User Portal Web configuration

The User Portal IIS files are installed here by default:

C:\Program Files\Pointsharp\UserPortal

The User Portal uses the Pointsharp ID Web Services, which require some keys to be set correctly in the User Portal Web.config file.

These keys can be edited using your IIS manager’s Application Settings.

Settings for PointsharpFormLogin

Key name Value Description

FORM_AUTH_METHOD

Windows Password

The authentication method to use when authenticating with the Pointsharp ID.

FORM_TYPE

1

0 = Login with Username

1 = Login with Username and Password

SIGN_OUT_ENABLED

true

Set to true to enable sign out from the User Portal. This feature will only work for Forms login.

SIGN_OUT_TO_ROOT

true

Forms login will require this value to be true.

true: A sign-out should result in going back to root (/Home/Index)

false: Sign-out to a “you are signed out” page. The page will try to close itself, but because not all browsers allow a tab to close itself, this will not always take effect.

Forms login should use true, to avoid an inconvenient loop. By default, Forms login will not allow returning to the last view and will ask for credentials instead.

PS_SHARED_KEY

The shared key (password) used for decrypting the Pointsharp SSO Ticket from Pointsharp Access Gateway.

If Forms Authentication is configured with "Do not use cookie", proxying via Pointsharp Access Gateway will fail.

PS_IV

The initialization vector (IV) used for decrypting the Pointsharp SSO Ticket. If empty, the default IV is used; otherwise the length must be 16 characters.

Pointsharp ID Web application config and debug

Key name Value Description

PSID_LOG_FILE

…/logs/userportal.log

String value with relative path to the log file that logs should be printed to.

PSID_BINARY_FOLDER

C:\Program Files\PointSharp\PointSharp ID\bin

Set to the installation bin folder for the Pointsharp ID.

PSID_DEBUG

true

Set to true for debug-level logging in this application. Useful whenever something is not working.

LOG_ACTIONS_IN_PSID_DEBUG

true

Set to true to log each request path in debug, such as /Device/Index.

PSID_WS_USERNAME

username

String value with the username required to connect to web services.

PSID_WS_PASSWORD

P@ssw0rd

String value with the password in plaintext used to connect to web services.

PSID_WS_DOMAIN

psid.ps.net

String value with the domain name of the web services.

PSID_WS_CERTIFICATE_STORENAME

My

Certificate store name. Can be one of: AddressBook, AuthRoot, CertificateAuthority, My, Root, TrustedPeople or TrustedPublisher

PSID_WS_CERTIFICATE_STORELOCATION

LocalMachine

Certificate store location. Can be one of: CurrentUser or LocalMachine

PSID_WS_CERTIFICATE_THUMBPRINT

Certificate thumbprint. If set, the certificate will be fetched from STORENAME/STORELOCATION and used for the web service.

USER_STORAGE

PS_Storage

String value naming the specific User Storage from which user data is retrieved with the web services. Setting a specific User Storage makes it easier to deal with duplicate usernames. Leaving it blank will search all User Storages, and fail for overlapping usernames.

WEB_SERVICE_URL

http://localhost/

WEB_SERVICE_VERSION

-1

The version of the Pointsharp ID Web Services to use.

0 = use old web services

1 or higher = use specific version of web services

-1 = use the latest version

Account settings

The Account folder contains HTML-formatted files containing the license agreement in various languages. The file names have to follow the format:

license.[LANG].html

[LANG] is replaced with the language the license is translated into.

This means that you can add any number of license agreements written in different languages by following the conditions described.

/Account/Create

This path leads to the create account wizard.

Key name Value Description

USE_LICENSE_AGREEMENT

true

Boolean value deciding if the user has to accept a license agreement before creating an account. The agreement files are editable and located in the App_Data/Account folder.

AUTO_ADD_PSIDMEMBER

true

Boolean value deciding if a user can be added as a PSIDmember automatically (true), or if an administrator must add the user (false).

USER_NAME_DISPLAY_ATTRIBUTE

displayName

String value with the AD attribute to use for a user when displaying his/her name in the User Portal view.

ALTERNATE_USERNAME_ATTRIBUTE

An alternative username attribute (e.g. "mail") to use if the user logs in with another username credential than the Pointsharp username. It is used as a fallback when the lookup based on username fails. Leave blank to disable this search.

ALLOW_UNLOCK_USER

true

Decides if a user is allowed to unlock his/her own account or not.

ALLOW_UNLOCK_DOMAIN_USER

false

Decides if a user is allowed to unlock the Windows account or not.

SIGN_OUT_TO_ROOT

false

true: A sign-out should result in going back to root (/Home/Index). See Forms login.

false: Sign-out to a “you are signed out” page. The page will try to close itself, but due to not all browsers supporting the browser tab self-termination, it will not always take effect.

Security token settings

This section describes the security token (and mobile token) management related settings. The user management features can be turned on and off by editing the value of the corresponding configuration key.

/Token/

Start page for token management; lists all alternatives.

/Token/Add

Path to the add security token wizard.

/Token/Test

Path to the test/sync security token page.

/Token/Modify

This path leads to a list of current security tokens. Select a token to view a list of modification alternatives.

Key name Value Description

ALLOW_SECURITY_TOKEN_MANAGEMENT

true

Set to true to allow user to use advanced options.

ALLOW_SECURITY_TOKEN_MODIFICATIONS

true

Set to true to allow the user to view and modify (for example remove) his/her security tokens.

ALLOW_SECURITY_TOKEN_SYNC_TEST

true

Set to true to allow user to test synchronization of his/her security tokens.

ALLOW_SECURITY_TOKEN_ADD

true

Set to true to allow the user to add a new security token to an account.

SECURITY_TOKEN_SELECTABLE_TYPES

HardwareToken,MobileToken

Determines which security tokens a user is allowed to select in the User Portal. Comma-separated list of the enabled security token types:

  • HardwareToken

  • PointSharpLoginToken

  • FidoToken

  • FidoTpmToken

  • GoogleMobileToken

  • Certificate

The values are case and order sensitive and must be separated with a comma, with NO spaces in between.

GOOGLE_MOBILE_TOKEN_DISPLAY_ID

Pointsharp Mobile Token

The ID displayed in the Google Authenticator when the token is configured (overridden in GOOGLE_MOBILE_TOKEN_QR)

GOOGLE_MOBILE_TOKEN_TIME_BASED

true

Set to true to provide user with a Time-Based OTP whenever enabled for any selected (Google) Authenticator Token (for TOTP in GOOGLE_MOBILE_TOKEN_QR)

GOOGLE_MOBILE_TOKEN_ISSUER

Pointsharp

The issuer displayed in the Google Authenticator when the token is configured (overridden in GOOGLE_MOBILE_TOKEN_QR)

GOOGLE_MOBILE_TOKEN_QR

Set this for the Authenticator QR code:

otpauth://totp/Pointsharp%20Mobile%20Token:{username}?secret={secret}

Overrides the GOOGLE_MOBILE_TOKEN_DISPLAY_ID and GOOGLE_MOBILE_TOKEN_ISSUER settings when creating the QR code. Leave blank to disable this.

Example 1. TOTP and HOTP

For TOTP:

otpauth://totp/Pointsharp%20Mobile%20Token:{username}?secret={secret}

For HOTP:

otpauth://hotp/PointSharp%20Mobile%20Token:{username}?secret={secret}&counter=0

(For HOTP, GOOGLE_MOBILE_TOKEN_TIME_BASED must still be false.) The strings {username} and {displayname} are replaced dynamically for the user who is using the User Portal.

POINTSHARP_TOTP_TOKEN_QR

Set this for Pointsharp Authenticator QR code:

psotpauth://totp/Pointsharp%20Authenticator:{username}?secret={secret}

USE_TIME_BASED_SECURITY_TOKENS

true

Set to true to provide user with a Time-Based OTP whenever enabled for any selected Hardware Security Token.

USE_PIN_PROTECTED_MOBILE_TOKENS

true

Set to true to only allow user to select security tokens where PIN is required before use.

MOBILE_TOKEN_OTP_LENGTH

6

Decides the length of a mobile token OTP. Any value other than 6, 7 or 8 falls back to 6.

DIST_SRV_URL

http://ps.cloudapp.net

The location of the distribution server. This URL is shown to the user when a new Mobile Token is sent. Note that the setting needs to be enabled in Pointsharp ID for the URL to be displayed.

DIST_SRV_PATH

/gt

The path on the distribution server for device detection and redirection to Apple App Store or Google Play Store. Default set to /gt for Google Authenticator. Set to /mt for Microsoft Authenticator.

Authenticator

Pointsharp ID and the User Portal support any third-party app implementing RFC 6238 (TOTP). The standard is used by Google Authenticator as well as Microsoft’s own Authenticator. The advantage is ease of configuration for the end user, who only needs to scan a QR code to configure his/her OTP generator to be compatible with a Pointsharp ID environment. Another advantage is that the mobile token is time-based.

Key name Value Description

GOOGLE_MOBILE_TOKEN_DISPLAY_ID

Pointsharp Mobile Token

The id of the specific OTP generator in an Authenticator application that has multiple OTP generators enabled. Changeable by the user.

GOOGLE_MOBILE_TOKEN_ISSUER

Pointsharp

The issuer, used to tell multiple OTP generators apart from each other. Not changeable by the user.

GOOGLE_MOBILE_TOKEN_TIME_BASED

true

Boolean value deciding if the Authenticator should use time-based OTP (TOTP) or not.

To enable QR-code scanning, either let the user go to the Pointsharp Mobile Token Distribution service (default configuration) or enable a display method of the activation code in Pointsharp ID Admin GUI (Tokens > Portal Settings).

Not all Authenticator implementations have all features enabled (QR-code scanning, issuer, etc).

Access Gateway device settings

This section describes the device management related settings, the UPMAP and the Device Portal redirect. The user management features can be turned on and off by editing the value of the corresponding configuration key.

/Device/

Device management, list of all alternatives.

/Device/Add

Path to the add new device wizard.

/Device/Modify

Leads to a list of current devices; when one is selected, a list of modification alternatives is shown.

Key name Value Description

ALLOW_SECURE_ACTIVESYNC

true

Set to true to allow user to configure Secure ActiveSync devices.

ALLOW_DEVICE_ADD

true

Boolean value. Allow adding a device to Access Gateway or not.

ALLOW_DEVICE_MODIFICATIONS

true

Boolean value. Set to true to allow the user to list, view and modify (for example remove) his/her devices.

Decide which features to enable for modification, in DEVICE_MODIFICATION_FLAGS.

NEW_DEVICE_USERAGENT_PATTERN

*

The device pattern required to start sync using a time frame. Set to * to allow any device.

NEW_DEVICE_TIMEFRAME_MINUTES

30

Determines the length (in minutes) of the device time frame used when adding a new device with a time frame.

0 or empty disables the time frame. If enabled, it will be the sync alternative used in “Getting Started”.

DEVICE_MODIFICATION_FLAGS

1123

These are the number values that determine the state options available to users on their devices.

1 — the state can be enabled

2 — the state can both be disabled and enabled

3 — the state can only be disabled

State (in order)
  • content wipe

  • remove

  • block

  • pending/quarantine

To disable a state (2 or 3) – or accept a device – ALLOW_USER_ACCEPT needs to be set to true.

LOST_DEVICE

0

Number value deciding what function should be used for lost devices (leave empty to disable function).

0 – block/disable

1 – remove

2 – content wipe

These functions need to be enabled in DEVICE_MODIFICATION_FLAGS to take effect.

ALLOW_USER_ACCEPT

true

Boolean value deciding if a user is allowed to accept his/her own device, which means disabling a state. Which states can be disabled is decided in DEVICE_MODIFICATION_FLAGS.

DISPLAY_DEVICE_CLIENT_SETUP

false

Set to true to allow the user to see a configuration description for his/her devices.

DEVICE_MANAGEMENT_FILTER

Determine the devices that the user is allowed to manage. It is based on device type, e.g. set to 'Outlook' for Outlook clients only.

Example 2. Device modification flags

In this example we use the setting 1123 as the value of DEVICE_MODIFICATION_FLAGS.


1 — the state for feature can be enabled

2 — the state for feature can both be disabled and enabled

3 — the state for feature can only be disabled

State for feature (in order)
  • content wipe (with setting 1 in this example)

  • remove (with setting 1 in this example)

  • block (with setting 2 in this example)

  • pending/quarantine (with setting 3 in this example)


The first position is the setting for the feature content wipe.

The 1 indicates that “the state for feature content wipe can be enabled”, which means that the user will be able to perform a content wipe on his/her device, i.e. to execute/enable a content wipe. However, the user cannot revoke a content wipe, i.e. he/she will not be able to stop/disable a content wipe in progress.

If the same position instead had been set to 2, a content wipe can be both started and stopped (enabled and disabled) by a user from the User Portal.

If the position instead had been set to 3, then the user would only be able to revoke a content wipe, but never able to invoke the same.

The other features follow the same pattern with “can invoke function of the feature”, “both invoke and revoke” and “revoke function of the feature”.

Position 1: Content wipe
  • State 1: User can perform a content wipe on the selected device.
  • State 2: Same as 1 and 3.
  • State 3: User can undo a content wipe that has not yet been executed.

Position 2: Remove
  • State 1: User can remove the selected device.
  • State 2: Same as 1.
  • State 3: Same as 0.

Position 3: block/disable
  • State 1: User can block a device.
  • State 2: Same as 1 and 3.
  • State 3: User can unblock a blocked device.

Position 4: pending/quarantine
  • State 1: Same as 0.
  • State 2: Same as 3.
  • State 3: User can accept a quarantined or pending device.

The value of ALLOW_USER_ACCEPT has to be true for state 3 to take effect for positions 1, 3 and 4. Moreover, state 0 for a feature disables the other states (the feature is disabled).

This means that with our example setting 1123 the user can perform a content wipe, remove a device, both block and unblock a device, and accept a device in a pending or quarantine state.
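The decoding walked through in Example 2, together with the LOST_DEVICE dependency on DEVICE_MODIFICATION_FLAGS described earlier, as an added example that is not Pointsharp's code: the function turns a flags value such as 1123 into what the user may invoke and revoke per feature, applies the per-position exceptions from the table (remove has no revoke, pending/quarantine has no invoke) and the ALLOW_USER_ACCEPT rule, and checks whether the action chosen in LOST_DEVICE is actually invokable under those flags. Function names are this example's own; the position order and state meanings are the page's.

```javascript
// Added example, not Pointsharp's code: decode DEVICE_MODIFICATION_FLAGS and
// LOST_DEVICE as the documentation describes them.

const FEATURES = ['content wipe', 'remove', 'block', 'pending/quarantine'];

// Per-position rules taken from the Example 2 table:
//   remove has no revoke (state 3 behaves as 0, state 2 as 1), and
//   pending/quarantine has no invoke (state 1 behaves as 0, state 2 as 3).
const NO_REVOKE = new Set(['remove']);
const NO_INVOKE = new Set(['pending/quarantine']);

// State digit: 0 disabled, 1 invoke only, 2 invoke and revoke, 3 revoke only.
function decodeModificationFlags(flags, allowUserAccept) {
  const digits = String(flags);
  if (!/^[0-3]{4}$/.test(digits)) {
    throw new Error(`DEVICE_MODIFICATION_FLAGS must be four digits 0-3, got "${flags}"`);
  }
  return FEATURES.map((feature, i) => {
    const state = Number(digits[i]);
    const canInvoke = (state === 1 || state === 2) && !NO_INVOKE.has(feature);
    let canRevoke = (state === 2 || state === 3) && !NO_REVOKE.has(feature);
    // Revoking a state (or accepting a device) additionally requires ALLOW_USER_ACCEPT.
    if (!allowUserAccept) canRevoke = false;
    return { feature, state, canInvoke, canRevoke };
  });
}

// Human-readable summary of what the user may do, for reviewing a setting.
function describeCapabilities(caps) {
  const verbs = {
    'content wipe': ['start a content wipe', 'undo a pending content wipe'],
    'remove': ['remove the device', null],
    'block': ['block the device', 'unblock the device'],
    'pending/quarantine': [null, 'accept a pending or quarantined device'],
  };
  return caps.flatMap(({ feature, canInvoke, canRevoke }) => {
    const [invoke, revoke] = verbs[feature];
    return [canInvoke ? invoke : null, canRevoke ? revoke : null].filter(Boolean);
  });
}

// LOST_DEVICE: 0 block/disable, 1 remove, 2 content wipe; empty disables the
// function. The chosen action only works if the flags let the user invoke it.
const LOST_DEVICE_ACTIONS = { 0: 'block', 1: 'remove', 2: 'content wipe' };

function lostDeviceAction(lostDevice, flags, allowUserAccept) {
  if (lostDevice === undefined || lostDevice === null || String(lostDevice).trim() === '') return null;
  const action = LOST_DEVICE_ACTIONS[Number(lostDevice)];
  if (!action) throw new Error(`unknown LOST_DEVICE value "${lostDevice}"`);
  const caps = decodeModificationFlags(flags, allowUserAccept);
  return { action, enabled: caps.find(c => c.feature === action).canInvoke };
}
```

Running decodeModificationFlags('1123', true) through describeCapabilities gives exactly the list the text above arrives at by hand; with ALLOW_USER_ACCEPT false, every revoke capability disappears, which is the easy-to-miss interaction when reviewing a deployment.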

User portal mapping (UPMAP)

The UPMAP file (in the Settings folder) maps the user’s device to a chosen title and image. The concept is to map a device, using a part of — or its full — Device ID, device type or user agent, to a title and a specific image, both describing the device in a more user-readable way.

A user can list his/her devices in Device Management (/Device/). The data displayed of each device can be controlled/modified in the App_Data/Settings/device.upmap (User Portal Map) file. Each row in the file has the following “pipe” (‘|’) separated format:

[deviceId]|[deviceType]|[deviceUserAgent]|[title]|[image]

It is order sensitive. A row is only applied if all (three) device attributes result in a match.

[deviceId]

The pattern of a device ID. If a device has a stored ID which contains this string (not case-sensitive) a match is made. Use * to match any ID.

[deviceType]

The pattern of the type of device. If a device has a stored type which contains this string (not case-sensitive) a match is made. Use * to match any type.

[deviceUserAgent]

The pattern of the user agent of a device. If a device has a stored user agent (also known as device pattern) which contains this string (not case-sensitive) a match is made. Use * to match any user agent.

[title]

The title to provide the fully matched device when displayed in the User Portal. Use * to use the default title which corresponds to the device name (device user agent).

[image]

The name of the image (without file extension; the image has to be a PNG file) to use for the matched device when displayed in the User Portal. Use * to use the default image (Contents/Image/Device_default.png).

If the image is not found, the default image will be used instead. To add a new image (PNG) to use, place it in the /Content/Images/upmap folder.

Using the row *|*|*|*|* will result in all default values for any device, and is REQUIRED at the end of the document. Use // in the beginning of a row to make a comment.

Changes to the file do not take effect until the services are restarted.
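The UPMAP format and matching rules described above, as an added example that is not Pointsharp's code: a parser for the pipe-separated file (comments, the five fields, the required catch-all row) and a resolver that applies rows in file order with case-insensitive substring matching and * wildcards. The sample file content and the devices are constructed; the default image name is taken from the default path given above, and function names are this example's own.

```javascript
// Added example, not Pointsharp's code: parse App_Data/Settings/device.upmap
// and resolve a device to its title and image using the rules on this page.

const DEFAULT_IMAGE = 'Device_default'; // from the page's default image path, without extension

// Parse the file: skip blank and "//" comment rows, require exactly five fields,
// and require the catch-all *|*|*|*|* row at the end.
function parseUpmap(text) {
  const rows = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    const trimmed = line.trim();
    if (trimmed === '' || trimmed.startsWith('//')) return;
    const parts = trimmed.split('|');
    if (parts.length !== 5) {
      throw new Error(`line ${idx + 1}: expected 5 pipe-separated fields, got ${parts.length}`);
    }
    const [deviceId, deviceType, deviceUserAgent, title, image] = parts;
    rows.push({ deviceId, deviceType, deviceUserAgent, title, image });
  });
  const last = rows[rows.length - 1];
  if (!last || [last.deviceId, last.deviceType, last.deviceUserAgent].some(p => p !== '*')) {
    throw new Error('the last row must be the catch-all *|*|*|*|* row');
  }
  return rows;
}

// A pattern matches when it is "*" or is contained in the stored value (case-insensitive).
function patternMatches(pattern, value) {
  return pattern === '*' || (value || '').toLowerCase().includes(pattern.toLowerCase());
}

// First row whose three patterns all match wins, so row order in the file matters.
function resolveDevice(rows, device) {
  for (const row of rows) {
    if (patternMatches(row.deviceId, device.deviceId) &&
        patternMatches(row.deviceType, device.deviceType) &&
        patternMatches(row.deviceUserAgent, device.deviceUserAgent)) {
      return {
        title: row.title === '*' ? device.deviceUserAgent : row.title, // "*" title = device user agent
        image: row.image === '*' ? DEFAULT_IMAGE : row.image,
      };
    }
  }
  throw new Error('no row matched; the catch-all row is missing');
}

// Constructed sample file. The Outlook row is placed before the iPhone row on
// purpose: an Outlook for iOS user agent contains both strings.
const SAMPLE_UPMAP = [
  '// constructed sample device.upmap',
  '*|*|Outlook-iOS|Outlook for iOS|outlook_ios',
  '*|*|iPhone|iPhone Mail|iphone',
  '*|*|Android|Android device|android',
  '*|*|*|*|*',
].join('\n');
```

Because matching is substring-based, a specific row (Outlook-iOS) must precede a broader one (iPhone) or the broader row captures it; the parser also refuses a file without the trailing catch-all row instead of failing later at display time.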

Device setup guide

The Setup folder contains Access Gateway device setup guides.

By default, there is only one device description called General added. The folder contains one English and one Swedish general description of how to set up a device to use ActiveSync towards the Access Gateway.

New setup guides are added by adding a new HTML-formatted file to:

/App_Data/Setup/[New Device]/[New Device].[LANG].html

[New Device]

Enter name of the device setup guide to add.

[LANG]

Acronym for the language the setup guide is written in, for example, “en” (English) and “sv” (Swedish). If the setup guide is supported in more than one language, the next setup guide is placed in the same folder but with a new [LANG] value. Full list of possible values of [LANG] can be found at:

The languages that can be displayed from the User Portal are limited to the languages supported in the User Portal itself.

You also have to add an image for the device in the /Content/Images/pdf folder for each new description added, following the naming standard [New Device].png.

Password settings

This section describes the Pointsharp Password management related settings. The user management features can be turned on and off by editing the value of the corresponding configuration key.

/PointsharpPassword/

Pointsharp Password management; lists alternatives.

/PointsharpPassword/Add

Path to the add/update/send new Pointsharp Password wizard.

/PointsharpPassword/Edit

Path to the edit/change Pointsharp Password view.

Key name Value Description

ALLOW_POINTSHARP_PASSWORD

true

Boolean value deciding if the Pointsharp Password Management is enabled in User Portal or not.

ALLOW_ADD_POINTSHARP_PASSWORD

true

Set to true to allow the user to add/send new Pointsharp Password.

ALLOW_EDIT_POINTSHARP_PASSWORD

true

Boolean value deciding if the Pointsharp Password should be editable or not.

Password reset settings

This section describes the Password Reset feature integrated in User Portal.

The settings for this feature require synchronization with the settings in the Pointsharp ID Admin GUI client.

/PointsharpPassword/Reset

Pointsharp Password reset.

/WindowsPassword/Reset

Windows Domain Password reset.

Possible steps in Password Reset wizard:

  1. Provide username and secret/attribute value

  2. Provide OTP on OTP Challenge

  3. Provide new password

  4. Repeat new password on Password Challenge

Step 1 and step 3 are required.

Step 2 and step 4 are optional, configurable in the Pointsharp ID Admin GUI client, and have to be synchronized in the User Portal to work as expected.

Key name Value Description

ALLOW_RESET_PASSWORD

false

Boolean value deciding if the reset of any password should be used at all.

ALLOW_WINDOWS_PASSWORD

false

Boolean value deciding if the Windows Password management is enabled.

RESET_POINTSHARP_PASSWORD_STEPS

-1

Decides which steps to use when a reset of the Pointsharp Password is performed.

0 for the required steps only

1 for OTP Challenge

2 for Repeat Password, and

3 for all four steps.

Set -1 to exclude all steps.

RESET_WINDOWS_PASSWORD_STEPS

-1

Decides which steps to use when a reset of the Windows Domain Password is performed. The same step descriptions apply as for RESET_POINTSHARP_PASSWORD_STEPS.

JavaScript Password Validation

It is possible to validate the password on the client side before it is sent to the Web Services. The reason is that if a user by mistake enters a password that does not follow the policies required by the Pointsharp ID Web Services, for example a password of the wrong length, the response will be a reject and the user has to start over.

To enter a validation step on client side, simply update the script located at:

Scripts/Validation/password_reset_setpassword.js

The only part of the script to consider is the function validate, which takes the user-entered password as a parameter. Validate the password; if it is incorrect, return false (the view will be updated with an X next to the text box, and the entered value will not be sent to the server). If the password is correct, return true (the new password is sent to the server for validation, and if it passes, the next step in the password reset wizard will be displayed).

If the password policy is updated in Pointsharp ID Admin GUI, then make sure that your validation script is meeting the new requirements as well.
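An added example of what the validate function in Scripts/Validation/password_reset_setpassword.js could contain; it is not Pointsharp's shipped script. The policy values are assumed placeholders and have to mirror the password policy configured in the Pointsharp ID Admin GUI, as the text above requires. The server still validates the password after validate returns true; this only spares the user a round trip for obvious mistakes and must never be the only check.

```javascript
// Added example, not Pointsharp's script. Written in plain ES5 so it can be
// pasted into the page's client-side validation file unchanged.

// ASSUMED policy values: replace them with your Pointsharp ID password policy.
var POLICY = {
  minLength: 12,
  maxLength: 64,
  requireUpper: true,
  requireLower: true,
  requireDigit: true,
  requireSpecial: false,
  forbidWhitespace: true
};

// Returns the list of policy violations (empty when the password is acceptable),
// so the page can tell the user why the X appeared instead of just showing it.
function passwordProblems(password, policy) {
  var p = policy || POLICY;
  var problems = [];
  if (typeof password !== 'string') return ['no password entered'];
  if (password.length < p.minLength) problems.push('shorter than ' + p.minLength + ' characters');
  if (password.length > p.maxLength) problems.push('longer than ' + p.maxLength + ' characters');
  if (p.requireUpper && !/[A-Z]/.test(password)) problems.push('missing an upper-case letter');
  if (p.requireLower && !/[a-z]/.test(password)) problems.push('missing a lower-case letter');
  if (p.requireDigit && !/[0-9]/.test(password)) problems.push('missing a digit');
  if (p.requireSpecial && !/[^A-Za-z0-9]/.test(password)) problems.push('missing a special character');
  if (p.forbidWhitespace && /\s/.test(password)) problems.push('contains whitespace');
  return problems;
}

// The function the User Portal calls with the entered password:
// true sends it to the server, false shows the X and keeps it on the client.
function validate(password) {
  return passwordProblems(password).length === 0;
}
```

Keeping the rules in a single POLICY object makes the later step the text warns about (updating the script when the policy changes in the Admin GUI) a one-place change, and passwordProblems gives a testable surface for confirming the script and the server policy agree.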

Getting started settings

The Getting Started feature is only shown – and is the only feature shown – if a user comes to the User Portal and is not currently added as a PSID member. However, this feature can still be accessed by going to /Start/All.

/Start/All

Path to the Getting Started wizard.

Key name Value Description

ALLOW_GETTING_STARTED

true

Set to true to allow the user to use the Getting Started wizard.

ALLOW_GETTING_STARTED_FOR_PSID_MEMBER

true

Boolean value deciding if the feature is accessible by a PSID member.

GETTING_STARTED_FLAGS

12300

Each digit gives the position in the wizard of one function, and the digits thereby decide the order of execution.

0 disables the function.

  • First position is Add Security Token

  • Second position is Add Pointsharp Password

  • The third position is Add Device for ActiveSync

  • The fourth is Reset Pointsharp Password

  • The fifth is Reset Windows Password

DISPLAY_GETTING_STARTED

true

Boolean value deciding if the feature should be displayed in /Home/Index or not.

Please note that the list of enabled features depends on each feature’s own setting. For example, if ALLOW_POINTSHARP_PASSWORD is set to false, no Pointsharp Password will be sent to the user in the Getting Started wizard. If AUTO_ADD_PSID_MEMBER is set to false and no user exists, the Getting Started option will behave as if ALLOW_GETTING_STARTED were false (an account is required to proceed with the process). The wizard will simply skip the create account step if the user already exists. Moreover, please note that even if ALLOW_GETTING_STARTED_FOR_PSID_MEMBER is set to true, no user will be redirected to the Getting Started feature. This is because there is no indicator on the user of whether the wizard has been finished or not.

Workaround: if the flag is true and the user is already added as a PSID member, the user has to go to the path of this feature to be able to run the wizard.
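The GETTING_STARTED_FLAGS ordering and the feature-gating and access rules from the note above, as an added example that is not Pointsharp's code: the first function turns a value such as 12300 into the ordered wizard steps, dropping positions set to 0 and steps whose feature setting is false; the second encodes when the wizard is accessible and whether the user is redirected to it. The page only states the gate for the Pointsharp Password step (ALLOW_POINTSHARP_PASSWORD); the gating keys for the other four steps are this example's assumption, as are the function names.

```javascript
// Added example, not Pointsharp's code: interpret GETTING_STARTED_FLAGS and the
// access rules for the Getting Started wizard as described on this page.

const isTrue = v => String(v).trim().toLowerCase() === 'true';

// Digit positions come from the page. The enabledBy key for position 2 is the
// page's own example; the other four are ASSUMED to be the natural gates.
const GETTING_STARTED_FUNCTIONS = [
  { name: 'Add Security Token',        enabledBy: 'ALLOW_SECURITY_TOKEN_ADD' },   // assumed gate
  { name: 'Add Pointsharp Password',   enabledBy: 'ALLOW_POINTSHARP_PASSWORD' },  // stated on the page
  { name: 'Add Device for ActiveSync', enabledBy: 'ALLOW_DEVICE_ADD' },           // assumed gate
  { name: 'Reset Pointsharp Password', enabledBy: 'ALLOW_RESET_PASSWORD' },       // assumed gate
  { name: 'Reset Windows Password',    enabledBy: 'ALLOW_WINDOWS_PASSWORD' },     // assumed gate
];

// Returns the wizard steps in execution order plus the steps dropped by their
// own feature setting. A gate that is not present in `settings` is treated as open.
function gettingStartedPlan(flags, settings = {}) {
  const digits = String(flags);
  if (!/^[0-9]{5}$/.test(digits)) {
    throw new Error(`GETTING_STARTED_FLAGS must be five digits, got "${flags}"`);
  }
  const active = [];
  const skipped = [];
  GETTING_STARTED_FUNCTIONS.forEach((fn, i) => {
    const position = Number(digits[i]);
    if (position === 0) return; // 0 disables the function
    const gate = settings[fn.enabledBy];
    if (gate !== undefined && !isTrue(gate)) {
      skipped.push({ name: fn.name, reason: `${fn.enabledBy} is false` });
      return;
    }
    active.push({ position, name: fn.name });
  });
  active.sort((a, b) => a.position - b.position);
  return { steps: active.map(s => s.name), skipped };
}

// Whether the wizard can run for this user and whether the portal redirects to it.
function gettingStartedAccess(settings, isPsidMember) {
  const on = key => isTrue(settings[key]);
  if (!on('ALLOW_GETTING_STARTED')) return { accessible: false, redirected: false };
  if (!isPsidMember) {
    // Without an existing account the wizard must be allowed to create one.
    if (!on('AUTO_ADD_PSIDMEMBER')) return { accessible: false, redirected: false };
    return { accessible: true, redirected: true };
  }
  // Existing members are never redirected; they have to open /Start/All themselves.
  return { accessible: on('ALLOW_GETTING_STARTED_FOR_PSID_MEMBER'), redirected: false };
}
```

The separation between `steps` and `skipped` is deliberate: when a help-desk ticket says "the wizard never offered a Pointsharp Password", the skipped list points at the responsible key instead of leaving the reviewer to cross-check five settings by hand.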

Views

The views can be edited by changing the translations, images, colors and item sizes.

Translations and text

The Translations folder contains XML files with culture specific translations for the whole User Portal. It is possible to update current languages, remove and add new languages.

The translation files are located under /App_Data/Translations/ and have to follow the format: culture.[LANG].xml

Add a new language

It is possible to copy an existing file and update its content. There are two variables that have to be changed for the new translation to work as expected:

<cultureName>

The display name of the language to be used in the language dropdown list, for example, “English” or “Svenska” etc.

<culture>

[LANG]

[LANG]

Acronym for the language that the translation is written in, for example, “en” (English) and “sv” (Swedish). Full list of possible values can be found at:

The displayable languages in the User Portal are limited to the languages supported by the User Portal itself.

The default language is the file that comes first in alphabetical order in this folder. This means that you can make any language the default by adding 1_ in front of the [LANG] acronym in the file name.

For example, to make English the default language, set the file name to culture.1_en.xml (instead of culture.en.xml).

The default language is selected if no other language could be matched with the preferred languages set by the requesting browser.

For example, a browser on an OS installed in German will get the German translation. If German is not available, the default language is next in line to be applied.

You must restart the application pool (in IIS) where the User Portal is located for the new translation settings to take effect. All translations are read into memory at the first start of the User Portal.

CSS details

There are three CSS files that can be edited in order to change position, color and appearance of the User Portal.

These files are Layout.css, Menu.css and SiteExtensions.css, and are located in the Content folder.

Layout.css

Contains the general appearance of the site. The classes and IDs are used in Views/Shared/_Layout.cshtml.

SiteExtensions.css

Contains classes and ID used in more specific sub views such as Input.cshtml.

Menu.css

Contains classes and ID used to handle dropdown/dropup lists (language selection).

Images

All the existing images for the User Portal are located in the Content/Images folder and its subfolders. The naming pattern for the images is based on the URL path of the function or feature they belong to.

[Area of the feature]_[function].png

For instance, the image Device_enable.png is the image used for enabling a device.

All images located in the folders can be changed by simply replacing the files. Note that the size of most images is set in the view. Always verify the result by reloading the User Portal after updating any files. The CSS files should help with changing the sizes of the images on the fly.

pdf folder

Images for device setup instructions. The name of the image has to be the same as [New Device] in line with the pattern [New Device].png.

Shared folder

Images stored here are used for several features.

Upmap folder

Images stored here are used for the User Portal Mapping made in the UPMAP file.

Both the pdf and upmap folders will require new images if the features related to them are extended. The new images need to follow the naming standard set up for the folders/features.

Other

Key name Value Description

ALLOW_ADVANCED_OPTIONS

true

Set to true to allow user to use advanced options.

ALLOW_LOST_OPTIONS

true

Set to true to allow user to use lost options.

USE-PS-XSRF

false

Decides whether the anti-XSRF filter should be used or not.
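The keys on this page live in the appSettings section of Web.config (the standard ASP.NET `<add key="..." value="..."/>` form), and several of them change the portal's security posture: PSID_DEBUG and LOG_ACTIONS_IN_PSID_DEBUG write request paths and debug detail to the log, PSID_WS_PASSWORD is documented as plaintext, WEB_SERVICE_URL may be plain http, and USE-PS-XSRF controls the anti-XSRF filter. As an added example that is not Pointsharp's code, the script below reads a Web.config and reports those settings for a pre-deployment review. The Web.config text is a constructed sample built from this page's keys and example values; the check names and functions are this example's own.

```javascript
// Added example, not Pointsharp's code: read <appSettings> from a User Portal
// Web.config and report settings worth reviewing before go-live.

// Constructed sample using keys and example values from this page.
const SAMPLE_WEB_CONFIG = `<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="PSID_DEBUG" value="true" />
    <add key="LOG_ACTIONS_IN_PSID_DEBUG" value="true" />
    <add key="PSID_WS_USERNAME" value="username" />
    <add key="PSID_WS_PASSWORD" value="P@ssw0rd" />
    <add key="PSID_WS_CERTIFICATE_THUMBPRINT" value="" />
    <add key="WEB_SERVICE_URL" value="http://localhost/" />
    <add key="USE-PS-XSRF" value="false" />
    <add key="FORM_TYPE" value="1" />
  </appSettings>
</configuration>`;

// Minimal appSettings reader: enough for <add key="..." value="..."/> entries.
function readAppSettings(xml) {
  const settings = {};
  const re = /<add\s+key="([^"]*)"\s+value="([^"]*)"\s*\/>/g;
  let m;
  while ((m = re.exec(xml)) !== null) settings[m[1]] = m[2];
  return settings;
}

const isTrue = v => String(v).trim().toLowerCase() === 'true';

// Each finding names the key and the reason, so it can go straight into a review.
function auditAppSettings(settings) {
  const findings = [];
  if (isTrue(settings.PSID_DEBUG)) {
    findings.push('PSID_DEBUG is true: debug-level logging is meant for troubleshooting, not for normal operation.');
  }
  if (isTrue(settings.LOG_ACTIONS_IN_PSID_DEBUG)) {
    findings.push('LOG_ACTIONS_IN_PSID_DEBUG is true: every request path is written to the log.');
  }
  if (settings.PSID_WS_PASSWORD) {
    findings.push('PSID_WS_PASSWORD is set: the page documents it as plaintext, so restrict who can read Web.config.');
    if (settings.PSID_WS_PASSWORD === 'P@ssw0rd') {
      findings.push('PSID_WS_PASSWORD still has the example value from the documentation.');
    }
  }
  const url = settings.WEB_SERVICE_URL || '';
  if (/^http:\/\//i.test(url) && !/^http:\/\/(localhost|127\.0\.0\.1)([:/]|$)/i.test(url)) {
    findings.push('WEB_SERVICE_URL uses http:// to a remote host: web-service credentials travel unencrypted.');
  }
  if (!isTrue(settings['USE-PS-XSRF'])) {
    findings.push('USE-PS-XSRF is not true: the anti-XSRF filter is disabled.');
  }
  return findings;
}

function auditWebConfig(xml) {
  return auditAppSettings(readAppSettings(xml));
}
```

The reader deliberately handles only the simple `<add key value />` shape; a Web.config that uses `configSource` or an encrypted appSettings section would need a real XML parser, and a blank result from this script should be read as "nothing visible here", not as a clean bill of health.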