Introduction

The CoreOne Authentication Service loads most of its configuration from the CoreOne Application Service at runtime. There are, however, various settings that are read either from the application configuration file or from the setting table. This page describes those settings.

Configuration parameters

The following general configuration parameters are available:

SSL-Certificate-Password

text

Password for the private key of the certificate file (if the service is running in Kestrel and not in IIS)

SSL-Certificate-Format

pfx / pem

Format of the certificate file (currently only pfx supported)

Server-Url

URL

Base URL of the server (incl. port)

Compatibility

Id / Parameter / Data type / Example values / Description


SMS-Provider-Type

REST

Currently REST implemented

1

PluginList

JSON String Array

[
    "iTsense.CoreLogin2.LoginMethod.Password.Plugin,iTsense.CoreLogin2.LoginMethod.Password"
]

An array with all the supported logon methods. You can add your own by specifying the appropriate namespace in the plugin list.

2

UseSSL

Bool

true

Whether or not to force the usage of SSL

3

SSL-Certificate-Data

Encrypted String

* * * * *

If set, this certificate can be used to sign tokens

4

SSL-Certificate-Password

Encrypted String

* * * * *

The password to the certificate data if needed

5

SSL-Certificate-Format

String

“pfx”

The type of the certificate

9

SMS-Provider-Type

String

"iTsense.CoreLogin2.Server.SmsProviders.LogConsoleSmsProvider,iTsense.CoreLogin2.Server"

The SMS provider implementation to use for sending SMS messages

10

SMS-Provider-Settings

String

{
    "Method": "Get",
    "BaseUrl": "http://myRestSmsApi/{mobilenumber}/{message}",
    "SecurityMethod": "BasicAuthentication",
    "Username": "MyUserName",
    "Password": "MyPw",
    "MobileNumberFormat": "E164",
    "DefaultCountryPrefix": "+41",
    "BodyContent": null,
    "BodyEncodingCodePage": 65001,
    "BodyMediaType": "text/plain",
    "RestResource": null
}

Method: Get / Post / Put
BaseUrl: REST base URL; placeholders: mobilenumber / message
SecurityMethod: Authentication method (currently only BasicAuthentication)
Username: Username
Password: Password
MobileNumberFormat:
 - E164: +41 79 111 22 33
 - InternationalWithPrefix: +41791112233
 - InternationalWithoutPrefix: 41791112233
 - LocalWithPrefix: 0791112233
 - LocalNoPrefix: 791112233
DefaultCountryPrefix: Country prefix used if the phone number does not contain one
BodyEncodingCodePage: Code page for the body data
BodyMediaType: Media type for the body data
RestResource:

The settings for the configured SMS provider

SMS-Provider-HttpClientSettings

{
    "IgnoreSslErrors": false,
    "UseProxy": true,
    "AllowAutoRedirect": true,
    "ProxyConfiguration": null
}

IgnoreSslErrors: No error for invalid SSL certificates
UseProxy: Whether a proxy should be used (if true and ProxyConfiguration = null, the default Windows proxy is used; see Internet Explorer settings)
AllowAutoRedirect: Follow 301 and 302 status codes
ProxyConfiguration: Configuration of the proxy settings

TOTP-IssuerName

string

Issuer that is used in TOTP barcodes (visible in TOTP clients)

Enable LoginHistory

true / false

Login history on / off

LoginHistory: OnlyLatest

true / false

Defines whether all logins or only the last login should be saved for each user.
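The five MobileNumberFormat variants and the DefaultCountryPrefix fallback from the SMS-Provider-Settings row above, as an added Python example that is not the service's own code. The 9-digit national part and the 2-3-2-2 spacing of the page's E164 sample are assumptions taken from its example numbers.

```python
import re

# DefaultCountryPrefix from the page's example SMS-Provider-Settings.
DEFAULT_COUNTRY_PREFIX = "+41"
# Assumptions taken from the page's sample numbers: a 9-digit national part and
# the 2-3-2-2 spacing that the page's "E164" example uses ("+41 79 111 22 33").
NATIONAL_DIGITS = 9
E164_GROUPS = (2, 3, 2, 2)


def to_international(number, default_prefix=DEFAULT_COUNTRY_PREFIX):
    """Normalise any of the five MobileNumberFormat variants to "+<cc><national>";
    a number without a country prefix gets DefaultCountryPrefix, as the page describes."""
    raw = re.sub(r"[\s\-()/]", "", number)
    cc = default_prefix.lstrip("+")
    if raw.startswith("+"):                       # E164 / InternationalWithPrefix
        digits = raw[1:]
    elif raw.startswith("0"):                     # LocalWithPrefix: 0791112233
        digits = cc + raw[1:]
    elif raw.startswith(cc) and len(raw) == len(cc) + NATIONAL_DIGITS:
        digits = raw                              # InternationalWithoutPrefix
    else:                                         # LocalNoPrefix: 791112233
        digits = cc + raw
    if not digits.isdigit():
        raise ValueError(f"not a phone number: {number!r}")
    return "+" + digits


def format_number(number, fmt, default_prefix=DEFAULT_COUNTRY_PREFIX):
    """Render a number in the MobileNumberFormat variant named by fmt."""
    digits = to_international(number, default_prefix)[1:]
    cc = default_prefix.lstrip("+")
    if fmt == "InternationalWithPrefix":
        return "+" + digits
    if fmt == "InternationalWithoutPrefix":
        return digits
    if fmt == "E164":
        national = digits[len(cc):]
        if not digits.startswith(cc) or len(national) != NATIONAL_DIGITS:
            return "+" + digits                   # unknown grouping: emit unspaced
        parts, pos = [], 0
        for width in E164_GROUPS:
            parts.append(national[pos:pos + width])
            pos += width
        return "+" + cc + " " + " ".join(parts)
    if fmt in ("LocalWithPrefix", "LocalNoPrefix"):
        if not digits.startswith(cc):
            raise ValueError("local formats need a number in the default country")
        national = digits[len(cc):]
        return "0" + national if fmt == "LocalWithPrefix" else national
    raise ValueError(f"unknown MobileNumberFormat: {fmt}")
```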

11

EnableRememberMe

Bool

true

Whether or not to show the Remember Me button on the authentication page

12

RememberMeDuration in seconds

Int

2592000

The lifetime of the remember me cookie in seconds

13

LoginCookieExpiration in seconds

Int

900

The lifetime of the login cookie in seconds

14

LoginCookieExpiration is sliding

Bool

true

If the login cookie should follow a sliding period and therefore be extended with new requests

15

TOTP-IssuerName

String

"COS AUTH DEV"

The name stored as the issuer in the TOTP process.

Note

Please make sure this is a unique value for each system.

16

Enable LoginHistory

Bool

true

Whether or not to write login history entries upon each login request

17

Block RemoteIp by invalid logon count

Bool

true / false

Whether or not to block clients that log in incorrectly too often, based on their remote IP address, after a given number of invalid logons.

18

Max invalid login count

Int

5

The number of failed logons that leads to a temporary block of the remote IP, i.e. how many incorrect logins lead to the client being blocked.

19

Invalid login remember duration in seconds

Int

300

Number of seconds for which failed logins are remembered.

How many seconds a remote IP will be blocked after a he was

ReCaptchaKey

string

Google ReCaptcha API-Key

ReCaptchaSecret

string

Google ReCaptcha API-Secret

ReCaptchaSecret-HttpClientSettings

{
    "IgnoreSslErrors": false,
    "UseProxy": true,
    "AllowAutoRedirect": true,
    "ProxyConfiguration": null
}

IgnoreSslErrors: No error for invalid SSL certificates
UseProxy: Whether a proxy should be used (if true and ProxyConfiguration = null, the default Windows proxy is used; see Internet Explorer settings)
AllowAutoRedirect: Follow 301 and 302 status codes
ProxyConfiguration: Configuration of the proxy settings

Verify email address

true / false

Defines whether email addresses have to be validated for a successful login.

Trusted email address hosts regex

regex

Regex string; if the email address matches, it is automatically considered validated.

Reverify email address

true / false

Defines whether email addresses have to be revalidated on a regular basis.

Reverify email address every x days

Number

Defines how often email addresses have to be revalidated.

Password complexity configuration

regex-array, Example: [ ".{8,32}", "[A-Z]", "[a-z]", "[0-9]" ]

List of regex definitions which ALL must match for a password to be valid.

Disable password reset

true / false

Defines whether a password reset is possible

The following configuration settings are available for the Kestrel server:

Parameter / Values / Description

UseSSL

true / false

Determines whether the service should run as http or https

SSL-Certificate-Data

byte[] (Base64 Encoded)

SSL certificate file
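The remote-IP blocking described by the rows Block RemoteIp by invalid logon count, Max invalid login count and Invalid login remember duration above, as an added Python example that is not the service's own code. The class name is assumed, and because row 19 reads both as the window in which failures are counted and as the block duration, the example keeps those as two parameters that default to the same 300 seconds.

```python
import time
from collections import defaultdict, deque


class RemoteIpBlocker:
    """Temporarily block a remote IP after too many invalid logons.

    Parameters mirror the page's settings: "Block RemoteIp by invalid logon
    count" (enabled), "Max invalid login count" (5) and "Invalid login remember
    duration in seconds" (300). Splitting the remember window from the block
    duration is an assumption; the page's example uses 300 for both.
    """

    def __init__(self, enabled=True, max_invalid=5, remember_seconds=300, block_seconds=300):
        self.enabled = enabled
        self.max_invalid = max_invalid
        self.remember_seconds = remember_seconds
        self.block_seconds = block_seconds
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time at which the block ends

    def is_blocked(self, ip, now=None):
        """True while the IP is inside its block period; call before authenticating."""
        now = time.monotonic() if now is None else now
        until = self._blocked_until.get(ip)
        if until is not None and now < until:
            return True
        self._blocked_until.pop(ip, None)     # block expired: forget it
        return False

    def record_failure(self, ip, now=None):
        """Register one invalid logon; return True if it triggered a block."""
        now = time.monotonic() if now is None else now
        window = self._failures[ip]
        window.append(now)
        cutoff = now - self.remember_seconds
        while window and window[0] < cutoff:  # drop failures older than the window
            window.popleft()
        if self.enabled and len(window) >= self.max_invalid:
            self._blocked_until[ip] = now + self.block_seconds
            window.clear()                    # the block supersedes the counter
            return True
        return False
```

The `now` argument exists so the logic can be exercised deterministically; in the service the clock would be implicit.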

20

LoginHistory: OnlyLatest

Bool

true

If set to true only the last login of a user will be logged. If set to false, each login of a user will be logged.

21

Enable Welcome-Page

Bool

true

Whether or not to show the Welcome-Page on the IDP or to simply return a 404.

22

Enable Console Logger

Bool

false

Whether or not to enable a console logger

23

Enable DeveloperExceptionPage

Bool

false

Whether or not to enable the developer exception pages

24

Enable Log4Net

Bool

true

Whether or not to enable the Log4Net configuration.

25

Backend API URI

String

"https://localhost:8000/api/"

The URL to the backend API

26

Backend API-HttpClientSettings

HTTPClient Settings

{
    "IgnoreSslErrors": true,
    "UseProxy": false,
    "AllowAutoRedirect": true,
    "ProxyConfiguration": null
}

Any HttpClient settings for the backend connection if needed.

IgnoreSslErrors: Do not throw an error if the SSL certificate is not valid
UseProxy: Should a proxy be used? (If true and there is no ProxyConfiguration, the default Windows settings will be used)
AllowAutoRedirect: Follow 301 and 302 status codes?
ProxyConfiguration: Proxy settings

27

ReCaptchaKey

String

“AD34FAE”

The Google ReCaptcha Key

28

ReCaptchaSecret

String

“FFFFAD34FAE”

The Google ReCaptcha Secret

29

Verify email address

Bool

true

Whether or not users need to verify their mail

30

Trusted email address hosts regex

String

".*(itsense.ch|coreone.ch)"

Domains to exclude from the verify email address process

31

Reverify email address

Bool

true

Whether or not users need to reverify their mail address on a periodic basis

32

Reverify email address every x days

Int

90

After how many days since the last verification date users need to reverify their mail address

33

Password complexity configuration

Note

deprecated for version >= 5.x

35

DisablePasswordReset

Note

deprecated for version >= 5.x

36

Default logonmethods allowed during secret reset (EmptyEntry => No Verification)

Note

deprecated for version >= 5.x

37

OutgoingConnectionsHttpClientSettings

HTTPClient Settings

{
    "IgnoreSslErrors": true,
    "UseProxy": false,
    "AllowAutoRedirect": true,
    "ProxyConfiguration": null
}

Any HttpClient settings for outgoing connections if needed.

IgnoreSslErrors: Do not throw an error if the SSL certificate is not valid
UseProxy: Should a proxy be used? (If true and there is no ProxyConfiguration, the default Windows settings will be used)
AllowAutoRedirect: Follow 301 and 302 status codes?
ProxyConfiguration: Proxy settings
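An added configuration check, not the service's own code, over the HttpClientSettings rows (Backend API, SMS-Provider, ReCaptchaSecret and OutgoingConnections), UseSSL and SMS-Provider-Settings: it flags IgnoreSslErrors=true, UseSSL=false and BasicAuthentication over an http:// BaseUrl, which are the weak values a reviewer would look for in this table. The function name and the sample dictionary are assumptions; the sample values are constructed from the page's examples.

```python
import json
from urllib.parse import urlsplit

# The four parameters on the page that share the HttpClientSettings JSON layout.
HTTP_CLIENT_SETTINGS = (
    "Backend API-HttpClientSettings",
    "SMS-Provider-HttpClientSettings",
    "ReCaptchaSecret-HttpClientSettings",
    "OutgoingConnectionsHttpClientSettings",
)


def _as_dict(value):
    """JSON-valued settings are stored as strings (data type String on the page)."""
    if value is None:
        return {}
    return json.loads(value) if isinstance(value, str) else value


def audit_settings(settings):
    """Return one finding per weak value found in a settings dictionary."""
    findings = []
    if settings.get("UseSSL") is False:
        findings.append("UseSSL=false: the service answers over plain HTTP, "
                        "so logon credentials and cookies travel unencrypted")
    for key in HTTP_CLIENT_SETTINGS:
        hc = _as_dict(settings.get(key))
        if hc.get("IgnoreSslErrors") is True:
            findings.append(f"{key}: IgnoreSslErrors=true disables certificate "
                            "validation, so the connection can be intercepted")
        if hc.get("UseProxy") is True and hc.get("ProxyConfiguration") is None:
            findings.append(f"{key}: UseProxy=true without ProxyConfiguration "
                            "falls back to the system proxy settings")
    sms = _as_dict(settings.get("SMS-Provider-Settings"))
    if (sms.get("SecurityMethod") == "BasicAuthentication"
            and urlsplit(sms.get("BaseUrl", "")).scheme == "http"):
        findings.append("SMS-Provider-Settings: BasicAuthentication over an "
                        "http:// BaseUrl sends Username/Password in cleartext")
    return findings


# Constructed sample assembled from the page's example values.
SAMPLE_SETTINGS = {
    "UseSSL": True,
    "Backend API-HttpClientSettings":
        '{"IgnoreSslErrors": true, "UseProxy": false, "AllowAutoRedirect": true, "ProxyConfiguration": null}',
    "SMS-Provider-HttpClientSettings":
        '{"IgnoreSslErrors": false, "UseProxy": true, "AllowAutoRedirect": true, "ProxyConfiguration": null}',
    "SMS-Provider-Settings":
        '{"Method": "Get", "BaseUrl": "http://myRestSmsApi/{mobilenumber}/{message}", '
        '"SecurityMethod": "BasicAuthentication", "Username": "MyUserName", "Password": "MyPw"}',
}
```

Run against the page's own example values the check reports three findings: the backend client ignoring TLS errors, the SMS client relying on the system proxy, and Basic authentication to an http:// SMS API.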

39

Subject-Prefix

String

‘c1s’

The prefix for the subject. The subject will always be the prefix + “:” + the unique identifier.

Note

Make sure to choose something meaningful here

40

ShowTermsAndConditions

Bool

true

Whether or not the terms and conditions feature is active

41

ShowPrivacyPolicy

Bool

true

Whether or not the privacy policy feature is active

42

CoreOne Suite Web Url

Note

deprecated for version >= 5.x

44

Contact page feedback URL

Note

deprecated for version >= 5.x

45

Password Generator Type

Note

deprecated for version >= 5.x

46

SamlTimeComparisonTolerance

Int

47

AwsSnsAccessKeyId

Encrypted String

* * * *

The AWS SNS Access Key Id

48

AwsSnsAccessKeySecret

Encrypted String

* * * *

The AWS SNS Access Key Secret

49

SamlRequestTrustLengthInMinutes

Int

10

The SAML Message Trust Length

50

EnableFireEventInvalidLogin

Bool

true

Whether or not to fire an invalid login event. You can register for that event and inform users about attempted logins.

51

MaxInvalidLoginCountWithoutFiringEvent

Int

5

The amount of invalid logins that are allowed by the remote IP before an invalid login event is fired.

52

FireEventInvalidLoginCacheDurationInMinutes

Int

5

How many minutes the invalid logins should be cached.

53

DisableReactivation

Bool

true

Whether or not to disable the reactivation process on the authentication page.

54

DisableActivation

Bool

true

Whether or not to disable the activation process on the authentication page.

56

HowManyPastPasswordsToStore

Int

10

In order to provide a password history, the authentication service marks old passwords as deleted. This setting indicates how many of those should be stored.

57

Totp Validator Type

Note

deprecated for version >= 5.x

58

SupportedCultures

JSON String Array

[
    "DE",
    "EN",
    "FR",
    "IT"
]

The supported UI languages. You can remove or add entries.

59

DefaultCulture

String

“DE”

The default culture to use

60

NtpTimeServers

JSON String Array

[
    "ntp.company.com"
]

By default the Authentication Service uses some predefined NTP servers to do a time sync that is needed for TOTP validation. You can change those defaults here.

61

NistTimeServers

JSON String Array

[
    "nist.company.com"
]

By default the Authentication Service uses some predefined NIST servers to do a time sync that is needed for TOTP validation. You can change those defaults here.

62

HttpTimeServers

JSON String Array

[
    "time.company.com"
]

By default the Authentication Service uses some predefined HTTP servers to do a time sync that is needed for TOTP validation. You can change those defaults here.

63

BackendApiUriV2

String

'https://localhost:8000/apiv2/'

The URL of the backend API V2

100

InstanceRandomBytes

String

"0EDeH/p/asdfasdf+o="

Random bytes to sign tokens (if not signed with a certificate)

101

SigningCredentialsData

Encrypted String

* * * *

The credentials to the signing certificate if needed

102

SigningCredentialsFormat

String

"CertStore"

The format of the signing certificate

103

SigningCredentialsStoreCertificateSubjectDistinguishedName

String

"CN=coslogin.local, OU=Development, O=ITSENSE AG, L=Aarau, S=AG, C=CH"

The DN of the signing certificate if configured

104

WsFederationPluginLicensee

Encrypted String

* * * *

The licence information for the plugin

105

WsFederationPluginLicenseKey

Encrypted String

* * * *

The licence key for the plugin

106

SamlPluginLicensee

Encrypted String

* * * *

The licence information for the plugin

107

SamlPluginLicenseKey

Encrypted String

* * * *

The licence key for the plugin

108

EnableInactivityLogout

Note

deprecated for version >= 5.x

110

EnablePortal

Note

deprecated for version >= 5.x

111

OperationalStateCleanupSleepInMinutes

Int

60

How often the operational state clean up should be performed

112

OperationalStateCleanupOlderThanInMinutes

Int

720

Data that is older than this value will be cleaned
