System configuration
The configuration XML blob is divided into components of the Net iD Portal package (Portal and Validator).
<?xml version="1.0" encoding="utf-8"?>
<SystemConfiguration>
<Components>
<Component Id="10" Name="Portal" />
<Component Id="20" Name="Validator" />
</Components>
</SystemConfiguration>
This configuration is global for the entire system. However, a configuration dedicated to an organization can be set by moving or copying a specific XML node from <SystemConfiguration><Component></Component></SystemConfiguration> to <Organization></Organization> (available in Organization.AdditionalInfo).
Component: Portal
Name
| Element | Value | Type | Description | Default |
|---|---|---|---|---|
| Name | | string | This defines the default name of the instance (usually the name of the product). It is returned by GetObject:ApplicationInfo when the client/GUI initializes its information. | Pointsharp Net iD Portal |
CacheExpiration
| Element | Value | Type | Description | Default |
|---|---|---|---|---|
| CacheExpiration | | integer | This defines the default expiration time, in seconds, of the idle cache of a user on the client. When the cache has expired, the client/GUI automatically logs the user out. It is returned by GetObject:ApplicationInfo when the client/GUI initializes its information. | 600 |
Security
<Security>
<EncryptionAlgorithm>AES</EncryptionAlgorithm>
<EncryptionLength>256</EncryptionLength>
<IsEnabled>true</IsEnabled>
<HashAlgorithm>SHA256-HMAC</HashAlgorithm>
<CompressionAlgorithm></CompressionAlgorithm>
</Security>
EncryptionAlgorithm
| Element | Value | Type | Description | Default |
|---|---|---|---|---|
| EncryptionAlgorithm | | string | This defines the default encryption algorithm within the product (usually between the server and the client/GUI). | AES |
EncryptionLength
| Element | Value | Type | Description | Default |
|---|---|---|---|---|
| EncryptionLength | | integer | This defines the default key length of the encryption algorithm above. | 256 |
IsEnabled
| Element | Value | Type | Description | Default |
|---|---|---|---|---|
| IsEnabled | | boolean | This defines whether the encryption above is enabled. This parameter can only be changed when running the portal in debug mode. Otherwise, this parameter is always set to "true". | true |
AuditLog
<AuditLog>
<Type>Concurrency</Type>
<SigningCertificateHash>b4f10553e082c89b6cbb9dbe3f75a4d062080b01</SigningCertificateHash>
</AuditLog>
Type
| Element | Value | Type | Description | Default |
|---|---|---|---|---|
| Type | | string | This defines how the audit logging is handled. | |
| | Integrated | | Handles the audit log in the same thread of a process, with guaranteed interoperability but at a cost in performance. | |
| | Concurrency | | Handles the audit log in a new thread of a process for better performance. | ✓ |
| | ReceiverService | | Handles the audit log against the external Receiver Service for large environments. | |
DiagnosticLog
<DiagnosticLog>
<Type>Concurrency</Type>
</DiagnosticLog>
Type
| Element | Value | Type | Description | Default |
|---|---|---|---|---|
| Type | | string | This defines how the diagnostic logging is handled. | |
| | Integrated | | Handles the diagnostic log in the same thread of a process, with guaranteed interoperability but at a cost in performance. | |
| | Concurrency | | Handles the diagnostic log in a new thread of a process for better performance. | ✓ |
| | ReceiverService | | Handles the diagnostic log against the external Receiver Service for large environments. | |
Trace
<Trace>
<Type>Integrated</Type>
<Level>Warning,Error</Level>
<Buffer>1000</Buffer>
<BufferMax>10000</BufferMax>
<Path>C:\temp\</Path>
</Trace>
Type
| Element | Value | Type | Description | Default |
|---|---|---|---|---|
| Type | | string | This defines how the trace logging is handled. | |
| | Undefined | | By default, the trace log is disabled. | ✓ |
| | Integrated | | Handles the trace log against the local instance of the process. The trace sends the current action, time and thread into a list in the local instance of the portal, which is handled by the web server (IIS). Note that the trace should only be used for troubleshooting: the large amount of data demands performance from the instance and can result in an unstable instance and local process of the web server. | |
Level
| Element | Value | Type | Description | Default |
|---|---|---|---|---|
| Level | | string | This defines the level of the trace to be stored. Levels can be combined with a comma between them (e.g., Warning,Error as in the example above). | |
| | Undefined | | All information will be stored. | ✓ |
| | All | | All information will be stored. | |
| | Info | | Only generic information will be stored. | |
| | Warning | | Only warnings will be stored. | |
| | Error | | Only errors will be stored. | |
| | Debug | | Only debug information will be stored. This requires that the portal runs in debug mode. | |
| | Call | | Only API-CALL information will be stored. | |
Buffer
| Element | Value | Type | Description | Default |
|---|---|---|---|---|
| Buffer | | integer | This defines the buffer of the trace content, in rows, before the trace file is processed. | 1000 |
TimerService
This defines the configuration of the TimerService-modules.
<Services>
<Service Name="TimerService">
<Modules>
<Module Name="Example">
<ModuleAssemblyFile>Example.dll</ModuleAssemblyFile>
<ModuleClassName>Example.Instance</ModuleClassName>
<TimerSeconds>1800</TimerSeconds>
<TimerStart></TimerStart>
<TimerEnd></TimerEnd>
<ModuleConfiguration></ModuleConfiguration>
</Module>
</Modules>
</Service>
</Services>
Services/Service/Module/TimerSeconds
This defines the interval at which the module starts recurrently. Default is 1800 seconds (starts every 30 minutes). If set to zero, the module is disabled.
Services/Service/Module/TimerStart, Services/Service/Module/TimerEnd
These define the time of day when the module is allowed to run. Example:
TimerStart: 01:00:00
TimerEnd: 03:00:00
This example allows the module to run for two hours of the night, between 01:00:00 and 03:00:00.
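The decision the TimerService has to make for a module, combining TimerSeconds and the TimerStart/TimerEnd window, as an added example (not the product's own code). It assumes that empty TimerStart/TimerEnd elements, as in the default XML above, mean no restriction, and that a window whose start lies after its end wraps past midnight; the page only shows a same-day window.

```python
from datetime import datetime, time


def parse_window(timer_start, timer_end):
    """Return (start, end) as time objects, or None when both elements are empty
    (the default XML leaves TimerStart/TimerEnd empty, taken here to mean no restriction)."""
    if not timer_start and not timer_end:
        return None
    if not timer_start or not timer_end:
        raise ValueError("TimerStart and TimerEnd must both be set or both be empty")
    return time.fromisoformat(timer_start), time.fromisoformat(timer_end)


def is_module_allowed(now, timer_seconds, timer_start="", timer_end=""):
    """Decide whether a TimerService module may run at `now`.

    A TimerSeconds of zero disables the module, as the text states. A window whose
    start is later than its end (e.g. 22:00:00 to 02:00:00) is treated as wrapping
    past midnight; that is an assumption, the page only shows a same-day window.
    """
    if timer_seconds <= 0:
        return False
    window = parse_window(timer_start, timer_end)
    if window is None:
        return True
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


if __name__ == "__main__":
    # The page's example window: allowed at 02:00, not at 04:00.
    print(is_module_allowed(datetime(2024, 1, 1, 2, 0, 0), 1800, "01:00:00", "03:00:00"))
    print(is_module_allowed(datetime(2024, 1, 1, 4, 0, 0), 1800, "01:00:00", "03:00:00"))
```

The window check is half-open (start inclusive, end exclusive) so a module configured with 01:00:00 to 03:00:00 cannot start exactly at 03:00:00 and run into the day.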
TimerService/Module/Monitor/ModuleConfiguration/AllowedTask
This defines the customized configuration of the monitor module: which tasks of the module are allowed to run. It is possible to remove some of the tasks of this module.
Default:
<ModuleConfiguration>
<AllowedTasks>
<Task>DeleteExpiredOneTimePasswords</Task>
<Task>DeleteExpiredTasks</Task>
<Task>LogoutIdleUsers</Task>
<Task>NotifyAuditLogStatus</Task>
<Task>NotifyExpiredCertificates</Task>
<Task>NotifyOrganizations</Task>
<Task>ReleaseUnprocessedTasks</Task>
<Task>RevokeExpiredUsersTokens</Task>
<Task>TerminateExpiredUsers</Task>
<Task>UpdateExpiredCertificates</Task>
<Task>UpdateExpiredTokens</Task>
</AllowedTasks>
</ModuleConfiguration>
Services/Service/OrderReceiver/AllowedTask
This defines the customized configuration of the OrderReceiver web service: which tasks the service is allowed to run. It is possible to remove some of the tasks of this service. If the task of the call does not match the allowed task list, the call will throw an exception with status code "NPR_TASK_TYPE_DISABLED".
<Services>
<Service Name="OrderReceiver">
<AllowedTasks>
<Task>RevokeToken</Task>
</AllowedTasks>
</Service>
</Services>
MediationTasks
This defines the configuration of a fallback postal address for when a postal address for a citizen cannot be established (e.g. persons with secrecy flags).
In this example, when a citizen has a secrecy flag, the postal address of the person cannot be established and the following postal address is used instead:
Förmedlingsuppdrag, Street address 57, 123 45, STOCKHOLM.
<MediationTasks>
<MediationTask Id="Secrecy" Name="Secrecy">
<Name>Förmedlingsuppdrag</Name>
<Address>Street address 57</Address>
<PostalCode>123 45</PostalCode>
<City>STOCKHOLM</City>
</MediationTask>
</MediationTasks>
User
This defines the configuration regarding user items in the portal.
UniqueName
<User>
<UniqueName>
<Syntax>{internal.user.firstname(abbreviation=3,normalize=true)}{internal.user.surname(abbreviation=3,normalize=true)}@{internal.organization.domainsuffix}</Syntax>
<IsGlobal>false</IsGlobal>
</UniqueName>
</User>
Syntax
| Element | Value | Type | Description | Default |
|---|---|---|---|---|
| Syntax | | string | This defines the syntax used to create the unique name of a user. See GetData for more information about loading dynamic data. By default, the unique name syntax of a user is the value shown in the Default column. | {internal.user.firstname(abbreviation=3,normalize=true)}{internal.user.surname(abbreviation=3,normalize=true)}@{internal.organization.domainsuffix} |
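A renderer for the placeholder syntax above, as an added example rather than the portal's own implementation. It assumes that normalize=true means folding to lowercase ASCII letters and digits, that abbreviation=N keeps the first N characters, that normalization is applied before abbreviation, and that the context values are constructed stand-ins for what GetData would return.

```python
import re
import unicodedata

# Constructed example values. Assumption: the portal resolves these keys from the
# user and organization objects via GetData.
CONTEXT = {
    "internal.user.firstname": "Åsa-Britt",
    "internal.user.surname": "Öhman",
    "internal.organization.domainsuffix": "example.org",
}

# The page's default syntax, reproduced verbatim.
DEFAULT_SYNTAX = (
    "{internal.user.firstname(abbreviation=3,normalize=true)}"
    "{internal.user.surname(abbreviation=3,normalize=true)}"
    "@{internal.organization.domainsuffix}"
)

# {key} or {key(param=value,...)}; keys are dotted lowercase names.
PLACEHOLDER = re.compile(r"\{([a-z.]+)(?:\(([^)]*)\))?\}")


def parse_params(raw):
    """'abbreviation=3,normalize=true' -> {'abbreviation': '3', 'normalize': 'true'}."""
    params = {}
    for part in (raw or "").split(","):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            params[key.strip()] = value.strip()
    return params


def normalize(value):
    """Fold to lowercase ASCII letters and digits (assumed meaning of normalize=true)."""
    folded = unicodedata.normalize("NFKD", value).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def apply_modifiers(value, params):
    """Normalize first, then abbreviate, so the abbreviation counts clean characters (assumption)."""
    if params.get("normalize", "false").lower() == "true":
        value = normalize(value)
    if "abbreviation" in params:
        value = value[: int(params["abbreviation"])]
    return value


def render_unique_name(syntax, context):
    """Expand every placeholder in `syntax`; an unknown key is an error, not silently blanked."""
    def substitute(match):
        key, raw_params = match.group(1), match.group(2)
        if key not in context:
            raise KeyError(f"unknown placeholder: {key}")
        return apply_modifiers(context[key], parse_params(raw_params))
    return PLACEHOLDER.sub(substitute, syntax)


if __name__ == "__main__":
    print(render_unique_name(DEFAULT_SYNTAX, CONTEXT))  # asaohm@example.org
```

Failing on an unknown placeholder, instead of substituting an empty string, matters because a silently blanked component would make several users' generated unique names collide.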
SequenceNumberPrefix
| Element | Value | Type | Description | Default |
|---|---|---|---|---|
| SequenceNumberPrefix | | string | This defines the prefix of the structure used when generating a sequence number for a user from a date. This is a special feature for Sweden named "Ordningsnummer". | 15 |
PersonAgeLimit
This defines an age regulation for a person with a social security number.
In this case the minimum allowed age of a person is 15 years and the maximum allowed age is 70. A search for a person by social security number gives a match only within this age span.
ExcludePrefix "15" means that the first two numeric values (15) are excluded from the regulation for special cases (e.g. persons created with a sequence number ("ordningsnummer")).
<User>
<PersonAgeLimit>
<ExcludePrefixes>
<ExcludePrefix>15</ExcludePrefix>
</ExcludePrefixes>
<Min>
<Years>15</Years>
</Min>
<Max>
<Years>70</Years>
</Max>
</PersonAgeLimit>
</User>
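The age regulation above as an added, runnable check (not the portal's code). It assumes the 12-digit serial number format YYYYMMDD-NNNN shown in the Navet/SPAR presentation examples further down, that a coordination number (samordningsnummer) has 60 added to the day of birth, and that a serial number starting with an excluded prefix bypasses the regulation altogether.

```python
from datetime import date
import xml.etree.ElementTree as ET

# The page's default PersonAgeLimit block, embedded so the example runs offline.
AGE_LIMIT_XML = """
<User>
  <PersonAgeLimit>
    <ExcludePrefixes>
      <ExcludePrefix>15</ExcludePrefix>
    </ExcludePrefixes>
    <Min><Years>15</Years></Min>
    <Max><Years>70</Years></Max>
  </PersonAgeLimit>
</User>
"""


def load_age_limit(xml_text):
    """Read prefixes and min/max years from a User/PersonAgeLimit block."""
    node = ET.fromstring(xml_text.strip()).find("PersonAgeLimit")
    return {
        "exclude_prefixes": [e.text for e in node.findall("ExcludePrefixes/ExcludePrefix")],
        "min_years": int(node.findtext("Min/Years")),
        "max_years": int(node.findtext("Max/Years")),
    }


def birth_date_from_serial(serial):
    """Parse a serial number of the form YYYYMMDD-NNNN (format assumed from the
    presentation examples). A coordination number adds 60 to the day, which is undone here."""
    digits = serial.replace("-", "").replace("+", "")
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError(f"unsupported serial number format: {serial!r}")
    year, month, day = int(digits[:4]), int(digits[4:6]), int(digits[6:8])
    if day > 60:
        day -= 60
    return date(year, month, day)


def age_in_years(born, today):
    """Completed years between two dates, birthday not yet reached this year counts down."""
    years = today.year - born.year
    if (today.month, today.day) < (born.month, born.day):
        years -= 1
    return years


def matches_age_limit(serial, limit, today):
    """True if a search for this serial number may return the person.

    Serial numbers starting with an excluded prefix (e.g. the sequence-number prefix 15)
    bypass the regulation; that reading of ExcludePrefix is an assumption."""
    digits = serial.replace("-", "")
    if any(digits.startswith(prefix) for prefix in limit["exclude_prefixes"]):
        return True
    age = age_in_years(birth_date_from_serial(serial), today)
    return limit["min_years"] <= age <= limit["max_years"]


if __name__ == "__main__":
    limit = load_age_limit(AGE_LIMIT_XML)
    for serial in ("20000101-0001", "19121212-1212", "15240601-0001"):
        print(serial, matches_age_limit(serial, limit, date(2024, 6, 1)))
```

Without the ExcludePrefix bypass, a sequence number such as 15240601-0001 would be parsed as a birth date in the year 1524 and rejected by the maximum age, which is why the prefix list exists alongside SequenceNumberPrefix.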
DefaultGroups
This defines a list of default groups when creating users. A newly created user will automatically be a member of this/these group(s).
| Element | Value | Type | Description | Default |
|---|---|---|---|---|
| DefaultGroup | | string | Specifies a default group. Can be specified multiple times to add the user to multiple groups. The value can be either a group name or a unique ID. | User |
In this case, a newly created user will be a member of the user group named "Users" and of the user group with unique ID "444".
<User>
<DefaultGroups>
<DefaultGroup>Users</DefaultGroup>
<DefaultGroup>444</DefaultGroup>
</DefaultGroups>
</User>
Flags
This defines flags for users in special cases.
In this case, when handling persons with social security numbers, it is possible to flag the users specified with the flag 0x1 "Secrecy". If the Enabled element is set to "true", an officer needs the privilege "UserModeSecrecy" to be able to search for and view a user whose social security number is tagged with secrecy; otherwise the officer is not able to do this and the response will be "NPR_ACCESS_DENIED".
<User>
<Flags>
<Flag Id="0x1" Name="Secrecy">
<Enabled>false</Enabled>
</Flag>
</Flags>
</User>
TokenLimit
This defines the number of tokens a user is allowed to have. If a TokenType element is removed, the limitation for that type is disabled.
The following example configures maximum token limits for different token types and usage scenarios:
<User>
<TokenLimit>
<TokenType Id="10" Name="SmartCard" Usage="Standard">
<Limit>1</Limit> (1)
</TokenType>
<TokenType Id="10" Name="SmartCard" Usage="Limited">
<Limit>100</Limit> (2)
</TokenType>
<TokenType Id="30" Name="VirtualToken" Usage="Standard">
<SubType Name="TPM">
<Limit>100</Limit> (3)
</SubType>
<SubType Name="SoftToken">
<Limit>500</Limit> (4)
</SubType>
</TokenType>
<TokenType Id="100" Name="File" Usage="Standard">
<SubType Name="PKCS12">
<Limit>1</Limit> (5)
</SubType>
</TokenType>
</TokenLimit>
</User>
| Callout | Limit |
|---|---|
| 1 | 1 standard smart card |
| 2 | 100 limited smart cards (temporary smart cards) |
| 3 | 100 TPM virtual tokens |
| 4 | 500 soft virtual tokens |
| 5 | 1 PKCS#12 file token |
Default:
<User>
<TokenLimit>
<TokenType Id="10" Name="SmartCard" Usage="Standard">
<Limit>1</Limit>
</TokenType>
<TokenType Id="10" Name="SmartCard" Usage="Limited">
<Limit>2</Limit>
</TokenType>
<TokenType Id="30" Name="VirtualToken" Usage="Standard">
<SubType Name="TPM">
<Limit>1</Limit>
</SubType>
<SubType Name="SoftToken">
<Limit>1</Limit>
</SubType>
</TokenType>
</TokenLimit>
</User>
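The limit lookup that TokenLimit implies, as an added example (not the product's code): it loads the default block above into a table keyed by token type id, usage and optional subtype, and answers whether one more token of a given kind may be issued to a user. The tuple shape of a token is this example's own choice; a combination with no configured TokenType is treated as unlimited, as the text states for a removed element.

```python
import xml.etree.ElementTree as ET

# The page's default TokenLimit block, reproduced verbatim.
DEFAULT_TOKEN_LIMIT_XML = """
<User>
  <TokenLimit>
    <TokenType Id="10" Name="SmartCard" Usage="Standard">
      <Limit>1</Limit>
    </TokenType>
    <TokenType Id="10" Name="SmartCard" Usage="Limited">
      <Limit>2</Limit>
    </TokenType>
    <TokenType Id="30" Name="VirtualToken" Usage="Standard">
      <SubType Name="TPM">
        <Limit>1</Limit>
      </SubType>
      <SubType Name="SoftToken">
        <Limit>1</Limit>
      </SubType>
    </TokenType>
  </TokenLimit>
</User>
"""


def load_token_limits(xml_text):
    """Return {(type_id, usage, subtype_or_None): limit} from a User/TokenLimit block.

    A TokenType with SubType children is limited per subtype; one without is limited as a whole."""
    limits = {}
    for token_type in ET.fromstring(xml_text.strip()).iter("TokenType"):
        type_id, usage = token_type.get("Id"), token_type.get("Usage")
        subtypes = token_type.findall("SubType")
        if subtypes:
            for sub in subtypes:
                limits[(type_id, usage, sub.get("Name"))] = int(sub.findtext("Limit"))
        else:
            limits[(type_id, usage, None)] = int(token_type.findtext("Limit"))
    return limits


def can_issue_token(limits, existing_tokens, new_token):
    """Tokens are (type_id, usage, subtype) tuples; existing_tokens is what the user holds.

    A combination without a configured TokenType has no limit, as the text states for a
    removed TokenType element."""
    limit = limits.get(new_token)
    if limit is None:
        return True
    held = sum(1 for token in existing_tokens if token == new_token)
    return held < limit


if __name__ == "__main__":
    limits = load_token_limits(DEFAULT_TOKEN_LIMIT_XML)
    smart_card = ("10", "Standard", None)
    print(can_issue_token(limits, [], smart_card))            # True: none held yet
    print(can_issue_token(limits, [smart_card], smart_card))  # False: default limit is 1
```

Note that the key includes Usage, so the standard and limited (temporary) smart cards in the default block are counted separately, which is what the two TokenType elements with the same Id express.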
User/List/OriginServiceTypes
This defines a list of the different origin service types of users.
Available service types are the same as {internal.enum.originservicetype}.
User/List/OriginServiceTypes/PrimaryTypeId
This defines the primary/default origin service type. By default, the primary service type is "Internal" (1), which means that the users are stored locally with the possibility to bind a relation to users from other service types like Microsoft Active Directory. If the primary service type is "MSAD" (2), the users will use Microsoft Active Directory only.
Internal
Internal/TableName
This defines the table name against the database for the purpose of listing/searching users.
Default:
usrs INNER JOIN orgs ON orgs.orgs_id = usrs.orgs_id LEFT JOIN adnl_ids ON adnl_ids.adnl_id_ent_ref_id = usrs.usrs_id
Internal/Statement
This defines the columns to be returned in the response from the database table.
Default:
usrs.usrs_id, usrs.usr_name, usrs.usr_snr, usrs.usr_uniq_name, orgs.org_name, adnl_ids.adnl_id_value
Internal/Conditions/Condition
This defines the conditions of the SQL query against the database table when listing/searching users.
Default:
<Conditions>
<Condition>
<Key>usrs.usr_name</Key>
<Operator>LIKE</Operator>
<Value>DIRECTIVE%</Value>
<Separator>OR</Separator>
</Condition>
<Condition>
<Key>usrs.usr_fn</Key>
<Operator>LIKE</Operator>
<Value>DIRECTIVE%</Value>
<Separator>OR</Separator>
</Condition>
<Condition>
<Key>usrs.usr_sn</Key>
<Operator>LIKE</Operator>
<Value>DIRECTIVE%</Value>
<Separator>OR</Separator>
</Condition>
<Condition>
<Key>usrs.usr_snr</Key>
<Operator>LIKE</Operator>
<Value>DIRECTIVE%</Value>
<Separator>OR</Separator>
</Condition>
<Condition>
<Key>adnl_ids.adnl_id_value</Key>
<Operator>LIKE</Operator>
<Value>%DIRECTIVE%</Value>
<Separator></Separator>
</Condition>
</Conditions>
Example:
<Conditions>
<Condition>
<Key>usrs.usr_name</Key>
<Operator>LIKE</Operator>
<Value>DIRECTIVE%</Value>
<Separator>OR</Separator>
</Condition>
<Condition>
<Key>usrs.usr_ref_id</Key>
<Operator>=</Operator>
<Value>NULL</Value>
<Separator>AND</Separator>
</Condition>
<Condition>
<Key>usrs.usr_empl_type_id</Key>
<Operator>=</Operator>
<Value>1</Value>
<Separator></Separator>
</Condition>
</Conditions>
In this example, an officer will not be able to search for alias users, and only active users (employment) are returned.
Internal/Presentation
This defines how the statement is used for presentation in the response when listing/searching users. By default, the response returns the headline Name, SerialNumber and UniqueName together with the data of the database rows.
Default:
Name=usr_name|SerialNumber=usr_snr|UniqueName=usr_uniq_name
| Name | SerialNumber | UniqueName |
|---|---|---|
| John Doe | 1234567890 | |
| John Ingram | 0987654321 | |
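How the Conditions list and the Presentation string above fit together when a search is executed, as an added example and not the portal's own query builder. It uses a constructed single-table subset of the default (the usrs columns only, without the orgs and adnl_ids joins) in an in-memory SQLite database. The point it adds: the officer's DIRECTIVE is bound as a parameter and its LIKE wildcards are escaped, so only the wildcards written in the configuration act as wildcards, while Key and Operator, which come from configuration, are validated against an identifier pattern and an allow-list. Translating Value NULL with Operator = into IS NULL is an assumption about the product.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed subset of the page's defaults: usrs only, no joins.
TABLE_NAME = "usrs"
STATEMENT = "usrs.usrs_id, usrs.usr_name, usrs.usr_snr, usrs.usr_uniq_name"
PRESENTATION = "Name=usr_name|SerialNumber=usr_snr|UniqueName=usr_uniq_name"
CONDITIONS_XML = """
<Conditions>
  <Condition><Key>usrs.usr_name</Key><Operator>LIKE</Operator><Value>DIRECTIVE%</Value><Separator>OR</Separator></Condition>
  <Condition><Key>usrs.usr_fn</Key><Operator>LIKE</Operator><Value>DIRECTIVE%</Value><Separator>OR</Separator></Condition>
  <Condition><Key>usrs.usr_sn</Key><Operator>LIKE</Operator><Value>DIRECTIVE%</Value><Separator>OR</Separator></Condition>
  <Condition><Key>usrs.usr_snr</Key><Operator>LIKE</Operator><Value>DIRECTIVE%</Value><Separator></Separator></Condition>
</Conditions>
"""

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$")
ALLOWED_OPERATORS = {"LIKE", "=", "<>", "<", ">", "<=", ">="}


def escape_like(directive, esc="\\"):
    """Escape %, _ and the escape character so the directive is matched literally."""
    return (directive.replace(esc, esc + esc)
                     .replace("%", esc + "%")
                     .replace("_", esc + "_"))


def build_where(conditions_xml, directive):
    """Translate the Condition list into a WHERE clause plus bound parameters."""
    parts, params = [], []
    conditions = ET.fromstring(conditions_xml.strip()).findall("Condition")
    for index, cond in enumerate(conditions):
        key = (cond.findtext("Key") or "").strip()
        op = (cond.findtext("Operator") or "").strip().upper()
        value = cond.findtext("Value") or ""
        sep = (cond.findtext("Separator") or "").strip().upper()
        if not IDENT.match(key) or op not in ALLOWED_OPERATORS:
            raise ValueError(f"rejected condition {key!r} {op!r}")
        if op == "=" and value == "NULL":
            parts.append(f"{key} IS NULL")  # assumption: '= NULL' in the config means IS NULL
        else:
            literal = escape_like(directive) if op == "LIKE" else directive
            params.append(value.replace("DIRECTIVE", literal))  # bound, never spliced into SQL
            parts.append(f"{key} {op} ?" + (" ESCAPE '\\'" if op == "LIKE" else ""))
        if sep in ("AND", "OR") and index < len(conditions) - 1:
            parts.append(sep)
    return " ".join(parts), params


def parse_presentation(spec):
    """'Name=usr_name|SerialNumber=usr_snr' -> [('Name', 'usr_name'), ('SerialNumber', 'usr_snr')]."""
    return [tuple(item.split("=", 1)) for item in spec.split("|") if item]


def search_users(conn, directive):
    """Run the search and shape each row according to the Presentation headline."""
    where, params = build_where(CONDITIONS_XML, directive)
    cur = conn.execute(f"SELECT {STATEMENT} FROM {TABLE_NAME} WHERE {where}", params)
    columns = [d[0].split(".")[-1] for d in cur.description]
    headline = parse_presentation(PRESENTATION)
    return [{name: row[columns.index(col)] for name, col in headline} for row in cur.fetchall()]


def make_demo_db():
    """Constructed sample data; the third row has a literal '%' at the start of its name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usrs (usrs_id INTEGER, usr_name TEXT, usr_fn TEXT, "
                 "usr_sn TEXT, usr_snr TEXT, usr_uniq_name TEXT)")
    conn.executemany("INSERT INTO usrs VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "John Doe", "John", "Doe", "1234567890", "johdoe@example.org"),
        (2, "John Ingram", "John", "Ingram", "0987654321", "johing@example.org"),
        (3, "%Wildcard", "Percent", "Sign", "5555555555", "persig@example.org"),
    ])
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print(search_users(conn, "John"))  # two rows shaped as Name/SerialNumber/UniqueName
    print(search_users(conn, "%"))     # only the row whose name literally starts with '%'
```

Searching for "%" returns only the third row; without escape_like the same directive would match every user, because DIRECTIVE% would collapse to %%.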
Microsoft Active Directory
Microsoft Active Directory/Condition
This defines the default LDAP condition against the directory service (MSAD).
Default:
<![CDATA[(&(objectCategory=person)(objectClass=user)(|(&(anr=DIRECTIVE)(!userAccountControl:1.2.840.113556.1.4.803:=2))))]]>
By default, the LDAP filter searches for users with objectCategory:person and objectClass:user whose userAccountControl marks them as enabled in the directory service.
Microsoft Active Directory/ConditionPretermit
This defines the LDAP condition against the directory service for officers with higher privileges.
Default:
<![CDATA[(&(objectCategory=person)(objectClass=user)(|(&(anr=DIRECTIVE))))]]>
By default, the LDAP filter searches for users in the same way as above, except for userAccountControl, so users that are disabled in the directory service are found as well.
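Both default filters above have the officer's input substituted for DIRECTIVE inside an assertion value, so the substitution needs to escape the characters that would otherwise change the filter's structure. The following is an added example (not the product's code) that renders Condition or ConditionPretermit with RFC 4515 escaping; the allow_wildcard option, which keeps "*" so that prefix searches still work, is this example's own assumption.

```python
# The two default filters from the text, with the DIRECTIVE placeholder kept.
LDAP_CONDITION = (
    "(&(objectCategory=person)(objectClass=user)"
    "(|(&(anr=DIRECTIVE)(!userAccountControl:1.2.840.113556.1.4.803:=2))))"
)
LDAP_CONDITION_PRETERMIT = "(&(objectCategory=person)(objectClass=user)(|(&(anr=DIRECTIVE))))"

# RFC 4515 escapes for the characters that carry meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value, allow_wildcard=False):
    """Escape an assertion value so the officer's input is matched literally.

    allow_wildcard=True leaves '*' alone so a prefix search remains possible (assumption)."""
    out = []
    for ch in value:
        if ch == "*" and allow_wildcard:
            out.append(ch)
        else:
            out.append(_FILTER_ESCAPES.get(ch, ch))
    return "".join(out)


def render_ldap_condition(directive, pretermit=False, allow_wildcard=False):
    """Pick Condition or ConditionPretermit (higher privileges) and substitute the directive."""
    template = LDAP_CONDITION_PRETERMIT if pretermit else LDAP_CONDITION
    return template.replace("DIRECTIVE", escape_filter_value(directive, allow_wildcard))


def is_balanced(filter_text):
    """Sanity check on the rendered filter: parentheses close in order and end at depth zero."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    print(render_ldap_condition("Doe"))
    print(render_ldap_condition("Doe", pretermit=True))
    print(render_ldap_condition("a*b(c)"))  # the special characters arrive escaped
```

The balance check is not a substitute for escaping; it only catches a rendering bug that produced a structurally broken filter.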
Microsoft Active Directory/Presentation
This defines the attributes from the directory service used for presentation when listing/searching users.
Name=displayName|SerialNumber=serialNumber[0]|UniqueName=userPrincipalName
| Name | SerialNumber | UniqueName |
|---|---|---|
| Administrator | 112233 | |
| SuperAdmin | 445566 | |
Microsoft Active Directory/Binding
This defines the attributes that should be used when binding a user from the directory service. Binding a user means that the user in the response does not exist locally in the database and needs to be created.
Default: InputFieldGivenName=givenName|InputFieldSurname=sn|InputFieldEmailAdress=mail|InputFieldSerialNumber=serialNumber|ParameterAdditionalIdentityUserPrincipalName=userPrincipalName|ParameterAdditionalIdentityObjectSid=objectSID
In this case, the binding procedure will create a new task with pre-defined values against the input fields in the task (e.g. the email address from the directory service will be published against the EmailAddress input field in the task, the user principal name will be published against the AdditionalIdentityUserPrincipalName parameter object in the task, etc.).
Microsoft Active Directory/Mapping
This defines a mapping structure from a native object to a customized attribute in the directory service. By default, this configuration is undefined.
Example:
mail=otherMailbox[0]
In this case, the default attribute "mail" should not be used and is instead mapped to the customized attribute "otherMailbox", a list, using the first index of the list ([0]).
Microsoft Entra ID
Microsoft Entra ID/Condition
This defines the search syntax against Microsoft Entra ID (Graph API).
<![CDATA[$search="displayName:DIRECTIVE"&$filter=accountEnabled eq true]]>
This will search for users against the Graph API with the condition of displayName attribute and users that are enabled.
Microsoft Entra ID/ConditionPretermit
This defines the search syntax against Microsoft Entra ID (Graph API) for officers with higher privileges.
Default:
<![CDATA[$search="displayName:DIRECTIVE"]]>
This will search for users against the Graph API with the condition of displayName attribute and users that are enabled and disabled.
Microsoft Entra ID/Presentation
This defines the attributes from the directory service used for presentation when listing/searching users.
Default:
Name=displayName|SID=securityIdentifier|UniqueName=userPrincipalName
Table 5 Example
| Name | SID | UniqueName |
|---|---|---|
| Administrator | S-1-5-21-2999047346-759384756-265759322-0001 | |
| SuperAdmin | S-1-5-21-2999047346-759384756-265759322-0002 | |
Microsoft Entra ID/Binding
This defines the attributes that should be used when binding a user from the directory service. Binding a user means that the user in the response does not exist locally in the database and needs to be created. See the description for the Microsoft Active Directory service above.
Default:
InputFieldGivenName=givenName|InputFieldSurname=surname|InputFieldEmailAdress=mail|ParameterAdditionalIdentityUserPrincipalName=userPrincipalName|ParameterAdditionalIdentityObjectSid=securityIdentifier
Swedish Tax Agency Navet
Swedish Tax Agency Navet/Condition
This defines the search syntax against the national citizen register of Sweden.
Default:
IdentityLevel=Approved,IdentityType=1.2.752.129.2.1.3.1,IdentityType=1.2.752
This will return persons from the citizen service that are specified as Approved and typed as social security numbers (Swedish: personnummer) or coordination numbers (Swedish: samordningsnummer).
Swedish Tax Agency Navet/Presentation
This defines the data from the national citizen register of Sweden used for presentation.
Default: Name=DisplayName|SerialNumber=PersonalId
| Name | SerialNumber |
|---|---|
| John Doe | 19121212-1212 |
Swedish Tax Agency Navet/Binding
This defines the attributes that should be used when binding a user from the citizen service. Binding a user means that the user in the response does not exist locally in the database and needs to be created. See the description for the Microsoft Active Directory service above.
Default: InputFieldGivenName=Forenames|InputFieldMiddleName=MiddleName|InputFieldSurname=Surname|InputFieldSerialNumber=PersonalId
Swedish Tax Agency SPAR
Swedish Tax Agency SPAR/Condition
This defines the search syntax against the national citizen register of Sweden.
Default:
IdentityLevel=Approved,IdentityType=1.2.752.129.2.1.3.1,IdentityType=1.2.752
This will return persons from the citizen service that are specified as Approved and typed as social security numbers (Swedish: personnummer) or coordination numbers (Swedish: samordningsnummer).
Swedish Tax Agency SPAR/Presentation
This defines the data from the national citizen register of Sweden used for presentation.
Default:
Name=DisplayName|SerialNumber=PersonalId
| Name | SerialNumber |
|---|---|
| John Doe | 19121212-1212 |
Swedish Tax Agency SPAR/Binding
This defines the attributes that should be used when binding a user from the citizen service. Binding a user means that the user in the response does not exist locally in the database and needs to be created. See the description for the Microsoft Active Directory service above.
Default: InputFieldGivenName=Forenames|InputFieldMiddleName=MiddleName|InputFieldSurname=Surname|InputFieldSerialNumber=PersonalId
User/Synchronize
This defines the configuration of the feature that automatically synchronizes data from the origin object to the native object of the database table.
Default:
<User>
<Synchronize>
<List>
<OriginServiceTypes>
<OriginServiceType Id="2" Name="Microsoft Active Directory">
<Binding>GivenName=givenName|MiddleName=middlename|Surname=sn|SerialNumber=serialNumber|EmailAddress=mail</Binding>
</OriginServiceType>
<OriginServiceType Id="10" Name="Microsoft Entra ID">
<Binding>GivenName=givenName|Surname=surname|EmailAddress=mail</Binding>
</OriginServiceType>
<OriginServiceType Id="5" Name="Swedish Tax Agency Navet">
<Binding>GivenName=Forenames|MiddleName=MiddleName|Surname=Surname</Binding>
</OriginServiceType>
<OriginServiceType Id="8" Name="Swedish Tax Agency SPAR">
<Binding>GivenName=Forenames|MiddleName=MiddleName|Surname=Surname</Binding>
</OriginServiceType>
</OriginServiceTypes>
</List>
</Synchronize>
</User>
User/PresentationActivities
This defines customized activities that an officer should be able to manage when loading a user object through GetObject:User.
The syntax of the configuration per activity is:
- Name: The customized name of the activity.
- Method: The API call method.
- Type: The type of the API call.
- Id: The id of the object.
<User>
<PresentationActivities>
<Activity>
<Name>Get tokens</Name>
<Method>GetList</Method>
<Type>Token</Type>
<Id>{internal.user.id}</Id>
</Activity>
</PresentationActivities>
</User>
This example will present the activity "Get tokens". The activity informs the client to call GetList with the type Token and the id 3, which results in a list of tokens for the user with id 3.
Token/List/OriginServiceTypes
- Internal/TableName
This defines the table name against the database for the purpose of listing/searching tokens.
Default:
tkns LEFT JOIN orgs ON orgs.orgs_id = tkns.orgs_id LEFT JOIN tkn_tmls ON tkn_tmls.tkn_tmls_id = tkns.tkn_tmls_id
- Internal/Statement
This defines the columns to be returned in the response from the database table.
Default:
tkns.tkns_id, tkns.tkn_type, tkns.tkn_snr, tkns.tkn_seqnr1, tkns.tkn_seqnr2, tkns.tkn_cntctlss, tkns.tkn_status, orgs.org_name, tkn_tmls.tkn_tml_name
- Internal/Conditions/Condition
This defines the conditions of the SQL query against the database table when listing/searching tokens.
Default:
<Conditions>
<Condition>
<Key>tkns.tkn_snr</Key>
<Operator>LIKE</Operator>
<Value>DIRECTIVE%</Value>
<Separator>OR</Separator>
</Condition>
<Condition>
<Key>tkns.tkn_seqnr1</Key>
<Operator>LIKE</Operator>
<Value>DIRECTIVE%</Value>
<Separator>OR</Separator>
</Condition>
<Condition>
<Key>tkns.tkn_seqnr2</Key>
<Operator>LIKE</Operator>
<Value>DIRECTIVE%</Value>
<Separator></Separator>
</Condition>
</Conditions>
- Internal/Presentation
This defines how the statement is used for presentation in the response when listing/searching tokens. By default, the response returns the headline Type, SerialNumber, TemplateName and Status together with the data of the database rows.
Default: Type={internal.enum.tokentype(identifier=tkn_type)}|SerialNumber=tkn_snr|TemplateName=tkn_tml_name|Status={internal.enum.tokenstatus(identifier=tkn_status)}
| Type | SerialNumber | TemplateName | Status |
|---|---|---|---|
| SmartCard | 1122334455 | Standard token | Revoked |
| SmartCard | 112233445566 | Temporary token | Active |
- Internal/SortBy
This defines the sorting of the SQL query against the database table when listing/searching tokens.
Default:
tkns.tkns_id=ASC|tkns.tkn_snr=ASC
This sorts the items by the unique id of the token in ascending order and then by the token serial number in ascending order.
EndEntity/List/OriginServiceTypes
This defines a list of the different origin service types of end entities.
- Internal/TableName
This defines the table name against the database for the purpose of listing/searching end entities.
Default:
end_entities INNER JOIN orgs ON orgs.orgs_id = end_entities.orgs_id LEFT JOIN ofcs ON ofcs.ofcs_id = end_entities.end_entity_ofc_ref_id LEFT JOIN adnl_ids ON adnl_ids.adnl_id_ent_ref_id = end_entities.end_entities_id
- Internal/Statement
This defines the columns to be returned in the response from the database table.
Default:
end_entities.end_entities_id, end_entities.end_entity_name, end_entities.end_entity_type, end_entities.end_entity_status, orgs.org_name
- Internal/Conditions/Condition
This defines the conditions of the SQL query against the database table when listing/searching end entities.
Default:
<Conditions>
<Condition>
<Key>end_entities.end_entity_name</Key>
<Operator>LIKE</Operator>
<Value>DIRECTIVE%</Value>
<Separator>OR</Separator>
</Condition>
<Condition>
<Key>adnl_ids.adnl_id_value</Key>
<Operator>LIKE</Operator>
<Value>%DIRECTIVE%</Value>
<Separator></Separator>
</Condition>
</Conditions>
- Internal/Presentation
This defines how the statement is used for presentation in the response when listing/searching end entities. By default, the response returns the headline Name, Type and Status together with the data of the database rows.
Default:
Name=end_entity_name|Type={internal.enum.endentitytype(identifier=end_entity_type)}|Status={internal.enum.endentitystatus(identifier=end_entity_status)}
| Name | Type | Status |
|---|---|---|
| WebServer04 | Computer | Active |
- Microsoft Active Directory/Condition
This defines the default LDAP condition against the directory service (MSAD).
Default:
<![CDATA[(&(objectCategory=computer)(objectClass=computer)(|(&(anr=DIRECTIVE))))]]>
By default, the LDAP filter searches for computer objects with objectCategory:computer and objectClass:computer.
- Microsoft Active Directory/Presentation
This defines the attributes from the directory service used for presentation when listing/searching end entities.
Default:
Name=cn|Type=distinguishedName|Status=
| Name | Type | Status |
|---|---|---|
| WebServer05 | CN=WebServer05,CN=Computers,DC=contoso,DC=net | |
| WebServer06 | CN=WebServer06,CN=Computers,DC=contoso,DC=net | |
EndEntity/Synchronize
This defines the configuration of the feature that automatically synchronizes data from the origin object to the native object of the database table.
Default:
<EndEntity>
<Synchronize>
<List>
<OriginServiceTypes>
<OriginServiceType Id="2" Name="Microsoft Active Directory">
<Binding>Name=cn|SerialNumber=serialNumber|MobileNumber=telephoneNumber|EmailAddress=mail</Binding>
</OriginServiceType>
</OriginServiceTypes>
</List>
</Synchronize>
</EndEntity>
EndEntity/PresentationActivities
This defines customized activities that an officer should be able to manage when loading an end entity object through GetObject:EndEntity.
The syntax of the configuration per activity is:
- Name: The customized name of the activity.
- Method: The API call method.
- Type: The type of the API call.
- EntityType: Specifies the entity type (e.g. EndEntity).
- Id: The id of the object.
<EndEntity>
<PresentationActivities>
<Activity>
<Name>Get certificates</Name>
<Method>GetList</Method>
<Type>Certificate</Type>
<EntityType>EndEntity</EntityType>
<Id>{internal.endentity.id}</Id>
</Activity>
</PresentationActivities>
</EndEntity>
This example will present the activity "Get certificates". The activity informs the client to call GetList with the type Certificate, the entity type EndEntity and the id 44, which results in a list of certificates for the end entity with id 44.
Certificate/List/OriginServiceTypes
This defines a list of the different origin service types of certificates.
- Internal/TableName
This defines the table name against the database for the purpose of listing/searching certificates.
Default:
crts LEFT JOIN orgs ON orgs.orgs_id = crts.orgs_id
- Internal/Statement
This defines the columns to be returned in the response from the database table.
Default:
crts.crts_id, crts.crt_subject_name, crts.crt_issuer_name, crts.crt_status, orgs.org_name
- Internal/Conditions/Condition
This defines the conditions of the SQL query against the database table when listing/searching certificates.
Default:
<Conditions>
<Condition>
<Key>crts.crt_subject_name</Key>
<Operator>LIKE</Operator>
<Value>DIRECTIVE%</Value>
<Separator>OR</Separator>
</Condition>
<Condition>
<Key>crts.crt_subject_alt_name</Key>
<Operator>LIKE</Operator>
<Value>DIRECTIVE%</Value>
<Separator>OR</Separator>
</Condition>
<Condition>
<Key>crts.crt_auth_tml_name</Key>
<Operator>LIKE</Operator>
<Value>DIRECTIVE%</Value>
<Separator></Separator>
</Condition>
</Conditions>
- Internal/Presentation
This defines how the statement is used for presentation in the response when listing/searching certificates. By default, the response returns the headline Name, Issuer, Status and OrganizationName together with the data of the database rows.
Default: Name=crt_subject_name|Issuer=crt_issuer_name|Status={internal.enum.certificatestatus(identifier=crt_status)}|OrganizationName=org_name
Example:
| Name | Issuer | Status | OrganizationName |
|---|---|---|---|
| John Doe | ContosoCA v1 | Expired | Contoso Ltd. |
| John Ingram | ContosoCA v1 | Expired | Contoso Ltd. |
Report/Data/Encoding
This defines the default encoding of the data blob when generating reports.
Default:
<Report>
<Data>
<Encoding>UTF8BOM</Encoding>
</Data>
</Report>
This means that the data blob of a report is UTF-8 encoded with BOM to enable import of UTF-8 for other applications (e.g. Microsoft Excel).
Report/List
This defines the configuration of list/search reports in the same way like other objects (see User and Tokens for examples above).
Report/PresentationActivities
This defines customized activities that an officer should be able to manage when loading a report object through GetObject:Report.
Default:
By default, the activities will be Update-/Delete item tasks for current object.
AuditLog/List
This defines the configuration of list/search audit log items in the same way like other objects (see User and Tokens for examples above).
DiagnosticLog/List
This defines the configuration of list/search diagnostic log items in the same way like other objects (see User and Tokens for examples above).
Organization/List
This defines the configuration of list/search organization items in the same way like other objects (see User and Tokens for examples above).
Organization/PresentationActivities
This defines customized activities that an officer should be able to manage when loading an organization object through GetObject:Organization.
Default:
By default, the activities will be Update-/Delete item tasks for current object.
ActiveUser/List
This defines the configuration of list/search active user items in the same way like other objects (see User and Tokens for examples above).
ActiveUser/IdleExpiration
This defines the default expiration time for inactivity of a logged-in user.
Default:
<ActiveUser>
<IdleExpiration>
<Minutes>20</Minutes>
</IdleExpiration>
</ActiveUser>
In this case, the TimerService monitor module removes the session id of the logged-in user if the idle time exceeds 20 minutes, and the user has to log in to the system again.
Task/List
This defines the configuration of list/search task items in the same way like other objects (see User and Tokens for examples above).
Task/Validity
This defines the validity of a task. The default is one week, after which the task will be deleted by the TimerService monitor module.
Default:
<Task>
<Validity>
<Default>
<Days>7</Days>
</Default>
</Validity>
</Task>
It’s possible to set a validity for a specific task type. Example:
<Task>
<Validity>
<Default>
<Days>7</Days>
</Default>
<TaskType Id="888">
<Weeks>4</Weeks>
</TaskType>
<TaskType Id="999">
<Days>10</Days>
</TaskType>
</Validity>
</Task>
In this example, the task type with id 888 expires after four weeks and the task type with id 999 expires after 10 days. All other tasks use the default expiration.
Task/ProcessValidity
This defines how long a task may remain in processing before it is released. The default is one day, after which the task is released to anyone by the TimerService monitor module.
Default:
<Task>
<ProcessValidity>
<Default>
<Days>1</Days>
</Default>
</ProcessValidity>
</Task>
It’s possible to set a processing validity for a specific task type. Example:
<Task>
<ProcessValidity>
<Default>
<Days>1</Days>
</Default>
<TaskType Id="999">
<Hours>1</Hours>
</TaskType>
</ProcessValidity>
</Task>
In this example, the task type with id 999 will be released after one hour of inactivity. All other tasks use the default processing validity.
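As an added illustration (not part of the product's own code), the following Python resolves the time span that applies to a task type under Task/Validity and Task/ProcessValidity: a matching <TaskType Id> entry wins, otherwise the section's <Default> applies. The combined <Task> blob and the creation timestamp are constructed for the demonstration, and the function names are my own.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample: the Task/Validity and Task/ProcessValidity structures
# from the examples above, combined into one <Task> blob for this demonstration.
TASK_CONFIG = """
<Task>
  <Validity>
    <Default><Days>7</Days></Default>
    <TaskType Id="888"><Weeks>4</Weeks></TaskType>
    <TaskType Id="999"><Days>10</Days></TaskType>
  </Validity>
  <ProcessValidity>
    <Default><Days>1</Days></Default>
    <TaskType Id="999"><Hours>1</Hours></TaskType>
  </ProcessValidity>
</Task>
"""

# Time-span child elements used on this page (Weeks/Days/Hours, plus Minutes
# from ActiveUser/IdleExpiration), mapped to timedelta keyword arguments.
SPAN_UNITS = {"Weeks": "weeks", "Days": "days", "Hours": "hours", "Minutes": "minutes"}


def to_timedelta(node):
    """Sum every recognised time-span child of a <Default> or <TaskType> node."""
    parts = {SPAN_UNITS[c.tag]: int(c.text) for c in node if c.tag in SPAN_UNITS}
    if not parts:
        raise ValueError(f"no time span under <{node.tag}>")
    return timedelta(**parts)


def resolve_validity(task_xml, section, task_type_id):
    """Return the span for a task type: the matching <TaskType Id="..."> entry
    in the given section (Validity or ProcessValidity), else that section's <Default>."""
    root = ET.fromstring(task_xml)
    sec = root.find(section)
    if sec is None:
        raise ValueError(f"<{section}> missing from <Task>")
    for tt in sec.findall("TaskType"):
        if tt.get("Id") == str(task_type_id):
            return to_timedelta(tt)
    return to_timedelta(sec.find("Default"))


def expiry(task_xml, section, task_type_id, created):
    """The point in time at which the TimerService would act on a task created at `created`."""
    return created + resolve_validity(task_xml, section, task_type_id)


if __name__ == "__main__":
    created = datetime(2024, 5, 28, 12, 33, 14)  # constructed creation timestamp
    for tid in (101, 888, 999):
        print(tid, expiry(TASK_CONFIG, "Validity", tid, created),
              expiry(TASK_CONFIG, "ProcessValidity", tid, created))
```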
Task/LockOnCreate
This defines a flag for whether a newly created task should be locked to the requestor (the current user) who created the task; otherwise the task is available for anyone to access.
| Element | Value | Type | Description | Default |
|---|---|---|---|---|
| LockOnCreate | | boolean | Defines whether a newly created task should be locked to the requestor (current user) who created the task. If false, the task is available for anyone to access. | true |
Task/CounterLimit
This defines the maximum number of tasks of a given type that may be created.
<Task>
<CounterLimit>
<TaskType Id="101" Name="CreateUser">200</TaskType>
<TaskType Id="106" Name="UpdateUser">-1</TaskType>
<TaskType Id="120" Name="DeleteUser">0</TaskType>
</CounterLimit>
</Task>
In this example, a total of 200 "CreateUser" tasks may be created, an unlimited number (-1 = infinite) of "UpdateUser" tasks, and no (0 = disabled) "DeleteUser" tasks.
Task/Signature
This defines the configuration of the signature method used when signing task actions for different kinds of key algorithms. The two structures are PKCS7 and RAW. PKCS7 creates a CMS blob according to the PKCS#7 standard; RAW creates a raw signature.
<Task>
<Signature>
<Method PublicKeyAlgorithm="RSA">PKCS7</Method>
<Method PublicKeyAlgorithm="ECC">RAW</Method>
</Signature>
</Task>
In this example, RSA signatures follow the PKCS#7 standard while ECC signatures are raw ECDSA signatures. By default, this configuration is undefined and the PKCS#7 standard is always used.
Task/TaskInfoList
This defines customized types for a task to be presented when calling GetObject:TaskInfo. The types use the dynamic attribute structure (GetData).
<Task>
<TaskInfoList>
<Types>
<Type Name="Id">{current.task.id}</Type>
<Type Name="Name">{current.task.typename}</Type>
<Type Name="Status">{current.task.statusname}</Type>
<Type Name="StatusAdditional">{current.task.statusadditionalname}</Type>
<Type Name="Requestor">{internal.user.name(identifier=current.task.requestorid)}</Type>
<Type Name="Processor">{internal.user.name(identifier=current.task.processorid)}</Type>
<Type Name="NextStep">{current.task.nextactioninfo}</Type>
</Types>
</TaskInfoList>
</Task>
In this example, the GetObject:TaskInfo call will return an object containing a list of Name/Value pairs for:
- The id of the task.
- The task type name.
- The status.
- The additional status.
- The requestor name.
- The processor name.
- The next step of action.
GenericData
This defines customized data strings that can be used anywhere in the system.
<GenericData>
<Data Id="Example">Example of a value...</Data>
</GenericData>
NotificationManager
This defines the configuration of notifications from the system. The notifications are triggered by the TimerService monitor module.
NotificationManager/Purpose/CertificateExpiration/User
This defines the configuration of notifications regarding expiration of user certificates.
NotificationManager/Purpose/CertificateExpiration/EndEntity
This defines the configuration of notifications regarding expiration of end entity certificates.
NotificationManager/Purpose/CertificateExpiration/External
This defines the configuration of notifications regarding expiration of external certificates that have been manually imported into the system.
NotificationManager/Purpose/CertificateExpiration/ManufacturerDatabase
This defines the configuration of notifications regarding expiration of external certificates that have been automatically synchronized from an external CA.
NotificationManager/Purpose/CertificateExpiration/NotificationLevels
This defines a list of levels when using multiple notifications. In the example below, the first notification is sent when the certificate has 60 days left before expiration, the second notification when it has 10 days left, etc.
NotificationManager/Purpose/CertificateExpiration/Message
This defines the message in the notification. This value can be a customized string or a template from the text configuration using GetData (example:
<Message>{internal.language.text(data=CertificateExpirationNotification)}</Message>).
NotificationManager/Purpose/CertificateExpiration/Services
This defines the type of service to be used for sending the notification (e.g. SMTP or SMS). The receiver will be the email address of the object, if one exists (e.g. user email address, end entity email address); otherwise no notification will be sent.
<NotificationLevels>
<NotificationLevel Id="1">
<Days>60</Days>
</NotificationLevel>
<NotificationLevel Id="2">
<Days>10</Days>
</NotificationLevel>
</NotificationLevels>
<Message>A certificate will expire soon.</Message>
<Services>
<Service>
<Type>SMTP</Type>
<Receiver></Receiver>
</Service>
<Service>
<Type>SMS</Type>
<Receiver></Receiver>
</Service>
</Services>
NotificationManager/Purpose/ServerLicense/Amount
This defines the configuration of notifications regarding the server license when the number of active users begins to approach its maximum limit.
NotificationManager/Purpose/ServerLicense/Validity
This defines the configuration of notifications regarding the server license when the validity of the license begins to expire.
NotificationManager/Purpose/OneTimePassword/Login
This defines the configuration of notifications when a user should be notified with an OTP for logging in to the system.
NotificationManager/Purpose/OneTimePassword/Verify
This defines the configuration of notifications when a user should be notified with an OTP for verification of another device (e.g. Net iD Access).
NotificationManager/Purpose/OneTimePassword/Custom
This defines the configuration of notifications when a user should be notified with an OTP for customized purposes.
NotificationManager/Purpose/AuditLogStatus
This defines the configuration of notifications when an officer/administrator should be notified because the audit log could not be verified.
NotificationManager/Purpose/TokenOrderError
This defines the configuration of notifications when a manufacturer returns an error for an existing token order that needs to be reported, so that the officer can log in to the portal and view the details of the current issue.
<Purpose Type="TokenOrderError">
<Message>An error occurred for token order with id {current.task.id}: </Message>
<Services>
<Service>
<Type>SMTP</Type>
<Receiver>{internal.user.email(identifier=current.task.requestorid)}</Receiver>
</Service>
<Service>
<Type>SMS</Type>
<Receiver>{internal.user.mobile(identifier=current.task.requestorid)}</Receiver>
</Service>
</Services>
</Purpose>
ConditionManager
This defines customized conditions for different kinds of purposes (e.g. the available task types, or a task action condition depending on input).
Available purposes:
- TaskType
- TaskAction
- TokenTemplateRestriction
Condition/Set/Value
This defines the value of the condition to be used in the comparison (e.g. {internal.system.datetime}).
Condition/Set/Condition/Operator
This defines the comparison operator applied to the value (e.g. ">" (greater than), "<" (less than), "=" (equals) and "!=" (not equals)).
Condition/Set/Condition/Data
This defines the data that the value is compared against.
In the example below, the task type will be present if the user end date and time is either greater than the current time or not specified.
- Result of condition set 1: if 2029-12-31 23:59:59 is greater than 2024-05-28 12:33:14, the condition set is true. Otherwise the condition set is false.
- Result of condition set 2: if 2029-12-31 23:59:59 equals nothing (an empty value), the condition set is true. Otherwise the condition set is false.
<ConditionManager>
<Purpose Type="TaskType">
<ConditionList>
<Condition Name="RequireUserNotEnded" Merge="false"> (1)
<Set>
<Type>Dynamic</Type> (2)
<Value>{internal.user.employmentenddate}</Value> (3)
<IndexOf></IndexOf>
<Condition>
<Operator><![CDATA[>]]></Operator> (4)
<Data>{internal.system.datetime}</Data> (5)
</Condition>
</Set>
<Set>
<Type>Dynamic</Type> (6)
<Value>{internal.user.employmentenddate}</Value> (7)
<IndexOf></IndexOf>
<Condition>
<Operator><![CDATA[=]]></Operator> (8)
<Data></Data> (9)
</Condition>
</Set>
</Condition>
</ConditionList>
</Purpose>
</ConditionManager>
| 1 | The task type condition named RequireUserNotEnded checks that the user has not been ended or expired. The condition is declared in two subordinate conditions by the <Set> elements. |
| 2 | The Type value Dynamic means that a dynamic attribute is used (GetData). |
| 3 | The Value value {internal.user.employmentenddate} is the end date of the user, e.g., 2029-12-31 23:59:59. |
| 4 | The Operator value is set to > (greater than). |
| 5 | The Data value {internal.system.datetime} means current date and time of the system, e.g., 2024-05-28 12:33:14. |
| 6 | The Type value Dynamic means that a dynamic attribute is used (GetData). |
| 7 | The Value value {internal.user.employmentenddate} is the end date of the user, e.g., 2029-12-31 23:59:59. |
| 8 | The Operator value is set to = (equals). |
| 9 | The Data value is empty. |
In the following example, the two sets are merged (Merge="true"), meaning the condition is only fulfilled if both sets are true.
The second set checks that the user start date is in the past (less than the current date and time).
Because this configuration uses "AND" logic, this specific setup cannot express alternative scenarios, such as requiring the end date to be either in the future or not specified at all.
<ConditionManager>
<Purpose Type="TaskType">
<ConditionList>
<Condition Name="RequireUserNotEnded" Merge="true"> (1)
<Set>
<Type>Dynamic</Type>
<Value>{internal.user.employmentenddate}</Value>
<IndexOf></IndexOf>
<Condition>
<Operator><![CDATA[>]]></Operator>
<Data>{internal.system.datetime}</Data>
</Condition>
</Set>
<Set>
<Type>Dynamic</Type>
<Value>{internal.user.employmentstartdate}</Value>
<IndexOf></IndexOf>
<Condition>
<Operator><![CDATA[<]]></Operator>
<Data>{internal.system.datetime}</Data>
</Condition>
</Set>
</Condition>
</ConditionList>
</Purpose>
</ConditionManager>
| 1 | The Condition attribute Merge is set to true so both sets must be fulfilled to enable the condition. |
Condition/Set/IndexOf
This defines a part (substring) of the condition value to be used.
In this example, only a part of the value is used. Value returns the serial number of a user, for example 191212121234. It is then taken from index 8 for the next 4 characters, which results in 1234.
This can be used in conditions to allow or disallow based on the last four digits of the social security number of a user.
<Set>
<Type>Dynamic</Type>
<Value>{internal.user.serialnumber}</Value>
<IndexOf>8,4</IndexOf>
</Set>
In this example, the condition checks whether the InputField in the task named MYNAME equals MYVALUE.
If it does, the task moves to the task action with the reference MYTASKACTION, skipping the task actions between the current action and MYTASKACTION.
<ConditionManager>
<Purpose Type="TaskAction">
<ConditionList>
<Condition Name="TestCondition" Merge="true">
<Set>
<Type>Dynamic</Type>
<Value>{current.task.myname}</Value>
<IndexOf></IndexOf>
<Condition>
<Operator><![CDATA[=]]></Operator>
<Data>MYVALUE</Data>
</Condition>
</Set>
<ActionList>
<Action>
<Name>TaskActionReference</Name>
<Value>MYTASKACTION</Value>
</Action>
</ActionList>
</Condition>
</ConditionList>
</Purpose>
</ConditionManager>
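The following Python is an added example (not the product's own code) that evaluates a ConditionManager condition the way the Condition/Set, Operator, Data, IndexOf and Merge sections above describe it: each <Set> resolves its Value, applies the optional IndexOf substring and compares it with the Operator against Data; Merge="true" requires every set to hold, Merge="false" accepts any set. The GetData lookup is replaced by a plain dictionary of constructed attribute values, and the second condition (RequireLastFourDigits) is a constructed IndexOf case, not one from the page.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the page's RequireUserNotEnded condition (Merge="false", two
# alternative sets) plus a constructed IndexOf condition on the user's serial number.
CONDITION_XML = """<ConditionManager><Purpose Type="TaskType"><ConditionList>
<Condition Name="RequireUserNotEnded" Merge="false">
 <Set><Type>Dynamic</Type><Value>{internal.user.employmentenddate}</Value><IndexOf></IndexOf>
  <Condition><Operator><![CDATA[>]]></Operator><Data>{internal.system.datetime}</Data></Condition></Set>
 <Set><Type>Dynamic</Type><Value>{internal.user.employmentenddate}</Value><IndexOf></IndexOf>
  <Condition><Operator><![CDATA[=]]></Operator><Data></Data></Condition></Set>
</Condition>
<Condition Name="RequireLastFourDigits" Merge="true">
 <Set><Type>Dynamic</Type><Value>{internal.user.serialnumber}</Value><IndexOf>8,4</IndexOf>
  <Condition><Operator><![CDATA[!=]]></Operator><Data>0000</Data></Condition></Set>
</Condition>
</ConditionList></Purpose></ConditionManager>"""


def resolve(text, attrs):
    """Replace a {dynamic.attribute} placeholder with its value from `attrs`, a plain
    dictionary standing in for the product's GetData lookup; literals pass through."""
    text = text or ""
    if text.startswith("{") and text.endswith("}"):
        return attrs.get(text[1:-1], "")
    return text


def compare(left, op, right):
    """Apply the page's operators; two date-times compare as dates, anything else as text."""
    try:
        left, right = (datetime.strptime(v, "%Y-%m-%d %H:%M:%S") for v in (left, right))
    except ValueError:
        pass  # not both date-times (e.g. an empty Data): fall back to string comparison
    ops = {">": left > right, "<": left < right, "=": left == right, "!=": left != right}
    return ops[op.strip()]


def evaluate_set(set_node, attrs):
    value = resolve(set_node.findtext("Value"), attrs)
    index_of = (set_node.findtext("IndexOf") or "").strip()
    if index_of:  # "start,length" substring, e.g. 8,4 on 191212121234 -> 1234
        start, length = (int(x) for x in index_of.split(","))
        value = value[start:start + length]
    cond = set_node.find("Condition")
    return compare(value, cond.findtext("Operator"), resolve(cond.findtext("Data"), attrs))


def evaluate_condition(xml_text, name, attrs):
    """Merge="true": all sets must hold (AND); Merge="false": any set suffices (OR),
    as the page describes for its two RequireUserNotEnded variants."""
    root = ET.fromstring(xml_text)
    cond = root.find(f".//Condition[@Name='{name}']")
    results = [evaluate_set(s, attrs) for s in cond.findall("Set")]
    return all(results) if cond.get("Merge") == "true" else any(results)
```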
UserGroup/UserRestrictions
This defines the configuration of restricted user groups. This structure can be used to exclude users from operations, e.g. managers.
In this example, two user groups, Managers and Administrators, are specified internally.
The user group CN=Managers is specified for Active Directory (AD).
If a user is a member of one of these groups, the restriction can be used in the ConditionManager with the TaskType purpose.
<UserGroup>
<UserRestrictions>
<OriginServiceTypes>
<OriginServiceType Id="1" Name="Internal">
<Group>Managers</Group>
<Group>Administrators</Group>
</OriginServiceType>
<OriginServiceType Id="2" Name="Microsoft Active Directory">
<Group>CN=Managers,OU=Groups,OU=Users and Groups,DC=dev2k19,DC=net</Group>
</OriginServiceType>
</OriginServiceTypes>
</UserRestrictions>
</UserGroup>
With this condition, the officer will not be able to create a task of the specified type for a restricted user.
<Condition Name="RequireUserNotRestricted" Merge="false">
<Set>
<Type>Dynamic</Type>
<Value>{internal.user.hasrestriction}</Value>
<IndexOf></IndexOf>
<Condition>
<Operator><![CDATA[=]]></Operator>
<Data>false</Data>
</Condition>
</Set>
</Condition>
UserGroup/Assignment
This defines the optional configuration of user group assignment.
In this example, all organizations with the correct permissions will be returned when assigning a user to a user group. In this scenario it is possible to assign a user to a user group of another organization; for example, a user can be allowed to view audit logs in organization A and also to view the diagnostic log in organization B.
<UserGroup>
<Assignment>
<CrossOrganization>true</CrossOrganization>
</Assignment>
</UserGroup>
Office/Assignment
This defines the optional configuration of office assignment.
In this example, all organizations with the correct permissions will be returned when assigning a user to an office. In this scenario it is possible to use a user and an office as a restriction for other offices.
<Office>
<Assignment>
<CrossOrganization>true</CrossOrganization>
</Assignment>
</Office>
CertificateApprovementManager
This defines the configuration of certificate approvals. Certificate approvals can be used as a separate rule structure for different kinds of purposes, for example login or a task type.
In this example, a certificate issued by CN=DEV2K12R2CA, DC=dev2k12r2, DC=net must have a validity of one year to be able to create a task of the type with id 101.
<CertificateApprovementManager>
<Approvement>
<Purpose>
<Type>TaskType</Type>
<Value>101</Value>
</Purpose>
<Issuer>CN=DEV2K12R2CA, DC=dev2k12r2, DC=net</Issuer>
<ValidityTimeSpan>
<Years>1</Years>
</ValidityTimeSpan>
</Approvement>
</CertificateApprovementManager>
In this example, a certificate issued by CN=SITHS Type 1 CA v1, O=Inera AB, C=SE must have a validity of five years to be able to log in as an officer to the portal.
The certificate must also include the SEIS-number certificate extension (1.2.752.34.2.1) with the value 1234567890.
<CertificateApprovementManager>
<Approvement>
<Purpose>
<Type>Login</Type>
<Value>Officer</Value>
</Purpose>
<Issuer>CN=SITHS Type 1 CA v1, O=Inera AB, C=SE</Issuer>
<ValidityTimeSpan>
<Years>5</Years>
</ValidityTimeSpan>
<MatchRules>
<Type>1.2.752.34.2.1</Type>
<Position>1-4=1234|5-10=567890</Position>
</MatchRules>
</Approvement>
</CertificateApprovementManager>