Security

 

The following settings are available in this menu:

Authentication

Login

  • Account enabled (Enable or disable all accounts on the server. No user will be able to log in. Configuration pages will remain accessible.)
     
  • Login valid after (All logins will be allowed after the timestamp specified, but not before.)
     
  • Login valid before (All logins will be allowed before the timestamp specified, but not after.)
     
  • Max failed login attempts for user(s) (This setting throttles login attempts for the user(s) by limiting the maximum number of attempts in a given time period. All further login attempts are rejected until the oldest login attempt expires (sliding time window). The time period is specified by the "Max failed login attempts period in seconds" setting.)
     
  • Max failed login attempts from IP address (This setting throttles login attempts from one IP address by limiting the maximum number of login attempts in a given time period. All further login attempts are rejected until the oldest login attempt expires (sliding time window). The time period is specified by the "Max failed login attempts period in seconds" setting.)
  • Max failed login attempts from an application integrator's IP address (This setting throttles login attempts from one application integrator's IP address by limiting the maximum number of login attempts in a given time period. All further login attempts are rejected until the oldest login attempt expires (sliding time window). The time period is specified by the "Max failed login attempts period in seconds" setting.)
     
  • Max failed login attempts period in seconds (Set the time period in which each failed login attempt will count towards the maximum failed login attempts.)

Organization

  • Login layout (Set layout that will be used on your ISL Conference Proxy when logging in.)
  • Organization login layout (Set layout that will be shown when logging in to an organization on your ISL Conference Proxy.)

Two-factor Authentication

  • Login without configured Two-Factor Authentication (Disabling this option will force Two-Factor Authentication for all users. This will require the users to configure Two-Factor Authentication on their next login attempt if they do not have at least one Two-Factor Authentication method set.)
  • "Don't ask again on this device" option for 2-Factor authentication (Disabling this option will remove the "Don't ask again on this device" checkbox from the GUI, and the users will no longer be able to skip Two-Factor Authentication on any devices.)

Password

  • Change Password (When this setting is enabled, user(s) can change their password in "Profile". Disable this setting if you wish to prevent users from changing their password. Warning: enabling either the "Require password change" or "Password expiration interval" setting will prompt the user to change his password on the next login, but they will be unable to do so if this setting is disabled. Doing so may lock user(s) out of their account)
     
  • Minimum password length: (User passwords shorter than selected value will be rejected by the system. This requirement can be disabled by setting the value to "0". Changing the setting value does not affect any existing user passwords and is only applied on a user's next password change)
     
  • Maximum password length: (User passwords longer than selected value will be rejected by the system. This requirement can be disabled by setting the value to "0". Changing the setting value does not affect any existing user passwords and is only applied on a user's next password change)
  • List of custom special characters: (The value for this setting is a string containing special characters that should appear in a user's new password. The number of required special characters is set by the "Minimum number of custom special characters required in passwords" setting. Setting this to an empty string will disable the special characters requirement. Changing the setting value does not affect any existing user passwords and is only applied on a user's next password change)
  • Minimum number of custom special characters required in passwords: (This setting specifies the minimum number of special characters required in users' new passwords. The list of special characters can be set using the "List of custom special characters" setting. This requirement can be disabled by setting the value to "0". Changing the setting value does not affect any existing user passwords and is only applied on a user's next password change)
     
  • Minimum number of uppercase characters required in passwords: (This setting specifies the minimum number of uppercase characters required in users' new passwords. This requirement can be disabled by setting the value to "0". Changing the setting value does not affect any existing user passwords and is only applied on a user's next password change)
     
  • Minimum number of lowercase characters required in passwords: (This setting specifies the minimum number of lowercase characters required in users' new passwords. This requirement can be disabled by setting the value to "0". Changing the setting value does not affect any existing user passwords and is only applied on a user's next password change)
     
  • Minimum number of digit characters required in passwords: (This setting specifies the minimum number of digit characters (0, 1, 2, ..., 9) required in users' new passwords. This requirement can be disabled by setting the value to "0". Changing the setting value does not affect any existing user passwords and is only applied on a user's next password change)
  • Allow passwords to start or end with whitespace: (When this setting is enabled, users' new passwords may start or end with a whitespace character (" ", "\n", ...) otherwise they are rejected by the system. Changing the setting value does not affect any existing user passwords and is only applied on a user's next password change)
  • Allow passwords from password_blacklist.txt (When this setting is disabled, users' new passwords are checked against a database of blacklisted passwords (which is set by the system administrator) meant to prevent passwords that are too common/basic. If a user's new password is blacklisted, they are shown the following message: "Password considered too weak. Please choose a stronger password.". Changing the setting value does not affect any existing user passwords and is only applied on a user's next password change)

Note: A custom password_blacklist.txt file can be uploaded to "Private Storage" of ICP to replace the default version.

