Authentication (Conf)¶
Base¶
Default locale: the default language is preset (English).
Token expiration interval [Advanced]: a token is issued after a user authenticates. When a user logs on to the device for the first time, a token is issued and remains valid for a preset period of time (the "token expiration interval"). During this period authentication is very fast, because the user is already certified by the token and the provider does not have to be contacted again. Calibrate the expiration interval carefully: too long a period creates a security gap (a token that is stolen, or that belongs to a user who has since been disabled, stays valid until it expires), while too short a period forces frequent regeneration of the token, which degrades performance.
Alias management [Advanced]: if checked, alias management is enabled. Aliases are used when a user has more than one username.
Identity detail¶
Delete job cache: if checked, cache deletion is enabled.
Lifetime cache in minutes: the amount of time (in minutes) cached files exist on disk before being deleted.
Cache execution cron: the schedule for the cache cleanup, i.e. how often the service that deletes the cached data runs (for further details, refer to the Cron Trigger Tutorial (Quartz Cron) section).
Merge details and groups: identity details and their groups are taken from all active provider types (LDAP, AD and Database) configured in the system. By default the caching system collects the data from the first provider in which they are found; if Merge is checked, the data are collected from all active providers instead. For example, if a secondary provider contains a group related to an identity but the user is authenticated on the primary provider, Merge must be enabled for that group to be collected.
Groups optimization count [Advanced]: the optimization count for groups.
Card¶
Internal card registration from client: if checked, cards may be registered to the internal card management if no suitable external provider was found.
Creation card from client: if checked, the card registration from the client (especially MFPs) is enabled.
Card Strong Authentication Login [Advanced]: if checked, a PIN-code is required every time a user logs in with a card.
Card PIN minimum length [Advanced]: the minimum length a card PIN must have.
Card PIN maximum length [Advanced]: the maximum length a card PIN may have.
Card PIN type: the character types allowed in a card PIN. Choose between numeric and alphanumeric. Keep in mind that some MFPs might not support alphanumeric PINs.
Deny same character [Advanced]: if checked, PINs consisting of a single repeated character (e.g., 1111, aaaa) cannot be created.
Deny sequential digits [Advanced]: if checked, sequences of consecutive digits (e.g., 1234) are prohibited.
Deny sequential letters [Advanced]: if checked, sequences of consecutive letters (e.g., abcd) are prohibited.
Minimum digits [Advanced]: the minimum number of digits a PIN must contain.
Minimum letters [Advanced]: the minimum number of letters a PIN must contain.
Mixed strong Authentication Login [Advanced]: if checked, a mixed strong authentication login is enabled.
Administrative mask for card: the strategy used can be:
ADMINISTRATIVE_MASK_ENABLED: the alphanumeric string of the card is not shown in plain text but instead masked with asterisks.
ADMINISTRATIVE_MASK_DISABLED: the alphanumeric string of the card is shown in plain text.
Note
The administrative mask only affects how the card string is displayed. In the database the alphanumeric string is stored in clear, so anyone with access to the database can read it.
Fixed length administrative mask for card [Advanced]: if checked, a fixed number of characters is masked for cards, so the masked value does not reveal the length of the card string.
Number of unmasked card suffix chars [Advanced]: the number of trailing card characters that are left unmasked.
Overwrite new cards on the old ones [Advanced]: if checked, a newly registered card may overwrite a user's old card.
Delete card mappings to disabled users [Advanced]: if checked, card mappings of disabled users are deleted.
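The card PIN rules above (minimum and maximum length, numeric or alphanumeric type, deny same character, deny sequential digits and letters, minimum digits and letters) combine into a single policy check. The validator below is an added example and not code from the product; the setting names are mirrored as field names of a `PinPolicy` dataclass, which is an assumption, and the choice that a run of four consecutive characters anywhere in the PIN counts as "sequential" is also an assumption (the page only gives 1234 and abcd as examples).

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PinPolicy:
    """Assumed mirror of the Card PIN settings; field names are not the product's own."""
    min_length: int = 4
    max_length: int = 8
    pin_type: str = "numeric"          # "numeric" or "alphanumeric"
    deny_same_character: bool = True
    deny_sequential_digits: bool = True
    deny_sequential_letters: bool = True
    min_digits: int = 0
    min_letters: int = 0


SEQ_WINDOW = 4  # assumption: four consecutive characters (1234, abcd, 4321) count as sequential


def _has_sequential_run(pin: str, alphabet: str) -> bool:
    """True if any SEQ_WINDOW-long window of `pin` is an ascending or descending run in `alphabet`."""
    for i in range(len(pin) - SEQ_WINDOW + 1):
        window = pin[i:i + SEQ_WINDOW]
        if any(c not in alphabet for c in window):
            continue
        positions = [alphabet.index(c) for c in window]
        steps = {b - a for a, b in zip(positions, positions[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_pin(pin: str, policy: PinPolicy) -> list:
    """Return the list of policy violations; an empty list means the PIN is acceptable."""
    errors = []
    if not policy.min_length <= len(pin) <= policy.max_length:
        errors.append(f"length must be between {policy.min_length} and {policy.max_length}")
    if policy.pin_type == "numeric":
        if not all(c in string.digits for c in pin):
            errors.append("numeric PIN may contain digits only")
    elif policy.pin_type == "alphanumeric":
        if not (pin.isascii() and pin.isalnum()):
            errors.append("alphanumeric PIN may contain ASCII letters and digits only")
    else:
        raise ValueError(f"unknown PIN type {policy.pin_type!r}")
    if policy.deny_same_character and len(set(pin)) == 1:
        errors.append("PIN must not consist of a single repeated character")
    if policy.deny_sequential_digits and _has_sequential_run(pin, string.digits):
        errors.append("PIN must not contain a sequence of consecutive digits")
    if policy.deny_sequential_letters and _has_sequential_run(pin.lower(), string.ascii_lowercase):
        errors.append("PIN must not contain a sequence of consecutive letters")
    digits = sum(c in string.digits for c in pin)
    letters = sum(c.isalpha() for c in pin)
    if digits < policy.min_digits:
        errors.append(f"PIN must contain at least {policy.min_digits} digits")
    if letters < policy.min_letters:
        errors.append(f"PIN must contain at least {policy.min_letters} letters")
    return errors


if __name__ == "__main__":
    numeric = PinPolicy()
    alnum = PinPolicy(min_length=6, max_length=10, pin_type="alphanumeric", min_digits=2, min_letters=2)
    for candidate, policy in [("2580", numeric), ("1234", numeric), ("1111", numeric),
                              ("k7m2qz", alnum), ("abcd12", alnum)]:
        print(candidate, check_pin(candidate, policy) or "OK")
```

Note that "Deny same character" and the sequential checks only reject the most obvious weak PINs; a numeric PIN of the minimum length still has a small search space, which is why the lockout and strong-authentication settings matter as much as the composition rules.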
PIN¶
Creation strategy: the strategy used for the creation of a PIN code:
NONE: no PIN code is created.
AUTO_GENERATION_PIN: it enables the automatic creation of a PIN once the user first logs in.
CREATION_PIN_FROM_CLIENT: it enables the creation of a PIN from client.
AUTO_GENERATION_PIN_FOR_INTERNAL_USERS: it enables the automatic creation of a PIN once an internal user first logs in.
PIN length: the length of a PIN code.
PIN expire strategy: the strategy to delete expired user PIN mappings. Possible values are OFF, INTERNAL (i.e., guest users) or ALL.
Auto generated PIN lifetime: the lifetime for auto generated PINs in hours.
Expired PIN cleanup execution cron: the cron expression to clean up expired PINs.
Email subject: email subject templates for emails sent to users after a PIN autocreation.
Email body: mail body templates for emails sent to users after a PIN autocreation.
Notification on PIN renew [Advanced]: if checked, an email is sent with a notification about the PIN renewal.
Administrative mask for PIN: the strategy used can be:
ADMINISTRATIVE_MASK_ENABLED: the numeric string of the PIN is not shown in plain text but masked with asterisks.
ADMINISTRATIVE_MASK_DISABLED: the numeric string of the PIN is in plain text.
Fixed length administrative mask for PIN [Advanced]: if checked, a fixed number of characters is masked for PINs, so the masked value does not reveal the length of the PIN.
Number of unmasked PIN suffix chars [Advanced]: the number of trailing PIN characters that are left unmasked.
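The administrative mask settings for cards and for PINs behave the same way: a mode switch, an optional fixed-length mask, and a count of trailing characters left readable. The example below is added here and is not the product's code; the fixed mask length of 8 asterisks is an assumption (the page does not state the value the product uses). The second function quantifies what a practitioner should check before enabling an unmasked suffix: every unmasked character removes one position from the search space of a secret the administrator's screen (or a screenshot of it) exposes.

```python
MASK_ENABLED = "ADMINISTRATIVE_MASK_ENABLED"
MASK_DISABLED = "ADMINISTRATIVE_MASK_DISABLED"
FIXED_MASK_LENGTH = 8  # assumption: the page does not give the product's fixed mask length


def administrative_mask(value: str, mode: str, fixed_length: bool = False, unmasked_suffix: int = 0) -> str:
    """Render a card string or PIN the way an administrative view would display it.

    mode            ADMINISTRATIVE_MASK_ENABLED or ADMINISTRATIVE_MASK_DISABLED
    fixed_length    mask a fixed number of characters instead of one per hidden character,
                    so the rendering does not reveal the secret's real length
    unmasked_suffix number of trailing characters left readable for identification
    """
    if mode == MASK_DISABLED:
        return value
    if mode != MASK_ENABLED:
        raise ValueError(f"unknown mask mode {mode!r}")
    if unmasked_suffix < 0:
        raise ValueError("unmasked suffix length must not be negative")
    keep = min(unmasked_suffix, len(value))
    suffix = value[len(value) - keep:]          # value[-0:] would return the whole string
    hidden = len(value) - keep
    stars = "*" * (FIXED_MASK_LENGTH if fixed_length else hidden)
    return stars + suffix


def remaining_guesses(secret_length: int, unmasked_suffix: int, alphabet_size: int) -> int:
    """Search space left to someone who has seen the masked rendering of a secret."""
    hidden = max(secret_length - unmasked_suffix, 0)
    return alphabet_size ** hidden


if __name__ == "__main__":
    card = "0A1B2C3D4E5F"      # constructed sample card string
    print(administrative_mask(card, MASK_ENABLED, fixed_length=False, unmasked_suffix=4))
    print(administrative_mask(card, MASK_ENABLED, fixed_length=True, unmasked_suffix=4))
    print(administrative_mask(card, MASK_DISABLED))
    # A 4-digit numeric PIN with 2 unmasked suffix chars leaves only 100 candidates.
    print(remaining_guesses(4, 2, 10))
```

With a variable-length mask the number of asterisks equals the number of hidden characters, so the rendering still tells an observer how long the card string or PIN is; the fixed-length option hides that too. Neither option changes what is stored: as the note above says, the value in the database remains readable in clear.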
[Advanced] Authentication Providers¶
Genius Server supports authentication from different types of provider. An external authentication system such as LDAP, Active Directory or a database can be unavailable for different reasons (e.g. maintenance, faults, technical problems). When users log in, Genius Server tries to connect to the external providers in a specified order. When an authentication provider is unreachable, it is put on a blacklist and not contacted again until its service returns to normal operation. This limits the authentication time considerably, especially when external providers are switched off for maintenance, because a blacklisted provider is skipped instead of costing a connection timeout on every login.
The following settings configure the watchdog that checks the connections to the providers on the blacklist:
Fallback authentication enabled: if enabled, authentication credentials are temporarily cached, allowing authentication also when the original authentication providers are not reachable. This credential cache has the same temporal settings as the identity detail cache. For each identity only one username/password pair, one PIN and one card are cached. Because the cache keeps authentication material for the whole cache lifetime, keep that lifetime as short as the availability requirement allows.
Identity detail search max results: the maximum number of results returned by an identity detail search on an authentication provider.
Note
When an external provider is put on the blacklist, the system produces an ERROR type Event Protocol entry. When it is removed, the system produces an INFO type Event Protocol entry. Providers stay disabled until they are removed from the blacklist. While a provider is disabled, the system cannot obtain information from it about users, for example when the login provider is operative but the user detail provider is disabled.
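The following simulation shows how the ordered provider chain, the blacklist with its watchdog, the fallback credential cache, and the "Merge details and groups" option from the Identity detail section interact. It is an added example, not Genius Server code: the `Provider` class stands in for an LDAP, AD or database provider, the user records are constructed sample data, and storing the cached password as a salted PBKDF2 digest rather than in clear is this example's own choice, not a statement about how the product stores its fallback cache.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field


class ProviderUnavailable(Exception):
    """Raised by a provider that cannot be reached (maintenance, network fault)."""


@dataclass
class Provider:
    """Stand-in for one LDAP/AD/database provider; `users` maps username -> (password, groups)."""
    name: str
    users: dict
    reachable: bool = True

    def authenticate(self, username, password):
        if not self.reachable:
            raise ProviderUnavailable(self.name)
        entry = self.users.get(username)
        return entry is not None and hmac.compare_digest(entry[0], password)

    def groups(self, username):
        if not self.reachable:
            raise ProviderUnavailable(self.name)
        entry = self.users.get(username)
        return set(entry[1]) if entry else set()


@dataclass
class AuthChain:
    """Ordered providers with a blacklist, a fallback credential cache and group merging."""
    providers: list
    fallback_enabled: bool = False
    merge_groups: bool = False
    cache_lifetime_s: float = 600.0             # same lifetime as the identity detail cache
    blacklist: set = field(default_factory=set)
    _cache: dict = field(default_factory=dict)  # username -> (salt, PBKDF2 digest, expiry)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def _remember(self, username, password, now):
        salt = os.urandom(16)  # one pair per identity: a new login replaces the old entry
        self._cache[username] = (salt, self._digest(password, salt), now + self.cache_lifetime_s)

    def _from_cache(self, username, password, now):
        entry = self._cache.get(username)
        if entry is None or entry[2] <= now:
            return None
        salt, digest, _ = entry
        return "fallback-cache" if hmac.compare_digest(self._digest(password, salt), digest) else None

    def watchdog(self):
        """Re-probe blacklisted providers and release those that answer again (INFO event)."""
        for p in self.providers:
            if p.name in self.blacklist and p.reachable:
                self.blacklist.discard(p.name)

    def login(self, username, password, now=None):
        """Name of the provider that accepted the credentials, 'fallback-cache', or None."""
        now = time.time() if now is None else now
        any_reachable = False
        for p in self.providers:
            if p.name in self.blacklist:
                continue                        # skipped: no connection timeout paid
            try:
                accepted = p.authenticate(username, password)
            except ProviderUnavailable:
                self.blacklist.add(p.name)      # ERROR event would be logged here
                continue
            any_reachable = True
            if accepted:
                if self.fallback_enabled:
                    self._remember(username, password, now)
                return p.name
        # Fall back only when no provider could answer at all; a rejection by a
        # reachable provider must not be overridden by stale cached credentials.
        if self.fallback_enabled and not any_reachable:
            return self._from_cache(username, password, now)
        return None

    def groups(self, username):
        """First provider that knows the user, or the union over all active ones if merging."""
        found = set()
        for p in self.providers:
            if p.name in self.blacklist:
                continue
            try:
                g = p.groups(username)
            except ProviderUnavailable:
                self.blacklist.add(p.name)
                continue
            if g and not self.merge_groups:
                return g
            found |= g
        return found


def demo():
    """Walk through the scenarios described on the page; constructed sample data throughout."""
    ldap = Provider("ldap", {"alice": ("s3cret", {"staff"})})
    db = Provider("database", {"alice": ("db-only-pw", {"finance"}), "bob": ("hunter2", {"guests"})})
    chain = AuthChain([ldap, db], fallback_enabled=True)
    out = {"normal": chain.login("alice", "s3cret", now=1000), "first_groups": chain.groups("alice")}
    chain.merge_groups = True
    out["merged_groups"] = chain.groups("alice")
    ldap.reachable = False                       # primary goes down for maintenance
    out["ldap_down_db_rejects"] = chain.login("alice", "s3cret", now=1010)
    out["blacklist_after"] = set(chain.blacklist)
    db.reachable = False                         # now nothing is reachable
    out["all_down"] = chain.login("alice", "s3cret", now=1020)
    out["all_down_wrong_pw"] = chain.login("alice", "wrong", now=1020)
    out["all_down_expired"] = chain.login("alice", "s3cret", now=1601)
    ldap.reachable = db.reachable = True
    chain.watchdog()
    out["after_watchdog"] = chain.login("alice", "s3cret", now=2000)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Two behaviours in the walk-through are worth noticing. With the primary down but the database still answering, alice's LDAP password is rejected rather than served from the cache, because a reachable provider gave a definitive answer. And once the cache entry's lifetime (the identity detail cache lifetime) has passed, fallback authentication fails even though the cached pair was correct, which is the page's reason for tying the two lifetimes together.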
To save, press the Save Changes button and then Back.