...
Name | Datatype | Mandatory | Example | Description
---|---|---|---|---
Identity Token Life Time | Seconds | ✅ | 3600 | Defines the lifetime of the identity token that will be issued for a user.
Access token life time | Seconds | ✅ | 3600 | Defines the lifetime of the access token that will be issued for a user and a specific client.
Authorization code life time | Seconds | ✅ | 60 | Defines the lifetime of the authorization code that is used in some authentication processes. A shorter lifetime is more secure!
Refresh token expiration type | Drop Down | ✅ | Absolute | 
Sliding refresh token life time | Seconds | ✅ | 1296000 / 15 days | Sliding lifetime of a refresh token in seconds.
Absolute refresh token life time | Seconds | ✅ | 2592000 / 30 days | Maximum lifetime of a refresh token in seconds.
Always include user claims in id token | Checkbox | ✅ | false | When enabled, the requested user claims are included in the ID token. If disabled, the user claims have to be requested from the user info endpoint.
Update access token claims on refresh | Checkbox | ✅ | true | Defines whether or not the access token should be refreshed when a refresh token is requested.
Include JSON web tokens | Checkbox | ✅ | true | Specifies whether JWT access tokens should have an embedded unique ID (via the jti claim).
Refresh token usage type | Drop Down | ✅ | OneTime | 
Access token type | Drop Down | ✅ | JWT | Specifies whether the access token is a reference token or a self-contained JWT.
Custom subject type | Drop Down | | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress | Specifies what is delivered as the identifier in the token: for OpenID Connect it sets the sub claim, for SAML the NameIdentifier.

Authentication

Name | Datatype | Mandatory | Example | Description
---|---|---|---|---
Require Consent | Checkbox | ✅ | false | Defines whether or not the user needs to give consent when accessing this client.
Allow remember me | Checkbox | ✅ | false | Whether or not the user is presented with the option to select “remember me”, which persists a cookie in the client's browser for any subsequent logins.
Enable local authentication | Checkbox | ✅ | true | Specifies whether this client can use CoreOne Suite users, or external providers only.
URI | string | | https://www.coreone.ch | The URL of the client / application.
Email verification redirect uri | REGEX Pattern | | regex:^https:\/\/webshop\.ch$ | If any external systems use URLs to verify the e-mail address of users, the redirect URI provided in the link is tested against the configured pattern.
Post logout redirect URIs | REGEX Pattern | | regex:^https:\/\/webshop\.ch$ | The client will provide a URL where the user will be logged out. It is good practice to test those URLs against a pattern to ensure that the user can only be redirected to previously configured URLs. This significantly increases the security of the system.
Identity provider restrictions | REGEX Pattern | | regex:^https:\/\/swissid\.ch$ | Defines the external identity providers that are allowed. If you do not specify any, all configured IdPs are allowed. Version 7 and above.
Required Multi-Factor Authentication | Checkbox | ✅ | true | Whether or not MFA is required for the client. Deprecated in version 6 and above.
Allow self-registration | Checkbox | ✅ | true | Whether or not self-registration is allowed for this client.
Activation disabled | Checkbox | ✅ | true | If the activation process is enabled in the system, you can disable it for a specific client.
Show in self-service | Checkbox | ✅ | true | Whether or not the client should be listed in the user self-service portal.
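The three REGEX Pattern settings above (email verification redirect URI, post logout redirect URIs, identity provider restrictions) all use the `regex:^...$` form, and the anchors are what make the check strict. The following Python is an added example, not CoreOne Suite's own validation code: it assumes the `regex:` prefix is stripped and the remainder applied as a plain search, and it uses constructed candidate URIs to show that the page's anchored pattern only ever accepts the exact configured origin, while the same pattern without `^`/`$` also accepts look-alike hosts and URLs that merely contain the configured value.

```python
import re

REGEX_PREFIX = "regex:"


def compile_pattern(configured: str) -> re.Pattern:
    """Turn a configured value such as 'regex:^https:\\/\\/webshop\\.ch$' into a compiled
    regex. The 'regex:' prefix is the page's syntax; stripping it this way is an assumption."""
    if not configured.startswith(REGEX_PREFIX):
        raise ValueError(f"expected a value starting with {REGEX_PREFIX!r}: {configured!r}")
    return re.compile(configured[len(REGEX_PREFIX):])


def is_anchored(configured: str) -> bool:
    """Configuration lint: a redirect pattern should start with '^' and end with '$';
    otherwise it only has to occur somewhere inside the candidate URI."""
    body = configured[len(REGEX_PREFIX):] if configured.startswith(REGEX_PREFIX) else configured
    return body.startswith("^") and body.endswith("$")


def redirect_allowed(uri: str, configured: str) -> bool:
    """True when the candidate URI is accepted by the configured pattern.
    re.search is used on purpose so that the effect of the anchors is visible."""
    return compile_pattern(configured).search(uri) is not None


# Constructed sample input (not from the original page): the page's anchored pattern,
# an unanchored variant of it, and a set of candidate post-logout redirect URIs.
ANCHORED = r"regex:^https:\/\/webshop\.ch$"
UNANCHORED = r"regex:https:\/\/webshop\.ch"
CANDIDATES = [
    "https://webshop.ch",                                # the configured origin itself
    "https://webshop.ch.example.net",                    # look-alike host with extra labels
    "https://webshop.ch/logout?next=https://example.net",  # configured host, extra path/query
    "http://webshop.ch",                                 # wrong scheme
    "https://example.net/?return=https://webshop.ch",    # configured value embedded in a query
]


def evaluate(configured: str) -> dict:
    """Map every candidate URI to the allow/deny decision for one configured pattern."""
    return {uri: redirect_allowed(uri, configured) for uri in CANDIDATES}


if __name__ == "__main__":
    for name, pattern in (("anchored", ANCHORED), ("unanchored", UNANCHORED)):
        print(f"{name} pattern (is_anchored={is_anchored(pattern)}):")
        for uri, ok in evaluate(pattern).items():
            print(f"  {'allow' if ok else 'deny':5} {uri}")
```

With the anchored pattern only `https://webshop.ch` is allowed; with the unanchored one, three of the five candidates pass, which is exactly the class of redirect the page says the pattern check is there to prevent. `is_anchored` is the cheap review you can run over every REGEX Pattern value before saving a client.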
...