Session management

User Sessions 

  • View own sessions (When this setting is enabled, the user can list and query their own sessions.)
  • Control own sessions (When this setting is enabled, the user can terminate their own sessions. Please note that the "View own sessions" setting also needs to be enabled.)

Domain Sessions

  • View domain sessions (When this setting is enabled, the user can list and query sessions in their own domain.)
  • Control domain sessions (When this setting is enabled, the user can terminate sessions in their own domain. Please note that the "View domain sessions" setting also needs to be enabled.)

Server Sessions

  • View server sessions (When this setting is enabled, the user can list and query sessions on the server.)
  • Control server sessions (When this setting is enabled, the user can terminate sessions on the server. Please note that the "View server sessions" setting also needs to be enabled.)

Server Administration

Backup(s)

  • User can create backups (Grants access to backup management dashboard where user can configure scheduled backups. Read more about Backup module here.) 

Application Integrators

  • User can manage application integrators (Grants access to integrations dashboard where user can add/update/remove application integrators.)
  • Authorized app RSA key size (When user authorizes an integration application a RSA key pair is generated which serves a role similar to access tokens in OAuth. This setting defines the key size for the RSA key pair.)

SSL

  • User can create SSL certificates (Grants access to SSL module management dashboard where user can create SSL certificates for ISL ConferenceProxy. Read more about SSL module here)

Other

Uncategorized

  • Server public address template (Added support for external load balancer for ISL Conference Proxy)
  • Use single public address in GRID (This option has to be enabled to use external load balancer for ISL Conference Proxy, make sure you also set Server public address template (above) and have correct settings in DNS Server Zones tab.)
  • Record client IPs (Enable to record client IP addresses)
  • Max recorded client IPs to hold in memory (Number of IP addresses stored)
  • Save recorded client IPs interval in seconds (Number of seconds defining how long the IPs recorded should be kept.)
  • Default SSL profile (Default SSL profile sets protocol and cipher suite for "HTTPT SSL", "Application MUX SSL" and "GRID SSL")
  • Redirect HTTP to HTTPS for all user web pages (enable/disable forcing the HTTP traffic to be redirected to HTTPS for user web pages. Default: yes)
  • Redirect HTTP to HTTPS only for login web page (force the HTTPS only for user login page)
  • Disable HTTPS URLs on web pages  (enable/disable automatic usage of SSL on web pages)
  • Blocked file extensions for user upload (.exe ...): (block files of specified type from being uploaded trough modules that support file uploads and download (e.g. ISL Groop, ISL Pronto, ISL AlwaysOn))
  • Allowed file extensions for user upload (.txt ...): (allow only files of specified type from being uploaded trough modules that support file uploads and download (e.g. ISL Groop, ISL Pronto, ISL AlwaysOn))

Note:

Settings for Blocked file extensions and Allowed file extensions work in combination as follows

  • If allowed file extensions are specified then they act as a "whitelist" meaning that only allowed file extensions can be uploaded. 
  • If the same file extension is specified as Allowed and Blocked at the same time then you will not be able to upload it.
  • If allowed file extensions are not specified then Blocked file extensions act as a "blacklist" meaning you will not be able to upload the specified types of files.
  • Allow inline download of user uploaded files (MIME type regex ...): (set which files can be downloaded inline - they will be shown in browser and not directly downloaded. Be careful with adding new file types as they can pose a security risk. e.g. .svg files can contain hidden javascript.) Default syntax below allows text and image files (jpeg,png,gif and webp) to be downloaded inline:
image/(jpeg|png|gif|webp)
text/plain
  • Hide server version in HTTP response and SMTP headers (allow/deny server version to be shown in HTTP response and SMTP headers when sending emails)
  • Remove HTTP Server header in user web pages (Do not include the server header when serving user web pages. Note: Requests to /webaccess will always return the server header.)
  • Disable autocomplete for web login forms (Disable autocomplete function for forms on login pages)
  • Do not cache encrypted web pages to disk (Enable/disable caching of encrypted web pages to disk)
  • Enable forgotten password procedure (Disable the forgot password procedure - no option for recovery email will be shown)
  • Hide account status when performing forgotten password procedure (When forgotten password procedure is triggered, the server will not show if the email entered has an account registered to it - avoids email enumeration, but reduces amount of user feedback)
  • Allow sending forgotten password emails to unregistered email accounts (Allow sending forgotten password emails to addresses not registered with ISL Online account)
  • Allow sending emails by authenticated user (Set if registered user can send emails)
  • Record client address in SMTP headers (client's IP address is added to SMTP header when sending an email)
  • Enable insecure redirect handler (backwards compatibility only) (This is a legacy setting and should not be enabled.)
  • Disable framing of web pages (When true (default) ICP will set X-Frame-Options : SAMEORIGIN  for security reasons preventing ICP to be used in html frames.)
  • HTTP header Referrer-Policy (This setting controls the value of the header returned in all HTTP responses. The default value is "same-origin".)
  • HTTP header Strict-Transport-Security (Enforce strict use of HTTPS on websites. More information can be found here: Strict Transport Security. The header looks like this:
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains

