Security configuration: options

The content of the HTTP-header X-Frame-Options. This is set on all rendered pages and is used to avoid clickjacking attacks. By default, only pages with the same origin can use the rendered pages in a frame.

• True: A user can only open one session.

• False (default): A user can open multiple sessions.

• True: The Office research integration is always allowed guest access via REST, regardless of the general Guest access setting.

• False (default): The general Guest access setting is kept.

Note Currently, The Office research integration is only available when Collibra Data Intelligence Cloud is publicly available, which is why this override setting is necessary.

Text widgets can contain full HTML. However, this means an attacker could potentially execute an XSS attack by injecting malicious HTML. For more information, see the Troubleshooting section.

• True: Potentially dangerous HTML elements are removed from text attributes when you save the text field.

• False (default): No HTML elements are removed from text attributes when you save the text field.

• True: Anyone that can access the URL, has viewing rights to the system.
• False (default): The user is asked to sign in before having access to any data.

• True: Schema fields are shown during an introspection.
• False (default): Schema fields are hidden during an introspection.

• True: The LDAP integration is enabled.
• False (default): The LDAP integration is disabled.

• True (default): LDAP data is synchronized with Collibra when an initial data set is bootstrapped.
• False: LDAP data is synchronized with Collibra only when the LDAP synchronization job is triggered.

The page size that is used when retrieving users during synchronization.

The default value is 500. You can set it to 0 to disable paging.

Note This is a global setting. If you are working with multiple LDAP servers, only the value for the main server is taken into account.

The page size that is used when retrieving groups.

You can set it to 0 to disable paging.

Note This is a global setting. If you are working with multiple LDAP servers, only the value for the main server is taken into account.

Specifies the time limit in milliseconds for all LDAP searches.

The default value is 120,000.

You can set it to 0 to disable the time limit.

• True (default): The synchronization job is enabled.
• False: The synchronization job is disabled.

The schedule to perform an LDAP synchronization (CRON).

The default value for this setting is daily at midnight.

If you create an invalid Cron pattern, Collibra Data Intelligence Cloud stops responding.

The middle name field of the LDAP directory, this is usually givenName.

The language and locale of the user. It has to contain a language code and may contain a country code.

• The language has to be an ISO language code.
• The country has to be an ISO country code.

Examples: pl, en_US, nl_BE.

The LDAP property that defines to which groups the user belongs. If there is a group entry in the LDAP directory, use the Group field mapping settings.

An additional email list.

The name of the group to use in the application.

The Collibra parameters to map with your LDAP server parameters.

The filter that specifies which users are imported by the synchronization job. The users have to be the same as, or a subset of, the Authentication user LDAP filter.

If you provide no value for this setting, the same filter as specified for the Authentication user LDAP filter setting is used. That allows you to synchronize only the users that have to have access to the application, even if they have not logged in yet. Users in the Authentication user LDAP filter are synchronized each time they authenticate and are only available after the first sign-in to the application. This is the default setting.

The authentication mechanism for authenticating users on the LDAP servers.

• True: The LDAP context is destroyed immediately. When using TLS, some servers require the connection to be shut down by the client before the LDAP context is destroyed.
• False (default): The LDAP context is not destroyed immediately.

Specifies what to do with referrals. Possible values:

Note If you are experiencing slow searches on Microsoft Active Directory with the follow value for the Referral setting, try using the Global Catalog as Active Directory domain controller. The Global Catalog enables searching for Active Directory objects in any domain in the forest without the need for subordinate referrals. This can dramatically speed up searching. However, the Global Catalog only contains a subset of the attributes of an object. This solution is only viable if the attributes requested for the search results are stored in the global catalog. Note that the Global Catalog is accessible on port 3268/3269, not the standard 389/636 LDAP ports.

The minimum length of passwords.

The default minimum length is 12.

The maximum length of passwords.

The default maximum length is 1,024.

• True (default): Passwords have to contain one or more digits.
• False: Passwords do not have to contain digits.

