# System Configuration Appmixer offers a variety of system configuration options for advanced use cases, allowing you to finely tune the behavior of its underlying workflow and integration engine. To access and set these configuration options, navigate through the [Appmixer Backoffice](https://docs.appmixer.com/appmixer-backoffice) interface to the "System -> System Configuration" page. Please be aware that certain configuration changes may not take immediate effect without restarting the Appmixer engine. For customers with a Self-Managed Appmixer installation, restarting the engine can be done at your convenience to apply the new settings. For those with a hosted Appmixer tenant, it's advisable to reach out to our support team at . Our team can provide guidance on how to effectively set these configuration options and assist with any necessary engine restarts to ensure your configurations are applied as intended.

### Configuration options Below is a list of available configuration options, accompanied by a brief explanation for each and their default values. These defaults are used by Appmixer in instances where no specific value is provided:

Key	Detail	Default value	Needs restart
API_USER_CREATE_SCOPE	By default, the POST /user API is open to enable the sign-in feature for everyone. This option can restrict the access to this endpoint. It takes a list of scopes (comma-separated). If the value is not null, then a JWT token has to be used to call this API. Typically, the value is set to `admin`.	null	false
APP_NAME	This will for example appear in the head title of a sign-in popup for Api Key services.	Appmixer	false
AUTH_HUB_AUTOMATIC	If the auth-hub system plugin is on and this value is true, all OAuth requests for unconfigured services will go through the Authentication Hub. It means that if you install Slack, for example, and do not configure the clientId and clientSecret the engine will use the Appmixer Authentication Hub for Slack authorization.	true	false
DEFAULT_USER_VENDOR	Vendor assigned to newly created users.	No value	false
AUTH_POPUP_DISPLAY_ERR	Whether to display validation errors from the authentication modules.	true	false
AUTH_POPUP_TIMEOUT_ERR	How many seconds before automatically closing the Connecting Account Failed popup window.	5	false
BROKER_MESSAGE_ACK_TIMEOUT	Timeout for message processing.	1500000	false
COMPONENT_FACTORY_TIMEOUT	An attempt to create a component will fail after this timeout.	300000	false
COMPONENT_RECEIVE_TIMEOUT	A message will be retried if the receive() function does not return within this timeout.	1380000	false
LIMIT_FLOW_UPDATE_BYTES	The max size in bytes of a flow descriptor to be able to be saved.	2097152	false
LIMIT_CC_ARCHIVE_MAX_BYTES	Maximum size in bytes for custom components.	10485760	false
LIMIT_WEBHOOK_BYTES	Maximum payload size in bytes for webhook components.	1048576	false
WEBHOOK_REQUEST_TIMEOUT	Timeout in milliseconds for webhook component requests.	10000	false
LIMIT_COMPONENT_STATIC_CALL_MAX_BYTES	Maximum size in bytes of the payload for component static calls.	104857600	false
PUBLIC_FILES_PREFIX	Public files (needed usually for domain verification) can be served from different paths. Path prefixes have to be separated by `:`	`/:/.well-known`	true
RETRY_BACKOFF	In case of an error, a message for a Component is rescheduled for another attempt. A back-off strategy is used. This value defines the number of attempts and the number of minutes between them.	`1,5,60,300,720`	true
DISPATCHER_PREFETCH_COUNT	The maximum number of Rabbit messages being dispatched at the same time.	500	true
INPUT_QUEUE_PREFETCH_COUNT	The maximum number of outgoing Rabbit messages waiting for aknowledgement at the time in the Input Queue. Subsequent incoming messages will not be sent until pending messages are aknowledged.	300	true
WEBHOOK_PREFETCH_COUNT	This is for webhooks from Appmixer to registered URLs. This is the amount of webhook messages that will be processing at a time.	50	true
WEBHOOK_RETRY_COUNT	Number of times that Appmixer will retry sending a webhook. Applies for all webhooks.	20	false
WEBHOOK_RETRY_INTERVAL	Initial interval in milliseconds for retries. Subsequent retries will take longer (multiplied by an internal factor).	30000	false