Important: When applying this setting make sure you include only the header value, without the Strict-Transport-Security: prefix. Sample setting value:

max-age=31536000; includeSubDomains
  • HTTP header Public-Key-Pins (associate a specific cryptographic public key with a certain web server. More information can be found here: Public Key Pins.) The header looks like this:
Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"]

Note: Be mindful when using this header as you can lock yourself out. Additionally the Public-Key-Pins header is being depricated.

  • HTTP header X-XSS-Protection (define what kind of cross-site scripting (XSS) attack prevention headers should be set by ICP. More information can be found here: X-XSS-Protection) The following values are possible:
0 (Disables XSS filtering)
1 (Enables XSS filtering, page is sanitized before being displayed)
1; mode=block (Enables XSS filtering, page is not displayed if XSS is detected)
1; report=<reporting-uri> (Enables XSS filtering, page is sanitized before being displayed and the event is reported to the <reporting-uri> address)

Note: Only configure this setting if required to do so based on your security policy and/or you know exactly what you are doing. It is recommended to leave the setting on default value.

  • Require HTTPS for WebSockets when HTTP to HTTPS redirect is enabled (enable/disable forcing SSL for WebSockets. Default: yes)
  • Require HTTPS for WebAPI when HTTP to HTTPS redirect is enabled (enable/disable forcing SSL for WEBAPI. Default: yes)
  • Require HTTPS for WebAPI2 when HTTP to HTTPS redirect is enabled (enable/disable forcing SSL for WEBAPI2. Default: yes)
  • Filters that define access to webapi2 (Define filters for accessing webapi2 and web pages.) Example of filter syntax:
[user_id=s-1_0_0|path=/users/isllight]

allow_ip 1.2.3.0/24;

[/users/isllight]

[/users]
allow_ip 1.2.3.0/24

Note: In the example above -> /user web pages can be accessed only from 1.2.3.0/24. ISL Light cannot be accessed by anyone except user with id s-1_0_0 in 1.2.3.0/24

  • List of webapi2 calls that will NOT be registered (Specify a list of webapi(s) that will not get registerd on server restart and will not be accessible.)
  • Filters that define access to web pages (Specify filters that restrict access to webpages served by ISL Conference Proxy. Filters based on geolocation and user agents (browsers) are now supported as well.) Examples of filter syntax: (Note: Browser (User Agent) has to be url encoded)
#Deny access to /user/main/login.html page for specific IP's
[/users/main/login.html]
allow_ip 1.2.3.0/24;
allow_ip 172.16.1.0/24;
allow_ip 172.16.99.0/24;

#Deny access to /users/main/downloads.html for users from Slovenia (country code SI)
[/users/main/downloads.html]
filter deny_geoipcc SI

