Security Settings

SapphireIMS has a number of built-in security features for user accounts: self-service password reset and account unlock, an inactivity timeout for login sessions, single sign-on, a secret PIN, a limit on unsuccessful login attempts beyond which the account is locked, and a limit on the number of concurrent sessions per user. In addition, Two Factor Authentication (2FA) can be configured for Login, Forgot/Change Password and Unlock Account: a One-Time Password (OTP) is then sent by e-mail or SMS and must be entered to complete the operation.

This topic describes the configuration of these features.

 

Configuring the Security Features

[Screenshot: Settings-UserMgmt-SecSetEntry-Main.jpg]

Each field is listed below by its serial number, name and description.

Self Service Action: settings for the self-service actions.

1. Enable Forgot Password: Check this to enable 'Forgot Password'. The Forgot Password option is then displayed on the Login screen. Refer to Getting Started->Forgot Password for how the password is reset.

2. Display Text in Login Page: Enter the text displayed on the Login screen for the Forgot Password option. This can also be entered in the Global Settings.

3. Enable Unlock Account: Check this to enable 'Unlock Account'. The Unlock Account option is then displayed on the Login screen. Refer to Getting Started->Unlock Account for how the account is unlocked.

4. Display Text in Login Page: Enter the text displayed on the Login screen for the Unlock Account option. This can also be entered in the Global Settings.

5. Enable Password Change Notification: Check this to send the user a notification whenever the password is changed. The notification template is defined in fields 6 and 7.

6. Email Subject: Enter the text of the subject line. The macro 'MACRO_CUSTOMER_TITLE' can be used in the subject line and in the e-mail body; it is replaced with the configured organization name.

7. Email Body: Enter the text of the e-mail.

8. Enable Unlock Account Notification: Check this to send the user a notification when the account is unlocked. The notification template is defined in fields 9 and 10.

9. Email Subject: Enter the text of the subject line. The macro 'MACRO_CUSTOMER_TITLE' can be used in the subject line and in the e-mail body; it is replaced with the configured organization name.

10. Email Body: Enter the text of the e-mail.

 

Security Details: enter the security settings.

11. User Session Timeout: Enter the period of inactivity after which a login session is terminated.

12. Enable AD Authentication: Enables authentication against Active Directory. For configuration of SSO refer to Settings->User Management->AD and LDAP Integration->Configure Single Sign-On (SSO).

13. Password Policy: Check this to enforce a password policy. When enabled, any of the following criteria can be selected:

  • At least one lowercase character

  • At least one uppercase character

  • At least one numeric character

  • At least one special character

  • Minimum number of characters

By default, the password policy is enabled.

14. Change User Password at First Logon: If checked, users are forced to change their password at their first logon. Select the 'Type of Users' to which this applies:

  • 'DB Users': Users added locally in SapphireIMS

  • 'AD Users': Users present in Active Directory

  • 'All': All users

15. Enable Captcha: Enables a CAPTCHA for 'Login' and for the 'Forgot Password' / 'Unlock Account' operations.

16. Enable Secret PIN: Enables a Secret PIN that the user must supply to be validated before changing the password.

17. Secret PIN length: Specify the minimum and maximum number of digits of the PIN. By default the minimum is 3 and the maximum is 4.

18. Enable Security Question: Enables a Security Question for the 'Forgot Password' and 'Unlock Account' operations.

Note: The Forgot Password and Unlock Account options on the login screen are displayed only if the Security Question is enabled.

19. User Lock Failed Attempts: Check this option and specify the maximum number of failed login attempts after which the account is locked. By default the value is 3.

20. Maximum sessions per user: Check this option and specify the maximum number of concurrent login sessions per user. By default the value is 1.

21. If Maximum sessions exceeded: Determines what the system does when a user who already has the maximum number of sessions logs in again:

  • Invalidate Old Session: The oldest session is logged out and a new session is created.

  • Prevent Authentication: The new login is blocked.

  • User Notification Popup: A pop-up gives the user the choice of invalidating the earlier session and proceeding with the new login, or cancelling this login.

22. Restrict Portal Access: Select 'Web' to restrict login from the web portal, or 'Mobile' to restrict login from the mobile application.

23. Type of Access: A login restriction can apply to 'All Users' or to 'Specific Users'. For specific users the restriction is driven by a user additional field: specify its name in 'User Additional Field Name'. A user whose value in that field is 1 is restricted from logging in.

24. Display Message: When login is restricted, the message shown to the user can be customized.

25. Whitelisted IP Address/ Subnetmask: Portal access can be restricted to, or enabled for, users selectively by the IP address or subnet of the device they connect from. Enter the address and click 'Add'; repeat to add multiple addresses or subnets.

26. Whitelisted HostNames: Portal access can likewise be restricted selectively by the host name of the device users connect from. Enter the host name and click 'Add'; repeat to add multiple host names.
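
Fields 13, 19, 20 and 21 above interact at login time: the password policy gates what a password may be, the failed-attempt counter locks the account, and the session cap decides what happens to an extra login. The following Python is an added example written for this page to make that behaviour concrete on constructed input; it is not SapphireIMS code. The class and status names are this example's own, the minimum password length of 8 is an assumption (the page gives no default), and so is the choice that a successful login resets the failure counter.

```python
"""Password policy, failed-login lockout and concurrent-session cap.
Added example for this page; not SapphireIMS code."""
import re
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """Field 13. Each flag mirrors one criterion of the policy.
    min_length has no default on the page, so 8 here is an assumption."""
    lowercase: bool = True
    uppercase: bool = True
    numeric: bool = True
    special: bool = True
    min_length: int = 8

    def violations(self, password: str) -> list:
        """Return the list of criteria the password fails (empty = accepted)."""
        checks = [
            (self.lowercase, r"[a-z]", "at least one lowercase character"),
            (self.uppercase, r"[A-Z]", "at least one uppercase character"),
            (self.numeric, r"[0-9]", "at least one numeric character"),
            # anything that is not a letter or digit counts as special here
            (self.special, r"[^A-Za-z0-9]", "at least one special character"),
        ]
        failed = [msg for on, pattern, msg in checks
                  if on and not re.search(pattern, password)]
        if len(password) < self.min_length:
            failed.append(f"minimum {self.min_length} characters")
        return failed


@dataclass
class LoginPolicy:
    """Fields 19-21. The status strings returned by login() are this example's own."""
    lock_after_failures: int = 3                  # User Lock Failed Attempts (default 3)
    max_sessions: int = 1                         # Maximum sessions per user (default 1)
    on_exceeded: str = "Prevent Authentication"   # or "Invalidate Old Session" /
                                                  # "User Notification Popup"
    failures: dict = field(default_factory=dict)  # user -> consecutive failures
    locked: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)  # user -> session ids, oldest first
    _counter: int = 0

    def login(self, user: str, password_ok: bool) -> str:
        if user in self.locked:
            return "locked"           # a correct password does not help once locked
        if not password_ok:
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= self.lock_after_failures:
                self.locked.add(user)
                return "locked"
            return "failed"
        self.failures.pop(user, None)  # assumption: success resets the counter
        active = self.sessions.setdefault(user, [])
        if len(active) < self.max_sessions:
            return self._open(user)
        if self.on_exceeded == "Invalidate Old Session":
            active.pop(0)              # the oldest session is logged out
            return self._open(user)
        if self.on_exceeded == "Prevent Authentication":
            return "blocked"           # new login rejected, old session untouched
        return "confirm"               # User Notification Popup: ask the user

    def confirm_replace(self, user: str) -> str:
        """The user chose, in the pop-up, to invalidate the earlier session."""
        self.sessions[user].pop(0)
        return self._open(user)

    def unlock(self, user: str) -> None:
        """Self-service or administrative Unlock Account."""
        self.locked.discard(user)
        self.failures.pop(user, None)

    def _open(self, user: str) -> str:
        self._counter += 1
        self.sessions[user].append(f"session-{self._counter}")
        return "ok"


if __name__ == "__main__":
    print(PasswordPolicy().violations("password"))
    policy = LoginPolicy(on_exceeded="User Notification Popup")
    for ok in (False, False, False, True):
        print(policy.login("alice", ok))
    policy.unlock("alice")
    print(policy.login("alice", True), policy.login("alice", True))
```

Note that once the account is locked, `login()` returns "locked" even for the correct password, so the lock cannot be probed to learn whether a guess was right; only `unlock()` (the Unlock Account flow) clears it.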
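
The whitelist fields 25 and 26 above, and the 'Whitelisted hosts' TFA-bypass lists in the two sections that follow, all match the connecting device against a list of addresses, subnets, address ranges or host names. The following Python is an added example (not SapphireIMS code) of that matching with the standard ipaddress module, covering IPv4 and IPv6. The accepted entry syntaxes (single address, CIDR, address/netmask, 'first-last' range), the case-insensitive host comparison, the rule that an empty list means no restriction, and the function names are all assumptions; the entries used in the demo are constructed.

```python
"""Source-address and host-name allowlist checks.
Added example for this page; not SapphireIMS code."""
import ipaddress


def parse_entry(entry: str):
    """Parse one whitelist entry. Accepted forms (an assumption about the UI):
    a single address, CIDR ('10.0.0.0/24'), address/netmask
    ('10.0.0.0/255.255.255.0') or an inclusive range ('10.0.0.10-10.0.0.20')."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid address range: {entry!r}")
        return ("range", lo, hi)
    # strict=False accepts host bits set in the address part, e.g. 10.0.0.5/24
    return ("net", ipaddress.ip_network(entry, strict=False))


def is_allowed_ip(client_ip: str, entries) -> bool:
    """True if client_ip falls inside any whitelist entry."""
    addr = ipaddress.ip_address(client_ip)
    for raw in entries:
        parsed = parse_entry(raw)
        if parsed[0] == "net":
            if addr in parsed[1]:            # False for a version mismatch
                return True
        else:
            _, lo, hi = parsed
            # comparing v4 with v6 addresses raises, so check the version first
            if addr.version == lo.version and lo <= addr <= hi:
                return True
    return False


def is_allowed_host(client_host: str, host_entries) -> bool:
    """Exact, case-insensitive host-name match; a trailing dot is ignored."""
    name = client_host.strip().rstrip(".").lower()
    return any(name == h.strip().rstrip(".").lower() for h in host_entries)


def portal_access_allowed(client_ip, client_host, ip_entries, host_entries) -> bool:
    """Fields 25/26 as assumed here: with nothing whitelisted the portal is open;
    once any entry exists the client must match an IP entry or a host entry."""
    if not ip_entries and not host_entries:
        return True
    if is_allowed_ip(client_ip, ip_entries):
        return True
    return client_host is not None and is_allowed_host(client_host, host_entries)


def second_factor_required(client_ip, bypass_entries) -> bool:
    """TFA 'Whitelisted hosts': a listed source skips the OTP."""
    return not is_allowed_ip(client_ip, bypass_entries)


if __name__ == "__main__":
    # constructed sample entries
    allowed = ["10.20.0.0/16", "172.16.5.10-172.16.5.20", "2001:db8::/32"]
    for ip in ("10.20.33.4", "172.16.5.21", "2001:db8::1", "203.0.113.9"):
        print(ip, portal_access_allowed(ip, None, allowed, []),
              second_factor_required(ip, allowed))
```

A host-name entry is only as trustworthy as the way the name is obtained: a reverse-DNS lookup of the client address is answered by whoever controls that address block, so pair host-name entries with an IP entry rather than relying on them alone. If SapphireIMS runs behind a reverse proxy or load balancer, confirm which address it sees as the client before trusting either list.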

 

 

Note: Two Factor Authentication can be enabled with e-mail only, with SMS only, or with both. To enable it via e-mail, follow the section Two Factor Authentication via Email; to enable it via SMS, follow the section Two Factor Authentication via SMS; to enable both, go through both sections.

 

Two Factor Authentication via Email

[Screenshot: Settings-UserMgmt-SecSetEntry-Email.jpg]

Each field is listed below by its serial number, name and description.

1. OTP Mode: Select 'Email', or 'Both' if OTPs are also to be sent by SMS.

2. OTP Number of Digits: Enter the number of digits in the generated OTP. By default it is 6.

3. OTP Maximum Life Time: Enter the period (in minutes) for which an OTP remains valid. By default it is 5 minutes.

4. OTP Maximum Resend Count: Enter the number of times an OTP may be re-sent. By default it is 1.

5. Enable TFA for Login: Move the slider button to enable TFA for login.

Warning: Before enabling this setting, ensure that the SMTP server or SMS gateway settings are properly configured and tested; otherwise OTPs cannot be delivered and users subject to TFA cannot complete the login.

6. Type of TFA for Login: If TFA is enabled for Login, it can apply to 'All users' or be restricted to 'Specific Users'. For specific users, select one or more users from the disabled list and move them to the enabled list.

7. Whitelisted hosts: Specify the hosts from which the second factor is bypassed, as a subnet mask or a range of IP addresses. Keep this list as narrow as possible: anyone reaching the portal from a listed address is authenticated by password alone.

8. Enable TFA for Forgot / Change Password: Move the slider button to enable TFA for the Forgot / Change Password operation.

9. Enable TFA for Unlock Account: Move the slider button to enable TFA for the Unlock Account operation.

10. Enable TFA for Automation: Move the slider button to enable TFA for Automation task execution.

11. Email subject for Login: Enter the subject line of the OTP e-mail. The following macros can be used in the subject line and in the e-mail body:

  • MACRO_CUSTOMER_TITLE: Substitutes the configured customer name

  • MACRO_OPERATION_NAME: Substitutes the operation for which the OTP is being sent

  • MACRO_OTP_CODE: Substitutes the OTP code

  • MACRO_OTP_MAX_LIFE_TIME: Substitutes the validity period of the OTP

12. Email body for Login: Enter the text of the e-mail.

13. Email subject for Automation: Enter the subject line of the OTP e-mail sent for Automation. The same macros as for field 11 can be used in the subject line and in the e-mail body.

14. Email body for Automation: Enter the text of the e-mail.

 

 

[Screenshot: Platform-Login-OTPMail.jpg]

 

 

Two Factor Authentication via SMS

[Screenshot: Settings-UserMgmt-SecSetEntry-SMS.jpg]

Each field is listed below by its serial number, name and description.

1. OTP Mode: Select 'SMS', or 'Both' if OTPs are also to be sent by e-mail.

2. OTP Number of Digits: Enter the number of digits in the generated OTP. By default it is 6.

3. OTP Maximum Life Time: Enter the period (in minutes) for which an OTP remains valid. By default it is 5 minutes.

4. OTP Maximum Resend Count: Enter the number of times an OTP may be re-sent. By default it is 1.

5. Enable TFA for Login: Check this box to enable TFA for login. Ensure the SMS gateway settings are properly configured and tested first; otherwise OTPs cannot be delivered and users subject to TFA cannot complete the login.

6. Type of TFA for Login: If TFA is enabled for Login, it can apply to 'All users' or be restricted to 'Specific Users'. For specific users, select one or more users from the disabled list and move them to the enabled list.

7. Whitelisted hosts: Specify the hosts from which the second factor is bypassed, as a subnet mask or a range of IP addresses. Keep this list as narrow as possible: anyone reaching the portal from a listed address is authenticated by password alone.

8. Enable TFA for Forgot / Change Password: Check this box to enable TFA for the Forgot / Change Password operation.

9. Enable TFA for Unlock Account: Check this box to enable TFA for the Unlock Account operation.

10. Enable TFA for Automation: Check this box to enable TFA for Automation task execution.

11. OTP SMS Text Message for Login: Enter the text of the OTP SMS. The following macros can be used in the SMS:

  • MACRO_CUSTOMER_TITLE: Substitutes the configured customer name

  • MACRO_OPERATION_NAME: Substitutes the operation for which the OTP is being sent

  • MACRO_OTP_CODE: Substitutes the OTP code

  • MACRO_OTP_MAX_LIFE_TIME: Substitutes the validity period of the OTP

12. OTP SMS Text Message for Automation: Enter the text of the OTP SMS sent for Automation. The same macros as for field 11 can be used.
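
Fields 2, 3 and 4 of the e-mail and SMS tables above (digits, maximum life time, resend count) and the MACRO_* placeholders of the message templates describe one OTP lifecycle. The following Python is an added example written for this page, not SapphireIMS code, that issues, re-sends, expires and verifies an OTP under those settings and renders a template with the page's four macros; it serves both tables. Two behaviours the page does not specify are assumptions made here: a resend re-delivers the same code without extending its life, and a wrong guess discards the pending code. The customer title and template text in the demo are constructed.

```python
"""OTP issue / resend / verify and template macro rendering.
Added example for this page; not SapphireIMS code."""
import secrets
import time
from dataclasses import dataclass

# Macro names are the ones listed on this page.
TEMPLATE_MACROS = ("MACRO_CUSTOMER_TITLE", "MACRO_OPERATION_NAME",
                   "MACRO_OTP_CODE", "MACRO_OTP_MAX_LIFE_TIME")


def render(template: str, values: dict) -> str:
    """Replace every known macro that has a value; other text is left alone."""
    out = template
    for macro in TEMPLATE_MACROS:
        if macro in values:
            out = out.replace(macro, str(values[macro]))
    return out


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    resends: int = 0


class OtpService:
    """OTP Number of Digits, OTP Maximum Life Time and OTP Maximum Resend Count.
    Assumed here (not stated on the page): a resend re-delivers the same code
    without extending its life, and a wrong guess discards the pending code."""

    def __init__(self, digits=6, max_life_minutes=5, max_resend=1, clock=time.time):
        self.digits = digits
        self.max_life_seconds = max_life_minutes * 60
        self.max_resend = max_resend
        self.clock = clock            # injectable so expiry can be tested
        self._pending = {}            # (user, operation) -> PendingOtp

    def _generate(self) -> str:
        # secrets, not random: the code must be unpredictable. Zero-pad so a
        # code such as 004217 keeps the configured number of digits.
        return f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"

    def issue(self, user: str, operation: str) -> str:
        otp = PendingOtp(self._generate(), self.clock())
        self._pending[(user, operation)] = otp
        return otp.code

    def resend(self, user: str, operation: str):
        """The code to deliver again, or None once the resend count is used up."""
        otp = self._pending.get((user, operation))
        if otp is None or otp.resends >= self.max_resend:
            return None
        otp.resends += 1
        return otp.code

    def verify(self, user: str, operation: str, supplied: str) -> bool:
        otp = self._pending.pop((user, operation), None)   # single use, right or wrong
        if otp is None:
            return False
        if self.clock() - otp.issued_at > self.max_life_seconds:
            return False                                    # expired
        # constant-time comparison on bytes (str input may be non-ASCII)
        return secrets.compare_digest(otp.code.encode(), supplied.encode())

    def message(self, template: str, operation: str, code: str, customer_title: str) -> str:
        """Render an e-mail subject/body or SMS text with the page's macros."""
        return render(template, {
            "MACRO_CUSTOMER_TITLE": customer_title,
            "MACRO_OPERATION_NAME": operation,
            "MACRO_OTP_CODE": code,
            "MACRO_OTP_MAX_LIFE_TIME": self.max_life_seconds // 60,
        })


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("alice", "Login")
    sms = "MACRO_CUSTOMER_TITLE: your OTP for MACRO_OPERATION_NAME is MACRO_OTP_CODE, valid for MACRO_OTP_MAX_LIFE_TIME minutes"
    print(svc.message(sms, "Login", code, "Example Org"))   # constructed template
    print(svc.verify("alice", "Login", code))
```

With six digits and a five-minute life, an attacker who can keep submitting guesses has a one-in-a-million chance per attempt, which is only acceptable if the number of attempts is bounded; discarding the pending code on the first wrong guess is the simplest such bound, and a user who mistypes simply requests a resend.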

 

SMS Gateway Configuration

Click the link to configure the SMS Gateway settings; the following fields are displayed in a pop-up window.

1. SMS Gateway Request Type: Select GET or POST as the HTTP request type. With GET, every value substituted into the URL, including the password substituted for MACRO_PASSWORD, is part of the request line and is typically recorded in proxy and web-server logs; use POST and an https:// gateway URL where the gateway supports them.

2. SMS Gateway Username: Specify the gateway user name.

3. SMS Gateway Password: Specify the gateway password.

4. SMS Gateway Success Status Code: The HTTP status code the gateway returns on success; the code in the response is compared with it to determine success or failure.

5. SMS Gateway Success Response Body: The response string the gateway returns on success; the response body is checked for it to determine success or failure.

6. SMS Gateway URL: Enter the gateway URL. The following macros can be used in the URL:

  • MACRO_MOBILE_NUMBER: Substitutes the mobile number of the recipient

  • MACRO_TEXT_SMS: Substitutes the text message

  • MACRO_USER_NAME: Substitutes the gateway user name

  • MACRO_PASSWORD: Substitutes the gateway password
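
The gateway URL above is a template into which the mobile number, OTP text and credentials are substituted, and the success code and response body decide whether the send worked. The following Python is an added example written for this page, not SapphireIMS code, showing the three things a practitioner wants to get right around such a template: percent-encoding each substituted value so characters like '+', '&' or '=' in a phone number, message or password cannot split the query string, applying the status-code and response-body checks together, and masking the credential before the URL reaches a log line. The gateway URL, parameter names, credentials and response bodies in the demo are constructed; no request is actually sent.

```python
"""Build, check and safely log an SMS gateway request using this page's URL macros.
Added example for this page; not SapphireIMS code."""
from urllib.parse import quote, urlsplit, parse_qs

URL_MACROS = ("MACRO_MOBILE_NUMBER", "MACRO_TEXT_SMS", "MACRO_USER_NAME", "MACRO_PASSWORD")


def build_gateway_url(template: str, mobile: str, text: str, username: str, password: str) -> str:
    """Substitute the four macros, percent-encoding each value (safe="" so that
    '+', '&', '=' and spaces in a phone number, OTP text or password cannot
    terminate the query string or smuggle extra parameters into it)."""
    values = {
        "MACRO_MOBILE_NUMBER": mobile, "MACRO_TEXT_SMS": text,
        "MACRO_USER_NAME": username, "MACRO_PASSWORD": password,
    }
    url = template
    for macro in URL_MACROS:
        url = url.replace(macro, quote(values[macro], safe=""))
    return url


def query_params(url: str) -> dict:
    """What the gateway will actually receive, decoded: used to confirm that
    the substituted values round-trip intact."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def gateway_accepted(status_code: int, body: str, success_code: int, success_body: str) -> bool:
    """Fields 4 and 5 of the pop-up: the send counts as successful only when
    both the status code and the expected response string match."""
    return status_code == success_code and success_body in body


def redact(url: str, secret_values) -> str:
    """Mask secret values (percent-encoded and raw forms) before a URL is logged.
    With request type GET the credentials travel in the URL, so proxies and
    server logs record them unless they are masked."""
    for s in secret_values:
        if s:
            url = url.replace(quote(s, safe=""), "***").replace(s, "***")
    return url


if __name__ == "__main__":
    # constructed gateway template and values
    template = ("https://sms.example.net/send?user=MACRO_USER_NAME&pass=MACRO_PASSWORD"
                "&to=MACRO_MOBILE_NUMBER&msg=MACRO_TEXT_SMS")
    password = "p@ss&word=1"
    url = build_gateway_url(template, "+919876543210",
                            "Your OTP is 482913 & expires in 5 min", "svc-sapphire", password)
    print(redact(url, [password]))          # what may go into a log
    print(query_params(url))                # what the gateway decodes
    print(gateway_accepted(200, '{"status":"OK","id":"42"}', 200, '"status":"OK"'))
```

Checking only the status code is not enough for many gateways, which answer 200 with an error payload; checking only the body is not enough either, since an HTML error page from a proxy can contain almost anything. Require both.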

 

 

Security Settings for SapphireIMS Enterprise+ Edition (for Managed Service Providers)

This section applies to installations where the Enterprise+ Edition has been installed. In this edition the OTP e-mail and SMS template is held in the following properties file:

<Sapphire Installed Path>/WebManagement/standalone/deployments/SapphireMSP.war/WEB-INF/classes/sapphire/msp/OneTimePassword_Email_SMS_Template.properties