Version: 8.2

Authentication basics

Level: intermediate

Authentication verifies the authenticity of the ID specified by a user. The result of successful authentication is user authorization, i.e., Creatio grants the user permissions to the resources they can use to solve their problems.

Important

Restrict user permissions to the objects, records, and columns required for the corresponding integration to work. We recommend creating a dedicated user for the integration and granting it the required permissions. If you give unnecessary permissions to the integration user, you put Creatio at security risk. We do not recommend giving the integration user permission to execute the Can manage configuration elements (CanManageSolution code) system operation or Supervisor user permissions.

Learn more about authentication: Authentication (Wikipedia).

Authenticate all external requests to Creatio web services.

Authentication types

Creatio supports the following authentication types:

  • Anonymous authentication
  • Basic authentication
  • Cookie-based authentication (Forms authentication)
  • Authentication based on the OAuth 2.0 open authorization protocol. Learn more: OAuth 2.0 setup procedure (user documentation).

We recommend using OAuth 2.0 authentication to integrate external services with Creatio. If you decide to use Forms authentication, add the cookies received in the response from the AuthService.svc web service to all subsequent requests to Creatio.

Disable protection against CSRF attacks

CSRF (Cross-Site Request Forgery) is a type of attack on website visitors. CSRF attacks exploit weaknesses of the HTTP protocol. Protection against CSRF attacks is enabled by default, but you can disable it.

Important

We recommend disabling protection against CSRF attacks only when you use basic authentication. If needed, you can disable CSRF protection for a single service or several methods of different services. If you disable CSRF protection for all services, you put Creatio at security risk.

You can disable protection against CSRF attacks for the following service types:

  • all Creatio services
  • single Creatio service
  • several methods of different Creatio services

Disable protection against CSRF attacks for all services

  1. Open the Web.Config file in the Creatio root directory.

  2. Set the UseCsrfToken setting to false.

    Web.Config file
    <add value="false" key="UseCsrfToken" />

  3. Repeat the setup in the ..\Terrasoft.WebApp\Web.Config file.

Disable protection against CSRF attacks for a single service

  1. Open the Web.Config file in the Creatio root directory.

  2. Set the DisableCsrfTokenValidationForPaths setting to the service name.

    Web.Config file
    <add key="DisableCsrfTokenValidationForPaths" value="/ServiceModel/MsgUtilService.svc" />

Disable protection against CSRF attacks for several methods of different services

  1. Open the Web.Config file in the Creatio root directory.

  2. List the method names in the DisableCsrfTokenValidationForPaths setting.

    Web.Config file
    <add key="DisableCsrfTokenValidationForPaths" value="/MsgUtilService.svc/Ping,/AuthService.svc/Login" />

See also

OAuth 2.0 setup procedure (user documentation)

OData

DataService


Resources

Authentication basics (Wikipedia)