Security settings for the DocuWare Organization


This article provides information about the area DocuWare Configuration > Security.

In this section you define the security settings for your DocuWare organization. Every setting has a status of Enabled or Disabled. If a setting is Enabled, it potentially increases the security of your organization.

Login security

A password policy prevents users from choosing insecure passwords.

Specify the minimum requirements for all users' passwords:

  • Minimum password length

  • Required characters

  • Password validity period

  • Notification period before password expires

  • Maximum number of failed logins

  • How long an account remains locked after the maximum number of failed logins

Read the note about the new password policy, which is activated by default for all new DocuWare organizations created from version 7.12 onward. The default password policy does not apply to organizations created before version 7.12.

Two-step verification

With DocuWare 7.13 and later, DocuWare administrators can activate and deactivate two-step verification for all users in the organization. With DocuWare 7.14 and later, it is also possible to require two-step verification for all users.

If two-step verification is activated, users need to enter their username, password, and a verification code to log in to DocuWare. DocuWare uses time-based one-time passwords (TOTP) as verification codes. The TOTP standard is supported by most authenticator apps on mobile phones.

How a one-time password works

A one-time password (OTP) is a numeric or alphanumeric code that can be used only once to verify a user’s identity. Unlike a static password, an OTP is generated on demand, typically by an authenticator app or hardware token, using a secret key that is shared with DocuWare. The most common variant, the time-based one-time password (TOTP), combines this secret with the current time to produce a six-digit code that changes every 30 seconds. Because each code is valid for only a brief interval and the secret never leaves the user’s device, OTPs greatly reduce the risk of replay attacks, credential theft, and phishing. When a user enters the OTP during login, DocuWare runs the same algorithm with the same time reference to verify the code; if the values match, access is granted.

In DocuWare, an OTP is called “verification code” to stay consistent with the feature name “two-step verification”.

The available options depend on whether two-step verification is enabled or required:  

Enable two-step verification for all users

When the Enable… option is activated, all users have the option to configure two-step verification for their individual account. This is called an opt-in model. If you want to require users or groups of users to use two-step verification, see the option Require two-step verification for all users.

  • User configuration: Each user can activate two-step verification in their DocuWare profile: DocuWare Web Client > Profile & Settings > Security tab. Users will also need to use an authenticator app — see next point.

  • Authenticator app: To log in to DocuWare with two-step verification, users need a TOTP-compatible authenticator app on their mobile device. DocuWare supports a range of widely used authenticator apps, including Microsoft Authenticator, Google Authenticator, and Duo Mobile.

  • Two-step verification disabled: When two-step verification is switched off here in the security settings, users can no longer sign in with two-step verification; only username and password are required. DocuWare sends no automatic notification, so users will simply notice that the second factor is no longer requested.
    If the administrator later turns two-step verification on again, every user must set up the authenticator app from scratch, again without any system message. Sudden toggling of this setting causes confusion and unnecessary support calls. Disable it only when absolutely necessary and inform users in advance.

Require two-step verification for all users

When the Require… option is activated in addition to the Enable… option, every user must authenticate with a verification code at each login. It is not possible to log in without a valid verification code. Read the rollout guide at the end of this chapter before requiring two-step verification for all users.

  • User configuration: Users who have not yet set up two-step verification are prompted to do so at their next login: After entering their username and password, DocuWare presents a QR code which they need to scan with their authenticator app to complete the setup. From that point on, every login requires a verification code after entering the correct username and password.

  • Authenticator app: To log in to DocuWare with two-step verification, users need a TOTP-compatible authenticator app on their mobile device. DocuWare supports a range of widely used authenticator apps, including Microsoft Authenticator, Google Authenticator, and Duo Mobile.

  • Two-step verification no longer required: If you remove the requirement, then users who have already activated two-step verification will keep it active. Users who have not yet set it up are no longer prompted to do so, but they still have the option to activate it.

    If you disable two-step verification for the organization while it is also required, DocuWare will first remove the requirement and then disable two-step verification. Therefore, two corresponding warning dialogs appear in sequence.

  • Exclude users and roles: If certain accounts or roles should be exempt from this requirement, add them to the exclusion list. Typical candidates for exclusions are service accounts. Please refer to the two-step verification rollout guide for more details.

