BoxyHQ Jackson (SAML to OAuth) - No Database
This will create a BoxyHQ Jackson only. You will need to create and configure the database information manually. Intended for advanced users.
Official integration

Reduce Time to Market without sacrificing your security posture! BoxyHQ’s suite of APIs for security and privacy helps engineering teams build and ship compliant cloud applications faster. SAML Jackson can be used with any web application to integrate Single Sign-On (SSO) authentication.

NOTE: If you enable HTTPS, don't forget to change the variables from 'http://boxy-hq-only.captain.yourdomain.com' to 'https://boxy-hq-only.captain.yourdomain.com'.

NOTE: This app is intended for advanced users who'd like to have a central DB in a single container for BoxyHQ Jackson. You should start by configuring your DB yourself; you can do it before or after you install BoxyHQ Jackson.

Deployed services
boxy-hq-only
boxyhq/jackson:$$cap_boxyhq_jackson_version
    5225
    always
    41
    Variables

    External URL

    Default: boxy-hq-only.captain.yourdomain.com

    $$cap_external_url
    The public URL to reach this service. This is used internally to construct the callback url at which the SAML/OIDC IdP sends back the authorization response. (https://boxyhq.com/docs/jackson/deploy/env-variables#external_url)

    SAML Audience

    Default: boxy-hq-only.captain.yourdomain.com

    $$cap_saml_audience
    The value of this setting (same as SP EntityID of Jackson) allows the Jackson instance to verify that it is the intended recipient of a SAML response. The same value is also set in the SAML App created on the IdP end by your customers. Once set do not change this value unless you get your customers to reconfigure their SAML App again. It is case-sensitive. This does not have to be a real URL. (https://boxyhq.com/docs/jackson/deploy/env-variables#saml_audience)

    API Keys

    Default: $$cap_gen_random_hex(64)

    $$cap_jackson_api_keys
    A comma separated list of API keys that will be validated when serving the API requests for SSO connection (/api/v1/connections) and Directory Sync (/api/v1/directory-sync). (https://boxyhq.com/docs/jackson/deploy/env-variables#jackson_api_keys)

    Admin Portal SSO Tenant

    Default: _jackson_boxyhq

    $$cap_admin_portal_sso_tenant
    This will be used as the tenant for the SSO connections (added from Settings tab) used to login into the Admin portal itself. Set this to a value that is less likely to conflict with the main Enterprise SSO connections. (https://boxyhq.com/docs/jackson/deploy/env-variables#admin_portal_sso_tenant)

    Admin Portal SSO Product

    Default: _jackson_admin_portal

    $$cap_admin_portal_sso_product
    This will be used as the product for the SSO connections (added from Settings tab) used to login into the Admin portal itself. Set this to a value that is less likely to conflict with the main Enterprise SSO connections. (https://boxyhq.com/docs/jackson/deploy/env-variables#admin_portal_sso_product)

    IDP Enabled

    Default: true

    $$cap_idp_enabled
    Set to true to enable IdP initiated login for SAML. SP initiated login is the only recommended flow but you might have to support IdP login at times. (https://boxyhq.com/docs/jackson/deploy/env-variables#idp_enabled)

    Pre loaded connection

    Default: undefined

    $$cap_pre_loaded_connection
    If you only need a single tenant or a handful of pre-configured tenants then this config will help you read and load IdP (both OpenID and SAML) connections. It works well with the mem DB engine so you don't have to configure any external databases for this to work (though it works with those as well). This is a path (absolute or relative) to a directory that contains files organized in the format described in the next section. (https://boxyhq.com/docs/jackson/deploy/env-variables#pre_loaded_connection)

    Client secret verifier

    Default: $$cap_gen_random_hex(64)

    $$cap_client_secret_verifier
    When tenant and product are used for the SAML flow (and PKCE is not being used) then we use dummy as placeholders for client_id and client_secret. This is not a security issue because SAML is tenanted and hence your Identity Provider will block access to anyone trying to log into your SAML tenant. However for additional security you should set CLIENT_SECRET_VERIFIER to a random secret and use that value as the client_secret during the OAuth 2.0 flow. (https://boxyhq.com/docs/jackson/deploy/env-variables#client_secret_verifier)

