RapidIdentity Product Guide

The Configuration > General > Settings > General page provides high-level system information and Maintenance Mode settings.

Table 55. General Settings

Field Name	Description
Enable SSL Uploads	A checked box requires strong encryption. This should be left checked unless there are specific reasons to uncheck it. Unchecking this box could have negative security implications.
Google Analytics Account Number	The Google Analytics Account Number can be used to provide information about visits to RapidIdentity browser pages to your Google Analytics account once you specify your Google Analytics Tracking Code.
Icon Proxy URL	This URL specifies a caching proxy that can be used to fetch icons stored on the selected file storage. This is primarily to boost poor S3 performance by fronting it with Amazon CloudFront. Note If the CloudFront distribution points to the S3 bucket being used by the idauto cluster, then the proxy URL must include the path to the icons folder and not just the root of the bucket. Note If the icons need to be made publicly accessible in S3, either by marking each one individually or by adding a bucket policy, then the necessary information will be similar to what is shown below: Warning Do not make your entire bucket publicly accessible or grant the CloudFront distribution full access as that would make all of your RapidIdentity file data publicly accessible!
Enable Maintenance Mode	This puts the RapidIdentity appliance/cluster in maintenance mode, which locks out non-administrative actions. Maintenance is generally a read-only mode as well, meaning that operations which update the state of RapidIdentity are not allowed. Note After performing Maintenance Mode, you will need to navigate to your normal URL appended by /ui/configuration or /login in order to log back in to the server.
System Maintenance	This message is displayed to users when RapidIdentity is in Maintenance Mode. This message can be edited once Maintenance Mode is enabled.

Historically, RapidIdentity supported defining access control for each module (e.g., Files, Dashboard, Requests) at the modular level. For example, if an Administrator wanted to set the Files module to only be accessed by specific users, the configuration would be completed within the Files Module settings. The new Module Access Control feature provides a new configuration option related to the access controls of the individual modules.

In RapidIdentity 2020.0.0, a new configuration and usability feature was added to enable administrators to manage the access control for all modules in a central location instead of having to navigate to each individual module's Settings menu.

The module access control configurations between this menu and individual module settings are synchronized, and both point to the same database configuration. Any changes completed in this menu will be reflected at the individual module level, and any changes completed at the individual module level will be reflected here.

The Module Access Control configuration has four display fields:

The Configuration > General > Settings > Assets menu provides a place for an administrator to determine whether assets should be loaded from the cloud or prevent gzipped assets from being requested. These are managed by the backend RapidIdentity team and are automatically configured for each release.

Enabling Load Assets from the Cloud significantly reduces the load on a RapidIdentity server in a high-traffic environment by having the browser send javascript and css file requests to an AWS CloudFront instead of requiring the RapidIdentity server to process them as well as handle the data traffic.

Choosing Disable Compressed Assets will force the server to command all browsers to request un-compressed assets in situations where zipped assets are causing problems within the production environment.

The Configuration > General > Settings > Authentication menu is a place for administrators to customize authentication variables and control the built-in administrator account.

Global CORS configuration for all RapidIdentity instances is stored in the database. These properties only need to be defined in rapididentity.properties if this particular instance of RapidIdentity needs to be configured differently from other instances. If these are defined, they take precedence over those defined globally in the database.

For each of the sections, the default values have been set. To add a new value to a section, simply click the Add button and enter the new desired value into the resulting field. To remove a value, simply click the X next to it.

The Allowed Methods section lists HTTP request methods that can be used to access resources using cross-origin requests, and defines the methods to be included in the Access-Control-Allow-Methods header in pre-flight responses.

Default Values: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS

The Allowed Headers section lists HTTP request headers that can be used when making cross-origin requests. These headers will also be returned in the Access-Control-Allow-Headers header in pre-flight responses.

Default Values: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, idauto.debug, X-idauto-debug, Authorization

The Allowed Origins section lists all origins allowed to access resources on the server using cross-origin requests. A value of * indicates that resources are allowed to be accessed from any origin.