• True (default): Passwords have to contain one or more non-alphanumeric (special) characters.
• False: Passwords do not have to contain non-alphanumeric characters.

• True (default): Passwords have to contain one or more upper-case characters.
• False: Passwords do not have to contain upper-case characters.

• True (default): Passwords have to contain one or more lower-case characters.
• False: Passwords do not have to contain lower-case characters.

• True (default): Passwords cannot be the username.
• False: Passwords can be the username.

The number of months before users have to change their passwords.

Set it to 0 if users never have to change their passwords.

The default interval is 6 months.

The number of consecutive failed login attempts that are allowed before the user account is disabled.

Set it to 0 for unlimited attempts.

The default is 3 login failures.

The number of previous passwords users cannot reuse. The default is 1: the user cannot change his password to what it currently is.

Set this to 0 to allow using the same password.

The number of minutes that a link to reset a password remains valid. Beyond this time, the user has to request a new password reset link.

The default value is 60 minutes.

The minimum value is 15 minutes, the maximum value is 1,440 minutes (24 hours).

• True: The validity of a request is checked with a CSRF token.
• False (default): The validity of a request is not checked with a CSRF token.

• True: The HTTP referrer header is used to identify the origin of the request.
• False (default): The HTTP referrer header is not used to identify the origin of the request. It is recommended to leave this option disabled.

The SSO mode of Collibra.

The possible values are:

• SAML_ATTRIBUTES
• SAML_LDAP
• SSO_HEADER
• SSO_HEADER_LDAP
• DISABLED

The name of the header to be checked. The contents of this header is used for the search query, which is SSO_HEADER = username.

The value of the actual query depends on DN and possibly Attribute.

If the SSO mode is SSO_HEADER_LDAP or SAML_LDAP, this field determines whether the distinguished name (DN) or attribute is used:

• True: The header has to contain the distinguished name (DN) of the user in the LDAP.
• False (default): The header has to contain the value of Attribute.

If the SSO mode is DISABLED, SSO_HEADER or SAML_ATTRIBUTES, this field is ignored.

This field is only used if the SSO mode is SSO_HEADER_LDAP or SAML_LDAP, and if DN is False.

If the above criteria are met, the LDAP has to contain this value.

If users try to sign in via SSO, they still need a user account in Collibra. You can either create the user accounts automatically when they sign in, or create the user accounts manually or via LDAP synchronization

• True: User accounts are not created automatically.
• False (default): User accounts are created automatically.

When SSO is enabled, a user can still navigate to the /signin page and try to log in via that page. However, you can disable that page.

• True: Users cannot access the Collibra signin page.
• False (default): Users can access the Collibra signin page

The entity ID inside the metadata to be referenced.

Note A metadata file can describe multiple entity IDs, make sure to use in the entity ID from the correct metadata file.

The mappings of attributes in the SAML response. The values are used as keys to look for in the SAML response.

Examples of attribute fields are first name, last name, address information, phone numbers and so on.

The mapping for the user's first name.

This attribute is optional. The value can be empty.

The mapping for the user's last name.

This attribute is optional. The value can be empty.

The mapping for the user's email address.

This attribute is optional for existing users, but mandatory for new users.

Warning If the email address is invalid when you synchronize, the user is deactivated and the user information is not updated.

The mapping (attribute) which indicates to which Collibra groups the user should be added. If the groups don't exist yet, they will be created. This attribute can have multiple values (groups) or the groups can be sent as a comma-separated list of groups.

If passing groups in this attribute, you must set Groups DGC Managed to False.

Option to configure that groups should be managed by Collibra, or that groups should be set by the SAML assertion (SAML+Attributes mode).

This option is only relevant if Mode is SAML_ATTRIBUTES.

• True: The groups are fully managed by Collibra. In the UI the admin has the option to assign groups to users, without it being overwritten by SAML.
• False (default): The groups are managed by the SAML assertions. In this case the groups are managed by the SAML IDP. Be sure to configure the Group attribute in the Attribute Fields section.