WEBHOOK_RETRY_MAX	Maximum interval in milliseconds between retries.	1800000	false
WEBHOOK_USER_CREATED	URL that will be called when new user is created (sign-up).	No value	false
WEBHOOK_FLOW_COMPONENT_ERROR	URL that will be called when a running flow encounters an error.	No value	false
WEBHOOK_FLOW_COMPONENT_ERROR_INCLUDE_QUOTA	Include quota errors among the errors sent to the registered webhook URL.	false	false
WEBHOOK_FLOW_COMPONENT_ERROR_INCLUDE_RETRY	Include retry attempts among the errors sent to the registered webhook URL. If false, the error will be sent, when all 30 attempts to process a message fail. If true, every failed attempt will be sent.	false	false
WEBHOOK_FLOW_STOPPED	URL that will be called when a flow is stopped due to an incompatible module upgrade.	No value	false
STRICT_COOKIES	If set to true, the engine will reject any incoming HTTP requests that have cookies that don't comply with the HTTP cookies RFC specification.	false	true
GARBAGE_COLLECTOR_CONTINUITY_SCOPES_TTL	The maximum time in days before continuity scopes are garbage collected. A continuity scope is a state of a flow including data from the flow runtime needed to continue the flow from a certain component onwards. For example, the Plivo.SendSMSAndWaitForReply sends an SMS and waits for an event (webhook) from Plivo that contains an SMS with a reply. The continuity scope contains all the data needed to continue the flow at a later time (when the webhook from Plivo is received which can take hours to days.	100	false
GC_FILES_ENABLED	If the Garbage collector for files is enabled.	true	true
GC_FILES_RULES	Rules for the Gargabge collector.	See below.	false
IDP_CONFIG	Identity provider configuration. Please see Configuring Single-Sing-On for more informations.	No value	false
IDP_ROLES_PATH	Identity provider configuration. Please see Configuring Single-Sing-On for more informations.	No value	false
IDP_DEFAULT_REDIRECT	Identity provider configuration. Please see Configuring Single-Sing-On for more informations.	No value	false

GC\_FILES\_RULES ``` [ { "scope": "user", /** * The GC will never delete files created in the past TTL (in hours). By default, * set to 720 hours. The reason is to prevent the GC from removing files that could be needed by the * flows. */ "ttl": 720, // 30 days /** * The user will be blocked from saving any files if the limit is reached. */ "hardLimit": 2000000000 // 2 GB } ] You can have different rules for different user scopes: [ { "scope": "user:, "ttl": 720, "hardLimit": 2000000000 }, { "scope": "admin", "ttl":1440, "hardLimit": 90000000000 } ] ``` ## Configuring Single Sign-On Configuring Single Sign-On (SSO) for Appmixer allows your users to authenticate using their existing identity provider. Appmixer supports **OpenID Connect (OIDC)** and **SAML** standards for seamless integration. **Required Configuration Parameters** To set up SSO, you'll need to gather the following information from your Identity Provider (IdP): * **`idp_type`**: This specifies the authentication method. It can be either `oidc` or `saml`. * **`authorization_url`**: This is the URL where users will be redirected to log in via your IdP. * **`client_id`**: An identifier for your client application. **Appmixer-Specific Parameters** The following parameters are typically not part of a standard IdP configuration and will likely need to be added manually: * **`domains`**: A list of domains for which you want to enable SSO. Any user with an email address from a domain listed here will be redirected to your IdP's authentication page. For example: `["yourcompany.com", "example.org"]` * **`role_mapping`**: This object maps roles from your IdP to Appmixer's roles. Appmixer currently supports `admin` and `user` roles. For example, if your IdP uses "administrator" for admins and "member" for users, your mapping might look like: `{"admin": "administrator", "user": "member"}` **Parameters Based on Authentication Type** You'll also need additional parameters depending on whether you're using SAML or OIDC: **SAML** * **`,certificate`**: The certificate used to sign SAML requests. * **`reauth_method` :** What method to use to re-authenticate a user when their session expires. Can be either `popup` or `iframe` . While a hidden iframe is the neat way of handling this