# Array of origins allowed as relying parties (with scheme, without port or path)
#RP_ORIGINS=

# === Password Recovery Method parameters ===

# defines the expiration time -- the amount of time in which a recovery
# method must be verified; defaults to "+5 days"
#METHOD_lifetime=

# If a recovery method has been expired longer than this amount of time,
# it will be removed; defaults to "+15 days"
# Note: if the sum of METHOD_lifetime and METHOD_gracePeriod are longer
# than EMAIL_REPEAT_DELAY_DAYS, additional reminder(s) may be sent to
# verify the recovery method.
#METHOD_gracePeriod=

# number of digits in verification code; defaults to 6
#METHOD_codeLength=

# maximum number of verification attempts allowed; defaults to 10
#METHOD_maxAttempts=


# === User nag intervals for MFAs and Password Recovery Methods. ===

# interval between reminders to add MFAs; defaults to "+30 days"
#MFA_ADD_INTERVAL=

# interval between reminders to add recovery methods; defaults to "+6 months"
#METHOD_ADD_INTERVAL=

# interval between reminders to review profile; defaults to "+6 months"
#PROFILE_REVIEW_INTERVAL=


# === Creation of new "contingent" user with no primary email address. ===

# time before expiration of a "contingent" user
#CONTINGENT_USER_DURATION=+4 weeks


# === Deletion of inactive users after a configurable amount of time ===

# Enable deletion of inactive users
#INACTIVE_USER_DELETION_ENABLE=false

# Time a user record can remain inactive before being deleted ===
#INACTIVE_USER_PERIOD=+18 months


# === Abandoned User configuration variables ===

# Time a user record can remain abandoned before HR is notified
#ABANDONED_USER_abandonedPeriod=+6 months

# URL for best practices
#ABANDONED_USER_bestPracticeUrl=

# URL for instruction on how to deactivate user accounts
#ABANDONED_USER_deactivateInstructionsUrl=

# === Debug and development ===

# specify one of [prod|dev|test]; defaults to prod
#APP_ENV=

# === Composer ===
# (optional) auth key for Composer to bypass GitHub rate limiting, example:
#COMPOSER_AUTH={"github-oauth":{"github.com":"12341142b12441234c12414124d124e1234124f2"}}
#COMPOSER_AUTH=

# (optional) IP Address of development machine. Used for Xdebug connection.
#REMOTE_DEBUG_IP=

# === haveibeenpwned configs ===

# Check password against hibp on login
HIBP_CHECK_ON_LOGIN=true

# Check interval
HIBP_CHECK_INTERVAL=+1 week

# Grace period to allow user to change password
HIBP_GRACE_PERIOD=+1 week

# Set to true to track hibp but not expire leaked passwords
HIBP_TRACKING_ONLY=false

# Email address to bcc pwned alerts
HIBP_NOTIFICATION_BCC=

# === Google Sheets config ===

# enable Google Sheets export
GOOGLE_enableSheetsExport=false

# application name to send to Google API
GOOGLE_applicationName=id-broker

# file path to a json auth file
GOOGLE_jsonAuthFilePath=/data/auth.json

# json string to use for auth if json auth file is not provided
GOOGLE_jsonAuthString={}

# delegated admin account
GOOGLE_delegatedAdmin=admin@example.com

# spreadsheet ID
GOOGLE_spreadsheetId=putAnActualSheetIDHerejD70xAjqPnOCHlDK3YomH

# === external groups sync sets === #

# Note: Collapse JSON auth key from Google to a single line for the ...JsonAuthString values.
# Example command to format and copy to your clipboard:
# cat service-account-key-from-google-abcdef123456.json | jq -c "." | pbcopy

# EXTERNAL_GROUPS_SYNC_set1AppPrefix=
# EXTERNAL_GROUPS_SYNC_set1GoogleSheetId=
# EXTERNAL_GROUPS_SYNC_set1JsonAuthString=
## Optional:
# EXTERNAL_GROUPS_SYNC_set1ErrorsEmailRecipient=

# EXTERNAL_GROUPS_SYNC_set2AppPrefix=
# EXTERNAL_GROUPS_SYNC_set2GoogleSheetId=
# EXTERNAL_GROUPS_SYNC_set2JsonAuthString=
## Optional:
# EXTERNAL_GROUPS_SYNC_set2ErrorsEmailRecipient=

# ... with as many sets as you want.