The table below includes all of the properties you can override in the Authentication worker by adding them to the configuration file you send to your API Server.
In most cases you should use the defaults and leave those properties out of your config file.
The only property you will need to add is the array of providers you want to use on your site. Depending on those providers, you might need to update the
There's an example configuration at the bottom of the page.
Property | Type | Description |
---|---|---|
accountManagement | Boolean | Globally enables or disables account management. Default: true. If set to false and a call to RenderLoginForm is made with |
authSessionExpiryMs | Integer | The AuthSession expiry time. AuthSessions exist to handle the time between generating the login form and the user logging in or being redirected off to a third party and coming back. Default: 3600000 |
authSessionTimeoutTaskPeriodMs | Integer | How often the AuthSession expiry task runs. Default: 600000 |
cacertsOverridePath | String | The path to the cacerts file the worker should use. In certain circumstances cacerts files may be named differently based on environment to ensure mix-ups between environments do not happen, e.g. DEV_cacerts, LIVE_cacerts, etc. In such cases this parameter may be specified to override the default cacerts path. Default: "${APISERVER}/data/auth/cacerts" |
cacertsKeyStorePassword | String | Specifies the password the cacerts file is secured with |
debug | Boolean | If true the worker will start in debug mode |
hbTemplateOverrideRoot | String | The path to the root override handlebars template directory. See the Handlebars Templates article for more information |
hbCacheTemplates | Boolean | Whether the worker should cache handlebar templates in memory. Disable when developing handlebar templates so that changes to the templates appear immediately. Default: true |
hbMaintenanceModeHeaderTemplate | String | Handlebars header template, evaluated and output to the user when renderLoginForm, /authenticate, or /reentry are called when site logins are in maintenance mode |
hbMaintenanceModeBodyTemplate | String | Handlebars body template, evaluated and output to the user when renderLoginForm, /authenticate, or /reentry are called while site logins are in maintenance mode |
linkOnLogin | Boolean | Globally enables or disables user linking across all providers, based on a common email address being found between provider user logins. Default: false |
sessionIdWrapperQueryParams | Array | The names of query parameters whose value may contain the authSessionId (AS) and authSessionNonce (ASN) query parameters. For example, when coming back from a redirect from certain services, the only way to include the session id and nonce in the return URL is as the value of a URL parameter with a set name, e.g. "state" in the URL http://gi00466:5506/icm/apiserver/formsservice/http/reentry?state=AS:fc875ad3-ac9b-437f-a48c-53b28b98bf9f_ASN:f0818282-3c93-4307-80f9-11c5a7658b9f By specifying ["state"] as the value of this configuration parameter, the /reentry method will look inside the value of the named parameter (if it exists on the URL) and attempt to extract the authSessionId (AS) and authSessionNonce (ASN) from it, assuming the value is in the format 'AS:UUID_ASN:UUID' (case insensitive). "state" is a required value for OAuth2 based providers (e.g. Google and Facebook) to work correctly. Default: ["state"] |
sessionIdWrapperFormFields | Array | The names of incoming form field parameters whose value may contain the authSessionId (AS) and authSessionNonce (ASN) query parameters. Assumes the value of the field is in the format 'AS:UUID_ASN:UUID' (case insensitive). "RelayState" is a required value for SAML2 providers to work correctly. Default: ["RelayState"] |
userLinkingEmailMode | String | One of: "none" (the users are linked and no email is sent at all); "notification" (the users are linked and an email is sent to the email address of the account being linked to, notifying the user that this has been done); "confirmationrequired" (an email is sent to the email address of the account being linked to; the email includes a PIN that must be entered before linking and login can proceed) |
userProfileToObjectFieldMapping | Object | Maps UserProfile class fields (left) to user profile object data fields (right). See Site User Profile Mapping for a full explanation. Default:{ |
providers | Array | The list of configured providers. See the other articles in this documentation for examples. Default providers may be supplied via the providerConfig.json file shipped with the worker |
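The AS/ASN unwrapping that the sessionIdWrapperQueryParams and sessionIdWrapperFormFields rows describe, as an added example in Python (not the worker's own code): it models how /reentry would pull the authSessionId and authSessionNonce out of a "state" query parameter or a "RelayState" form field, and rejects any value that is not exactly 'AS:UUID_ASN:UUID'. Function names are this example's own; the page's sample /reentry URL is reused as input, and matching the wrapper name exactly (rather than case-insensitively) is an assumption.

```python
"""Unwrap authSessionId (AS) and authSessionNonce (ASN) from a named value.

Added example modelling the documented sessionIdWrapperQueryParams /
sessionIdWrapperFormFields behaviour; not the Authentication worker's code.
"""
import re
from typing import Iterable, Mapping, Optional, Sequence, Tuple
from urllib.parse import parse_qs, urlsplit

_UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Anchored at both ends: a value that merely *contains* the pattern is
# rejected, so nothing extra can ride along inside the wrapper value.
_WRAPPER = re.compile(rf"\AAS:(?P<as_>{_UUID})_ASN:(?P<asn>{_UUID})\Z", re.IGNORECASE)


def unwrap_auth_session(values: Mapping[str, Sequence[str]],
                        wrapper_names: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (authSessionId, authSessionNonce) from the first configured
    wrapper name holding a well-formed 'AS:UUID_ASN:UUID' value, else None.
    Markers and hex digits are case-insensitive; names are matched exactly
    (assumption). UUIDs are normalised to lower case for later lookup."""
    for name in wrapper_names:
        for raw in values.get(name, ()):
            m = _WRAPPER.match(raw.strip())
            if m:
                return m.group("as_").lower(), m.group("asn").lower()
    return None


def from_reentry_url(url: str, wrapper_params: Iterable[str] = ("state",)):
    """OAuth2-style return: AS/ASN wrapped in a query parameter (default ["state"])."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return unwrap_auth_session(query, wrapper_params)


def from_form_post(form: Mapping[str, Sequence[str]],
                   wrapper_fields: Iterable[str] = ("RelayState",)):
    """SAML2-style return: AS/ASN wrapped in a posted form field (default ["RelayState"])."""
    return unwrap_auth_session(form, wrapper_fields)


# The page's own sample /reentry URL, reused here as input.
SAMPLE_REENTRY_URL = ("http://gi00466:5506/icm/apiserver/formsservice/http/reentry"
                      "?state=AS:fc875ad3-ac9b-437f-a48c-53b28b98bf9f"
                      "_ASN:f0818282-3c93-4307-80f9-11c5a7658b9f")

if __name__ == "__main__":
    print(from_reentry_url(SAMPLE_REENTRY_URL))
    print(from_reentry_url("http://gi00466:5506/icm/apiserver/formsservice/http/reentry?state=junk"))
```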
Example Configuration
This example configuration shows the entry for the worker added to the apiserverconfig file, accessible using the file manager and sent to the API Server when installing your workers. It includes an override root for the Handlebars templates, a user profile mapping for "old style" user profile forms, and four providers (myldapserver, facebook, google and icmsiteuser). Account linking on login has also been set up.
```json
{
  "name": "auth",
  "instances": 1,
  "hbTemplateOverrideRoot": "E:/iCM10/APIServer/data/auth/hbTemplateOverrideRoot",
  "hbMaintenanceModeBodyTemplate": "{{maintenanceDetails.offlineComment}} <br><br> {{#gt maintenanceDetails.schedules.size 0}} Site logins are scheduled to come back online at {{formatDate maintenanceDetails.schedules.0.getParsedScheduleDate.getTime \"%H:%M\"}} on {{formatDate maintenanceDetails.schedules.0.getParsedScheduleDate.getTime \"%d/%m/%Y\"}}{{/gt}}",
  "userProfileToObjectFieldMapping": {
    "mapping": {
      "TITLE": {
        "mappings": ["CONTACT.NAME.TITLE"]
      },
      "PREFERREDNAME": {
        "mappings": ["CONTACT.NAME.PREFNAME"]
      },
      "FORENAME": {
        "mappings": ["CONTACT.NAME.FIRSTNAME"]
      },
      "SURNAME": {
        "mappings": ["CONTACT.NAME.LASTNAME"]
      },
      "EMAIL": {
        "mappings": ["CONTACT.WEBADDRESS.EMAIL"]
      },
      "BIRTHDAY": {
        "mappings": ["CONTACT.BIRTHDAY"],
        "inputDateFormat": "yyyyMMddHHmmss.SSS'Z'"
      }
    }
  },
  "linkOnLogin": true,
  "providers": [{
    "providerName": "myldapserver",
    "providerDisplayName": "My LDAP Server",
    "type": "ldapsso",
    "userPrefix": "LD_",
    "params": {
      "ldapServer": "myldapserver:3268",
      "baseDN": "DC=forrest,DC=gump,DC=alabama",
      "domainName": "FORREST",
      "allowLinkingFromThisProvider": false,
      "allowLinkingToThisProvider": false,
      "profileFieldsToUpdate": ["FORENAME", "SURNAME"],
      "queryUserUsername": "username",
      "queryUserPassword": "password",
      "usernameAttribute": "samAccountName",
      "userProfileAttributeMapping": {
        "mapping": {
          "SAMACCOUNTNAME": {
            "mappings": ["UNIQUEID"]
          },
          "GIVENNAME": {
            "mappings": ["PREFERREDNAME", "FORENAME"]
          },
          "SN": {
            "mappings": ["SURNAME"]
          },
          "WHENCREATED": {
            "mappings": ["BIRTHDAY"]
          }
        }
      }
    }
  }, {
    "providerName": "facebook",
    "providerDisplayName": "Facebook",
    "type": "facebook",
    "userPrefix": "FB_",
    "params": {
      "allowLinkingFromThisProvider": true,
      "allowLinkingToThisProvider": true,
      "appId": "0000000000000",
      "secret": "0000000000000000000000",
      "checkConsentToStoreData": true,
      "failIfConsentNotGiven": true,
      "consentMessage": "Here's a custom consent message"
    }
  }, {
    "providerName": "google",
    "providerDisplayName": "Google",
    "type": "google",
    "userPrefix": "G_",
    "params": {
      "allowLinkingFromThisProvider": true,
      "allowLinkingToThisProvider": true,
      "clientId": "00000000000000000000.apps.googleusercontent.com",
      "secret": "0000000000000000"
    }
  }, {
    "providerName": "icmsiteuser",
    "providerDisplayName": "iCM Site User",
    "type": "icmsiteuser",
    "params": {
      "allowLinkingFromThisProvider": false,
      "allowLinkingToThisProvider": true
    }
  }]
}
```