    DB Engine

    Default: sql

    $$cap_db_engine
    Supported values are redis, sql, mongo, mem, planetscale, dynamodb (https://boxyhq.com/docs/jackson/deploy/env-variables#db_engine)

    DB URL

    Default: postgres://postgres_user:postgres_password@localhost:5432/postgres_db

    $$cap_db_url
    The database URL to connect to. If you are using self-signed certificates then pass sslmode=no-verify instead of sslmode=require in the DB_URL. This is because self-signed certs will be rejected as unauthorized in strict mode. Also, set DB_SSL=true and DB_SSL_REJECT_UNAUTHORIZED=false (see env vars below for more details). (https://boxyhq.com/docs/jackson/deploy/env-variables#db_url)

    DB Type

    Default: postgres

    $$cap_db_type
    Only needed when DB_ENGINE is sql. Supported values are postgres, mysql, mariadb, mssql (https://boxyhq.com/docs/jackson/deploy/env-variables#db_type)

    DB TTL

    Default: 300

    $$cap_db_ttl
    TTL for the code, session and token stores (in seconds). (https://boxyhq.com/docs/jackson/deploy/env-variables#db_ttl)

    DB Cleanup limit

    Default: 1000

    $$cap_db_cleanup_limit
    Limit cleanup of TTL entries to this number. (https://boxyhq.com/docs/jackson/deploy/env-variables#db_cleanup_limit)

    DB Page limit

    Default: 50

    $$cap_db_page_limit
    Page limit

    DB Encryption key

    Default: undefined

    $$cap_db_encryption_key
    To encrypt data at rest specify a 32 character key. You can use openssl to generate a random 32 character key 'openssl rand -base64 24' (https://boxyhq.com/docs/jackson/deploy/env-variables#db_encryption_key)

    SMTP Host

    Default: smtp.example.com

    $$cap_smtp_host
    The SMTP host. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_host)

    SMTP Port

    Default: 587

    $$cap_smtp_port
    The SMTP server port. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_port)

    SMTP User

    Default: info@example.com

    $$cap_smtp_user
    Username for the SMTP server. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_user)

    SMTP Password

    Default: undefined

    $$cap_smtp_password
    Password for the SMTP server. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_password)

    SMTP From

    Default: noreply@example.com

    $$cap_smtp_from
    From address used to send mail. (https://boxyhq.com/docs/jackson/deploy/env-variables#smtp_from)

    NextAuth ACL

    Default: tonystark@gmail.com,*@marvel.com

    $$cap_nextauth_acl
    Set this to a comma separated string of email addresses or glob patterns like tonystark@gmail.com,*@marvel.com. Access will be denied to email addresses which don't match. If you don't specify any value access is denied to all. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_acl)

    NextAuth URL

    Default: boxy-hq-only.captain.yourdomain.com

    $$cap_nextauth_url
    When running locally this will point to the local server https://boxyhq.my-domain.com. When deploying to production, set this to the canonical URL of the site. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_url)

    NextAuth Secret

    Default: $$cap_gen_random_hex(64)

    $$cap_nextauth_secret
    Set this to a random string. You can use openssl rand -base64 32 to get one. This secret is used to encrypt JWT and hash the email verification token. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_secret)

    NextAuth Admin credentials

    Default: undefined

    $$cap_nextauth_admin_credentials
    Set this to a comma separated string of the pattern email:password to enable login to the Admin Portal, for example NEXTAUTH_ADMIN_CREDENTIALS=deepak@boxyhq.com:Password123. If you don't specify any value access is denied to all. (https://boxyhq.com/docs/jackson/deploy/env-variables#nextauth_admin_credentials)

    Retraced Host URL

    Default: undefined

    $$cap_retraced_host_url
    If you'd like to use the Admin Portal to manage our Audit Logs service (Retraced) then set this env var to the URL of the service. (https://boxyhq.com/docs/jackson/deploy/env-variables#retraced_host_url)

