Version: 8.1

Authentication basics

Level: intermediate

Authentication verifies the authenticity of the ID that a user specifies. A successful authentication results in user authorization, i.e., Creatio grants the user permissions to the resources they can use to solve their problems.

Important

Restrict user permissions to the objects, records, and columns required for the corresponding integration to work. We recommend creating a dedicated user for the integration and granting it the required permissions. If you give unnecessary permissions to the integration user, you put Creatio at security risk. We do not recommend giving the integration user Supervisor permissions or permission to execute the "Can manage configuration elements" (CanManageSolution code) system operation.

Learn more about authentication on Wikipedia.

Authenticate all external requests to Creatio web services.

Authentication types

Creatio supports the following authentication types:

We recommend using Forms authentication to integrate external services with Creatio. Forms authentication is implemented via the AuthService.svc web service. Use the cookies received in response from the AuthService.svc web service in the subsequent requests to Creatio.

View examples that use authentication cookies in separate articles: OData, DataService.

Disable protection against CSRF attacks

CSRF (Cross-Site Request Forgery) is a type of attack on website visitors. CSRF attacks are based on disadvantages of the HTTP protocol. Protection against CSRF attacks is enabled by default, but you can disable it.

Important

We recommend disabling protection against CSRF attacks only when you use basic authentication. If needed, you can disable CSRF protection for a single service or several methods of different services. If you disable CSRF protection for all services, you put Creatio at security risk.

You can disable protection against CSRF attacks for the following service types:

  • all Creatio services
  • single Creatio service
  • several methods of different Creatio services

Disable protection against CSRF attacks for all services

  1. Open the Web.Config file in the Creatio root directory.

  2. Set the UseCsrfToken setting to false.

    Web.Config file
    <add value="false" key="UseCsrfToken" />
  3. Repeat the setup in the ...\Terrasoft.WebApp\Web.Config file.

Disable protection against CSRF attacks for a single service

  1. Open the Web.Config file in the Creatio root directory.

  2. Set the DisableCsrfTokenValidationForPaths setting to the service path.

    Web.Config file
    <add key="DisableCsrfTokenValidationForPaths" value="/ServiceModel/MsgUtilService.svc" />

Disable protection against CSRF attacks for several methods of different services

  1. Open the Web.Config file in the Creatio root directory.

  2. List the method paths, separated by commas, in the DisableCsrfTokenValidationForPaths setting.

    Web.Config file
    <add key="DisableCsrfTokenValidationForPaths" value="/MsgUtilService.svc/Ping,/AuthService.svc/Login" />
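
To review which of the options above is active on a deployment, the following added example (not Creatio code) parses the appSettings section of a Web.Config file and reports the CSRF-related settings. The sample configuration is constructed, and the function name, the severity labels and the whitespace check are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Web.Config appSettings section (not from a real deployment).
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="UseCsrfToken" value="false" />
    <add key="DisableCsrfTokenValidationForPaths"
         value="/ServiceModel/MsgUtilService.svc,/AuthService.svc/Login, /ServiceModel/ MsgUtilService.svc" />
  </appSettings>
</configuration>"""


def audit_csrf_settings(web_config_xml):
    """Return (severity, message) findings for the CSRF keys in appSettings."""
    root = ET.fromstring(web_config_xml)
    settings = {}
    for add in root.iterfind("./appSettings/add"):
        # Compare keys case-insensitively so a differently cased key is not missed.
        settings[(add.get("key") or "").lower()] = add.get("value") or ""

    findings = []
    # Protection is enabled by default, so only an explicit "false" disables it.
    if settings.get("usecsrftoken", "true").strip().lower() == "false":
        findings.append(("HIGH", "UseCsrfToken=false: CSRF protection is off for all services"))

    for raw in settings.get("disablecsrftokenvalidationforpaths", "").split(","):
        path = raw.strip()
        if not path:
            continue
        if any(ch.isspace() for ch in path):
            # Assumption of this example: a path with embedded whitespace is a typo.
            findings.append(("WARN", f"malformed path (embedded whitespace): {path!r}"))
        elif path.lower().endswith(".svc"):
            findings.append(("REVIEW", f"whole service exempt from CSRF validation: {path}"))
        else:
            findings.append(("INFO", f"single method exempt from CSRF validation: {path}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_csrf_settings(SAMPLE_WEB_CONFIG):
        print(f"{severity:6} {message}")
```

Run the check against both the Web.Config file in the Creatio root directory and the ...\Terrasoft.WebApp\Web.Config file, because the UseCsrfToken setting is repeated in both.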

See also

Set up the Identity Service (user documentation)

OData

DataService


Resources

Wikipedia (authentication basics)