1. User authentication

Configure the Authentication setting

Note

To configure Content Hub, you must either be a superuser or have the necessary permissions granted to you through user group policies.

To configure the Authentication setting:

  1. On the menu bar, click Manage .

  2. On the Manage page, click Settings.

  3. On the Settings page, select the Authentication setting.

  4. Add the properties.

  5. Click Save.

Note

You can refer to the configuration example for a better understanding of this setting.

Tip

Content Hub information architects and those in technical roles can find more detailed information about authentication properties in the Accelerate Cookbook for Content Hub, a collection of recipes that provides information to help you successfully set up, configure, and implement Content Hub.

Properties

You can configure the following authentication properties.

Property

Description

Default value

EnableEmailWhiteList

If set to true, only users with email addresses matching one of the configured patterns listed in WhiteListedEmailPatterns can create an account.

true

WhiteListedEmailPatterns

If EnableEmailWhiteList is true, users can only create an account if the email they use matches at least one of the regular expressions in this list property. If the list is empty, there are no restrictions on which email addresses can be used.

empty

DefaultUserGroups

A list of user groups that new users are added to automatically. Any groups in this list that do not already exist are created when a user is added to them by this process. If you don’t want new users to be added to any user groups automatically, this list can be left blank or the property omitted.

empty

EnableBasicAuthentication

If set to true, users can log in using a username and password on the login page. If set to false, they can only log in using external authentication providers.

Note

To ensure successful integrations, set EnableBasicAuthentication to true when using an SDK with an OAuth flow.

false

EnableRegister

If set to true, users can create a new account using the registration page.

Note

This property relies on a public endpoint used to create new user accounts. If you enable this property, you must configure ReCaptcha to avoid validation errors when saving your authentication settings. We also recommend to enable AutoRestrict and use DefaultUserGroups.

false

ShowRegister

If set to true, a link to the RegistrationLink URL shows on the login page.

false

EnableExternalAuthentication

If set to true, external authentication is enabled, letting users log in with one of the configured external authentication providers.

true

EnableConfirmationMail

If set to true, users can only log in after clicking the link in the confirmation email sent to them.

true

EnableLockout

If set to true, user accounts are automatically locked out after exceeding the number of failed login attempts set in AttemptsBeforeLockout.

true

ExpireTimeSpan

Number of minutes that the authentication cookie is valid.

The maximum value is 1,440 minutes (equivalent to 24 hours).

30 minutes

MinutesToLockout

Number of minutes a user is locked out of the system after exceeding the unsuccessful login attempts set by AttemptsBeforeLockout.

5 minutes

AttemptsBeforeLockout

Number of failed login attempts before a user is locked out of the system.

3

AutoRestrict

If set to true, all new users are automatically restricted. Restricted users can only access a specific landing page until an administrator verifies their account.

true

EnableCredentialless

If set to true, users can log in using an external authentication provider without having to create an account for it. If a user's email address already exists in the system, the login is linked to the existing account.

false

UsernameClaimType

By default, the username.

AutoCreateUsers

If set to true, and a user logs in with an external authentication provider, an account is created automatically if the user does not already have one.

false

CookieName

Name of the authentication cookie.

null

CookieDomain

Domain used for the authentication cookie.

null

PostSignOutRedirectUrl

Users are redirected to the specified URL after signing out of the application. If this option is not specified, users are redirected back to the login page.

Note

You can access the remote sign-out page of the authentication service provider at the /signout-{provider-name} endpoint, and you can access the sign-out call back page at the /signout-callback-{provider-name} endpoint.

null

PasswordRules

Rules used to validate user passwords:

  • RequireDigit - the password must contain a digit.

  • RequireLowercase - the password must contain a lowercase character.

  • RequireNonLetterOrDigit - the password must contain a non-alphanumeric character.

  • RequireUppercase - the password must contain an uppercase character.

  • RequiredLength - minimum length for a password.

  • RequireDigit - true

  • RequireLowercase - true

  • RequireNonLetterOrDigit - true

  • RequireUppercase - false

  • RequiredLength - 8

ReCaptcha

ReCaptcha provides protection against spam. Ensure that the correct key and secret are stated. Must be configured if EnableRegister is set to true.

key and secret

ExternalAuthenticationProviders

Configuration settings of the external authentication provider.

Base configuration

EnableForgotPassword

If ShowForgotPassword is true, then this must also be true.

false

PasswordExpiration

Number of minutes that the password is valid. Users are prompted to change their password when it expires.

90 days (129,600 minutes)

RegistrationLink

A registration page URL. If EnableRegister and ShowRegister are true, users who click the registration link on the login page are directed to this URL.

null

SameSiteCompatibility

Used for security purposes.

Note

This Policy property is used only when the samesite_cookie_policy feature is enabled. Contact your account executive to enable it.

  • is_enabled - true

  • user_agent_patterns -

    [ "(Chrome/5|Chrome/6)",
"(CPU iPhone OS 12|iPad; CPU OS 12)",
"^(?=.\bMacintosh; Intel Mac OS X
10_14\b)(?=.\bVersion/\b)(?=.\bSafari\b).$"]

  • Policy - None

SameSite

Controls when and where a cookie is sent. It is designed to enhance security and privacy by restricting cross-site request forgery (CSRF) attacks and unintentional information leakages.

  • SameSite=Strict - ensures that the cookie is only sent in a first-party context, meaning the cookie is only sent if the site for the cookie matches the site shown in the browser's address bar. This is useful for cookies related to sensitive actions, such as changing a password or making a purchase.

    For example, Set-Cookie, promo_shown=1; SameSite=Strict

  • SameSite=Lax - allows the cookie to be sent with top-level navigations, such as when a user follows a link from another site. This is useful for cookies that affect website display, such as promotional banners.

    For example, Set-Cookie: promo_shown=1; SameSite=Lax

  • SameSite=None - allows the cookie to be sent in all contexts, including cross-site requests. This is useful for services that other sites consume, such as widgets, embedded content, or sign-in across multiple sites. Cookies with SameSite=None must also specify the Secure attribute, meaning they require a secure context.

    For example, Set-Cookie: widget_session=abc123; SameSite=None; Secure

ShowForgotPassword

If set to true, a link to the forgotten password page appears on the login page.

false

SlidingExpiration

If set to true, the authentication cookie gets a new expiration time whenever a request is processed more than halfway through the expiration period.

false

TokenLifespan

The period after which password reset and email confirmation tokens expire.

10 hours

If you have suggestions for improving this article, let us know!