Settings: auth
The following settings configure the authentication of users. By default, the authentication mechanism of the servlet container or application server is used. Alternatively, single sign-on (SSO) with OpenID Connect (OIDC) can be used.
The mobile apps for Android and iOS are not compatible with single sign-on. Use the setting
auth.type = REALM
to use signoSign/Universal via the apps. The setting of the key
web.ssmPublicUrl
is essential for the use of single sign-on.
auth.type

| Description | Specifies the type of authentication. To use OpenID Connect, the keys |
|---|---|
| Possible values | REALM: The authentication mechanism of the servlet container or application server is used. |
| | Users are authenticated by an authorization server by means of OpenID Connect. |
| Default value | |
auth.realm.forceLowerCaseUsername

| Description | If this setting is activated, the user name is case-insensitive. The users "John Smith" and "john smith" share the same data in the system, such as documents. Both users can still log in, as long as the log-in mechanism allows it, but signoSign/Universal uses the lower-case user name internally. |
|---|---|
| Possible values | The search is not case-sensitive. "John Smith" and "john smith" refer to the same user account. |
| | The search is case-sensitive. "John Smith" and "john smith" refer to different user accounts. |
| Default value | |
auth.oidc.discoveryUrl

| Description | The URL of the OpenID provider metadata of the identity server. The URL generally ends with /.well-known/openid-configuration. To use OpenID Connect, this value must be specified. |
|---|---|
| Possible values | A URL. |
| Default value | - |
auth.oidc.clientId

| Description | The identifier under which signoSign/Universal is registered with the identity server. An application that uses OpenID Connect must be registered with the identity server. This identifier is issued at registration and is needed for the authorization code flow. To use OpenID Connect, this value must be specified. |
|---|---|
| Possible values | Any string of characters. |
| Default value | - |
auth.oidc.clientSecret

| Description | The secret agreed with the identity server that signoSign/Universal uses for the authorization code flow. To use OpenID Connect, this value must be specified. |
|---|---|
| Possible values | Any string of characters. |
| Default value | - |
auth.oidc.scope

| Description | The scope values that are used for the authorization code flow. For the fundamental functionality, OpenID Connect requires the value openid. |
|---|---|
| Possible values | Any string of characters. |
| Default value | |
auth.oidc.usernameClaim

| Description | The value (claim) in the token from which the user name is taken. If the value is not present or is empty, it is not possible to log in to signoSign/Universal. |
|---|---|
| Possible values | Any string of characters. |
| Default value | email |

The default value email is a standard claim that is inserted into the token by the scope email. If auth.oidc.scope does not contain the value email, this setting should be checked.
auth.oidc.rolesClaim

| Description | The value (claim) in the token from which the user roles are taken. If the value is not present in the token, is empty or is not a JSON array, it is not possible to log in to signoSign/Universal. |
|---|---|
| Possible values | Any string of characters. |
| Default value | roles |

The default value roles is not a standard claim, because OpenID Connect does not define a standard for user roles. The value must be inserted into the token by a proprietary setting of the identity server and by using custom scopes.
auth.oidc.tokenAudience

| Description | From the perspective of the identity server, signoSign/Universal is a resource. An OAuth access token is always issued for a resource. This setting can be used to specify a list of valid resources. The signoSign/Universal REST API accepts an access token only if its aud claim contains a value from this list. The check is deactivated if no value has been specified. |
|---|---|
| Possible values | A comma-separated list of identifiers. |
| Default value | - |

If the signoSign/Universal REST API is reachable publicly, specifying this list is strongly recommended for security reasons: a public REST API should always check whether an access token was issued for that API.
auth.oidc.tokenIssuer

| Description | A list of additional trustworthy access token issuers. The issuer from the OpenID provider metadata is always trustworthy. The signoSign/Universal REST API accepts an access token only if its iss claim value is known. |
|---|---|
| Possible values | A comma-separated list of identifiers. |
| Default value | The issuer from the OpenID provider metadata, if available. |
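The checks described for auth.oidc.usernameClaim, auth.oidc.rolesClaim, auth.oidc.tokenAudience and auth.oidc.tokenIssuer, modelled in Python as an added example (this is not code from signoSign/Universal, and it does not use the product's API). The setting keys are the ones on this page; the issuer URLs, audience names, claim values, sample token payloads and the `login_result()` helper are constructed for the illustration, and the token signature is assumed to have been verified before the claims are examined.

```python
"""Added illustration of the token checks the auth.oidc.* settings describe.

Not code from signoSign/Universal: it models the documented behaviour so the
effect of each setting can be seen on constructed token payloads.  Setting
keys are taken from the page; issuers, audiences and claim values are made up.
"""
from typing import Optional

# Constructed settings using the key names from this page.
SETTINGS = {
    "auth.oidc.usernameClaim": "email",
    "auth.oidc.rolesClaim": "roles",
    "auth.oidc.tokenAudience": "ssu-api, ssu-admin",      # comma-separated list
    "auth.oidc.tokenIssuer": "https://issuer-b.example",  # additional issuer(s)
}
# Stands in for the issuer read from the OpenID provider metadata (constructed).
DISCOVERY_ISSUER = "https://issuer-a.example"


def split_list(value: Optional[str]) -> list:
    """Parse a comma-separated setting; an empty or missing value yields []."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def issuer_trusted(claims: dict, settings: dict, discovery_issuer: str) -> bool:
    """auth.oidc.tokenIssuer: the metadata issuer is always trusted, the
    configured issuers are added, and any other iss value is rejected."""
    trusted = {discovery_issuer} | set(split_list(settings.get("auth.oidc.tokenIssuer")))
    return claims.get("iss") in trusted


def audience_accepted(claims: dict, settings: dict) -> bool:
    """auth.oidc.tokenAudience: accept only if aud contains a listed resource.
    With no configured list the check is deactivated and every token passes."""
    allowed = split_list(settings.get("auth.oidc.tokenAudience"))
    if not allowed:
        return True
    aud = claims.get("aud")
    # RFC 7519 allows aud to be a single string or a JSON array of strings.
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    return any(a in allowed for a in audiences)


def username_from(claims: dict, settings: dict) -> Optional[str]:
    """auth.oidc.usernameClaim: a missing or empty value means no login."""
    name = claims.get(settings["auth.oidc.usernameClaim"])
    return name if isinstance(name, str) and name else None


def roles_from(claims: dict, settings: dict) -> Optional[list]:
    """auth.oidc.rolesClaim: the value must be a non-empty JSON array."""
    roles = claims.get(settings["auth.oidc.rolesClaim"])
    return [str(r) for r in roles] if isinstance(roles, list) and roles else None


def login_result(claims: dict, settings: dict = SETTINGS,
                 discovery_issuer: str = DISCOVERY_ISSUER) -> tuple:
    """Hypothetical helper: ('ok', username, roles) or ('rejected', reason).
    Order matters: issuer first, then audience, then the identity claims."""
    if not issuer_trusted(claims, settings, discovery_issuer):
        return ("rejected", "unknown issuer")
    if not audience_accepted(claims, settings):
        return ("rejected", "token not issued for this API")
    name = username_from(claims, settings)
    if name is None:
        return ("rejected", "user name claim missing or empty")
    roles = roles_from(claims, settings)
    if roles is None:
        return ("rejected", "roles claim missing, empty or not an array")
    return ("ok", name, roles)


# Constructed sample payloads (decoded JWT claim sets, signature already checked).
GOOD = {"iss": DISCOVERY_ISSUER, "aud": "ssu-api",
        "email": "jane@example.com", "roles": ["signer"]}
FROM_EXTRA_ISSUER = {"iss": "https://issuer-b.example", "aud": ["other", "ssu-admin"],
                     "email": "jane@example.com", "roles": ["admin", "signer"]}
WRONG_ISSUER = dict(GOOD, iss="https://unknown.example")
WRONG_AUDIENCE = dict(GOOD, aud="some-other-api")
NO_EMAIL_CLAIM = {k: v for k, v in GOOD.items() if k != "email"}  # scope lacked email
ROLES_NOT_ARRAY = dict(GOOD, roles="signer")

if __name__ == "__main__":
    for label, token in [("good", GOOD), ("extra issuer", FROM_EXTRA_ISSUER),
                         ("wrong issuer", WRONG_ISSUER), ("wrong audience", WRONG_AUDIENCE),
                         ("no email claim", NO_EMAIL_CLAIM), ("roles not array", ROLES_NOT_ARRAY)]:
        print(f"{label:16} -> {login_result(token)}")
```

The audience branch is the one worth watching in a deployment: with auth.oidc.tokenAudience left empty, `audience_accepted()` returns True for every token, which is exactly the "check is deactivated" behaviour the page describes and why the list should be set whenever the REST API is reachable publicly.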