
Access Management configuration reference

In the appsettings.json file for Access Management, you can define custom configuration for the Access Management application within the Tridion Docs environment.

URLs or Kestrel
The settings in this section enable and configure website URLs, both HTTP and HTTPS.
When enabling HTTPS, you must replace the URLs section with a Kestrel section. Refer to the related tasks for information on how to enable HTTPS.
The default port for Access Management is 80. To configure a custom port, change the "80" at the end of the URL to your preferred custom port number.
Database
Type

The type of database, one of the following values:
  • Oracle for an Oracle database
  • MsSql for a Microsoft SQL Server database
ConnectionString

If your database is Oracle, this property configures the database connection string including parameters for Data Source, User ID, and Password.

The following sample code illustrates the property for an Oracle database:

"Data Source=HOST:PORT/SERVICENAME;User Id=USER;Password=PASSWORD"
where:
  • HOST is the hostname of your database server
  • PORT is the port number of your database server
  • SERVICENAME is the name of your Access Management database
  • USER is the name of a user who can access the database
  • PASSWORD is a valid password for that user

If your database is SQL, this property configures the database connection string including parameters for Server, Database, User ID and Password.

The following sample code illustrates the property for a SQL database:

"Server=DBSERVER;Database=DBNAME;User Id=USER;Password=PASSWORD"
where:
  • DBSERVER is the name of your database server
  • DBNAME is the name of your Access Management database
  • USER is the name of a user who can access the database
  • PASSWORD is a valid password for that user
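The following is an added example, not Access Management's own code, that checks a Database section in the shape described above: it parses the ConnectionString (semicolon-separated Key=Value pairs), reports which of the parameters listed for the configured Type are missing, and renders a copy with the password masked so the string can be written to a log. The function names and the sample values (dbhost, amuser, AMDB, s3cret) are constructed for this example.

```python
"""Checks for the Database section of appsettings.json.

Added example, not Access Management's own code. Parses the ConnectionString
the reference describes, reports missing parameters for the configured Type,
and masks the password for logging. Names and sample values are constructed.
"""

# Parameters the reference lists for each Type; keys are compared case-insensitively.
REQUIRED_PARAMETERS = {
    "Oracle": ("data source", "user id", "password"),
    "MsSql": ("server", "database", "user id", "password"),
}


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased parameter name."""
    parameters = {}
    for segment in value.split(";"):
        if not segment.strip():
            continue  # tolerate a trailing semicolon
        if "=" not in segment:
            raise ValueError(f"malformed segment: {segment!r}")
        key, _, val = segment.partition("=")
        parameters[key.strip().lower()] = val.strip()
    return parameters


def missing_parameters(database):
    """Return the parameters the Type requires that the ConnectionString lacks."""
    db_type = database.get("Type")
    if db_type not in REQUIRED_PARAMETERS:
        raise ValueError(f"unsupported Type: {db_type!r}")
    present = parse_connection_string(database.get("ConnectionString", ""))
    return [name for name in REQUIRED_PARAMETERS[db_type] if name not in present]


def redact_password(value):
    """Return the connection string with the Password value replaced by ****."""
    segments = []
    for segment in value.split(";"):
        if not segment.strip():
            continue
        key, _, val = segment.partition("=")
        key = key.strip()
        segments.append(f"{key}={'****' if key.lower() == 'password' else val.strip()}")
    return ";".join(segments)


if __name__ == "__main__":
    # Constructed sample sections in the shape the reference describes.
    oracle = {"Type": "Oracle",
              "ConnectionString": "Data Source=dbhost:1521/AMDB;User Id=amuser;Password=s3cret"}
    mssql = {"Type": "MsSql",
             "ConnectionString": "Server=dbhost;User Id=amuser;Password=s3cret"}
    print(missing_parameters(oracle))   # []
    print(missing_parameters(mssql))    # ['database']
    print(redact_password(oracle["ConnectionString"]))
```

Run the check before deploying an edited appsettings.json; only the redacted form should ever reach a log or a ticket.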
TransactionTimeOut

The maximum amount of time (in seconds) to allow for a transaction to complete.

By default, Access Management allows 60 seconds. If you expect an upload of either type of file to take more time, set a higher value in the

ForceAnonymous

A switch that enables a user to get into Access Management without logging in (anonymously), even though Access Management has been secured.

  • true — Users can get into the Access Management application without having to log in even though security has been configured.
  • false (default) — Users must log in to a secured Access Management application, as normally required.
Logging
logLevel

The level of detail to be recorded in the log file for Access Management, one of the following values:

Log level     Description
Trace         Log informational messages with the highest level of detail about the application's lowest-level activity.
Debug         Log fine-grained informational messages about low-level functionality being executed, intended to discover the source of a problem.
Information   Log warnings, errors of both types, and informational messages.
Warning       Log warnings as well as errors of both types.
Error         Log critical errors and normal errors.
Critical      Log only critical errors.

Refer to the related task for additional information on how to configure logging.

AllowedHosts

(Optional) Enables Host Filtering Middleware for the Access Management website and defines one or more specific host names to which the application can bind. The setting is optional but recommended for validating Host headers.

The value is a semicolon-delimited list of host names without port numbers.

Certificates

(Optional) This section applies only to SAML-based identity providers and defines the digital certificate that Access Management uses to communicate with an external SAML IdP. Note that it is not used to actually sign a token.

Define the certificate as in the following example:

"Certificates": {
  "Signing": {
    "Path": "Certificates/TridionAccessManagementService.pfx",
    "Password": "****"
  }
}
ClientSettings
AccessTokenLifetime

The amount of time that an access token provided by Access Management can be used. After the token expires, the end user may be requested to sign in again.

The format is hh:mm:ss and the default value is 01:00:00, or one hour.

If the default duration of the token seems to be too short and an annoyance to users, you can increase the duration. Keep in mind, however, that you will be trading off security for user experience.

CacheLifetime

The amount of time (in seconds) for which Access Management caches information about the applications. This includes allowed redirect URLs, API resources, roles and client credentials.

The format is hh:mm:ss and the default value is 00:00:30, or 30 seconds.

Note that when such items are changed, there is a delay between the time of the change and the time the change becomes effective. This is a trade-off between user experience (for administrators) and performance.

UserSessionLifetime

The amount of time (in seconds) for which Access Management caches information about the user's session.

The format is hh:mm:ss and the default value is 08:00:00, or eight hours.

ShowPII

A switch that determines whether Access Management will show Personally Identifiable Information (PII) in log and error messages. The default setting is true because this information includes valuable diagnostic data, such as URLs. Other than account names, Access Management never shows true PII. If you still consider showing such data to be a security risk, change the value to false. The PII data will be substituted with the text "[PII is hidden]".

AccountOptions
ShowLogoutPrompt

A switch that determines whether Access Management will display a confirmation message to the user when they log out.

If you wish Access Management to display the confirmation, set the value to true.

Be aware that if this property is set to false, Access Management never shows the confirmation prompt, even when the client does not provide an ID token (a case in which showing the prompt is recommended for security reasons).

Note that all Tridion user interfaces provide an ID token, so for them no confirmation prompt is shown regardless of this setting.

AutomaticRedirectAfterSignOut

A switch that determines whether Access Management should automatically redirect the user to the Sign in page after they successfully sign out of the application.

  • true — After a user signs out, the application will take the user to the Sign in page.
  • false (default) — After a user signs out, no redirection occurs. The user sees a confirmation that they are signed out, but they must use the "sign in again" button.
IncludeWindowsGroups

A switch that determines whether claims for group membership should be forwarded when Access Management connects to the IdP using Windows authentication (type is "Windows"). When set to true, Access Management will forward the claims.

ForwardedHeadersOptions

If Access Management is running behind a proxy server or load balancer, these settings allow you to configure how forwarded headers are processed.

ForwardedHeaders

An indicator of which forwarded headers can be accepted and processed.

The following values are allowed:

  • All - all headers will be accepted.
  • None - none of the headers will be accepted.
  • XForwardedFor - the header X-Forwarded-For will be accepted.
  • XForwardedHost - the header X-Forwarded-Host will be accepted.
  • XForwardedProto - the header X-Forwarded-Proto will be accepted.
KnownProxies

The addresses of known proxies from which to accept forwarded headers.

Use this property to specify exact IP address matches. If there is no value set, then all proxy servers will be accepted.

KnownNetworks

Address ranges of known networks from which to accept forwarded headers.

To indicate IP ranges, use CIDR (Classless Inter-Domain Routing) notation.

If there is no value set, then all networks will be accepted.

The following are two examples of how these properties might be configured:

Example 1:

"ForwardedHeadersOptions": {
  "ForwardedHeaders": "XForwardedHost, XForwardedProto",
  "KnownProxies": [],
  "KnownNetworks": ["10.11.12.1/8"]
}

Example 2:

"ForwardedHeadersOptions": {
  "ForwardedHeaders": "All",
  "KnownProxies": ["127.0.10.1","10.100.10.153"],
  "KnownNetworks": []
}
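The following is an added example, not Access Management's or ASP.NET Core's own code, that models the trust decision these three settings configure so you can see what a given ForwardedHeadersOptions section will do with an X-Forwarded-For chain. It follows the behaviour the reference describes: a forwarded header is honoured only when ForwardedHeaders accepts it and the hop that sent it is listed in KnownProxies or falls inside a KnownNetworks range, and when both lists are empty every upstream address is accepted. ForwardLimit and the real middleware's defaults are not modelled; the function names and the client addresses 203.0.113.9 and 198.51.100.7 are constructed for this example, while EXAMPLE_1 and EXAMPLE_2 reproduce the two configurations above.

```python
"""Model of the trust decision that ForwardedHeadersOptions configures.

Added example, not Access Management's or ASP.NET Core's own code. Follows the
behaviour the reference describes; ForwardLimit is not modelled. Function
names and the 203.0.113.x / 198.51.100.x addresses are constructed.
"""
import ipaddress

ALL_HEADERS = {"XForwardedFor", "XForwardedHost", "XForwardedProto"}

# Weak configuration: every header accepted from any address.
WEAK_OPTIONS = {"ForwardedHeaders": "All", "KnownProxies": [], "KnownNetworks": []}

# The reference's Example 1: only Host/Proto accepted, from the 10.0.0.0/8 range.
EXAMPLE_1 = {"ForwardedHeaders": "XForwardedHost, XForwardedProto",
             "KnownProxies": [], "KnownNetworks": ["10.11.12.1/8"]}

# The reference's Example 2: all headers, but only from two exact proxy addresses.
EXAMPLE_2 = {"ForwardedHeaders": "All",
             "KnownProxies": ["127.0.10.1", "10.100.10.153"], "KnownNetworks": []}


def parse_options(options):
    """Normalise the three settings into (accepted headers, proxies, networks)."""
    names = {h.strip() for h in options.get("ForwardedHeaders", "None").split(",")}
    if "All" in names:
        accepted = set(ALL_HEADERS)
    elif "None" in names:
        accepted = set()
    else:
        accepted = names & ALL_HEADERS
    proxies = {ipaddress.ip_address(p) for p in options.get("KnownProxies", [])}
    # strict=False lets a host address such as 10.11.12.1/8 denote its network (10.0.0.0/8).
    networks = [ipaddress.ip_network(n, strict=False) for n in options.get("KnownNetworks", [])]
    return accepted, proxies, networks


def is_trusted_hop(addr, proxies, networks):
    """True when forwarded headers sent by addr should be believed."""
    if not proxies and not networks:
        return True  # as the reference states: no value set means all proxies are accepted
    return addr in proxies or any(addr in net for net in networks)


def resolve_client_ip(options, remote_addr, x_forwarded_for):
    """Return the client address the application would act on.

    remote_addr is the TCP peer; x_forwarded_for is the header value, with the
    original client leftmost and the most recent proxy rightmost.
    """
    accepted, proxies, networks = parse_options(options)
    current = ipaddress.ip_address(remote_addr)
    if "XForwardedFor" not in accepted or not x_forwarded_for:
        return str(current)
    hops = [ipaddress.ip_address(h.strip()) for h in x_forwarded_for.split(",")]
    # Walk right to left; each trusted hop lets us step one entry further.
    while hops and is_trusted_hop(current, proxies, networks):
        current = hops.pop()
    return str(current)


def header_is_spoofable(options):
    """True when a direct client can set X-Forwarded-For to any value and be believed."""
    accepted, proxies, networks = parse_options(options)
    return "XForwardedFor" in accepted and not proxies and not networks


if __name__ == "__main__":
    # Direct client at 203.0.113.9 presenting a header that claims loopback.
    print(resolve_client_ip(WEAK_OPTIONS, "203.0.113.9", "127.0.0.1"))  # 127.0.0.1 (believed)
    print(resolve_client_ip(EXAMPLE_2, "203.0.113.9", "127.0.0.1"))     # 203.0.113.9 (ignored)
    # Genuine chain: client -> 127.0.10.1 -> 10.100.10.153 -> Access Management.
    print(resolve_client_ip(EXAMPLE_2, "10.100.10.153", "198.51.100.7, 127.0.10.1"))  # 198.51.100.7
```

The point to check in your own configuration is header_is_spoofable: with ForwardedHeaders accepting XForwardedFor and both KnownProxies and KnownNetworks left empty, any address written into the header by a client connecting directly is taken as the client IP, which affects logging and any address-based decisions. Listing the actual proxy or load balancer addresses (Example 2) or their network range (Example 1) closes that gap.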
Bootstrap
This section defines the bootstrap files to use for adding predefined data to the environment. The bootstrap files contain predefined data for the environment, including definitions of applications, roles, and service accounts. Every time Access Management starts up, the bootstrap files are validated, the data is merged, and the final bootstrap data is added to the system.
By default, the configuration defines a bootstrap file for Access Management itself along with Content Manager. The bootstrap files are located on the Access Management installation media in the \Resources subfolder.

If you need to make any changes to the list of files, you can use either of the following methods:

  • By module (application) name — In a Modules subsection, list the module names as a comma-separated list. For example:
    "Bootstrap": {
      "Modules": "AccessManagement, DocsCM"
    }

    The preceding example shows the default value for Tridion Docs.

    You can use this method only if all modules follow the standard naming Bootstrap.{ModuleName}.json and all files are located in the \Resources subfolder.

  • By file name and path — In a Files subsection, list the relative file paths as an array. For example:
    "Bootstrap": {
      "Files": [
        "Resources/Bootstrap.AccessManagement.json",
        "Resources/Bootstrap.DocsCM.json"
      ]
    }