Configuring EmpowerID System Settings

You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

You can use system settings to control many aspects of EmpowerID behavior. 

How to change values for any of the system settings

  1. On the navbar, expand Infrastructure Admin, then EmpowerID Servers and Settings, and select EmpowerID System Settings.

  2. On the EmpowerID System Settings page, search for the setting that you want to change and click the Edit icon to its left.

     

  3. In the dialog that appears, you can edit the Value and Description fields, and select whether to Encrypt Data for the setting value. When a value is encrypted, it is not visible in the UI.

     

  4. After making changes, click Save.

The following table provides the name, default value, and description for each system setting, as well as links to any further information about the setting.

Name

Default Value

Description

ABACEmergencyMode

FALSE

Global setting that determines whether the organization is in a crisis emergency mode

ABACHighRiskScore

10000

Threshold Risk Score to be used in ABAC rules

AccountInboxJoinAndProvisionFilter

A.PersonID IS NULL AND A.Disabled = 0 AND A.Deleted = 0 AND A.AccountTypeID  2 AND A.AccountUsageTypeID = 1  AND LENA.FirstName  0 AND LENA.LastName  0  

Filter for join and provision; only accounts matching the criteria are included. This filter is appended to the AccountInboxJoinFilter for join and to the AccountInboxProvisionFilter for provision. See AccountInboxing_GetJoinAndProvisionFilter for a sample of how to extend it.

AccountInboxJoinByBirthDateFirstNameLastName

TRUE

If turned on, the join rule tries to join newly discovered accounts to people based on matches on those fields

AccountInboxJoinByCustomMatch

/* -- this is a sample of how to extend the join rules with custom logic. There would be two extra rules to join by Department and City/State --uncomment the outer comment to make it active --retrieve personID by Department, first and last name UPDATE A SET A.PersonID = PJoined.PersonID, A.AttributeJoinedBy ='Department' FROM #Accounts A INNER JOIN SELECT MINP.PersonID PersonID, P.Department , P.LastName , P.FirstName FROM Person P WITH NOLOCK WHERE P.Department IS NOT NULL AND P.PersonID  3 GROUP BY P.Department, P.LastName , P.FirstName HAVING COUNT1=1 PJoined ON PJoined.Department = A.Department AND PJoined.LastName  = A.LastName AND PJoined.FirstName = A.FirstName WHERE A.PersonID IS NULL --retrieve personID by City and State, first and last name UPDATE A SET A.PersonID = PJoined.PersonID, A.AttributeJoinedBy ='City and State' FROM #Accounts A INNER JOIN SELECT MINP.PersonID PersonID, P.City ,P.State, P.LastName, P.FirstName FROM Person P WITH NOLOCK WHERE P.City IS NOT NULL AND P.State IS NOT NULL AND P.PersonID  3 GROUP BY P.City ,P.State, P.LastName , P.FirstName HAVING COUNT1=1 PJoined ON PJoined.City  = A.City AND PJoined.State  = A.State AND PJoined.LastName  = A.LastName AND PJoined.FirstName = A.FirstName WHERE A.PersonID IS NULL */

Extra custom rules that run at the end of the join rules by executing the SQL. The SQL has to follow the sample code.

AccountInboxJoinByEmailFirstNameLastName

TRUE

If turned on, the join rule tries to join newly discovered accounts to people based on matches on those fields

AccountInboxJoinByEmployeeIDFirstNameLastName

TRUE

If turned on, the join rule tries to join newly discovered accounts to people based on matches on those fields

AccountInboxJoinByPersonalEmailFirstNameLastName

TRUE

If turned on, the join rule tries to join newly discovered accounts to people based on matches on those fields

AccountInboxJoinFilter

A.AllowJoin = 1  

Filter for join; only accounts matching the criteria are included. This filter is appended to the AccountInboxJoinAndProvisionFilter. See AccountInboxing_GetJoinFilter for a sample of how to extend it.

