Authentication Settings
This section of behavior settings deals with LDAP, SSO and SAML settings. The available settings are:
Behavior Setting | Value | Description |
--- | --- | --- |
ALLOW_SSO_AT_SIGN | NO | If set to YES, the SSO user ID is taken from the SSO primary key in its entirety. If set to NO, the User ID within the header is treated as a potential email address, and the characters preceding @ are taken as the User ID within ExtraView. For example, if the User ID within the header is john_smith@mycompany.com, the resultant User ID is john_smith. Note that with NO the domain part is discarded, so john_smith@mycompany.com and john_smith@partner.example both map to the same ExtraView user john_smith; leave this at NO only if every identity source feeding the SSO header shares a single namespace of local parts. |
CUSTOM_AUTHENTICATION | NO, YES, HYBRID, LDAP, LDAP-HYBRID, SAML | This setting can have one of six values: NO, YES, HYBRID, LDAP, LDAP-HYBRID or SAML. When the value is NO, ExtraView uses its standard inbuilt authentication. If it is set to YES, custom authentication (with user custom code) is used rather than the inbuilt user authentication scheme. If the value HYBRID is selected, ExtraView attempts the custom authentication first; if this is unsuccessful, the standard inbuilt authentication method is called. If it is set to LDAP, LDAP authentication is used rather than the inbuilt user authentication scheme, using the LDAP_* settings below. If the value LDAP-HYBRID is selected, ExtraView attempts the LDAP authentication first; if this is unsuccessful, the standard inbuilt authentication method is called. If it is set to SAML, users are authenticated through the SAML IDP defined by the SAML_* settings below, and SAML_ASSERTION_CONSUMER_URL must be set. Note that with either HYBRID value a user whose external (custom or LDAP) credentials have been revoked can still sign on with an inbuilt ExtraView password, so the inbuilt account must be deprovisioned as well. When CUSTOM_AUTHENTICATION is set to YES and a user’s account is updated with the Expire password checkbox checked, then if the custom authentication routine returns true, indicating that the authentication was successful, the Change Password form is presented to the user during the login process. When CUSTOM_AUTHENTICATION is set to HYBRID and the user’s account is set to expired (as above), the Change Password form is presented as long as the credentials are valid under one of the two methods, whatever the custom authentication routine itself returned. |
ENABLE_DEVICE_VERIFICATION | NO | When this setting has a value of YES, ExtraView performs an additional check when users sign on. If the user is signing on from an unrecognized browser or device, an email is sent to the user with a code they must enter to have that browser or device recognized as a trusted source. |
ENABLE_TWO_FACTOR_AUTH | NO | When this setting is YES, ExtraView requires a second level of authentication before allowing the user access to their account. This second factor is a verification code sent to the user by email, which must be entered before the user is admitted to their account. Because both this setting and ENABLE_DEVICE_VERIFICATION deliver their codes by email, the added assurance is only as strong as the user’s access to that mailbox. |
LDAP_ALLOWED_STALE_INTERVAL | 240 | The minimum number of minutes between LDAP upsert operations on a single user. This prevents ExtraView from contacting the LDAP server on every operation that requires user information, in order to optimize performance; after this interval, a fresh check of the LDAP server is made. It is also the upper bound on how stale a user’s cached LDAP attributes can be, so weigh performance against how quickly changes in the directory must be reflected in ExtraView. |
LDAP_DEFAULT_AREA | <AREA_ID> | The default area_id to be set when adding a new user by retrieving their details from the LDAP server |
LDAP_DEFAULT_PROJECT | <PROJECT_ID> | The default project_id to be set when adding a new user by retrieving their details from the LDAP server |
LDAP_HOST | ldaps://<hostname>:<port> | The URL to the LDAP server, e.g. ldaps://blah.com:636, or ldap://blah.com:389 for an unencrypted connection. A plain ldap:// connection sends the LDAP_MANAGER bind credentials and the user authentication traffic in clear text unless the session is upgraded with StartTLS, so use ldaps:// wherever the directory supports it. |
LDAP_MANAGER | <DN_FOR_USER_LOOKUP> | The distinguished name of the “Security Principal”, i.e. the account ExtraView binds with to search the directory. This account only needs read access to the entries under LDAP_ROOT; do not use a directory administrator account. |
LDAP_PSWRD | <LDAP_MGR_PASSWORD> | The password to the LDAP server. Note that this does not appear in clear text, but as a row of asterisks. |
LDAP_ROOT | <SEARCH_BASE_DN> | The search base, i.e. the DN of the subtree of the LDAP directory within which users are looked up, e.g. ou=blahWorker, o=blah.com |
LDAP_SEARCH_FILTER | <LDAP_FILTER> | LDAP filters may be defined in this behavior setting or in the Configuration.properties file; the behavior setting takes precedence over the Configuration.properties entry. The filter syntax is defined in RFC 2254 (now superseded by RFC 4515). As an example, to retrieve only records with mycompany within the email address, set the filter to (mail=*mycompany*). The enclosing parentheses are essential. Since the filter restricts which directory entries ExtraView treats as users, it is also the place to keep service and disabled accounts out of the upsert. |
LDAP_UPSERT | YES | This setting controls upserting LDAP information to ExtraView. The possible values are YES or NO. When this value is NO, LDAP will not be used to add or update ExtraView user information, and a valid LDAP user that is not already an ExtraView user will not be able to log in to ExtraView. When this setting is set to YES, the LDAP Background Task must be configured and must be running; any directory user that passes LDAP_SEARCH_FILTER can then be added to ExtraView automatically with the role from LDAP_UPSERT_DEFAULT_USER_ROLE, so keep that filter tight and that role minimal. The timer in LDAP_ALLOWED_STALE_INTERVAL is used to refresh the LDAP cached information within ExtraView. The information within ExtraView for a user is also refreshed when the user signs on. |
LDAP_UPSERT_DEFAULT_USER_ROLE | <EXTRAVIEW_ROLE> | If this setting contains a valid role, then this is the role a user is given when the LDAP upsert takes place. If this setting does not contain a value, then the role defined in the behavior setting named LIMITED_USER_ROLE is used instead. |
LDAP_USER_LOOKUP | YES or NO | When this behavior setting is set to YES, whenever a user performs an operation to look up the details of another user, ExtraView asks the LDAP server for the information. At the same time, the information held for that user within ExtraView is synchronized with the LDAP record. |
SAML_ASSERTION_CONSUMER_URL | <some url> | The URL of the consumer service that receives the authentication response from the SAML IDP. This is the URL that invokes the Consumer Servlet. This field is required when CUSTOM_AUTHENTICATION = SAML. It should be an https:// URL, since the IDP delivers the signed assertion to it, and the same value must be registered with the IDP. |
SAML_AZURE_ENCODING | NO | This setting may be YES or NO. It defines whether the Base64-encoded AuthnRequest is additionally URI encoded before being sent in the SAML 2.0 protocol. YES percent-encodes the Base64 text so that characters such as +, / and = survive the query string unchanged. |
SAML_ESIG_MODAL_WINDOW | YES or NO | Setting this to YES causes the system to display E-signature validation in a modal popup window when using SAML authentication. If not set to YES, the system displays a child popup window. |
SAML_PASSWORD_AUTHEN_CTX | YES | When using SAML as the authentication protocol, setting this to YES causes the AuthnRequest to carry the Password authentication context class (urn:oasis:names:tc:SAML:2.0:ac:classes:Password) as its AuthnContextClassRef; otherwise an empty value is sent. This value is a URI telling the IDP which authentication method is being requested; no password is transmitted. Normally this should have a value of YES. |
SAML_SSO_SERVICE | <some url> | When using the SAML authentication protocol, this is the URL of the SSO service at the IDP to which the SAML SP sends its authentication request. |
SAML_SSO_SP_ENTITY_ID | <SP_ENTITY_ID> | The SP Entity ID is typically the URL or other identifier given by the Service Provider (SP) for the SAML authentication service that uniquely identifies it to the IDP. It must match the entity ID registered for ExtraView at the IDP exactly, as the IDP uses it to select the SP configuration and as the audience of the assertion it issues. |
SSO_DEFAULT_AREA | 0 | This setting is used to identify the Business Area ID for a new user being created within ExtraView, when SSO headers authenticate the new user, and it is the first time the user has signed on. In this case, the user is created automatically and this Business Area ID is associated with the user. |
SSO_DEFAULT_PROJECT | 0 | This setting is used to identify the Project ID within the Business Area specified in SSO_DEFAULT_AREA, for a new user being created within ExtraView, when SSO headers authenticate the new user, and it is the first time the user has signed on. In this case, the user is created automatically, and this Project ID is associated with the user. Set this to zero if you do not want to associate the user with a specific Project, but you have set SSO_DEFAULT_AREA to a value |
SSO_FAILED_LOGIN_MESSAGE | <message> | This message is displayed if the user who attempted to sign on is not recognized |
SSO_SIGNOFF_REDIRECT_URL | <some url> | This is a URL to which the user is directed after signing off from ExtraView |
SSO_STATE | NO | Enable Single Sign On in this instance (YES/NO) |
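
Two rows above turn a request-supplied identifier into a directory query: ALLOW_SSO_AT_SIGN (header value to user ID) and LDAP_SEARCH_FILTER (filter syntax). The following Python is an added example and not ExtraView’s own code: it derives the user ID exactly as the ALLOW_SSO_AT_SIGN row describes, shows the collision that NO causes, and builds a per-user lookup filter that is AND-ed with the site filter using RFC 4515 escaping, so a crafted header value cannot widen the search. The function names, the `uid` attribute and the sample header values are assumptions, not ExtraView internals.

```python
"""Added example, not ExtraView code: SSO header -> user ID under
ALLOW_SSO_AT_SIGN, then that ID placed safely inside an LDAP search filter
together with the LDAP_SEARCH_FILTER value.

Assumptions (not ExtraView internals): the function names, the 'uid'
attribute, and the sample header values below.
"""
from typing import Optional

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def sso_user_id(header_value: str, allow_at_sign: bool) -> str:
    """Derive the ExtraView user ID from the SSO header value.

    allow_at_sign=True  (ALLOW_SSO_AT_SIGN=YES): the whole value is the user ID.
    allow_at_sign=False (ALLOW_SSO_AT_SIGN=NO):  only the text before the first
    '@' is kept, so the domain part, and any distinction it carried, is lost.
    """
    value = header_value.strip()
    user_id = value if allow_at_sign else value.split("@", 1)[0]
    if not user_id:
        raise ValueError("SSO header yields an empty user ID")
    return user_id


def ldap_escape(value: str) -> str:
    """Escape an assertion value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def is_single_filter(expr: str) -> bool:
    """True when expr is exactly one parenthesised filter, e.g. (&(a=1)(b=2)).

    Rejects a bare 'mail=*x*' and two side-by-side filters '(a=1)(b=2)',
    neither of which would mean what the administrator intended.
    """
    if not (expr.startswith("(") and expr.endswith(")")):
        return False
    depth = 0
    for i, ch in enumerate(expr):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(expr) - 1):
                return False
    return depth == 0


def user_lookup_filter(user_id: str, site_filter: Optional[str] = None,
                       uid_attribute: str = "uid") -> str:
    """Filter selecting one user, AND-ed with LDAP_SEARCH_FILTER when set.

    site_filter is administrator-controlled configuration and is used verbatim
    after a structural check; user_id comes from a request and is escaped.
    """
    if not user_id:
        raise ValueError("empty user ID")
    clause = f"({uid_attribute}={ldap_escape(user_id)})"
    if not site_filter:
        return clause
    if not is_single_filter(site_filter):
        raise ValueError("LDAP_SEARCH_FILTER must be a single parenthesised filter")
    return f"(&{site_filter}{clause})"


if __name__ == "__main__":
    site = "(mail=*mycompany*)"   # the example filter from the settings table
    for header in ("john_smith@mycompany.com", "john_smith@partner.example"):
        # With ALLOW_SSO_AT_SIGN=NO both headers collapse to the same ExtraView user.
        uid = sso_user_id(header, allow_at_sign=False)
        print(f"{header} -> {uid}: {user_lookup_filter(uid, site)}")
    # A crafted header value is neutralised by escaping instead of widening the search.
    hostile = sso_user_id("*)(uid=admin", allow_at_sign=True)
    print(user_lookup_filter(hostile, site))
```

Run as a script, the first two lines show the collision: both sample headers become `john_smith`. The last line shows the crafted value `*)(uid=admin` arriving in the filter as `\2a\29\28uid=admin`, a literal that matches nothing, rather than as a second clause.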
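
The SAML_* rows above describe the SP side of a SAML 2.0 login: the SP entity ID, the assertion consumer URL, the IDP’s SSO endpoint, the requested authentication context and the encoding of the request. The following Python is an added example and not ExtraView’s own code, written on the assumption that the request travels by the HTTP-Redirect binding: it assembles the AuthnRequest from those values, applies the DEFLATE-plus-Base64 encoding, and shows why the URI encoding controlled by SAML_AZURE_ENCODING matters once the value sits in a query string. The function names, the request-ID format and the sample URLs are assumptions.

```python
"""Added example, not ExtraView's own code: the SAML 2.0 AuthnRequest a service
provider sends using the SAML_* settings, and what URI encoding of the
Base64 request (SAML_AZURE_ENCODING) changes on the wire.

Element layout, the Password authentication-context URI and the
DEFLATE+Base64 redirect encoding come from the SAML 2.0 Core and Bindings
specifications; function names, request-ID format and sample values are
assumptions.
"""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse
from xml.sax.saxutils import escape, quoteattr

PASSWORD_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"


def build_authn_request(sp_entity_id: str, acs_url: str, sso_service: str,
                        password_ctx: bool, request_id: Optional[str] = None,
                        issue_instant: Optional[str] = None) -> str:
    """Return the AuthnRequest XML.

    sp_entity_id -> SAML_SSO_SP_ENTITY_ID (sent as <Issuer>)
    acs_url      -> SAML_ASSERTION_CONSUMER_URL
    sso_service  -> SAML_SSO_SERVICE (the Destination, an IDP endpoint)
    password_ctx -> SAML_PASSWORD_AUTHEN_CTX: YES sends the Password class URI,
                    NO sends an empty AuthnContextClassRef.
    """
    request_id = request_id or "_" + secrets.token_hex(16)  # xs:ID must not start with a digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    class_ref = escape(PASSWORD_CLASS) if password_ctx else ""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
        f' ID={quoteattr(request_id)} Version="2.0" IssueInstant={quoteattr(issue_instant)}'
        f' Destination={quoteattr(sso_service)}'
        ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
        f' AssertionConsumerServiceURL={quoteattr(acs_url)}>'
        f'<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>'
        '<samlp:RequestedAuthnContext Comparison="exact">'
        f'<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>'
        '</samlp:RequestedAuthnContext>'
        '</samlp:AuthnRequest>'
    )


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then Base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_redirect(saml_request: str) -> str:
    """Inverse of encode_redirect, as the IDP applies it."""
    return zlib.decompress(base64.b64decode(saml_request, validate=True), -15).decode("utf-8")


def redirect_url(sso_service: str, saml_request: str, uri_encode: bool) -> str:
    """Append SAMLRequest to the IDP URL.

    uri_encode=True  (SAML_AZURE_ENCODING=YES): '+', '/' and '=' are percent-encoded.
    uri_encode=False: the Base64 text is appended as-is, so a standard query-string
    parser turns every '+' into a space and the IDP can no longer decode it.
    """
    value = quote(saml_request, safe="") if uri_encode else saml_request
    separator = "&" if "?" in sso_service else "?"
    return f"{sso_service}{separator}SAMLRequest={value}"


def saml_request_from_url(url: str) -> str:
    """What the IDP sees after normal query-string decoding."""
    return parse_qs(urlparse(url).query)["SAMLRequest"][0]


if __name__ == "__main__":
    xml_text = build_authn_request(
        sp_entity_id="https://extraview.example.com/sp",           # SAML_SSO_SP_ENTITY_ID (sample)
        acs_url="https://extraview.example.com/saml/consumer",     # SAML_ASSERTION_CONSUMER_URL (sample)
        sso_service="https://login.idp.example/saml2",             # SAML_SSO_SERVICE (sample)
        password_ctx=True,
    )
    encoded = encode_redirect(xml_text)
    print(redirect_url("https://login.idp.example/saml2", encoded, uri_encode=True))
    assert decode_redirect(encoded) == xml_text
```

Run as a script it prints the redirect URL for the sample values and checks that the IDP-side decoding round-trips. The last two functions carry the point of SAML_AZURE_ENCODING: Base64 output can contain `+`, `/` and `=`, and a conforming query-string parser turns an unencoded `+` into a space, which corrupts the request before the IDP ever inflates it.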