Access Management configuration reference
In the appsettings.json file for Access Management, you can define custom configuration for the Access Management application within the Tridion Docs environment.
- URLs or Kestrel
The settings in this section enable and configure website URLs, both HTTP and HTTPS.
- Database
- Type
One of the following values:
  - Oracle: for an Oracle database
  - MsSql: for a Microsoft SQL Server database
- ConnectionString
If your database is Oracle, this property configures the database connection string, including the Data Source, User Id, and Password parameters. The following sample illustrates the property for an Oracle database:
  "Data Source=HOST:PORT/SERVICENAME;User Id=USER;Password=PASSWORD"
where:
  - HOST is the hostname of your database server
  - PORT is the port number of your database server
  - SERVICENAME is the name of your Access Management database
  - USER is the name of a user who can access the database
  - PASSWORD is a valid password for that user
- TransactionTimeOut
The maximum amount of time (in seconds) to allow for a transaction to complete.
By default, Access Management allows 60 seconds. If you expect an upload of either type of file to take more time, set a higher value in the
- ForceAnonymous
A switch that enables a user to get into Access Management without logging in (anonymously), even though Access Management has been secured.
  - true: Users can get into the Access Management application without having to log in, even though security has been configured.
  - false (default): Users must log in to a secured Access Management application, as normally required.
- Logging
- logLevel
The level of detail to be recorded in the log file for Access Management. One of the following values:
  Log level    Description
  Trace        Log informational messages with the highest level of detail about the application's lowest-level activity.
  Debug        Log fine-grained informational messages about low-level functionality being executed, intended to discover the source of a problem.
  Information  Log warnings, errors of both types, and informational messages.
  Warning      Log warnings as well as errors of both types.
  Error        Log critical errors and normal errors.
  Critical     Log only critical errors.
Refer to the related task for additional information on how to configure logging.
- AllowedHosts
(Optional) Enables the Host Filtering Middleware for the Access Management website and defines one or more specific host names to which the application can bind. The setting is optional but recommended, because it validates incoming Host headers.
The value is a semicolon-delimited list of host names without port numbers.
- Certificates
(Optional) This section applies only to SAML-based identity providers. It defines the digital certificate that Access Management uses to communicate with an external SAML IdP. Note that this certificate is not used to sign tokens.
Define the certificate as in the following example:
  "Certificates": {
    "Signing": {
      "Path": "Certificates/TridionAccessManagementService.pfx",
      "Password": "****"
    }
  }
- ClientSettings
- AccessTokenLifetime
The amount of time for which an access token issued by Access Management can be used. After the token expires, the end user may be asked to sign in again.
The format is hh:mm:ss and the default value is 01:00:00, or one hour.
If the default token lifetime seems too short and an annoyance to users, you can increase it. Keep in mind, however, that a longer-lived token trades security for user experience.
- CacheLifetime
The amount of time (in seconds) for which Access Management caches information about the applications. This includes allowed redirect URLs, API resources, roles and client credentials.
The format is hh:mm:ss and the default value is 00:00:30, or 30 seconds.
Note that when such items are changed, there is a delay between the time of the change and the time the change becomes effective. This is a trade-off between user experience (for administrators) and performance.
- UserSessionLifetime
The amount of time (in seconds) for which Access Management caches information about the user's session.
The format is hh:mm:ss and the default value is 08:00:00, or eight hours.
- ShowPII
A switch that determines whether Access Management shows Personally Identifiable Information (PII) in log and error messages. The default setting is true, because this information includes valuable diagnostic data, such as URLs. Other than account names, Access Management never shows true PII. If you still consider showing such data to be a security risk, change the value to false. The PII data will then be substituted with the text "[PII is hidden]".
- AccountOptions
- ShowLogoutPrompt
A switch that determines whether Access Management displays a confirmation message to the user when they log out.
If you wish Access Management to display the confirmation, set the value to true. Be aware that if this property is set to false, Access Management will never show the confirmation prompt, even if the client does not provide an ID token; showing the prompt in that case is what we recommend for security reasons. Note that all Tridion user interfaces provide an ID token, so they don't show a confirmation prompt regardless of this setting.
- AutomaticRedirectAfterSignOut
A switch that determines whether Access Management should automatically redirect the user to the Sign in page after they successfully sign out of the application.
  - true: After a user signs out, the application takes the user to the Sign in page.
  - false (default): After a user signs out, no redirection occurs. The user sees a confirmation that they are signed out, but they must use the "sign in again" button.
- IncludeWindowsGroups
A switch that determines whether claims for group membership should be forwarded when Access Management connects to the IdP using Windows authentication (type is "Windows"). When set to true, Access Management forwards the claims.
- ForwardedHeadersOptions
If Access Management is running behind a proxy server or load balancer, these settings allow you to configure how forwarded headers are processed.
- ForwardedHeaders
An indicator of which forwarded headers can be accepted and processed.
The following values are allowed:
  - All: all headers will be accepted.
  - None: none of the headers will be accepted.
  - XForwardedFor: the header X-Forwarded-For will be accepted.
  - XForwardedHost: the header X-Forwarded-Host will be accepted.
  - XForwardedProto: the header X-Forwarded-Proto will be accepted.
- KnownProxies
The addresses of known proxies from which to accept forwarded headers.
Use this property to specify exact IP address matches. If there is no value set, then all proxy servers will be accepted.
- KnownNetworks
Address ranges of known networks from which to accept forwarded headers.
To indicate IP ranges, use CIDR (Classless Inter-Domain Routing) notation.
If there is no value set, then all networks will be accepted.
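As an added illustration that is not part of this reference or of the Access Management product, the following Python models the trust decision that KnownProxies and KnownNetworks describe: only a sender that matches one of the lists may supply X-Forwarded-* values, and leaving both lists empty trusts every sender. It is a simplified model of the ASP.NET Core forwarded-headers behaviour, not the actual middleware, and uses constructed requests together with the two option sets this reference gives as Example 1 and Example 2.

```python
import ipaddress

# Constructed option sets: the reference's Example 1 and Example 2, plus the
# permissive case of leaving both lists empty. (Illustrative helper, not Tridion code.)
EXAMPLE_1 = {"ForwardedHeaders": "XForwardedHost, XForwardedProto",
             "KnownProxies": [], "KnownNetworks": ["10.11.12.1/8"]}
EXAMPLE_2 = {"ForwardedHeaders": "All",
             "KnownProxies": ["127.0.10.1", "10.100.10.153"], "KnownNetworks": []}
ACCEPT_ANY = {"ForwardedHeaders": "All", "KnownProxies": [], "KnownNetworks": []}

HEADER_NAMES = {"XForwardedFor": "X-Forwarded-For",
                "XForwardedHost": "X-Forwarded-Host",
                "XForwardedProto": "X-Forwarded-Proto"}


def trusted_sender(remote_addr, options):
    """True if remote_addr may supply forwarded headers. With both lists
    empty every sender is trusted, as the reference states."""
    if not options["KnownProxies"] and not options["KnownNetworks"]:
        return True
    ip = ipaddress.ip_address(remote_addr)
    if any(ip == ipaddress.ip_address(p) for p in options["KnownProxies"]):
        return True
    # strict=False so a value such as "10.11.12.1/8" is read as the 10.0.0.0/8 network
    return any(ip in ipaddress.ip_network(n, strict=False)
               for n in options["KnownNetworks"])


def effective_request(remote_addr, scheme, host, headers, options):
    """Return the client ip, scheme and host the application would act on."""
    names = {n.strip() for n in options["ForwardedHeaders"].split(",")}
    accepted = set(HEADER_NAMES) if "All" in names else names & set(HEADER_NAMES)
    result = {"ip": remote_addr, "scheme": scheme, "host": host}
    if not trusted_sender(remote_addr, options):
        return result  # headers from an unknown sender are ignored entirely
    if "XForwardedFor" in accepted and "X-Forwarded-For" in headers:
        # the right-most value is the one appended by the nearest proxy
        result["ip"] = headers["X-Forwarded-For"].split(",")[-1].strip()
    if "XForwardedProto" in accepted and "X-Forwarded-Proto" in headers:
        result["scheme"] = headers["X-Forwarded-Proto"]
    if "XForwardedHost" in accepted and "X-Forwarded-Host" in headers:
        result["host"] = headers["X-Forwarded-Host"]
    return result
```

With ACCEPT_ANY, a request arriving directly from an unknown address with a forged X-Forwarded-For is taken at face value, which is why the lists should be populated when the proxy topology is known.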
The following are two examples of how these properties might be configured:
Example 1:
  "ForwardedHeadersOptions": {
    "ForwardedHeaders": "XForwardedHost, XForwardedProto",
    "KnownProxies": [],
    "KnownNetworks": ["10.11.12.1/8"]
  }
Example 2:
  "ForwardedHeadersOptions": {
    "ForwardedHeaders": "All",
    "KnownProxies": ["127.0.10.1", "10.100.10.153"],
    "KnownNetworks": []
  }
- Bootstrap
This section defines the bootstrap files to use for adding predefined data to the environment. The bootstrap files contain predefined data for the environment, including definitions of applications, roles, and service accounts. Every time Access Management starts up, the bootstrap files are validated, the data is merged, and the final bootstrap data is added to the system.