You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Configuring EmpowerID System Settings
You can use system settings to control many aspects of EmpowerID behavior.
How to change values for any of the system settings
On the navbar, expand Infrastructure Admin, then EmpowerID Servers and Settings, and select EmpowerID System Settings.
On the EmpowerID System Settings page, search for the setting that you want to change and click the Edit icon to its left.
In the dialog that appears, you can edit the Value and Description fields, and select whether to Encrypt Data for the setting value. When a value is encrypted, it is not shown in the UI.
After making changes, click Save.
The following table provides the name, default value, and description for each system setting, as well as links to any further information about the setting.
Name | Default Value | Description |
---|---|---|
ABACEmergencyMode | FALSE | Global setting to determine whether the organization is in a crisis emergency mode |
ABACHighRiskScore | 10000 | Threshold Risk Score to be used in ABAC rules |
AccountInboxJoinAndProvisionFilter | A.PersonID IS NULL AND A.Disabled = 0 AND A.Deleted = 0 AND A.AccountTypeID 2 AND A.AccountUsageTypeID = 1 AND LENA.FirstName 0 AND LENA.LastName 0 | Filter for join and provision; only accounts matching the criteria are included. This filter is appended to the AccountInboxJoinFilter for join and to the AccountInboxProvisionFilter for provision. See AccountInboxing_GetJoinAndProvisionFilter for a sample of how to extend it. |
AccountInboxJoinByBirthDateFirstNameLastName | TRUE | If turned on, the join rule tries to join newly discovered accounts to people based on matches on those fields |
AccountInboxJoinByCustomMatch | /* -- this is a sample of how to extend the join rules with custom logic. There would be two extra rules to join by Department and City/State --uncomment the outer comment to make it active --retrieve personID by Department, first and last name UPDATE A SET A.PersonID = PJoined.PersonID, A.AttributeJoinedBy ='Department' FROM #Accounts A INNER JOIN SELECT MINP.PersonID PersonID, P.Department , P.LastName , P.FirstName FROM Person P WITH NOLOCK WHERE P.Department IS NOT NULL AND P.PersonID 3 GROUP BY P.Department, P.LastName , P.FirstName HAVING COUNT1=1 PJoined ON PJoined.Department = A.Department AND PJoined.LastName = A.LastName AND PJoined.FirstName = A.FirstName WHERE A.PersonID IS NULL --retrieve personID by City and State, first and last name UPDATE A SET A.PersonID = PJoined.PersonID, A.AttributeJoinedBy ='City and State' FROM #Accounts A INNER JOIN SELECT MINP.PersonID PersonID, P.City ,P.State, P.LastName, P.FirstName FROM Person P WITH NOLOCK WHERE P.City IS NOT NULL AND P.State IS NOT NULL AND P.PersonID 3 GROUP BY P.City ,P.State, P.LastName , P.FirstName HAVING COUNT1=1 PJoined ON PJoined.City = A.City AND PJoined.State = A.State AND PJoined.LastName = A.LastName AND PJoined.FirstName = A.FirstName WHERE A.PersonID IS NULL */ | Extra custom rule/s that run at the end of the join rules by executing the SQL. It has to follow the sample code |
AccountInboxJoinByEmailFirstNameLastName | TRUE | If turned on, the join rule tries to join newly discovered accounts to people based on matches on those fields |
AccountInboxJoinByEmployeeIDFirstNameLastName | TRUE | If turned on, the join rule tries to join newly discovered accounts to people based on matches on those fields |
AccountInboxJoinByPersonalEmailFirstNameLastName | TRUE | If turned on, the join rule tries to join newly discovered accounts to people based on matches on those fields |
