...
The following general configuration parameters are available:

| Id | Parameter | Available from version | Data type | Example values | Description |
|---|---|---|---|---|---|
| 1 | PluginList | 4.0 | JSON String Array | | An array with all the supported logon methods. You can add your own by specifying the appropriate namespace in the plugin list. |
| 2 | UseSSL | 4.0 | Bool | true | Whether or not to force the usage of SSL |
| 3 | SSL-Certificate-Data | 4.0 | Encrypted String | * * * * * | If set, this certificate can be used to sign tokens |
| 4 | SSL-Certificate-Password | 4.0 | Encrypted String | * * * * * | The password to the certificate data, if needed |
| 5 | SSL-Certificate-Format | 4.0 | String | "pfx" | The type of the certificate |
| 9 | SMS-Provider-Type | 4.0 | String | "iTsense.CoreLogin2.Server.SmsProviders.LogConsoleSmsProvider,iTsense.CoreLogin2.Server" (or, starting from version 8, simply: …) | The SMS provider implementation to use for sending SMS messages. Supported types: … |
| 10 | SMS-Provider-Settings | 4.0 | String | | The settings for the configured SMS provider, as documented for that provider |
| 11 | EnableRememberMe | 4.0 | Bool | true | Whether or not to show the Remember Me button on the authentication page |
| 12 | RememberMeDuration in seconds | 4.0 | Int | 2592000 | The lifetime of the remember-me cookie in seconds |
| 13 | LoginCookieExpiration in seconds | 4.0 | Int | 900 | The lifetime of the login cookie in seconds |
| 14 | LoginCookieExpiration is sliding | 4.0 | Bool | true | If the login cookie should follow a sliding period and therefore be extended with new requests |
| 15 | TOTP-IssuerName (renamed Publisher-IssuerName in 8.0) | 4.0 / 8.0 | String | "COS AUTH DEV" | The name stored as the issuer in the TOTP process. Starting from version 8 this is also used in other places, like SMS OTPs, and has been renamed to the more generic Publisher-IssuerName. |
| 16 | Enable LoginHistory | 4.0 (deprecated in version 10) | Bool | true | Whether or not to write login history entries upon each login request |
| 17 | Block RemoteIp by invalid logon count | 4.0 | Bool | true | Whether or not to block clients based on their remote IP address after a given number of invalid logon attempts |
| 18 | Max invalid login count | 4.0 | Int | 5 | The number of failed logon attempts that will lead to a temporary block of the remote IP |
| 19 | Invalid login remember duration in seconds | 4.0 | Int | 300 | How many seconds a remote IP will be blocked after it was … |
| 20 | LoginHistory: OnlyLatest | 4.0 | Bool | true | If set to true, only the last login of a user will be logged. If set to false, each login of a user will be logged. |
| 21 | Enable Welcome-Page | 4.0 | Bool | true | Whether or not to show the Welcome-Page on the IdP or to simply return a 404 |
| 22 | Enable Console Logger | 4.0 | Bool | false | Whether or not to enable a console logger |
| 23 | Enable DeveloperExceptionPage | 4.0 | Bool | false | Whether or not to enable the developer exception pages |
| 24 | Enable Log4Net | 4.0 | Bool | true | Whether or not to enable the Log4Net configuration |
| 25 | Backend API URI | 4.0 | String | | The URL to the backend API |
| 26 | Backend API-HttpClientSettings | 4.0 | | (same keys as setting 37) | Any HttpClient settings for the backend connection (connection to the application server), if needed. IgnoreSslErrors: do not throw an error if the SSL certificate is not valid. UseProxy: should a proxy be used? (If true and there is no ProxyConfiguration, the default Windows settings will be used.) AllowAutoRedirect: follow 301 and 302 status codes? ProxyConfiguration: proxy settings. |
| 27 | ReCaptchaKey | 5.0 | String | "AD34FAE" | The Google ReCaptcha key |
| 28 | ReCaptchaSecret | 5.0 | String | "FFFFAD34FAE" | The Google ReCaptcha secret |
| 29 | Verify email address | 5.0 | Bool | true | Whether or not users need to verify their mail address |
| 30 | Trusted email address hosts regex | 5.0 | String | ".*(itsense.ch\|coreone.ch)" | Domains to exclude from the verify-email-address process |
| 31 | Reverify email address | 5.0 | Bool | true | Whether or not users need to reverify their mail address on a periodic basis |
| 32 | Reverify email address every x days | 5.0 | Int | 90 | After how many days since the last verification date users need to reverify their mail address |
| 33 | Password complexity configuration | 4.0 | | | Note: deprecated for version >= 5.x |
| 35 | DisablePasswordReset | 4.0 | | | Note: deprecated for version >= 5.x |
| 36 | Default logonmethods allowed during secret reset (EmptyEntry => No Verification) | 4.0 | | | Note: deprecated for version >= 5.x |
| 37 | OutgoingConnectionsHttpClientSettings | 5.0 | JSON object | `{"IgnoreSslErrors": true, "UseProxy": false, "AllowAutoRedirect": true, "ProxyConfiguration": null}` | Any HttpClient settings for outgoing connections (such as SwissID authentication, etc.), if needed. IgnoreSslErrors: do not throw an error if the SSL certificate is not valid. UseProxy: should a proxy be used? (If true and there is no ProxyConfiguration, the default Windows settings will be used.) AllowAutoRedirect: follow 301 and 302 status codes? ProxyConfiguration: proxy settings. |
| 39 | Subject-Prefix | 5.0 | String | 'c1s' | The prefix for the subject. The subject will always be the prefix + ":" + the unique identifier. Note: make sure to choose something meaningful here. |
| 40 | ShowTermsAndConditions | 5.0 | Bool | true | Whether or not the terms and conditions feature is active |
| 41 | ShowPrivacyPolicy | 5.0 | Bool | true | Whether or not the privacy policy feature is active |
| 42 | CoreOne Suite Web Url | 4.0 | | | Note: deprecated for version >= 5.x |
| 44 | Contact page feedback URL | 4.0 | | | |
| 45 | Password Generator Type | 4.0 | | | |
| 46 | SamlTimeComparisonTolerance | 5.0 | Int | | This setting only applies if CoreOne Authentication Service acts in the role of the IdP. If CoreOne Authentication Service acts in the role of the SP, the setting must be configured in GenericSamlOptions. |
| 47 | AwsSnsAccessKeyId | 5.0 | Encrypted String | * * * * | The AWS SNS access key id |
| 48 | AwsSnsAccessKeySecret | 5.0 | Encrypted String | * * * * | The AWS SNS access key secret |
| 49 | SamlRequestTrustLengthInMinutes | 5.0 | Int | 10 | The SAML message trust length |
| 50 | EnableFireEventInvalidLogin | 5.0 | Bool | true | Whether or not to fire an invalid login event. You can register to that event and inform users about attempted logins. |
| 51 | MaxInvalidLoginCountWithoutFiringEvent | 5.0 | Int | 5 | The number of invalid login attempts that are allowed from a remote IP before an invalid login event is fired |
| 52 | FireEventInvalidLoginCacheDurationInMinutes | 5.0 | Int | 5 | How many minutes the invalid login attempts should be cached |
| 53 | DisableReactivation | 5.0 | Bool | true | Whether or not to disable the reactivation process on the authentication page |
| 54 | DisableActivation | 5.0 | Bool | true | Whether or not to disable the activation process on the authentication page |
| 56 | HowManyPastPasswordsToStore | 6.0 | Int | 10 | In order to provide a password history, the authentication service marks old passwords as deleted. This setting indicates how many of those should be stored. |
| 57 | Totp Validator Type | 4.0 | | | Note: deprecated for version >= 5.x |
| 58 | SupportedCultures | 6.0 | JSON String Array | | The supported UI languages. You can remove or add entries. |
| 59 | DefaultCulture | 6.0 | String | "DE" | The default culture to use |
| 60 | NtpTimeServers | 6.0 | JSON String Array | `["ntp.company.com"]` | By default the Authentication Service uses some predefined NTP servers to do the time sync that is needed for TOTP validation. You can change those defaults here. |
| 61 | NistTimeServers | 6.0 | JSON String Array | `["nist.company.com"]` | By default the Authentication Service uses some predefined NIST servers to do the time sync that is needed for TOTP validation. You can change those defaults here. |
| 62 | HttpTimeServers | 6.0 | JSON String Array | `["time.company.com"]` | By default the Authentication Service uses some predefined HTTP servers to do the time sync that is needed for TOTP validation. You can change those defaults here. |
| 63 | BackendApiUriV2 | 6.0 | String | | The URL of the backend API V2 |
| 65 | CheckUserUnfinishedCertifications | 7.0 | Bool | false | Whether or not the system should check if the current user has any unfinished certification processes. If there are any, the user is prevented from logging in until those certification processes are finished. |
| 66 | SelfServiceUrl | 7.0 | String | "https://portal.coreone.ch" | The URL to the Self-Service Portal, used in combination with the settings above and below |
| 67 | CheckDeactivatedDelegations | 7.0 | Bool | false | Whether or not the system should check if the current user has any deactivated delegations for the current application. If there are any, the system informs the user about the delegations on the first login. |
| 68 | UseRequestIdInQueryString | 8.0 | Bool | false | Whether or not the RequestId should be passed in the URL from request to request. This is needed if the browser or the app does not support cookies. Only enable this if that is the case. |
| 70 | Nevis ApprovalRequest MessageTemplates | 9.0 | Complex object | | The name keys used for the push notifications |
| 71 | Nevis Android AppLink | 9.0 | String | | This link is used to generate the Play Store link to the Authenticator App |
| 72 | Nevis Apple AppLink | 9.0 | String | | This link is used to generate the App Store link to the Authenticator App |
| 73 | Nevis Tenant Id | 9.0 | String | "yourtenantid" | The tenant id of your Nevis Authentication Cloud |
| 74 | Nevis API Key | 9.0 | String | "yourapikey" | The API key of your Nevis Authentication Cloud |
| 75 | Nevis Customer App Link | 9.0 | String | "https://my.customer.ch/deeplink-proxy/tenant" | If the deep link for the authentication has to be forwarded to a customer-specific proxy, you can define the URL here |
| 100 | InstanceRandomBytes | 5.0 | String | "0EDeH/p/asdfasdf+o=" | Random bytes used to sign tokens (if not signed with a certificate) and to encrypt values |
| 101 | SigningCredentialsData | 5.0 | Encrypted String | * * * * | The credentials to the signing certificate, if needed |
| 102 | SigningCredentialsFormat | 5.0 | String | "CertStore" | The format of the signing certificate. Use "None" to disable static keys and use Automatic-Key-Rotation only (see settings 115-121). |
| 103 | SigningCredentialsStoreCertificateSubjectDistinguishedName | 5.0 | String | "CN=coslogin.local, OU=Development, O=ITSENSE AG, L=Aarau, S=AG, C=CH" | The DN of the signing certificate, if configured |
| 104 | WsFederationPluginLicensee | 5.0 | Encrypted String | * * * * | The licence information for the plugin |
| 105 | WsFederationPluginLicenseKey | 5.0 | Encrypted String | * * * * | The licence key for the plugin |
| 106 | SamlPluginLicensee | 5.0 | Encrypted String | * * * * | The licence information for the plugin |
| 107 | SamlPluginLicenseKey | 5.0 | Encrypted String | * * * * | The licence key for the plugin |
| 108 | EnableInactivityLogout | 4.0 | | | Note: deprecated for version >= 5.x |
| 110 | EnablePortal | 4.0 | | | Note: deprecated for version >= 5.x |
| 111 | OperationalStateCleanupSleepInMinutes | 5.8 | Int | 60 | How often the operational state clean-up should be performed |
| 112 | OperationalStateCleanupOlderThanInMinutes | 5.8 | Int | 720 | Data that is older than this value will be cleaned up |
| 113 | WelcomePageRedirectUrl | 7.0 | String | https://www.mycompany.com | If the user lands on the Welcome Page of the Authentication Service, he is redirected to the configured URL automatically |
| 114 | Captcha provider name | 7.0 | String | hcaptcha | You can either use recaptcha or hcaptcha |
| 115 | Automatic-Key-Rotation Disabled | 8.2 | Bool | false | Whether or not the server should automatically create and rotate its signing keys |
| 116 | Automatic-Key-Rotation Signing Algorithms | 8.2 | JSON Array | | Signing algorithms and whether or not to wrap the keys in an X.509 certificate. Used to generate keys during Automatic-Key-Rotation. A key for each algorithm is generated and published in the discovery document during key rotation. For valid algorithm names see RFC 7518 Section 3.1. |
| 117 | Automatic-Key-Rotation DataProtection | 8.2 | Bool | true | Whether or not to encrypt stored keys |
| 118 | Automatic-Key-Rotation Delete Retired Keys | 8.2 | Bool | true | Whether or not to delete retired keys from the store |
| 119 | Automatic-Key-Rotation Interval in days | 8.2 | double | 30 | New keys every X days |
| 120 | Automatic-Key-Rotation PropagationTime in days | 8.2 | double | 2 | Announce the new key 2 days in advance in discovery. The Backend caches for 24h, so you should not use values below 2! |
| 121 | Automatic-Key-Rotation RetentionDuration in days | 8.2 | double | 7 | Keep the old key for X days in discovery for validation of tokens |
| 122 | PersistedGrantCleanupSleepInMinutes | 8.1.11 | Int | 1440 | How often the persisted grants, such as authorization codes, should be cleaned up |
| 123 | PersistedGrantCleanupOlderThanInMinutes | 8.1.11 | Int | 10080 | The minimum age of a grant, such as an authorization code, before it gets deleted |
| 124 | TotpUsageCleanupSleepInMinutes | 8.1.11 | Int | 60 | How often used TOTPs should be cleaned up |
| 125 | TotpUsageCleanupOlderThanInMinutes | 8.1.11 | Int | 60 | The minimum age of a used TOTP before it gets deleted |
| 126 | MaxAhvVerificationAttempts | 8.2 | Int | 5 | How many times the check against the Swiss social security register can fail before a support ticket is issued |
| 127 | AhvVerificationAttemptsExpirationInMinutes | 8.2 | Int | 5 | The window, in minutes, within which the failed attempts have to occur |
| 128 | IsGridDisplay | 8.2.6 | Bool | true | Flag to determine whether External Logon Providers are displayed as a grid of icons without display names (true) or as a list of buttons (false) |
| 129 | NumberOfIconsInGridRow | 8.2.6 | Int | 6 | Maximum number of icons in one row of the grid when IsGridDisplay is true |
| 130 | IsExternalProvidersTopComponent | 8.2.6 | Bool | true | Flag to determine whether the list/grid of External Logon Providers is placed at the top (true) or the bottom (false) of the login page |
| 131 | ExternalLogonIdTokenCleanupSleepInMinutes | 9.1 | Int | 60 | How often obsolete id_tokens (the ones used in the external logon logout process) should be cleaned up. If set to 0, the feature is disabled. |
| 132 | ExternalLogonIdTokenCleanupOlderThanInMinutes | 9.1 | Int | 60 | The minimum age of an id_token before it is considered obsolete |
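Settings 17-19 (block by remote IP) and 50-52 (invalid login event) together decide when a source address is cut off and when the affected user is notified. The table gives the thresholds but not the windowing rule, so the following Python is an added example rather than code from the CoreOne Authentication Service or its documentation. It assumes sliding windows, that an attempt rejected because the IP is already blocked does not extend the block but still counts towards the notification event, and that the event fires once when the window count first exceeds MaxInvalidLoginCountWithoutFiringEvent; the log lines it replays are constructed.

```python
"""Remote-IP throttling and invalid-login notification modelled on settings
17-19 and 50-52 of the parameter table. Added example with assumed window
semantics (sliding windows; rejected attempts count for the event only).
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ThrottleSettings:
    block_remote_ip: bool = True           # setting 17
    max_invalid_login_count: int = 5       # setting 18
    remember_seconds: int = 300            # setting 19
    fire_invalid_login_event: bool = True  # setting 50
    max_invalid_without_event: int = 5     # setting 51
    event_cache_minutes: int = 5           # setting 52


@dataclass(frozen=True)
class Outcome:
    ip: str
    user: str
    rejected: bool     # refused before credentials were checked (IP was blocked)
    ip_blocked: bool   # IP is blocked after this attempt
    event_fired: bool  # this attempt raised an invalid-login event


class InvalidLoginTracker:
    def __init__(self, settings: ThrottleSettings) -> None:
        self.s = settings
        self._block_hits: dict[str, deque[float]] = defaultdict(deque)
        self._event_hits: dict[str, deque[float]] = defaultdict(deque)
        self.events: list[tuple[str, str, float]] = []  # (ip, user, epoch) to notify on

    @staticmethod
    def _trim(hits: deque[float], oldest_allowed: float) -> None:
        while hits and hits[0] < oldest_allowed:
            hits.popleft()

    def is_blocked(self, ip: str, now: float) -> bool:
        if not self.s.block_remote_ip:
            return False
        hits = self._block_hits[ip]
        self._trim(hits, now - self.s.remember_seconds)
        return len(hits) >= self.s.max_invalid_login_count

    def attempt(self, ip: str, user: str, now: float, credentials_ok: bool) -> Outcome:
        rejected = self.is_blocked(ip, now)
        if not rejected and credentials_ok:
            return Outcome(ip, user, False, False, False)
        # Every failed or rejected attempt counts towards the notification event.
        fired = False
        if self.s.fire_invalid_login_event:
            ev = self._event_hits[ip]
            ev.append(now)
            self._trim(ev, now - self.s.event_cache_minutes * 60)
            if len(ev) == self.s.max_invalid_without_event + 1:
                fired = True
                self.events.append((ip, user, now))
        # Only attempts that reached credential validation extend the block
        # (assumption), so the IP is released once enough real failures age out.
        ip_blocked = rejected
        if not rejected:
            self._block_hits[ip].append(now)
            ip_blocked = self.is_blocked(ip, now)
        return Outcome(ip, user, rejected, ip_blocked, fired)


# Constructed log lines: "<ISO-8601 time> <remote IP> <user> <FAIL|OK>"
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 203.0.113.7 alice FAIL",
    "2024-05-01T10:00:01Z 203.0.113.7 alice FAIL",
    "2024-05-01T10:00:02Z 203.0.113.7 alice FAIL",
    "2024-05-01T10:00:03Z 198.51.100.9 bob OK",    # other IP, unaffected
    "2024-05-01T10:00:03Z 203.0.113.7 alice FAIL",
    "2024-05-01T10:00:04Z 203.0.113.7 alice FAIL",  # 5th failure: IP now blocked
    "2024-05-01T10:00:05Z 203.0.113.7 alice FAIL",  # rejected, event fires
    "2024-05-01T10:00:06Z 203.0.113.7 alice OK",    # rejected despite correct credentials
    "2024-05-01T10:06:00Z 203.0.113.7 alice FAIL",  # windows expired: processed normally
]


def parse_line(line: str) -> tuple[float, str, str, bool]:
    stamp, ip, user, result = line.split()
    epoch = datetime.fromisoformat(stamp.replace("Z", "+00:00")).timestamp()
    return epoch, ip, user, result == "OK"


def replay(lines: list[str], settings: ThrottleSettings = ThrottleSettings()) -> list[Outcome]:
    tracker = InvalidLoginTracker(settings)
    return [tracker.attempt(ip, user, ts, ok) for ts, ip, user, ok in map(parse_line, lines)]


if __name__ == "__main__":
    for o in replay(SAMPLE_LOG):
        print(f"{o.ip:13} {o.user:6} rejected={o.rejected!s:5} "
              f"blocked={o.ip_blocked!s:5} event={o.event_fired}")
```

With the defaults from the table the 5th failure blocks the address, the 6th is rejected and raises exactly one event, and a correct password from the blocked address is still refused; setting `block_remote_ip=False` (setting 17) keeps the event but lets every attempt through to credential validation.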
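Settings 115-121 define the automatic key rotation: a new signing key every Interval days, announced in the discovery document PropagationTime days ahead, and kept for RetentionDuration days after retirement so tokens it signed still validate. The following Python is an added example, not code from the CoreOne Authentication Service or its documentation; it turns the three durations into a per-key timeline, shows which keys a relying party sees at a given moment, and checks the constraints the table states (PropagationTime not below 2 because the Backend caches for 24h). The parameter `max_token_lifetime_days` is an assumption of this example (the longest-lived token signed with these keys) and not a setting on the page.

```python
"""Key-rotation timeline derived from settings 115-121 (Interval,
PropagationTime, RetentionDuration). Added example; the schedule semantics
are taken from the table, max_token_lifetime_days is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

BACKEND_CACHE_HOURS = 24  # stated in the table for setting 120


@dataclass(frozen=True)
class RotationSettings:
    interval_days: float = 30.0    # setting 119: new keys every X days
    propagation_days: float = 2.0  # setting 120: announce the new key X days ahead
    retention_days: float = 7.0    # setting 121: keep the retired key X days


@dataclass(frozen=True)
class KeyLifecycle:
    index: int
    announced: datetime  # first appears in the discovery document
    active: datetime     # becomes the signing key
    retired: datetime    # stops signing (successor becomes active)
    removed: datetime    # leaves discovery; deleted from the store if setting 118 is true


def check_settings(s: RotationSettings, max_token_lifetime_days: float) -> list[str]:
    """Return findings for an inconsistent rotation schedule (empty list = OK)."""
    findings = []
    if s.propagation_days < 2:  # the table's stated minimum, because of the 24h Backend cache
        findings.append(f"PropagationTime below 2 days: the Backend caches discovery for "
                        f"{BACKEND_CACHE_HOURS}h, so tokens signed with a new key may reach "
                        "a Backend that has not yet seen that key")
    if s.propagation_days >= s.interval_days:
        findings.append("PropagationTime must be shorter than Interval, otherwise the next "
                        "key is announced before the current one has become active")
    if s.retention_days < max_token_lifetime_days:  # assumption: tokens outlive the key
        findings.append("RetentionDuration is shorter than the longest token lifetime: "
                        "tokens signed just before a rotation stop validating early")
    return findings


def schedule(s: RotationSettings, first_active: datetime, rotations: int) -> list[KeyLifecycle]:
    """Lifecycle of the first `rotations` keys; key 0 becomes active at first_active."""
    keys = []
    for i in range(rotations):
        active = first_active + timedelta(days=i * s.interval_days)
        retired = active + timedelta(days=s.interval_days)
        keys.append(KeyLifecycle(
            index=i,
            announced=active - timedelta(days=s.propagation_days),
            active=active,
            retired=retired,
            removed=retired + timedelta(days=s.retention_days),
        ))
    return keys


def published_at(keys: list[KeyLifecycle], at: datetime) -> list[int]:
    """Indices of the keys a relying party sees in discovery at `at`."""
    return [k.index for k in keys if k.announced <= at < k.removed]


def signing_key_at(keys: list[KeyLifecycle], at: datetime) -> int | None:
    """Index of the key signing tokens issued at `at`, or None outside the schedule."""
    for k in keys:
        if k.active <= at < k.retired:
            return k.index
    return None


def demo(settings: RotationSettings = RotationSettings(),
         days: tuple[int, ...] = (1, 29, 31, 40, 58)) -> dict[int, tuple[list[int], int | None]]:
    """Published and signing keys at a few day offsets from a fixed start date."""
    start = datetime(2024, 1, 1)  # constructed start of the schedule
    keys = schedule(settings, start, rotations=3)
    return {d: (published_at(keys, start + timedelta(days=d)),
                signing_key_at(keys, start + timedelta(days=d))) for d in days}


if __name__ == "__main__":
    print(check_settings(RotationSettings(), max_token_lifetime_days=1.0) or "settings consistent")
    for day, (published, signing) in demo().items():
        print(f"day {day:3}: published={published} signing={signing}")
```

With the table's defaults, discovery carries only the current key for most of the 30-day interval, the current and the next key during the 2-day propagation window before a rotation, and the new and the previous key during the 7-day retention window after it; shortening PropagationTime to one day or RetentionDuration below the token lifetime is reported as a finding.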
Communication

Info: All e-mails initiated by the Authentication Service are sent from the Backend Service, because the e-mail templates are defined there. You cannot define a different SMTP server for the Authentication Service. In an HA scenario, where the Authentication Service and the Backend Service are not running on the same server, you only need to make sure that the server running the Backend Service is authorized (e.g. defined as a relay server in Exchange) to send e-mails.