Master settings
Cloud
To configure a master setting, you must contact our support team by submitting a request through the form available on the Omada Service Desk.
The following lists give an overview of the available master settings:
Authentication
Interface Name | Key | Description |
---|---|---|
Identity username property system names | IdentUserNameProps | The master setting can be populated with system names of Identity properties which can be used as user names when logging on to the ES. The list is comma-separated. For CIAM the value can be LIVEID, GOOGLEID, FACEBOOKID, LINKEDINID. |
OpenID Claim Types | OpenIDClaimTypes | Comma-separated list of claim types to search for in a JWT token to derive the username. The first one with a value will be returned. For Microsoft Entra ID v1, it should be upn for users from the directory and email for liveid users. For Google, it should be email. For a general-purpose authorization system, it can be sub or given_name. For Microsoft Entra ID v2.0 tokens it should be azp. It can also be preferred_username. |
Qualified username | QualifiedUserName | When set to False (default), the username used in authentication is the account without the domain prefix (DOM\cso) or email domain postfix (cso@dom.com). When set to True, the username is the username as presented by the authentication system, for example, DOM\cso or cso@dom.com. |
Qualified username legacy | QualifiedUsernameLegacy | When enabled, usernames presented as an email address (e.g., cso@dom.com) during authentication are transformed to the legacy format, e.g., dom\cso. This setting only takes effect when the QualifiedUserName setting is set to False. |
SAML name ID policy format | SAMLNameIDPolicyFormat | The NameID format in the SAML request. For AzureAD it should be urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. For ForgeRock, it should be urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. For PingFederate and Okta, it can be one or the other. |
SAML request ID cookie name | SAMLRequestIdCookieName | The name of the SAML request id cookie. |
Session cookie name | SessionCookieName | The name of the session cookie. |
Use secure session cookies | SecureSessionCookie | Disabling secure session cookies compromises security and must only be done on non-production environments. This setting is set to True by default. Together with IIS correctly configured to use HTTPS, it allows Omada Identity cookies to have the Secure flag. |
Customer name on-prem | CustomerLogon | The customer’s name. If specified, this customer name is always used during login. On non-integrated authentication schemes in the application, the user should provide this as the Domain name, for example, Omada\Administrator. |
Domain logon name on-prem | DomainNameLogon | The domain name login. Use the domain as the customer during login. This property must only be set to True when you use Windows Authentication to identify the instance of Enterprise Server. For all other scenarios, it must be set to False. |
Host header logon on-prem | HostHeaderLogon | Host header logon. Use the host header of the request as the customer. You must only set this setting to True when you are using the host header to identify the instance of Enterprise Server. For all other scenarios, it must be set to False. If you are logging in anonymously, it should be set to False as a default. You must also configure the host header on the IIS and DNS servers. |
OpenID nonce cookie name on-prem | OpenIDNonceCookieName | The name of the OpenID nonce cookie. |
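As an added example (not Omada's own code), the following Python shows how the OpenIDClaimTypes, QualifiedUserName and QualifiedUsernameLegacy settings interact when a username is derived from a JWT: the first configured claim with a non-empty value wins, and the qualification rules are then applied. The token is constructed and unsigned; the assumption is that signature validation already happened upstream, and the legacy transform taking the first DNS label of the mail domain (cso@dom.com to dom\cso) is inferred from the table's example.

```python
import base64
import json

# Constructed setting values for the example (not defaults of the product).
OPENID_CLAIM_TYPES = "upn,email,preferred_username"
QUALIFIED_USERNAME = False
QUALIFIED_USERNAME_LEGACY = True


def jwt_payload(token):
    """Decode the payload segment of a compact JWT (header.payload.signature).

    Assumption: the signature was validated by the authentication middleware
    before this point; this helper only reads claims, it does not verify.
    """
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWT")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claim_username(claims, claim_types=OPENID_CLAIM_TYPES):
    """Return the value of the first configured claim type that has a value."""
    for claim_type in (c.strip() for c in claim_types.split(",")):
        value = claims.get(claim_type)
        if value:  # a present-but-empty claim does not count as having a value
            return str(value)
    return None


def apply_qualification(username, qualified=QUALIFIED_USERNAME,
                        legacy=QUALIFIED_USERNAME_LEGACY):
    """Apply the QualifiedUserName / QualifiedUsernameLegacy rules."""
    if qualified:
        return username  # keep DOM\cso or cso@dom.com exactly as presented
    if legacy and "@" in username:
        # Legacy format only applies when QualifiedUserName is False.
        local, _, domain = username.partition("@")
        return domain.split(".")[0] + "\\" + local  # cso@dom.com -> dom\cso
    if "\\" in username:
        return username.split("\\", 1)[1]  # DOM\cso -> cso
    return username.split("@", 1)[0]  # cso@dom.com -> cso


def build_token(claims):
    """Constructed, unsigned sample token for offline use only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return enc({"alg": "none"}) + "." + enc(claims) + "."
```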
Environment
Interface Name | Key | Description |
---|---|---|
Enable SignalR SQL Scale out option | EnableSignalRSqlScaleOut | The SignalR component uses the SQL database for scaling out. |
Enable SignalR ServiceBus Scale out option | EnableSignalRServiceBusScaleOut | The SignalR component uses the Azure ServiceBus for scaling out. |
Event Hub Connection String | EventHubConnectionString | Connection string to Azure Event Hub, including name of the Event Hub |
Is the environment an OIS SaaS environment | IsOISaaS | Is true if the environment is a SaaS environment. |
SignalR Azure ServiceBus Connection String | SignalRServiceBusConnectionString | Connection string to the Azure ServiceBus used by the SignalR scale-out option. |
If you want to use the SignalR ServiceBus scale-out option with Azure Managed Identity authentication, you must use the SignalRServiceBusConnectionString master setting with a connection string of the following form:
Endpoint=sb://<servicebusname>.servicebus.windows.net/;Authentication=Managed Identity;Audience=https://servicebus.azure.net
For more information on authentication and authorization of an application with Microsoft Entra ID, refer to the Microsoft Azure documentation.
Misc
Interface Name | Key | Description |
---|---|---|
Default portal page | RedirectURL | Can optionally be configured with a URL to an index page which will replace the main.aspx page. |
Enable anonymous approval of mobile access requests | AnonMobileReqApprv | Allow users to access the portal anonymously with a token sent by mails, when approving requests for access. |
Monitoring
Interface Name | Key | Description |
---|---|---|
Enable Application Insights | AppInsightsEnabled | Controls whether Application Insights is enabled. |
Start performance counters | StartPerfCounters | When set to False, the OIS performance counters are not initialized. This can improve the startup time of the OIS Windows services. |
Passwords
Interface Name | Key | Description |
---|---|---|
Max logon attempts | MaxLogonAttempts | Maximum number of failed logon attempts using the ES password before the user is inactivated. |
Max password age | MaxPasswordAge | Maximum number of days between an ES authentication password change. |
Password age warning | PasswordAgeWarning | Number of days before password expiry at which a warning is shown on the logon page. |
Password reset
Interface Name | Key | Description |
---|---|---|
AD client | PWRADCLIENT | Enables user password verification via an AD client identified by the PWRADSYSTEMID customer setting. Exactly one password verification and one password reset client is required. |
Azure AD client | PWRAZUREADCLIENT | Enables user password verification via a Microsoft Entra ID client identified by the PWRAZURESYSTEMID customer setting. Exactly one password verification and one password reset client is required. |
Basic client | PWRBASICCLIENT | Enables user password reset and verification via Basic Client (local ES database). Exactly one password verification and one password reset client is required. |
MIM client on-prem | PWRFIMCLIENT | Deprecated starting from the 15.0.3 on-prem release. Enables user password reset via a MIM client identified by the PWRFIMMAUID customer setting. Exactly one password verification and one password reset client is required. |
LDAP client | PWRLDAPCLIENT | Enables user password verification via LDAP client identified by the PWRLDAPSYSTEMID customer setting. Exactly one password verification and one password reset client is required. |
OPS client | PWROPSCLIENT | Enables user password reset via the Omada Provisioning Service. Exactly one password verification and one password reset client is required. |
Security
Interface Name | Key | Description |
---|---|---|
Enables verification of the request source origin | VerifyRequestOrigin | Enables or disables the verification of the request source origin to prevent Cross-Site Request Forgery. |
System
Interface Name | Key | Description |
---|---|---|
Application version | AppVer | The major/minor version of the application. You should never modify this setting. The exact build version, for example, 14.0.0.42 is not shown here, but you can find the build version on the About page in Omada Identity. |
Database patch version | DbVer | The database patch version. You should never modify this setting. The version is updated for every SQL script change. |
DB locking scheme | LockMode | When the value is set to 1, access to the main object tables is serialized using a table lock. Under normal circumstances, Omada does not recommend enabling this lock mode. Possible values are: 0=Normal, 1=Serialized. |
Code methods on-prem
Interface name | Key | Description |
---|---|---|
Temporary Directory | TempDir | Add a temporary directory required by the UtilityCodeAssembly.Main.SaveDataObjCSV() and SaveDataObjCSVExtended() Code Methods (see note below). |
The TempDir master setting is not installed by default, and can be added with the following SQL statement:

```sql
-- Adds the TempDir master setting; adjust the ValueStr path to your environment.
INSERT INTO [tblMasterSetting]
    ([Key], [Name], [Description], [ValueStr], [ValueInt], [ValueDateTime], [ValueBool], [Type])
VALUES
    ('TempDir', 'Temporary Directory', '', 'C:\OmadaEnt_Temp', NULL, NULL, NULL, 0)
```
Form and List Action view
The Forms and List Actions view lets you configure actions. Here is what you can define:
- Action name and description
- Choose where the action button displays: List, Details Form, or both
- Decide on the action button location: Toolbar or Context Menu
- Set the order in which actions are executed
- Pick an action icon
- Action active flag
- Specify object types for which the action is available or not available
- Determine views where the action is available or not available
- Define the permissions on the data object that a user needs in order to trigger the action
- Identify the user groups authorized to trigger the action
You can't attach a script that changes actions' behaviors or impacts users' permissions to a given action.