AccountInboxJoinFilter | A.AllowJoin = 1 | Filter for join; only accounts matching the criteria are included. This filter is appended to the AccountInboxJoinAndProvisionFilter. See AccountInboxing_GetJoinFilter for a sample of how to extend it. |
AccountInboxProvisionFilter | A.AllowProvision = 1 AND EXISTS (SELECT 1 FROM AccountStore S WHERE A.AccountStoreID = S.AccountStoreID AND S.AllowPersonProvisioning = 1) | Filter for provision; only accounts matching the criteria are included. This filter is appended to the AccountInboxJoinAndProvisionFilter. See AccountInboxing_GetProvisionFilter for a sample of how to extend it. |
ADUserCreatePostProcessingAlertEnabled | FALSE | Global Setting to Enable or Disable ADUserCreatePostProcessingAlert |
AllowSetMustChangePasswordAtNextLogon | TRUE | Allow Set Must Change Password At Next Logon |
AllowWebApiMethodInvokeProfiling | TRUE | |
AllowWebApiMethodInvokesWithoutCheck | TRUE | |
API_IISAppName | API | |
ApplicationLauncherOAuthConsumerGUID | f0ade541-52d1-4f60-9201-f58e9dc8f7fb | |
ApplicationLauncherOAuthProviderApplicationGUID | 25629B1D-1585-4D19-A58F-A74D00EA30B0 | |
ApplicationLauncherSamlConnectionID | 1 | |
ApplicationLauncherServiceProviderGuid | ||
Azure-AuthorizationRule | MyPolicy1 | |
Azure-ClientID | ||
Azure-ClientSecret | ||
AzureCosmosWFDataAuthKey | ||
AzureCosmosWFDataSerivceEndPoint | https://eidtest.documents.azure.com:443/ | |
Azure-DataCenterLocation | ||
AzureJobEngineDataConnectionString | ||
AzureManticoreConnectionString | Azure Manticore Storage Container Connection String | |
AzureManticoreContainerName | manticore | The Azure container which holds the session recordings |
AzureNotificationHubConnectionString | Azure Notification Hub Connection String | |
AzureNotificationHubName | Azure Notification Hub Name | |
Azure-Relay | eidtest10 | |
Azure-RelayNamespace | tenantDRelay | |
Azure-ResourceGroup | JobEngine | |
AzureSPOCosmosDocumentDBAuthKey | ||
AzureSPOCosmosDocumentDBServiceEndPointUrl | https://eidtest.documents.azure.com:443/ | |
AzureSPOTableDBStorageDataConnectionString | ||
Azure-SubscriptionID | ||
Azure-TenantID | ||
AzureWebJobDataConnectionString | DefaultEndpointsProtocol=https;AccountName=eidazurejobengine;AccountKey=kNGSID50BEmwdInwNwbOyFmzrO+M/PggUHkSU5Nb9xq/ACzFj0CWn4H5SNALMY17TKJFz7qbnVa8qojP25dVhw==;EndpointSuffix=core.windows.net | |
AzureWebJobHost | FALSE | |
AzureWFDataConnectionString | N/A | Specifies the Azure blob connection string when storing workflow data instance in Azure blob. When using Azure blob, the value of the WorkflowDataFactory setting must be updated from SQL to Azure. |
BOTEnableBot | FALSE | Enables the EmpowerID Bot |
BOTSecret | SI6PAkoG9cY.cwA.lko.Ysq1FIFhEkhAcYelcIkZyaHWkm6kJr0LeiE_JiafgvA | Secret for the EmpowerID bot |
BOTUrl | https://webchat.botframework.com/embed/EmpowerIDBot1 | Url of the EmpowerID Bot |
Captcha-HideAndSkipValidationGloballyForTesting | FALSE | Hide Captcha And Skip Captcha Validation Globally For Testing |
ConsumerSelfRegisterEnabled | TRUE | Consumer Self Registration setting to skip person registration in workflow if set to false |
CoreIdentityProvisionLogic | Enter custom Core Identity provisioning logic | |
CountryISOAlpha2Code | US | Country ISO Alpha 2 code used to mask phone numbers during MFA. Refer to http://www.nationsonline.org/oneworld/country_code_list.htm |
DeviceRegistrationCookieExpirationInDays | 15 | Expiration days of the device registration cookie |
DisableCartCommentRequired | TRUE | DisableCartCommentRequired |
DisableCrossPackagePublishCheck | FALSE | |
DUOAPIHostname | ||
DUOIntergrationKey | ||
DUOSecretKey | ||
EidAuthenticationPassphrase | 761a0e0e0330439286d0a739c7d7553b | |
EidAuthenticationSalt | 016fc391fef14cf0a11e03a7b0814e7c | |
EIDBrowserExtensionChromeID | ompmlbphcpnjopgdoknaibgjagocjbbe | ID of the latest Chrome Browser Extension in the Chrome Store |
