General properties - CustomerID
These configurations are available in the eidm2.properties
 file. This is the main configuration file of Ubisecure CustomerID. Changes to this file require a server restart.
general.url.base
The base URL defines the beginning of the remote address related to Ubisecure CustomerID services. The setting is used, for example, in hyperlinks incorporated in emails. The context path of the address must be /eidm2/
. Usually this property is included in the eidm2_generated.properties
 file and there is no reason to modify it or reset it.
Default is https://localhost:7443/eidm2/
Example:
general.url.base = https://www.example.com/eidm2/
general.default.returnUrl
The user is directed to the address specified in general.default.returnUrl
, if:
- An error occurs
- The application cannot use any other return URL address
- The user exits a Ubisecure CustomerID service using the return link
You can use a variable for including user locale, for example:Â https://www.ubisecure.com?language=${locale}
Default is https://www.ubisecure.com
Example:
general.default.returnUrl = https://www.ubisecure.com
general.default.logoutReturnUrl
The default logout return URL defines the URL address where the user is redirected when a logout is requested.
You can use a variable for including user locale, for example:Â https://www.ubisecure.com?language=${locale}
Default is https://www.ubisecure.com
Example:
general.default.logoutReturnUrl = https://www.ubisecure.com
general.requestcycle.timeout
This property defines the Wicket request cycle timeout value. The default value is 60 seconds. The value is given in seconds. Adjust this value if e.g organization listings timeout.
Default is 60.
Example:
general.requestcycle.timeout = 60
general.move.roles.with.user
This setting will activate a behavior that will reassign user roles when the user is moved from one organization to another. If the source organization and target organization have the same roles enabled that are assigned to user, the roles assigned from source organization are deassigned and replaced by those of the target organization. Roles which do not exist in target organization or those assigned from other organizations will remain unmodified. If role assignments fail for some reason, deassignment is not performed. This test is performed individually for each reassignable role. There are two possible values:
true
: Roles will be reassigned.false
: Roles are not changed.
Default is false
.
Example:
general.move.roles.with.user = false
general.mail.session
This property defines the JNDI name with which the MailSession configured in Tomcat's context.xml
 is available.
Default is java:comp/env/mail/mailSession
.
Example:
general.mail.session = java:comp/env/mail/MailSession
general.main.ldap.directory
This property defines the main LDAP user authentication data repository. Valid values are
ud
: Ubisecure Directoryad
: Active DirectoryNOTE: Microsoft Active Directory usage for storing user authentication related data will be deprecated in future versions. This is because we will be moving to using an SQL database as the storage for all data and migrations from Microsoft Active Directory will be more problematic than migrations from Ubisecure Directory .
Default is
ud
.Example:
general.main.ldap.directory = ud
general.login.generation
This property defines how the main user authentication data repository specific login attribute is generated. Valid values are
random
: A random string is generated (this value can be used with Ubisecure Directory and Active Directory).mail
: Email address is used (this value can be used with Ubisecure Directory).custom1
: A customer specific generation rule is used (this value can be used with Active Directory).
Default is mail
.
Example:
general.login.generation = mail
general.login.attribute
This property defines the attribute that is used as the username in authentication methods. Any attribute name is a valid value.
If you change this property you also need to change your authentication method configuration correspondingly.
Common values are:
uid
: The uid attribute is commonly used with Ubisecure Directory.sAMAccountName
: The sAMAccountName attribute is commonly used with Active Directory. This is also the default value if Active Directory is used as the user information storage.mail
: The mail attribute is commonly used with both Ubisecure Directory and Active Directory.
Default is uid
.
Example:
general.login.attribute = uid
general.group.samaccountname.generation
This property defines how the sAMAccountName attribute for a group is generated in Active Directory. Valid values are
auto
: Active Directory generates the sAMAccountName attribute automaticallyrandom
: A random string is generatedreadable
: The first 15 letters come from the CN and the last 5 are random to achieve uniqueness.
Default is random
.
Example:
general.group.samaccountname.generation = random
general.admin.organization.roles.restricted
This property defines roles that can be assigned only to users who are in the same organization. In the example below, the user can only get the OrganizationMainUser role in his/her home organization. When you give several values, use the roles' relative name values and separate them with commas.
