General properties - CustomerID

These configurations are available in the eidm2.properties file. This is the main configuration file of Ubisecure CustomerID. Changes to this file require a server restart.

general.url.base

The base URL defines the beginning of the remote address related to Ubisecure CustomerID services. The setting is used, for example, in hyperlinks incorporated in emails. The context path of the address must be /eidm2/. Usually this property is included in the eidm2_generated.properties file and there is no reason to modify it or reset it.

Default is https://localhost:7443/eidm2/
Example:

general.url.base = https://www.example.com/eidm2/

general.default.returnUrl

The user is directed to the address specified in general.default.returnUrl, if:

  • An error occurs
  • The application cannot use any other return URL address
  • The user exits a Ubisecure CustomerID service using the return link

You can use a variable to include the user's locale, for example: https://www.ubisecure.com?language=${locale}

Default is https://www.ubisecure.com

Example:

general.default.returnUrl = https://www.ubisecure.com

general.default.logoutReturnUrl

The default logout return URL defines the URL address where the user is redirected when a logout is requested.

You can use a variable to include the user's locale, for example: https://www.ubisecure.com?language=${locale}

Default is https://www.ubisecure.com
Example:

general.default.logoutReturnUrl = https://www.ubisecure.com

general.requestcycle.timeout

This property defines the Wicket request cycle timeout. The value is given in seconds; the default is 60 seconds. Increase this value if, for example, organization listings time out.

Default is 60.
Example:

general.requestcycle.timeout = 60

general.move.roles.with.user

This setting activates a behavior that reassigns user roles when the user is moved from one organization to another. If a role assigned to the user from the source organization is also enabled in the target organization, the assignment from the source organization is removed and replaced by an assignment from the target organization. Roles that do not exist in the target organization, and roles assigned from other organizations, remain unmodified. If assigning a role in the target organization fails for some reason, the corresponding deassignment is not performed; this check is made individually for each reassignable role. There are two possible values:

  • true: Roles will be reassigned.
  • false: Roles are not changed.

Default is false.

Example:

general.move.roles.with.user = false
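The per-role reassignment rule described above, as an added illustration that is not CustomerID's own code. The data model (an organization maps to the roles enabled in it, and an assignment is the pair of granting organization and role name) and the organization and role names other than OrganizationMainUser are constructed assumptions.

```python
from typing import Callable, Dict, Set, Tuple

Assignment = Tuple[str, str]  # (organization that granted the role, role name)


def move_user_roles(
    assignments: Set[Assignment],
    source: str,
    target: str,
    enabled_roles: Dict[str, Set[str]],
    assign: Callable[[str, str], bool],
    move_roles_with_user: bool = True,
) -> Set[Assignment]:
    """Return the user's assignments after moving from `source` to `target`.

    With move_roles_with_user=False (the documented default) nothing changes.
    Otherwise each role granted by the source organization is handled on its
    own: if the target has the same role enabled, the target assignment is
    attempted first and the source assignment is only removed when that
    attempt succeeds. Roles not enabled in the target and roles granted by
    any other organization are left untouched.
    """
    if not move_roles_with_user:
        return set(assignments)
    result = set(assignments)
    target_roles = enabled_roles.get(target, set())
    for org, role in assignments:
        if org != source:
            continue  # granted by another organization: unmodified
        if role not in target_roles:
            continue  # role does not exist in the target: unmodified
        if assign(target, role):  # per-role check: assign before deassigning
            result.discard((source, role))
            result.add((target, role))
    return result


# Constructed sample: "acme" is the source, "globex" the target, "partner" a
# third organization that also granted the user a role.
ENABLED = {
    "acme": {"OrganizationMainUser", "Auditor", "LegacyRole"},
    "globex": {"OrganizationMainUser", "Auditor"},
}
CURRENT = {("acme", "OrganizationMainUser"), ("acme", "Auditor"),
           ("acme", "LegacyRole"), ("partner", "Auditor")}


def flaky_assign(org: str, role: str) -> bool:
    """Simulated backend where assigning Auditor in globex fails."""
    return not (org == "globex" and role == "Auditor")


if __name__ == "__main__":
    print(sorted(move_user_roles(CURRENT, "acme", "globex", ENABLED, flaky_assign)))
```

In the sample, OrganizationMainUser moves to globex, Auditor stays assigned from acme because the target assignment failed, LegacyRole stays because globex does not have it, and the partner-granted Auditor role is untouched.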

general.mail.session

This property defines the JNDI name with which the MailSession configured in Tomcat's context.xml is available.

Default is java:comp/env/mail/mailSession.
Example:

general.mail.session = java:comp/env/mail/MailSession

general.main.ldap.directory

This property defines the main LDAP user authentication data repository. Valid values are

  • ud: Ubisecure Directory

  • ad: Active Directory

    NOTE: Microsoft Active Directory usage for storing user authentication related data will be deprecated in future versions. This is because we will be moving to using an SQL database as the storage for all data, and migrations from Microsoft Active Directory will be more problematic than migrations from Ubisecure Directory.

Default is ud.

Example:

general.main.ldap.directory = ud

general.login.generation

This property defines how the main user authentication data repository specific login attribute is generated. Valid values are

  • random: A random string is generated (this value can be used with Ubisecure Directory and Active Directory).
  • mail: Email address is used (this value can be used with Ubisecure Directory).
  • custom1: A customer specific generation rule is used (this value can be used with Active Directory).

Default is mail.
Example:

general.login.generation = mail

general.login.attribute

This property defines the attribute that is used as the username in authentication methods. Any attribute name is a valid value.

If you change this property you also need to change your authentication method configuration correspondingly.
Common values are:

  • uid: The uid attribute is commonly used with Ubisecure Directory.
  • sAMAccountName: The sAMAccountName attribute is commonly used with Active Directory. This is also the default value if Active Directory is used as the user information storage.
  • mail: The mail attribute is commonly used with both Ubisecure Directory and Active Directory.

Default is uid.

Example:

general.login.attribute = uid

general.group.samaccountname.generation

This property defines how the sAMAccountName attribute for a group is generated in Active Directory. Valid values are

  • auto: Active Directory generates the sAMAccountName attribute automatically
  • random: A random string is generated
  • readable: The first 15 letters come from the CN and the last 5 are random to achieve uniqueness.

Default is random.

Example:

general.group.samaccountname.generation = random

general.admin.organization.roles.restricted

This property defines roles that can be assigned only to users who are in the same organization. In the example below, the user can only get the OrganizationMainUser role in his/her home organization. When you give several values, use the roles' relative name values and separate them with commas.

Default is <empty>.
Example:

general.admin.organization.roles.restricted = OrganizationMainUser

general.admin.organization.roles.protected

This property defines a list of roles that cannot be deleted from organizations.

Default is eIDMMainUser, OrganizationAdmin, OrganizationMainUser, OrganizationMandates, OrganizationOwner.
Example:

general.admin.organization.roles.protected = eIDMMainUser, OrganizationAdmin, OrganizationMainUser, OrganizationMandates, OrganizationOwner

general.admin.organization.roles.reservednames

This property defines a list of role names that cannot be given to a role when creating a new role.

Default is OrganizationMainUser, OrganizationOwner, OrganizationMandates.
Example:

general.admin.organization.roles.reservednames = SuperUser

general.admin.organization.users.includerolemembers

This property defines whether users are included in the organization user list by their role memberships or only by the user's location. It also defines whether mandate delegation is possible for those users in the same organization. There are two possible values:

  • true: Users are members in organizations if they have received a role or a mandate delegation from the organization.
  • false: Users are members in organizations if they are directly stored in them.

    NOTE: At the moment enabling this feature will negatively affect the performance of the system. This will be fixed in the future.

Default is false.
Example:

general.admin.organization.users.includerolemembers = true

general.admin.user.roles.protected

This property defines a list of roles that cannot be removed from users.
Default is <empty>.
Example:

general.admin.user.roles.protected = OrganizationMainUser

general.user.self.enable.account

This property defines if the user is able to re-register to enable his/her account when the account is disabled.
Default is true.
Example:

general.user.self.enable.account = true


general.organization.name.oid

This property defines if company IDs are saved in OID format. Organizations' names that are company IDs are converted to OID format. There are two possible values:

  • true: Company IDs are saved in OID format.
  • false: No conversion will be made.

Default is false.

Example: 

general.organization.name.oid = false

general.authprovider.enabled

This property can be used to disable the authentication provider feature (the saml.ap.custid authentication method), which is useful in registration workflows where users become active automatically.

If the SAML AP authentication method is enabled, you might want to hide it from the Ubisecure SSO login screen by making a small modification to the Ubisecure SSO template in use. You can use external method grouping for this purpose. The required steps are described below:

  • In the template properties file set usemethodgroups to true.
  • In the template properties file set methodgroups for example to visibleexternalmethods.
  • In the template properties file add the following new property: visibleexternalmethods.members and add the names of all the external methods that you want to be visible. For example like this:
    • visibleexternalmethods.members = tupas.op.1, tupas.nordea.1
  • In the uas_<locale code>.properties files define the corresponding language key: GROUP_VISIBLEEXTERNALMETHODS_TITLE. The value can be left empty if you don't want an additional title to be presented.

There are two possible values:

  • true: SAML AP is enabled.
  • false: SAML AP is disabled.

Default is true.

Example: 

general.authprovider.enabled = true

general.approval.reject.promptforreason

This property can be used to enable or enforce a free-text reject message when rejecting user applications. There are two possible values:

  • optional: The Reject button will display a modal window with a text area component where the reason for the rejection can be entered. Pressing the modal window's Reject button will complete the rejection whether the text area is filled or empty.
  • required: The Reject button will display a modal window with a text area component where the reason for the rejection can be entered. Pressing the modal window's Reject button while the text area is empty will display an error message on the modal window and the action can only be completed when some text has been entered.

Default is optional.
Example: 

general.approval.reject.promptforreason = required

general.accepted.origin.whitelist

This property defines a list of origin domains that are accepted without any further examination when checking requests for CSRF issues.
Default is <empty>.
Example:

general.accepted.origin.whitelist = example.com, example.org

general.unsecure.debuglog.include.rest.password

This property defines whether the REST system user password is included in the diagnostics log on debug level in error situations. This extra configuration parameter exists because passwords normally should not be written to logs, but when debugging certain error situations, seeing the REST system user password can be helpful. Consider using this only in testing environments, or clean up the logs after debugging. There are two possible values:

  • true: REST system user password is included in error log entries on debug level.
  • false: REST system user password is never included in diagnostics log.

Default is false.

Example: 

general.unsecure.debuglog.include.rest.password = true
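An added lint for an eidm2.properties file, covering the constraints documented on this page (the /eidm2/ context path for general.url.base, the valid values of the enumerated and boolean properties, the directory compatibility of general.login.generation, a positive general.requestcycle.timeout, and a warning when general.unsecure.debuglog.include.rest.password is enabled). This is example code, not part of Ubisecure CustomerID, and the sample file it checks is constructed.

```python
import re
from typing import Dict, List

ENUMS = {
    "general.main.ldap.directory": {"ud", "ad"},
    "general.login.generation": {"random", "mail", "custom1"},
    "general.group.samaccountname.generation": {"auto", "random", "readable"},
    "general.approval.reject.promptforreason": {"optional", "required"},
}
BOOLEANS = {
    "general.move.roles.with.user", "general.admin.organization.users.includerolemembers",
    "general.user.self.enable.account", "general.organization.name.oid",
    "general.authprovider.enabled", "general.unsecure.debuglog.include.rest.password",
}
# Documented compatibility: "mail" only with Ubisecure Directory, "custom1" only with AD.
GENERATION_REQUIRES = {"mail": "ud", "custom1": "ad"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def lint(props: Dict[str, str]) -> List[str]:
    """Return one finding per documented constraint that the file violates."""
    findings = []
    base = props.get("general.url.base", "")
    if base and not base.endswith("/eidm2/"):
        findings.append("general.url.base: context path must be /eidm2/")
    for key, allowed in ENUMS.items():
        if key in props and props[key] not in allowed:
            findings.append(f"{key}: {props[key]!r} not in {sorted(allowed)}")
    for key in sorted(BOOLEANS):
        if key in props and props[key] not in ("true", "false"):
            findings.append(f"{key}: expected true or false")
    gen = props.get("general.login.generation")
    need = GENERATION_REQUIRES.get(gen)
    if need and props.get("general.main.ldap.directory", "ud") != need:  # default is ud
        findings.append(f"general.login.generation={gen} requires general.main.ldap.directory={need}")
    timeout = props.get("general.requestcycle.timeout")
    if timeout is not None and not (timeout.isdigit() and int(timeout) > 0):
        findings.append("general.requestcycle.timeout: must be a positive number of seconds")
    if props.get("general.unsecure.debuglog.include.rest.password") == "true":
        findings.append("general.unsecure.debuglog.include.rest.password=true: REST system user password will reach the debug log")
    return findings


# Constructed sample file with three problems: missing trailing slash, a
# generation rule incompatible with the chosen directory, and debug password logging.
SAMPLE = """# constructed sample eidm2.properties
general.url.base = https://www.example.com/eidm2
general.main.ldap.directory = ad
general.login.generation = mail
general.requestcycle.timeout = 60
general.unsecure.debuglog.include.rest.password = true
"""
```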