Authentication-service (Section)
Path: /profiles/profile{id, type}/settings/authentication-service
The Authentication Service is a Profile that enables Authentication on the server. It can be configured with any number of authenticators of any type.
Parameters
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| tenant-id | non-empty-string | optional | | ID of the tenant associated with this profile. Token Services and User Management Services linked to this Authentication profile inherit this tenant ID. When this value is set, most facilities and data, like accounts and credentials, are isolated per tenant. |
| sso-expiration-time | uint32 | optional | 3600 | The number of seconds the SSO session will be valid |
| sso-inactivity-timeout | uint32 | optional | | The number of seconds the SSO session stays valid while not used |
| sso-cookie-is-session-cookie | boolean | optional | false | Whether the SSO cookie should persist only for the browser session, i.e. expire when the browser is closed. Note that when set to true, the SSO cookie expires when the browser session ends regardless of the values of sso-expiration-time and sso-inactivity-timeout. A session cookie still never outlives the limits set by sso-expiration-time and sso-inactivity-timeout (or the longest such limits configured on any individual authenticator). |
| persisted-sso-session | boolean | optional | false | By default the SSO cookie is not persisted in a database. By setting this to true the session is persisted in the session store, and only a reference to it is used as the cookie. This is needed if the SSO cookie would otherwise contain large amounts of user data. |
| encode-persisted-sso-session-data | boolean | optional | false | When the SSO session is persisted to the database, this setting enables encoding of the session data. Useful to mitigate charset encoding problems with the database. |
| username-cookie-name | string | optional | username | The name of the cookie that stores the user’s preferences, like username and locale settings |
| delete-username-cookie-on-logout | boolean | optional | false | If enabled, the username cookie is also deleted on a logout. The default is to not delete. |
| logout-redirect-url | uri | optional | | If set, the user is redirected to this URL after logout |
| enable-preflight | boolean | optional | true | By default the preflight endpoint will be enabled on the anonymous endpoint. This option allows the endpoint to be disabled. |
| protocol-id | leafref | optional | | The id of the protocol plugin |
| sms-provider | leafref | optional | | The sms-provider to be used for this profile |
| api-driven-ui | empty | optional | | Enables the API-driven UI on this authentication profile and on linked OAuth profiles. |
| cross-site-block-enabled | boolean | optional | | Enables the blocking mechanism for unsafe (e.g. POST) cross-site requests. Cross-site requests (those originating from a different or third-party domain) that use an unsafe method are rejected, except on endpoints that explicitly allow them. Disabling this feature can help with interoperability but poses security risks (notably CSRF against the authentication endpoints), so it should only be disabled if strictly required. |
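To make the cross-site-block-enabled semantics concrete, the following is an added Python model of the decision such a mechanism takes per request. It is example code written for this page, not Curity's implementation. It assumes the base URL https://login.example.com, a hypothetical opt-out endpoint /authn/callback, and constructed request headers; the "site" comparison uses the last two DNS labels, a simplification of the Public Suffix List that Sec-Fetch-Site's same-site notion is based on.

```python
from urllib.parse import urlsplit

# Methods that must not change server state (RFC 7231 "safe" methods); never blocked.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Assumed base URL of the authentication profile and a hypothetical endpoint that
# explicitly allows unsafe cross-site requests (e.g. a callback that receives POSTs
# from another site by design). Neither value comes from the page.
BASE_URL = "https://login.example.com"
ALLOWED_ENDPOINTS = {"/authn/callback"}


def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def site_of(host):
    """Crude 'site' of a host: its last two labels (example.com for login.example.com).
    Simplification for this example; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_cross_site(headers, base_url=BASE_URL):
    """True when the request was initiated from a different site than base_url.

    Order of evidence: Sec-Fetch-Site (set by modern browsers, not settable by page
    script), then Origin (sent on POST and CORS requests), then Referer. A request
    carrying none of these (typical of non-browser clients) is treated as not
    cross-site, because the mechanism targets browser-initiated requests.
    """
    fetch_site = _header(headers, "Sec-Fetch-Site")
    if fetch_site is not None:
        return fetch_site.lower() == "cross-site"   # same-origin / same-site / none pass
    own_site = site_of(urlsplit(base_url).hostname)
    for name in ("Origin", "Referer"):
        value = _header(headers, name)
        if value is None:
            continue
        if value.strip().lower() == "null":          # opaque origin: sandboxed iframe, data: URL
            return True
        host = urlsplit(value).hostname
        return host is None or site_of(host) != own_site
    return False


def should_block(method, path, headers, base_url=BASE_URL, allowed=ALLOWED_ENDPOINTS):
    """The decision the blocking mechanism makes for one request."""
    if method.upper() in SAFE_METHODS:
        return False            # safe methods are never blocked
    if path in allowed:
        return False            # endpoint explicitly allows cross-site unsafe requests
    return is_cross_site(headers, base_url)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("POST", "/authn/login", {"Sec-Fetch-Site": "same-origin"}),
        ("POST", "/authn/login", {"Sec-Fetch-Site": "cross-site"}),
        ("GET", "/authn/login", {"Sec-Fetch-Site": "cross-site"}),
        ("POST", "/authn/callback", {"Sec-Fetch-Site": "cross-site"}),
        ("POST", "/authn/login", {"Origin": "https://attacker.example"}),
        ("POST", "/authn/login", {"Origin": "null"}),
        ("POST", "/authn/login", {}),
    ]
    for method, path, headers in samples:
        verdict = "BLOCK" if should_block(method, path, headers) else "allow"
        print(f"{method} {path} {headers} -> {verdict}")
```

The ordering of evidence matters: Sec-Fetch-Site is the only signal that cannot be suppressed or forged by a cross-site page, while Origin and Referer can be absent (Referrer-Policy, older clients), which is why an interoperability problem with a legacy client is the usual reason an operator is tempted to turn the feature off rather than allowlist the one endpoint that needs it.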
Subsections
| Name | Type | Description |
|---|---|---|
| base-url | Section | This setting lets this profile operate under specific URLs. It makes it possible to have many URLs running on the same Curity instance. Each authentication service redirects using these settings if present. If this is not set, the profile uses the base-url setting from the environment section. SSO can only occur within a profile, since the SSO cookie is bound to this URL. |
| redirect-url-whitelist | Section | This list is the profile-wide redirect whitelist; any redirect is validated against this list of hosts. By default the endpoints the profile interacts with, such as the token service’s authorize, assisted-token and device flow endpoints, are added to the list. Any external endpoint that the authentication service redirects to needs to be added here. |
| account-domains | Section | None |
| authentication-actions | Section | Authentication Actions allow you to orchestrate what happens after the credentials are verified but before the session is committed. |
| authenticators | Section | None |
| service-providers | Section | None |
| protocols | Section | None |
| authenticator-filters | Section | None |
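The redirect-url-whitelist subsection above is a host allowlist, and the value of such a check lies in how strictly the host is extracted. The following is an added Python example, written for this page and not Curity's own validation code, of a host-based redirect check that resists the usual open-redirect bypasses. The hostnames login.example.com (standing in for the profile's own endpoints that are added by default) and app.example.org (an external target an operator registered) are assumed, and the decision to accept only absolute https URLs is a design choice of this example, not something the page states.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the profile's own host (the page says the endpoints the profile
# interacts with are added by default) plus one external host registered by the operator.
DEFAULT_HOSTS = {"login.example.com"}
EXTERNAL_HOSTS = {"app.example.org"}
REDIRECT_WHITELIST = DEFAULT_HOSTS | EXTERNAL_HOSTS


def redirect_allowed(url, allowed_hosts=REDIRECT_WHITELIST):
    """Return True only for an absolute https URL whose host is exactly allowlisted.

    Rejected on purpose: scheme-relative URLs (//evil.example), non-https schemes
    (javascript:, http:), userinfo smuggling (https://good@evil, https://good\\@evil),
    and hosts that merely start with, contain or end in an allowlisted name.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False                      # userinfo present: the real host follows the '@'
    host = parts.hostname                 # lower-cased, port and IPv6 brackets removed
    if not host:
        return False
    # Exact match only; a trailing dot (FQDN form) is normalised away first.
    return host.rstrip(".") in allowed_hosts


def check_redirects(urls, allowed_hosts=REDIRECT_WHITELIST):
    """Map each candidate redirect URL to its decision; useful when auditing a config."""
    return {u: redirect_allowed(u, allowed_hosts) for u in urls}


if __name__ == "__main__":
    # Constructed candidates, including classic open-redirect payloads.
    candidates = [
        "https://login.example.com/oauth/v2/oauth-authorize",
        "https://app.example.org/callback?code=1",
        "//app.example.org/callback",
        "javascript:alert(1)",
        "https://login.example.com@evil.example/",
        "https://login.example.com\\@evil.example/",
        "https://login.example.com.evil.example/",
        "https://evil.example#@login.example.com",
    ]
    for url, ok in check_redirects(candidates).items():
        print(f"{'allow' if ok else 'REJECT':6} {url}")
```

Note that the port is deliberately ignored (the page describes a list of hosts, not origins); if the profile's base-url runs on a non-default port, compare the full origin instead.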