  • Changing the phone or authenticator app: Users can initiate a reconfiguration under DocuWare Web Client > Profile & Settings > Security tab. This removes the link to the old device and starts the setup process for a new one.

    Important: guest login and two-step verification

    Guest login is not subject to two-step verification or single sign-on (SSO), even if these methods are enforced for the designated guest user account. Read more on guest login and two-step verification.

Monitor two-step verification adoption and usage

After you enable two-step verification for your organization, a corresponding column is added in the Users list in the User Management. This column shows which users have already activated two-step verification, so you can track adoption across your organization.

To check when a specific user logged in, use DocuWare Configurations > Audit Reports.

How-to guide for a safe rollout of two-step verification

Step 1: Ensure administrator redundancy

Before enabling two-step verification, verify that at least two organization administrator accounts exist, each with an independent second factor, e.g., separate phones or hardware tokens. For on-premises installations, verify also that there are two system administrators, each with an independent second factor.

If only one administrator account exists: Create a second administrator account now. Set up its second factor on an independent device (e.g., a hardware token or a separate phone) and store it in a secure location (e.g., a locked safe). This ensures access to DocuWare if the primary administrator loses the phone.

Step 2: Identify service accounts

Compile a list of all service accounts and automated integrations that authenticate against DocuWare. These accounts cannot perform interactive two-step verification and must be excluded throughout the entire process.

Step 3: Identify the pilot group

Compile a list of all user profiles in DocuWare. Select one profile as the pilot group — ideally a small, technically confident group (e.g., IT staff).

Step 4: Communicate the change

Notify all users before requiring two-step verification:

  • What is changing: two-step verification will be required at login

  • When it takes effect: specific date per group, pilot group first, others to follow

  • What users need to do: have their phone or authentication device ready at next login; they will be guided through setup

  • Where to get help: support contact for issues

Step 5: Require two-step verification for the pilot group

  • Open Configurations > Security > Two-step verification

  • Select Require two-step verification for all users

  • Add every profile except the pilot group, plus all service accounts, to the exclusion list, so that only the pilot group remains subject to the requirement.

  • Before you start, make sure that there are at least two administrators (see step 1).

Do not proceed until the pilot phase is confirmed successful.

Step 6: Gradual rollout

Once the pilot phase is successful, progressively remove profiles from the exclusion list — one profile (or a few) at a time:

1. Remove the next profile from the exclusion list and save

2. Verify that the affected users can log in and set up two-step verification successfully

3. Address any issues before continuing

4. Repeat until all profiles are removed from the exclusion list

After the final step, only service accounts should remain excluded.

What to do if a user has lost their mobile phone

If a DocuWare user has lost their mobile phone, they cannot log in to DocuWare. The DocuWare login dialog asks the user to contact their administrator. The administrator’s options depend on the organization’s security settings.

  • Case 1: two-step verification is enabled, but not required for the organization

In this case the DocuWare administrator can deactivate two-step verification in DocuWare Configurations > User management > user xxx by clearing the checkbox Two-step verification, so that the user can log in to DocuWare with username and password only.

  • Case 2: two-step verification is required for the organization

The DocuWare administrator cannot deactivate two-step verification for this user because this would violate the corporate security policy. Instead, the administrator can send a reset link from DocuWare Configurations > User management > user xxx:

The link deactivates the user’s previous two-step verification setup and prompts them to configure a new phone or authenticator app. The user still cannot log in without a verification code.

Session timeout

In case of inactivity, a user can be automatically logged out of DocuWare Client and DocuWare Configuration. If no input is made within a certain time, the user first receives a notification with an appropriate message before being logged out and redirected to the login window.

If the timeout is exceeded, the user is logged out of all DocuWare Client browser windows and out of DocuWare Configuration. Clicking anywhere in a browser tab restarts the timer. Automatic DocuWare Client activities such as notifications do not reset the timer. Unsaved changes are discarded on logout.

This setting applies to all users in the organization.

In DocuWare Forms, automatic logout only takes effect for non-public forms. Public forms do not require a real login and are therefore exempt from the timeout.

