PingOne Advanced Identity Cloud

Use ESVs to override global configuration

Global configuration contains settings that apply to all realms in your Advanced Identity Cloud environment. Ping Identity manages this configuration on your behalf. However, several global configuration settings contain ESV placeholders set with default values. You can create the following ESV variables to override these default values in your environments to customize specific behaviors.

ESV name ESV information

esv-global-saml-error-page-url

Possible values

String (URL)

Default value

/saml2/jsp/saml2error.jsp

Description

Lets you specify the URL of the page that’s displayed to end users if an error occurs during the SAML authentication process. For example, https://mycompany.com/auth/saml-error-page.html.

esv-global-saml-max-content-length

Possible values

Integer

Default value

20480

Description

Lets you specify the maximum size, in bytes, for SAML requests. If a SAML request exceeds this size, it will be rejected. Learn more in this support KB article.

esv-enable-oauth2-ignore-critical-headers

Possible values

Boolean (true or false)

Default value

false

Description

Lets you ignore critical headers in JWTs used in OAuth 2.0 flows. To enable this behavior, set this ESV to true.

esv-enable-oauth2-sync-refresh-token-issuer

Possible values

Boolean (true or false)

Default value

true

Description

Lets you overwrite the iss claim of an introspectable server-side OAuth 2.0 token in the response from the /oauth2/introspect endpoint. To enable this behavior, set this ESV to false.

esv-oauth2-provider-request-object-processing-enforced

Possible values

Boolean (true or false)

Default value

false

Description

Lets you enforce certain validation rules when processing OAuth 2.0 request objects. To enable this behavior, set this ESV to true. Learn more in Request Object Processing Specification.

esv-oauth2-request-object-restrictions-enforced

Possible values

Boolean (true or false)

Default value

false

Description

Lets you enforce stricter adherence to the PAR and JAR specifications. Setting the value to true forces the authorization server to ignore authorize parameters outside the request_uri. Learn more in OAuth 2.0 endpoint parameters.

esv-scripting-legacynulloidcclaimsscriptbehaviour

Possible values

Boolean (true or false)

Default value

false

Description

If the OIDC Claims Plugin Type in the OAuth 2.0 provider is set to SCRIPTED but no script is selected, the userinfo endpoint returns the sub claim, in compliance with the OIDC specification. Previously, the userinfo endpoint returned an empty JSON object. If you still require this legacy behavior, set this ESV to true.

esv-scripting-legacy-jwt-validation

Possible values

Boolean (true or false)

Default value

true

Description

Lets you enable legacy JWT validation behavior for OAuth 2.0 and OpenID Connect flows. If you require the legacy behavior, set this ESV to false.
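
What esv-enable-oauth2-ignore-critical-headers changes, sketched as an added example (not Ping Identity's code): under RFC 7515 section 4.1.11, a JWS is invalid when its crit header lists an extension the recipient does not understand, and the hypothetical ignore_critical_headers flag below mirrors setting the ESV to true. The extension name exp-policy and the sample token are constructed for illustration.

```python
import base64
import json

# Header parameters defined by RFC 7515. Producers must not list these in
# "crit"; this example treats a token that does so as invalid.
JWS_REGISTERED = {"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256", "typ", "cty", "crit"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_header(jwt: str) -> dict:
    """Decode the protected header (first segment) of a compact JWS."""
    segment = jwt.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_crit(header: dict, understood: set, ignore_critical_headers: bool = False) -> tuple:
    """Return (accepted, reason). ignore_critical_headers is a hypothetical flag mirroring the ESV."""
    if "crit" not in header:
        return True, "no crit parameter"
    if ignore_critical_headers:
        return True, "crit present but ignored"
    crit = header["crit"]
    if not isinstance(crit, list) or not crit or not all(isinstance(n, str) for n in crit):
        return False, "crit must be a non-empty array of strings"
    for name in crit:
        if name in JWS_REGISTERED:
            return False, f"{name}: registered parameter must not be listed in crit"
        if name not in header:
            return False, f"{name}: listed in crit but absent from header"
        if name not in understood:
            return False, f"{name}: critical extension not understood"
    return True, "all critical extensions understood"


# Constructed sample: token-shaped string whose header marks a made-up extension as critical.
SAMPLE_HEADER = {"alg": "RS256", "crit": ["exp-policy"], "exp-policy": "strict"}
SAMPLE_JWT = ".".join([b64url(json.dumps(SAMPLE_HEADER).encode()), b64url(b"{}"), b64url(b"sig")])

if __name__ == "__main__":
    hdr = decode_header(SAMPLE_JWT)
    print(check_crit(hdr, understood=set()))
    print(check_crit(hdr, understood=set(), ignore_critical_headers=True))
```

With the flag off, the sample token is rejected because the recipient does not implement exp-policy; with it on, the same token passes this check and the constraint its issuer marked as mandatory is never applied.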