System setup


When setting up Safewhere*Identify with the configurator, many parameters are set automatically. If you have made a mistake in any of them or need to fine-tune the settings, open the “System setup” page under the Connections module. The system settings are explained below:


Entity ID: A name that uniquely defines the instance of Safewhere*Identify in a federation.

Base URL: The (base) URL of the instance of Safewhere*Identify. For example, if the Runtime and Admin modules of a Safewhere*Identify instance are set up at https://company.safewhere.com/runtime and https://company.safewhere.com/admin respectively, the base URL is https://company.safewhere.com

Tenant ID: Since Safewhere*Identify supports multi-tenancy, each tenant needs a unique id. The tenant id usually forms the first fragment of the base URL, e.g. “company” in the example above.

Role Claim Type: The claim type which stores the roles that are used for granting access to the admin part of the Safewhere*Identify application.

Email Claim Type: The claim type which stores users’ emails. This setting is important if you want the forgotten password feature to work on the Username and Password authentication connection. You can only choose claim types for this setting if all current users in the system have unique values for it.

Device Activation Code Claim Type: The claim type which stores a user’s mobile activation code.

Use for Identity Model: When checked, Safewhere*Identify uses the value in the system configuration for the identity model instead of the value from web.config. This is especially important to set when changing certificates, so that Safewhere*Identify*Admin keeps working in the federation.

Signing Certificate

  • Find Value: The value which is used for searching for a signing certificate in a store. This certificate is used to sign requests/responses from this instance of Safewhere*Identify to other parties.
  • Get certificates button: Allow users to select a new cert.
  • Find Type: Defines how a certificate should be searched. Possible values are: FindByThumbprint, FindBySubjectName, FindBySubjectDistinguishedName, FindByIssuerName, FindByIssuerDistinguishedName, FindBySerialNumber, FindByTimeValid, FindByTimeNotYetValid, FindByTimeExpired, FindByTemplateName, FindByApplicationPolicy, FindByCertificatePolicy, FindByExtension, FindByKeyUsage, FindBySubjectKeyIdentifier.
  • Store Location: Specifies the location of the certificate store. Possible values are: CurrentUser, LocalMachine.
  • Store Name: A specific store name at the location above. Possible values are: AddressBook, AuthRoot, CertificateAuthority, Disallowed, My.

Organization Display Name: The name, as it will be displayed to visiting users, of the organization that owns the Safewhere*Identify installation.

Organization Name: The official name of the organization that owns the Safewhere*Identify installation.

Organization URL: The official web site address of the organization that owns the Safewhere*Identify installation.

Contact Email: The contact email of the person who can be contacted by other partners in the federation to handle federation issues.

Send email with correlation: When an error is submitted, a notification email will be sent to the email address(es) specified in the “Contact email”.

Contact Given Names: The first name(s) of the person who can be contacted by other partners in the federation to handle federation issues.

Contact Family Name: The last name of the person who can be contacted by other partners in the federation to handle federation issues.

Contact Telephone Number: The phone number of the person who can be contacted by other partners in the federation to handle federation issues.

Malformed request page: Safewhere*Identify exposes dozens of endpoints that other parties can send requests and responses to. For example, [BaseUrl]/runtime/WS-Federation/WSFederation.idp is the endpoint to which a WS-Fed relying party should send authentication requests. However, not all requests are well-formed, and some may not contain all the necessary parameters. When such a malformed request arrives, the user is redirected to this error page instead of the default ASP.NET Server Error page, unless a dedicated malformed request error page exists for the specific plugin. Please note that not all endpoints are protected right now. The built-in error page can be found at [BaseUrl]/runtime/PlugIn/MalformedRequest, which is the easiest page to link to when setting up the installation.

NemID plugin’s malformed request error page: When this field has a URL then all malformed requests happening in connection with the NemID connections are redirected to this page.

Oces plugin’s malformed request error page: When this field has a URL then all malformed requests happening in connection with the OCES connections are redirected to this page.

Saml2 plugin’s malformed request error page: When this field has a URL then all malformed requests happening in connection with the SAML2.0 connections are redirected to this page.

WS-Federation plugin’s malformed request error page: When this field has a URL then all malformed requests happening in connection with the WS-Federation connections are redirected to this page.

Username and Password plugin’s malformed request error page: When this field has a URL then all malformed requests happening in connection with the Username and Password connections are redirected to this page.

OTP plugin’s malformed request error page: When this field has a URL then all malformed requests happening in connection with the OTP connections are redirected to this page.

Facebook plugin’s malformed request error page: When this field has a URL then all malformed requests happening in connection with the Facebook connections are redirected to this page.

Google plugin’s malformed request error page: When this field has a URL then all malformed requests happening in connection with the Google connections are redirected to this page.

Twitter plugin’s malformed request error page: When this field has a URL then all malformed requests happening in connection with the Twitter connections are redirected to this page.

LinkedIn plugin’s malformed request error page: When this field has a URL then all malformed requests happening in connection with the LinkedIn connections are redirected to this page.

OpenID plugin’s malformed request error page: When this field has a URL then all malformed requests happening in connection with the OpenID connections are redirected to this page.

LiveId plugin’s malformed request error page: When this field has a URL then all malformed requests happening in connection with the Live ID connections are redirected to this page.

Device-based plugin’s malformed request error page: When this field has a URL then all malformed requests happening in connection with the Device-based connections are redirected to this page.

LDAP plugin’s malformed request error page: When this field has a URL then all malformed requests happening in connection with the LDAP connections are redirected to this page.

GenericProvider plugin’s malformed request error page: When this field has a URL then all malformed requests happening in connection with the generic provider connections are redirected to this page.

Show Consent Page: When this is activated, users will on the authentication list page (also known as the selector page), be shown a link to the consent page. On the consent page users can give consent to issue data to the different Relying Parties registered in the system.

Sign metadata: When this is activated, SAML 2.0 metadata that Safewhere*Identify generates will be signed.

Show Home Realm Discovery configuration: When ticked, lets the user select which HRD mechanisms are applied for an RP. When not checked, all HRD mechanisms are applied.

STS Default Certificate Claim Type: The default certificate claim type value which is used with the STS plugin provider.

STS Default Name Claim Type: The enumeration value of the name claim type option. When UseDefault is selected, the default certificate claim type value used with the STS plugin provider will be used for the username endpoint and the mixed username endpoint.

STS Default Name Token Type: The default token type value which is used with the STS plugin provider.

STS Default Token Life Time: The default token lifetime value which is used with the STS plugin provider.

STS Maximum Token Life Time: The maximum token lifetime value which is used with the STS plugin provider.

STS Default Name Identifier Claim Type of Received Security Token: The default name identifier claim type value of the received security token which is used with the STS plugin provider.

STS Attribute name storing the name identifier claim type of Received Security Token: The attribute name storing the name identifier claim type of the received security token which is used with the STS plugin provider.

STS Enable WS Trust 14 Certificate Message Endpoint: An endpoint which authenticates the client with an X.509 certificate. The client credentials are included in the header of a SOAP message. Confidentiality is preserved by encryption inside the SOAP message.

STS Enable WS Trust 14 Certificate Mixed Endpoint: An endpoint which authenticates the client with an X.509 certificate. The client credentials are included in the header of a SOAP message. Confidentiality is preserved at the transport layer (SSL).

STS Enable WS Trust 14 Username Message Endpoint: An endpoint which authenticates the client with its username and password. The client credentials are included in the header of a SOAP message. Confidentiality is preserved by encryption inside the SOAP message.

STS Enable WS Trust 14 Username Mixed Endpoint: An endpoint which authenticates the client with its username and password. The client credentials are included in the header of a SOAP message. Confidentiality is preserved at the transport layer (SSL).

STS Enable WS Trust OIO IDWS Endpoint: An endpoint which authenticates the client with OIO IDWS profile. The client credentials are included in the header of a SOAP message. Confidentiality is preserved at the transport layer (SSL).

STS Enable WS Trust 14 Issuedtokensymmetricbasic256sha256 Endpoint: An endpoint which accepts client credential as an issued token instead of username/password or certificate. The client credentials are included in the header of a SOAP message. Confidentiality is preserved by encryption inside the SOAP message.

STS Enable WS Trust 14 Issuedmixedtokensymmetricbasic256sha256 Endpoint: An endpoint which accepts client credential as an issued token instead of username/password or certificate. The client credentials are included in the header of a SOAP message. Confidentiality is preserved at the transport layer (SSL).

STS Service Certificate: The Service Certificate is used to sign requests/responses from this instance of STS Plugin to other parties.

  • Find Value: The value which is used for searching for a signing certificate in a store. This certificate is used to sign requests/responses from this instance of Safewhere*Identify to other parties.
  • Get certificates button: Allow users to select a new cert.
  • Find Type: Defines how a certificate should be searched. Possible values are: FindByThumbprint, FindBySubjectName, FindBySubjectDistinguishedName, FindByIssuerName, FindByIssuerDistinguishedName, FindBySerialNumber, FindByTimeValid, FindByTimeNotYetValid, FindByTimeExpired, FindByTemplateName, FindByApplicationPolicy, FindByCertificatePolicy, FindByExtension, FindByKeyUsage, and FindBySubjectKeyIdentifier.
  • Store Location: Specifies the location of the certificate store. Possible values are: CurrentUser, LocalMachine.
  • Store Name: A specific store name at the location above. Possible values are: AddressBook, AuthRoot, CertificateAuthority, Disallowed, My.
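As an added example (not Safewhere's own code and not a script shipped with Identify), the PowerShell below resolves a certificate exactly as the Find Type, Find Value, Store Location and Store Name settings describe it, for both the Signing Certificate section above and the STS Service Certificate here, and reports the conditions that make signing fail: no match, an ambiguous match, a missing private key, or a certificate outside its validity period. The parameter defaults are placeholders to replace with the values from your own System setup page.

```powershell
# Added example, not Safewhere's own code: resolve a certificate the way the
# "Find Type" / "Find Value" / "Store Location" / "Store Name" settings describe
# it and report the problems that stop it from signing. All defaults are placeholders.
param(
    [string]$FindType      = 'FindByThumbprint',      # any X509FindType name from the list above
    [string]$FindValue     = 'PLACEHOLDER_THUMBPRINT',
    [string]$StoreLocation = 'LocalMachine',          # CurrentUser or LocalMachine
    [string]$StoreName     = 'My'                     # AddressBook, AuthRoot, CertificateAuthority, Disallowed or My
)

# Casting the strings to the .NET enums fails early, with a clear error, when a
# setting is misspelled, which mirrors the validation of the admin page itself.
$findTypeEnum  = [System.Security.Cryptography.X509Certificates.X509FindType]$FindType
$locationEnum  = [System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation
$storeNameEnum = [System.Security.Cryptography.X509Certificates.StoreName]$StoreName

# The time-based find types compare against a DateTime; the other types listed on
# this page (thumbprint, subject, issuer, serial, ...) take the value as text.
$searchValue = if ($FindType -like 'FindByTime*') { [DateTime]$FindValue } else { $FindValue }

$store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
                    -ArgumentList $storeNameEnum, $locationEnum
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    # validOnly = $false: an expired or untrusted match is reported instead of silently dropped.
    $found = $store.Certificates.Find($findTypeEnum, $searchValue, $false)
} finally {
    $store.Close()
}

if ($found.Count -eq 0) {
    Write-Error "No certificate in $StoreLocation\$StoreName matches $FindType '$FindValue'; signing would fail."
    exit 1
}
if ($found.Count -gt 1) {
    Write-Warning "$($found.Count) certificates match; prefer FindByThumbprint so the selection is unambiguous."
}

$now = Get-Date
$problems = 0
foreach ($cert in $found) {
    Write-Host "Subject    : $($cert.Subject)"
    Write-Host "Thumbprint : $($cert.Thumbprint)"
    Write-Host "Valid      : $($cert.NotBefore) -> $($cert.NotAfter)"

    # A certificate without a private key can verify signatures but never produce them.
    if (-not $cert.HasPrivateKey) {
        Write-Warning "  No private key: this certificate cannot sign."
        $problems++
    }
    if ($cert.NotBefore -gt $now) {
        Write-Warning "  Not valid before $($cert.NotBefore)."
        $problems++
    } elseif ($cert.NotAfter -lt $now) {
        Write-Warning "  Expired on $($cert.NotAfter); partners will reject signatures made with it."
        $problems++
    } elseif ($cert.NotAfter -lt $now.AddDays(30)) {
        Write-Warning "  Expires within 30 days; plan the rotation now."
        $problems++
    }
}
exit $problems
```

Run the script under the same Windows account that the Identify application pool uses: private key permissions are granted per account, so a certificate that resolves cleanly for an administrator can still be unusable by the application pool identity.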

Expired Password Renewal Logic: Allows users with expired passwords to use the Reset Password page to renew them. When set to ‘True’, the user will receive the ‘forgotten password mail’ after making the request from the ‘forgotten password page’, even though their password is expired.

Offer manual update of users’ passwords on user form: When activated, a field called “New Password” is placed on the ‘Update user’ form; when it is filled in and saved, the value is validated and stored for the user record. On the new user form this field is also displayed when the value is set to “Set new password manually”. Further, a “set password” option appears in the context drop-down on the user list.
