Security settings
The Main settings include the security settings, where access to your solution can be restricted.
IP ranges
This area can be used to limit which IP addresses can be used to access specific pages of the Umantis solution. If nothing is entered in this area, the solution can be accessed from anywhere on the Internet. To add a new restriction, click on Enter new IP range.
Settings
The login name or email address may not be longer than 250 characters.
Blocked login
- Blocked login (number of attempts):
- Specify how many times an incorrect password can be entered before access is blocked. The maximum number of login attempts is 20. The default value is 10 attempts.
- Duration of login block (number of minutes):
- Specify for how long logins should be blocked. The minimum lockout period is 5 minutes. The default value is 60 minutes.
Password
If a validity period is set for passwords, this setting has no effect on SSO users; for them, the guidelines set by the company apply.
Umantis stores all passwords as PBKDF2 hashes.
- Additional password security:
- Specify whether the password must be complex, i.e. whether it must contain special characters, numbers, upper and lower-case letters.
- Password validity (number of days):
- Specify for how many days the password will be valid.
- Validity period password link (number of hours):
- Specify the validity period of the authentication key for setting a new password. After the period defined here (in hours) expires, the password reset link is no longer valid. If no period is defined here, the validity is 24 hours. The maximum validity is 72 hours.
- Minimum password length (number of characters):
- Specify the minimum password length. The default value is 6 characters.
- Password history (number of repetitions):
- Specify how many times the same password can be used.
- Session timeout/Automatic logout (number of minutes):
- Specify here how many minutes of inactivity will cause the user to be automatically logged out. If no value is provided, then automatic logout will occur after eight hours.
Note that the session is automatically closed when all browser tabs/windows are closed in which a Umantis session was active.
- Notifications:
To avoid loss of data, you are informed when the session is about to expire and when an Internet connection is unavailable:
- Automatic logout in:
When 90% of the inactive period specified under “Automatic logout (number of minutes)” has passed, a notification appears with the option to extend the session:
Your session will end after this time, and you will be automatically logged out of the system. Any unsaved changes will be lost. Click on “Extend session” to cancel automatic logout and extend the current session.
- Your session has expired!
If your session has expired, another notification appears:
The current session has expired due to inactivity. You can no longer save this form. To avoid loss of data, save any changes locally before leaving this page.
- No Internet connection!
If no Internet connection is available, all buttons that trigger actions are automatically disabled (grayed out). If you click on one of these buttons when no Internet connection is available, a notification appears:
Please establish an Internet connection in order to continue working.
- Authentication key validity (number of days):
- Enter the amount of time for which the authentication key is valid. Use this setting to specify the time period for which access will be available to the relevant processes through the URLs sent via email. In Umantis Applicant Management, this applies to the processes for (third-party) evaluations, assessments and approvals for a job. In Umantis Employee Management, this applies to processes for (third-party) assessments and approvals for participation in events. The specified period of validity will also be indicated in the email sent for each link (“This link is only valid for XX days”). Add the following section to your existing templates, if necessary: [IF LoginKeyValidity.LifeTimeInDays](This link is only valid for [LoginKeyValidity.LifeTimeInDays] day(s).) [END].
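As an added illustration of the password settings above (this is example code, not code from Umantis), the following Python sketch applies the minimum length, the complexity requirement, the password history and the reset-link validity period the way a defender would model them, with old passwords kept only as PBKDF2 hashes as the page describes. The history depth of 5 and the PBKDF2 iteration count are assumptions; the page names PBKDF2 but not its parameters. The 6-character default and the 24 h default / 72 h maximum for the reset link are the page's own figures:

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Figures from the settings above: 6-character default minimum, reset link valid 24 h by
# default and 72 h at most. HISTORY_SIZE and PBKDF2_ITERATIONS are assumptions for this
# example; the page names PBKDF2 but does not state its parameters.
MIN_LENGTH = 6
HISTORY_SIZE = 5
PBKDF2_ITERATIONS = 600_000
LINK_DEFAULT_HOURS = 24
LINK_MAX_HOURS = 72


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a PBKDF2-HMAC-SHA256 hash; only (salt, hash) is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def is_complex(password: str) -> bool:
    """'Additional password security': upper case, lower case, a digit and a special character."""
    return all(re.search(p, password) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"))


def check_new_password(password: str, history: List[Tuple[bytes, bytes]],
                       require_complex: bool = True) -> List[str]:
    """Return the policy violations for a proposed password; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if require_complex and not is_complex(password):
        problems.append("not complex (needs upper, lower, digit and special character)")
    # Password history: the old passwords exist only as hashes, so the candidate is
    # re-derived with each stored salt and compared in constant time.
    for salt, stored in history[-HISTORY_SIZE:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):
            problems.append(f"reused within the last {HISTORY_SIZE} passwords")
            break
    return problems


def reset_link_valid(issued_at: datetime, now: datetime, hours: Optional[int] = None) -> bool:
    """'Validity period password link': 24 h when unset, capped at 72 h however it is configured."""
    hours = LINK_DEFAULT_HOURS if hours is None else min(hours, LINK_MAX_HOURS)
    return issued_at <= now < issued_at + timedelta(hours=hours)
```

The history check never decrypts anything: because PBKDF2 is one-way, the only way to detect reuse is to re-derive the candidate with each stored salt, which is also why the stored salt has to be kept next to the hash.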
Since the end of 2018, PKI is no longer supported
If you work with PKI certificates within your company and wish to grant users access to the Umantis solution using this type of single sign-on (SSO), check the box for “Use PKI”. Below that, select which of the four identifiers from the browser certificate should be verified. In the Issuer and Subject fields, regular expressions can be used to further restrict which texts from the certificate are to be verified. Important: if users access the solution via Cloud SSO (ADFS), no time limit can be placed on the validity of the password.
- Use PKI:
- Specify whether login via certificate verification should be enabled.
Tip: Checking the PKI certificate integration
The following URL can be used to check whether the PKI certificate has been integrated correctly: https://pki-test.de.umantis.com
If the page appears in red, then the certificate was not correctly integrated, or the certificate authority (CA) was not entered correctly.
If the page appears in green, then the certificate was correctly integrated and the certificate authority (CA) was entered correctly.
Certificate information for identification purposes
- Use “Issuer” field:
- Specify whether the certificate’s “Issuer” field should be used as a key.
- Use “Issuer” field partial value:
- Using a regular expression, indicate the part that should be extracted from the “Issuer” field for comparison with the import data. Please indicate the desired area with ( ). Example: “(\d+)$”
- Use “Subject” field:
- Specify whether the certificate’s “Subject” field should be used as a key.
- Use “Subject” field partial value:
- Using a regular expression, indicate the part that should be extracted from the “Subject” field for comparison with the import data. Please indicate the desired area with ( ). Example: “(\d+)$”
- Use “NotBefore” field:
- Specify whether the certificate’s “NotBefore” field should be checked as an additional security measure. Accuracy: Minutes
- Use “NotAfter” field:
- Specify whether the certificate’s “NotAfter” field should be checked as an additional security measure. Accuracy: Minutes
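To make the identification settings concrete, here is an added Python model (not Umantis code) of how the Issuer/Subject fields and their regular-expression partial values combine into the key that is compared with the import data, and how the NotBefore/NotAfter checks behave at minute accuracy. The certificate values and the names in the settings dictionary are constructed for this example; the regular expression (\d+)$ is the page's own:

```python
import re
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed certificate fields (not a real certificate), in the shape a browser
# certificate presents them; both time fields deliberately carry seconds.
SAMPLE_CERT = {
    "Issuer": "CN=Example Corp Employee CA,O=Example Corp,C=DE",
    "Subject": "CN=Jane Doe,OU=HR,O=Example Corp,serialNumber=100234",
    "NotBefore": datetime(2024, 1, 1, 8, 0, 30, tzinfo=timezone.utc),
    "NotAfter": datetime(2026, 1, 1, 8, 0, 30, tzinfo=timezone.utc),
}

# Mirrors the "Certificate information for identification purposes" checkboxes and fields.
# An empty regex means the whole field is the key; "(\d+)$" is the page's example.
SETTINGS = {
    "use_issuer": True, "issuer_regex": "",
    "use_subject": True, "subject_regex": r"(\d+)$",
    "check_not_before": True, "check_not_after": True,
}


def partial_value(field_text: str, pattern: str) -> Optional[str]:
    """Extract the comparison value: group 1 of the regex, or the whole field if no
    regex is configured. No match (or a regex without a group) yields no key at all."""
    if not pattern:
        return field_text
    match = re.search(pattern, field_text)
    if match is None or match.lastindex is None:
        return None
    return match.group(1)


def to_minute(moment: datetime) -> datetime:
    """The page states the NotBefore/NotAfter checks work with minute accuracy."""
    return moment.replace(second=0, microsecond=0)


def identity_key(cert: Dict, settings: Dict, now: datetime) -> Optional[Tuple[str, ...]]:
    """Build the key that is compared with the import data, or None if the certificate
    is rejected (no usable key, or outside its validity window)."""
    key = []
    for field, use_flag, regex_key in (("Issuer", "use_issuer", "issuer_regex"),
                                       ("Subject", "use_subject", "subject_regex")):
        if settings[use_flag]:
            value = partial_value(cert[field], settings[regex_key])
            if value is None:
                return None
            key.append(value)
    if settings["check_not_before"] and to_minute(now) < to_minute(cert["NotBefore"]):
        return None
    if settings["check_not_after"] and to_minute(now) > to_minute(cert["NotAfter"]):
        return None
    # With no field selected there is nothing to identify the user by.
    return tuple(key) if key else None
```

Note what the capture group does: with (\d+)$ the Subject above contributes only 100234, so the import data must hold that serial number, not the full distinguished name; a certificate whose Subject ends without digits produces no key and cannot log in at all.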
Token login
- Public certificate:
- Must contain -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
See also Authentication via URL parameters
File extensions
Here you can globally define the file formats that can be used for uploading in select fields.
However, these changes only take effect if the corresponding steps are taken in Configuration mode: under “Restrictions on file extension”, you can specify a restriction for each individual upload field in the system. You can choose between:
- “check MIME type”: the file format is verified and an error message appears in case of inconsistency
- “none”: all file formats are allowed for uploads
- “must”: a file must be uploaded, regardless of the format; otherwise, the process cannot be completed
In the article on Restricting the file extension, you will find a use case for restricting uploads to PDF files.
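The “check MIME type” option is easiest to understand with the PDF use case just mentioned. The following Python function is an added example, not Umantis code; it models the three options and, for “check MIME type”, verifies both that the extension is in the globally allowed list and that the file content starts with the signature expected for that format. The signature table is constructed for the example, and the exact check Umantis performs is not documented on this page:

```python
import os
from typing import Set, Tuple

# File signatures ("magic bytes") for the formats in this example; a constructed table,
# not a list of what Umantis itself recognises.
MAGIC = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "docx": (b"PK\x03\x04",),  # OOXML documents are ZIP containers
}


def check_upload(filename: str, content: bytes, allowed_extensions: Set[str],
                 mode: str) -> Tuple[bool, str]:
    """Apply one upload field's restriction. mode is one of the three options
    from the page: 'check MIME type', 'none' or 'must'. Returns (accepted, reason)."""
    if mode == "none":
        return True, "no restriction on this field"
    if mode == "must":
        return (True, "file present") if content else (False, "a file is required")
    if mode != "check MIME type":
        raise ValueError(f"unknown restriction mode: {mode!r}")
    if not content:
        return False, "no file uploaded"
    # Only the last extension counts, so 'report.pdf.exe' is judged as an .exe file.
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in allowed_extensions:
        return False, f"extension '{ext}' is not in the allowed list"
    signatures = MAGIC.get(ext)
    if signatures is None:
        # Design choice for this example: a format we cannot verify is not accepted.
        return False, f"no signature known for '{ext}', format cannot be verified"
    if not any(content.startswith(sig) for sig in signatures):
        return False, f"content does not match the {ext} format"
    return True, f"{ext} file verified"
```

The point of checking content as well as extension is that renaming a file costs an attacker nothing; the signature check is what makes “only PDF” mean PDF.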
Restrictions on integration
You have the option to integrate Umantis into your website, for example via iframe. When doing this, it is recommended that you restrict the integration options under Settings > Security settings. Restricting integration prevents misuse through so-called clickjacking.
In the “Restrictions on integration” area, you can implement the following settings (known as “whitelisting”) in two sections:
- In the upper section, you can explicitly specify the URLs into which the internal view of umantis (e.g. HR, Administration) can be integrated. If you are integrating Umantis into your website via iframe, you would enter the website’s URL here (e.g. http://www.company.com). Note that only one URL should be entered here.
- In the lower section, you can enter multiple URLs (separated by commas) into which the external view of umantis (e.g. /SelfService, /SelfServiceLine) can be integrated.
- If you do not add any restrictions on integration, and do not enter any URLs, the individual views of Umantis can be integrated anywhere.
- Enter a dummy URL (i.e. a non-existent address) for each field if you want to prevent integration altogether.
CORS (Cross-Origin Resource Sharing)
By default, browsers’ same-origin policy will not be violated. With CORS, web browsers and web clients can be allowed to make cross-origin requests. Based on the W3C standard mechanism, the same-origin policy can be circumvented for the following sections of the solution:
- /XMLExport/ID
- /CSVExport/ID
- /Vacancies
- /VacanciesIntraxData
- /RssFeed
CORS (Cross-origin resource sharing paths)
Please enter your specific paths separated by commas, e.g. "/XMLExport/ID,/CSVExport/ID".
Access-Control-Allow-Origin
In this section, you can enter your specific domain (“https://exampledomain.com”). If you enter an asterisk (“*”) here, cross-origin requests to the sections of the solution listed above will be allowed from any domain.
Whitelisting setting for general redirects
- URL
- Please specify URLs separated by commas (example: https://www.123company1.com, https://www.123company2.com).
Whitelisting setting for redirection after logout
- URL
- Please specify URLs separated by commas (example: https://www.123company1.com, https://www.123company2.com).
- [x] Activate cookie attributes Same site=strict
We recommend enabling this option (if not already enabled). If the checkbox is checked, the browser sends the cookies only with requests that originate from the same site. If a user reaches the URL via a link from another page, the cookie is therefore not available during that initial call.
- [ ] X-Frame-Options - Activate sameorigin
If the checkbox is checked, only pages from the same source page (same origin) can be integrated in an iFrame. This security setting is used to prevent pages from being integrated in third-party sites without your permission. If you deliberately integrate pages of your HTM solution in an iFrame in other sites, please uncheck this checkbox (e.g. job board on company website, HTM solution on intranet).
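The CORS settings above and the two cookie/framing options are all visible in a response's headers, so they can be verified from outside. The following Python snippet is an added example, not Umantis code: cors_allow_origin models how the two CORS fields combine (which paths answer cross-origin requests, and for which origin), and audit_response checks a captured response for SameSite=Strict cookies, X-Frame-Options sameorigin and a wildcard Access-Control-Allow-Origin. The header sets are constructed, and the function names are this example's:

```python
from typing import List, Optional, Set, Tuple

Header = Tuple[str, str]

# Values as they would be entered in the two CORS fields above.
CORS_PATHS: Set[str] = {"/XMLExport/ID", "/CSVExport/ID"}
ALLOWED_ORIGIN = "https://exampledomain.com"


def cors_allow_origin(path: str, request_origin: str, cors_paths: Set[str],
                      allowed_origin: str) -> Optional[str]:
    """Model of the two CORS settings taken together: only the listed paths answer
    cross-origin requests, and only for the configured origin ('*' means any).
    Returns the Access-Control-Allow-Origin value to send, or None for no CORS header."""
    if path not in cors_paths:
        return None
    if allowed_origin == "*":
        return "*"
    return allowed_origin if request_origin == allowed_origin else None


def audit_response(headers: List[Header], framing_intended: bool = False) -> List[str]:
    """Check a response against the recommended settings: SameSite=Strict on every
    cookie, X-Frame-Options sameorigin (unless framing is intended, e.g. a job board
    embedded on the company website), and no wildcard CORS. Returns the findings."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "samesite=strict" not in attrs:
                findings.append(f"cookie {cookie_name} is not SameSite=Strict")
        elif lname == "access-control-allow-origin" and value.strip() == "*":
            findings.append("Access-Control-Allow-Origin is '*': any domain may read these responses")
    xfo = [v.strip().lower() for n, v in headers if n.lower() == "x-frame-options"]
    if not framing_intended:
        if not xfo:
            findings.append("X-Frame-Options missing: page can be framed by any site")
        elif xfo[0] != "sameorigin":
            findings.append(f"X-Frame-Options is {xfo[0]!r}, expected sameorigin")
    return findings


# Constructed responses: one with the recommended options, one with them switched off.
HARDENED: List[Header] = [
    ("Set-Cookie", "SESSIONID=c0ffee; Path=/; HttpOnly; SameSite=Strict"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Access-Control-Allow-Origin", "https://exampledomain.com"),
]
WEAK: List[Header] = [
    ("Set-Cookie", "SESSIONID=c0ffee; Path=/; HttpOnly"),
    ("Access-Control-Allow-Origin", "*"),
]
```

Run audit_response over headers captured from your own instance after changing the settings; the framing_intended flag covers the case the page describes, where X-Frame-Options is deliberately switched off because the job board is embedded on the company website.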
Whitelisting URL settings for CSP
- You can set whitelisting URL settings to determine which URLs should bypass the Content Security Policy. This may be necessary when using external services, such as tracking tools.
- In general, we do not recommend bypassing the Content Security Policy. If such settings are made, you do so "at your own risk".
- Please note that the "URLs" field will only be visible (even in [Configuration mode]) if the "Enable CSP whitelist URLs" checkbox has been checked.
- [ ] Enable CSP Whitelist URLs
If this option is enabled, the specified URLs are treated as a whitelist for CSP validation.
- URLs
- Please specify URLs separated by commas (example: https://www.123company1.com, https://www.123company2.com).
Whitelisting setting for URL parameters
This setting can be used to define external URL parameters that are used for applicant tracking, for example. The parameters stored here are carried over even in the case of automatic redirects to further URLs, e.g. the redirect to /Vacancies/ID/Application/CheckLogin/ID within the application process. This ensures that tracking is maintained throughout the entire application process. External URL parameters that are not defined in the whitelist are automatically removed in the case of such redirects.
- No parameters are stored by default.
- If you store multiple parameters, you can insert them separated by commas (e.g., _ga,_tracking).
- The parameters are case-sensitive.
- The Umantis-specific URL parameters are also forwarded without any special whitelisting settings (e.g. ?source, ?srcText, ?tracking_id).
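Both the redirect whitelists above (general redirects and redirection after logout) and the URL-parameter whitelist are applied at a redirect, so one added Python example (not Umantis code) covers them: redirect_allowed checks a redirect target against a whitelist by exact origin, which is what stops prefix, scheme and userinfo look-alikes, and carry_parameters rebuilds an internal redirect such as the one to /Vacancies/ID/Application/CheckLogin/ID keeping only the whitelisted external parameters, compared case-sensitively, plus the Umantis-specific ones named above. The URLs and parameter values are constructed, and how Umantis matches origins internally is not documented here, so the exact-origin rule is this example's choice:

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Values as they would be typed into the whitelist fields (comma-separated, as the page says).
REDIRECT_WHITELIST_SETTING = "https://www.123company1.com, https://www.123company2.com"
PARAM_WHITELIST_SETTING = "_ga,_tracking"
# The page lists these as forwarded without any whitelist entry.
UMANTIS_PARAMS = {"source", "srcText", "tracking_id"}


def parse_list(setting: str) -> List[str]:
    """Split a comma-separated setting; stray spaces around entries are tolerated."""
    return [item.strip() for item in setting.split(",") if item.strip()]


def origin_of(url: str) -> Optional[Tuple[str, str, int]]:
    """(scheme, host, port) with the default port filled in, or None for non-http(s) URLs."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname.lower(), port


def redirect_allowed(target: str, whitelist: List[str]) -> bool:
    """Open-redirect guard: the target's origin must equal a whitelisted origin exactly.
    A longer host (www.123company1.com.evil.example), a scheme downgrade to http and a
    userinfo look-alike (https://www.123company1.com@evil.example) all fail the comparison."""
    target_origin = origin_of(target)
    return target_origin is not None and any(target_origin == origin_of(w) for w in whitelist)


def carry_parameters(incoming_url: str, next_path: str, param_whitelist: List[str]) -> str:
    """Rebuild an internal redirect keeping only whitelisted external parameters
    (compared case-sensitively) plus the Umantis-specific ones; everything else is dropped."""
    keep = set(param_whitelist) | UMANTIS_PARAMS
    query = [(k, v) for k, v in parse_qsl(urlsplit(incoming_url).query, keep_blank_values=True)
             if k in keep]
    return urlunsplit(("", "", next_path, urlencode(query), ""))
```

Note the case-sensitivity the page points out: with _ga whitelisted, a parameter named _GA is dropped, so the spelling in the whitelist has to match the tracking tool's exactly.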
CAPTCHA activation
When activating the CAPTCHA on login screens, it becomes active immediately. When activating the CAPTCHA on application forms, the CAPTCHA must also be set to visible via "Configuration mode". This way it can be decided for each individual application form whether the CAPTCHA should be used for this form.
- Enable CAPTCHA for internal login screens
- e.g. login HR cockpit (/), login Manager cockpit (/SelfServiceLine), login for Committees/Board members (/SelfServiceBoard), Third party approver (/SelfServiceAppraisal), Vacancy approver (/SelfServiceApprovals)
- Enable CAPTCHA for external forms
- e.g. application forms:
- External job market (applicants):
- /Vacancies/ID/Application/New/ID
- /Vacancies/ID/Application/New/ID/ID
- /Vacancies/ID/FurtherApplication/Apply/ID
- /Vacancies/ID/FurtherApplication/ApplyFromJobAbo/ID
- /Vacancies/InitiativeApplication/ID
- /Vacancies/InitiativeApplication/OnlyApplication/ID
- /Vacancies/InitiativeApplication/ApplyFromJobAbo/ID
- Internal job market:
- /VacanciesIntraxData/ID/Application/New/ID
- /VacanciesIntraxData/ID/FurtherApplication/Apply/ID
- /Vacancies/ID/FurtherApplication/ApplyFromJobAbo/ID
- /Vacancies/InitiativeApplication/OnlyApplication/ID
- /VacanciesIntraxData/InitiativeApplication/ApplyFromJobAbo/ID
- Recruiter:
- /VacanciesRecruiter/ID/Application/New/ID
- /Vacancies/Register/ID
- Enable CAPTCHA for external login screens
- e.g. login to Applicant cockpit (/SelfService), login for External Recruiters (/SelfServiceRecruiter)
- We have chosen a simple variant for the CAPTCHA feature, as this ensures the greatest possible privacy for you and your data. Many of the more current CAPTCHA options, which look simpler to the end user, work by transmitting the user's data, such as browser history, usage behavior, and more, to third parties to analyze whether the user is human or a potential bot. Privacy is our highest priority, which is why we have decided against such an option.
- The captcha has no influence on SSO, because with Single Sign On the user is redirected to the login page of the SSO server and then directly logged into their cockpit, i.e. the captcha does not come into play.
Notes on the captcha display
Regardless of the settings above under “CAPTCHA activation”, a captcha is displayed after a certain number of failed attempts if someone repeatedly tries to log in with different usernames. This is intended to prevent automated attacks using scripts. The measure applies to all login attempts originating from the same IP address. After a certain period of time without further failed login attempts, the captcha is automatically deactivated.
This security-related feature is to prevent potential attackers from automatically retrieving valid usernames from a publicly accessible endpoint. Background: A login behaves differently depending on whether a user exists or not, which means that usernames could easily be identified. The captcha is only displayed if several user logins to your Umantis solution from the same IP address fail consecutively.
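The per-login-name block under “Blocked login” and the per-IP captcha described here are both failure counters with a time window. The following Python classes are an added example, not Umantis code, showing one way to implement each: AccountLockout uses the page's defaults and bounds (10 attempts, at most 20; 60 minutes, at least 5), while IpCaptchaTrigger counts failures from one IP address regardless of login name, which is what makes it useful against username enumeration. The page gives no threshold or quiet period for the captcha, so those values are assumptions, as are the class and method names:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict


class AccountLockout:
    """'Blocked login': after max_attempts wrong passwords in a row the login name is
    blocked for lock_minutes. Defaults and bounds are the page's (10 attempts, at most 20;
    60 minutes, at least 5). Time is passed in so the behaviour can be replayed."""

    def __init__(self, max_attempts: int = 10, lock_minutes: int = 60):
        self.max_attempts = min(max_attempts, 20)
        self.lock_minutes = max(lock_minutes, 5)
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, datetime] = {}

    def is_blocked(self, login: str, now: datetime) -> bool:
        until = self.locked_until.get(login)
        if until is None:
            return False
        if now < until:
            return True
        # Block expired: the counter starts from zero again.
        del self.locked_until[login]
        self.failures.pop(login, None)
        return False

    def attempt(self, login: str, password_ok: bool, now: datetime) -> str:
        """Outcome of one login attempt: 'ok', 'wrong' or 'blocked'."""
        if self.is_blocked(login, now):
            return "blocked"
        if password_ok:
            self.failures.pop(login, None)
            return "ok"
        count = self.failures.get(login, 0) + 1
        self.failures[login] = count
        if count >= self.max_attempts:
            self.locked_until[login] = now + timedelta(minutes=self.lock_minutes)
            return "blocked"
        return "wrong"


class IpCaptchaTrigger:
    """'Notes on the captcha display': failed logins from one IP address, whatever the
    login name, switch the captcha on once `threshold` of them fall within the last
    `quiet_minutes`; a quiet period of that length therefore switches it off again.
    The page gives no numbers for this, so threshold and period are assumptions."""

    def __init__(self, threshold: int = 5, quiet_minutes: int = 15):
        self.threshold = threshold
        self.quiet = timedelta(minutes=quiet_minutes)
        self.failures: Dict[str, Deque[datetime]] = defaultdict(deque)

    def _trim(self, ip: str, now: datetime) -> Deque[datetime]:
        """Drop failures older than the quiet period and return the remaining window."""
        window = self.failures[ip]
        while window and now - window[0] > self.quiet:
            window.popleft()
        return window

    def record_failure(self, ip: str, now: datetime) -> None:
        self._trim(ip, now).append(now)

    def captcha_required(self, ip: str, now: datetime) -> bool:
        return len(self._trim(ip, now)) >= self.threshold
```

The two counters deliberately key on different things: the lockout protects one account from password guessing, the captcha trigger protects the login endpoint from one client cycling through many usernames, which the per-account counter would never notice.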
Actions
Virus scanner
The Umantis application automatically checks all uploaded files (in the background, unnoticed by users). The anti-virus program ClamAV is used as the scanning component.
If the virus scanner detects a suspicious file or a virus, the user is informed of the situation with an error message and/or failed file upload.
Changing the email address
Note that people registered in the system (user roles in umantis) will receive an email with a confirmation link when changing their email address. Only after they access this link is the new email address valid and stored in the system. When people are newly entered in the system by the HR department, a verification email with a confirmation link is sent to their email address.
No verification/confirmation will be requested for imported email addresses. The same will apply if administrators modify the email address. In that case, it will be immediately regarded as verified.
For applicants (Umantis Applicant Management), confirming or not confirming the email address has no functional effect; therefore, applicants will not automatically receive a request to confirm their email address.
However, if you want the applicants to confirm their email address anyway, you can copy the following link into the email (Welcome email for applications):
- <a href="https://[Special.Hostname]/SelfService?UserID=[Person.ID]&CustomFunction=ActivateMailaddress&token=[Activate.Token]">Confirm email address</a>.
If you work with IP ranges, you should accept the following paths:
- for Applicant Management: /LandingPageApplicants or /LandingPageOther
- for Employee Management: /LandingPageEmployee
In the email special settings, please fill in the fallback sender address to ensure that the emails that are sent out have the correct (company-specific) sender.