AccountInboxProvisionFilter

A.AllowProvision = 1 AND EXISTS (SELECT 1 FROM AccountStore S WHERE A.AccountStoreID = S.AccountStoreID AND S.AllowPersonProvisioning = 1)

Filter for provision; only accounts matching the criteria are included. This filter is appended to the AccountInboxJoinAndProvisionFilter. See AccountInboxing_GetProvisionFilter for a sample of how to extend it.

ADUserCreatePostProcessingAlertEnabled

FALSE

Global Setting to Enable or Disable ADUserCreatePostProcessingAlert

AllowSetMustChangePasswordAtNextLogon

TRUE

Allow Set Must Change Password At Next Logon

AllowWebApiMethodInvokeProfiling

TRUE



AllowWebApiMethodInvokesWithoutCheck

TRUE



API_IISAppName

API



ApplicationLauncherOAuthConsumerGUID

f0ade541-52d1-4f60-9201-f58e9dc8f7fb



ApplicationLauncherOAuthProviderApplicationGUID

25629B1D-1585-4D19-A58F-A74D00EA30B0



ApplicationLauncherSamlConnectionID

1



ApplicationLauncherServiceProviderGuid





Azure-AuthorizationRule

MyPolicy1



Azure-ClientID





Azure-ClientSecret





AzureCosmosWFDataAuthKey





AzureCosmosWFDataSerivceEndPoint

https://eidtest.documents.azure.com:443/



Azure-DataCenterLocation





AzureJobEngineDataConnectionString





AzureManticoreConnectionString



Azure Manticore Storage Container Connection String

AzureManticoreContainerName

manticore

The Azure container which holds the session recordings

AzureNotificationHubConnectionString



Azure Notification Hub Connection String

AzureNotificationHubName



Azure Notification Hub Name

Azure-Relay

eidtest10



Azure-RelayNamespace

tenantDRelay



Azure-ResourceGroup

JobEngine



AzureSPOCosmosDocumentDBAuthKey





AzureSPOCosmosDocumentDBServiceEndPointUrl

https://eidtest.documents.azure.com:443/



AzureSPOTableDBStorageDataConnectionString





Azure-SubscriptionID





Azure-TenantID





AzureWebJobDataConnectionString

DefaultEndpointsProtocol=https;AccountName=eidazurejobengine;AccountKey=kNGSID50BEmwdInwNwbOyFmzrO+M/PggUHkSU5Nb9xq/ACzFj0CWn4H5SNALMY17TKJFz7qbnVa8qojP25dVhw==;EndpointSuffix=core.windows.net



AzureWebJobHost

FALSE



AzureWFDataConnectionString

N/A

Specifies the Azure blob connection string when storing workflow data instance in Azure blob. When using Azure blob, the value of the WorkflowDataFactory setting must be updated from SQL to Azure.

BOTEnableBot

FALSE

Enables the EmpowerID Bot

BOTSecret

SI6PAkoG9cY.cwA.lko.Ysq1FIFhEkhAcYelcIkZyaHWkm6kJr0LeiE_JiafgvA

Secret for the EmpowerID bot

BOTUrl

https://webchat.botframework.com/embed/EmpowerIDBot1

Url of the EmpowerID Bot

Captcha-HideAndSkipValidationGloballyForTesting

FALSE

Hide Captcha And Skip Captcha Validation Globally For Testing

ConsumerSelfRegisterEnabled

TRUE

Consumer Self Registration setting to skip person registration in workflow if set to false

CoreIdentityProvisionLogic



Enter custom Core Identity provisioning logic

CountryISOAlpha2Code

US

Country ISO Alpha 2 code used to mask phone numbers during MFA. Refer to http://www.nationsonline.org/oneworld/country_code_list.htm