    Retraced External URL

    Default: undefined

    $$cap_retraced_external_url
    If you'd like to use the Admin Portal to manage our Audit Logs service (Retraced) then set this env var to the Public URL of the service. If this is the same as RETRACED_HOST_URL above then you can skip this and it will default to the value of RETRACED_HOST_URL. (https://boxyhq.com/docs/jackson/deploy/env-variables#retraced_external_url)

    Retraced Admin root token

    Default: undefined

    $$cap_retraced_admin_root_token
    You need to set the admin root token for Retraced so that we can connect to Retraced and fetch projects and audit logs. (https://boxyhq.com/docs/jackson/deploy/env-variables#retraced_admin_root_token)

    Terminus Proxy Host URL

    Default: undefined

    $$cap_terminus_proxy_host_url

    Terminus Admin root token

    Default: undefined

    $$cap_terminus_admin_root_token

    OTEL Exporter OTLP Metrics endpoint

    Default: undefined

    $$cap_otel_exporter_otlp_metrics_endpoint
    Target URL to which the exporter is going to send metrics. (https://boxyhq.com/docs/jackson/deploy/env-variables#otel_exporter_otlp_endpoint-or-otel_exporter_otlp_metrics_endpoint)

    OTEL Exporter OTLP Metrics headers

    Default: undefined

    $$cap_otel_exporter_otlp_metrics_headers
    Headers relevant for the endpoint, useful for specifying authentication details for providers. (https://boxyhq.com/docs/jackson/deploy/env-variables#otel_exporter_otlp_headers-or-otel_exporter_otlp_metrics_headers)

    OpenID JWS algorithms

    Default: RS256

    $$cap_openid_jws_alg
    The algorithm used to sign the id_token. Jackson uses jose to create the ID token. Supported algorithms can be found at https://github.com/panva/jose/issues/114#digital-signatures. (https://boxyhq.com/docs/jackson/deploy/env-variables#openid_jws_alg)

    OpenID RSA Private key

    Default: undefined

    $$cap_openid_rsa_private_key
    Base64 value of private key. To generate one 'openssl genrsa -out private-key.pem 3072' then 'openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private-key.pem -out private_key.pem' and 'cat private_key.pem | base64'. (https://boxyhq.com/docs/jackson/deploy/env-variables#openid_rsa_private_key)

    OpenID RSA Public key

    Default: undefined

    $$cap_openid_rsa_public_key
    Base64 value of public key. You can generate the public key from the private key with 'openssl rsa -in private_key.pem -pubout -out public_key.pem' and then 'cat public_key.pem | base64'. (https://boxyhq.com/docs/jackson/deploy/env-variables#openid_rsa_public_key)

    Public key

    Default: undefined

    $$cap_public_key
    This is the public key of the private key used to sign the SAML requests. Jackson expects the public key to be base64 encoded. (https://boxyhq.com/docs/jackson/deploy/env-variables#public_key)

    Private key

    Default: undefined

    $$cap_private_key
    This is the private key used to sign the SAML requests. Jackson expects the private key to be base64 encoded. To generate a private key and public key pair you can use the following command 'openssl req -x509 -newkey rsa:2048 -keyout key.pem -out public.crt -sha256 -days 365 -nodes', then 'cat public.crt | base64' and then 'cat key.pem | base64'. (https://boxyhq.com/docs/jackson/deploy/env-variables#private_key)

    BoxyHQ License key

    Default: undefined

    $$cap_boxyhq_license_key

    Webhook URL

    Default: undefined

    $$cap_webhook_url
    Specify a webhook URL to receive events about sso and directory connections. (https://boxyhq.com/docs/jackson/deploy/env-variables#webhook_url)

    Webhook Secret

    Default: undefined

    $$cap_webhook_secret
    Specify a secret to be used to sign the webhook payload. This is used to verify the authenticity of the webhook payload. (https://boxyhq.com/docs/jackson/deploy/env-variables#webhook_secret)

    Node Options

    Default: --max-http-header-size=81920 --dns-result-order=ipv4first

    $$cap_node_options

    Next Telemetry disabled

    Default: 1

    $$cap_next_telemetry_disabled

    BoxyHQ Jackson Version

    Default: 1.13.0

    $$cap_boxyhq_jackson_version
    Check out their Docker page for the valid tags https://hub.docker.com/r/boxyhq/jackson/tags/