Configuration Reference
This page documents every configurable setting in OrbisID, grouped by category.
Environment Variables
These are set in the .env file and passed to Docker containers.
Image and Registry
| Variable | Default | Description |
|---|---|---|
| ORBISID_VERSION | Set by release | Docker image version tag |
| ORBISID_REGISTRY | orbisid | Docker registry prefix |
Encryption
| Variable | Default | Description |
|---|---|---|
| ENCRYPTION_KEY | none (required) | AES-256-GCM key for encrypting credentials at rest. Generate with openssl rand -base64 32, which produces 32 random bytes (the AES-256 key size) as 44 base64 characters. Must be kept safe and backed up: if it is lost, the encrypted data cannot be recovered. |
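The generation command above matters more than it looks: the key has to be 32 bytes once decoded, and a value that merely looks like a key (for instance the 64 hex digits from openssl rand -hex 32, which base64-decode to 48 bytes) will not be an AES-256 key. The shell helper below is an added example, not part of OrbisID, that generates a key in the documented form and checks a candidate value before it goes into .env. It assumes the value is consumed as base64 (as the documented command implies) and that base64 -d is available (GNU coreutils or busybox; older macOS releases use base64 -D).

```shell
#!/bin/sh
# Added example (not OrbisID code): generate and sanity-check ENCRYPTION_KEY.
# Assumption: OrbisID reads the variable as base64, so a valid value must
# decode to exactly 32 bytes (AES-256 key size).

# Print a fresh key in the documented form: 32 random bytes, base64-encoded.
gen_encryption_key() {
  openssl rand -base64 32
}

# Return 0 if the argument is base64 that decodes to exactly 32 bytes.
check_encryption_key() {
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "${n:-0}" -eq 32 ]
}

# Constructed sample values for demonstration (not real keys):
# 32 zero bytes, base64-encoded: the right shape, wrong only in entropy.
GOOD_KEY=$(dd if=/dev/zero bs=32 count=1 2>/dev/null | base64 | tr -d '\n')
# The common mistake: `openssl rand -hex 32` output is 64 hex digits, which
# are valid base64 characters but decode to 48 bytes, not 32.
HEX_KEY='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
# Too short to be a key at all.
SHORT_KEY='c2VjcmV0'

# Usage: sh check_key.sh "$ENCRYPTION_KEY"  (exit status 1 if rejected)
if [ $# -gt 0 ]; then
  if check_encryption_key "$1"; then
    echo "ok: ENCRYPTION_KEY decodes to 32 bytes"
  else
    echo "rejected: ENCRYPTION_KEY is not a 32-byte base64 value" >&2
    exit 1
  fi
fi
```

Run the check against the value in .env before the first start; once credentials have been encrypted under a key, changing it makes them unreadable, which is the "cannot be recovered" case in the table. Keep the .env file readable only by the account that starts the containers.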
Database (All-in-One)
| Variable | Default | Description |
|---|---|---|
| POSTGRES_DB | orbisid | Database name |
| POSTGRES_USER | orbisid | Database username |
| POSTGRES_PASSWORD | none (required) | Database password |
Database (External)
| Variable | Default | Description |
|---|---|---|
| DB_HOST | - | PostgreSQL hostname or IP |
| DB_PORT | 5432 | PostgreSQL port |
| DB_NAME | orbisid | Database name |
| DB_USERNAME | orbisid | Database username |
| DB_PASSWORD | - | Database password |
Spring Profile
| Variable | Default | Description |
|---|---|---|
| SPRING_PROFILES_ACTIVE | docker | Spring Boot profile. Use docker for containerised deployments. |
Application Settings (UI)
These settings are configured through the OrbisID web interface at Administration > Settings. They are stored in the database and take effect immediately.
Date and Time
| Setting | Default | Description |
|---|---|---|
| Date Format | yyyy-MM-dd | Format for displaying dates throughout the application. Uses Java DateTimeFormatter patterns. |
| DateTime Format | yyyy-MM-dd HH:mm:ss | Format for displaying timestamps. |
Connection
| Setting | Default | Description |
|---|---|---|
| Connection Timeout | 60 | Default timeout (in seconds) when testing connections to target systems. |
Password Policy (UI)
Configured at Administration > Users > Password Policy tab. These control password requirements for all local users.
| Setting | Default | Description |
|---|---|---|
| Minimum Length | 8 | Minimum number of characters in a password. |
| Require Uppercase | Off | Require at least one uppercase letter (A-Z). |
| Require Lowercase | Off | Require at least one lowercase letter (a-z). |
| Require Number | Off | Require at least one digit (0-9). |
| Require Special Character | Off | Require at least one special character (!@#$%^&* etc.). |
| Password Expiry (days) | 0 (disabled) | Force users to change their password after this many days. Set to 0 to disable. |
| Password History | 0 (disabled) | Number of previous passwords to remember. Users cannot reuse a password that appears in their history. Set to 0 to disable. |
Session Settings
These are configured in the backend application properties and cannot be changed at runtime.
| Setting | Value | Description |
|---|---|---|
| Inactivity Timeout | 60 minutes | Session expires after 60 minutes of no API activity. |
| Absolute Timeout | 8 hours | Session expires 8 hours after login, regardless of activity. |
| Max Login Attempts | 5 | Account is locked after 5 consecutive failed login attempts. |
| Lockout Duration | 30 minutes | Locked accounts are automatically unlocked after 30 minutes. |
| Password Work Factor | 12 | BCrypt work factor for password hashing. |
OIDC / SSO Configuration (UI)
Configured at Administration > Authentication. Requires the Enterprise edition.
| Setting | Description |
|---|---|
| Issuer URL | The OpenID Connect issuer URL (e.g., https://login.microsoftonline.com/<tenant>/v2.0). OrbisID discovers endpoints from /.well-known/openid-configuration. |
| Client ID | The OAuth 2.0 client ID registered with your identity provider. |
| Client Secret | The OAuth 2.0 client secret. Encrypted at rest. |
| Redirect URI | The callback URL OrbisID uses for the OIDC flow. Typically https://your-orbisid-domain/oidc-callback. It must match, character for character, the redirect URI registered with the identity provider. |
| Role Claim | The JWT claim name that maps to an OrbisID role. The claim value should match an OrbisID role name (e.g., ADMINISTRATOR, IAM_GOVERNANCE_ANALYST). |
When OIDC is configured, a Sign in with SSO button appears on the login page. Users can still log in with local credentials.
Users with the role INHERIT_FROM_OIDC_CLAIM will have their effective role determined by the SSO role claim on each login.
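Before filling in Role Claim it helps to look at what the identity provider actually puts in the ID token, since the claim name and its spelling differ between providers. The helper below is an added example and not OrbisID code: it decodes the payload segment of a compact JWT (without verifying the signature, so it is for inspection only) and pulls out one top-level string claim. It assumes base64 -d from GNU coreutils or busybox and POSIX sed; the claim name orbisid_role and the sample token are constructed for the demonstration. Array-valued or nested claims need a JSON tool such as jq instead of the sed extraction.

```shell
#!/bin/sh
# Added example (not OrbisID code): inspect the claims in an ID token so the
# "Role Claim" setting can be matched to what the IdP really sends.
# Assumes `base64 -d` (GNU coreutils/busybox) and POSIX sed.

# Print the decoded JSON payload (second dot-separated segment) of a JWT.
# No signature verification: use only to read claims, never to trust them.
jwt_payload() {
  p=${1#*.}                              # drop the header segment
  p=${p%%.*}                             # drop the signature segment
  p=$(printf '%s' "$p" | tr '_-' '/+')   # base64url alphabet -> base64
  case $(( ${#p} % 4 )) in               # restore the padding JWTs strip
    2) p="$p==" ;;
    3) p="$p=" ;;
  esac
  printf '%s' "$p" | base64 -d
}

# Print the value of a top-level string claim: jwt_claim TOKEN CLAIM
# Limitation: string values only; arrays/objects need jq.
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Constructed sample token for the demonstration. The header encodes
# {"alg":"none"} and the signature segment is a placeholder, so this is not
# a valid token; the payload is the part being inspected. Paste a real ID
# token from your provider in its place.
SAMPLE_PAYLOAD='{"sub":"alice","orbisid_role":"IAM_GOVERNANCE_ANALYST","email":"alice@example.com"}'
SAMPLE_TOKEN="eyJhbGciOiJub25lIn0.$(printf '%s' "$SAMPLE_PAYLOAD" | base64 | tr '+/' '-_' | tr -d '=\n').x"

# Usage: sh jwt_claim.sh "$ID_TOKEN" roles
if [ $# -ge 2 ]; then
  jwt_claim "$1" "$2"
fi
```

Run it once with a token captured from a test login and compare the claim name you see with the one you enter as Role Claim; the value must then equal an OrbisID role name such as ADMINISTRATOR or IAM_GOVERNANCE_ANALYST for users set to INHERIT_FROM_OIDC_CLAIM.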
Nginx Configuration
The nginx.conf file controls the reverse proxy. Key settings:
| Setting | Value | Description |
|---|---|---|
| client_max_body_size | 50m | Maximum upload size for CSV imports and script uploads. Increase if you import very large CSV files. |
| proxy_read_timeout | 300s | Backend read timeout. Increase if scans of very large systems time out. |
| proxy_connect_timeout | 10s | Backend connection timeout. |
| Security headers | Enabled | X-Frame-Options, X-Content-Type-Options, X-XSS-Protection and Referrer-Policy are set by default. (Current browsers ignore X-XSS-Protection; it only affects older ones.) |
Restricting Actuator Access
The /actuator/ path exposes Spring Boot Actuator endpoints, including health-check information. In production, restrict it to internal networks by uncommenting the allow/deny rules in nginx.conf. nginx evaluates these rules in order and the first match wins, so deny all must stay last:

```nginx
location /actuator/ {
    proxy_pass http://backend;
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    deny all;
}
```
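The rules above are matched against the source address of the connection as nginx sees it. That is the check to get right: if a load balancer or another proxy sits in front of nginx, every request arrives from that hop's address, and if that address happens to fall in one of the allowed private ranges the block admits the whole internet. The shell functions below are an added example, not OrbisID or nginx code, that reproduce the first-match evaluation of the snippet so you can reason about which addresses get through. The rule list and the sample client addresses are constructed from the snippet; the logic is plain POSIX sh arithmetic and needs no external tools.

```shell
#!/bin/sh
# Added example (not OrbisID code): evaluate the actuator allow/deny rules
# the way nginx does (top to bottom, first match wins) for a client address.
# IPv4 only, which is all the snippet covers.

# Convert a dotted quad to a 32-bit integer.
ip_to_int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NETWORK/PREFIX -> exit 0 if ADDR lies inside the prefix.
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  fi
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# The rules from the nginx.conf snippet, in the order nginx evaluates them.
ACTUATOR_RULES='allow 10.0.0.0/8
allow 172.16.0.0/12
allow 192.168.0.0/16
deny all'

# actuator_decision CLIENT_ADDR -> prints "allow" or "deny".
actuator_decision() {
  printf '%s\n' "$ACTUATOR_RULES" | while read -r action target; do
    if [ "$target" = all ] || in_cidr "$1" "$target"; then
      echo "$action"
      break
    fi
  done
}

# Usage: sh actuator_rules.sh 203.0.113.5
if [ $# -gt 0 ]; then
  for addr in "$@"; do
    echo "$addr -> $(actuator_decision "$addr")"
  done
fi
```

Feed it the address nginx would see, not the user's real address: with an internal load balancer at 10.0.0.7 in front, actuator_decision 10.0.0.7 prints allow for every request that passes through it. If such a hop exists, either apply the restriction on the hop itself or configure nginx's real_ip module (set_real_ip_from for the trusted hop, real_ip_header for the header it sets) so that $remote_addr holds the original client address before these rules run. Verify from outside the allowed ranges with curl -sS -o /dev/null -w '%{http_code}\n' https://your-orbisid-domain/actuator/health, which should return 403.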
Connection Pool Settings
The backend uses HikariCP for database connection pooling. Default values are suitable for most deployments.
| Setting | Value | Description |
|---|---|---|
| Maximum Pool Size | 20 | Maximum number of database connections. |
| Minimum Idle | 5 | Minimum idle connections kept open. |
| Connection Timeout | 30s | Maximum time to wait for a connection from the pool. |
| Idle Timeout | 10m | Time before an idle connection is removed. |
| Max Lifetime | 30m | Maximum lifetime of a connection in the pool. |
Scan Agent Configuration
If you deploy Scan Agents, they are configured via their own config.yml. See Scan Agent for details.