Introduction
The CoreOne Authentication Service loads most of its configuration from the CoreOne Application Service at runtime. There are, however, various settings that are read either from the application configuration file or from the settings table. This page describes those settings.
Configuration parameters
The following general configuration parameters are available:
Id | Parameter | Available from version | Data type | Example values | Description |
---|---|---|---|---|---|
1 | PluginList | 4.0 | JSON String Array | [ "iTsense.CoreLogin2.LoginMethod.Password.Plugin,iTsense.CoreLogin2.LoginMethod.Password" ] | An array with all the supported logon methods. You can add your own by specifying the appropriate namespace in the plugin list. |
2 | UseSSL | 4.0 | Bool | true | Whether or not to force the usage of SSL |
3 | SSL-Certificate-Data | 4.0 | Encrypted String | * * * * * | If set, this certificate can be used to sign tokens |
4 | SSL-Certificate-Password | 4.0 | Encrypted String | * * * * * | The password to the certificate data if needed |
5 | SSL-Certificate-Format | 4.0 | String | “pfx” | The type of the certificate |
9 | SMS-Provider-Type | 4.0 | String | "iTsense.CoreLogin2.Server.SmsProviders.LogConsoleSmsProvider,iTsense.CoreLogin2.Server" | The SMS provider implementation to use for sending SMS messages, given as the assembly-qualified type name. Starting from version 8 a shorter form is accepted instead (the short names and the list of supported provider types are not reproduced on this page). |
10 | SMS-Provider-Settings | 4.0 | String | GET: { "Method": "Get", "BaseUrl": "http://myRestSmsApi/{mobilenumber}/{message}", "SecurityMethod": "BasicAuthentication", "Username": "MyUserName", "Password": "MyPw", "MobileNumberFormat": "E164", "DefaultCountryPrefix": "+41", "BodyContent": null, "BodyEncodingCodePage": 65001, "BodyMediaType": "text/plain", "RestResource": null } (a POST variant exists but its example is not reproduced here) | The settings for the configured SMS provider, as documented in How-To configure SMS Gateway Service. With "SecurityMethod": "BasicAuthentication" the username and password are sent with every request, so use an https BaseUrl in production rather than the plain http shown in the example. |
11 | EnableRememberMe | 4.0 | Bool | true | Whether or not to show the Remember Me button on the authentication page |
12 | RememberMeDuration in seconds | 4.0 | Int | 2592000 | The lifetime of the remember me cookie in seconds |
13 | LoginCookieExpiration in seconds | 4.0 | Int | 900 | The lifetime of the login cookie in seconds |
14 | LoginCookieExpiration is sliding | 4.0 | Bool | true | If the login cookie should follow a sliding period and therefore be extended with new requests |
15 | TOTP-IssuerName | 4.0 | String | "COS AUTH DEV" | The name stored as the issuer in the TOTP process. Please make sure this is a unique value for each system, otherwise users cannot tell the enrolled accounts apart in their authenticator app. |
16 | Enable LoginHistory | 4.0 | Bool | true | Whether or not to write login history entries upon each login request |
17 | Block RemoteIp by invalid logon count | 4.0 | Bool | true | Whether or not to block clients based on their remote IP address after a given amount of invalid logon counts. |
18 | Max invalid login count | 4.0 | Int | 5 | The number of failed logon attempts that leads to a temporary block of the remote IP. |
19 | Invalid login remember duration in seconds | 4.0 | Int | 300 | How many seconds a remote IP remains blocked after it has reached the max invalid login count. |
20 | LoginHistory: OnlyLatest | 4.0 | Bool | true | If set to true only the last login of a user will be logged. If set to false, each login of a user will be logged. |
21 | Enable Welcome-Page | 4.0 | Bool | true | Whether or not to show the Welcome-Page on the IDP or to simply return a 404. |
22 | Enable Console Logger | 4.0 | Bool | false | Whether or not to enable a console logger |
23 | Enable DeveloperExceptionPage | 4.0 | Bool | false | Whether or not to enable the developer exception pages. Leave this false in production: these pages return stack traces and request details (headers, cookies, query string) to the client. |
24 | Enable Log4Net | 4.0 | Bool | true | Whether or not to enable the Log4Net configuration. |
25 | Backend API URI | 4.0 | String | | The URL of the backend API |
26 | Backend API-HttpClientSettings | 4.0 | JSON | { "IgnoreSslErrors": true, "UseProxy": false, "AllowAutoRedirect": true, "ProxyConfiguration": null } | Any HttpClient settings for the backend connection if needed. IgnoreSslErrors: do not fail if the backend's TLS certificate is invalid. Keep this false outside of development; true disables certificate validation and with it the protection of the backend link against man-in-the-middle attacks. |
27 | ReCaptchaKey | 5.0 | String | “AD34FAE” | The Google ReCaptcha Key |
28 | ReCaptchaSecret | 5.0 | String | “FFFFAD34FAE” | The Google ReCaptcha Secret |
29 | Verify email address | 5.0 | Bool | true | Whether or not users need to verify their mail |
30 | Trusted email address hosts regex | 5.0 | String | ".*(itsense.ch|coreone.ch)" | Hosts to exclude from the verify email address process. Anchor the pattern and escape the dots, e.g. "^(itsense\.ch|coreone\.ch)$": the unanchored example also matches hosts such as "coreone.ch.attacker.example" or "notcoreone.ch", which would skip verification for addresses you do not control. |
31 | Reverify email address | 5.0 | Bool | true | Whether or not users need to reverify their mail address periodically |
32 | Reverify email address every x days | 5.0 | Int | 90 | After how many days since the last verification users need to reverify their mail address |
33 | Password complexity configuration | 4.0 | | | Deprecated for version >= 5.x |
35 | DisablePasswordReset | 4.0 | | | Deprecated for version >= 5.x |
36 | Default logonmethods allowed during secret reset (EmptyEntry => No Verification) | 4.0 | | | Deprecated for version >= 5.x |
37 | OutgoingConnectionsHttpClientSettings | 5.0 | JSON | { "IgnoreSslErrors": true, "UseProxy": false, "AllowAutoRedirect": true, "ProxyConfiguration": null } | Any HttpClient settings for outgoing connections if needed. IgnoreSslErrors: do not fail if the remote TLS certificate is invalid. As with the backend settings, keep this false outside of development, since true disables certificate validation for every outgoing connection (SMS gateway, captcha provider, etc.). |
39 | Subject-Prefix | 5.0 | String | "c1s" | The prefix for the subject. The subject is always the prefix + ":" + the unique identifier. Make sure to choose something meaningful here. |
40 | ShowTermsAndConditions | 5.0 | Bool | true | Whether or not the terms and conditions feature is active |
41 | ShowPrivacyPolicy | 5.0 | Bool | true | Whether or not the privacy policy feature is active |
42 | CoreOne Suite Web Url | 4.0 | | | Deprecated for version >= 5.x |
44 | Contact page feedback URL | 4.0 | | | Deprecated for version >= 5.x |
45 | Password Generator Type | 4.0 | | | Deprecated for version >= 5.x |
46 | SamlTimeComparisonTolerance | 5.0 | Int | | |
47 | AwsSnsAccessKeyId | 5.0 | Encrypted String | * * * * | The AWS SNS Access Key Id |
48 | AwsSnsAccessKeySecret | 5.0 | Encrypted String | * * * * | The AWS SNS Access Key Secret |
49 | SamlRequestTrustLengthInMinutes | 5.0 | Int | 10 | How many minutes a SAML message is trusted after it was issued |
50 | EnableFireEventInvalidLogin | 6.0 | Bool | true | Whether or not to fire an invalid login event. You can register to that event and inform users about attempted logins. |
51 | MaxInvalidLoginCountWithoutFiringEvent | 6.0 | Int | 5 | The amount of invalid login attempts that are allowed by the remote IP before an invalid login event is fired. |
52 | FireEventInvalidLoginCacheDurationInMinutes | 6.0 | Int | 5 | How many minutes the invalid login attempts should be cached. |
53 | DisableReactivation | 6.0 | Bool | true | Whether or not to disable the reactivation process on the authentication page. |
54 | DisableActivation | 6.0 | Bool | true | Whether or not to disable the activation process on the authentication page. |
56 | HowManyPastPasswordsToStore | 6.0 | Int | 10 | In order to provide a password history the authentication service marks old passwords as deleted rather than removing them. This setting indicates how many of those should be kept. |
57 | Totp Valdiator Type | 4.0 | | | Deprecated for version >= 5.x |
58 | SupportedCultures | 5.0 | JSON String Array | [ "DE", "EN", "FR", "IT" ] | The supported UI languages. You can remove or add entries. |
59 | DefaultCulture | 6.0 | String | “DE” | The default culture to use |
60 | NtpTimeServers | 5.0 | JSON String Array | [ "ntp.company.com" ] | By default the Authentication Service uses some predefined NTP servers to do a time sync that is needed for TOTP validation. You can change those defaults here. |
61 | NistTimeServers | 5.0 | JSON String Array | [ "nist.company.com" ] | By default the Authentication Service uses some predefined NIST servers to do a time sync that is needed for TOTP validation. You can change those defaults here. |
62 | HttpTimeServers | 5.0 | JSON String Array | [ "time.company.com" ] | By default the Authentication Service uses some predefined HTTP servers to do a time sync that is needed for TOTP validation. You can change those defaults here. |
63 | BackendApiUriV2 | 6.0 | String | | The URL of the backend API V2 |
100 | InstanceRandomBytes | 5.0 | String | "0EDeH/p/asdfasdf+o=" | Random bytes used to sign tokens when no signing certificate is configured. Treat the value as a secret key: anyone who knows it can forge tokens, and in an HA deployment every instance must use the same value, otherwise tokens issued by one instance will not verify on another. |
101 | SigningCredentialsData | 5.0 | Encrypted String | * * * * | The credentials to the signing certificate if needed |
102 | SigningCredentialsFormat | 5.0 | String | "CertStore" | The format of the signing certificate |
103 | SigningCredentialsStoreCertificateSubjectDistinguishedName | 5.0 | String | "CN=coslogin.local, OU=Development, O=ITSENSE AG, L=Aarau, S=AG, C=CH" | The DN of the signing certificate if configured |
104 | WsFederationPluginLicensee | 5.0 | Encrypted String | * * * * | The licence information for the plugin |
105 | WsFederationPluginLicenseKey | 5.0 | Encrypted String | * * * * | The licence key for the plugin |
106 | SamlPluginLicensee | 5.0 | Encrypted String | * * * * | The licence information for the plugin |
107 | SamlPluginLicenseKey | 5.0 | Encrypted String | * * * * | The licence key for the plugin |
108 | EnableInactivityLogout | 4.0 | | | Deprecated for version >= 5.x |
110 | EnablePortal | 4.0 | | | Deprecated for version >= 5.x |
111 | OperationalStateCleanupSleepInMinutes | 5.8 | Int | 60 | How often the operational state clean up should be performed |
112 | OperationalStateCleanupOlderThanInMinutes | 5.8 | Int | 720 | Data that is older than this value will be cleaned |
113 | WelcomePageRedirectUrl | 7.0 | String | https://www.mycompany.com | If a user lands on the Welcome Page of the Authentication Service, they are automatically redirected to the configured URL. |
114 | Captcha provider name | 7.0 | string | hcaptcha | You can either use recaptcha or hcaptcha. |
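The example value of setting 30 (Trusted email address hosts regex) is unanchored and leaves the dots unescaped, so it matches more hosts than intended and lets an attacker-controlled address skip verification. The following script is an added illustration written for this page, not CoreOne code; it assumes the pattern is applied with a search-style match (as .NET Regex.IsMatch and Python re.search do) against the host part of the address, which this page does not state.

```python
"""Weak vs. hardened 'Trusted email address hosts regex' (setting 30).

Added example for this page, not CoreOne code. Assumption: the product runs a
search-style regex match against the host part of the e-mail address.
"""
import re

PAGE_PATTERN = r".*(itsense.ch|coreone.ch)"        # example value from the table
ANCHORED_PATTERN = r"^(itsense\.ch|coreone\.ch)$"  # escaped dots, anchored both ends


def host_of(address):
    """Return the lower-cased host part of an e-mail address (after the last '@')."""
    local, sep, host = address.rpartition("@")
    if not sep or not local or not host:
        raise ValueError(f"not an e-mail address: {address!r}")
    return host.lower()


def is_trusted(address, pattern):
    """True if the host matches the pattern, i.e. verification would be skipped."""
    return re.search(pattern, host_of(address)) is not None


# Constructed sample addresses: two legitimate ones and three bypass attempts.
CASES = [
    "alice@itsense.ch",
    "bob@coreone.ch",
    "mallory@coreone.ch.attacker.example",  # trusted name is only a prefix of the host
    "mallory@itsenseXch",                   # unescaped '.' matches any character
    "mallory@notcoreone.ch",                # trusted name is only a suffix of the host
]


def compare(cases=CASES):
    """Map each address to (trusted by page pattern, trusted by anchored pattern)."""
    return {a: (is_trusted(a, PAGE_PATTERN), is_trusted(a, ANCHORED_PATTERN)) for a in cases}


if __name__ == "__main__":
    for address, (weak, hardened) in compare().items():
        print(f"{address:40} page pattern: {weak!s:5} anchored: {hardened}")
```

The anchored pattern trusts exactly the two hosts; if subdomains of the trusted domains should also be exempt, extend the pattern deliberately (for example with an optional `([a-z0-9-]+\.)*` prefix) rather than by dropping the anchors.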
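The invalid-logon settings (17 to 19 and 50 to 52) interact: the block threshold, the remember window and the event threshold are all counted per remote IP. The following model is an added example written for this page, not the product's implementation; it assumes a sliding window of failure timestamps per IP, that blocked attempts are not counted as further failures, and that the event fires on every failure above the threshold inside the cache window. The product may behave differently on any of these points.

```python
"""Illustrative model of the per-IP invalid-logon settings (17-19, 50-52).

Added example for this page, NOT CoreOne code. Assumptions (not stated on the
page): failures are kept as per-IP timestamps in a sliding window, blocked
attempts are not counted as new failures, and the invalid-login event fires on
every failure above the threshold inside the cache window.
"""
from dataclasses import dataclass
import time


@dataclass
class LockoutConfig:
    block_remote_ip: bool = True            # 17 Block RemoteIp by invalid logon count
    max_invalid_login_count: int = 5        # 18 Max invalid login count
    remember_duration_s: int = 300          # 19 Invalid login remember duration in seconds
    fire_invalid_login_event: bool = True   # 50 EnableFireEventInvalidLogin
    max_invalid_without_event: int = 5      # 51 MaxInvalidLoginCountWithoutFiringEvent
    event_cache_minutes: int = 5            # 52 FireEventInvalidLoginCacheDurationInMinutes


class FakeClock:
    """Deterministic clock so the simulation is repeatable offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class InvalidLoginTracker:
    def __init__(self, cfg, clock=time.monotonic):
        self.cfg = cfg
        self.clock = clock
        self._block_window = {}   # ip -> failure timestamps for settings 17-19
        self._event_window = {}   # ip -> failure timestamps for settings 50-52
        self.events = []          # (ip, username, count) of fired events

    def _recent(self, table, ip, window_s):
        """Drop timestamps older than the window; return the (stored) remainder."""
        now = self.clock()
        kept = [t for t in table.get(ip, []) if now - t < window_s]
        table[ip] = kept
        return kept

    def is_blocked(self, ip):
        if not self.cfg.block_remote_ip:
            return False
        recent = self._recent(self._block_window, ip, self.cfg.remember_duration_s)
        return len(recent) >= self.cfg.max_invalid_login_count

    def record_failure(self, ip, username):
        now = self.clock()
        self._recent(self._block_window, ip, self.cfg.remember_duration_s).append(now)
        if self.cfg.fire_invalid_login_event:
            seen = self._recent(self._event_window, ip, self.cfg.event_cache_minutes * 60)
            seen.append(now)
            if len(seen) > self.cfg.max_invalid_without_event:
                self.events.append((ip, username, len(seen)))

    def attempt(self, ip, username, password_ok):
        """Outcome of one logon request: 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(ip):
            return "blocked"          # rejected before the password is checked
        if password_ok:
            return "ok"
        self.record_failure(ip, username)
        return "failed"


def simulate():
    """Six bad passwords from one address, then two correct ones."""
    cfg = LockoutConfig(max_invalid_without_event=3)  # lowered so the event is visible
    clock = FakeClock()
    tracker = InvalidLoginTracker(cfg, clock)
    ip, user = "203.0.113.7", "alice"                  # constructed sample data
    outcomes = []
    for _ in range(6):
        outcomes.append(tracker.attempt(ip, user, password_ok=False))
        clock.advance(10)
    outcomes.append(tracker.attempt(ip, user, password_ok=True))   # still blocked
    clock.advance(cfg.remember_duration_s)                          # window expires
    outcomes.append(tracker.attempt(ip, user, password_ok=True))   # accepted again
    return outcomes, len(tracker.events)


if __name__ == "__main__":
    print(simulate())
```

Under these assumptions the defaults (18 = 5 and 51 = 5) mean the event threshold is only crossed by a sixth failure, which the IP block already rejects, so the simulation lowers setting 51 to 3 to make the event observable; verify the product's own ordering of the block check and the event before relying on either value.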
Communication
All e-mails initiated by the Authentication Service are sent by the Backend Service, because the e-mail templates are defined there; you cannot define a separate SMTP server for the Authentication Service. In an HA scenario, where the Authentication Service and the Backend Service do not run on the same server, you only need to make sure that the server running the Backend Service is authorized to send e-mails (e.g. defined as a relay server in Exchange).