Introduction

The CoreOne Authentication Service loads most of its configuration from the CoreOne Application Service at runtime. A number of settings, however, are read from either the application configuration file or from the settings table. This page describes those settings.

Configuration parameters

The following general configuration parameters are available. Each entry below lists, in this order: Id, Parameter, Available from version, Data type, Example values, Description. Entries marked "deprecated for version >= 5.x" list only Id, Parameter and the version they were introduced in.

1

PluginList

4.0

JSON String Array

[
    "iTsense.CoreLogin2.LoginMethod.Password.Plugin,iTsense.CoreLogin2.LoginMethod.Password"
]

An array of all supported logon methods. Each entry is an assembly-qualified .NET type name in the form "Namespace.Type,Assembly"; you can add your own logon method by adding its type name to this list.

2

UseSSL

4.0

Bool

true

Whether or not to force the use of SSL/TLS (HTTPS). Leave this enabled outside of local development.

3

SSL-Certificate-Data

4.0

Encrypted String

* * * * *

If set, this certificate can be used to sign tokens

4

SSL-Certificate-Password

4.0

Encrypted String

* * * * *

The password to the certificate data if needed

5

SSL-Certificate-Format

4.0

String

“pfx”

The type of the certificate

9

SMS-Provider-Type

4.0

String

"iTsense.CoreLogin2.Server.SmsProviders.LogConsoleSmsProvider,iTsense.CoreLogin2.Server"

or, starting from version 8.x, simply:

"LogConsoleSmsProvider"

The SMS provider implementation to use for sending SMS messages.

Supported types:

  • iTsense.CoreLogin2.Server.SmsProviders.LogConsoleSmsProvider,iTsense.CoreLogin2.Server → LogConsole (as the name indicates, messages are written to the console/log instead of being sent, which puts SMS OTPs into the log output; use this for development only)

  • iTsense.CoreLogin2.Server.SmsProviders.AwsSmsProvider → AWS SNS

  • iTsense.CoreLogin2.Server.SmsProviders.RestSmsProvider → REST

Or, starting from version 8, simply:

  • LogConsoleSmsProvider

  • RestSmsProvider

  • AwsSmsProvider

10

SMS-Provider-Settings

4.0

String

{ 
	"Method": "GET",
	"BaseUrl": "https://soap.aspsms.com/aspsmsx.asmx/SimpleTextSMS?UserKey=<UserKey>&Password=<Password>&Recipient={mobilenumber}&Originator=COS&MessageText={message}",
	"SecurityMethod": "None",
	"Username": "",
	"Password": "",
	"MobileNumberFormat": "E164",
	"DefaultCountryPrefix": "+41",
	"BodyContent": null,
	"BodyEncodingCodePage": 65001,
	"BodyMediaType": "text/plain",
	"RestResource": null
}

The settings for the configured SMS provider, as documented at https://itsense.atlassian.net/l/cp/EupyJ6Sq. The UserKey and Password values in the example above are placeholders. Note that with "Method": "GET" the gateway credentials are part of the request URL and therefore end up in proxy and web-server access logs; where the SMS gateway supports it, send them in a POST body (BodyContent) or via the Username/Password fields instead.

11

EnableRememberMe

4.0

Bool

true

Whether or not to show the Remember Me button on the authentication page

12

RememberMeDuration in seconds

4.0

Int

2592000

The lifetime of the remember-me cookie in seconds (the example value is 30 days)

13

LoginCookieExpiration in seconds

4.0

Int

900

The lifetime of the login cookie in seconds (the example value is 15 minutes)

14

LoginCookieExpiration is sliding

4.0

Bool

true

Whether the login cookie uses a sliding expiration, i.e. whether its lifetime is extended with every new request

15

TOTP-IssuerName (renamed to Publisher-IssuerName in version 8.0)

4.0 (renamed in 8.0)

String

"COS AUTH DEV"

The name stored as the issuer during TOTP enrolment; it is the label the authenticator app shows next to the account.

Please make sure this is a unique value for each system.

Starting from version 8, this value is also used in other places, such as SMS OTPs, and the parameter has been renamed to the more generic Publisher-IssuerName.

16

Enable LoginHistory

4.0

Bool

true

Whether or not to write login history entries upon each login request

17

Block RemoteIp by invalid logon count

4.0

Bool

true

Whether or not to block clients based on their remote IP address after a given number of failed logon attempts.

18

Max invalid login count

4.0

Int

5

The number of failed logon attempts that leads to a temporary block of the remote IP.

19

Invalid login remember duration in seconds

4.0

Int

300

How many seconds a remote IP will be blocked after it was

20

LoginHistory: OnlyLatest

4.0

Bool

true

If set to true only the last login of a user will be logged. If set to false, each login of a user will be logged.

21

Enable Welcome-Page

4.0

Bool

true

Whether or not to show the Welcome-Page on the IDP or to simply return a 404.

22

Enable Console Logger

4.0

Bool

false

Whether or not to enable a console logger

23

Enable DeveloperExceptionPage

4.0

Bool

false

Whether or not to enable the developer exception page. Keep this false in production: the page returns stack traces and request details to the client.

24

Enable Log4Net

4.0

Bool

true

Whether or not to enable the Log4Net configuration.

25

Backend API URI

4.0

String

"https://localhost:8000/api/"

The URL to the backend API

26

Backend API-HttpClientSettings

4.0

HTTPClient Settings

{
   "IgnoreSslErrors":false,
   "UseProxy":true,
   "AllowAutoRedirect":true,
   "ProxyConfiguration":{
      "Uri":"http://proxy.itsense.ch:8080",
      "BypassList":[
         
      ],
      "BypassProxyOnLocal":false,
      "UseDefaultCredentials":true,
      "Credentials":null
   }
}

Any HTTPClients settings for the backend connection (connection to the application server) if needed.

IgnoreSslErrors: Do not throw an error if the SSL certificate is not valid. This disables certificate validation for the backend connection and makes it open to interception, so keep it false outside of isolated test setups.
UseProxy: Should a proxy be used? (If true and there is no ProxyConfiguration, the default Windows settings will be used)
AllowAutoRedirect: Follow 301 and 302 status codes?
ProxyConfiguration: Proxy settings

27

ReCaptchaKey

5.0

String

“AD34FAE”

The Google ReCaptcha Key

28

ReCaptchaSecret

5.0

String

“FFFFAD34FAE”

The Google ReCaptcha Secret

29

Verify email address

5.0

Bool

true

Whether or not users need to verify their e-mail address

30

Trusted email address hosts regex

5.0

String

".*(itsense.ch|coreone.ch)"

Domains whose addresses are excluded from the e-mail verification process. Anchor the expression and escape the dots: the example value is unanchored and uses "." as a wildcard, so it also matches hosts such as "itsense.ch.attacker.example" or "notitsense.ch", which would exempt attacker-controlled addresses from verification.
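As an added example (not code from the original page or from the product), the following Python script shows why the example pattern above is too loose and what an anchored alternative looks like. It assumes the expression is applied to the host part of the address; the constructs used (anchors, alternation, escaped dots) behave the same in .NET and Python regular expressions. The sample addresses are constructed for the demonstration.

```python
import re

# Weak pattern, as in the page's example value: unanchored and with unescaped
# dots, so it matches far more hosts than the two intended ones.
WEAK_TRUSTED_HOSTS = r".*(itsense.ch|coreone.ch)"

# Hardened pattern (assumption: the service matches the regex against the host
# part of the address): anchored at both ends, dots escaped, subdomains allowed.
STRICT_TRUSTED_HOSTS = r"^([a-z0-9-]+\.)*(itsense\.ch|coreone\.ch)$"


def host_of(address: str) -> str:
    """Return the host part of an e-mail address, lower-cased."""
    local, sep, host = address.rpartition("@")
    if not sep or not local:
        raise ValueError(f"not an e-mail address: {address!r}")
    return host.lower()


def is_trusted(address: str, pattern: str) -> bool:
    """True if the address host is exempt from verification under `pattern`.

    re.search mirrors an unanchored match: the pattern may match anywhere in
    the host, which is exactly what makes the weak pattern exploitable.
    """
    return re.search(pattern, host_of(address)) is not None


# Constructed samples: two legitimate addresses and three attacker-controlled
# ones that the weak pattern still accepts. The value is the expected verdict.
SAMPLES = {
    "alice@itsense.ch": True,
    "bob@mail.coreone.ch": True,
    "mallory@itsense.ch.attacker.example": False,  # trusted host as a prefix
    "mallory@notitsense.ch": False,                # trusted host as a suffix
    "mallory@itsensexch": False,                   # unescaped dot matches 'x'
}


def evaluate(pattern: str) -> dict:
    """Verdict per sample address under `pattern`."""
    return {addr: is_trusted(addr, pattern) for addr in SAMPLES}


def false_accepts(pattern: str) -> list:
    """Addresses the pattern exempts from verification although it should not."""
    return [a for a, ok in evaluate(pattern).items() if ok and not SAMPLES[a]]


if __name__ == "__main__":
    print("weak  :", false_accepts(WEAK_TRUSTED_HOSTS))
    print("strict:", false_accepts(STRICT_TRUSTED_HOSTS))
```

Whether the service anchors the expression itself is not stated on this page; the anchored form is safe either way, so use it.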

31

Reverify email address

5.0

Bool

true

Whether or not users need to periodically re-verify their e-mail address

32

Reverify email address every x days

5.0

Int

90

After how many days since the last verification users need to re-verify their e-mail address

33

Password complexity configuration

4.0

deprecated for version >= 5.x

35

DisablePasswordReset

4.0

deprecated for version >= 5.x

36

Default logonmethods allowed during secret reset (EmptyEntry => No Verification)

4.0

deprecated for version >= 5.x

37

OutgoingConnectionsHttpClientSettings

5.0

HTTPClient Settings

{
   "IgnoreSslErrors":false,
   "UseProxy":true,
   "AllowAutoRedirect":true,
   "ProxyConfiguration":{
      "Uri":"http://proxy.itsense.ch:8080",
      "BypassList":[
         
      ],
      "BypassProxyOnLocal":false,
      "UseDefaultCredentials":true,
      "Credentials":null
   }
}

Any HTTPClients settings for outgoing connections (such as SwissId Authentication, etc.) if needed.

IgnoreSslErrors: Do not throw an error if the SSL certificate is not valid. This disables certificate validation for outgoing connections (including identity-provider calls such as SwissID) and makes them open to interception, so keep it false outside of isolated test setups.
UseProxy: Should a proxy be used? (If true and there is no ProxyConfiguration, the default Windows settings will be used)
AllowAutoRedirect: Follow 301 and 302 status codes?
ProxyConfiguration: Proxy settings

39

Subject-Prefix

5.0

String

‘c1s’

The prefix for the subject. The subject is always the prefix + ":" + the unique identifier.

Make sure to choose something meaningful here: because the subject is derived from this prefix, changing it later changes the subject of every user, which relying parties key on.

40

ShowTermsAndConditions

5.0

Bool

true

Whether or not the terms and conditions feature is active

41

ShowPrivacyPolicy

5.0

Bool

true

Whether or not the privacy policy feature is active

42

CoreOne Suite Web Url

4.0

deprecated for version >= 5.x

44

Contact page feedback URL

4.0

deprecated for version >= 5.x

45

Password Generator Type

4.0

deprecated for version >= 5.x

46

SamlTimeComparisonTolerance

5.0

Int

47

AwsSnsAccessKeyId

5.0

Encrypted String

* * * *

The AWS SNS Access Key Id

48

AwsSnsAccessKeySecret

5.0

Encrypted String

* * * *

The AWS SNS Access Key Secret

49

SamlRequestTrustLengthInMinutes

5.0

Int

10

The SAML message trust length in minutes

50

EnableFireEventInvalidLogin

6.0

Bool

true

Whether or not to fire an invalid-login event. You can subscribe to that event and inform users about attempted logins.

51

MaxInvalidLoginCountWithoutFiringEvent

6.0

Int

5

The number of invalid login attempts allowed from a remote IP before an invalid-login event is fired.

52

FireEventInvalidLoginCacheDurationInMinutes

6.0

Int

5

How many minutes the invalid login attempts should be cached.
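The blocking settings (Block RemoteIp by invalid logon count, Max invalid login count, Invalid login remember duration) and the event settings (EnableFireEventInvalidLogin, MaxInvalidLoginCountWithoutFiringEvent, FireEventInvalidLoginCacheDurationInMinutes) describe two thresholds over the same failed-logon history. The following Python class is an added illustration of those semantics and is not the product's own implementation; it assumes failures are counted in a sliding window and that a block lasts exactly the remember duration, neither of which the page states.

```python
import time
from collections import defaultdict, deque


class InvalidLoginGuard:
    """Per-remote-IP tracking of failed logons.

    Models the page's settings 17-19 (block after `max_invalid` failures for
    `remember_seconds`) and 50-52 (fire an invalid-login event once more than
    `max_without_event` failures are seen within `event_cache_minutes`).
    Assumption, not stated on the page: failures are counted in a sliding
    window and a block lasts exactly `remember_seconds`.
    """

    def __init__(self, max_invalid=5, remember_seconds=300,
                 max_without_event=5, event_cache_minutes=5,
                 clock=time.monotonic):
        self.max_invalid = max_invalid
        self.remember_seconds = remember_seconds
        self.max_without_event = max_without_event
        self.event_cache_seconds = event_cache_minutes * 60
        self.clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(deque)   # ip -> timestamps of failures
        self._blocked_until = {}              # ip -> time the block expires
        self.events = []                      # (ip, failures_in_window) fired

    def _recent(self, ip, window, now):
        """Drop timestamps nobody needs any more; count those inside `window`."""
        q = self._failures[ip]
        horizon = now - max(self.remember_seconds, self.event_cache_seconds)
        while q and q[0] < horizon:
            q.popleft()
        return sum(1 for t in q if t >= now - window)

    def is_blocked(self, ip):
        """True while the IP is inside a block period; expired blocks are lifted."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self._blocked_until[ip]
            return False
        return True

    def record_failure(self, ip):
        """Register a failed logon from `ip`; returns True if the IP is now blocked."""
        now = self.clock()
        self._failures[ip].append(now)
        if self._recent(ip, self.remember_seconds, now) >= self.max_invalid:
            self._blocked_until[ip] = now + self.remember_seconds
        in_event_window = self._recent(ip, self.event_cache_seconds, now)
        if in_event_window > self.max_without_event:
            self.events.append((ip, in_event_window))   # hook: notify the user here
        return self.is_blocked(ip)

    def record_success(self, ip):
        """A successful logon clears the failure history for that IP."""
        self._failures.pop(ip, None)


if __name__ == "__main__":
    guard = InvalidLoginGuard()
    for attempt in range(1, 7):          # constructed: six failures from one IP
        print(attempt, guard.record_failure("203.0.113.7"))
    print("events:", guard.events)
```

With the page's example values (5 / 300 s / 5 / 5 min) the fifth failure blocks the address and the sixth additionally fires the event; keep the event threshold at or above the block threshold, otherwise users are notified about attempts the block would never have let through.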

53

DisableReactivation

6.0

Bool

true

Whether or not to disable the reactivation process on the authentication page.

54

DisableActivation

6.0

Bool

true

Whether or not to disable the activation process on the authentication page.

56

HowManyPastPasswordsToStore

6.0

Int

10

In order to provide a password history, the authentication service marks old passwords as deleted rather than removing them. This setting indicates how many of those should be kept.

57

Totp Validator Type

4.0

deprecated for version >= 5.x

58

SupportedCultures

5.0

JSON String Array

[
    "DE",
    "EN",
    "FR",
    "IT"
]

The supported UI languages. You can remove or add entries.

59

DefaultCulture

6.0

String

“DE”

The default culture to use

60

NtpTimeServers

5.0

JSON String Array

[
    "ntp.company.com"
]

By default the Authentication Service uses some predefined NTP servers to do a time sync that is needed for TOTP validation. You can change those defaults here.

61

NistTimeServers

5.0

JSON String Array

[
    "nist.company.com"
]

By default the Authentication Service uses some predefined NIST servers to do a time sync that is needed for TOTP validation. You can change those defaults here.

62

HttpTimeServers

5.0

JSON String Array

[
    "time.company.com"
]

By default the Authentication Service uses some predefined HTTP servers to do a time sync that is needed for TOTP validation. You can change those defaults here.

63

BackendApiUriV2

6.0

String

'https://localhost:8000/apiv2/'

The URL of the backend API V2

65

CheckUserUnfinishedCertifications

7.0

Bool

false

Whether or not the system should check if the current user has any unfinished certification processes. If there are any, the system prevents the user from logging in until those certification processes have been completed.

66

SelfServiceUrl

7.0

String

"https://portal.coreone.ch"

The URL to the Self-Service Portal which will be used in combination with the setting above and below.

67

CheckDeactivatedDelegations

7.0

Bool

false

Whether or not the system should check if the current user has any deactivated delegations for the current application. If there are any, the system will inform the user about the delegations on the first login.

68

UseRequestIdInQueryString

8.0

Bool

false

Whether or not the RequestId should be passed in the URL from request to request. This is only needed if the browser or the app does not support cookies; enable it only in that case, because values carried in the URL end up in browser history, Referer headers and access logs.

100

InstanceRandomBytes

5.0

String

"0EDeH/p/asdfasdf+o="

Random bytes used to sign tokens when no signing certificate is configured. Generate the value with a cryptographically secure random source and treat it as a secret: anyone holding it can forge tokens, and changing it invalidates tokens signed with the previous value.

101

SigningCredentialsData

5.0

Encrypted String

* * * *

The credentials to the signing certificate if needed

102

SigningCredentialsFormat

5.0

String

"CertStore"

The format of the signing certificate

103

SigningCredentialsStoreCertificateSubjectDistinguishedName

5.0

String

"CN=coslogin.local, OU=Development, O=ITSENSE AG, L=Aarau, S=AG, C=CH"

The DN of the signing certificate if configured

104

WsFederationPluginLicensee

5.0

Encrypted String

* * * *

The licence information for the plugin

105

WsFederationPluginLicenseKey

5.0

Encrypted String

* * * *

The licence key for the plugin

106

SamlPluginLicensee

5.0

Encrypted String

* * * *

The licence information for the plugin

107

SamlPluginLicenseKey

5.0

Encrypted String

* * * *

The licence key for the plugin

108

EnableInactivityLogout

4.0

deprecated for version >= 5.x

110

EnablePortal

4.0

deprecated for version >= 5.x

111

OperationalStateCleanupSleepInMinutes

5.8

Int

60

How often, in minutes, the operational state clean-up should be performed

112

OperationalStateCleanupOlderThanInMinutes

5.8

Int

720

Data that is older than this value will be cleaned

113

WelcomePageRedirectUrl

7.0

string

https://www.mycompany.com

If the user lands on the Welcome Page of the Authentication Service, he will be redirected to the configured URL automatically

114

Captcha provider name

7.0

string

hcaptcha

You can either use recaptcha or hcaptcha.

https://www.google.com/recaptcha/about/

https://www.hcaptcha.com/
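Several of the parameters above are safe in one position and dangerous in the other (UseSSL, Enable DeveloperExceptionPage, IgnoreSslErrors in the two HttpClient settings, credentials in a GET BaseUrl of SMS-Provider-Settings, the remote-IP block, UseRequestIdInQueryString, InstanceRandomBytes). The following Python script is an added pre-deployment check over the settings table and is not part of the product. It assumes the settings are available as a flat name-to-value map of strings (JSON-typed values kept as JSON strings) and that InstanceRandomBytes is Base64-encoded, as the example value suggests; both sample tables are constructed.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

SECRET_PARAM = re.compile(r"password|secret|key|token", re.I)


def as_bool(value) -> bool:
    """Settings table values are strings; 'true' (any case) is the only truthy one."""
    return str(value).strip().lower() == "true"


def audit(settings: dict) -> list:
    """Return one finding (a string) per risky value in the settings map."""
    f = []
    if not as_bool(settings.get("UseSSL", "false")):
        f.append("UseSSL: not true; credentials and cookies would travel in clear text")
    if as_bool(settings.get("Enable DeveloperExceptionPage", "false")):
        f.append("Enable DeveloperExceptionPage: true; stack traces and internals leak to clients")
    for name in ("Backend API URI", "BackendApiUriV2"):
        url = settings.get(name)
        if url and urlsplit(url).scheme != "https":
            f.append(f"{name}: not https ({url})")
    for name in ("Backend API-HttpClientSettings", "OutgoingConnectionsHttpClientSettings"):
        raw = settings.get(name)
        if raw and json.loads(raw).get("IgnoreSslErrors"):
            f.append(f"{name}: IgnoreSslErrors=true disables certificate validation")
    sms = settings.get("SMS-Provider-Settings")
    if sms:
        cfg = json.loads(sms)
        leaked = [k for k in parse_qs(urlsplit(cfg.get("BaseUrl", "")).query)
                  if SECRET_PARAM.search(k)]
        if cfg.get("Method", "").upper() == "GET" and leaked:
            f.append(f"SMS-Provider-Settings: {leaked} sent in the GET query string; "
                     "they will appear in proxy and access logs")
    if not as_bool(settings.get("Block RemoteIp by invalid logon count", "false")):
        f.append("Block RemoteIp by invalid logon count: false; no per-IP brute-force throttling")
    if as_bool(settings.get("UseRequestIdInQueryString", "false")):
        f.append("UseRequestIdInQueryString: true; request ids land in history and Referer headers")
    signed_by_cert = settings.get("SSL-Certificate-Data") or settings.get("SigningCredentialsFormat")
    rnd = settings.get("InstanceRandomBytes")
    if rnd and not signed_by_cert:
        try:
            n = len(base64.b64decode(rnd, validate=True))   # assumption: Base64-encoded
        except ValueError:
            n = 0
        if n < 32:
            f.append(f"InstanceRandomBytes: {n} bytes; a token-signing secret should be "
                     ">= 32 CSPRNG bytes")
    return f


# Constructed sample: every check above trips once.
SAMPLE_SETTINGS = {
    "UseSSL": "false",
    "Enable DeveloperExceptionPage": "true",
    "Backend API URI": "http://localhost:8000/api/",
    "BackendApiUriV2": "https://localhost:8000/apiv2/",
    "Backend API-HttpClientSettings": '{"IgnoreSslErrors": true, "UseProxy": false}',
    "OutgoingConnectionsHttpClientSettings": '{"IgnoreSslErrors": false, "UseProxy": false}',
    "SMS-Provider-Type": "RestSmsProvider",
    "SMS-Provider-Settings": json.dumps({
        "Method": "GET",
        "BaseUrl": "https://sms.example/send?UserKey=KEY&Password=SECRET"
                   "&Recipient={mobilenumber}&MessageText={message}",
    }),
    "Block RemoteIp by invalid logon count": "false",
    "UseRequestIdInQueryString": "true",
    "InstanceRandomBytes": base64.b64encode(b"short").decode(),
}

# Constructed hardened counterpart; the 32 fixed bytes stand in for CSPRNG output.
HARDENED_SETTINGS = {
    "UseSSL": "true",
    "Enable DeveloperExceptionPage": "false",
    "Backend API URI": "https://localhost:8000/api/",
    "BackendApiUriV2": "https://localhost:8000/apiv2/",
    "Backend API-HttpClientSettings": '{"IgnoreSslErrors": false, "UseProxy": false}',
    "OutgoingConnectionsHttpClientSettings": '{"IgnoreSslErrors": false, "UseProxy": false}',
    "SMS-Provider-Type": "RestSmsProvider",
    "SMS-Provider-Settings": json.dumps({"Method": "POST", "BaseUrl": "https://sms.example/send"}),
    "Block RemoteIp by invalid logon count": "true",
    "UseRequestIdInQueryString": "false",
    "InstanceRandomBytes": base64.b64encode(bytes(range(32))).decode(),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTINGS):
        print("-", finding)
```

Run it against an export of the settings table before each release; a non-empty result is a blocker, not a warning. The 32-byte floor for InstanceRandomBytes is this script's threshold, not a value from the page.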

Communication

All e-mails initiated by the Authentication Service are sent by the Backend Service, because the e-mail templates are defined there. You cannot define a separate SMTP server for the Authentication Service. In an HA scenario, where the Authentication Service and the Backend Service are not running on the same server, you only need to make sure that the server running the Backend Service is authorised to send e-mails (e.g. defined as a relay server in Exchange).