Field that determines the value of the Entity ID parameter in the service provider metadata returned by Collibra. The default value is empty, in which case Collibra uses the value of the Base URL field.

Enter a custom value if the base URL does not match the audience configured in your SAML identity provider.

Warning The value of the audience restriction in the SAML response has to be exactly the same as the value of this field.

Note SSO does not work if the Service Provider Entity ID field contains the base URL with trailing forward slash (for example www.collibra.com/), and the audience of your IDP contains the base URL without a trailing forward slash (for example www.collibra.com).
Both values need to be exactly the same. In this case, you can resolve the issue by changing the value in the configuration of your IDP, or the value of this field. It does not matter whether both have a trailing forward slash or not, as long as they contain the same value.

• True: Authentication requests have to be signed.
• False (default): Authentication request don't have to be signed.

• True (default): The SP authentication request forces re-authentication.
• False: The SP authentication request does not force re-authentication.

• True: The reauthentication has to happen in the background.
• False (default): The reauthentication does not have to happen in the background.

This is only relevant if Force authn is True.

Name ID that is used in the SP authentication. The default value is urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

The Name ID value is mandatory.

• True (default): The IDP can create a name ID to fulfill the SP authentication request.
• False: The IDP cannot create a name ID to fulfill the SP authentication request.

• True: The validation of the client IP address in the assertion message is disabled.
• False (default): The validation of the client IP address in the assertion message is enabled.

Settings for the SAML requested authentication context. The IDP uses the authentication context to authenticate the user. By default, the authentication context mandates user/password authentication over HTTPS.

• True: The requested authentication context section is not sent in the SAML request.
• False (default): The requested authentication context section is sent in the SAML request.

The comparison type that is transmitted in the requested authentication context.

Possible values:

• minimum
• maximum
• better
• exact (default value)

For more information about the comparison type values, refer to the SAML specifications.

The list of class references in the requested authentication context. You can separate list items with the pipe character (|).

For more information about this list, refer to the SAML specifications.

The list of class declarations in the requested authentication context. You can separate list items with the pipe character (|).

For more information about this list, refer to the SAML specifications.

Enable the support for encrypted SAML responses.

• DISABLED: Collibra only accepts plain-text SAML responses.
• OPTIONAL: Collibra can handle both encrypted and plain-text SAML responses.
• FORCED: Collibra only accepts encrypted SAML responses.

Once OPTIONAL or FORCED is selected, the encryption key pair is generated and added to the Collibra SAML keystore. A self-signed certificate is generated and works in most situations. If your IdP rejects self-signed certificates, you will have to add a certificate that is signed by a trusted 3rd party.

• True: Redirect the user to a specific website after signing out.
• False (default): Redirect the user to the sign-in page after signing out.

The URL to retrieve public key information needed to verify the authenticity of JSON Web Tokens (JWTs), issued by an authorization server.

This setting is required to enable JWT authentication.

A case-insensitive comma-separated list of accepted JWT media types coming in the typ header parameter.

Leave blank if the authorization server does not provide a media type parameter.

The default values is at+jwt,jwt.

A comma-separated list of accepted JWT algorithms coming in the alg header parameter. See https://tools.ietf.org/html/rfc7518#section-3.1 for details.

Leave blank to accept all digital signature algorithms.

The accepted issuer coming in the iss JWT claim.

Leave blank if the authorization server does not provide an issuer claim.

A comma-separated list of accepted audience values for the aud claim.

The value for this field is a configuration setting in your authorization server, which identifies your Collibra environment as the intended recipient of the JWT.

Leave blank if the authorization server does not provide an audience claim.

The name of the JWT claim containing the principal's identity. See https://tools.ietf.org/html/rfc7519#section-4.1.2 for details.

Defaults to the standard subject claim, sub.

Change this setting only if your authorization server has other means of identifying the principal, for example, a client_id claim.

This setting is required if JWT authentication is enabled.