
The CoreOne Authentication Service loads most of its configuration from the CoreOne Application Service at runtime. A number of settings, however, are read either from the application configuration file or from the settings table. This page describes those settings.

Configuration parameters

Info

All e-mails initiated by the Authentication Service are sent by the Backend Service, because the e-mail templates are defined there. You cannot define a different SMTP server for the Authentication Service. In an HA scenario where the Authentication Service and the Backend Service do not run on the same server, you only need to make sure that the server running the Backend Service is able to send e-mails.


The following general configuration parameters are available. Each entry gives the Id and the parameter name, followed in parentheses by the version the parameter is available from and its data type, then an example value and a description.

1  PluginList  (from 4.0; JSON String Array)
   Example:
   [
       "iTsense.CoreLogin2.LoginMethod.Password.Plugin,iTsense.CoreLogin2.LoginMethod.Password"
   ]
   An array with all the supported logon methods. You can add your own by specifying the appropriate namespace in the plugin list.

2  UseSSL  (from 4.0; Bool)
   Example: true
   Whether or not to force the usage of SSL.

3  SSL-Certificate-Data  (from 4.0; Encrypted String)
   Example: * * * * *
   If set, this certificate can be used to sign tokens.

4  SSL-Certificate-Password  (from 4.0; Encrypted String)
   Example: * * * * *
   The password to the certificate data, if needed.

5  SSL-Certificate-Format  (from 4.0; String)
   Example: "pfx"
   The type of the certificate.

9  SMS-Provider-Type  (from 4.0; String)
   Example: "iTsense.CoreLogin2.Server.SmsProviders.LogConsoleSmsProvider,iTsense.CoreLogin2.Server"
   or, starting from version 8.x: "LogConsoleSmsProvider"
   The SMS provider implementation to use for sending SMS messages. Supported types:
   • iTsense.CoreLogin2.Server.SmsProviders.LogConsoleSmsProvider,iTsense.CoreLogin2.Server → LogConsole
   • iTsense.CoreLogin2.Server.SmsProviders.AwsSmsProvider → AWS SNS
   • iTsense.CoreLogin2.Server.SmsProviders.RestSmsProvider → REST
   Or, starting from version 8, simply:
   • LogConsoleSmsProvider
   • RestSmsProvider
   • AwsSmsProvider

10  SMS-Provider-Settings  (from 4.0; String)
    Example for the REST provider (the UserKey and Password values in the URL are placeholders; supply your own):
    {
        "Method": "GET",
        "BaseUrl": "https://soap.aspsms.com/aspsmsx.asmx/SimpleTextSMS?UserKey=<your-userkey>&Password=<your-password>&Recipient={mobilenumber}&Originator=COS&MessageText={message}",
        "SecurityMethod": "None",
        "Username": "",
        "Password": "",
        "MobileNumberFormat": "E164",
        "DefaultCountryPrefix": "+41",
        "BodyContent": null,
        "BodyEncodingCodePage": 65001,
        "BodyMediaType": "text/plain",
        "RestResource": null
    }
    The settings for the configured SMS provider, as documented at https://itsense.atlassian.net/l/cp/EupyJ6Sq

11  EnableRememberMe  (from 4.0; Bool)
    Example: true
    Whether or not to show the Remember Me button on the authentication page.

12  RememberMeDuration in seconds  (from 4.0; Int)
    Example: 2592000
    The lifetime of the remember-me cookie in seconds.

13  LoginCookieExpiration in seconds  (from 4.0; Int)
    Example: 900
    The lifetime of the login cookie in seconds.

14  LoginCookieExpiration is sliding  (from 4.0; Bool)
    Example: true
    Whether the login cookie should follow a sliding expiration and therefore be extended with each new request.

15  TOTP-IssuerName, renamed Publisher-IssuerName in version 8.0  (from 4.0; String)
    Example: "COS AUTH DEV"
    The name stored as the issuer in the TOTP process.
    Note: Please make sure this is a unique value for each system.
    Starting from version 8, this value is also used in other places, such as SMS OTPs, and has been renamed to the more generic Publisher-IssuerName.

16  Enable LoginHistory  (from 4.0; Bool; deprecated in version 10)
    Example: true
    Whether or not to write login history entries upon each login request.

17  Block RemoteIp by invalid logon count  (from 4.0; Bool)
    Example: true
    Whether or not to block clients based on their remote IP address after a given number of invalid logon attempts.

18  Max invalid login count  (from 4.0; Int)
    Example: 5
    The number of failed logon attempts that will lead to a temporary block of the remote IP.

19  Invalid login remember duration in seconds  (from 4.0; Int)
    Example: 300
    How many seconds a remote IP will be blocked after it was

20  LoginHistory: OnlyLatest  (from 4.0; Bool)
    Example: true
    If set to true, only the last login of a user will be logged. If set to false, each login of a user will be logged.

21  Enable Welcome-Page  (from 4.0; Bool)
    Example: true
    Whether or not to show the Welcome-Page on the IDP or to simply return a 404.

22  Enable Console Logger  (from 4.0; Bool)
    Example: false
    Whether or not to enable a console logger.

23  Enable DeveloperExceptionPage  (from 4.0; Bool)
    Example: false
    Whether or not to enable the developer exception pages.

24  Enable Log4Net  (from 4.0; Bool)
    Example: true
    Whether or not to enable the Log4Net configuration.

25  Backend API URI  (from 4.0; String)
    Example: "https://localhost:8000/api/"
    The URL to the backend API.

26  Backend API-HttpClientSettings  (from 4.0; HTTPClient Settings)
    Example:
    {
       "IgnoreSslErrors": false,
       "UseProxy": true,
       "AllowAutoRedirect": true,
       "ProxyConfiguration": {
          "Uri": "http://proxy.itsense.ch:8080",
          "BypassList": [],
          "BypassProxyOnLocal": false,
          "UseDefaultCredentials": true,
          "Credentials": null
       }
    }
    Any HttpClient settings for the backend connection (the connection to the application server), if needed.
    IgnoreSslErrors: do not throw an error if the SSL certificate is not valid (this disables certificate validation for the connection; the example keeps it at false)
    UseProxy: whether a proxy should be used (if true and there is no ProxyConfiguration, the default Windows settings will be used)
    AllowAutoRedirect: follow 301 and 302 status codes
    ProxyConfiguration: proxy settings

27  ReCaptchaKey  (from 5.0; String)
    Example: "AD34FAE"
    The Google ReCaptcha key.

28  ReCaptchaSecret  (from 5.0; String)
    Example: "FFFFAD34FAE"
    The Google ReCaptcha secret.

29  Verify email address  (from 5.0; Bool)
    Example: true
    Whether or not users need to verify their e-mail address.

30  Trusted email address hosts regex  (from 5.0; String)
    Example: ".*(itsense.ch|coreone.ch)"
    Domains to exclude from the e-mail address verification process. Note that the example pattern has unescaped dots and no end anchor; depending on how the host is matched, it can also match unintended domains, so anchor and escape the pattern for production use.

31  Reverify email address  (from 5.0; Bool)
    Example: true
    Whether or not users need to re-verify their e-mail address periodically.

32  Reverify email address every x days  (from 5.0; Int)
    Example: 90
    After how many days since the last verification date users need to re-verify their e-mail address.

33  Password complexity configuration  (from 4.0)
    Note: deprecated for version >= 5.x

35  DisablePasswordReset  (from 4.0)
    Note: deprecated for version >= 5.x

36  Default logonmethods allowed during secret reset (EmptyEntry => No Verification)  (from 4.0)
    Note: deprecated for version >= 5.x

37  OutgoingConnectionsHttpClientSettings  (from 5.0; HTTPClient Settings)
    Example:
    {
       "IgnoreSslErrors": false,
       "UseProxy": true,
       "AllowAutoRedirect": true,
       "ProxyConfiguration": {
          "Uri": "http://proxy.itsense.ch:8080",
          "BypassList": [],
          "BypassProxyOnLocal": false,
          "UseDefaultCredentials": true,
          "Credentials": null
       }
    }
    Any HttpClient settings for outgoing connections (such as SwissId authentication), if needed.
    IgnoreSslErrors: do not throw an error if the SSL certificate is not valid (this disables certificate validation for the connection; the example keeps it at false)
    UseProxy: whether a proxy should be used (if true and there is no ProxyConfiguration, the default Windows settings will be used)
    AllowAutoRedirect: follow 301 and 302 status codes
    ProxyConfiguration: proxy settings


39  Subject-Prefix  (from 5.0; String)
    Example: 'c1s'
    The prefix for the subject. The subject will always be the prefix + ":" + the unique identifier.
    Note: Make sure to choose something meaningful here.

40  ShowTermsAndConditions  (from 5.0; Bool)
    Example: true
    Whether or not the terms and conditions feature is active.

41  ShowPrivacyPolicy  (from 5.0; Bool)
    Example: true
    Whether or not the privacy policy feature is active.

42  CoreOne Suite Web Url  (from 4.0)
    Note: deprecated for version >= 5.x

44  Contact page feedback URL  (from 4.0)
    Note: deprecated for version >= 5.x

45  Password Generator Type  (from 4.0)
    Note: deprecated for version >= 5.x

46  SamlTimeComparisonTolerance  (from 5.0; Int)
    This setting only applies if the CoreOne Authentication Service acts in the role of the IdP. If the CoreOne Authentication Service acts in the role of the SP, the setting must be configured in GenericSamlOptions.

47  AwsSnsAccessKeyId  (from 5.0; Encrypted String)
    Example: * * * *
    The AWS SNS access key id.

48  AwsSnsAccessKeySecret  (from 5.0; Encrypted String)
    Example: * * * *
    The AWS SNS access key secret.

49  SamlRequestTrustLengthInMinutes  (from 5.0; Int)
    Example: 10
    The SAML message trust length in minutes.

50  EnableFireEventInvalidLogin  (from 5.0; Bool)
    Example: true
    Whether or not to fire an invalid login event. You can register for that event and inform users about attempted logins.

51  MaxInvalidLoginCountWithoutFiringEvent  (from 5.0; Int)
    Example: 5
    The number of invalid login attempts allowed from the remote IP before an invalid login event is fired.

52  FireEventInvalidLoginCacheDurationInMinutes  (from 5.0; Int)
    Example: 5
    How many minutes the invalid login attempts should be cached.

53  DisableReactivation  (from 5.0; Bool)
    Example: true
    Whether or not to disable the reactivation process on the authentication page.

54  DisableActivation  (from 5.0; Bool)
    Example: true
    Whether or not to disable the activation process on the authentication page.

56  HowManyPastPasswordsToStore  (from 6.0; Int)
    Example: 10
    In order to provide a password history, the authentication service marks old passwords as deleted. This setting indicates how many of those should be stored.

57  Totp Valdiator Type  (from 4.0)
    Note: deprecated for version >= 5.x

58  SupportedCultures  (from 6.0; JSON String Array)
    Example:
    [
        "DE",
        "EN",
        "FR",
        "IT"
    ]
    The supported UI languages. You can remove or add entries.

59  DefaultCulture  (from 6.0; String)
    Example: "DE"
    The default culture to use.

60  NtpTimeServers  (from 6.0; JSON String Array)
    Example:
    [
        "ntp.company.com"
    ]
    By default the Authentication Service uses some predefined NTP servers for the time sync that is needed for TOTP validation. You can change those defaults here.

61  NistTimeServers  (from 6.0; JSON String Array)
    Example:
    [
        "nist.company.com"
    ]
    By default the Authentication Service uses some predefined NIST servers for the time sync that is needed for TOTP validation. You can change those defaults here.

62  HttpTimeServers  (from 6.0; JSON String Array)
    Example:
    [
        "time.company.com"
    ]
    By default the Authentication Service uses some predefined HTTP servers for the time sync that is needed for TOTP validation. You can change those defaults here.

63  BackendApiUriV2  (from 6.0; String)
    Example: 'https://localhost:8000/apiv2/'
    The URL of the backend API V2.

65  CheckUserUnfinishedCertifications  (from 7.0; Bool)
    Example: false
    Whether or not the system should check if the current user has any unfinished certification processes. If there are any, the system prevents the user from logging in until the certification processes have been finished.

66  SelfServiceUrl  (from 7.0; String)
    Example: "https://portal.coreone.ch"
    The URL of the Self-Service Portal, used in combination with the settings above and below.

67  CheckDeactivatedDelegations  (from 7.0; Bool)
    Example: false
    Whether or not the system should check if the current user has any deactivated delegations for the current application. If there are any, the system informs the user about the delegations on the first login.

68  UseRequestIdInQueryString  (from 8.0; Bool)
    Example: false
    Whether or not the RequestId should be passed in the URL from request to request. This is needed if the browser or the app does not support cookies. Only enable this if that is the case.

70  Nevis ApprovalRequest MessageTemplates  (from 9.0; Complex object)
    Example:
    {
      "PushNameKey": "Module.DM.AuthenticationService.LoginMethod.Nevis.PushApprovalMessageTemplate",
      "QrNameKey": "Module.DM.AuthenticationService.LoginMethod.Nevis.QrApprovalMessageTemplate"
    }
    The name keys used for the push notifications.

71  Nevis Android AppLink  (from 9.0; String)
    Example: "https://please-set-the-nevis-android-app.itsense.ch"
    This link will be used to generate the Play Store link to the Authenticator App.

72  Nevis Apple AppLink  (from 9.0; String)
    Example: "https://please-set-the-nevis-apple-app.itsense.ch"
    This link will be used to generate the App Store link to the Authenticator App.

73  Nevis Tenant Id  (from 9.0; String)
    Example: "yourtenantid"
    The tenant id of your Nevis Authentication Cloud.

74  Nevis API Key  (from 9.0; String)
    Example: "yourapikey"
    The API key of your Nevis Authentication Cloud.

75  Nevis Customer App Link  (from 9.0; String)
    Example: "https://my.customer.ch/deeplink-proxy/tenant"
    If the deep link for the authentication has to be forwarded to a customer-specific proxy, you can define the URL here.

100  InstanceRandomBytes  (from 5.0; String)
     Example: "0EDeH/p/asdfasdf+o="
     Random bytes used to sign tokens (if not signed with a certificate) and to encrypt values.

101  SigningCredentialsData  (from 5.0; Encrypted String)
     Example: * * * *
     The credentials to the signing certificate, if needed.

102  SigningCredentialsFormat  (from 5.0; String)
     Example: "CertStore"
     The format of the signing certificate. Use "None" to disable static keys and use Automatic-Key-Rotation only (see settings 115 to 121).

103  SigningCredentialsStoreCertificateSubjectDistinguishedName  (from 5.0; String)
     Example: "CN=coslogin.local, OU=Development, O=ITSENSE AG, L=Aarau, S=AG, C=CH"
     The DN of the signing certificate, if configured.

104  WsFederationPluginLicensee  (from 5.0; Encrypted String)
     Example: * * * *
     The licence information for the plugin.

105  WsFederationPluginLicenseKey  (from 5.0; Encrypted String)
     Example: * * * *
     The licence key for the plugin.

106  SamlPluginLicensee  (from 5.0; Encrypted String)
     Example: * * * *
     The licence information for the plugin.

107  SamlPluginLicenseKey  (from 5.0; Encrypted String)
     Example: * * * *
     The licence key for the plugin.

108  EnableInactivityLogout  (from 4.0)
     Note: deprecated for version >= 5.x

110  EnablePortal  (from 4.0)
     Note: deprecated for version >= 5.x

111  OperationalStateCleanupSleepInMinutes  (from 5.8; Int)
     Example: 60
     How often the operational state clean-up should be performed.

112  OperationalStateCleanupOlderThanInMinutes  (from 5.8; Int)
     Example: 720
     Data that is older than this value will be cleaned up.

113  WelcomePageRedirectUrl  (from 7.0; string)
     Example: https://www.mycompany.com
     If the user lands on the Welcome Page of the Authentication Service, they will be redirected to the configured URL automatically.

114  Captcha provider name  (from 7.0; string)
     Example: hcaptcha
     You can either use recaptcha or hcaptcha:
     https://www.google.com/recaptcha/about/
     https://www.hcaptcha.com/

115  Automatic-Key-Rotation Disabled  (from 8.2; Bool)
     Example: false
     Whether or not the server should automatically create and rotate its signing keys.

116  Automatic-Key-Rotation Signing Algorithms  (from 8.2; Json Array)
     Example:
     [
        {
           "Name": "RS256",
           "X509": true
        },
        {
           "Name": "ES256",
           "X509": true
        },
        {
           "Name": "PS256",
           "X509": true
        }
     ]
     Signing algorithms and whether to wrap the keys in an X.509 certificate or not. Used to generate keys during Automatic-Key-Rotation. A key for each algorithm is generated and published in the discovery document during key rotation.
     For valid algorithm names see RFC 7518, Section 3.1.

117  Automatic-Key-Rotation DataProtection  (from 8.2; Bool)
     Example: true
     Whether or not to encrypt stored keys.

118  Automatic-Key-Rotation Delete Retired Keys  (from 8.2; Bool)
     Example: true
     Whether or not to delete retired keys from the store.

119  Automatic-Key-Rotation Interval in days  (from 8.2; double)
     Example: 30
     New keys every X days.

120  Automatic-Key-Rotation PropagationTime in days  (from 8.2; double)
     Example: 2
     Announce the new key in the discovery document this many days in advance (2 in the example). The Backend caches the discovery document for 24h, so you should not use values below 2!

121  Automatic-Key-Rotation RetentionDuration in days  (from 8.2; double)
     Example: 7
     Keep the old key for X days in the discovery document for validation of tokens.
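
Settings 119 to 121 together define a signing key's lifecycle. The following Python is an added example, not part of this documentation or of the CoreOne product: it models that lifecycle under the assumed schedule that key k signs during its own Interval and is published PropagationTime days before and RetentionDuration days after, and it checks the 24h Backend cache constraint stated for setting 120 (the token-lifetime check and the `max_token_lifetime_days` parameter are assumptions added here).

```python
"""Key-rotation timeline for settings 119 (Interval), 120 (PropagationTime) and
121 (RetentionDuration).  Added example, not code from the CoreOne product or its
documentation.  The 24h backend cache is the figure quoted for setting 120; the
schedule itself (key k signs during [k*Interval, (k+1)*Interval) and is
published PropagationTime days before and RetentionDuration days after) is an
assumption made here to illustrate the settings."""
from __future__ import annotations

from dataclasses import dataclass

BACKEND_CACHE_DAYS = 1.0  # "Backend caches for 24h" (setting 120)


@dataclass(frozen=True)
class RotationConfig:
    interval_days: float = 30.0    # 119: new keys every X days
    propagation_days: float = 2.0  # 120: announce the new key X days in advance
    retention_days: float = 7.0    # 121: keep the retired key X days for validation


@dataclass(frozen=True)
class KeyWindow:
    kid: int
    announced: float  # first published in the discovery document
    active: float     # starts signing tokens
    retired: float    # stops signing tokens
    removed: float    # dropped from discovery (Delete Retired Keys = true)


def key_windows(cfg: RotationConfig, generations: int) -> list[KeyWindow]:
    """Lifecycle of the first `generations` keys under the assumed schedule."""
    windows = []
    for k in range(generations):
        active = k * cfg.interval_days
        retired = active + cfg.interval_days
        windows.append(KeyWindow(k, active - cfg.propagation_days, active,
                                 retired, retired + cfg.retention_days))
    return windows


def signing_key(cfg: RotationConfig, day: float) -> int:
    """Id of the key that signs a token issued on `day`."""
    return int(day // cfg.interval_days)


def published_keys(cfg: RotationConfig, generations: int, day: float) -> list[int]:
    """Key ids a client that fetches the discovery document on `day` sees."""
    return [w.kid for w in key_windows(cfg, generations)
            if w.announced <= day < w.removed]


def stale_backend_can_verify(cfg: RotationConfig, generations: int, day: float,
                             cache_age_days: float = BACKEND_CACHE_DAYS) -> bool:
    """Can a backend whose cached discovery document is `cache_age_days` old
    verify a token signed on `day`?  This is what fails when PropagationTime
    is shorter than the backend's cache lifetime."""
    seen = published_keys(cfg, generations, day - cache_age_days)
    return signing_key(cfg, day) in seen


def validate(cfg: RotationConfig, max_token_lifetime_days: float) -> list[str]:
    """Consistency findings for the three values (empty list means none)."""
    findings = []
    if cfg.propagation_days < 2.0:  # page: "you should not use values below 2"
        findings.append("PropagationTime below 2 days: a backend holding a 24h-old "
                        "discovery document may not know the new signing key yet")
    if cfg.retention_days < max_token_lifetime_days:
        findings.append("RetentionDuration shorter than the longest token lifetime: "
                        "tokens signed just before a rotation become unverifiable")
    return findings
```

With the example values (30, 2, 7) a backend that last fetched discovery 24h before the rotation on day 30 already knows key 1; with PropagationTime 0.5 it does not, which is the failure the description of setting 120 warns about.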

122  PersistedGrantCleanupSleepInMinutes  (from 8.1.11; Int)
     Example: 1440
     How often persisted grants, such as authorization codes, should be cleaned up.

123  PersistedGrantCleanupOlderThanInMinutes  (from 8.1.11; Int)
     Example: 10080
     The minimum age of a grant, such as an authorization code, before it gets deleted.

124  TotpUsageCleanupSleepInMinutes  (from 8.1.11; Int)
     Example: 60
     How often used TOTPs should be cleaned up.

125  TotpUsageCleanupOlderThanInMinutes  (from 8.1.11; Int)
     Example: 60
     The minimum age of a used TOTP before it gets deleted.

126  MaxAhvVerificationAttempts  (from 8.2; Int)
     Example: 5
     How many times the check against the Swiss social security register can fail before a support ticket is issued.

127  AhvVerificationAttemptsExpirationInMinutes  (from 8.2; Int)
     Example: 5
     The time window in minutes within which the failed attempts have to occur.

128  IsGridDisplay  (from 8.2.6; Bool)
     Example: true
     Flag to determine whether external logon providers are displayed as a grid of icons without display names (true) or as a list of buttons (false).

129  NumberOfIconsInGridRow  (from 8.2.6; Int)
     Example: 6
     Maximum number of icons in one row of the grid when IsGridDisplay is true.

130  IsExternalProvidersTopComponent  (from 8.2.6; Bool)
     Example: true
     Flag to determine whether the list/grid of external logon providers is shown at the top (true) or the bottom (false) of the login page.

131  ExternalLogonIdTokenCleanupSleepInMinutes  (from 9.1; Int)
     Example: 60
     How often obsolete id_tokens should be cleaned up (these are the ones used in the external logon logout process). If set to 0, the feature is disabled.

132  ExternalLogonIdTokenCleanupOlderThanInMinutes  (from 9.1; Int)
     Example: 60
     The minimum age of an id_token before it is considered obsolete.

Communication

Info

All e-mails initiated by the Authentication Service are sent by the Backend Service, because the e-mail templates are defined there. You cannot define a different SMTP server for the Authentication Service. In an HA scenario where the Authentication Service and the Backend Service do not run on the same server, you only need to make sure that the server running the Backend Service is authorized to send e-mails (e.g. defined as a relay server in Exchange).