Default Value: *

The Exposed Headers section lists all headers other than simple response headers that browsers will be allowed to access. These are the headers which will be included in the Access-Control-Expose-Headers header in pre-flight responses.

Default Value: [blank]

The Max Age subsection defines the number of seconds a browser is allowed to cache the result of a pre-flight request. This will be included as the Access-Control-Max-Age header in pre-flight responses. A negative value will prevent the header from being included in pre-flight responses.

Default Value: 1800

This option, when checked, responds to browser requests with Allow Credentials in order to improve security on cross-origin requests.

A cross-domain policy file is an XML document that grants a Flash Player client permission to handle data across domains. More information on crossdomain.xml files is available here. To populate this subsection, simply cut and paste the code for the desired cross-domain policy .xml file.

Default Value: [blank]

When each subsection has been populated as desired, click Save.

The Web Security Configuration menu provides administrators with a powerful interface to configure and define various levels of security for their domains. There are three configuration tabs in this menu:

XFrame Options

The XFrame Options menu is used to define whether or not a browser should be allowed to render a page in a frame. This adds a layer of security ensuring that the content is not embedded in other sites.

Note

These options are only applicable if the Header Enabled checkbox is active, and are only enforced if the user accessing the content is using a browser that supports the X-Frame-Options HTTP header.

When the Header Enabled checkbox is activated, the Header Rules become modifiable.

Note

RapidIdentity evaluates these rules in order from top to bottom. To reorder rules, click the stack icon on the right of the rule and drag it up or down within the list.

For each rule, define a Path Regex (Path Regular Expression) and provide it with a Value. Every HTTP request that comes into RapidIdentity will be evaluated against the list in order. When a match is found, then the server's response will contain the X-Frame-Options header value defined for that path. RapidIdentity ships with some defaults already set for base functionality.

The default RapidIdentity settings define XFrame Options Header Rules for the Claim My Account, Forgot My Password, and Expired Password functionalities. Others may be added if desired.

Add a New Rule

To add a new rule, scroll down to beneath each of the configured rules and click Add new rule +. Include a new Path Regex and Value.

Path Regex is a regular expression that represents the URL path to be displayed within the frame.

Value is a choice of three options to define what the browser does with the content found through the Path Regex.

• SAMEORIGIN: The page will be displayed in a frame on the same origin as the page itself.

• DENY: The page will not be displayed in a frame.

• ALLOW-FROM <uri>: The page will be displayed in a frame on the specified origin. Example: allow-from https://www.example.com.

Content Security Policy

The Content Security Policy, or CSP, adds an extra layer of security against attacks such as Cross-Site Scripting or data injection attacks.

Note

These options are only applicable if the Header Enabled checkbox is active, and are only provided if the user accessing the content is using a browser that supports XFrame Options.

When the Header Enabled checkbox is activated, the Header Rules become editable.

Note

RapidIdentity evaluates these rules in order from top to bottom. To reorder rules, click the stack icon on the right of the rule and drag it up or down within the list.

For each rule, define a Path Regex (Path Regular Expression) and provide it with one or more Values. (This is the only header option that accepts multiple values.) Every HTTP request that comes into RapidIdentity will be evaluated against the list in order. When a match is found, the server's response will contain the Content-Security-Policy header values defined for that path. RapidIdentity ships with some defaults already set for base functionality.

The default RapidIdentity settings define Content Security Policy Header Rules for the Claim My Account, Forgot My Password, and Expired Password functionalities. Others may be added as desired. New values may also be added to existing rules by clicking Add within the rule box and adding a new value for that rule.

Note

Once the value is typed in, press the Enter key or click the + on the right to commit the value to the rule.

Add New Rule

To add a new rule, scroll down to beneath each of the configured rules and click Add new rule +. Include a new Path Regex and Value.

Path Regex is a regular expression that represents the URL path to be displayed within the frame.

