Introduction
The CoreOne Authentication Service loads most of its configuration from the CoreOne Application Service at runtime, but various settings are read from either the application configuration file or from the setting table. This page describes those settings.
Configuration parameters
The following general configuration parameters are available:
Parameter | Values | Description
---|---|---
SMS-Provider-Type | REST | Currently only REST is implemented
SMS-Provider-Settings | `{"Method":"Get","BaseUrl":"http://myRestSmsApi/{mobilenumber}/{message}","SecurityMethod":"BasicAuthentication","Username":"MyUserName","Password":"MyPw","MobileNumberFormat":"E164","DefaultCountryPrefix":"+41","BodyContent":null,"BodyEncodingCodePage":65001,"BodyMediaType":"text/plain","RestResource":null}` | Method: Get / Post / Put; BaseUrl: REST base URL with the placeholders mobilenumber and message; SecurityMethod: authentication method (currently only BasicAuthentication); Username: user name; Password: password; MobileNumberFormat: E164 (+41 79 111 22 33), InternationalWithPrefix (+41791112233), InternationalWithoutPrefix (41791112233), LocalWithPrefix (0791112233), LocalNoPrefix (791112233); DefaultCountryPrefix: country prefix used if the phone number does not contain one; BodyEncodingCodePage: code page for the body data; BodyMediaType: media type for the body data; RestResource:
SMS-Provider-HttpClientSettings | `{"IgnoreSslErrors":false,"UseProxy":true,"AllowAutoRedirect":true,"ProxyConfiguration":null}` | IgnoreSslErrors: no error on invalid SSL certificates; UseProxy: whether a proxy should be used (if true and ProxyConfiguration = null, the default Windows proxy is used, see the Internet Explorer settings); AllowAutoRedirect: follow 301 and 302 status codes; ProxyConfiguration: configuration of the proxy settings
TOTP-IssuerName | string | Issuer that is used in TOTP barcodes (visible in TOTP clients)
Enable LoginHistory | true / false | Turns the login history on or off
LoginHistory: OnlyLatest | true / false | Defines whether all logins or only the last login should be saved for each user.
Block RemoteIp by invalid logon count | true / false | Defines whether clients that log in incorrectly too often should be blocked.
Max invalid login count | Number | Defines how many incorrect logins lead to the client being blocked.
Invalid login remember duration in seconds | Number | Number of seconds for which faulty logins are remembered.
ReCaptchaKey | string | Google ReCaptcha API key
ReCaptchaSecret | string | Google ReCaptcha API secret
ReCaptchaSecret-HttpClientSettings | `{"IgnoreSslErrors":false,"UseProxy":true,"AllowAutoRedirect":true,"ProxyConfiguration":null}` | IgnoreSslErrors: no error on invalid SSL certificates; UseProxy: whether a proxy should be used (if true and ProxyConfiguration = null, the default Windows proxy is used, see the Internet Explorer settings); AllowAutoRedirect: follow 301 and 302 status codes; ProxyConfiguration: configuration of the proxy settings
Verify email address | true / false | Defines whether email addresses have to be validated for a successful login.
Trusted email address hosts regex | regex | Regex string; if the email address matches, it is automatically considered validated.
Reverify email address | true / false | Defines whether email addresses have to be revalidated on a regular basis.
Reverify email address every x days | Number | Defines how often email addresses have to be revalidated.
Password complexity configuration | regex array, example: `[ ".{8,32}", "[A-Z]", "[a-z]", "[0-9]" ]` | List of regex definitions which ALL must match for a password to be valid.
Disable password reset | true / false | Defines whether a password reset is possible
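As an added example (not code from this page or from CoreOne), the following Python models how the SMS-Provider-Settings above could be applied on the sending side: the five MobileNumberFormat variants with DefaultCountryPrefix handling, and substitution of the BaseUrl placeholders with percent-encoded values so that a message text cannot alter the request path. The names split_number, format_number and build_sms_request are this example's own, and it assumes that numbers without an international prefix belong to DefaultCountryPrefix.

```python
import base64
import json
import re
from urllib.parse import quote

# Constructed SMS-Provider-Settings value, mirroring the JSON shown on this page.
SMS_PROVIDER_SETTINGS = json.loads("""{
  "Method": "Get", "SecurityMethod": "BasicAuthentication",
  "BaseUrl": "http://myRestSmsApi/{mobilenumber}/{message}",
  "Username": "MyUserName", "Password": "MyPw",
  "MobileNumberFormat": "InternationalWithPrefix", "DefaultCountryPrefix": "+41",
  "BodyContent": null, "BodyEncodingCodePage": 65001,
  "BodyMediaType": "text/plain", "RestResource": null
}""")

def split_number(raw, default_prefix):
    """Split a number into (country code, national number). Assumption: numbers
    without an international prefix belong to DefaultCountryPrefix; other
    country codes are rejected (splitting them needs a numbering-plan library)."""
    cc = default_prefix.lstrip("+")
    digits = re.sub(r"[^\d+]", "", raw)   # drop spaces, dashes, brackets
    if digits.startswith("+"):
        digits = digits[1:]
    elif digits.startswith("00"):
        digits = digits[2:]
    elif digits.startswith("0"):
        return cc, digits[1:]             # LocalWithPrefix input
    else:
        return cc, digits                 # LocalNoPrefix input
    if not digits.startswith(cc):
        raise ValueError(f"unsupported country code in {raw!r}")
    return cc, digits[len(cc):]

def format_number(cc, national, fmt):
    """Render the number in one of the MobileNumberFormat values listed above."""
    if fmt == "E164":                     # the page shows "+41 79 111 22 33"
        groups = [national[:2], national[2:5], national[5:7], national[7:]]
        return f"+{cc} " + " ".join(g for g in groups if g)
    forms = {"InternationalWithPrefix": f"+{cc}{national}",
             "InternationalWithoutPrefix": f"{cc}{national}",
             "LocalWithPrefix": f"0{national}",
             "LocalNoPrefix": national}
    if fmt not in forms:
        raise ValueError(f"unknown MobileNumberFormat {fmt!r}")
    return forms[fmt]

def build_sms_request(settings, raw_number, message):
    """Fill the BaseUrl placeholders and build the Basic-auth header.
    Both values are percent-encoded with safe="" so that a message containing
    "/", "?" or "#" cannot change the request path or add query parameters."""
    cc, national = split_number(raw_number, settings["DefaultCountryPrefix"])
    number = format_number(cc, national, settings["MobileNumberFormat"])
    url = (settings["BaseUrl"].replace("{mobilenumber}", quote(number, safe=""))
                              .replace("{message}", quote(message, safe="")))
    headers = {}
    if settings["SecurityMethod"] == "BasicAuthentication":
        cred = f"{settings['Username']}:{settings['Password']}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode("ascii")
    return {"method": settings["Method"].upper(), "url": url, "headers": headers}
```

Keep the returned Authorization header out of log output; the URL is safe to log because the credentials are not part of it.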
The following configuration settings are available for the Kestrel server:

Parameter | Values | Description
---|---|---
UseSSL | true / false | Determines whether the service should run as http or https
SSL-Certificate-Data | byte[] (Base64 encoded) | SSL certificate file
SSL-Certificate-Password | text | Password for the private key of the certificate file (if the service is running in Kestrel and not in IIS)
SSL-Certificate-Format | pfx / pem | Format of the certificate file (currently only pfx supported)
Server-Url | URL | Base URL of the server (incl. port)
Compatibility
The following target system releases are supported:
Id | Parameter | Available from version | Data type | Example values | Description
---|---|---|---|---|---
1 | PluginList | 4.0 | JSON String Array | | An array with all the supported logon methods. You can add your own by specifying the appropriate namespace in the plugin list.
2 | UseSSL | 4.0 | Bool | true | Whether or not to force the usage of SSL
3 | SSL-Certificate-Data | 4.0 | Encrypted String | * * * * * | If set, this certificate can be used to sign tokens
4 | SSL-Certificate-Password | 4.0 | Encrypted String | * * * * * | The password to the certificate data if needed
5 | SSL-Certificate-Format | 4.0 | String | "pfx" | The type of the certificate
9 | SMS-Provider-Type | 4.0 | String | "iTsense.CoreLogin2.Server.SmsProviders.LogConsoleSmsProvider,iTsense.CoreLogin2.Server" or starting from version 8.x | The SMS provider implementation to use for sending SMS messages. Supported types: Or starting from version 8 simply:
10 | SMS-Provider-Settings | 4.0 | String | | The settings for the configured SMS provider as documented at https://itsense.atlassian.net/l/cp/EupyJ6Sq
11 | EnableRememberMe | 4.0 | Bool | true | Whether or not to show the Remember Me button on the authentication page
12 | RememberMeDuration in seconds | 4.0 | Int | 2592000 | The lifetime of the remember me cookie in seconds
13 | LoginCookieExpiration in seconds | 4.0 | Int | 900 | The lifetime of the login cookie in seconds
14 | LoginCookieExpiration is sliding | 4.0 | Bool | true | Whether the login cookie should follow a sliding period and therefore be extended with new requests
15 | TOTP-IssuerName / Publisher-IssuerName | 4.0 / 8.0 | String | "COS AUTH DEV" | The name stored as the issuer in the TOTP process. Starting from version 8, this is also used in other places like SMS OTPs and has been renamed to the more generic Publisher-IssuerName
16 | Enable LoginHistory | 4.0 (deprecated in version 10) | Bool | true | Whether or not to write login history entries upon each login request
17 | Block RemoteIp by invalid logon count | 4.0 | Bool | true | Whether or not to block clients based on their remote IP address after a given number of invalid logon attempts.
18 | Max invalid login count | 4.0 | Int | 5 | The number of failed logon attempts that will lead to a temporary block of the remote IP.
19 | Invalid login remember duration in seconds | 4.0 | Int | 300 | How many seconds a remote IP will be blocked after it was
20 | LoginHistory: OnlyLatest | 4.0 | Bool | true | If set to true, only the last login of a user will be logged. If set to false, each login of a user will be logged.
21 | Enable Welcome-Page | 4.0 | Bool | true | Whether or not to show the Welcome-Page on the IDP or to simply return a 404.
22 | Enable Console Logger | 4.0 | Bool | false | Whether or not to enable a console logger
23 | Enable DeveloperExceptionPage | 4.0 | Bool | false | Whether or not to enable the developer exception pages
24 | Enable Log4Net | 4.0 | Bool | true | Whether or not to enable the Log4Net configuration.
25 | Backend API URI | 4.0 | String | | The URL to the backend API
26 | Backend API-HttpClientSettings | 4.0 | | | Any HttpClient settings for the backend connection (connection to the application server) if needed. IgnoreSslErrors: Do not throw an error if the SSL certificate is not valid
27 | ReCaptchaKey | 5.0 | String | "AD34FAE" | The Google ReCaptcha Key
28 | ReCaptchaSecret | 5.0 | String | "FFFFAD34FAE" | The Google ReCaptcha Secret
29 | Verify email address | 5.0 | Bool | true | Whether or not users need to verify their mail address
30 | Trusted email address hosts regex | 5.0 | String | ".*(itsense.ch\|coreone.ch)" | Domains to exclude from the verify email address process
31 | Reverify email address | 5.0 | Bool | true | Whether or not users need to reverify their mail address periodically
32 | Reverify email address every x days | 5.0 | Int | 90 | After how many days since the last verification date users need to reverify their mail address
33 | Password complexity configuration | 4.0 | | |
35 | DisablePasswordReset | 4.0 | | |
36 | Default logonmethods allowed during secret reset (EmptyEntry => No Verification) | 4.0 | | |
37 | OutgoingConnectionsHttpClientSettings | 5.0 | | | Any HttpClient settings for outgoing connections (such as SwissId Authentication, etc.) if needed. IgnoreSslErrors: Do not throw an error if the SSL certificate is not valid
39 | Subject-Prefix | 5.0 | String | 'c1s' | The prefix for the subject. The subject will always be the prefix + ":" + the unique identifier.
40 | ShowTermsAndConditions | 5.0 | Bool | true | Whether or not the terms and conditions feature is active
41 | ShowPrivacyPolicy | 5.0 | Bool | true | Whether or not the privacy policy feature is active
42 | CoreOne Suite Web Url | 4.0 | | |
44 | Contact page feedback URL | 4.0 | | |
45 | Password Generator Type | 4.0 | | |
46 | SamlTimeComparisonTolerance | 5.0 | Int | | This setting only applies if CoreOne Authentication Service acts in the role of the IdP. If CoreOne Authentication Service acts in the role of SP, the setting must be configured in GenericSamlOptions
47 | AwsSnsAccessKeyId | 5.0 | Encrypted String | * * * * | The AWS SNS Access Key Id
48 | AwsSnsAccessKeySecret | 5.0 | Encrypted String | * * * * | The AWS SNS Access Key Secret
49 | SamlRequestTrustLengthInMinutes | 5.0 | Int | 10 | The SAML Message Trust Length
50 | EnableFireEventInvalidLogin | 5.0 | Bool | true | Whether or not to fire an invalid login event. You can register to that event and inform users about attempted logins.
51 | MaxInvalidLoginCountWithoutFiringEvent | 5.0 | Int | 5 | The number of invalid login attempts that are allowed by the remote IP before an invalid login event is fired.
52 | FireEventInvalidLoginCacheDurationInMinutes | 5.0 | Int | 5 | How many minutes the invalid login attempts should be cached.
53 | DisableReactivation | 5.0 | Bool | true | Whether or not to disable the reactivation process on the authentication page.
54 | DisableActivation | 5.0 | Bool | true | Whether or not to disable the activation process on the authentication page.
56 | HowManyPastPasswordsToStore | 6.0 | Int | 10 | In order to provide a password history the authentication service will mark old passwords as deleted. This setting indicates how many of those should be stored.
57 | Totp Validator Type | 4.0 | | |
58 | SupportedCultures | 6.0 | JSON String Array | | The supported UI languages. You can remove or add entries.
59 | DefaultCulture | 6.0 | String | "DE" | The default culture to use
60 | NtpTimeServers | 6.0 | JSON String Array | | By default the Authentication Service uses some predefined NTP servers to do a time sync that is needed for TOTP validation. You can change those defaults here.
61 | NistTimeServers | 6.0 | JSON String Array | | By default the Authentication Service uses some predefined NIST servers to do a time sync that is needed for TOTP validation. You can change those defaults here.
62 | HttpTimeServers | 6.0 | JSON String Array | | By default the Authentication Service uses some predefined HTTP servers to do a time sync that is needed for TOTP validation. You can change those defaults here.
63 | BackendApiUriV2 | 6.0 | String | | The URL of the backend API V2
65 | CheckUserUnfinishedCertifications | 7.0 | Bool | false | Whether or not the system should check if the current user has any unfinished certification processes. If there are any, the system will prevent the user from logging in, and he has to finish the certification processes before he is able to log in.
66 | SelfServiceUrl | 7.0 | String | "https://portal.coreone.ch" | The URL to the Self-Service Portal, which is used in combination with the setting above and below.
67 | CheckDeactivatedDelegations | 7.0 | Bool | false | Whether or not the system should check if the current user has any deactivated delegations for the current application. If there are any, the system will inform the user about the delegations on the first login.
68 | UseRequestIdInQueryString | 8.0 | Bool | false | Whether or not the RequestId should be passed in the URL from request to request. This is needed if the browser or the app does not support cookies. Only enable this if that is the case.
70 | Nevis ApprovalRequest MessageTemplates | 9.0 | Complex object | | The name keys used for the push notifications.
71 | Nevis Android AppLink | 9.0 | String | | This link will be used to generate the Play Store link to the Authenticator App.
72 | Nevis Apple AppLink | 9.0 | String | | This link will be used to generate the App Store link to the Authenticator App.
73 | Nevis Tenant Id | 9.0 | String | "yourtenantid" | The tenant id of your Nevis Authentication Cloud
74 | Nevis API Key | 9.0 | String | "yourapikey" | The API Key of your Nevis Authentication Cloud
75 | Nevis Customer App Link | 9.0 | String | "https://my.customer.ch/deeplink-proxy/tenant" | If the deep link for the authentication has to be forwarded to a customer-specific proxy, you can define the URL here.
100 | InstanceRandomBytes | 5.0 | String | "0EDeH/p/asdfasdf+o=" | Random bytes to sign tokens (if not signed with a certificate) and encrypt values.
101 | SigningCredentialsData | 5.0 | Encrypted String | * * * * | The credentials to the signing certificate if needed
102 | SigningCredentialsFormat | 5.0 | String | "CertStore" | The format of the signing certificate; use "None" to disable static keys and use Automatic-Key-Rotation only (see settings 115-121)
103 | SigningCredentialsStoreCertificateSubjectDistinguishedName | 5.0 | String | "CN=coslogin.local, OU=Development, O=ITSENSE AG, L=Aarau, S=AG, C=CH" | The DN of the signing certificate if configured
104 | WsFederationPluginLicensee | 5.0 | Encrypted String | * * * * | The licence information for the plugin
105 | WsFederationPluginLicenseKey | 5.0 | Encrypted String | * * * * | The licence key for the plugin
106 | SamlPluginLicensee | 5.0 | Encrypted String | * * * * | The licence information for the plugin
107 | SamlPluginLicenseKey | 5.0 | Encrypted String | * * * * | The licence key for the plugin
108 | EnableInactivityLogout | 4.0 | | |
110 | EnablePortal | 4.0 | | |
111 | OperationalStateCleanupSleepInMinutes | 5.8 | Int | 60 | How often the operational state clean-up should be performed
112 | OperationalStateCleanupOlderThanInMinutes | 5.8 | Int | 720 | Data that is older than this value will be cleaned
113 | WelcomePageRedirectUrl | 7.0 | String | https://www.mycompany.com | If the user lands on the Welcome Page of the Authentication Service, he will be redirected to the configured URL automatically
114 | Captcha provider name | 7.0 | String | hcaptcha | You can either use recaptcha or hcaptcha.
115 | Automatic-Key-Rotation Disabled | 8.2 | Bool | false | Whether or not the server should automatically create and rotate its signing keys
116 | Automatic-Key-Rotation Signing Algorithms | 8.2 | JSON Array | | Signing algorithms and whether to wrap the keys in an X.509 certificate or not. Used to generate keys during Automatic-Key-Rotation. A key for each algorithm is generated and published in the discovery document during key rotation. For valid algorithm names see RFC 7518 Section 3.1
117 | Automatic-Key-Rotation DataProtection | 8.2 | Bool | true | Whether or not to encrypt stored keys
118 | Automatic-Key-Rotation Delete Retired Keys | 8.2 | Bool | true | Whether or not to delete retired keys from the store
119 | Automatic-Key-Rotation Interval in days | 8.2 | double | 30 | New keys every X days
120 | Automatic-Key-Rotation PropagationTime in days | 8.2 | double | 2 | Announce the new key 2 days in advance in discovery; the backend caches for 24h, so you should not use values below 2!
121 | Automatic-Key-Rotation RetentionDuration in days | 8.2 | double | 7 | Keep the old key for X days in discovery for validation of tokens
122 | PersistedGrantCleanupSleepInMinutes | 8.1.11 | Int | 1440 | How often persisted grants, such as authorization codes, should be cleaned up
123 | PersistedGrantCleanupOlderThanInMinutes | 8.1.11 | Int | 10080 | The minimum age of a grant, such as an authorization code, before it gets deleted
124 | TotpUsageCleanupSleepInMinutes | 8.1.11 | Int | 60 | How often used TOTPs should be cleaned up
125 | TotpUsageCleanupOlderThanInMinutes | 8.1.11 | Int | 60 | The minimum age of a TOTP before it gets deleted
126 | MaxAhvVerificationAttempts | 8.2 | Int | 5 | How many times the check against the Swiss social security register can fail before a support ticket is issued.
127 | AhvVerificationAttemptsExpirationInMinutes | 8.2 | Int | 5 | Within how many minutes the failed attempts have to occur.
128 | IsGridDisplay | 8.2.6 | Bool | true | Flag to determine whether External Logon Providers should be displayed as a grid of icons without display names (true) or as a list of buttons (false)
129 | NumberOfIconsInGridRow | 8.2.6 | Int | 6 | Max number of icons in one row of the grid when IsGridDisplay is true
130 | IsExternalProvidersTopComponent | 8.2.6 | Bool | true | Flag to determine whether the list/grid of External Logon Providers should be at the top (true) or the bottom (false) of the login page
131 | ExternalLogonIdTokenCleanupSleepInMinutes | 9.1 | Int | 60 | How often obsolete id_tokens should be cleaned up (these are the ones used in the external logon logout process). If set to 0, this disables the feature.
132 | ExternalLogonIdTokenCleanupOlderThanInMinutes | 9.1 | Int | 60 | The minimum age of an id_token before it becomes obsolete
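The remote-IP blocking settings (Ids 17-19) and the invalid-login event settings (Ids 50-52) describe two independent sliding windows over failed logons. The following Python is an illustrative model of that behaviour added here, not the service's own implementation; the class InvalidLogonTracker and its methods are this example's own names, and the choice to reset the event window after an event fires is a modelling assumption.

```python
from collections import defaultdict, deque

# Constructed values for settings 17-19 and 50-52 of the table above.
LOGON_SETTINGS = {
    "Block RemoteIp by invalid logon count": True,
    "Max invalid login count": 5,
    "Invalid login remember duration in seconds": 300,
    "EnableFireEventInvalidLogin": True,
    "MaxInvalidLoginCountWithoutFiringEvent": 5,
    "FireEventInvalidLoginCacheDurationInMinutes": 5,
}

class InvalidLogonTracker:
    """Sliding-window model of the per-remote-IP blocking and event settings.
    Illustrative only: every failed logon is remembered for the configured
    number of seconds; the IP is blocked while the remembered failures reach
    the maximum, and an event fires once the allowed count is exceeded."""

    def __init__(self, settings):
        self.block = settings["Block RemoteIp by invalid logon count"]
        self.max_count = settings["Max invalid login count"]
        self.remember = settings["Invalid login remember duration in seconds"]
        self.fire_event = settings["EnableFireEventInvalidLogin"]
        self.event_after = settings["MaxInvalidLoginCountWithoutFiringEvent"]
        self.event_window = settings["FireEventInvalidLoginCacheDurationInMinutes"] * 60
        self._block_failures = defaultdict(deque)   # ip -> failure timestamps
        self._event_failures = defaultdict(deque)   # separate window for events
        self.events = []                            # (ip, timestamp) of fired events

    @staticmethod
    def _prune(window, now, ttl):
        """Forget failures that are at least ttl seconds old."""
        while window and now - window[0] >= ttl:
            window.popleft()

    def is_blocked(self, ip, now):
        """True while the remembered failures of ip reach the maximum."""
        if not self.block:
            return False
        window = self._block_failures[ip]
        self._prune(window, now, self.remember)
        return len(window) >= self.max_count

    def record_failure(self, ip, now):
        """Register a failed logon at time now (seconds); return whether ip is blocked."""
        self._block_failures[ip].append(now)
        window = self._event_failures[ip]
        self._prune(window, now, self.event_window)
        window.append(now)
        if self.fire_event and len(window) > self.event_after:
            self.events.append((ip, now))   # hook: notify the affected user here
            window.clear()                  # modelling choice: one event per burst
        return self.is_blocked(ip, now)
```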
Communication
All e-mails initiated by the Authentication Service are sent from the Backend Service, because the e-mail templates are defined there. You cannot define a different SMTP server for the Authentication Service. In an HA scenario, where the Authentication Service and the Backend Service are not running on the same server, you only need to make sure that the server running the Backend Service is authorized to send e-mails (e.g. defined as a relay server in Exchange).