EIDBrowserExtensionFFInstallPath | http://www.empowerID.com | Path to the installation location of the Firefox SSO Browser Extension |
EIDBrowserExtensionIEInstallPath | http://crossrider.com/download/ie/81138 | Path to the installation location of the Internet Explorer SSO Browser Extension |
EIDBrowserExtensionVersion | 81138 | ID of the Browser Extension version used to build the URL for download and installation |
EidCdnEnableResourceCheckCache | FALSE | |
EidCdnServerUrl | /EmpowerIDWebCDN | |
EidChromeFrameIEVersion | 8 | |
EidEnableLocalizationDebugging | FALSE | |
EidIdPSessionTimeout | 480 | IdP Portal Session Timeout in minutes |
EidInstallationGUID | a32dd358-317b-4c84-bf10-a145236387c5 | |
EidLoginAfterXFailsShowCaptcha | 4 | After x failures on the login page show the CAPTCHA |
EidMaxReportResults | 500000 | Maximum number of results allowed in the email me as report feature |
EidMultiFactorRetryLimit | 3 | Number of times to retry two-factor authentication before reverting to login page |
EidPasswordlessLoginEnabled | TRUE | Option to enable/disable PasswordlessLogin option on the login page |
EIDPersonExpirationNotificationDaysBefore | 21 | How many days to notify before person expires. Used by PersonExpirationNotification permanent WF |
EIDPushNotificationTimeout | 30 | EmpowerID push notification and registration timeout in seconds |
EmailApprovalByEmailEnabled | FALSE | |
EmailEWSEmailProviderMailboxAccountID | ||
EmailEWSEmailProviderMailServerURL | ||
EmailGlobalBCCRecipient | Sends a copy of every email to the specified email address in any mode as a BCC. | |
EmailSmtpEmailProviderFromAddress | Default from address for all EmpowerID notifications | |
EmailSmtpEmailProviderMailboxAccountID | AccountID of an account that has a vaulted password to be used for authenticated send email | |
EmailSmtpEmailProviderMailServer | dc-exch.addomain.com | Email Server used to send out EmpowerID System email messages |
EmailSmtpEmailProviderUseSSL | TRUE | Use SSL for SMTP |
EmailSmtpPortNumber | 25 | SMTP Port for TLS |
EmailSmtpUseTLS | TRUE | If true and EmailSmtpEmailProviderUseSSL is true, EID uses TLS to connect to the SMTP server |
EmailTestMode | FALSE | If true, sends all emails to a specific email address in the EmailTestModeGlobalRecipient settings. |
EmailTestModeGlobalRecipient | Sends a copy of every email to the specified email address in any mode as a recipient. | |
EmpowerID_IISAppName | EmpowerID | |
EmpowerIDWebCDN_IISAppName | EmpowerIDWebCDN | |
EmpowerIDWebIdPForms_IISAppName | EmpowerIDWebIdPForms | |
EmpowerIDWebIdPSmartCard_IISAppName | EmpowerIDWebIdPSmartCard | |
EmpowerIDWebIdPWindows_IISAppName | EmpowerIDWebIdPWindows | |
EmpowerIDWebIdPWSFederation_IISAppName | EmpowerIDWebIdPWSFederation | |
EmpowerIDWebReports_IISAppName | EmpowerIDWebReports | |
EnableBulkRecertification | FALSE | Enables or disables the ability to make a bulk decision for multiple recertification items |
EnableCookieSecureAttribute | TRUE | Flag to enable/disable secure attribute on all the cookies |
EnableRMQServer | FALSE | |
EnableWorkflowRedirectUrl | FALSE | Enables the redirecturl functionality of workflows |
EnvironmentHeaderMessage | Displays a system-wide message at the top banner | |
GoogleMapsAPIKey | AIzaSyAiqp4HyDyFGg6SPad8gAa-hv-eFQz7FwA | API Key that is used with google maps |
GoogleRecaptchaSiteVerifyUrl | https://www.google.com/recaptcha/api/siteverify | Verification URL for Google reCAPTCHA; it cannot contain a query string |
HelpLoginMenuLink | https://docs.empowerid.com/ | Link to external help |
HelpMFALink | https://dotnetworkflow.jira.com/wiki/spaces/E2D/pages/87851239/Multifactor+Authentication | Help link for end user multi-factor authentication |
