Tenant management

Configure administrator details, set tenant preferred language and URL for redirection after logoff.

1. Access Technology > Administration > Tenant Management > Configure;
2. Select the created tenant;
3. In Settings, on the General tab, enter thePreferred language, which will be used on all screens and fields of the senior X Platform for G7, G5 and SAML users. Currently, the available languages are English, Spanish and Brazilian Portuguese, however, it is possibledevelop a language pack and make it available for use. If you use LDAP/AD. The default language cannot be changed, this information must come from AD itself.
   After changing the language, the user must leave the platform for this configuration to be carried out. This process is necessary because the cookies that inform the language are generated at the beginning of the session and some messages can take approximately 15 minutes to be translated. When the language is not defined in tenant management or user management, the language configured is that of the browser used;
4. If you want the user not to return to the login screen after leaving the platform, but to another screen, such as the company website, change theURL to redirect after logout. Leave it blank so that the redirection is made to the senior X Platform login screen itself;
5. Optionally change the administrator data defined when creating the tenant;
6. Inform theStandard papers that the user should receive, if no role is assigned to the user during their registration.

Define and configure the data for connecting to the SMTP email server (Simple Mail Transfer Protocol), which will be used to send email exchange notifications.

1. Access Technology > Administration > Tenant Management > Configure;
2. Select the created tenant;
3. In Settings, on the Email tab, enter theServer,Door,User It is Password to only send confirmation emails for tenant creation and password reset;
4. Then tickRequires authentication to determine whether the sending email server requires authentication;
5. ANDSSL enabled and/orTLS enabled to define the form of email server security protocol.

Determine thetypes of authentications on senior X Platform.

1. Access Technology > Administration > Tenant Management > Configure;
2. Select the created tenant;
3. In Settings, on the Authentication tab, determine theTypes of authenticati
   from te

   nant:Authentication on G7Access to systems from the platform is done by users created within the platform itself. When selectingAllow the "Change password after authentication" option in user management, it is possible to indicate that a user must change their password when accessing the platform.

   

   Authentication on G5Users registered in the system's Senior User Manager are imported and displayed on the senior X Platform. In this way, user groups becomeroles. To change your password through the platform, select the optionAllows you to change password.

   When selecting the optionUser must change password at next logon, in the user properties in the Senior User Manager, when accessing the platform it is mandatory to change the user's password via integration.

   

   LDAPUsers are reused, but they need to be related to roles created and maintained on the senior X Platform. For this type of authentication, synchronization with the LDAP server is required:

   1. In Data for LDAP server connection, enterSer
   ver
   2. ,
   Do
   3. or and
   whether SSL is enabled;
   4. In
   Data for importing users from the LDAP server, enter the user data (user, password, user attribute, user name attribute, user description attribute and user email attribute);
   5. Then in the field
      1. Search base
      , inform the bas
      2. e where users will be searched;
      If you want to add criteria to
      3. the search in the user base, enter the fieldUse list filter;Optionally, enter data for importing roles from the LDAP server, which allows obtaining LDAP groups:inform theBase address for paper search on the LDAP server;inform thePaper search filter, applied to the base address for searching papers; Enter the attributes with the name and description of the role and user roles.

   click inCheck connection to test the settings and inSync now for synchronizing users with the server.

   

   SAML authenticationPlatform integration with an ADFS/SAML login. To use this type of authentication, firstly, only on-premises clients must configure the WSO2 API Manager:

   1. Access the WSO2 Tenant stor
   2. e via the URL in the format https://<domain>:<port>/store/?tenant=<tenantdomain>;
   3. Log in with the tenant administ
   4. rator user;Access the My Applications option;In the defined application, configure the property valueCallback URL with https://<domain>/auth/LoginWithCodeServlet.

   1. Then, in the tenant configuration, fill in the fields in SAML Settings:InSAML request redirect URL enter the same property valueCallback URL previously configured. This URL is for internal use by the platform and, therefore, must be provided: https://platform.senior.com.br/auth/LoginWithCodeSer
   2. vlet.;InIdentity Provider Entity Id Enter a name to identify the entity configured for the Identity Provider. Use a name that refers to the company name;
   3. At theService Provider Entity Id Enter a name to identify the entity configured for the Service Provider. Use a name that refers to the name of the serv
   4. ice;InURL to login Enter the SAML URL and the user will be redirected to login. Use the client's ADFS server login URL;
   5. InURL to log out Enter the SAML URL that the user will be redirected to when logging out. Use the client's SAML server logout URL. When setting theURL to log out, when you log out of the platform, it will also be logged out of SAML/ADFS automatically. If you wish this process not to be carried out, keep this field blank.