#Deny access to /users/main/downloads.html for users using Google Chrome
#Make sure to put allow_all flag at the end to allow other UAs besides Chrome to access the website
[/users/main/downloads.html]
deny_ua Mozilla%2F5.0%20%28Windows%20NT%2010.0%3B%20Win64%3B%20x64%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F71.0.3578.98%20Safari%2F537.36
allow_all
  • SSL client initiated renegotiation (controls whether a connecting client is allowed to initiate an SSL renegotiation on the server or not)
  • TLS ticket refresh interval in seconds (set interval after which TLS session ticket is refreshed and a fresh handshake is required)
  • User privileges settings (set which users have the permission to attach and resume sessions)
#Default values, "star" means that all users have that permission
#Replace "star" with username if you want to limit the permission to a specific user
[light_session]
star:resume
star:attach
  • User can view list of domains on server (specifies whether users can view a list of their own domains on the server)
  • User can view list of users in own domain (specifies whether users can view other users in the domain)
  • User can view list of users on server (specifies whether users can view a list of other users who have access to the server)
  • User can view list of user groups in own domain (specifies whether users can view list of user groups in own domain)
  • User can create group hierarchy [unsupported preview] (user can create group hierarchy by adding group to another group)
  • View downloads (specifies if the /Downloads pages are protected by allowing access only to users that log in)
  • View program list in /users/programs (By default requests to /users/programs are redirected to the downloads page. Set this to Yes to expose a special interface on /users/programs which allows you to see available versions, platforms, branches etc.)
  •  Download program Wasm debug files (Enabling this setting will allow user to download debug files that are part of Wasm programs.)
  • View network status in /network_status (specifies whether users can view network status at /network_status)
  • Enable system information in /sysinfo (specifies whether to enable system information in /sysinfo)
  • Enable GRID health api in /health/grid (Enable this setting to expose health status with http api on /health/grid)
  • GRID health api secret (Enable this setting to protect api with secret (if not empty, http api requests must have secret provided as URL parameter))
  • Enable public file list in /files (backward compatibility) (If enabled, the files placed placed in public storage will be listed at <server_address>/files)
  • Allow stress test (Allow the stress test to be performed)
  • Store last used language in account (specifies whether to save the last used language in account)
  • Mail template for forgotten password (Customize template for email sent when user forgets his or hers password)
  • Mail template for forgotten password (backwards compatibility v1) (Mail template for forgotten password used for backwards compatibility)
  • Forgot password e-mail token expiry in seconds (Expiry time for forgotten password toke, if the password isn't changed in this time, a new password has to be requested again)
  • Maximum forgot password e-mails per expiry period (Use this option to set a maximum number of forgot password e-mails sent per expiry period. The default value is 5, the expiry period is 30 minutes.)
  • Valid password format (regex) (use this option to specify a valid password format using a regular expression)

When user enters a new password it has to match the regex you specified in ISL Conference Proxy. 

Example

^(?=.*[A-Z].*[A-Z])(?=.*[!@#$&*])(?=.*[0-9].*[0-9])(?=.*[a-z].*[a-z].*[a-z]).{8,}$

The regex above requires the user password to be in the following form:

  • 8 characters length
  • 2 letters in Upper Case
  • 1 Special Character (!@#$&*)
  • 2 numerals (0-9)
  • 3 letters in Lower Case 

Explanation:

More regex information and tutorials can be found here: https://regexone.com/. 

 $                            End anchor. 
 .{8,}                        Ensure string is at least of length 8.
 (?=.*[a-z].*[a-z].*[a-z])    Ensure string has three lowercase letters.
 (?=.*[0-9].*[0-9])           Ensure string has two digits.
 (?=.*[!@#$&*])               Ensure string has one special case letter.
 (?=.*[A-Z].*[A-Z])           Ensure string has two uppercase letters.
^                             Start anchor
  • Invalid password error (use this option to modify the invalid password error notification)
  • Valid e-mail format (regex) (use this option to specify a valid e-mail format using a regular expression)
  • Invalid e-mail error (use this option to modify the invalid e-mail error notification)
  • Error message for disabled module (Use this option if you wish to show an error message when using disabled mode)
  • License specification (This is an internal setting and should not be set)
  • Application MUX SSL test port (set a designated port which can be used by testing tools (e.g. sslscan) to scan for which protocols and ciphers are used by ICP)
  • Application MUX SSL protocol (list SSL protocols that should be enabled on the server side. Most secure protocol shared by client and server will be used)
  • Application MUX SSL cipher suite (list SSL cipher suites that should be used by the server. Most secure cipher shared by client and server will be used)

Note: Please be very careful when changing the MUX SSL settings. Default values are selected to offer maximum security and usability. By changing this settings your service can be severely degraded (security issues, connections not being established...) 

