
Introduction

This chapter describes the configuration options of the CoreOne Suite Authentication Service.

Configuration parameters

The following general configuration parameters are available:


Introduction

The CoreOne Authentication Service loads most of its configuration from the CoreOne Application Service at runtime. There are, however, various settings that are read either from the application configuration file or from the settings table. This page describes those settings.

Configuration parameters

The following general configuration parameters are available:

Id

Parameter

Available from version

Data type

Example values

Description

1

PluginList

4.0

JSON String Array

[
    "iTsense.CoreLogin2.LoginMethod.Password.Plugin,iTsense.CoreLogin2.LoginMethod.Password"
]

An array with all the supported logon methods. You can add your own by specifying the appropriate namespace in the plugin list.

2

UseSSL

4.0

Bool

true

Whether or not to force the usage of SSL

3

SSL-Certificate-Data

4.0

Encrypted String

* * * * *

If set, this certificate can be used to sign tokens

4

SSL-Certificate-Password

4.0

Encrypted String

* * * * *

The password to the certificate data if needed

5

SSL-Certificate-Format

4.0

String

“pfx”

The type of the certificate

9

SMS-Provider-Type

4.0

String

"iTsense.CoreLogin2.Server.SmsProviders.LogConsoleSmsProvider,iTsense.CoreLogin2.Server"

or starting from version 8.x

"LogConsoleSmsProvider"

The SMS provider implementation to use for sending SMS messages.

Supported types:

  • iTsense.CoreLogin2.Server.SmsProviders.LogConsoleSmsProvider,iTsense.CoreLogin2.Server → LogConsole

  • iTsense.CoreLogin2.Server.SmsProviders.AwsSmsProvider → AWS SNS

  • iTsense.CoreLogin2.Server.SmsProviders.RestSmsProvider → REST

Or starting from version 8 simply:

  • LogConsoleSmsProvider

  • RestSmsProvider

  • AwsSmsProvider

10

SMS-Provider-Settings


4.0

String

{
	"Method": "GET",
	"BaseUrl": "https://soap.aspsms.com/aspsmsx.asmx/SimpleTextSMS?UserKey=LZDQT7R7D3&Password=SWn1vQT08UNHBIueL&Recipient={mobilenumber}&Originator=COS&MessageText={message}",
	"SecurityMethod": "None",
	"Username": "",
	"Password": "",
	"MobileNumberFormat": "E164",
	"DefaultCountryPrefix": "+41",
	"BodyContent": null,
	"BodyEncodingCodePage": 65001,
	"BodyMediaType": "text/plain",
	"RestResource": null
}

Method: Get / Post / Put
BaseUrl: REST base URL; placeholders: mobilenumber / message
SecurityMethod: authentication method (currently only BasicAuthentication supported)
Username: user name
Password: password
MobileNumberFormat:
 - E164: +41 79 111 22 33
 - InternationalWithPrefix: +41791112233
 - InternationalWithoutPrefix: 41791112233
 - LocalWithPrefix: 0791112233
 - LocalNoPrefix: 791112233
DefaultCountryPrefix: country prefix used if the phone number does not contain one
BodyEncodingCodePage: code page for the body data
BodyMediaType: media type for the body data
RestResource:
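The MobileNumberFormat variants and the BaseUrl placeholders above, worked through in code. This is an added example, not CoreOne's own code; it assumes 9-digit subscriber numbers as in the table's Swiss examples, and the gateway URL and input numbers are constructed.

```python
import re
from urllib.parse import quote

# Added example, not CoreOne's own code: normalise a phone number into each
# MobileNumberFormat listed above and fill the {mobilenumber}/{message}
# placeholders of a REST BaseUrl. Assumes a 9-digit subscriber number as in
# the table's Swiss examples; sample settings and numbers are constructed.

def split_number(raw, default_country_prefix="+41", subscriber_len=9):
    """Return (country_code, subscriber) digits, applying DefaultCountryPrefix
    to local forms. Foreign or malformed numbers raise instead of being guessed."""
    digits = re.sub(r"\D", "", raw)            # drop "+", spaces, dashes
    cc = default_country_prefix.lstrip("+")
    if digits.startswith("00"):                # 0041... -> 41...
        digits = digits[2:]
    if digits.startswith(cc) and len(digits) == len(cc) + subscriber_len:
        return cc, digits[len(cc):]            # international form
    if digits.startswith("0"):                 # trunk prefix of the local form
        digits = digits[1:]
    if len(digits) != subscriber_len:
        raise ValueError(f"cannot normalise {raw!r} with prefix {default_country_prefix}")
    return cc, digits                          # local form, default prefix applied

def format_number(raw, fmt, default_country_prefix="+41"):
    cc, sub = split_number(raw, default_country_prefix)
    if fmt == "E164":                          # spaced as in the table: +41 79 111 22 33
        return f"+{cc} {sub[:2]} {sub[2:5]} {sub[5:7]} {sub[7:]}"
    if fmt == "InternationalWithPrefix":
        return f"+{cc}{sub}"
    if fmt == "InternationalWithoutPrefix":
        return f"{cc}{sub}"
    if fmt == "LocalWithPrefix":
        return f"0{sub}"
    if fmt == "LocalNoPrefix":
        return sub
    raise ValueError(f"unknown MobileNumberFormat {fmt!r}")

def build_sms_url(settings, mobile, message):
    """Substitute the placeholders; both values are URL-encoded so a message
    containing '&' or '#' cannot add or truncate query parameters."""
    number = format_number(mobile, settings["MobileNumberFormat"],
                           settings["DefaultCountryPrefix"])
    return (settings["BaseUrl"]
            .replace("{mobilenumber}", quote(number, safe=""))
            .replace("{message}", quote(message, safe="")))

# Constructed sample settings; the gateway host is a placeholder.
SAMPLE_SETTINGS = {
    "Method": "GET",
    "BaseUrl": "https://sms.example.invalid/send?to={mobilenumber}&text={message}",
    "MobileNumberFormat": "InternationalWithPrefix",
    "DefaultCountryPrefix": "+41",
}

if __name__ == "__main__":
    print(build_sms_url(SAMPLE_SETTINGS, "079 111 22 33", "Your code: 123 456"))
```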

SMS-Provider-HttpClientSettings

{
"IgnoreSslErrors": false,
"UseProxy": true,
"AllowAutoRedirect": true,
"ProxyConfiguration": null
}

IgnoreSslErrors: no error is raised for invalid SSL certificates
UseProxy: whether a proxy should be used (if true and ProxyConfiguration = null, the default Windows proxy is used; see Internet Explorer settings)
AllowAutoRedirect: follow 301 and 302 status codes
ProxyConfiguration: configuration of the proxy settings

TOTP-IssuerName

string

Issuer used in TOTP barcodes (visible in TOTP clients)

Enable LoginHistory

true / false

Switch the login history on / off

LoginHistory: OnlyLatest

true / false

Defines whether all logins or only the latest login is stored per user.

Block RemoteIp by invalid logon count

true / false

Defines whether clients that log in incorrectly too often are blocked.

Max invalid login count

number

Defines how many failed logins lead to the client being blocked.

Invalid login remember duration in seconds

number

Number of seconds for which failed logins are remembered.

ReCaptchaKey

string

Google ReCaptcha API key

ReCaptchaSecret

string

Google ReCaptcha API secret

ReCaptchaSecret-HttpClientSettings

{
"IgnoreSslErrors": false,
"UseProxy": true,
"AllowAutoRedirect": true,
"ProxyConfiguration": null
}

IgnoreSslErrors: no error is raised for invalid SSL certificates
UseProxy: whether a proxy should be used (if true and ProxyConfiguration = null, the default Windows proxy is used; see Internet Explorer settings)
AllowAutoRedirect: follow 301 and 302 status codes
ProxyConfiguration: configuration of the proxy settings

Verify email address

true / false

Defines whether e-mail addresses must be validated for a successful login

Trusted email address hosts regex

regex

Regex string; if the e-mail address matches it, it is automatically considered validated

Reverify email address

true / false

Defines whether e-mail addresses must be revalidated periodically.

Reverify email address every x days

number

Defines how often e-mail addresses must be revalidated.

Password complexity configuration

regex array, e.g. [ ".{8,32}", "[A-Z]", "[a-z]", "[0-9]" ]

List of regex definitions which must ALL match for a password to be valid.

Disable password reset

true / false

Defines whether a password reset is possible.

The following configuration settings are available for the Kestrel server:

Parameter

Values

Description

UseSSL

true / false

Defines whether the service runs as http or https

SSL-Certificate-Data

byte[] (Base64 encoded)

SSL certificate file

SSL-Certificate-Password

text

Password for the private key of the certificate file (if the service runs in Kestrel rather than in IIS)

SSL-Certificate-Format

pfx / pem

Format of the certificate file (currently only pfx is supported)

Server-Url

URL

Base URL of the server (including port)

Compatibility

The following target system releases are supported:

How-to articles

Related articles

The settings for the configured SMS provider, as documented at https://itsense.atlassian.net/l/cp/EupyJ6Sq

11

EnableRememberMe

4.0

Bool

true

Whether or not to show the Remember Me button on the authentication page

12

RememberMeDuration in seconds

4.0

Int

2592000

The lifetime of the remember me cookie in seconds

13

LoginCookieExpiration in seconds

4.0

Int

900

The lifetime of the login cookie in seconds

14

LoginCookieExpiration is sliding

4.0

Bool

true

If the login cookie should follow a sliding period and therefore be extended with new requests

15

TOTP-IssuerName

Publisher-IssuerName

4.0

8.0

String

"COS AUTH DEV"

The name stored as the issuer in the TOTP process.

Note

Please make sure this is a unique value for each system.

Starting from version 8, this is also used in other places like SMS OTPs and has been renamed to a more generic name → Publisher-IssuerName

16

Enable LoginHistory

4.0

Deprecated in version 10

Bool

true

Whether or not to write login history entries upon each login request

17

Block RemoteIp by invalid logon count

4.0

Bool

true

Whether or not to block clients based on their remote IP address after a given amount of invalid logon counts.

18

Max invalid login count

4.0

Int

5

The amount of failed logon counts that will lead to a temporary block of the remote IP.

19

Invalid login remember duration in seconds

4.0

Int

300

How many seconds a remote IP will be blocked after a he was

20

LoginHistory: OnlyLatest

4.0

Bool

true

If set to true only the last login of a user will be logged. If set to false, each login of a user will be logged.

21

Enable Welcome-Page

4.0

Bool

true

Whether or not to show the Welcome-Page on the IDP or to simply return a 404.

22

Enable Console Logger

4.0

Bool

false

Whether or not to enable a console logger

23

Enable DeveloperExceptionPage

4.0

Bool

false

Whether or not to enable the developer exception pages

24

Enable Log4Net

4.0

Bool

true

Whether or not to enable the Log4Net configuration.

25

Backend API URI

4.0

String

"https://localhost:8000/api/"

The URL to the backend API

26

Backend API-HttpClientSettings

4.0

HTTPClient Settings

{
   "IgnoreSslErrors":false,
   "UseProxy":true,
   "AllowAutoRedirect":true,
   "ProxyConfiguration":{
      "Uri":"http://proxy.itsense.ch:8080",
      "BypassList":[
         
      ],
      "BypassProxyOnLocal":false,
      "UseDefaultCredentials":true,
      "Credentials":null
   }
}

Any HTTPClients settings for the backend connection (connection to the application server) if needed.

IgnoreSslErrors: Do not throw an error if the SSL certificate is not valid
UseProxy: Should a proxy be used? (If true and there is no ProxyConfiguration, the default Windows settings will be used)
AllowAutoRedirect: Follow 301 and 302 status codes?
ProxyConfiguration: Proxy settings

27

ReCaptchaKey

5.0

String

“AD34FAE”

The Google ReCaptcha Key

28

ReCaptchaSecret

5.0

String

“FFFFAD34FAE”

The Google ReCaptcha Secret

29

Verify email address

5.0

Bool

true

Whether or not users need to verify their mail

30

Trusted email address hosts regex

5.0

String

".*(itsense.ch|coreone.ch)"

Domains to exclude from the verify email address process

31

Reverify email address

5.0

Bool

true

Whether or not users need to reverify their mail address on a periodic basis

32

Reverify email address every x days

5.0

Int

90

How many days after the last verification date users need to reverify their mail address

33

Password complexity configuration

4.0

Note

deprecated for version >= 5.x

35

DisablePasswordReset

4.0

Note

deprecated for version >= 5.x

36

Default logonmethods allowed during secret reset (EmptyEntry => No Verification)

4.0

Note

deprecated for version >= 5.x

37

OutgoingConnectionsHttpClientSettings

5.0

HTTPClient Settings

{
   "IgnoreSslErrors":false,
   "UseProxy":true,
   "AllowAutoRedirect":true,
   "ProxyConfiguration":{
      "Uri":"http://proxy.itsense.ch:8080",
      "BypassList":[
         
      ],
      "BypassProxyOnLocal":false,
      "UseDefaultCredentials":true,
      "Credentials":null
   }
}

Any HTTPClients settings for outgoing connections (such as SwissId Authentication, etc.) if needed.

IgnoreSslErrors: Do not throw an error if the SSL certificate is not valid
UseProxy: Should a proxy be used? (If true and there is no ProxyConfiguration, the default Windows settings will be used)
AllowAutoRedirect: Follow 301 and 302 status codes?
ProxyConfiguration: Proxy settings

39

Subject-Prefix

5.0

String

‘c1s’

The prefix for the subject. The subject will always be the prefix + “:” + the unique identifier.

Note

Make sure to choose something meaningful here

40

ShowTermsAndConditions

5.0

Bool

true

Whether or not the terms and conditions feature is active

41

ShowPrivacyPolicy

5.0

Bool

true

Whether or not the privacy policy feature is active

42

CoreOne Suite Web Url

4.0

Note

deprecated for version >= 5.x

44

Contact page feedback URL

4.0

Note

deprecated for version >= 5.x

45

Password Generator Type

4.0

Note

deprecated for version >= 5.x

46

SamlTimeComparisonTolerance

5.0

Int

This setting only applies if the CoreOne Authentication Service acts as the IdP.

If the CoreOne Authentication Service acts as the SP, the setting must be configured in GenericSamlOptions.

47

AwsSnsAccessKeyId

5.0

Encrypted String

* * * *

The AWS SNS Access Key Id

48

AwsSnsAccessKeySecret

5.0

Encrypted String

* * * *

The AWS SNS Access Key Secret

49

SamlRequestTrustLengthInMinutes

5.0

Int

10

The SAML Message Trust Length

50

EnableFireEventInvalidLogin

5.0

Bool

true

Whether or not to fire an invalid login event. You can register for that event and inform users about attempted logins.

51

MaxInvalidLoginCountWithoutFiringEvent

5.0

Int

5

The amount of invalid login attempts that are allowed by the remote IP before an invalid login event is fired.

52

FireEventInvalidLoginCacheDurationInMinutes

5.0

Int

5

How many minutes the invalid login attempts should be cached.
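The per-IP failure window behind settings 17-19 (blocking) and 50-52 (invalid-login event), as one added example that is not the product's own code. The threshold semantics (block at the Max-th failure, event on the first failure beyond the allowed count), the clean-up strategy and the timestamps are assumptions; the default values are the table's examples.

```python
from dataclasses import dataclass, field

# Added example, not CoreOne's own code: one sliding-window failure counter per
# remote IP that covers both the blocking settings (17-19) and the invalid-login
# event settings (50-52). Default values are the table's examples; timestamps are
# constructed Unix seconds. Assumed semantics: the block starts with the
# Max-th failure, the event fires with the first failure beyond the allowed count.

@dataclass
class InvalidLogonGuard:
    block_remote_ip: bool = True                    # Block RemoteIp by invalid logon count
    max_invalid_login_count: int = 5                # Max invalid login count
    remember_duration_s: int = 300                  # Invalid login remember duration in seconds
    enable_fire_event: bool = True                  # EnableFireEventInvalidLogin
    max_count_without_event: int = 5                # MaxInvalidLoginCountWithoutFiringEvent
    event_cache_duration_min: int = 5               # FireEventInvalidLoginCacheDurationInMinutes
    _failures: dict = field(default_factory=dict)   # ip -> list of failure timestamps

    def _recent(self, ip, now, window_s):
        """Failures of `ip` younger than window_s seconds."""
        return [t for t in self._failures.get(ip, []) if now - t < window_s]

    def record_failure(self, ip, now):
        """Store a failed logon; returns True when it should raise the invalid-login event."""
        longest = max(self.remember_duration_s, self.event_cache_duration_min * 60)
        kept = self._recent(ip, now, longest)   # drop what neither window needs any more
        kept.append(now)
        self._failures[ip] = kept
        return self.should_fire_event(ip, now)

    def is_blocked(self, ip, now):
        if not self.block_remote_ip:
            return False
        count = len(self._recent(ip, now, self.remember_duration_s))
        return count >= self.max_invalid_login_count

    def should_fire_event(self, ip, now):
        if not self.enable_fire_event:
            return False
        count = len(self._recent(ip, now, self.event_cache_duration_min * 60))
        return count > self.max_count_without_event

def replay(guard, ip, failure_times):
    """Feed constructed failure timestamps; per attempt return
    (blocked before the attempt was processed?, event raised by this attempt?)."""
    return [(guard.is_blocked(ip, t), guard.record_failure(ip, t)) for t in failure_times]
```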

53

DisableReactivation

5.0

Bool

true

Whether or not to disable the reactivation process on the authentication page.

54

DisableActivation

5.0

Bool

true

Whether or not to disable the activation process on the authentication page.

56

HowManyPastPasswordsToStore

6.0

Int

10

In order to provide a password history, the authentication service marks old passwords as deleted. This setting indicates how many of those should be stored.

57

Totp Valdiator Type

4.0

Note

deprecated for version >= 5.x

58

SupportedCultures

6.0

JSON String Array

[
    "DE",
    "EN",
    "FR",
    "IT"
]

The supported UI languages. You can remove or add entries.

59

DefaultCulture

6.0

String

“DE”

The default culture to use

60

NtpTimeServers

6.0

JSON String Array

[
    "ntp.company.com"
]

By default the Authentication Service uses some predefined NTP servers to do a time sync that is needed for TOTP validation. You can change those defaults here.

61

NistTimeServers

6.0

JSON String Array

[
    "nist.company.com"
]

By default the Authentication Service uses some predefined NIST servers to do a time sync that is needed for TOTP validation. You can change those defaults here.

62

HttpTimeServers

6.0

JSON String Array

[
    "time.company.com"
]

By default the Authentication Service uses some predefined HTTP servers to do a time sync that is needed for TOTP validation. You can change those defaults here.

63

BackendApiUriV2

6.0

String

'https://localhost:8000/apiv2/'

The URL of the backend API V2

65

CheckUserUnfinishedCertifications

7.0

Bool

false

Whether or not the system should check if the current user has any unfinished certification processes. If there are any, the system prevents the user from logging in until those certification processes are finished.

66

SelfServiceUrl

7.0

String

"https://portal.coreone.ch"

The URL to the Self-Service Portal which will be used in combination with the setting above and below.

67

CheckDeactivatedDelegations

7.0

Bool

false

Whether or not the system should check if the current user has any deactivated delegations for the current application. If there are any, the system will inform the user about the delegations on the first login.

68

UseRequestIdInQueryString

8.0

Bool

false

Whether or not the RequestId should be passed in the URL from request to request. This is needed, if the browser or the APP does not support cookies. Only enable this, if that’s the case.

70

Nevis ApprovalRequest MessageTemplates

9.0

Complex object

{
  "PushNameKey" : "Module.DM.AuthenticationService.LoginMethod.Nevis.PushApprovalMessageTemplate", 
  "QrNameKey" : "Module.DM.AuthenticationService.LoginMethod.Nevis.QrApprovalMessageTemplate"
}

The name keys used for the push notifications.

71

Nevis Android AppLink

9.0

String

"https://please-set-the-nevis-android-app.itsense.ch"

This link will be used to generate the Play Store link to the Authenticator App.

72

Nevis Apple AppLink

9.0

String

"https://please-set-the-nevis-apple-app.itsense.ch"

This link will be used to generate the App Store link to the Authenticator App.

73

Nevis Tenant Id

9.0

String

"yourtenantid"

The tenant id of your Nevis Authentication Cloud

74

Nevis API Key

9.0

String

“yourapikey”

The API Key of your Nevis Authentication Cloud

75

Nevis Customer App Link

9.0

String

“https://my.customer.ch/deeplink-proxy/tenant”

If the deep link for the authentication has to be forwarded to a customer-specific proxy, you can define the URL here.

100

InstanceRandomBytes

5.0

String

"0EDeH/p/asdfasdf+o="

Random bytes to sign tokens (if not signed with a certificate) and encrypt values.

101

SigningCredentialsData

5.0

Encrypted String

* * * *

The credentials to the signing certificate if needed

102

SigningCredentialsFormat

5.0

String

"CertStore"

The format of the signing certificate, use “None” to disable static keys and use Automatic-Key-Rotation only (See setting 115-121)

103

SigningCredentialsStoreCertificateSubjectDistinguishedName

5.0

String

"CN=coslogin.local, OU=Development, O=ITSENSE AG, L=Aarau, S=AG, C=CH"

The DN of the signing certificate if configured

104

WsFederationPluginLicensee

5.0

Encrypted String

* * * *

The licence information for the plugin

105

WsFederationPluginLicenseKey

5.0

Encrypted String

* * * *

The licence key for the plugin

106

SamlPluginLicensee

5.0

Encrypted String

* * * *

The licence information for the plugin

107

SamlPluginLicenseKey

5.0

Encrypted String

* * * *

The licence key for the plugin

108

EnableInactivityLogout

4.0

Note

deprecated for version >= 5.x

110

EnablePortal

4.0

Note

deprecated for version >= 5.x

111

OperationalStateCleanupSleepInMinutes

5.8

Int

60

How often the operational state clean up should be performed

112

OperationalStateCleanupOlderThanInMinutes

5.8

Int

720

Data that is older than this value will be cleaned

113

WelcomePageRedirectUrl

7.0

string

https://www.mycompany.com

If the user lands on the Welcome Page of the Authentication Service, he will be redirected to the configured URL automatically

114

Captcha provider name

7.0

string

hcaptcha

You can either use recaptcha or hcaptcha.

https://www.google.com/recaptcha/about/

https://www.hcaptcha.com/

115

Automatic-Key-Rotation Disabled

8.2

Bool

false

Whether or not the Server should automatically create and rotate its signing keys

116

Automatic-Key-Rotation Signing Algorithms

8.2

Json Array

[
   {
      "Name": "RS256",
      "X509": true
   },
   {
      "Name": "ES256",
      "X509": true
   },
   {
      "Name": "PS256",
      "X509": true
   }
]

Signing algorithms and whether to wrap the keys in an X.509 certificate or not. Used to generate keys during Automatic-Key-Rotation. A key for each algorithm is generated and published in the discovery document during key rotation.

For valid algorithm names see RFC 7518, Section 3.1.

117

Automatic-Key-Rotation DataProtection

8.2

Bool

true

Whether or not to encrypt stored keys

118

Automatic-Key-Rotation Delete Retired Keys

8.2

Bool

true

Whether or not to delete retired keys from the store

119

Automatic-Key-Rotation Interval in days

8.2

double

30

New keys every X days

120

Automatic-Key-Rotation PropagationTime in days

8.2

double

2

Announce the new key 2 days in advance in discovery. The backend caches discovery for 24h, so you should not use values below 2!

121

Automatic-Key-Rotation RetentionDuration in days

8.2

double

7

Keep old key for X days in discovery for validation of tokens
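How the Interval, PropagationTime and RetentionDuration settings (119-121) fit together for a single key, as an added example that is not the product's own code. The lifecycle semantics (announced at creation, signing after PropagationTime, handed over after Interval, published for RetentionDuration afterwards), the key naming and the dates are assumptions; the 24h backend cache is the figure stated above.

```python
from datetime import date, timedelta

# Added example, not CoreOne's own code: the lifecycle of one automatically
# rotated signing key as implied by settings 119-121 (Interval, PropagationTime,
# RetentionDuration) and the 24h backend cache noted in the table. Assumed
# semantics: a key is announced in discovery when created, signs after
# PropagationTime, hands over to the next key after Interval, and stays
# published for RetentionDuration so tokens it signed still validate.

def key_lifecycle(created, interval_days=30.0, propagation_days=2.0, retention_days=7.0):
    if propagation_days < 2:
        # the backend caches discovery for 24h; a shorter announcement window
        # risks tokens signed with a key the backend has not fetched yet
        raise ValueError("PropagationTime below 2 days is unsafe")
    active = created + timedelta(days=propagation_days)
    retired = active + timedelta(days=interval_days)
    return {"announced": created, "active": active,
            "retired": retired, "removed": retired + timedelta(days=retention_days)}

def rotation_plan(first_created, count, **settings):
    """Lifecycles of `count` consecutive keys, one created every Interval days,
    so each key becomes active exactly when its predecessor retires."""
    interval = settings.get("interval_days", 30.0)
    return {f"key{n}": key_lifecycle(first_created + timedelta(days=n * interval), **settings)
            for n in range(count)}

def published_keys(plan, on):
    """Key ids a relying party finds in the discovery document on a given day."""
    return [k for k, m in plan.items() if m["announced"] <= on < m["removed"]]

def active_key(plan, on):
    """The single key used for signing on a given day (None before the first is active)."""
    for k, m in plan.items():
        if m["active"] <= on < m["retired"]:
            return k
    return None

def token_verifiable(plan, key, issued_on, verified_on):
    """A token signed on issued_on verifies on verified_on only while its key is still published."""
    m = plan[key]
    return m["active"] <= issued_on < m["retired"] and verified_on < m["removed"]

if __name__ == "__main__":
    plan = rotation_plan(date(2024, 1, 1), 3)
    for k, m in plan.items():
        print(k, {name: d.isoformat() for name, d in m.items()})
```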

122

PersistedGrantCleanupSleepInMinutes

8.1.11

Int

1440

How often the persisted grants, such as authorization codes, should be cleaned up

123

PersistedGrantCleanupOlderThanInMinutes

8.1.11

Int

10080

The minimum age of a grant, such as an authorization code, before it’s getting deleted

124

TotpUsageCleanupSleepInMinutes

8.1.11

Int

60

How often used TOTPs should be cleaned up

125

TotpUsageCleanupOlderThanInMinutes

8.1.11

Int

60

The minimum age of a TOTP before it’s getting deleted

126

MaxAhvVerificationAttempts

8.2

Int

5

How many times the check against the Swiss social security register can fail before a support ticket is issued.

127

AhvVerificationAttemptsExpirationInMinutes

8.2

Int

5

Within how many minutes the failed attempts have to be.

128

IsGridDisplay

8.2.6

Bool

true

Flag to determine whether external logon providers are displayed as a grid of icons without display names (true) or as a list of buttons (false)

129

NumberOfIconsInGridRow

8.2.6

Int

6

Max number of icons in one row in grid when IsGridDisplay is true

130

IsExternalProvidersTopComponent

8.2.6

Bool

true

Flag to determine if List/Grid of External Logon Providers should be at the top (true) or the bottom (false) of Login Page

131

ExternalLogonIdTokenCleanupSleepInMinutes

9.1

Int

60

How often obsolete id_tokens should be cleaned up (these are the ones used in the external logon logout process)

If set to 0, this will disable the feature.

132

ExternalLogonIdTokenCleanupOlderThanInMinutes

9.1

Int

60

The minimum age of an id_token before it is considered obsolete

Communication

Info

All e-mails initiated by the Authentication Service are sent by the Backend Service, because the e-mail templates are defined there. You cannot define a different SMTP server for the Authentication Service. In an HA scenario, where the Authentication Service and the Backend Service do not run on the same server, you only need to make sure that the server running the Backend Service is authorized to send e-mails (e.g. defined as a relay server in Exchange).