IDP Global Settings

• Details:

  When you create an account with us, these 3 keys get generated for your account required for any API Calls for user operations/ 2FA integration using APIs, etc.

  
  
  
  • Customer Key
  • Customer API Key
  • Customer Token Key

  You can download the Account info from the Download icon beside the Account Details.



• Languages:
  
  
  
  
  • Enable Internationalization: Checking this option will enable dropdown for the Enduser to choose their languages on :- Login page, UserSignUp page. Enabling this option would allow email templates and Custom attributes in different languages.
  • Customer Preferred Language: Select the preferred language from the dropdown. miniOrange Supports English, German, Spanish, Italian, Portugues. English is default language.

• User Onboarding:

  The following settings are available while On-Boarding a user. You can enable 'Allow user to register' setting from Customization --> Login and Registration Branding --> Basic settings.

  
  
  
  • Enable User Auto-Registration (A CSV list with passwords for all the uploaded users will be made available to you): By enabling this option, if you have not provided password for the users while uploading them then a password is generated automatically and assigned to the user and the users are registered. You can get a CSV list of all these users with their generated passwords.
  • Enable Inline Registration for users: By enabling this option, if the user is not present in miniOrange then he will be asked to register when he tries to Single Sign-on into any application. The User will be registered in miniOrange.
  • Enable sending Welcome Emails after user registration: On enabling this option, All the users after successful registration will receive an welcome email from miniOrange to their registered Email IDs
  • Enable sending activation email with password reset link after user registration - On enabling this option, an activation email along with a link to reset password will be sent to all the user who have been newly registered. The User account will be activated only after following the process on the received link.
  • Verify User via OTP on email after registration: You can enable this option to add a verification option before registration completion to verify user via valid email ID.
  • Verify User via OTP on phone after registration: You can enable this option to add a verification option before registration completion to verify user via valid phone number.
  • Skip Alternate Login Method (KBA) Configuration during Inline Registration: This functionality gives you a choice to ask the KBA questions during inline registration. Enable this option if you want to skip this.
  • Redirect user to SSO app after registration: By default, after user signup, a user will see a default page showing thanks for registration message with a link to redirect to login page. Once you enable this option, if a user has first initiated sso request from his application and then clicked the create account link since he has no account. After successful registration, he will be redirected to his app and logged in as the user created.
  • Provision User to Third -Party App before registration: There are few cases where customer has any CRM/AD or any user data store where all users are created first or need to be maintained always. So, in that case. You can enable this option to first create the user in your existing data store and then create in IDP using the unique identifier/username generated using the CRM.
  • Enable Username Alias: Allow users to log in with multiple usernames across applications while tied to a single unique identity.


• User Re-verification:

  Checking this option will force users to re-verify themselves periodically. You can choose when users will get notified about the re-verification and also when the re-verification window will expire, after which their accounts will be disabled automatically.

  
  
  
  • Re-verify users every (months): You can specify the number of months after which re-verification should be invoked.
  • Notify Users of re-verification before (days): You can specify the number of days before which users should be notified about re-verification.
  • Re-verification Period (days): You can specify the number of days after which re-verification should be invoked.
• User Deletion

  The Right to Erasure feature enables end users to schedule the deletion of their own accounts. This capability-based functionality allows organisations to comply with privacy and data protection requirements by providing users the ability to request self-account deletion.

  Once a deletion request is raised, the account enters a scheduled deletion state and is automatically deleted after the configured retention period. Administrators can monitor, reject, or immediately delete accounts through the Account Deletion Requests management section.

  Feature Configuration

  
  
  

  To enable the self-account deletion functionality:

  • Navigate to Product Settings >> Users Tab >> User Deletion
  • Enable the checkbox: Allow Users to Delete Their Accounts
  • Once enabled, the following field appears:
  • Account Deletion Duration (Days) Specify the number of days after which the user’s account will be permanently deleted.
  • Click Save to apply the configuration.