  • HTTP proxy for web client (you can use this option to specify a web proxy that should be used by ISL Conference Proxy, the syntax is proxyaddress:proxyport or username:password@proxyaddress:proxyport if you need to specify a username and a password for your web proxy)
  • Do not use HTTP proxy for addresses (if you set the option above, you can use this setting to specify the addresses where a web proxy should not be used; use commas to separate the addresses)
  • Server Administrator whitelist (user IDs) (If the list is empty then whitelist is disabled and any account that is marked as Administrator can log into configuration pages. For additional security overview you can specify user IDs here and they will act as a whitelist, meaning that only Administrator accounts that are listed here can log into configuration pages. This setting comes in handy, for example, when you have a large number of users and want to make sure that no account was given Administrator access by accident.)
  • Allowed IP addresses for server administration (By default, you can only access ISL Conference Proxy administration from a local machine - you can specify allowed IP addresses in two ways, either list the IP addresses separated with commas or specify an allowed subnet, e.g. 192.168.0.1/255.255.255.0.)
  • Must use SSL for server administration (set to Yes to allow only SSL encrypted access to ISL Conference Proxy administration - note that you will need to use the appropriate https link for administration: https://localhost:7615/conf)
  • Allowed IP addresses for XMLMSG (use this option to set allowed IP addresses that can use the XMLMSG interface for ISL Conference Proxy administration)
  • Must use SSL for XMLMSG (set to Yes to allow only SSL encrypted access to ISL Conference Proxy administration through the XMLMSG interface - note that you will need to use the appropriate https link for administration: https://localhost:7615/xmlmsg)
  • Force networks to public internet address (use this option to override server's autodetect for internet/intranet)
  • Force networks to private intranet address (use this option to override server's autodetect for internet/intranet)
  • Address to view numeric ID mapping (MATCH=ID …) (this setting is used to define multiple lines of IP match to view numeric ID like "192.168.0.0/16=10), matches are done line by line and stop on first match)
  • Enable email matching on authentication (enable users to also log in with their account e-mail address instead of their username)
  • Max accounts when authenticating with email matching (multiple users can have the same email and. When entering an email which matches multiple users the user matching is done based on password entered. This setting controls how many accounts can be matched by an email. If email matches more accounts than the limit specified here the user will be asked to enter his full name to log in.)
  • GRID-wide max failed login attempts (default: "yes" - specify if the failed login attempts are summed across the whole grid. e.g. If limit is set to 60 failed login attempts and there are 20 failed login attempts on server A and 40 on server B then limit is reached.)
  • Max failed attempts to join a session from IP address (default 60) - maximum number of failed attempts to join a session from a specific IP address.
  • Max failed attempts to join a session period in seconds(default 60) - time period defined in seconds for maximum number of failed attempts to join a session in defined time period

Note: Throttling counters for normal and administrative accounts are separate, meaning that if you are being throttled when logging in as a standard user, you will still be able to log in with and administrative account from the same IP address.

  • GRID-wide max failed attempts to join a session (default: "yes" - specify if the failed login attempts are summed across the whole grid )
  • System hashed password scheme (Select the scheme for storing passwords and account settings  for services that don't require reversible storing scheme)
    • You can select between following options:
      • islhash1- selected by default, most secure amongst the available options. It uses the following algorithm for encrypting passwords:
      • islstatic1 - Internal reversible password scheme - LESS SECURE
      • plain text - passwords are stored in plain text

Note: Passwords on ISL Conference Proxy were stored as plain text. With ISL Conference Proxy 4.1.0 new account and password resets use islhash1 scheme for encrpytion/hashing of passwords. User accounts and settings are no longer stored in plain text. Account created before updating to ISL Conference Proxy 4.1 will be still stored as plain text, password change is needed for all old accounts.

  • System reversible password scheme (Select the scheme for storing passwords and account settings for services that require reversible storing scheme)
    • You can select between following options:
      • islstatic1 - Internal reversible password scheme
      • plain text - passwords are stored in plain text
  • Login password scheme (Select scheme for hashing and storing login passwords)
    • You can select between following options:
      • islhash1 - selected by default, most secure amongst the available options.
      • islstatic1 - Internal reversible password scheme - LESS SECURE
      • plain text - passwords are stored in plain text
  • islhash1 salt size (Set the salt size in bytes, default value is 16)
  • islhash1 rounds (Set the number of rounds when hashing the passwords, default value is 10 000)

Possible problems when using islhash1 (PBKDF2):

ISL Light Desk 3.2.1 or older cannot authenticate (3.2.2+ sends password correctly), if the user account has password stored with PBKDF2 scheme, change scheme to plain/reversible and set the password again

ISL AlwaysOn: light::web_session was committed in https://fisheye.islonline.com/changelog/ISL?cs=14670, ISL AlwaysOn Connect 1.2.0 is required for normal operation (uses web session id), 1.1.0 or older will ask for password and won't connect automatically.

ISL Pronto: latest build of module (2.2.1beta48+) is required for normal operation, otherwise ISL Light Desk will ask for password and won't connect automatically

Other important info:

Latest ISL Conference Proxy (4.0.3beta1+), will automatically start using islhash1 scheme for all new accounts or password resets. However, you must use ISL Pronto module 2.2.1beta48+, otherwise ISLCP will keep default mode as plain text!

