The Home page of the Web Interface site includes a number of items that serve as entry points to individual sections of the Web Interface. Each item occupies a clickable area on the Home page, and includes the caption (name of the item), text describing the item and a picture providing a graphical illustration of the item. Clicking an item displays a page that is identified by a certain property of the item (this property is referred to as “URL to open”).
You can add, modify, re-arrange, and remove items on the Home page. A point-and-click interface helps you manage the items, providing flexible options to customize the Home page.
The changes you make to the Home page affect every user of the Web Interface site. For example, when you remove an item from the Home page, the item is not displayed to any user of the Web Interface site.
To customize the Home page
- On the Home page of the Web Interface site, click Customization.
- Click Customization Tasks; then, click Customize Home Page in the right pane.
- In the list of items, click to select the item you want to change, then use command buttons to make changes.
The following table provides an overview of changes you can make.
Table 2: Home page customization tasks
Add an item to the Home page. | Click Add. Type a name for the new item and the URL of the page you want the new item to open. Optionally, type any text to display in the item area, and change the picture for the item. Then, click OK. |
Change the position of an item on the Home page. | Select the item and click the Up or Down arrow button. |
Change the name or description text of an item. | Select the item and click Properties. Then, type the name or description text you want, then click OK. |
Change the picture to be displayed in the item area. | Select the item and click Properties. Under the Picture to display label, click Change. Type the path and name of the picture file, or click Browse to select and open the picture file. Then, click OK. |
Hide an item so that it does not appear on the Web Interface pages. | Select the item and click Hide. (To display an item that is hidden, select the item and click Unhide.) |
By adding a home page item, you can customize the Web Interface to integrate custom applications together with the Web Interface pages. The Advanced properties section in the dialog box for managing a home page item provides the Open the URL in a frame option for this purpose.
With the Open the URL in a frame option, a home page item can be configured to open a Web application so that the application’s pages are embedded in a standard Web Interface page. When this option is selected, the page identified by the URL to open property of the home page item is embedded in a Web Interface page instead of being displayed in place of the Web Interface page in the Web browser window.
The Advanced properties section also provides the ability to configure a home page item so that a number of optional parameters are automatically appended to the query string of the URL when the user clicks the item. This enables the Web Interface to pass certain data to the Web application associated with the home page item. You can modify parameter names. The parameter values are generated by the Web Interface when the user clicks the home page item. The following table summarizes the available parameters.
Table 3: Query string parameters
DN | Distinguished Name (DN) of the user account of the Web Interface user. Example: DN=CN%3dAaron%20Beh%20Santos%2cOU%3dEmployees%2cDC%3dDomain%2cDC%3dCompany%2cDC%3dCom |
IdentificationDomain | DNS name of the Active Directory domain that holds the user account of the Web Interface user. Example: IdentificationDomain=domain.company.com |
IdentificationAccount | Pre-Windows 2000 name (sAMAccountName) of the user account of the Web Interface user. Example: IdentificationAccount=ASantos |
LCID | Hex code of the locale identifier specific to the Web Interface language selected by the Web Interface user. Example: LCID=409 |
IsDsAdmin | “True” or “False” depending on whether or not the Web Interface user is assigned to the Active Roles Admin role and thus has administrative rights on Active Roles. Example: IsDsAdmin=False |
CurrentLanguage | Locale name specific to the Web Interface language selected by the Web Interface user. Example: CurrentLanguage=en-US |
PortalHomePage | URL of the Home page of the Web Interface site you are customizing. Example: PortalHomePage=http://Server/ARServerSelfService |
TaskID | The identifier of the Web Interface command used to open the URL. Example: TaskID=d8371ae8-1215-40ac-b0c4-391c3225a426 |
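How a receiving web application might read these parameters, as an added example that is not part of the product or its documentation. The function name, the `authenticated_account` input and the host in the sample URL are hypothetical, and the parameter names are the defaults from Table 3.

```python
from urllib.parse import parse_qs, urlsplit

# Default parameter names from Table 3 (the page notes they can be renamed).
EXPECTED = ("DN", "IdentificationDomain", "IdentificationAccount", "LCID",
            "IsDsAdmin", "CurrentLanguage", "PortalHomePage", "TaskID")


def read_portal_params(url, authenticated_account):
    """Parse the appended parameters and cross-check the claimed identity.

    authenticated_account: sAMAccountName the receiving application got from
    its own authentication (hypothetical input for this example).
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {}
    for name in EXPECTED:
        values = query.get(name, [])
        if len(values) > 1:
            raise ValueError(f"parameter {name} supplied more than once")
        if values:
            params[name] = values[0]  # parse_qs has already percent-decoded it
    if "LCID" in params:
        params["LCID"] = int(params["LCID"], 16)  # hex string, 409 -> 1033
    # A query string can be edited in the browser, so compare the claimed
    # account with the locally authenticated one before using any value.
    claimed = params.get("IdentificationAccount", "")
    params["identity_matches"] = (
        bool(claimed) and claimed.lower() == authenticated_account.lower()
    )
    # Keep IsDsAdmin as a display hint only, never as an authorization input.
    params["IsDsAdmin_hint"] = params.pop("IsDsAdmin", "").lower() == "true"
    return params


# Constructed URL: host and path are placeholders, values are the page's examples.
SAMPLE_URL = (
    "https://app.example/report"
    "?DN=CN%3dAaron%20Beh%20Santos%2cOU%3dEmployees%2cDC%3dDomain%2cDC%3dCompany%2cDC%3dCom"
    "&IdentificationDomain=domain.company.com&IdentificationAccount=ASantos"
    "&LCID=409&IsDsAdmin=False&CurrentLanguage=en-US"
)

if __name__ == "__main__":
    for key, value in read_portal_params(SAMPLE_URL, "asantos").items():
        print(f"{key} = {value}")
```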
By default, Web Interface users connect to the Web Interface using an HTTP transport, which does not encrypt the data transferred from a web browser to the Web Interface. To use a secure transport for transferring data to the Web Interface, One Identity recommends using an HTTPS transport.
The secure hypertext transfer protocol (HTTPS) uses Secure Sockets Layer (SSL) provided by the web server for data encryption. For instructions on how to enable SSL on your web server, see How to Set Up SSL on IIS 7 or later in the Microsoft IIS documentation.
Any Web Interface instance is prone to security issues, such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks. To protect the Web Interface against such attacks, you can also configure CSRF and XSS protection.
- Cross-Site Request Forgery (CSRF) attacks can force users to run unwanted actions on the Active Roles web application in which they are currently authenticated. To prevent CSRF requests, configure Active Roles to use anti-forgery protections.
- Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To protect against such attacks, any script that is sent to Active Roles must be validated for malicious content before accepting and running the script. To perform the script validation, enable XSS protection for Active Roles.
To configure a key-value pair for a Web Interface site in IIS
- In the operating system, launch Internet Information Services (IIS) Manager.
- Under the Connections node, navigate to <computer-name> > Sites > Default Web Site, then select the Web Interface site you want to configure. The default sites are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.
- In the center pane, double-click Configuration Editor. Then, from the Section drop-down, select <Settings>.
- Click the button corresponding to (Count=*), and click Add in the right pane.
- Enter the following values:
  - Key: <keyname>
  - Value: <value>
- Close the window, then under the Actions menu in the right pane, click Apply.
- To apply your changes in Active Roles, restart the app pool.
To prevent Cross-Site Request Forgery (CSRF) requests, the Active Roles Web Interface uses anti-forgery protection. This protection is enabled by default: if you must modify it for any reason (for example, to specify any exceptions), perform the following steps.
NOTE: If CSRF is enabled, then with the exception of the Web Interface Home page:
To modify Cross-Site Request Forgery settings for a Web Interface site
- In the operating system, launch Internet Information Services (IIS) Manager.
- Under the Connections node, navigate to <computer-name> > Sites > Default Web Site, then select the Web Interface site you want to configure. The default sites are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.
- In the center pane, double-click Configuration Editor. Then, from the Section drop-down, select web.config > <appSettings>.
- To modify the existing CSRF settings, add the following entries:
  <add key="EnableAntiForgery" value="true"/> <!-- Key to enable or disable anti-forgery. Values: true or false -->
  <add key="IgnoreValidation" value="choosecolumns,savetofile,customizeform,default,2fauth,formmap"/>
- Close the window, then under the Actions menu in the right pane, click Apply.
- To apply your changes in Active Roles, restart the app pool.
Cross-Site Scripting (XSS) protection allows Active Roles to determine whether a request contains potentially dangerous content. This protection is enabled by default in the Active Roles Web Interface, but you can disable or modify it via the Internet Information Services (IIS) Manager application of the operating system.
NOTE: One Identity strongly recommends to:
To disable Cross-Site Scripting protection for the Web Interface
- In the operating system, launch Internet Information Services (IIS) Manager.
- Under the Connections node, navigate to <computer-name> > Sites > Default Web Site, then select the Web Interface site you want to configure. The default sites are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.
- In the center pane, double-click Configuration Editor. Then, from the Section drop-down, select web.config > <appSettings>.
- To disable XSS protection, set the value of the following key to "false":
  <add key="EnableRequestValidation" value="false"/>
- In the Section drop-down, select system.web > <pages />, then set the following key:
  validateRequest="false"
- Close the window, then under the Actions menu in the right pane, click Apply.
- To apply your changes in Active Roles, restart the app pool.
To modify Cross-Site Scripting settings for the Web Interface
- In the operating system, launch Internet Information Services (IIS) Manager.
- Under the Connections node, navigate to <computer-name> > Sites > Default Web Site, then select the Web Interface site you want to configure. The default sites are ARWebAdmin, ARWebHelpDesk and ARWebHelpService.
- In the center pane, double-click Configuration Editor. Then, from the Section drop-down, select web.config > <appSettings>, and find the following script:
  <add key="IgnoreForValidation" value="hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform"/>
- For environments that also use Microsoft Lync Server or Skype for Business Server, add the following exceptions to the existing value:
  dialplanpolicytextbox,voicepolicytextbox,edsva-lync-conferencingpolicy,edsva-lync-clientversionpolicy,edsva-lync-pinpolicy,edsva-lync-externalaccesspolicy,edsva-lync-archivingpolicy,edsva-lync-locationpolicy,edsva-lync-mobilitypolicy,edsva-lync-persistentchatpolicy,edsva-lync-clientpolicy
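To check the result of the CSRF and XSS procedures above, the following added example (not One Identity's code) audits the text of a site's web.config for the keys named on this page. Treating the exception lists shown on this page as the reviewed baseline is an assumption, and the sample configuration, including the `bulkimport` exception, is constructed.

```python
import xml.etree.ElementTree as ET

# Exception lists exactly as shown on this page; treating them as the
# reviewed baseline is an assumption of this example.
PAGE_EXCEPTIONS = {
    "IgnoreValidation": "choosecolumns,savetofile,customizeform,default,2fauth,formmap",
    "IgnoreForValidation": "hiddenxml,homepagestruct,txtconditionsforoperationsinreadableform",
}
SWITCHES = ("EnableAntiForgery", "EnableRequestValidation")  # must stay "true"


def audit_web_config(xml_text):
    """Return sorted findings for one Web Interface web.config."""
    root = ET.fromstring(xml_text)
    settings = {
        (a.get("key") or "").strip(): (a.get("value") or "").strip()
        for a in root.findall("./appSettings/add")
    }
    findings = []
    for key in SWITCHES:
        value = settings.get(key)
        if value is None:
            findings.append(f"{key}: not set explicitly")
        elif value.lower() != "true":
            findings.append(f"{key}: protection disabled (value={value!r})")
    # <pages> may also appear under <location>, so check every occurrence.
    for pages in root.iter("pages"):
        if (pages.get("validateRequest") or "").lower() == "false":
            findings.append("system.web/pages: validateRequest is false")
    for key, baseline in PAGE_EXCEPTIONS.items():
        allowed = set(baseline.split(","))
        current = {v.strip().lower() for v in settings.get(key, "").split(",")}
        extra = sorted(current - allowed - {""})
        if extra:
            findings.append(f"{key}: exceptions not on this page {extra}")
    return sorted(findings)

# Constructed sample (not from a real installation); "bulkimport" is made up.
SAMPLE = """<configuration>
  <appSettings>
    <add key="EnableAntiForgery" value="true"/>
    <add key="IgnoreValidation" value="choosecolumns,savetofile,customizeform,default,2fauth,formmap,bulkimport"/>
    <add key="EnableRequestValidation" value="false"/>
  </appSettings>
  <system.web><pages validateRequest="false"/></system.web>
</configuration>"""

if __name__ == "__main__":
    print("\n".join(audit_web_config(SAMPLE)))
```

In an environment that uses the Lync or Skype for Business exceptions listed above, add them to the `IgnoreForValidation` baseline first, otherwise they are reported as exceptions to review.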