...
The following general configuration parameters are available:
Id | Parameter | Available from version | Data type | Example values | Description
---|---|---|---|---|---
1 | PluginList | 4.0 | JSON String Array | | An array with all the supported logon methods. You can add your own by specifying the appropriate namespace in the plugin list.
2 | UseSSL | 4.0 | Bool | true | Whether or not to force the usage of SSL
3 | SSL-Certificate-Data | 4.0 | Encrypted String | * * * * * | If set, this certificate can be used to sign tokens
4 | SSL-Certificate-Password | 4.0 | Encrypted String | * * * * * | The password to the certificate data, if needed
5 | SSL-Certificate-Format | 4.0 | String | "pfx" | The type of the certificate
9 | SMS-Provider-Type | 4.0 | String | "iTsense.CoreLogin2.Server.SmsProviders.LogConsoleSmsProvider,iTsense.CoreLogin2.Server" (starting from version 8.x a shorter form is accepted) | The SMS provider implementation to use for sending SMS messages. Supported types: … Or, starting from version 8, simply: …
10 | SMS-Provider-Settings | 4.0 | String | | The settings for the configured SMS provider, as documented at https://itsense.atlassian.net/l/cp/EupyJ6Sq
11 | EnableRememberMe | 4.0 | Bool | true | Whether or not to show the Remember Me button on the authentication page
12 | RememberMeDuration in seconds | 4.0 | Int | 2592000 | The lifetime of the remember-me cookie in seconds
13 | LoginCookieExpiration in seconds | 4.0 | Int | 900 | The lifetime of the login cookie in seconds
14 | LoginCookieExpiration is sliding | 4.0 | Bool | true | Whether the login cookie should follow a sliding expiration and therefore be extended with each new request
15 | TOTP-IssuerName (from 8.0: Publisher-IssuerName) | 4.0 / 8.0 | String | "COS AUTH DEV" | The name stored as the issuer in the TOTP process. Starting from version 8 this is also used in other places, such as SMS OTPs, and has been renamed to the more generic Publisher-IssuerName
16 | Enable LoginHistory | 4.0 | Bool | true | Whether or not to write login history entries upon each login request
17 | Block RemoteIp by invalid logon count | 4.0 | Bool | true | Whether or not to block clients based on their remote IP address after a given number of invalid logon attempts.
18 | Max invalid login count | 4.0 | Int | 5 | The number of failed logon attempts that will lead to a temporary block of the remote IP.
19 | Invalid login remember duration in seconds | 4.0 | Int | 300 | How many seconds a remote IP will be blocked after it was …
20 | LoginHistory: OnlyLatest | 4.0 | Bool | true | If set to true, only the last login of a user will be logged. If set to false, each login of a user will be logged.
21 | Enable Welcome-Page | 4.0 | Bool | true | Whether or not to show the Welcome-Page on the IDP or to simply return a 404.
22 | Enable Console Logger | 4.0 | Bool | false | Whether or not to enable a console logger
23 | Enable DeveloperExceptionPage | 4.0 | Bool | false | Whether or not to enable the developer exception pages
24 | Enable Log4Net | 4.0 | Bool | true | Whether or not to enable the Log4Net configuration.
25 | Backend API URI | 4.0 | String | | The URL to the backend API
26 | Backend API-HttpClientSettings | 4.0 | | | Any HttpClient settings for the backend connection (connection to the application server), if needed. IgnoreSslErrors: do not throw an error if the SSL certificate is not valid
27 | ReCaptchaKey | 5.0 | String | "AD34FAE" | The Google ReCaptcha key
28 | ReCaptchaSecret | 5.0 | String | "FFFFAD34FAE" | The Google ReCaptcha secret
29 | Verify email address | 5.0 | Bool | true | Whether or not users need to verify their mail address
30 | Trusted email address hosts regex | 5.0 | String | ".*(itsense.ch\|coreone.ch)" | Domains to exclude from the verify-email-address process
31 | Reverify email address | 5.0 | Bool | true | Whether or not users need to reverify their mail address on a periodic basis
32 | Reverify email address every x days | 5.0 | Int | 90 | After how many days since the last verification date users need to reverify their mail address
33 | Password complexity configuration | 4.0 | | |
35 | DisablePasswordReset | 4.0 | | |
36 | Default logonmethods allowed during secret reset (EmptyEntry => No Verification) | 4.0 | | |
37 | OutgoingConnectionsHttpClientSettings | 5.0 | | | Any HttpClient settings for outgoing connections (such as SwissId authentication, etc.), if needed. IgnoreSslErrors: do not throw an error if the SSL certificate is not valid
39 | Subject-Prefix | 5.0 | String | "c1s" | The prefix for the subject. The subject will always be the prefix + ":" + the unique identifier.
40 | ShowTermsAndConditions | 5.0 | Bool | true | Whether or not the terms and conditions feature is active
41 | ShowPrivacyPolicy | 5.0 | Bool | true | Whether or not the privacy policy feature is active
42 | CoreOne Suite Web Url | 4.0 | | |
44 | Contact page feedback URL | 4.0 | | |
45 | Password Generator Type | 4.0 | | |
46 | SamlTimeComparisonTolerance | 5.0 | Int | |
47 | AwsSnsAccessKeyId | 5.0 | Encrypted String | * * * * | The AWS SNS access key ID
48 | AwsSnsAccessKeySecret | 5.0 | Encrypted String | * * * * | The AWS SNS access key secret
49 | SamlRequestTrustLengthInMinutes | 5.0 | Int | 10 | The SAML message trust length
50 | EnableFireEventInvalidLogin | 6.0 | Bool | true | Whether or not to fire an invalid login event. You can register to that event and inform users about attempted logins.
51 | MaxInvalidLoginCountWithoutFiringEvent | 6.0 | Int | 5 | The number of invalid login attempts allowed from a remote IP before an invalid login event is fired.
52 | FireEventInvalidLoginCacheDurationInMinutes | 6.0 | Int | 5 | How many minutes the invalid login attempts should be cached.
53 | DisableReactivation | 6.0 | Bool | true | Whether or not to disable the reactivation process on the authentication page.
54 | DisableActivation | 6.0 | Bool | true | Whether or not to disable the activation process on the authentication page.
56 | HowManyPastPasswordsToStore | 6.0 | Int | 10 | In order to provide a password history, the authentication service marks old passwords as deleted. This setting indicates how many of those should be stored.
57 | Totp Validator Type | 4.0 | | |
58 | SupportedCultures | 5.0 | JSON String Array | | The supported UI languages. You can remove or add entries.
59 | DefaultCulture | 6.0 | String | "DE" | The default culture to use
60 | NtpTimeServers | 5.0 | JSON String Array | | By default the Authentication Service uses some predefined NTP servers for the time sync that is needed for TOTP validation. You can change those defaults here.
61 | NistTimeServers | 5.0 | JSON String Array | | By default the Authentication Service uses some predefined NIST servers for the time sync that is needed for TOTP validation. You can change those defaults here.
62 | HttpTimeServers | 5.0 | JSON String Array | | By default the Authentication Service uses some predefined HTTP servers for the time sync that is needed for TOTP validation. You can change those defaults here.
63 | BackendApiUriV2 | 6.0 | String | | The URL of the backend API V2
65 | CheckUserUnfinishedCertifications | 7.0 | Bool | false | Whether or not the system should check if the current user has any unfinished certification processes. If there are any, the system will prevent the user from logging in until those certification processes have been finished.
66 | SelfServiceUrl | 7.0 | String | "https://portal.coreone.ch" | The URL to the Self-Service Portal, used in combination with the settings above and below.
67 | CheckDeactivatedDelegations | 7.0 | Bool | false | Whether or not the system should check if the current user has any deactivated delegations for the current application. If there are any, the system will inform the user about the delegations on the first login.
68 | UseRequestIdInQueryString | 8.0 | Bool | false | Whether or not the RequestId should be passed in the URL from request to request. This is needed if the browser or the app does not support cookies. Only enable this if that is the case.
100 | InstanceRandomBytes | 5.0 | String | "0EDeH/p/asdfasdf+o=" | Random bytes used to sign tokens (if not signed with a certificate)
101 | SigningCredentialsData | 5.0 | Encrypted String | * * * * | The credentials for the signing certificate, if needed
102 | SigningCredentialsFormat | 5.0 | String | "CertStore" | The format of the signing certificate; use "None" to disable static keys and rely on Automatic-Key-Rotation only (see settings 115-121)
103 | SigningCredentialsStoreCertificateSubjectDistinguishedName | 5.0 | String | "CN=coslogin.local, OU=Development, O=ITSENSE AG, L=Aarau, S=AG, C=CH" | The DN of the signing certificate, if configured
104 | WsFederationPluginLicensee | 5.0 | Encrypted String | * * * * | The licence information for the plugin
105 | WsFederationPluginLicenseKey | 5.0 | Encrypted String | * * * * | The licence key for the plugin
106 | SamlPluginLicensee | 5.0 | Encrypted String | * * * * | The licence information for the plugin
107 | SamlPluginLicenseKey | 5.0 | Encrypted String | * * * * | The licence key for the plugin
108 | EnableInactivityLogout | 4.0 | | |
110 | EnablePortal | 4.0 | | |
111 | OperationalStateCleanupSleepInMinutes | 5.8 | Int | 60 | How often the operational state clean-up should be performed
112 | OperationalStateCleanupOlderThanInMinutes | 5.8 | Int | 720 | Data older than this value will be cleaned up
113 | WelcomePageRedirectUrl | 7.0 | String | https://www.mycompany.com | If the user lands on the Welcome Page of the Authentication Service, they will be redirected to the configured URL automatically
114 | Captcha provider name | 7.0 | String | hcaptcha | You can use either recaptcha or hcaptcha.
115 | Automatic-Key-Rotation Disabled | 8.2 | Bool | false | Whether or not the server should automatically create and rotate its signing keys
116 | Automatic-Key-Rotation Signing Algorithms | 8.2 | JSON Array | | Signing algorithms and whether to wrap the keys in an X.509 certificate or not. Used to generate keys during Automatic-Key-Rotation. A key for each algorithm is generated and published in the discovery document during key rotation. For valid algorithm names see RFC 7518 Section 3.1
117 | Automatic-Key-Rotation DataProtection | 8.2 | Bool | true | Whether or not to encrypt stored keys
118 | Automatic-Key-Rotation Delete Retired Keys | 8.2 | Bool | true | Whether or not to delete retired keys from the store
119 | Automatic-Key-Rotation Interval in days | 8.2 | Double | 30 | New keys every X days
120 | Automatic-Key-Rotation PropagationTime in days | 8.2 | Double | 2 | Announce the new key 2 days in advance in the discovery document. The backend caches discovery for 24h, so you should not use values below 2!
121 | Automatic-Key-Rotation RetentionDuration in days | 8.2 | Double | 7 | Keep the old key for X days in discovery for validation of tokens
122 | PersistedGrantCleanupSleepInMinutes | 8.1.11 | Int | 1440 | How often the persisted grants, such as authorization codes, should be cleaned up
123 | PersistedGrantCleanupOlderThanInMinutes | 8.1.11 | Int | 10080 | The minimum age of a grant, such as an authorization code, before it gets deleted
124 | TotpUsageCleanupSleepInMinutes | 8.1.11 | Int | 60 | How often used TOTPs should be cleaned up
125 | TotpUsageCleanupOlderThanInMinutes | 8.1.11 | Int | 60 | The minimum age of a used TOTP record before it gets deleted
126 | MaxAhvVerificationAttempts | 8.2 | Int | 5 | How many times the check against the Swiss social security register can fail before a support ticket is issued.
127 | AhvVerificationAttemptsExpirationInMinutes | 8.2 | Int | 5 | The time window in minutes within which those failed attempts must occur.
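The per-IP throttle that settings 17-19 (block after N failures, remembered for a duration) and 50-52 (fire an invalid-login event once a second threshold is exceeded within a cache window) describe, as an added illustration of the mechanism; this is not the Authentication Service's own code. The class and method names, the in-memory store, the sliding-window interpretation of the remember duration and the address 198.51.100.7 are assumptions.

```python
"""Per-IP invalid-logon throttle modelled on settings 17-19 and 50-52.
Added illustration, not the Authentication Service's own code; class and
method names and the in-memory store are assumptions."""
from dataclasses import dataclass, field


@dataclass
class ThrottleConfig:
    max_invalid_login_count: int = 5           # setting 18
    invalid_login_remember_seconds: int = 300  # setting 19
    max_invalid_without_event: int = 5         # setting 51
    event_cache_minutes: int = 5               # setting 52


@dataclass
class InvalidLoginThrottle:
    cfg: ThrottleConfig = field(default_factory=ThrottleConfig)
    # remote IP -> timestamps (seconds) of failed attempts; a real deployment
    # would keep this in a shared cache so every node sees the same counter
    failures: dict = field(default_factory=dict)
    events: list = field(default_factory=list)  # fired invalid-login events

    def _count_within(self, ip: str, window_seconds: float, now: float) -> int:
        # Failures older than the longer of the two windows can be forgotten.
        keep_for = max(self.cfg.invalid_login_remember_seconds,
                       self.cfg.event_cache_minutes * 60)
        self.failures[ip] = [t for t in self.failures.get(ip, []) if now - t < keep_for]
        return sum(1 for t in self.failures[ip] if now - t < window_seconds)

    def is_blocked(self, ip: str, now: float) -> bool:
        """Setting 17: refuse the logon while the failure count within the
        remember duration (19) has reached the configured maximum (18)."""
        return self._count_within(ip, self.cfg.invalid_login_remember_seconds, now) \
            >= self.cfg.max_invalid_login_count

    def record_failure(self, ip: str, now: float) -> bool:
        """Record a failed logon; returns True when an invalid-login event
        (setting 50) fires because the event threshold (51) was exceeded
        within the cache duration (52)."""
        self.failures.setdefault(ip, []).append(now)
        recent = self._count_within(ip, self.cfg.event_cache_minutes * 60, now)
        if recent > self.cfg.max_invalid_without_event:
            self.events.append((ip, now))
            return True
        return False
```

With the example values from the table, the fifth failure within 300 seconds blocks the address and the sixth fires the event; once the window has passed the address is admitted again.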
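The key lifecycle that settings 115-121 configure (announce in discovery ahead of time, sign for one interval, keep the retired key available for validation, then delete it), worked through as an added example; this is not the Authentication Service's own code. The phase names, the day-based arithmetic, the kid format and the check that PropagationTime must cover the 24h backend cache mentioned in setting 120 are assumptions about how such a schedule is evaluated.

```python
"""Lifecycle of a signing key under Automatic-Key-Rotation (settings 115-121).
Added illustration, not the service's own code; names and arithmetic are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RotationConfig:
    interval_days: float = 30.0    # setting 119: new key every X days
    propagation_days: float = 2.0  # setting 120: announce X days in advance
    retention_days: float = 7.0    # setting 121: keep retired key X days

    def validate(self) -> None:
        # Setting 120's note: the backend caches the discovery document for
        # 24h, so a key must be announced at least a full day before it signs.
        if self.propagation_days < 1.0:
            raise ValueError("PropagationTime must cover the 24h backend cache")


@dataclass(frozen=True)
class SigningKey:
    kid: str
    activation_day: float  # day on which this key starts signing tokens

    def phase(self, cfg: RotationConfig, day: float) -> str:
        """Where the key is in its lifecycle on the given day."""
        if day < self.activation_day - cfg.propagation_days:
            return "unpublished"  # not yet generated
        if day < self.activation_day:
            return "announced"    # in discovery so relying parties can cache it
        if day < self.activation_day + cfg.interval_days:
            return "signing"      # the current key
        if day < self.activation_day + cfg.interval_days + cfg.retention_days:
            return "retired"      # still in discovery so issued tokens validate
        return "deleted"          # dropped from discovery (and the store, 118)


def rotation_schedule(cfg: RotationConfig, count: int) -> list:
    """Keys the rotation produces, one per interval, the first active on day 0."""
    cfg.validate()
    return [SigningKey(f"kid-{i}", i * cfg.interval_days) for i in range(count)]


def discovery_keys(keys: list, cfg: RotationConfig, day: float) -> list:
    """kids a relying party finds in the discovery document on `day`."""
    visible = ("announced", "signing", "retired")
    return [k.kid for k in keys if k.phase(cfg, day) in visible]
```

With the table's example values there are never more than two keys in discovery at once: the successor joins two days before rotation and the predecessor leaves seven days after it.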
Communication
Info |
---|
All e-mails initiated by the Authentication Service are sent from the Backend Service, because the e-mail templates are defined there. You cannot define a different SMTP server for the Authentication Service. In an HA scenario, where the Authentication Service and the Backend Service are not running on the same server, you only need to make sure that the server running the Backend Service is authorized (e.g. defined as a relay server in Exchange) to send e-mails. |