   1. Configure certifica
   2. te
   3. Sign authentication requests: With this option checked, the request will be signed with the identity provider's private key (SAML);

   Sign assertions: The SAML authentication response will be signed and validated, preventing it from being modified;Identity provider public certificate (PEM format): Enter the public certificate that will be responsible for signing the identity provider's responses.

   Observation We recommend that the certificate is configured to sign the XML of theSAMLResponse, this functionality improves the level of security in user authentication.

   1. Now make user data SAML:
   In
   2. Claim that defines the user's username

   enter the URL of the username claim returned by SAML, even if configured on the ADFS server

   ;

   • In Claim that defines the user's e
   mail
   • It is Claim that defines the user name
   enter email and full name, respectively, returned by SAML, even configured on the ADFS server
   ;
   Exa
   mple:
   Identity Provider Entity I
   • d: http://adfs.empresa.com.br/adfs/services/tru
   • st
   Service Provider Entity Id

   seniorX

   URL to login: https://adfs.cliente.com.br/adfs/lsURL to log out: https://adfs.cliente.com.br/adfs/ls/?wa=wsignout1.0Claim that defines the user's username: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifierClaim that defines the user's email : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressClaim that defines the user name : http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennameRole that will be defined for new users: Determine the default role that will be applied to the user who accesses the platform for the first time.

In all types of authentication, it is not possible to use the characters "/" and "@" in user information.

Defining the formatToken generation must be configured to:

• "Reuse the same token for multiple user sessions": allows that when using the same user in sessions on different machines, all sessions are synchronized, allowing, for example, when logging off on one of the machines, all other sessions are also closed.
• "Generate a different token for each user session": means that, when using the same login to authenticate on different machines, each session is independent.

Access Token Lifecycle (Authentication)

Access token lifecycle
GENERATION	VALIDITY	RENOVATION	REVOCATION
The access token is generated when a user authenticates on the senior X Platform, either through the platform's own login screen or through theintegration via API.	The access token is valid forseven days counted from the moment authentication is carried out. The token expires after seven days regardless of whether it is used or not.	The access token can be renewed atup to 15 days after his generation. When an access token is renewed, a new one is generated with a default validity of seven days. Renewal is done automatically by senior X Platform itself, but it can also be caused byintegration via API.	The access token is revoked when a user logs out of the session, either through the platform menu or through theintegration via API.

Configure the IPs that will have access to the environment and, thus, restrict access to the platform to a specific range of IPs, preventing access from a home or location outside the country.

Users who have the configurationExternal Access to the System enabled on paper, do not apply to this restriction.

1. Access Technology > Administration > Tenant Management > Configure;
2. Select the created tenant;
3. In Settings, on the Access Source tab, select the check boxEnable access source control to restrict IP ranges;
4. Set valid IP ranges. Mandatory fieldHome;
5. click in+ to add different IP ranges.

Password policy characteristics are defined and applied to all users in the tenant. They have basic settings for minimum and maximum password length and character combinations.

For password reset, configure the communication method when performing a password reset. So that the user is taken to a personalized screen after "Forgot your password? Click here", inform thePassword reset screen URL.

This reset should be used when there is no longer access to the current password, such as if you forget it.

Google Recaptcha

Create and configure a Google Recaptcha for the senior X Platform:

1. Log in with a Google account and access the Recaptcha creation URL;
2. Complete the form to register a new website:
   • Tag
   • : any value (ex: seniorx.recaptcha);reCAPTCHA type: reCAPTCHA v2 > "I'm not a robot" checkbox. If the type of recaptcha is not this, there is a risk that it will not work corr
   • ectly;Domains: add the domain(s) on which recaptcha will be allowed (ex: senior.com.br). It is necessary to add the domain to the password recovery screen, otherwise the recaptcha will not work;
   • Own
   • ers: Google account;Select t
   he optionAccept the reCAPTCHA Terms of Service and clickTo send.

3. Write down the site key and secret key that will be displayed on the screen;
4. click inAccess Settings to open the Recaptcha configuration form again;
5. In the optionSecurity Preference, change it to be as secure as possible.

Registering Google Recaptcha on the platform

To register Google Recaptcha on the platform, log in to the senior X Platform with an administrator user. Go to Technology > Administration > Tenant Management > Configure, and on the tabPassword Policy, select the optionEnable Google Recaptcha customization. Add the site key and secret that you noted down, and clickTo save. To load the tenant customizations, insert the parameter &tenant=tenant_domain in the URL and it will be working.