situation, this method is not allowed by some identity providers, so popup is used instead to ensure wider compatibility. If you are not sure about your provider's policy, you should use `popup` . **OIDC** * **`issuer`**: A unique string that identifies your identity provider. * **`client_secret`**: A secret identifier for your client application. * **`token_url`**: The URL where Appmixer can obtain a new OIDC token. * **`metadata_url`**: A publicly accessible URL provided by your IdP that contains essential information for the authentication process. **Important Considerations**\ \ Most of these parameters will be provided when you download the configuration from your Identity Provider. You'll primarily need to manually add the **`domains`** and **`role_mapping`** fields. It's crucial that your **`metadata_url`** is publicly accessible. This is generally true for cloud-based identity providers like AWS IAM and Google ID. However, if you're self-hosting your IdP, you might need to adjust your network configuration to ensure its public accessibility. Appmixer does not currently support configuring a proxy to access an IdP; this must be handled via your hosting machine's network settings. If you encounter issues, please contact our support center.\ \ **Configuration Examples**\ \ Once you've gathered all the necessary information, your configuration JSON should resemble one of the following examples: {% tabs %} {% tab title="OIDC" %} ```json { "idp_type": "oidc", "client_id": "a361cbac-a420-42ca-8f07-fc3520d5c36b", "client_secret": "0841fb03-55b8-4b0d-aeb0-330374348c09", "issuer": "my-idp", "domains": ["client.io"], "token_url": "https://idp.example.com/auth/realms/apm/protocol/openid-connect/token", "authorization_url": "https://idp.example.com/auth/realms/apm/protocol/openid-connect/auth", "metadata_url": "https://idp.example.com/auth/realms/apm/.well-known/openid-configuration", "role_mapping": { "admin": "adm", "user": "usr" } } ``` {% endtab %} {% tab title="SAML" %} ```json { "idp_type": "saml", "client_id": "my-client-id" "authorization_url": "https://idp.example.com/auth/realms/apm/protocol/saml", "certificate": "MIIClTCCAX0CBgGV0[...]6smvQM7VU=", "domains": ["localhost", "client.io"], "role_mapping": { "admin": "adm", "user": "usr" } "default_redirect": "https://myapp.appmixer.ai/login" } ``` {% endtab %} {% endtabs %} **Applying Your Configuration** Paste your finalized configuration JSON as a new Appmixer **System Configuration** with the key `IDP_CONFIG`.

**Additional Parameters** **`handle_roles`**: Identity Providers (IdPs) may manage either Authentication and Authorization or just Authentication. By default, Appmixer delegates only authentication to the IdP. To allow the IdP to manage authorization as well (importing roles from the IdP), set this variable to `true` . By doing this, the roles in Appmixer will be ignored for all users who sign in through IdP, meaning some users might not be able to sign in if the proper role isn't granted to them. Please check auto\_grant\_user\_role, below. **`auto_grant_user_role`**: Works in combination with handle\_roles. If this is set to `true` then all users that are allowed to log in will be granted the minimum permissions needed to operate Appmixer. If this is `false` such users will be denied access until they get the appropriate permissions. **`enforce_sso`**: By default, we do not disable the legacy email access. If you'd rather have users log in exclusively using Single Sign-On, you can do so by setting this variable to `true` . **`disable_legacy_signup` :** This property is similar to enforce\_sso, but only applies to new users. If set to `true` the option to sign up will be removed, and new users will only be able to access through Single Sign-On, while existing users will retain the ability to sign in with email and password. This is a weaker check than enforce\_sso, so if both are active, this check will be ignored. **`roles_path`**: (Only required if **`handle_roles`** is `true`) This is the path within your IdP's authentication response where a user's roles can be found. The value varies between Identity Providers. Refer to the table below for common IdPs:

Identity Provider	Roles Path
Keycloak	realm_access.roles
Google ID	~~<not supported>~~
