...

| Name | Datatype | Mandatory | Example | Description |
|---|---|---|---|---|
| Token specification | Drop Down | | oidc | Choose any of the supported token specifications: oidc, saml2p or ws-fed. Info: depending on your selection, the subsequent parameters might change. |
| Client identificator | String | | webshop_android | Each client must be uniquely identified. Provide a value that you must also use in the client's configuration later on. Choose either something self-explanatory or a random value if you want to hide the purpose of the client as a security measure. |
| Name | String | | Android Webshop Application | Identifies your client in a technical way in the system. |
| Displayname | String | | Android Webshop Application | Non-technical name used to display the application in various places such as the Self-Service Portal. (Version 7 and above) |
| Logout URI | URL | | https://www.webshop.com/logout | If no logout URL is provided by the client, the user will be redirected to this URL after a logout. |
| Redirect Uri (Regex) * | REGEX Pattern | | `regex:^https:\/\/webshop\.ch$` | The client provides a URL to which the user will be redirected after a successful authentication. It is good practice to test those URLs against a pattern to ensure that the user can only be redirected to previously configured URLs. This significantly increases the security of the system. Note: wildcards can be configured, but only do this when absolutely necessary. |
| Scope | Multi Value | | profile email | A list of scopes that the client can request. If the client requests a scope that is not part of this configuration, it will not be able to perform an authentication. Note: be careful to allow only the scopes that are really necessary for the application to work. |
| Default level of authentication entry | Drop Down | | Default | Select a default level of authentication entry that will be used to determine the authentication flow for the user. |
| Validate user password using Application Service | Checkbox | | | Indicates whether the backend should be used to validate the user password (which involves an API call and checks the password as well as the password policies). Otherwise validation is done internally in the Authentication Service and password policies are not checked. Default value: TRUE |
| Token | | | | For an in-detail description of the various tokens, see the Token documentation. |

...

| Name | Datatype | Mandatory | Example | Description |
|---|---|---|---|---|
| Require Consent | Checkbox | | false | Defines whether or not the user needs to give consent when accessing this client. |
| Allow remember me | Checkbox | | false | Whether or not the user is presented with the option to select "remember me", which causes a cookie to be persisted in the client's browser for any subsequent logins. |
| Enable local authentication | Checkbox | | true | Specifies if this client can use CoreOne Suite users, or external providers only. |
| URI | String | | https://www.coreone.ch | The URL of the client / application. |
| Email verification redirect uri | REGEX Pattern | | `regex:^https:\/\/webshop\.ch$` | If external systems use URLs to verify the e-mail address of authenticating users, the redirect URI provided in the link is tested against this configured pattern. Note: wildcards can be configured, but only do this when absolutely necessary. |
| Post logout redirect URI's | REGEX Pattern | | `regex:^https:\/\/webshop\.ch$` | The client provides a URL to which the user will be redirected after being logged out. It is good practice to test those URLs against a pattern to ensure that the user can only be redirected to previously configured URLs. This significantly increases the security of the system. Note: wildcards can be configured, but only do this when absolutely necessary. |
| Identity provider restrictions | REGEX Pattern | | `regex:^https:\/\/swissid\.ch$` | Defines the list of external identity providers that are allowed. If you do not specify any, all configured IdPs are allowed. (Version 7 and above) |
| Required Multi-Factor Authentication | Checkbox | | true | Whether or not multi-factor authentication is required for the client. (Deprecated version 6 and above) |
| Allow self-registration | Checkbox | | true | Whether or not self-registration is allowed for this client. |
| Activation disabled | Checkbox | | true | If the activation process is enabled in the system, you can disable it for a specific client. |
| Show in self-service | Checkbox | | true | Whether or not the client should be listed in the user self-service portal. |
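The pattern checks behind the Redirect Uri (Regex) and Scope rows of the first table and the Post logout redirect URI's, Email verification redirect uri and Identity provider restrictions rows of the second table, written out as an added example (not CoreOne Suite code). The configuration dictionary and the URLs it is tested with are constructed for illustration; the `regex:` prefix and the example patterns are taken from the tables.

```python
import re

# Constructed client configuration modelled on the table rows (not an export from a real system).
CLIENT_CONFIG = {
    "client_id": "webshop_android",
    "redirect_uri": r"regex:^https:\/\/webshop\.ch$",
    "post_logout_redirect_uri": r"regex:^https:\/\/webshop\.ch$",
    "identity_provider_restrictions": [r"regex:^https:\/\/swissid\.ch$"],
    "allowed_scopes": {"profile", "email"},
}

def strip_prefix(value: str) -> str:
    """Remove the 'regex:' marker the configuration uses in front of a pattern."""
    return value[len("regex:"):] if value.startswith("regex:") else value

def uri_allowed(configured: str, uri: str) -> bool:
    """Accept a URI only when the whole string matches the configured pattern."""
    return re.fullmatch(strip_prefix(configured), uri) is not None

def pattern_warnings(configured: str) -> list[str]:
    """Flag patterns that are looser than an exact URL, which the Note advises against."""
    pattern = strip_prefix(configured)
    warnings = []
    if not (pattern.startswith("^") and pattern.endswith("$")):
        warnings.append("pattern is not anchored on both ends")
    if ".*" in pattern or ".+" in pattern:
        warnings.append("pattern contains a wildcard")
    return warnings

def idp_allowed(config: dict, idp: str) -> bool:
    """Identity provider restrictions: an empty list allows every configured IdP."""
    patterns = config["identity_provider_restrictions"]
    return not patterns or any(uri_allowed(p, idp) for p in patterns)

def authorize_request(config: dict, redirect_uri: str, scope: str) -> tuple[bool, str]:
    """Apply the Redirect URI and Scope rules to one authorization request."""
    if not uri_allowed(config["redirect_uri"], redirect_uri):
        return False, "redirect_uri does not match the configured pattern"
    # Every requested scope must be in the configured list, otherwise the request is refused.
    unknown = set(scope.split()) - config["allowed_scopes"]
    if unknown:
        return False, "scope not allowed: " + " ".join(sorted(unknown))
    return True, "ok"
```

With the exact pattern from the table, a look-alike host such as `https://webshop.ch.example` is rejected; the same host passes once a `.*` wildcard is appended to the pattern, which is what `pattern_warnings` flags.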

...

| Name | Datatype | Mandatory | Example | Description |
|---|---|---|---|---|
| Require Saml Request Destination | Checkbox | | true | Defines whether or not a SAML request Destination has to be present in the AuthnRequest in order to start the authentication. |
| Sign assertions | Checkbox | | true | Defines if the SAML response is signed with the configured certificate. |
| Signing certificate type | Drop Down | Only when sign assertions is checked | Windows store | The format of the certificate. It can either be hosted in the Windows store or added directly to the configuration as Base64-encoded text. |
| Signing certificate | Certificate | Only when sign assertions is checked | MyCert | See above. |
| Encrypt assertions | Checkbox | | true | Defines if the SAML response is encrypted with the configured certificate. |
| Encryption certificate type | Drop Down | Only when sign assertions is checked | | The format of the certificate. It can either be hosted in the Windows store or added directly to the configuration as Base64-encoded text. |
| Encryption certificate | Certificate | Only when sign assertions is checked | | See above. |
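What the Require Saml Request Destination checkbox decides, as an added example that is not CoreOne Suite code: the IdP reads the `Destination` attribute of the incoming `samlp:AuthnRequest`, rejects a missing attribute when the checkbox is set, and rejects a present attribute that does not name its own SSO endpoint. The SSO endpoint URL and the two AuthnRequests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
# Hypothetical SSO endpoint of this IdP; the real value comes from the deployment.
SSO_ENDPOINT = "https://idp.example/saml2/sso"

# Constructed minimal AuthnRequests for illustration (unsigned, not captured traffic).
REQUEST_WITH_DESTINATION = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_req1" Version="2.0" '
    f'IssueInstant="2024-01-01T00:00:00Z" Destination="{SSO_ENDPOINT}"/>'
)
REQUEST_WITHOUT_DESTINATION = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_req2" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z"/>'
)

def check_destination(authn_request_xml: str, sso_endpoint: str,
                      require_destination: bool) -> tuple[bool, str]:
    """Decide whether an AuthnRequest may start authentication.

    A Destination that is present must name this endpoint; whether an absent
    Destination is tolerated is exactly what the checkbox controls.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return False, "not a samlp:AuthnRequest"
    destination = root.get("Destination")
    if destination is None:
        if require_destination:
            return False, "Destination missing but required by client configuration"
        return True, "Destination absent, tolerated by client configuration"
    if destination != sso_endpoint:
        return False, "Destination does not name this SSO endpoint"
    return True, "Destination matches this SSO endpoint"
```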