Note:

The configured duration defines the countdown period before permanent account deletion.

Deletion requests are automatically processed after the configured timeline expires.

No manual approval is required for scheduled deletion requests.

• Login & Logout:

  Following options are available in User Login & Logout preferences section.

  
  
  
  • Prevent Concurrent Logins: On enabling this option, User will be able to log in to the application or IdP with only one device at a time. Multiple login from different device will not be allowed.
  • Force Users to change the password on first login: On enabling this option, When a newly created user logs in for the first time, he/she is forced to change the password.
  • Enable login with phone number: On enabling this option, the User can login using his phone number instead of username. Note - The Users should have unique phone numbers.
  • Enable Sign in with Passkey: Allow users to sign in using passkeys (FIDO2/WebAuthn).
  • Show IDP's Based On User Groups: Checking this option will display all the configured IDP's based on User groups. The Users can choose from which IDP he/she should be authenticated
  • Enable shared user login for users: On enabling this option, you can give one set of credentials to multiple users or a group of users and they can login into the application using the same.
  • Enable Single Logout: Checking this option will enable Single Logout of all SP apps configured with miniOrange as an IdP and the apps that are logged in with miniOrange. This only works for the SP Apps that support IdP initiated logout.
  • Enable Session Time out: Default IDP session time out is 90 minutes. Enabling this option will override default IDP session timeout and will enable custom session time out for users.


• Reset Password:
  • Navigate to Product Settings >> Security >> Reset Password.
  • This section allows you to configure how users can recover or reset their passwords.
  
  
  
  • There are three password recovery methods available:
  • Password Recovery via Email
  • Password Recovery via Phone
  • Password Recovery via 2FA
  
  
  
  • Select a recovery method to view and configure the available options for that method.
  • Password Recovery via Email

    Enable one or more of the following options:

  • Send Password Reset Link to Registered Email: Enabling this option will send a password reset link to the email address associated with the account.
  • Send Password Reset Link to Alternate Email: Enabling this option will send a password reset link to an alternate email address provided during account setup.
  • Send OTP to Registered Email: Enabling this option will send a One-Time Password (OTP) to the email address associated with the account, which can be used to reset the password.
  • Send OTP to Alternate Email: Enabling this option will send a One-Time Password (OTP) to the alternate email address, which can be used to reset the password.
  • Password Recovery via Phone

    Enable one or more of the following options:

  • Send OTP to Registered Phone: Enabling this option will send a One-Time Password (OTP) to the registered phone number, which can be used to reset the password.
  • Send Password Reset Link to Registered Phone: Enabling this option will send a password reset link to the phone number associated with the account via SMS.
  
  
  
  • Password Recovery via 2FA

    Enable password reset using multi-factor authentication:

    • Reset via Active 2FA: You will need to authenticate using their active 2FA method to reset their password.
    
    
    
    • Reset via Configured 2FA: You will need to authenticate using their configured 2FA method to reset their password.
    
    
    

  Note: Please follow this guide to know more and configure Password recovery methods.



• MFA:

  The following options are available under Multi Factor Authentication settings.

  
  
  
  • Security Question Limit - The number of security questions a user has to fill during registration.
  • No. of Question to Verify: Out of the total number of security questions, the number of questions that should be verified for authorization.
  • Enable End Users to change their Questions: You can enable/disable the permission for users to update or change the security questions.
  • Enable Two Factor (MFA) at the time of login for additional admin accounts: Enable this option to enforce MFA for all additional admin accounts during login, providing an extra layer of security for administrative access.
  • OTP Length: The total length of digits in the the passcode.
  • OTP Validity (In mins): The time for which the OTP should stay valid. After this time period, current OTP will no longer work and you will have to request for a new OTP.
  • Device Profiles Expiry Time: Device profile expiry is the time after which your registered device gets unregistered so that you can register new devices.
  • Mobile App Issuer Name: Enter the name of the Mobile App Issuer.


