Indicium configuration
Configuration template (Indicium)
Please remove the parts you don't need before using this template.
You can validate the correctness of your JSON configuration through this website: https://jsonlint.com/.
{
"Logging": {
"pathFormat": "YourOwnName-{Date}.txt",
"IncludeScopes": false,
"ErrorLog": {
"LogLevel": {
"Default": "Information",
"System": "Information",
"Microsoft": "Debug",
"Indicium": "Warning"
}
}
},
"MetaSourceConnection": {
"Server": "[server]",
"Database": "[iam_database]",
"PoolUserName": "[username]",
"PoolPassword": "[password]"
},
"HideMetaDataDocument": true,
"LoginOptions": {
"AllowLocalAccounts": true,
"AllowPasswordForget": true,
"AllowStaySignedIn": true,
"ApplicationRedirectURL": "<your value>"
},
"SMS": {
"Username": "[Account SID]",
"Password": "[Authorization Token]",
"FromPhoneNumber": "[Provider Phone Number]",
"DefaultTwoFactorTokenTemplate": "Your validation code is {twoFactorToken}.",
"TwoFactorTokenTemplates": {
"NL": "Uw validatiecode is {twoFactorToken}",
"ENG": "Your validation code is {twoFactorToken}."
}
},
"Agent": {
"Enabled": true
},
"Licensing": {
"ScheduleUpdate": true
},
"AllowedOrigins": [
"https://www.mydomain.com",
"https://www.otherdomain.com"
],
"ReverseProxy": {
"Enabled": true,
"TracingEnabled": true,
"AllowedHeaders": [
"XForwardedHost",
"XForwardedProto",
"XForwardedFor",
"All"
],
"CustomHeaders": {
"XForwardedHost": "CUSTOM-FORWARDED-HOST",
"XForwardedProto": "CUSTOM-FORWARDED-PROTO",
"XForwardedFor": "CUSTOM-FORWARDED-FOR"
},
"AllowedHosts": [
"www.example.com",
"*.example.com"
],
"KnownProxies": [
"10.60.0.185"
],
"KnownNetworks": [
"10.60.0.0/16"
],
"ExternalPathBase": "/"
},
"Applications": {
"Preload": [
"itst",
"23",
"does-not-exist"
],
"RemoveUnusedModelAfterHours": 72
},
"FileCache": {
"ClearLocalCacheOnStartup": true
}
}
Configuration template (Indicium Basic)
In accordance with our Lifecycle Policy, Indicium Basic has been declared End of Life as of Thinkwise Platform version 2023.2.
Please remove the parts you don't need before using this template.
You can validate the correctness of your JSON configuration through this website: https://jsonlint.com.
{
"Logging": {
"IncludeScopes": false,
"LogLevel": {
"Default": "Information",
"System": "Information",
"Microsoft": "Warning",
"Indicium": "Debug"
}
},
"MetaSourceConnection": {
"Server": "[server]",
"Database": "[iam_database]",
"PoolUserName": "[username]",
"PoolPassword": "[password]"
},
"Email": {
"SmtpServer": "[SMTP server address]",
"SmtpPort": 587,
"UseSSL": true,
"SmtpUsername": "[SMTP account username]",
"SmtpPassword": "[SMTP account password]",
"PasswordResetTemplate": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Uw wachtwoordherstelcode",
"Body": "Uw wachtwoordherstelcode is: <b>{resetToken}</b>"
},
"TwoFactorTokenTemplate": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Uw inlogcode",
"Body": "Uw validatiecode om in te loggen is: <b>{twoFactorToken}</b>"
}
},
"SMS": {
"Username": "[Account SID]",
"Password": "[Authorization Token]",
"FromPhoneNumber": "[Provider Phone Number]",
"TwoFactorTokenTemplate": "Uw validatiecode is {twoFactorToken}"
},
"AllowedOrigins": [
"https://www.mydomain.com",
"https://www.otherdomain.com"
]
}
Hide $metadata and OpenAPI specification
You can hide the /$metadata and /openapi endpoints to limit the amount of information exposed by Indicium. Through these endpoints, all available entities for your application and all available operations for every entity can be retrieved, including the (optional) parameters.
Add the following property to the appsettings.json file:
{
"HideMetaDataDocument": true
}
Azure AD authentication (Indicium Basic)
Since Indicium Basic doesn't have a login page, OpenID is not available. However, there is a solution for Azure AD authentication via an Azure SQL Database.
Azure SQL Database allows you to "create contained users mapped to Azure AD identities". In turn, Indicium Basic allows users to sign in with these contained users.
In IAM, the Authentication type for the corresponding user has to be 'External' (menu Authorization > Users > tab Form > tab User). This is the same as how a user is configured for Azure AD authentication via OpenID.
Email configuration on Azure
Sending emails from Azure requires some additional configuration. Azure blocks outbound email messages sent from any service in Azure that doesn't use an authenticated SMTP relay service, to protect Azure data center IP addresses from reputation abuse.
The most common SMTP relay service that is integrated with Microsoft Azure is SendGrid, which is free for up to 25,000 emails per month. The SendGrid SMTP API allows you to send emails using the Thinkwise SMTP connector, but you could also use their Web API with the Thinkwise HTTP connector.
Instructions on how to set up SendGrid in Azure and send emails using SMTP can be found here and here. Please consult the SendGrid documentation for more information.
Amazon SNS support
Amazon Simple Notification Service (Amazon SNS) can be used to call Indicium's standard APIs (for example, tasks, tables, etc.).
The Amazon SNS requests use the application/json Content-Type, which makes them compatible with the Indicium APIs.
Amazon SNS authentication
Indicium supports authentication by Amazon SNS. This service can then send notifications to Indicium.
To use Amazon SNS for sending notifications, subscribe to Amazon SNS topics on one or more HTTPS endpoints. To confirm your subscription, navigate to the SubscribeURL, either with the HTTP Connector or manually from the browser.
The endpoint can, for example, be an Indicium Process Flow API endpoint. This way, you can create custom logic to handle the message. Please consult the Amazon documentation for full details on how to subscribe.
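Custom logic for the confirmation step could check the message before anyone navigates to the SubscribeURL. The following is an added example, not Thinkwise or Amazon code: it accepts only a SubscriptionConfirmation for the topic you expect, whose SubscribeURL is an HTTPS Amazon SNS endpoint in the topic's region. The function name, the sample message and the host pattern (standard regional endpoints) are assumptions made for the example.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Regional Amazon SNS endpoint, e.g. sns.eu-west-1.amazonaws.com (.cn for China regions).
# Assumption of this example: only the standard regional endpoints are accepted.
SNS_HOST = re.compile(r"^sns\.([a-z0-9-]+)\.amazonaws\.com(?:\.cn)?$")


def subscribe_url_to_confirm(body, expected_topic_arn):
    """Return the SubscribeURL to visit, or raise ValueError if a check fails."""
    msg = json.loads(body)  # malformed JSON raises a ValueError subclass
    if not isinstance(msg, dict) or msg.get("Type") != "SubscriptionConfirmation":
        raise ValueError("not a SubscriptionConfirmation message")
    if msg.get("TopicArn") != expected_topic_arn:
        raise ValueError("confirmation is for a topic we did not subscribe to")
    raw_url = str(msg.get("SubscribeURL", ""))
    url = urlsplit(raw_url)
    host = SNS_HOST.match(url.hostname or "")
    if url.scheme != "https" or host is None:
        raise ValueError("SubscribeURL is not an HTTPS Amazon SNS endpoint")
    # arn:aws:sns:<region>:<account>:<topic> -> the endpoint must be in that region
    if host.group(1) != expected_topic_arn.split(":")[3]:
        raise ValueError("SubscribeURL region differs from the topic's region")
    query = parse_qs(url.query)
    if query.get("Action") != ["ConfirmSubscription"]:
        raise ValueError("SubscribeURL does not confirm a subscription")
    if query.get("TopicArn") != [expected_topic_arn]:
        raise ValueError("SubscribeURL confirms a different topic")
    return raw_url


# Constructed sample message: account id, topic name and token are made up.
TOPIC = "arn:aws:sns:eu-west-1:123456789012:indicium-events"
SAMPLE = json.dumps({
    "Type": "SubscriptionConfirmation",
    "TopicArn": TOPIC,
    "Token": "constructed-token",
    "SubscribeURL": "https://sns.eu-west-1.amazonaws.com/?Action=ConfirmSubscription"
                    f"&TopicArn={TOPIC}&Token=constructed-token",
})

if __name__ == "__main__":
    print(subscribe_url_to_confirm(SAMPLE, TOPIC))
```

This check does not verify the message signature; the Amazon documentation describes that step.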
Two-factor authentication (2FA)
Indicium supports different kinds of two-factor authentication:
- TOTP
- SMS
The type of two-factor authentication you need can be configured per user in the Intelligent Application Manager.
TOTP two-factor authentication does not require any additional configuration in Indicium.
For Email and SMS two-factor authentication, it is required to configure the email and SMS settings in the appsettings.json file.
Email 2FA
Deprecated as of Thinkwise Platform version 2023.2. For Indicium, these settings are now available in IAM. See: Email settings.
To enable Email two-factor authentication, add the following template to the appsettings.json file and fill it out.
{
"Email": {
"SmtpServer": "[SMTP server address]",
"SmtpPort": 587,
"UseSSL": true,
"SmtpUsername": "[SMTP account username]",
"SmtpPassword": "[SMTP account password]",
"DefaultTwoFactorTokenTemplate": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Your login code",
"Body": "Your login validation code is: <b>{twoFactorToken}</b>"
},
"TwoFactorTokenTemplates": {
"NL": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Uw inlogcode",
"Body": "Uw validatiecode om in te loggen is: <b>{twoFactorToken}</b>"
},
"ENG": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Your login code",
"Body": "Your login validation code is: <b>{twoFactorToken}</b>"
}
}
}
}
You can automate two-factor authentication through email links using the query string parameter twoFactorToken.
If you use this, the user can simply click on a hyperlink in the email to finish logging in.
The hyperlink has the following format: <indicium_base_url>/account/ui/twoFactor?twoFactorToken={twoFactorToken}.
You can configure this hyperlink in the Email template, in the Body parameter of the TwoFactorTokenTemplates.
Example
"Body": "Click on the link below to log in:<br /><indicium_base_url>/account/ui/twoFactor?twoFactorToken={twoFactorToken}"
Make sure to replace <indicium_base_url> with your Indicium base URL.
Email 2FA (Indicium Basic)
In accordance with our Lifecycle Policy, Indicium Basic has been declared End of Life as of Thinkwise Platform version 2023.2.
To enable Email two-factor authentication, add the following template to the appsettings.json file and fill it out.
{
"Email": {
"SmtpServer": "[SMTP server address]",
"SmtpPort": 587,
"UseSSL": true,
"SmtpUsername": "[SMTP account username]",
"SmtpPassword": "[SMTP account password]",
"TwoFactorTokenTemplate": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Uw inlogcode",
"Body": "Uw validatiecode om in te loggen is: <b>{twoFactorToken}</b>"
}
}
}
SMS 2FA
SMS authentication is especially useful for users with old mobile devices and no internet.
To enable SMS two-factor authentication, add the following template to the appsettings.json file and fill it out.
{
"SMS": {
"Username": "[Account SID]",
"Password": "[Authorization Token]",
"FromPhoneNumber": "[Provider Phone Number]",
"DefaultTwoFactorTokenTemplate": "Your validation code is {twoFactorToken}.",
"TwoFactorTokenTemplates": {
"NL": "Uw validatiecode is {twoFactorToken}",
"ENG": "Your validation code is {twoFactorToken}."
}
}
}
Currently, Twilio is the only supported SMS provider.
SMS 2FA (Indicium Basic)
SMS authentication is especially useful for users with old mobile devices and no internet.
To enable SMS two-factor authentication, add the following template to the appsettings.json file and fill it out.
{
"SMS": {
"Username": "[Account SID]",
"Password": "[Authorization Token]",
"FromPhoneNumber": "[Provider Phone Number]",
"TwoFactorTokenTemplate": "Uw validatiecode is {twoFactorToken}"
}
}
Currently, Twilio is the only supported SMS provider.
Title for authentication pages
The title for Indicium's authentication pages is set in IAM: menu Settings > Global settings > field Title.
If no title property is entered in IAM, the title 'Thinkwise Identity Provider' will be used.
Login screen
Enable setting, changing, and resetting passwords
Deprecated as of Thinkwise Platform version 2023.2. For Indicium, these settings are now available in IAM. See: Email settings.
Indicium supports changing and resetting passwords for users with IAM authentication. Even if a user has not set a password yet, they can set it via email using the 'Forgot your password' link on the login page.
Password expiration is not enforced. This prevents the use of predictable passwords, since it is possible to re-use a more complex and safer password.
To change or reset a password, Indicium needs to be able to send emails to users. This requires some additional configuration.
See also Disable 'Forgot your password?' link on login page.
Make sure the users' email addresses are configured in IAM.
Add the following template to the appsettings.json file and fill it out.
{
"Email": {
"SmtpServer": "[SMTP server address]",
"SmtpPort": 587,
"UseSSL": true,
"SmtpUsername": "[SMTP account username]",
"SmtpPassword": "[SMTP account password]",
"DefaultPasswordResetTemplate": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Your password reset code",
"Body": "Your password reset code is: <b>{resetToken}</b>"
},
"PasswordResetTemplates": {
"NL": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Uw wachtwoordherstelcode",
"Body": "Uw wachtwoordherstelcode is: <b>{resetToken}</b>"
},
"ENG": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Your password reset code",
"Body": "The code to reset your password is: <b>{resetToken}</b>"
}
}
}
}
You can automate resetting a password through a hyperlink by using the query string parameters username and resetToken.
If you use this, the user can simply click on a hyperlink in the email to reset their password.
The hyperlink has the following format: <indicium_base_url>/account/ui/resetPassword?username={username}&resetToken={resetToken}.
You can configure this format in the Email template, in the Body parameter of the PasswordResetTemplates.
Example
"Body": "Click on the link below to reset your password: <br /><indicium_base_url>/account/ui/resetPassword?username={username}&resetToken={resetToken}"
Replace <indicium_base_url> with your Indicium base URL.
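A pre-deployment check for the settings described so far, as an added example that is not part of the Thinkwise documentation or product. It parses an appsettings.json (tolerating the // comments used in some snippets on this page), then reports placeholders that were never filled in, a HideMetaDataDocument that is not true, and token templates or reset links that lack {twoFactorToken}, {resetToken} or {username}. The function names and the sample values are assumptions made for the example.

```python
import json
import re

# Placeholder styles used by the templates on this page.
PLACEHOLDER = re.compile(r"^\[[^\]]+\]$|<your value>|<indicium_base_url>")
NOT_A_BODY = ("FromEmail", "FromDisplay", "Title")
# A JSON string or a // comment; matching strings first keeps "https://..." intact.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')

def strip_comments(text):
    """Drop // comments that sit outside JSON strings."""
    return TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def leaves(node, path=""):
    """Yield (key path, value) per leaf, e.g. 'SMS:TwoFactorTokenTemplates:NL'."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaves(value, f"{path}:{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from leaves(value, f"{path}:{index}")
    else:
        yield path, node

def audit(text):
    """Return a list of findings for one appsettings.json document."""
    try:
        config = json.loads(strip_comments(text))
    except json.JSONDecodeError as err:
        return [f"invalid JSON: {err.msg} (line {err.lineno})"]
    if not isinstance(config, dict):
        return ["invalid configuration: top level must be an object"]
    findings = []
    if config.get("HideMetaDataDocument") is not True:
        findings.append("HideMetaDataDocument: not true, /$metadata and /openapi stay visible")
    for path, value in leaves(config):
        if not isinstance(value, str):
            continue
        if PLACEHOLDER.search(value):
            findings.append(f"{path}: placeholder not filled in")
        if path.endswith(NOT_A_BODY):
            continue  # only bodies and SMS templates carry tokens
        if "TwoFactorTokenTemplate" in path and "{twoFactorToken}" not in value:
            findings.append(f"{path}: missing {{twoFactorToken}}")
        if "PasswordResetTemplate" in path and "{resetToken}" not in value:
            findings.append(f"{path}: missing {{resetToken}}")
        if "/account/ui/resetPassword" in value and "{username}" not in value:
            findings.append(f"{path}: reset link lacks {{username}}")
    return findings

# Constructed sample: host names and values are made up for this example.
SAMPLE = r"""
{
  // comments like this appear in some snippets on this page
  "MetaSourceConnection": {"Server": "db01", "PoolPassword": "[password]"},
  "LoginOptions": {"ApplicationRedirectURL": "https://app.example.com/"},
  "SMS": {"TwoFactorTokenTemplates": {
    "NL": "Uw validatiecode is {twoFactorToken}",
    "ENG": "Your validation code is ready."}},
  "Email": {"PasswordResetTemplates": {"ENG": {
    "Title": "Your password reset code",
    "Body": "<br />https://indicium.example.com/account/ui/resetPassword?resetToken={resetToken}"}}}
}
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```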
Enable changing and resetting passwords (Indicium Basic)
In accordance with our Lifecycle Policy, Indicium Basic has been declared End of Life as of Thinkwise Platform version 2023.2.
Indicium Basic supports changing and resetting passwords for users with IAM authentication.
Password expiration is not enforced. This prevents the use of predictable passwords, since it is possible to re-use a more complex and safer password.
To change or reset a password, Indicium needs to be able to send emails to users. This requires some additional configuration.
To enable the reset password feature, add the following template to the appsettings.json file and fill it out.
See also Disable 'Forgot your password?' link on login page.
{
"Email": {
"SmtpServer": "[SMTP server address]",
"SmtpPort": 587,
"UseSSL": true,
"SmtpUsername": "[SMTP account username]",
"SmtpPassword": "[SMTP account password]",
"PasswordResetTemplate": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Reset password",
"Body": "The code to reset your password is: <b>{resetToken}</b>"
}
}
}
Make sure the users' email addresses are configured in IAM.
Disable 'Forgot your password?' link on login page
You can disable the 'Forgot your password?' link on the Indicium login page by adding the following JSON property to the appsettings.json file.
"LoginOptions": {
"AllowPasswordForget": false
}
When the AllowPasswordForget property is set to false, the 'Forgot your password?' link is disabled. Also, the 'Forgot your password?' page or API can no longer be used.
Remove 'Stay signed in' option from login page
You can remove the 'Stay signed in' option from the Indicium login page by adding the following JSON property to the appsettings.json file.
"LoginOptions": {
"AllowStaySignedIn": false
}
When the AllowStaySignedIn property (default: true) is set to false, the 'Stay signed in' option is removed.
It will also remove the 'Remember my choice' option if multiple login options are available, for example, when OpenID providers are configured.
Return from the login screen to the application
You can set the value of the redirect button Return to the application in the file appsettings.json:
"LoginOptions":
{
"ApplicationRedirectURL": "<your value>"
}
Enable Cross-Origin Resource Sharing (CORS)
By default, a website only allows requests that come from the same origin (domain). If you host a website yourself and you want to allow requests from another origin, you can use Cross-Origin Resource Sharing.
This concept also applies to the Indicium Application Tier. To enable cross-origin requests, add the allowed origin(s) to the appsettings.json file:
{
"AllowedOrigins": [
"https://www.mydomain.com",
"https://www.otherdomain.com"
]
}
This is only available when Indicium runs in Development mode.
Global redirects for CORS requests in IAM
If CORS is enabled, and if Indicium is running on a different domain than the Universal GUI, you need to allow the client to redirect back to the domain where the Universal GUI is located. To whitelist global return URLs in IAM, see Client redirect in the IAM manual.
Preload application models during startup
To reduce the response times for users who are the first to access applications after a cold start or restart, you can specify application models that Indicium must try to preload from IAM during startup.
Keep in mind that:
- For applications containing system flows, this feature has little to no effect. The reason is that Indicium already implicitly loads applications containing system flows during startup, as it needs to know the model before it can execute the scheduled flows.
- Due to the way that Indicium handles loading models from Software Factory sources, this feature only works for models synced to IAM.
- If a new version of a preloaded model/application is synced to IAM, Indicium will not automatically preload the new version.
Example
Preloading application models can be configured in the appsettings.json configuration file under the Applications:Preload configuration key.
Specify either the ID or the alias of the applications that need to be preloaded.
Indicium will try to load these models for the specified applications during startup.
{
"Applications": {
"Preload": [
"itst",
"23",
"does-not-exist"
]
}
}
This process is also logged to the default Indicium log:
Example log file: preloading models and one fail
Periodic removal of idle application models from memory
Indicium can periodically remove idle application models from memory. An application model is considered idle when:
- It has not received any API calls during the specified time.
- There has been no active system flow during the specified time.
- It has not been marked as a preloaded application model.
In the appsettings.json configuration file, the RemoveUnusedModelAfterHours configuration option specifies the period of time in hours after which the model is removed.
Please note that "Applications" is the same configuration section as the "Applications" section mentioned in preloaded application model.
"Applications": {
"RemoveUnusedModelAfterHours": 72
}
The default (and recommended) value of this setting is 72 hours.
This may feel like a long time to keep idle application models in memory, but the goal is not to clear the memory as quickly and often as possible.
After all, it is a cache that serves an important purpose.
The performance-memory trade-off needs to be considered because once an application model is removed from memory and requested again through an API call,
it needs to be loaded from the database, which will be a performance hit on that API call.
The main goal of this feature is to ensure that Indicium instances that are rarely restarted, for example, because they are in use 24/7, don't gradually use more and more memory for 'dead' application models that have not been used for weeks. We recommend lowering this value only if all of the points below are true:
- Indicium is restarted rarely.
- Many applications are each used only briefly within a short period.
- Indicium's memory usage is noticeably growing to several gigabytes within the 72 hours.
Log
Change logfile name
It is possible to edit the log file name and the path. This can be useful if you are running multiple instances of Indicium next to each other or if you do not like the current name.
To change a log file name, add the pathFormat to the Logging segment in Indicium's appsettings.json:
{
"Logging": {
"pathFormat": "YourOwnName-{Date}.txt"
}
}
- Replace the content of FileName with a name of your own choosing (YourOwnName).
- If no {Date} is specified, Indicium will add it.
- If file extension .txt is not specified, Indicium will add it.
Edit minimum log level
It is possible to edit the minimum log level. The default log level is 'Error'. This can be useful if you need more information.
The log level of other logging namespaces can be overridden by adding a key and value to the Logging:ErrorLog:LogLevel section. Some keys cannot be modified and will always be set to level 'Information'.
{
"Logging": {
"ErrorLog": {
"LogLevel": {
// Log Information level messages to the error log.
"Default": "Information",
// Log Debug level messages if the namespace of the logger starts with 'Microsoft'.
"Microsoft": "Debug"
}
}
}
}
Disable background operations
It is possible to disable all background operations managed by Indicium and IAM. At the moment, the only example of such a background operation is the scheduling of system flows.
The default value for background operations is true. To disable the background operations, set 'Agent:Enabled' to 'false' in the appsettings.json:
{
"Agent": {
// Skip registering this Indicium instance as an agent on IAM.
// Also disables adding all agent related services such as the scheduled system flow runner.
"Enabled": false
}
}
Disable scheduled license update checks
Indicium performs a license check on startup and obtains, if necessary, an updated license. This check recurs periodically to keep the license valid. See Automatic license renewal.
To make Indicium perform this check only on startup, set Licensing:ScheduleUpdate to false in the appsettings.json.
{
"Licensing": {
// Only check and update (if necessary) the current license once on startup
// and skip scheduling further checks from being run in the background.
"ScheduleUpdate": false
}
}
File cache
ClearLocalCacheOnStartup
- Optional. If not set or true, the local cache is cleared on startup.
Set it to false if multiple instances of Indicium share the same cache folder, for example, when running multiple app service instances.
This prevents one instance from clearing the cache while another one tries to access files in the cache.
"FileCache": {
"ClearLocalCacheOnStartup": true
}