Authentication basics
Authentication verifies that a user is who the identifier they supply claims them to be. A successful authentication leads to authorization, i.e., Creatio grants the user permissions to the resources they need for their tasks.
Restrict the integration user's permissions to the objects, records, and columns the corresponding integration needs in order to work. We recommend creating a dedicated user for each integration and granting it only the required permissions. Granting unnecessary permissions to the integration user puts Creatio at security risk. We do not recommend granting the integration user permission to execute the Can manage configuration elements (CanManageSolution code) system operation or Supervisor user permissions.
Learn more about authentication: Authentication (Wikipedia).
Authenticate all external requests to Creatio web services.
Authentication types
Creatio supports the following authentication types:
- Anonymous authentication
- Basic authentication
- Cookie-based authentication (Forms authentication)
- Authentication based on the OAuth 2.0 open authorization protocol. Learn more: OAuth 2.0 setup procedure (user documentation).
We recommend using OAuth 2.0 authentication to integrate external services with Creatio. If you use Forms authentication instead, include the cookies received in the response from the AuthService.svc web service in every subsequent request to Creatio.
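The Forms authentication flow described above, as an added example that is not Creatio's own code: a client logs in through AuthService.svc, keeps the cookies from the response, and replays them (plus the CSRF cookie value echoed as a same-named header) on every later request. The login path /ServiceModel/AuthService.svc/Login, the JSON fields UserName and UserPassword, and the cookie/header name BPMCSRF are assumptions not stated on this page; the server below is a constructed stand-in for Creatio so the exchange runs offline and shows why a cookie alone is rejected.

```python
import http.client
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGIN_PATH = "/ServiceModel/AuthService.svc/Login"         # assumed Creatio login path
PROTECTED_PATH = "/0/ServiceModel/MsgUtilService.svc/Ping"  # constructed target path
CSRF_NAME = "BPMCSRF"  # assumed name of the CSRF cookie and of the matching header
USERS = {"integration": "s3cret"}  # constructed credential store, demo only


class FakeCreatio(BaseHTTPRequestHandler):
    """Constructed stand-in for Creatio: issues an auth cookie and a CSRF cookie on
    login, then accepts a call only when the CSRF cookie value is echoed back in a
    same-named request header (the 'double submit' check a CSRF token relies on)."""
    sessions = {}  # auth cookie value -> expected CSRF token (in-memory, demo only)

    def log_message(self, *_):
        pass  # keep the demo quiet

    def _reply(self, status, cookies=()):
        body = b'{"Code":0}' if status == 200 else b"{}"
        self.send_response(status)
        for cookie in cookies:
            self.send_header("Set-Cookie", cookie)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _request_cookies(self):
        raw = self.headers.get("Cookie", "")
        return dict(p.strip().split("=", 1) for p in raw.split(";") if "=" in p)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        if self.path == LOGIN_PATH:
            user, password = body.get("UserName"), body.get("UserPassword")
            if user not in USERS or USERS[user] != password:
                return self._reply(401)
            auth, csrf = secrets.token_hex(16), secrets.token_hex(16)
            self.sessions[auth] = csrf
            return self._reply(200, [f".ASPXAUTH={auth}; HttpOnly; Path=/",
                                     f"{CSRF_NAME}={csrf}; Path=/"])
        expected = self.sessions.get(self._request_cookies().get(".ASPXAUTH"))
        if expected is None:
            return self._reply(401)  # no valid session cookie
        if self.headers.get(CSRF_NAME) != expected:
            return self._reply(403)  # session cookie present, CSRF header missing or wrong
        return self._reply(200)


class CreatioClient:
    """Forms-auth client: stores the cookies from the login response and replays
    them, plus the CSRF header, on every subsequent request."""

    def __init__(self, host, port):
        self.conn = http.client.HTTPConnection(host, port, timeout=5)
        self.cookies = {}

    def _post(self, path, payload, extra_headers=None):
        headers = {"Content-Type": "application/json", **(extra_headers or {})}
        if self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        self.conn.request("POST", path, body=json.dumps(payload), headers=headers)
        resp = self.conn.getresponse()
        resp.read()  # drain the body so the connection can be reused
        for raw in resp.headers.get_all("Set-Cookie") or []:
            name, value = raw.split(";", 1)[0].split("=", 1)
            self.cookies[name.strip()] = value.strip()
        return resp.status

    def login(self, user, password):
        return self._post(LOGIN_PATH, {"UserName": user, "UserPassword": password})

    def call(self, path, payload=None, send_csrf_header=True):
        extra = {}
        if send_csrf_header and CSRF_NAME in self.cookies:
            extra[CSRF_NAME] = self.cookies[CSRF_NAME]  # cookie value echoed as a header
        return self._post(path, payload or {}, extra)


def run_demo():
    """Return the status codes of: bad login, good login, call without CSRF header,
    call with CSRF header."""
    server = HTTPServer(("127.0.0.1", 0), FakeCreatio)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        client = CreatioClient(*server.server_address)
        bad_login = client.login("integration", "wrong")
        good_login = client.login("integration", "s3cret")
        without_header = client.call(PROTECTED_PATH, send_csrf_header=False)
        with_header = client.call(PROTECTED_PATH)
        return bad_login, good_login, without_header, with_header
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The 403 on the third call is the point of the CSRF token: a browser would attach the session cookie to a forged cross-site request automatically, but it cannot read the cookie value and place it in a custom header, so only a client that deliberately copies the cookie into the header gets through.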
Disable protection against CSRF attacks
CSRF (Cross-Site Request Forgery) is a type of attack on website visitors. CSRF attacks exploit a weakness of the HTTP protocol: the browser attaches a site's cookies to a request regardless of which page triggered it. Protection is enabled by default, but you can disable it.
We recommend disabling protection against CSRF attacks only when you use basic authentication. If needed, you can disable CSRF protection for a single service or for several methods of different services. Disabling CSRF protection for all services puts Creatio at security risk.
You can disable protection against CSRF attacks at the following scopes:
- all Creatio services
- a single Creatio service
- several methods of different Creatio services
Disable protection against CSRF attacks for all services
- Open the Web.Config file in the Creatio root directory.
- Set the UseCsrfToken setting to false.
  Web.Config file:
      <add value="false" key="UseCsrfToken" />
- Repeat the setup in the ..\Terrasoft.WebApp\Web.Config file.
Disable protection against CSRF attacks for a single service
- Open the Web.Config file in the Creatio root directory.
- Set the service path in the DisableCsrfTokenValidationForPaths setting.
  Web.Config file:
      <add key="DisableCsrfTokenValidationForPaths" value="/ServiceModel/MsgUtilService.svc" />
Disable protection against CSRF attacks for several methods of different services
- Open the Web.Config file in the Creatio root directory.
- List the method paths, separated by commas, in the DisableCsrfTokenValidationForPaths setting.
  Web.Config file:
      <add key="DisableCsrfTokenValidationForPaths" value="/MsgUtilService.svc/Ping,/AuthService.svc/Login" />
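The three procedures above all edit the same two appSettings keys, and the first one must be repeated in a second Web.Config. As an added example (not Creatio's code), the audit below reads a Web.Config, reports whether UseCsrfToken turns protection off globally, lists every path exempted through DisableCsrfTokenValidationForPaths with its scope, and checks that the root and Terrasoft.WebApp copies agree. The two key names come from this page; the sample configs are constructed, and treating an absent UseCsrfToken key as "enabled" is an assumption based on the page's statement that protection is on by default.

```python
import xml.etree.ElementTree as ET

# Constructed Web.Config fragments: a root config with protection disabled plus
# two method exemptions, and a WebApp config that was not updated to match.
ROOT_CONFIG = """<configuration>
  <appSettings>
    <add value="false" key="UseCsrfToken" />
    <add key="DisableCsrfTokenValidationForPaths" value="/MsgUtilService.svc/Ping,/AuthService.svc/Login" />
  </appSettings>
</configuration>"""

WEBAPP_CONFIG = """<configuration>
  <appSettings>
    <add key="UseCsrfToken" value="true" />
    <add key="DisableCsrfTokenValidationForPaths" value="/ServiceModel/MsgUtilService.svc" />
  </appSettings>
</configuration>"""


def app_settings(xml_text):
    """Return the appSettings key/value pairs of a Web.Config document."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == "appSettings" else root.find("appSettings")
    if node is None:
        return {}
    return {a.get("key"): a.get("value", "") for a in node.findall("add") if a.get("key")}


def audit_csrf_settings(xml_text):
    """Summarise the CSRF posture configured in one Web.Config."""
    settings = app_settings(xml_text)
    # Assumption: a missing UseCsrfToken key means the default, i.e. protection on.
    enabled = settings.get("UseCsrfToken", "true").strip().lower() != "false"
    exempt = [p.strip() for p in
              settings.get("DisableCsrfTokenValidationForPaths", "").split(",") if p.strip()]
    findings = []
    if not enabled:
        findings.append("UseCsrfToken=false: CSRF protection is off for all services")
    for path in exempt:
        # A path ending in .svc exempts the whole service; anything below it is one method.
        scope = "whole service" if path.lower().endswith(".svc") else "single method"
        findings.append(f"{path}: CSRF validation disabled for a {scope}")
    return {"enabled": enabled, "exempt_paths": exempt, "findings": findings}


def csrf_settings_match(root_xml, webapp_xml):
    """True when both Web.Config files carry the same CSRF settings (the page says the
    change must be repeated in ..\\Terrasoft.WebApp\\Web.Config)."""
    keys = ("UseCsrfToken", "DisableCsrfTokenValidationForPaths")
    a, b = app_settings(root_xml), app_settings(webapp_xml)
    return all(a.get(k) == b.get(k) for k in keys)


if __name__ == "__main__":
    for name, cfg in (("root", ROOT_CONFIG), ("webapp", WEBAPP_CONFIG)):
        print(name, audit_csrf_settings(cfg))
    print("configs agree:", csrf_settings_match(ROOT_CONFIG, WEBAPP_CONFIG))
```

Run it against the real files (root Web.Config and ..\Terrasoft.WebApp\Web.Config) after any change to these keys; a non-empty findings list on a production instance that uses Forms or OAuth authentication is worth a second look, since the page recommends these exemptions only for basic authentication.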
See also
OAuth 2.0 setup procedure (user documentation)
Resources
Authentication basics (Wikipedia)