DeviceRegistrationCookieExpirationInDays

15

Expiration days of the device registration cookie

DisableCartCommentRequired

TRUE

DisableCartCommentRequired

DisableCrossPackagePublishCheck

FALSE



DUOAPIHostname





DUOIntergrationKey





DUOSecretKey





EidAuthenticationPassphrase

761a0e0e0330439286d0a739c7d7553b



EidAuthenticationSalt

016fc391fef14cf0a11e03a7b0814e7c



EIDBrowserExtensionChromeID

ompmlbphcpnjopgdoknaibgjagocjbbe

ID of the latest Chrome Browser Extension in the Chrome Store

EIDBrowserExtensionFFInstallPath

http://www.empowerID.com

Path to the installation location of the Firefox SSO Browser Extension

EIDBrowserExtensionIEInstallPath

http://crossrider.com/download/ie/81138

Path to the installation location of the Internet Explorer SSO Browser Extension

EIDBrowserExtensionVersion

81138

ID of the Browser Extension version used to build the URL for download and installation

EidCdnEnableResourceCheckCache

FALSE



EidCdnServerUrl

/EmpowerIDWebCDN



EidChromeFrameIEVersion

8



EidEnableLocalizationDebugging

FALSE



EidIdPSessionTimeout

480

IdP Portal Session Timeout in minutes

EidInstallationGUID

a32dd358-317b-4c84-bf10-a145236387c5



EidLoginAfterXFailsShowCaptcha

4

After x failures on the login page show the CAPTCHA

EidMaxReportResults

500000

Maximum number of results allowed in the email me as report feature

EidMultiFactorRetryLimit

3

Number of times to retry two-factor authentication before reverting to login page

EidPasswordlessLoginEnabled

TRUE

Option to enable/disable PasswordlessLogin option on the login page

EIDPersonExpirationNotificationDaysBefore

21

Number of days before a person expires to send the notification. Used by the PersonExpirationNotification permanent workflow.

EIDPushNotificationTimeout

30

EmpowerID push notification and registration timeout in seconds

EmailApprovalByEmailEnabled

FALSE



EmailEWSEmailProviderMailboxAccountID





EmailEWSEmailProviderMailServerURL





EmailGlobalBCCRecipient



Sends a copy of every email to the specified email address in any mode as a BCC.

EmailSmtpEmailProviderFromAddress



Default from address for all EmpowerID notifications

EmailSmtpEmailProviderMailboxAccountID



AccountID of an account that has a vaulted password to be used for authenticated send email

EmailSmtpEmailProviderMailServer

dc-exch.addomain.com

Email Server used to send out EmpowerID System email messages

EmailSmtpEmailProviderUseSSL

TRUE

Use SSL for SMTP

EmailSmtpPortNumber

25

SMTP Port for TLS 

EmailSmtpUseTLS

TRUE

If true and EmailSmtpEmailProviderUseSSL is true, EmpowerID uses TLS to connect to the SMTP server

EmailTestMode

FALSE

If true, sends all emails to the email address specified in the EmailTestModeGlobalRecipient setting.

EmailTestModeGlobalRecipient



Sends a copy of every email to the specified email address in any mode as a recipient.

EmpowerID_IISAppName

EmpowerID



EmpowerIDWebCDN_IISAppName

EmpowerIDWebCDN



EmpowerIDWebIdPForms_IISAppName

EmpowerIDWebIdPForms



EmpowerIDWebIdPSmartCard_IISAppName

EmpowerIDWebIdPSmartCard



EmpowerIDWebIdPWindows_IISAppName

EmpowerIDWebIdPWindows



EmpowerIDWebIdPWSFederation_IISAppName

EmpowerIDWebIdPWSFederation



EmpowerIDWebReports_IISAppName

EmpowerIDWebReports



EnableBulkRecertification

FALSE

Enables or disables the ability to make a bulk decision for multiple recertification items

EnableCookieSecureAttribute

TRUE

Flag to enable/disable secure attribute on all the cookies

EnableRMQServer

FALSE



EnableWorkflowRedirectUrl

FALSE

Enables the redirecturl functionality of workflows

EnvironmentHeaderMessage



Displays a system-wide message at the top banner

GoogleMapsAPIKey

AIzaSyAiqp4HyDyFGg6SPad8gAa-hv-eFQz7FwA

API Key that is used with google maps

GoogleRecaptchaSiteVerifyUrl

https://www.google.com/recaptcha/api/siteverify

Verify URL for Google reCAPTCHA; cannot contain a query string

HelpLoginMenuLink

https://docs.empowerid.com/

Link to external help

HelpMFALink

https://dotnetworkflow.jira.com/wiki/spaces/E2D/pages/87851239/Multifactor+Authentication