IdPCacheRefreshInterval | 0 | The interval used to refresh the internal IdP cache for Single Sign On data. If set to ZERO, this setting is DISABLED. |
IdPRuntimeCacheTimeout | 10 | CAUTION: This value should be between 1 and 525,600. The Sliding Expiration Timeout, in minutes, for HTTP Runtime Cache data in the EmpowerID Web IdPs |
InventorySalesForceAccount | FALSE | Setting to verify whether the account object should be inventoried |
IpInfoAccessToken | IpInfo Access Token | |
ITShopIManageGrpAccountMode | TRUE | In IT Shop Resources I manage show the simple mode group account grid not RBAC delegation control |
ITShopIManageGrpRBACSimpleMode | TRUE | In IT Shop Resources I manage show the RBAC delegation control in simple mode |
ITShopMyAccessShowExpiresXDays | 30 | Setting to control which expiring access shows to the user. Only access expiring in X days. |
JoinToCIByBirthDateFirstNameLastName | FALSE | Set this value to true if you want to join Person to Core Identity by FirstName, LastName and DateOfBirth. |
JoinToCIByFirstNameLastName | TRUE | Set this value to true if you want to join Person to Core Identity by FirstName and LastName. |
JoinToCICustomMatchAttributes | Enter a comma separated list of the attributes that should be used to join Person to Core Identity. For example: to join by DateOfBirth and SSN enter: DateOfBirth, SocialSecurityNumber | |
LocaleFlagsEnabled | FALSE | Enables or disables displaying country flags in the locale picker |
LocalePickerEnabled | TRUE | Enables or disables the language picker in the user interface |
LocaleRecordingMode | TRUE | Tells the system to record locale keys that are being used |
LocalizationDefaultLocale | en-US | Default Fallback Locale |
LoginAfterXFailsShowCaptcha | 4 | After x failures on the login page show the CAPTCHA |
LoginLookupAccountByPersonLogonNameToValidatePassword | TRUE | Attempt to validate the password against each of the person's accounts that belong to an Account Store where pass-through authentication is enabled |
LoginNameEnableGenerate | TRUE | Enables the Generate endpoint of the LoginName |
LoginPageAccountUnlockEnabled | TRUE | Specifies whether or not the account unlock button is enabled on the login page |
LoginPageBotEnabled | TRUE | Enable the chat with bot button on the login page |
LoginPageConsumerSelfRegisterEnabled | FALSE | Specifies whether or not the self register button is enabled on the login page |
LoginPageemaillostusernameEnabled | TRUE | Specifies whether or not mail to username is enabled on the login page |
LoginPagePartnerSelfRegisterEnabled | TRUE | Specifies whether or not the partner self register page is enabled on the login page |
LoginPagepasswordresetcenterEnabled | TRUE | Specifies whether or not password reset center is enabled on the login page |
LoginPageRequestOathTokenEnabled | TRUE | Specifies whether or not request oath token is enabled on the login page |
LoginPageSupplierCompanyRegistrationEnabled | TRUE | Specifies whether or not the Supplier Company Registration link is enabled on the login page |
MaximumLoginTravelSpeed | 450 | Maximum Login Travel Speed |
MessageBusSettings | [{Id:8f0cade0-99d0-43f5-96e8-b0bbdc8bea7a,PluginType:Syslog,MessageEntryType:Error,ConnectionString:192.168.254.138:514,AuxiliarySettings:{Publisher:null,Subscriber:null,Topic:null}},{Id:55fb5db1-4c65-4070-9307-f038393c7f3a,PluginType:Syslog,MessageEntryType:Information,ConnectionString:192.168.254.138:514,AuxiliarySettings:{Publisher:null,Subscriber:null,Topic:null}}] | |
MobileClientOAuthApplicationID | A05391D2-D4B0-49F5-9D3B-A8AF009B7247 | EmpowerID Mobile Client OAuthProviderApplicationID |
OathTokenIssuerName |