---
title: Use ESVs to override global configuration
description: Global configuration contains settings that apply to all realms in your Advanced Identity Cloud environment. Ping Identity manages this configuration on your behalf. However, several global configuration settings contain ESV placeholders set with default values. You can create the following ESV variables to override these default values in your environments to customize specific behaviors.
component: pingoneaic
page_id: pingoneaic:tenants:esvs-override-global-configuration
canonical_url: https://docs.pingidentity.com/pingoneaic/tenants/esvs-override-global-configuration.html
---

# Use ESVs to override global configuration

Global configuration contains settings that apply to all realms in your Advanced Identity Cloud environment. Ping Identity manages this configuration on your behalf. However, several global configuration settings contain ESV placeholders set with default values. You can create the following ESV variables to override these default values in your environments to customize specific behaviors.

| ESV name | Possible values | Default value | Description |
| --- | --- | --- | --- |
| `esv-am-nodes-certificatechain-validation-enforced` | Boolean (`true` or `false`) | `false` | Lets you collect and validate *all* certificates in a certificate chain using the [Certificate Collector](https://docs.pingidentity.com/auth-node-ref/latest/certificate-collector.html) and [Certificate Validation](https://docs.pingidentity.com/auth-node-ref/latest/certificate-validation.html) nodes. To enable this behavior, set this ESV to `true`. |
| `esv-am-secrets-gsm-stableid-version-only` | Boolean (`true` or `false`) | `true` | Lets you override the default `kid` value of the public key published in the JWK\_URI. By default, the `kid` value indicates only the GSM secret version. Set this to `false` to include the name of the secret in the `kid`. Find more information in [Override default `kid` values](../am-oidc1/managing-jwk_uri.html#override-default-kid-values). |
| `esv-enable-oauth2-ignore-critical-headers` | Boolean (`true` or `false`) | `false` | Lets you ignore critical headers in JWTs used in OAuth 2.0 flows. To enable this behavior, set this ESV to `true`. |
| `esv-enable-oauth2-sync-refresh-token-issuer` | Boolean (`true` or `false`) | `true` | Lets you overwrite the `iss` claim of an introspectable server-side OAuth 2.0 token in the response from the `/oauth2/introspect` endpoint. To enable this behavior, set this ESV to `false`. |
| `esv-global-saml-error-page-http-binding` | String (`HTTP-POST` or `HTTP-Redirect`) | `HTTP-POST` | Lets you specify the HTTP binding used to redirect users to the SAML error page when an error occurs during a SAML 2.0 flow. To specify the HTTP binding, set this ESV to `HTTP-POST` or `HTTP-Redirect`. |
| `esv-global-saml-error-page-url` | String (URL) | `/saml2/jsp/saml2error.jsp` | Lets you specify the URL of the page that's displayed to end users when an error occurs during a SAML 2.0 flow, for example, `https://mycompany.com/auth/saml-error-page.html`. Users are redirected to this page using the configured HTTP binding (`HTTP-POST` by default). You can change the HTTP binding by creating an ESV variable named `esv-global-saml-error-page-http-binding`. |
| `esv-global-saml-max-content-length` | Integer | 20480 | Lets you specify the maximum size, in bytes, for SAML requests. If a SAML request exceeds this size, it will be rejected. Learn more in [this support KB article](https://support.pingidentity.com/s/article/content-length-too-large-error-when-sending-and-receiving-SAML-requests-in-Advanced-Identity-Cloud-or-PingAM). |
| `esv-oauth2-grant-only-validated-scopes-on-refresh` | Boolean (`true` or `false`) | `true` | Lets you disable scope validation script behavior that ensures refresh tokens only obtain access tokens with identical or narrower scopes. Setting this ESV to `false` re-enables the legacy behavior. Learn more in [Scope validation](../am-oauth2/plugins-scope-validator.html). |
| `esv-oauth2-provider-request-object-processing-enforced` | Boolean (`true` or `false`) | `false` | Lets you enforce certain validation rules when processing OAuth 2.0 request objects. To enable this behavior, set this ESV to `true`. Learn more in [Request Object Processing Specification](../am-reference/services-configuration.html#config-request-object-proc-spec). |
| `esv-oauth2-request-object-restrictions-enforced` | Boolean (`true` or `false`) | `false` | Lets you enforce stricter adherence to the PAR and JAR specifications. Setting the value to `true` forces the authorization server to ignore authorize parameters outside the `request_uri`. Learn more in [OAuth 2.0 endpoint parameters](../am-oauth2/oauth2-parameters.html#request-uri). |
| `esv-scripting-legacy-jwt-validation` | Boolean (`true` or `false`) | `true` | Lets you disable legacy JWT validation behavior for OAuth 2.0 and OpenID Connect (OIDC) flows. If you require the non-legacy behavior, set this ESV to `false`. |
| `esv-scripting-legacynulloidcclaimsscriptbehaviour` | Boolean (`true` or `false`) | `false` | If the OIDC Claims Plugin Type in the OAuth 2.0 provider is set to `SCRIPTED` but no script is selected, the `userinfo` endpoint returns the `sub` claim, in compliance with the OIDC specification. Previously, the `userinfo` endpoint returned an empty JSON object. If you still require this legacy behavior, set this ESV to `true`. |