Help link for end user multi-factor authentication

IdPCacheRefreshInterval

0

The interval used to refresh the internal IdP cache for Single Sign On data. If set to ZERO, this setting is DISABLED.

IdPRuntimeCacheTimeout

10

CAUTION: This value should be between 1 and 525,600. The sliding expiration timeout, in minutes, for HTTP Runtime Cache data in the EmpowerID Web IdPs.

InventorySalesForceAccount

FALSE

Setting that determines whether the account object should be inventoried

IpInfoAccessToken



IpInfo Access Token

ITShopIManageGrpAccountMode

TRUE

In IT Shop "Resources I manage", show the simple mode group account grid, not the RBAC delegation control

ITShopIManageGrpRBACSimpleMode

TRUE

In IT Shop "Resources I manage", show the RBAC delegation control in simple mode

ITShopMyAccessShowExpiresXDays

30

Controls which expiring access is shown to the user: only access expiring in X days.

JoinToCIByBirthDateFirstNameLastName

FALSE

Set this value to true if you want to join Person to Core Identity by FirstName, LastName and DateOfBirth.

JoinToCIByFirstNameLastName

TRUE

Set this value to true if you want to join Person to Core Identity by FirstName and LastName.

JoinToCICustomMatchAttributes



Enter a comma separated list of the attributes that should be used to join Person to Core Identity.  For example: to join by DateOfBirth and SSN enter:  DateOfBirth, SocialSecurityNumber

LocaleFlagsEnabled

FALSE

Enables or disables displaying country flags in the locale picker

LocalePickerEnabled

TRUE

Enables or disables the language picker in the user interface

LocaleRecordingMode

TRUE

Tells the system to record locale keys that are being used

LocalizationDefaultLocale

en-US

Default Fallback Locale

LoginAfterXFailsShowCaptcha

4

After x failures on the login page show the CAPTCHA

LoginLookupAccountByPersonLogonNameToValidatePassword

TRUE

Attempt to validate the password against each of the person's accounts that belong to an Account Store where pass-through authentication is enabled

LoginNameEnableGenerate

TRUE

Enables the Generate endpoint of the LoginName

LoginPageAccountUnlockEnabled

TRUE

Specifies whether or not the account unlock button is enabled on the login page

LoginPageBotEnabled

TRUE

Enable the chat with bot button on the login page

LoginPageConsumerSelfRegisterEnabled

FALSE

Specifies whether or not the self register button is enabled on the login page

LoginPageemaillostusernameEnabled

TRUE

Specifies whether or not mail to username is enabled on the login page

LoginPagePartnerSelfRegisterEnabled

TRUE

Specifies whether or not the partner self register page is enabled on the login page

LoginPagepasswordresetcenterEnabled

TRUE

Specifies whether or not password reset center is enabled on the login page

LoginPageRequestOathTokenEnabled

TRUE

Specifies whether or not request oath token is enabled on the login page

LoginPageSupplierCompanyRegistrationEnabled

TRUE

Specifies whether or not the Supplier Company Registration link is enabled on the login page

MaximumLoginTravelSpeed

450

Maximum Login Travel Speed

MessageBusSettings

[{Id:8f0cade0-99d0-43f5-96e8-b0bbdc8bea7a,PluginType:Syslog,MessageEntryType:Error,ConnectionString:192.168.254.138:514,AuxiliarySettings:{Publisher:null,Subscriber:null,Topic:null}},{Id:55fb5db1-4c65-4070-9307-f038393c7f3a,PluginType:Syslog,MessageEntryType:Information,ConnectionString:192.168.254.138:514,AuxiliarySettings:{Publisher:null,Subscriber:null,Topic:null}}]