Default is <empty>
.
Example:
general.admin.organization.roles.restricted = OrganizationMainUser
general.admin.organization.roles.protected
This property defines a list of roles that cannot be deleted from organizations.
Default is eIDMMainUser, OrganizationAdmin, OrganizationMainUser, OrganizationMandates, OrganizationOwner
.
Example:
general.admin.organization.roles.protected = eIDMMainUser, OrganizationAdmin, OrganizationMainUser, OrganizationMandates, OrganizationOwner
general.admin.organization.roles.reservednames
This property defines a list of role names that cannot be given to a role when creating a new role.
Default is OrganizationMainUser, OrganizationOwner, OrganizationMandates
.
Example:
general.admin.organization.roles.reservednames = SuperUser
general.admin.organization.users.includerolemembers
This property defines whether users should be included in the organization user list by role memberships or only by user's location. It also defines if mandate delegation is possible for those users in the same organization. There are two possible values:
true
: Users are members in organizations if they have received a role or a mandate delegation from the organization.
false
: Users are members in organizations if they are directly stored in them.NOTE: At the moment enabling this feature will negatively affect the performance of the system. This will be fixed in the future.
Default is false
.
Example:
general.admin.organization.users.includerolemembers = true
general.admin.user.roles.protected
This property defines a list of roles that cannot be removed from users.
Default is <empty>
.
Example:
general.admin.user.roles.protected = OrganizationMainUser
general.user.self.enable.account
This property defines if the user is able to re-register to enable his/her account when the account is disabled.
Default is true
.
Example:
general.user.self.enable.account = true
general.organization.name.oid
This property defines if company IDs are saved in OID format. Organizations' names that are company IDs are converted to OID format. There are two possible values:
true
: Company IDs are saved in OID format.false
: No conversion will be made.
Default is false
.
Example:Â
general.organization.name.oid = false
general.authprovider.enabled
This property can be used to disable authentication provider feature (saml.ap.custid authentication method), which is useful in registration workflows where user's became active automatically.
If the SAML AP authentication method is enabled you might want to hide it from the Ubisecure SSO login screen by modifying the used Ubisecure SSO template a little. You can use external method grouping for this purpose. What you need to do is described below:
- In the template properties file set
usemethodgroups
 to true. - In the template properties file set
methodgroups
 for example to visibleexternalmethods. - In the template properties file add the following new property:
visibleexternalmethods.members
 and add the names of all the external methods that you want to be visible. For example like this:- visibleexternalmethods.members = tupas.op.1, tupas.nordea.1
- In the
uas_<locale code>.properties
 files define the corresponding language key:GROUP_VISIBLEEXTERNALMETHODS_TITLE
. The value can be left empty if you don't want an additional title to be presented.
There are two possible values:
true
: SAML AP is enabled.false
: SAML AP is disabled.
Default is true
.
Example:Â
general.authprovider.enabled = true
general.approval.reject.promptforreason
This property can be used to enforce or enable a free text reject message for the event of rejecting user applications. There are two possible values:
optional
: The Reject button will display a modal window with a text area component where the reason for the rejection can be entered. Pressing the modal window's Reject button will complete the rejection whether the text area is filled or empty.required
: The Reject button will display a modal window with a text area component where the reason for the rejection can be entered. Pressing the modal window's Reject button while the text area is empty will display an error message on the modal window and the action can only be completed when some text has been entered.
Default is optional
.
Example:Â
general.approval.reject.promptforreason = required
general.accepted.origin.whitelist
This property defines a list of domains that are just accepted without any further examination when checking for CSRF issues.
Default is <empty>
.
Example:
general.accepted.origin.whitelist = example.com, example.org
general.unsecure.debuglog.include.rest.password
This property defines if the REST system user password is included in the diagnostics log on debug level in error situations. We have this extra configuration parameter because usually we don't want to include any passwords in logs, but when debugging certain error situations seeing the REST system user password might be helpful. You might want to use this only in testing environments or clean up the logs after debugging. There are two possible values:
true
: REST system user password is included in error log entries on debug level.false
: REST system user password is never included in diagnostics log.
Default is false
.
Example:Â
general.unsecure.debuglog.include.rest.password = true