• Security Controls:
  • Navigate to Settings >> Security >> Security Controls.
  
  
  
  • Prevent Credentials Auto-Save:

    Enabling this option will prevent the browser from saving passwords for enhanced security.

  • Content-Security-Policy (CSP) Directives:

    This feature allows administrators to configure and manage Content-Security-Policy (CSP) directives from the Security Controls section. CSP headers help secure applications by restricting which resources can be loaded and from where.

  • Enter the required domains or source values in the respective directive fields.
  • Multiple values can be added by separating them with spaces.
  • Click Save to persist the configuration.
  • Configured CSP values are applied to subsequently generated CSP headers.

  Common Configuration Examples

  Directive	Meaning	Example
  Frame-Ancestors	Controls which sites can embed the application inside an iframe.	https://portal.partnercorp.com
  Style-src	Allows loading stylesheets from trusted sources.	https://stackpath.bootstrapcdn.com
  Img-src	Allows loading images from trusted domains.	https://images.pexels.com
  Script-src	Allows loading JavaScript files from trusted sources.	https://www.recaptcha.net
  Font-src	Allows loading fonts from trusted providers.	https://use.typekit.net
  Connect-src (On-Premise only)	Allows API calls or backend connections to trusted endpoints.	https://api.github.com

  
  
  • Source List Reference

    The UI also provides a Source List Reference section that explains supported CSP source values and their behavior.

  • Cloud vs On-Premise Behavior

    The CSP directive behavior differs between Cloud and On-Premise deployments.

    • On-Premise:
      • Configured CSP rules are applied and enforced directly in the application using the Content-Security-Policy header.
      • If any resource does not match the configured policy, the browser blocks it immediately.
    • Cloud:
      • Configured CSP domains are initially added using the Content-Security-Policy-Report-Only header.
      • In this phase, policy violations are captured and logged without blocking resources, allowing administrators to review and refine configurations before enabling enforcement.
      • Exception: The Frame-Ancestors directive is enforced directly to protect against clickjacking attacks.
  • Enable captcha:
  
  
  
  • Captcha for Login: Enable this option to enforce CAPTCHA during the user login process.
  • Captcha for Registration: Enable this option to enforce CAPTCHA during the user registration process.
  • Captcha for Password Reset: Enable this option to enforce CAPTCHA during the password reset process.
  
  

  Note: If you are using a vanity URL, please contact miniOrange Support to whitelist your domain in order to enable CAPTCHA on your site.

  
  
  
  

• Admin: Click Checkbox to receive email notifications whenever bulk operations are performed by the admin within the system.

Following Settings/Configurations are only for On-premise:

• Details:
  
  
  
  • Server Details: You can change the domain URL where the On-Premise version of IdP is hosted as shown in above screenshot.
  
  
  
  • miniOrange cloud user account details: This is required to use SMS or Email service from miniOrange instead of configuring custom SMS or SMTP provider
  • Logging: You can set the logging level of the product as shown in the screenshot below. Default logging level is ALL. You can choose from the following options and change the logging level to any of them:
    • ALL
    • TRACE
    • DEBUG
    • INFO
    • WARN
    • ERROR
    • FATAL
    • OFF

    It is recommended to change it to Error for production environments for best performance. Once you save the logging level there is no need to restart the server for changes to take effect but you should not perform this operation very frequently.

    Note: 1. This option is available only for Main Admin and Super Admin accounts.
    2. Any changes you make here are not persisted across server restarts. You will need to edit 'WEB-INF/classes/log4j.properties' to change levels permanently.

• Users
• Login & Logout:
  
  
  
  • Enable Integrated Windows Authentication (IWA): This option allows you to login with your Windows credentials, without having to enter a username and password.



Following Setting is accessible only for Super Admin:

• Users
• User Onboarding:
  
  
  
  • Enable sending activation emails to customer with Passwords: Super admin can enable or disable activation emails sent to customers which contains passwords.