MobileClientOAuthApplicationID

A05391D2-D4B0-49F5-9D3B-A8AF009B7247

EmpowerID Mobile Client OAuthProviderApplicationID

OathTokenIssuerName

EmpowerID Dev

Name of the Oath Token Issuer

OAuth_IISAppName

OAuth



OAuthConsumerGUID

91A7642F-0313-4496-9125-D4DB2782D111

OAuth connection for Twilio API access

OwnerRequiredAssigneeTypeID

1

For the Responsible Party control (OwnerRequiredAssigneeTypeID): set a value to allow only that type to be assigned. 1 = Person, 2 = Account, 3 = Group, 4 = Business Role and Location, 5 = Management Role, 7 = Query-Based Collection

PA-BusinessRoleDetails-Custom1

CustomAttribute1,CustomAttribute2,CustomAttribute3,CustomAttribute4,CustomAttribute5,CustomAttribute6,CustomAttribute7,CustomAttribute8,CustomAttribute9,CustomAttribute10

Page attributes for Business Role viewone page custom attributes 1-10

PA-BusinessRoleDetails-Custom11

CustomAttribute11,CustomAttribute12,CustomAttribute13,CustomAttribute14,CustomAttribute15,CustomAttribute16,CustomAttribute17,CustomAttribute18,CustomAttribute19,CustomAttribute20

Page attributes for Business Role viewone page custom attributes 11-20

PA-BusinessRoleDetails-Extension1

ExtensionAttribute1,ExtensionAttribute2,ExtensionAttribute3,ExtensionAttribute4,ExtensionAttribute5,ExtensionAttribute6,ExtensionAttribute7,ExtensionAttribute8,ExtensionAttribute9,ExtensionAttribute10

Page attributes for Business Role viewone page extension attributes 1-10

PA-BusinessRoleDetails-Extension11

ExtensionAttribute11,ExtensionAttribute12,ExtensionAttribute13,ExtensionAttribute14,ExtensionAttribute15,ExtensionAttribute16,ExtensionAttribute17,ExtensionAttribute18,ExtensionAttribute19,ExtensionAttribute20

Page attributes for Business Role viewone page extension attributes 11-20

PA-BusinessRoleLocationDetails-Custom1

CustomAttribute1,CustomAttribute2,CustomAttribute3,CustomAttribute4,CustomAttribute5,CustomAttribute6,CustomAttribute7,CustomAttribute8,CustomAttribute9,CustomAttribute10

Page attributes for Business Role Location viewone page custom attributes 1-10

PA-BusinessRoleLocationDetails-Custom11

CustomAttribute11,CustomAttribute12,CustomAttribute13,CustomAttribute14,CustomAttribute15,CustomAttribute16,CustomAttribute17,CustomAttribute18,CustomAttribute19,CustomAttribute20

Page attributes for Business Role Location viewone page custom attributes 11-20

PA-BusinessRoleLocationDetails-Extension

ExtensionAttribute1,ExtensionAttribute2,ExtensionAttribute3,ExtensionAttribute4,ExtensionAttribute5,ExtensionAttribute6,ExtensionAttribute7,ExtensionAttribute8,ExtensionAttribute9,ExtensionAttribute10,ExtensionAttribute11,ExtensionAttribute12,ExtensionAttribute13,ExtensionAttribute14,ExtensionAttribute15

Page attributes for Business Role Location viewone page extension attributes 1-15

Page-PersonDetails-ManageTab-ShowRow1

TRUE

Page-PersonDetails-ShowRow1 to show the first row of attributes

Page-PersonDetails-ManageTab-ShowRow2

FALSE

Page-PersonDetails-ShowRow2 to show the 2nd row of attributes

Page-PersonDetails-ManageTab-ShowRow3

TRUE

Page-PersonDetails-ShowRow3 to show the 3rd row of attributes

Page-PersonDetails-ManageTab-ShowRow4

TRUE