Latest ISL AlwaysOn module (2.2.3beta7+) is required, if you wish to support users with ISL AlwaysOn Connect 1.1.0 or older and using reversible encryption for passwords (islstatic1)

  • Programs download unsafe arguments action (This setting defines the response of ISL Conference Proxy when an user has unknown parameters in a download URL on ISL Conference Proxy.)
    • You can select between the following options:
      •  No action - no action is performed.
      • Log as warning - selected by default, the attempt is logged in ISL Conference Proxy server log file as warning and an email is sent
      • Reject - rejects the attempt, user encounters Error 403: Forbidden
  • Programs download log unsafe argument values (insecure, only for debugging) (Unsafe arguments are sanitized by default to prevent credentials leaking into logs, "No" by default)
  • Programs download safe arguments (SCOPERX;LCWEBNAMERX;ARGRX;VALRX; ...) 
    Multiline allow list rules, for example to allow x=y for ISL Light and ISL Light Desk:
web;isllight(desk)?;x;y;
  • Require signature for Online update (Check validity of index.xml and software_policy.xml downloaded from http://www.islonline.com/system/updates when determining which updates are available. If this is disabled it is possible to trick ISL Conference Proxy to download third party files, but ISL Conference Proxy will reject them once they are downloaded as all update files are signed.)
  • Require signature for Manual update (Check validity of index.xml and software_policy.xml stored localy when determining which updates are available during a Manual upadte. If this is disabled it is possible to trick ISL Conference Proxy to download third party files, but ISL Conference Proxy will reject them once they are downloaded as all the update files are signed.)
  • Open URL after logout (specify a URL that opens when user logs out of his ICP account.)
  • External authenticator (use this option to specify an external authenticator for all users, you can use existing Microsoft Active Directory, Novell eDirectory, OpenLDAP, Radius or FreeRADIUS for user authentication)
  • External authenticator fail reason specification ([["regex", "html text"], ...]) (specify custom error messages displayed to user on login to reflect the real reason why external authenticator failed)

Note: Html text shown as a response is selected by matching the regex against the error returned by the external authenticator. Default example matches the error response codes returned by LDAP. To learn more about common LDAP errors please refer to: Common Active Directory LDAP errors

  • External authenticator login settings rules ([[rule...], ...]) 
     

Settings were added to configure mapping of external group membership information to ISL Conference Proxy user account settings. Setting is a JSON array of rules "[rule, ...]" executed one by one sequentially. The rules are executed when the user logs in. Available rules:

["key", "KEY", "VALUE"] - set KEY=VALUE
["in-group", "GROUPEXPR", ...] - conditionally execute ... if the user is in GROUPEXPR
["key-group-list", "KEY", "GROUPEXPR_PREFIX"] - set KEY=vector of groups
["key-group-list-comma", "KEY", "GROUPEXPR_PREFIX"] - set KEY=comma separated list of groups
["sync-external-groups-rename", "FROM1", "TO1", "FROM2", "TO2", ...] - renames groups for sync-external-groups using regular expression FROM and replacement TO (uses \1, \2, ... for captures). Renames stop on first FROM match, use multiple sync-external-groups-rename for multiple passes. Rename to empty string will exclude group from sync. Place the rule before "sync-external-groups" and after "groups-from-attr".
["sync-external-groups", "GROUPEXPR_PREFIX"] - for SSO SAML - creates groups with names that start with GROUPEXPR_PREFIX (prefix is removed from group name)
["sync-external-groups", "GROUPEXPR_PREFIX", "GROUPID_PREFIX"] - for LDAP - creates groups with names that start with GROUPEXPR_PREFIX (prefix is removed from group name) and external_id that starts with GROUPID_PREFIX (prefix is removed from external_id). external_id is used as a main identifier, so group renames are supported if external_id stays the same

GROUPEXPR: list of tag:attribute:value
GROUPEXPR_PREFIX: prefix filter, usually set to tag:attribute:

Example:

#Example 
#Users from groups "ISL-admins" and "ISL-limited" have ISL Light enabled, other users do not.
[ 
["key", "light::enabled", "0"],
["in-group", "allgroups:cn:ISL-admins", "key", "light::enabled", "1"],
["in-group", "allgroups:cn:ISL-limited", "key", "light::enabled", "1"] 
]
["sync-external-groups", ":dn:"]
["sync-external-groups", ":dn:", ":objectguid:"]
  • External authenticator allows empty passwords (specifies whether the system should prevent empty passwords from being passed on to the external authenticator)
  • External authenticator backend error reports (specifies whether the system should include errors from external authenticator in error reports)
  • External authenticator maximum sync groups (specifies maximum number of groups to sync)
  • One time passwords (specified whether one-time passwords are used, preventing credential reuse and asking to reauthenticate when needed)
  • External dialog authenticator (which dialog is used for authenticator. Deafult value is $core_login, meaning that the same dialog is used as for core login module of ICP)
  • External dialog authenticator step timeout in seconds (timeout for external authenticator step)
  • Allow legacy login without 2FA support (without external dialog authenticator) (is login allowed without 2 factor authentication)
  • Enable single sign-on SAML (enable single sign-on functionality. While this is enabled the normal login (with ICP users) will not work, all logins will be done via single sign-on)
  • SAML configuration cache max 
  • SAML service provider PEM cert file (path to PEM cert file used by ICP to communicate with identity provider. File should be uploaded to ICP's private storage. Path to files in private storage should be given as objects/<filename>)
  • SAML service provider PEM key file  (path to PEM key file used by ICP to communicate with identity provider. File should be uploaded to ICP's private storage. Path to files in private storage should be given as objects/<filename>)
  • SAML service provider PEM key file passphrase (passphrase for unlocking the PEM key file)
  • SAML identity provider XML metadata URL (XML metadata URL from your Identity provider used to negotiate SAML communication with ICP)
  • SAML identity provider XML metadata URL expire in seconds 
  • SAML identity provider XML metadata file (XML metadata file from your Identity provider used to negotiate SAML communication with ICP)
  • SAML sign authentication request method (select SAML sign authentication request method from the list)
  • SAML request binding method (select SAML request binding method from the list)
  • SAML response binding method (select SAML response binding method from the list)
  • SAML logout from identity provider (enable or disable SAML logout from identity provider)
  • SAML logout NameID attribute (set SAML logout nameID attribute)
  • SAML authenticate on every login (by default when you log out of ICP account your session with Identity provider stays active, meaning that next time you click "Log in" in the ICP you won't have to re-enter the credentials. Set this to yes to always require the user to enter the credentials when logging into ICP.)
  • SAML identity provider initiated login (allow login into ICP by login procedure initiated from SAML system. By contrast the usual workflow is that login is initiated from ICP login page, then user is redirected to SAML page and back to ICP. Default value is Yes.)
     
  • SAML login settings rules ([[rule...], ...]) (SAML rules specify how authentication information obtained via SAML is mapped to ICP's variables and which variables should be set when Single sign-on authentication is performed.) Example rules for integrating with AD FS Identity provider look like this:
[
["key", "domain", "sso"]
,["key-from-attr", "username", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
,["key", "user_profile::password", "0"]
,["key-from-attr", "realname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
,["key", "user_profile::name", "0"]
,["key-from-attr", "email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
,["key", "user_profile::email", "0"]
,["groups-from-attr", "http://schemas.xmlsoap.org/claims/Group"]
]

Each rule begins either with "key","key-from-attr" or "groups-from-attr".

Rules with the "key" attribute specify that the middle parameter is set to the value in the last field. In the example above the "domain" is set to "sso", meaning that users that log in via Single sign-on will be added to the sso domain. Additionaly parameters user_profile::password, user_profile::name, user_profile::email are all set to 0, meaning that user that signs in via Single sign-on will not be able to change his username, password and email inside ICP as this does not make sense.

Rules with "key-from-attr" and "groups-from-attr" sets the value of the middle parameter to the value obtained from the specified attribute. Attributes are specified by your Identity Provider. In the example above the attributes are used to set username, realname, email and group for a user when Single sign-on is performed. Values are obtained via SAML from Identity Provider.

Additionally, check rules are available to assert key, attribute or a group matches on login. The rules have the following form: 

["check-key", "KEY", "VALUE"] - KEY must match VALUE exactly (empty VALUE will also match non-existing KEY)
["check-attr", "SAMLATTR", "VALUE"] - SAML attribute must match VALUE exactly (attributes are a list of values, so the first match is considered success)
["check-in-group", "GROUPEXPR"] - user must be in GROUPEXPR

E.g. expanding the SAML rules from above by allowing the login only from users of "isl" group would look like this:

[
["key", "domain", "sso"]
,["key-from-attr", "username", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
,["key", "user_profile::password", "0"]
,["key-from-attr", "realname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
,["key", "user_profile::name", "0"]
,["key-from-attr", "email", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
,["key", "user_profile::email", "0"]
,["groups-from-attr", "http://schemas.xmlsoap.org/claims/Group"]
,["check-in-group", "isl"]
]
  • Force application web login (enabling this setting will enforce the web login through the web browser in all ISL Online applications)
  • Authenticode tool (select which tool is used for code code signing)
  • Use authenticode from license (set whether code signing should be done from license or from certificate file)
  • Use authenticode packed parameters (BASE64) (the input expects base64 encoded authenticode license key. This setting overrides other authenticode settings including the setting defined in license)

Note: Software downloaded from ISL Conference Proxy is by default now signed with two different certificates (SHA-1 & SHA-2) to follow latest security standards and at the same time enable backwards compatibility for systems that only support SHA-1 signatures. The options below are duplicated, first set of settings enable you to set up your own SHA-2 certificate, and [compat] settings  enable you to set up your own SHA-1 certificate.

