--- default_redirection_url: 'https://home.example.com:8080/' server: address: 'tcp://127.0.0.1:9091' log: level: 'debug' totp: issuer: 'authelia.com' duo_api: hostname: 'api-123456789.example.com' integration_key: 'ABCDEF' authentication_backend: ldap: address: 'ldap://127.0.0.1' base_dn: 'dc=example,dc=com' username_attribute: 'uid' additional_users_dn: 'ou=users' users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))' additional_groups_dn: 'ou=groups' groups_filter: '(&(member={dn})(objectClass=groupOfNames))' group_name_attribute: 'cn' mail_attribute: 'mail' user: 'cn=admin,dc=example,dc=com' access_control: default_policy: 'deny' rules: # Rules applied to everyone - domain: 'public.example.com' policy: 'bypass' - domain: 'secure.example.com' policy: 'one_factor' # Network based rule, if not provided any network matches. networks: - '192.168.1.0/24' - domain: 'secure.example.com' policy: 'two_factor' - domain: ['singlefactor.example.com', 'onefactor.example.com'] policy: 'one_factor' # Rules applied to 'admins' group - domain: 'mx2.mail.example.com' subject: 'group:admins' policy: 'deny' - domain: '*.example.com' subject: 'group:admins' policy: 'two_factor' # Rules applied to 'dev' group - domain: 'dev.example.com' resources: - '^/groups/dev/.*$' subject: 'group:dev' policy: 'two_factor' # Rules applied to user 'john' - domain: 'dev.example.com' resources: - '^/users/john/.*$' subject: 'user:john' policy: 'two_factor' # Rules applied to 'dev' group and user 'john' - domain: 'dev.example.com' resources: - '^/deny-all.*$' subject: ['group:dev', 'user:john'] policy: 'deny' # Rules applied to user 'harry' - domain: 'dev.example.com' resources: - '^/users/harry/.*$' subject: 'user:harry' policy: 'two_factor' # Rules applied to user 'bob' - domain: '*.mail.example.com' subject: 'user:bob' policy: 'two_factor' - domain: 'dev.example.com' resources: - '^/users/bob/.*$' subject: 'user:bob' policy: 'two_factor' session: name: 'authelia_session' expiration: '1h' # 1 hour inactivity: '5m' # 5 minutes domain: 'example.com' redis: host: '127.0.0.1' port: 6379 high_availability: sentinel_name: 'test' regulation: max_retries: 3 find_time: '2m' ban_time: '5m' storage: mysql: address: 'tcp://127.0.0.1:3306' database: 'authelia' username: 'authelia' notifier: smtp: address: 'smtp://127.0.0.1:1025' username: 'test' sender: 'admin@example.com' disable_require_tls: true identity_providers: oidc: cors: allowed_origins: - 'https://google.com' - 'https://example.com' clients: - id: 'abc' secret: '123' consent_mode: 'explicit' userinfo_signing_alg: 'none' ...