Version 17 (old version of this page)
Introduction

The CoreOne Authentication Service loads most of its configuration from the CoreOne Application Service at runtime, but a number of settings are read from either the application configuration file or from the settings table. This page describes those settings.

Configuration parameters

The following general configuration parameters are available:

| Id | Parameter | Data type | Example value | Description |
|----|-----------|-----------|---------------|-------------|
| 1 | PluginList | JSON String Array | ["iTsense.CoreLogin2.LoginMethod.Password.Plugin,iTsense.CoreLogin2.LoginMethod.Password"] | An array with all the supported logon methods. You can add your own by specifying the appropriate namespace in the plugin list. |
| 2 | UseSSL | Bool | true | Whether or not to force the usage of SSL |
| 3 | SSL-Certificate-Data | Encrypted String | * * * * * | If set, this certificate can be used to sign tokens |
| 4 | SSL-Certificate-Password | Encrypted String | * * * * * | The password to the certificate data if needed |
| 5 | SSL-Certificate-Format | String | "pfx" | The type of the certificate |
| 9 | SMS-Provider-Type | String | "iTsense.CoreLogin2.Server.SmsProviders.LogConsoleSmsProvider,iTsense.CoreLogin2.Server" | The SMS provider implementation to use for sending SMS messages. Supported types: iTsense.CoreLogin2.Server.SmsProviders.LogConsoleSmsProvider,iTsense.CoreLogin2.Server (LogConsole); iTsense.CoreLogin2.Server.SmsProviders.AwsSmsProvider (AWS SNS); iTsense.CoreLogin2.Server.SmsProviders.RestSmsProvider (REST) |
| 10 | SMS-Provider-Settings | String | {"Method": "Get", "BaseUrl": "http://myRestSmsApi/{mobilenumber}/{message}", "SecurityMethod": "BasicAuthentication", "Username": "MyUserName", "Password": "MyPw", "MobileNumberFormat": "E164", "DefaultCountryPrefix": "+41", "BodyContent": null, "BodyEncodingCodePage": 65001, "BodyMediaType": "text/plain", "RestResource": null} | The settings for the configured SMS provider, as documented in How-To configure SMS Gateway Service |
| 11 | EnableRememberMe | Bool | true | Whether or not to show the Remember Me button on the authentication page |
| 12 | RememberMeDuration in seconds | Int | 2592000 | The lifetime of the remember me cookie in seconds |
| 13 | LoginCookieExpiration in seconds | Int | 900 | The lifetime of the login cookie in seconds |
| 14 | LoginCookieExpiration is sliding | Bool | true | Whether the login cookie should follow a sliding period and therefore be extended with new requests |
| 15 | TOTP-IssuerName | String | "COS AUTH DEV" | The name stored as the issuer in the TOTP process. Please make sure this is a unique value for each system. |
| 16 | Enable LoginHistory | Bool | true | Whether or not to write login history entries upon each login request |
| 17 | Block RemoteIp by invalid logon count | Bool | true | Whether or not to block clients based on their remote IP address after a given number of invalid logon attempts. |
| 18 | Max invalid login count | Int | 5 | The number of failed logon attempts that will lead to a temporary block of the remote IP. |
| 19 | Invalid login remember duration in seconds | Int | 300 | How many seconds a remote IP will be blocked after a he was |
| 20 | LoginHistory: OnlyLatest | Bool | true | If set to true, only the last login of a user will be logged. If set to false, each login of a user will be logged. |
| 21 | Enable Welcome-Page | Bool | true | Whether or not to show the Welcome-Page on the IDP or to simply return a 404. |
| 22 | Enable Console Logger | Bool | false | Whether or not to enable a console logger |
| 23 | Enable DeveloperExceptionPage | Bool | false | Whether or not to enable the developer exception pages |
| 24 | Enable Log4Net | Bool | true | Whether or not to enable the Log4Net configuration. |
| 25 | Backend API URI | String | "https://localhost:8000/api/" | The URL to the backend API |
| 26 | Backend API-HttpClientSettings | HTTPClient Settings | {"IgnoreSslErrors": true, "UseProxy": false, "AllowAutoRedirect": true, "ProxyConfiguration": null} | Any HTTPClient settings for the backend connection if needed. IgnoreSslErrors: do not throw an error if the SSL certificate is not valid. UseProxy: whether a proxy should be used (if true and there is no ProxyConfiguration, the default Windows settings are used). AllowAutoRedirect: follow 301 and 302 status codes. ProxyConfiguration: proxy settings. |
| 27 | ReCaptchaKey | String | "AD34FAE" | The Google ReCaptcha Key |
| 28 | ReCaptchaSecret | String | "FFFFAD34FAE" | The Google ReCaptcha Secret |
| 29 | Verify email address | Bool | true | Whether or not users need to verify their mail address |
| 30 | Trusted email address hosts regex | String | ".*(itsense.ch\|coreone.ch)" | Domains to exclude from the verify email address process |
| 31 | Reverify email address | Bool | true | Whether or not users need to reverify their mail address on a periodic basis |
| 32 | Reverify email address every x days | Int | 90 | How many days after the last verification date users need to reverify their mail address |
| 33 | Password complexity configuration | | | deprecated for version >= 5.x |
| 35 | DisablePasswordReset | | | deprecated for version >= 5.x |
| 36 | Default logonmethods allowed during secret reset (EmptyEntry => No Verification) | | | deprecated for version >= 5.x |
| 37 | OutgoingConnectionsHttpClientSettings | HTTPClient Settings | {"IgnoreSslErrors": true, "UseProxy": false, "AllowAutoRedirect": true, "ProxyConfiguration": null} | Any HTTPClient settings for outgoing connections if needed. The fields have the same meaning as for Backend API-HttpClientSettings (Id 26). |
| 39 | Subject-Prefix | String | 'c1s' | The prefix for the subject. The subject is always the prefix + ":" + the unique identifier. Make sure to choose something meaningful here. |
| 40 | ShowTermsAndConditions | Bool | true | Whether or not the terms and conditions feature is active |
| 41 | ShowPrivacyPolicy | Bool | true | Whether or not the privacy policy feature is active |
| 42 | CoreOne Suite Web Url | | | deprecated for version >= 5.x |
| 44 | Contact page feedback URL | | | deprecated for version >= 5.x |
| 45 | Password Generator Type | | | deprecated for version >= 5.x |
| 46 | SamlTimeComparisonTolerance | Int | | |
| 47 | AwsSnsAccessKeyId | Encrypted String | * * * * | The AWS SNS Access Key Id |
| 48 | AwsSnsAccessKeySecret | Encrypted String | * * * * | The AWS SNS Access Key Secret |
| 49 | SamlRequestTrustLengthInMinutes | Int | 10 | The SAML Message Trust Length |
| 50 | EnableFireEventInvalidLogin | Bool | true | Whether or not to fire an invalid login event. You can register for that event and inform users about attempted logins. |
| 51 | MaxInvalidLoginCountWithoutFiringEvent | Int | 5 | The number of invalid logins that are allowed from the remote IP before an invalid login event is fired. |
| 52 | FireEventInvalidLoginCacheDurationInMinutes | Int | 5 | How many minutes the invalid logins should be cached. |
| 53 | DisableReactivation | Bool | true | Whether or not to disable the reactivation process on the authentication page. |
| 54 | DisableActivation | Bool | true | Whether or not to disable the activation process on the authentication page. |
| 56 | HowManyPastPasswordsToStore | Int | 10 | In order to provide a password history, the authentication service marks old passwords as deleted. This setting indicates how many of those should be stored. |
| 57 | Totp Valdiator Type | | | deprecated for version >= 5.x |
| 58 | SupportedCultures | JSON String Array | ["DE", "EN", "FR", "IT"] | The supported UI languages. You can remove or add entries. |
| 59 | DefaultCulture | String | "DE" | The default culture to use |
| 60 | NtpTimeServers | JSON String Array | ["ntp.company.com"] | By default the Authentication Service uses some predefined NTP servers to do a time sync that is needed for TOTP validation. You can change those defaults here. |
| 61 | NistTimeServers | JSON String Array | ["nist.company.com"] | By default the Authentication Service uses some predefined NIST servers to do a time sync that is needed for TOTP validation. You can change those defaults here. |
| 62 | HttpTimeServers | JSON String Array | ["time.company.com"] | By default the Authentication Service uses some predefined HTTP servers to do a time sync that is needed for TOTP validation. You can change those defaults here. |
| 63 | BackendApiUriV2 | String | 'https://localhost:8000/apiv2/' | The URL of the backend API V2 |
| 100 | InstanceRandomBytes | String | "0EDeH/p/asdfasdf+o=" | Random bytes to sign tokens (if not signed with a certificate) |
| 101 | SigningCredentialsData | Encrypted String | * * * * | The credentials to the signing certificate if needed |
| 102 | SigningCredentialsFormat | String | "CertStore" | The format of the signing certificate |
| 103 | SigningCredentialsStoreCertificateSubjectDistinguishedName | String | "CN=coslogin.local, OU=Development, O=ITSENSE AG, L=Aarau, S=AG, C=CH" | The DN of the signing certificate if configured |
| 104 | WsFederationPluginLicensee | Encrypted String | * * * * | The licence information for the plugin |
| 105 | WsFederationPluginLicenseKey | Encrypted String | * * * * | The licence key for the plugin |
| 106 | SamlPluginLicensee | Encrypted String | * * * * | The licence information for the plugin |
| 107 | SamlPluginLicenseKey | Encrypted String | * * * * | The licence key for the plugin |
| 108 | EnableInactivityLogout | | | deprecated for version >= 5.x |
| 110 | EnablePortal | | | deprecated for version >= 5.x |
| 111 | OperationalStateCleanupSleepInMinutes | Int | 60 | How often the operational state clean up should be performed |
| 112 | OperationalStateCleanupOlderThanInMinutes | Int | 720 | Data that is older than this value will be cleaned |
| 113 | WelcomePageRedirectUrl | String | https://www.mycompany.com | If the user lands on the Welcome Page of the Authentication Service, they are redirected to the configured URL automatically |
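A small configuration audit over the parameters in the table above, added here as an example and not part of the product or of this page: it parses the JSON-valued settings and flags the values a reviewer would question (IgnoreSslErrors in the HttpClient settings, a plain-http SMS gateway, the LogConsole provider, and a trusted-hosts regex that also matches look-alike domains). The settings mapping, the hardened regex and the assumption that the service applies the regex to the whole mail host are mine.

```python
import json
import re

# Constructed sample shaped like the settings table above (the table's example
# values; the HttpClient and SMS settings are JSON strings and are parsed below).
SAMPLE_SETTINGS = {
    "UseSSL": True,
    "Block RemoteIp by invalid logon count": True,
    "SMS-Provider-Type": "iTsense.CoreLogin2.Server.SmsProviders.LogConsoleSmsProvider,iTsense.CoreLogin2.Server",
    "SMS-Provider-Settings": '{"BaseUrl": "http://myRestSmsApi/{mobilenumber}/{message}", "SecurityMethod": "BasicAuthentication"}',
    "Backend API-HttpClientSettings": '{"IgnoreSslErrors": true, "UseProxy": false}',
    "OutgoingConnectionsHttpClientSettings": '{"IgnoreSslErrors": false, "UseProxy": false}',
    "Trusted email address hosts regex": ".*(itsense.ch|coreone.ch)",
}

# Hardened form of the table's example regex: dots escaped, anchored, subdomains only.
HARDENED_TRUSTED_HOSTS = r"^([a-z0-9-]+\.)*(itsense\.ch|coreone\.ch)$"

def host_is_trusted(regex, host):
    """Assumption: the service matches the regex against the whole mail host."""
    return re.fullmatch(regex, host.lower()) is not None

def trusted_hosts_regex_issues(regex):
    """Weaknesses that let look-alike hosts skip the email verification step."""
    issues = []
    if regex.startswith(".*"):
        issues.append("leading .* accepts any prefix, e.g. evil-itsense.ch")
    if re.search(r"(?<!\\)\.(?!\*)", regex):
        issues.append("unescaped '.' matches any character, e.g. itsenseXch")
    return issues

def audit(settings):
    """Return (parameter, reason) pairs for values that weaken the service."""
    findings = []
    if settings.get("UseSSL") is False:
        findings.append(("UseSSL", "SSL not enforced; credentials and cookies can travel in clear"))
    if settings.get("Block RemoteIp by invalid logon count") is False:
        findings.append(("Block RemoteIp by invalid logon count", "no per-IP block after failed logons"))
    if "LogConsoleSmsProvider" in settings.get("SMS-Provider-Type", ""):
        findings.append(("SMS-Provider-Type", "SMS codes are written to the console log, not sent to the user"))
    sms = json.loads(settings.get("SMS-Provider-Settings") or "{}")
    if sms.get("BaseUrl", "").lower().startswith("http://"):
        findings.append(("SMS-Provider-Settings", "gateway reached over plain http; Basic-auth credentials and codes are readable on the wire"))
    for key in ("Backend API-HttpClientSettings", "OutgoingConnectionsHttpClientSettings"):
        if json.loads(settings.get(key) or "{}").get("IgnoreSslErrors"):
            findings.append((key, "IgnoreSslErrors disables certificate validation, so the TLS connection can be intercepted"))
    for issue in trusted_hosts_regex_issues(settings.get("Trusted email address hosts regex", "")):
        findings.append(("Trusted email address hosts regex", issue))
    return findings
```

Running audit(SAMPLE_SETTINGS) reports the LogConsole provider, the http gateway URL, the backend IgnoreSslErrors flag and both regex weaknesses; swapping in HARDENED_TRUSTED_HOSTS clears the last two.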

Communication

All e-mails initiated by the Authentication Service are sent by the Backend Service, because the e-mail templates are defined there. You cannot define a different SMTP server for the Authentication Service. In an HA scenario where the Authentication Service and the Backend Service do not run on the same server, you only need to make sure that the server running the Backend Service is authorized to send e-mails (e.g. defined as a relay server in Exchange).

How-to articles