Value is a choice of options to define the source for the determined policy. This can be one of the following:

• <host-source>: Internet hosts by name or IP address. May include a URL scheme and/or port number if desired. Asterisks may be used as wild cards for leading URLs or defining ports. Examples of this source include http://*.example.com, mail.example.com:443, https://store.example.com, etc.

• <scheme-source>: A scheme such as http: or https:. The colon is required, and the scheme should not be quoted. Data schemes can be specified, but this is not recommended.

• 'self': This refers to the origin from which the protected content is being served, which includes the URL scheme and port number. Single quotes must be included.

  Note

  This setting is recommended for any custom Help links to avoid redirect errors.

• 'none': No URLs will match. Single quotes must be included.

Strict Transport Security

The Strict Transport Security settings instruct web browsers that the content should only be accessed using HTTPS instead of HTTP.

Note

These options are only applicable if the Header Enabled checkbox is active, and are only provided if the user accessing the content is using a browser that supports this feature.

When the Header Enabled checkbox is activated, the Header Rules become modifiable.

Note

RapidIdentity evaluates these rules in order from top to bottom. To reorder rules, click the stack icon on the right of the rule and drag it up or down within the list.

For each rule, define a Path Regex (Path Regular Expression) and provide it with a Value. Every HTTP request that comes into RapidIdentity will be evaluated against the list in order. When a match is found, the server's response will contain the Strict-Transport-Security header value defined for that path.

The default RapidIdentity settings do not define any Strict Transport Security Header Rules, allowing browsers to access each portion of the domain via HTTP. To modify the existing rule or add a new one, click the Header Enabled checkbox at the top of the menu and provide a value for the existing rule or add a new rule.

Add a New Rule

To add a new rule, scroll down to beneath the configured rules and click Add new rule +. Include a Path Regex and Value.

Path Regex is a regular expression that represents the URL path to be displayed within the frame.

Value is a choice of directives to provide the browser with instructions regarding the content found through the Path Regex. Directives include:

• max-age=<expire-time>: Defines the number of seconds that the browser should remember to only access the site via HTTPS.

• includeSubDomains: An optional parameter that applies to all of the site's subdomains as well.

• preload: An optional parameter that includes certification through various browsers' HTTP Strict Transport Security (HSTS) Preload Lists.

The Configuration > General > Settings > File Storage subsection localizes File Storage options for the following storage destinations:

This allows file storage used by RapidIdentity Portal and RapidIdentity Connect to be stored in a location other than on the individual appliances to include CIFS and Amazon Web Services (AWS) S3.

To use file storage other than on individual appliances, click the field next to File Storage and choose the storage destination to be configured. Individual Appliances is the default.

This is important when you have a cluster of either application so that all instances of the application will have access to the same set of files. The migration process wipes out any existing files on the destination file store.

CIFS File Stores

• CIFS is the protocol used by Windows File Sharing and Samba. It is usually the best protocol to use for clusters running outside of AWS.

• Set the Path and access credentials in this section to access the clusters.

S3

• AWS S3 is a cloud storage platform that provides extreme high-availability. It should generally only be used for clusters hosted in AWS.

  Note

  The Bucket Name for a Region/Endpoint must include the full endpoint URL to function as expected. For example, us-north-1 for an endpoint would not work; you would need to enter s3.us-north-1.domain.com for this setting to save successfully.

• Even within AWS, you will generally get much better performance with CIFS than with S3, with the trade-off being between high-availability vs performance.

• AWS IAM Instance Profiles are supported and associated role permissions can be granted to instances when started. When checked, AWS access and secret credentials are hidden from users in the user interface. This security advantage is enhanced since the Instance Profile credentials are temporary and rotated by Amazon, which obviates the need for organizations to manage instance credentials. To leverage AWS IAM Instance Profiles, check the Use Instance IAM Role box.

The Configuration > General > Settings > Migrate Files menu gives administrators a way to move files from one file storage location to another.

The Configuration > General > Settings > Proxies menu is a simple way to add trusted proxies to the system.