  • Authenticode enabled (use this option to enable code signing for all executables downloaded from the server using the provided custom authenticode certificate - if using codesign from the licence, there is no need to enable this setting.)
  • Authenticode hash function (select hash algorithm used by authenticode, you can select between MD5, SHA1, SHA256 , SHA384 and SHA512. Default value: Autodetect)
  • Authenticode publisher certificate file (PKCS#7) (use this option to set the certificate file - in DER PKCS#7 format)
  • Authenticode private key file (PEM) (use this option to set the private key file)
  • Authenticode private key passphrase (use this option to set the private key passphrase in case you use an encrypted private key)
  • Authenticode enabled [compat] (use this option to enable/disable the second authenticode for dual-sign scenarios - code signing for all executables downloaded from the server)
  • Authenticode hash function [compat] (select hash algorithm used by the second authenticode, you can select between MD5, SHA1, SHA256 , SHA384 and SHA512. Default value: Autodetect)
  • Authenticode publisher certificate file [compat] (PKCS#7) (use this option to set the second certificate file - in DER PKCS#7 format)
  • Authenticode private key file [compat] (PEM) (use this option to set the second private key file)
  • Authenticode private key passphrase [compat] (use this option to set the second private key passphrase in case you use an encrypted private key)
  • reCAPTCHA v3 required (require reCAPTCHA v3 on login pages)
    • reCAPTCHA v3 can not prevent the user from proceeding forward. When reCAPTCHA v3 is enabled and user opens your webpage, the request is evaluated by Google and a probability of user being a legitimate user is returned. You have to specify your own way of allowing/denying requests based on this value. 
  • reCAPTCHA v3 site key (enter site key you received when registering captcha v3)
  • reCAPTCHA v3 secret key (enter secret key your received when registering captcha v3) 
  • reCAPTCHA v2 required (require reCAPTCHA v2 on login pages - works independently of reCAPTCHA v3)
    • reCAPTCHA v2 has two modes of operation and can prevent the user from proceeding forward. When registering reCAPTCHA v2 for your website you have to select the Invisible option for reCAPTCHA v2 to work correctly with ICP as described in this topic: reCAPTCHA.
    • If reCAPTCHA v2 works independently of reCAPTCHA v3  (reCAPTCHA v2 required only when v3 score is less setting is disabled), then user will either be let trough or shown a validation window where he will have to recognize images to prove that he is human.
    • If reCAPTCHA v2 works in combination with reCAPTCHA v3 (reCAPTCHA v2 required only when v3 score is less setting is disabled), then user will be either let trough or shown the "I'm not a robot checkbox" depending on the value returned by reCAPTCHA v3.
  • reCAPTCHA v2 required only when v3 score is less: (Only trigger reCAPTCHA v2 validation if the score returned by reCAPTCHA v3 is smaller than specified value. Value specified should be in in the range 0 - 100 specifying the probability in percents. Usual score returned for a valid request by reCAPTCHA v3 is around 90)
  • reCAPTCHA v2 site key (enter site key you received when registering captcha v2)
  • reCAPTCHA v2 secret key (enter secret key you received when registering captcha v2)
  • reCAPTCHA maximum verify queue (0 for unlimited) (maximum number of captcha requests waiting in the queue to be authenticated by Google. When queue is full the new requests are denied. Usually the reason a queue would fill up is network issue between ICP and Google.)
  • reCAPTCHA verify response is ignored (user is allowed to login even with invalid captcha) (if user fails to solve captcha, is he still allowed to log in)
  • CAPTCHA fail 2 ban score (set the threshold score for captcha response. If response is lower than set value a fail2ban tag will be logged and you can use fail 2 ban or similar approach to block offending IP adresses.)
  • reCAPTCHA ignore list of errors(when reCAPTCHA fails, an error is returned. Set which errors are to be ignored and reCAPTCHA treated as solved). Default errors to be ignored:
  • Additional reCAPTCHA protected webapis (use this option to list additional webapis that you would like to protect with reCAPTCHA)
invalid_input_secret_ggl (when google site secret is invalid in ICP configuration)	
internal_net_failed (when ICP cannot solve captcha solution because of net error)
internal_ctx_invalid (when ICP edge server cannot update captchat state from origin server)	
rounds = 10000

salt = random_bytes(16)

output = rounds + ':' + base64(salt) + ':' + base64(PKCS5_PBKDF2_HMAC(password, salt, rounds, sha512))

verify = unbase64(output[2]) == PKCS5_PBKDF2_HMAC(password, unbase64(output[1]), output[0], sha512)
Tags: isl conference proxy, settings, configuration, basics, security

Was this article helpful?