Google Workspace	depends on configuration
Amazon IAM	-

SAML **`default_redirect`**: This should be the URL of your login page. It's used as a fallback if an authentication error prevents Appmixer from retrieving a valid redirect URL from the identity provider. **`expects_signed_assertions`** : Whether each single assertion will be signed separately. Defaults to `false` . ### Providers Configuration #### Google Workspace This section explains how to set up Single Sign-On using Google Workspace. 1. First, log in to your [Google Admin control panel](https://admin.google.com/) 2. In the menu on the left, select `Apps -> Web and Mobile Apps`\ ![](https://content.gitbook.com/content/gA9J5A1N66u2GrNSZK7X/blobs/2Y3I337t8ZUJZlCHCVVZ/CleanShot%202025-09-22%20at%2009.53.45@2x.png) 3. Now, in the new tab, select `Add App -> Add Custom SAML app`\ \ .\ ![](https://content.gitbook.com/content/gA9J5A1N66u2GrNSZK7X/blobs/5VLvKVgAgtzp7HfvNhxG/CleanShot%202025-09-22%20at%2009.54.45@2x.png) 4. Choose a name for your app and note all the details provided by Google; we will need them later. 5. On step 3 of the procedure, when prompted to provide the service provider details, please follow the screenshot, replacing `` with the actual URL of your application.\ ![](https://content.gitbook.com/content/gA9J5A1N66u2GrNSZK7X/blobs/CXE9jxPiXn44UL8WZqNV/CleanShot%202025-09-22%20at%2010.00.58@2x.png) 6. Leave everything blank on the last step `Attribute Mapping` for now. 7. Now that our SAML application is ready, we need to enable it for the users in our tenant. You can do it as you would for any other application (like Gmail, Drive, and so on). 8. Finally, let's set up the roles needed to log in to Appmixer. 9. Go to `Directory -> Users -> More options -> Manage custom attributes` \ ![](https://content.gitbook.com/content/gA9J5A1N66u2GrNSZK7X/blobs/Xk1Yu1tEwmFHi5vnBdio/CleanShot%202025-08-12%20at%2012.43.32@2x.png) 10. On the next page, select `Add Custom Attribute` on the top right.\ ![](https://content.gitbook.com/content/gA9J5A1N66u2GrNSZK7X/blobs/5um8ZbqR1K5IcRCfbAgm/CleanShot%202025-08-12%20at%2012.45.00@2x.png) 11. Configure the attribute as shown in the screenshot. You can use any value you want for `Category` and `Description`. You can also change the name of your field.\ ![](https://content.gitbook.com/content/gA9J5A1N66u2GrNSZK7X/blobs/BMG2YdsUqRCLfKn0jAsD/CleanShot%202025-08-12%20at%2012.35.14@2x.png) 12. Choose a user you want to assign roles to and expand the `Users Informations` tab.\ ![](https://content.gitbook.com/content/gA9J5A1N66u2GrNSZK7X/blobs/LOQNEWKecGnoPdAiuzOS/CleanShot%202025-08-12%20at%2012.48.11@2x.png) 13. You will find the newly created attribute. If you scroll down, you can write any string here; they will have to match the content of the **`role_mapping`** in your configuration on Appmixer (Step 15).\ ![](https://content.gitbook.com/content/gA9J5A1N66u2GrNSZK7X/blobs/b3JHlHcErEhF6dM0JCnv/CleanShot%202025-08-12%20at%2012.50.11@2x.png) 14. Now go back to the app we created earlier and edit the attribute mapping to expose the newly created attribute. If you decided to use `Roles` like in the example, you can follow the screenshot in this case too; otherwise, please replace the role in the left drop-down of the screenshot with the one you created before. Keep the value of `App attributes` to `Role` .\ ![](https://content.gitbook.com/content/gA9J5A1N66u2GrNSZK7X/blobs/RSwSSanKSMs6Z33RTCDu/CleanShot%202025-08-12%20at%2012.38.14@2x.png) 15. When creating the configuration JSON for Appmixer, please use the following format:
```json { "idp_type": "saml", "client_id": "authorization_url": , "issuer": "my-idp", "certificate": , "domains": [], "role_mapping": { "admin": , "user": } "default_redirect": , "expects_signed_assertions": false, "handle_roles": true, "reauth_method": "popup" } ``` \ (\*) **\** is the one provided on point 5 of this guide, not the one shown in the App's metadata. They are called in the same way, and this can cause confusion, but they are completely different values.
16. Please feel free to choose any value for `enforce_sso` and `disable_legacy_signup` and `auto_grant_user_role` based on your company policies. 17. Minify the JSON and add it to the Appmixer configuration under the name `IDP_CONFIG` .