The following settings are used to configure the authentication of users. By default, the authentication mechanism of the servlet container or application server is used. Alternatively, single sign-on (SSO) can be used with OpenID Connect (OIDC).

- Mobile apps for Android and iOS are not compatible with single sign-on. Use the setting auth.type = REALM to use signoSign/Universal via the apps.
- To use single sign-on, the setting of the key web.ssmPublicUrl is mandatory.

auth.type

| Description | Specifies the type of authentication. To use OpenID Connect, the keys |
| Possible values | REALM | The authentication mechanism of the servlet container or application server is used. |
| | | Users are authenticated by an authorization server by means of OpenID Connect. |
| Default value | |

auth.realm.forceLowerCaseUsername

| Description | If this setting is enabled, the user name is case-insensitive. Users ‘John Smith’ and ‘john smith’ share the same data in the system, such as documents. Both users can still log in, as long as the log-in mechanism allows this, but signoSign/Universal uses the lower-case user name internally. |
| Possible values | | The search is not case-sensitive. ‘John Smith’ and ‘john smith’ refer to the same user account. |
| | | The search is case-sensitive. ‘John Smith’ and ‘john smith’ refer to different user accounts. |
| Default value | |

auth.oidc.discoveryUrl

| Description | The URL of the identity server’s OpenID provider metadata. The URL usually ends with /.well-known/openid-configuration. This value must be set in order to use OpenID Connect. |
| Possible values | A URL. |
| Default value | - |

auth.oidc.clientId

| Description | The identifier under which signoSign/Universal is registered with the identity server. An application that uses OpenID Connect must be registered with the identity server, which assigns the identifier required for the authorization code flow. This value must be set in order to use OpenID Connect. |
| Possible values | Any string of characters. |
| Default value | - |

auth.oidc.clientSecret

| Description | The secret defined in the identity server, which signoSign/Universal uses for the authorization code flow. This value must be set in order to use OpenID Connect. |
| Possible values | Any string of characters. |
| Default value | - |

auth.oidc.scope

| Description | The scope values used for the authorization code flow. For basic functionality, OpenID Connect requires the value openid. |
| Possible values | Any string of characters. |
| Default value | |

auth.oidc.usernameClaim

| Description | The value (claim) in the token from which the user name is taken. If the value is not present or is empty, it is not possible to log in to signoSign/Universal. |
| Possible values | Any string of characters. |
| Default value | email |

The default value email is a standard claim that is inserted into the token by the scope email. If the value email is not included in auth.oidc.scope, this setting should be checked.

auth.oidc.tenantClaim

| Description | The claim in the token from which the tenant identification is taken. If the value is not present or is empty, it is not possible to log in to signoSign/Universal when the application is running in multi-client mode. |
| Possible values | An alphanumeric string that is unique for each client. |
| Default value | |

This claim is mandatory if the system is operated in multi-client mode. See also the section Multi-client capability.

auth.oidc.rolesClaim

| Description | The value (claim) in the token from which the user roles are taken. If the value is not present in the token, is empty or is not a JSON array, it is not possible to log in to signoSign/Universal. |
| Possible values | Any string of characters. |
| Default value | roles |

The default value roles is not a standard claim, because OpenID Connect does not define a claim for user roles. The value must be inserted into the tokens by proprietary configuration of the identity server and by using custom scopes.

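The following is an added example, not code from signoSign/Universal, that shows how the rules documented for auth.realm.forceLowerCaseUsername, auth.oidc.usernameClaim, auth.oidc.tenantClaim and auth.oidc.rolesClaim play out when a decoded token is mapped to a login. The config fragment and token payload are constructed for the example; the "key = value" parser, the function names, the true/false values for the lower-case setting, the multi_client flag and the application of the lower-case rule to OIDC user names are assumptions. The token's signature and expiry are assumed to have been verified before this step.

```python
"""Illustrative mapping of a decoded OIDC token to a signoSign/Universal login,
following the documented rules for auth.realm.forceLowerCaseUsername,
auth.oidc.usernameClaim, auth.oidc.tenantClaim and auth.oidc.rolesClaim.
Added example, not product code. Assumptions: config in 'key = value' lines,
token signature and expiry already verified upstream, and the lower-case rule
applied to OIDC-sourced user names as well."""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed configuration fragment (values chosen for this example).
SAMPLE_CONFIG = """
auth.realm.forceLowerCaseUsername = true
auth.oidc.usernameClaim = email
auth.oidc.tenantClaim = tenant
auth.oidc.rolesClaim = roles
"""

# Constructed, already-verified token payload (claims only, no header or signature).
SAMPLE_CLAIMS = json.dumps({
    "sub": "1234",
    "email": "John.Smith@Example.com",
    "tenant": "acme",
    "roles": ["signer", "viewer"],
})


def parse_config(text: str) -> dict:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored (assumed format)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed config line: {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


@dataclass
class Principal:
    username: str
    tenant: Optional[str]
    roles: list


class LoginRejected(Exception):
    """Raised when the token does not satisfy the configured claim rules."""


def map_claims(claims: dict, cfg: dict, multi_client: bool) -> Principal:
    """Derive the internal user identity from token claims, or reject the login."""
    username_claim = cfg.get("auth.oidc.usernameClaim", "email")  # page default: email
    roles_claim = cfg.get("auth.oidc.rolesClaim", "roles")        # page default: roles
    tenant_claim = cfg.get("auth.oidc.tenantClaim")               # no default given on the page

    # User name: the claim must exist and be non-empty, otherwise no login.
    username = claims.get(username_claim)
    if not isinstance(username, str) or not username.strip():
        raise LoginRejected(f"claim {username_claim!r} missing or empty")
    # Case-insensitive user names: the lower-case form is the internal identity.
    if cfg.get("auth.realm.forceLowerCaseUsername", "false").lower() == "true":
        username = username.lower()

    # Tenant: only required when the application runs in multi-client mode.
    tenant = claims.get(tenant_claim) if tenant_claim else None
    if multi_client and (not isinstance(tenant, str) or not tenant):
        raise LoginRejected(f"claim {tenant_claim!r} missing or empty in multi-client mode")

    # Roles: must be present, non-empty and a JSON array.
    roles = claims.get(roles_claim)
    if not isinstance(roles, list) or not roles:
        raise LoginRejected(f"claim {roles_claim!r} missing, empty or not a JSON array")

    return Principal(username=username, tenant=tenant, roles=[str(r) for r in roles])


def login_outcome(claims_json: str, config_text: str = SAMPLE_CONFIG, multi_client: bool = True):
    """Return the Principal for an accepted login, or the rejection reason as a string."""
    try:
        return map_claims(json.loads(claims_json), parse_config(config_text), multi_client)
    except LoginRejected as exc:
        return str(exc)


if __name__ == "__main__":
    print(login_outcome(SAMPLE_CLAIMS))
    print(login_outcome('{"email": "", "tenant": "acme", "roles": ["signer"]}'))
    print(login_outcome('{"email": "a@b.example", "tenant": "acme", "roles": "signer"}'))
```

The point of the three rejection paths is that a misconfigured claim name (for example a roles claim the identity server never adds, or an email claim without the email scope) fails closed rather than producing a user with no identity or no roles; when logins fail after enabling OIDC, these are the first settings to compare against the actual token contents.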
auth.oidc.tokenAudience

| Description | From the perspective of the identity server, signoSign/Universal is a resource. An OAuth access token is always issued for a resource. This setting can be used to define a list of valid resources. The signoSign/Universal REST API will only accept access tokens whose aud claim value is included in this list. The check is disabled if no value has been defined. |
| Possible values | A comma-separated list of identifiers. |
| Default value | - |

If the signoSign/Universal REST API is publicly available, providing this list is strongly recommended for security reasons. The public REST API should always check whether an access token was issued for the API.

auth.oidc.tokenIssuer

| Description | A list of additional trustworthy access token issuers. The issuer from the OpenID provider metadata is always trustworthy. The signoSign/Universal REST API will only accept access tokens whose iss claim value is known. |
| Possible values | A comma-separated list of identifiers. |
| Default value | The issuer from OpenID provider metadata, if available. |
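As an added example (not product code) of the two checks described for auth.oidc.tokenAudience and auth.oidc.tokenIssuer, the block below evaluates the aud and iss claims of an access token against comma-separated settings, treating an empty audience setting as "check disabled" and always trusting the issuer taken from the provider metadata. The setting values, the discovery issuer and the token payloads are constructed for the example, and the function names are assumptions; signature and expiry verification are assumed to happen before this step. It goes slightly beyond the page in accepting aud as either a string or an array, which is what RFC 7519 permits.

```python
"""Illustrative aud/iss check for access tokens presented to a REST API,
following the documented semantics of auth.oidc.tokenAudience and
auth.oidc.tokenIssuer. Added example, not product code. Assumptions:
token signature and expiry already verified, and the issuer from the
OpenID provider metadata supplied as discovery_issuer."""
import json
from typing import Optional

# Constructed settings and discovery issuer for this example.
SAMPLE_TOKEN_AUDIENCE = "signosign-api, https://sign.example.com/api"
SAMPLE_TOKEN_ISSUER = "https://legacy-idp.example.com"
SAMPLE_DISCOVERY_ISSUER = "https://idp.example.com"


def parse_list(value: Optional[str]) -> list:
    """Split a comma-separated setting into trimmed, non-empty entries (None or '' -> [])."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def audience_accepted(aud_claim, token_audience: Optional[str]) -> bool:
    """True if the token's aud names a configured resource.
    RFC 7519 allows aud to be a single string or an array of strings.
    With no configured value the check is disabled, as the page states."""
    allowed = parse_list(token_audience)
    if not allowed:
        return True
    if isinstance(aud_claim, str):
        candidates = [aud_claim]
    elif isinstance(aud_claim, list):
        candidates = [a for a in aud_claim if isinstance(a, str)]
    else:
        return False  # missing or malformed aud never matches
    return any(a in allowed for a in candidates)


def issuer_accepted(iss_claim, discovery_issuer: Optional[str], token_issuer: Optional[str]) -> bool:
    """True if iss is the discovery issuer or one of the additional configured issuers."""
    trusted = set(parse_list(token_issuer))
    if discovery_issuer:
        trusted.add(discovery_issuer)  # always trustworthy when available
    return isinstance(iss_claim, str) and iss_claim in trusted


def access_token_accepted(claims_json: str,
                          token_audience: Optional[str] = SAMPLE_TOKEN_AUDIENCE,
                          token_issuer: Optional[str] = SAMPLE_TOKEN_ISSUER,
                          discovery_issuer: Optional[str] = SAMPLE_DISCOVERY_ISSUER) -> dict:
    """Run both checks and report each result separately, which is what you want to log."""
    claims = json.loads(claims_json)
    result = {
        "iss_ok": issuer_accepted(claims.get("iss"), discovery_issuer, token_issuer),
        "aud_ok": audience_accepted(claims.get("aud"), token_audience),
    }
    result["accepted"] = result["iss_ok"] and result["aud_ok"]
    return result


if __name__ == "__main__":
    print(access_token_accepted('{"iss": "https://idp.example.com", "aud": "signosign-api"}'))
    print(access_token_accepted('{"iss": "https://idp.example.com", "aud": "other-app"}'))
    print(access_token_accepted('{"iss": "https://unknown-idp.example.net", "aud": ["signosign-api"]}'))
```

The second call illustrates why the page recommends setting the audience list for a public API: a token legitimately issued by the trusted provider for a different application passes the issuer check and is only stopped by the audience check, and with auth.oidc.tokenAudience left empty it would be accepted.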