Single sign-on

Single sign-on (SSO) allows users to access DocuWare using their corporate credentials, so they do not need to remember separate DocuWare usernames and passwords. This functionality simplifies the login experience and can improve security by utilizing the authentication methods of the corporate identity provider, such as two-factor authentication.

To enable single sign-on in DocuWare, you must integrate your DocuWare organization with an external identity provider. You need to have access to the identity provider to perform the integration.

The SSO configuration dialog changed slightly with DocuWare 7.13, and a Test button was added. If you are running DocuWare version 7.12 or earlier, some elements are located in different places and you cannot test your configuration before saving it. The configuration options themselves have not changed.

DocuWare supports several types of identity providers, described below. Each DocuWare organization can connect to only one external identity provider.

Microsoft Entra ID

Microsoft Entra ID, formerly known as Azure Active Directory, is a comprehensive identity and access management solution that provides secure access to applications and resources for organizations of all sizes.

OpenID Connect (OIDC)

OpenID Connect (OIDC) is an open standard that is widely used for implementing single sign-on (SSO) across various applications and services. Most professional identity providers support OIDC.

Microsoft Active Directory Federation Services (ADFS)

Microsoft Active Directory Federation Services (AD FS) is a single sign-on (SSO) solution that enables organizations to provide authenticated access to applications and systems across organizational boundaries.

Note: Microsoft recommends using Microsoft Entra ID instead of ADFS (source) and might deprecate this feature in the future.

Enforce single sign-on

This setting controls whether users can still sign in with their DocuWare credentials or must authenticate exclusively through the external identity provider (IdP).

  • Disabled: Users may choose either method, DocuWare username/password or the external identity provider.

  • Enabled: All users must authenticate via the external identity provider. DocuWare credentials are blocked unless the user or role is added to the exclusion list. Administrators can use this list to let specific accounts bypass SSO.
    The exclusion list becomes visible as soon as you activate the Enforce single sign-on option.

Important: Test the SSO setup before enforcing it

Test the SSO setup thoroughly before enforcing it. If the connection fails, every user, including organization administrators, could be locked out.

How-to guide for a safe rollout of Enforce Single Sign-On

When you as an administrator configure single sign-on (SSO) in DocuWare, you have two options for rolling the feature out to users:

  1. Optional SSO – Users may sign in with their DocuWare username/password or via SSO.  

  2. Enforced SSO – Activate Enforce single sign-on authentication for all users. Users must authenticate through the external identity provider (IdP) unless they belong to an exclusion list.

Follow the three steps below to activate enforced SSO:

Step 1 – Enable SSO and test it

1. In DocuWare Configurations > Security, set up your identity provider, but leave “Enforce SSO” unchecked for now.

2. Ask several internal users to log in via SSO to confirm the setup.  

3. If you import users with DocuWare User Sync or User Provisioning, verify those accounts can also log in via SSO.  

4. Ensure every organization administrator can authenticate via SSO. Keep at least one admin in mind for the exclusion list (see Step 2).

Step 2 – Identify accounts to exclude

Typical accounts for exclusions are:

  • External users (e.g., partners or customers) not managed by the IdP

  • Service accounts used by external applications

  • Accounts running internal DocuWare jobs (not required from DocuWare 7.13 onward)

  • Any other accounts that must stay password-based (e.g., no internet access)

How to find them:

1. Go to DocuWare Configurations > User Management and click Export users as CSV.  

2. Open the file in Excel and look for e-mail domains outside your company; these are likely external users.  

3. Review integrations and workflows to locate service accounts.

Step 3 – Roll out enforced SSO

1. Enable Enforce single sign-on authentication for all users.  

2. Add all users or roles to the exclusion list so nobody is locked out.  

3. Over the next days or weeks, remove exclusions in stages, confirming each group can log in via SSO.  

4. When finished, leave only the accounts identified in Step 2 on the exclusion list.  

5. Keep at least one administrator account excluded as a safety net.

Always test the SSO connection after any change. If the IdP becomes unavailable and no exclusions exist, all users, including admins, could be locked out.

Restrict public access

In DocuWare 7.11 and below, this section was referred to as Guest login. In DocuWare version 7.12, it has been updated to Restrict public access.

Guest login enables everybody with network access to your organization (the 'guest') to enter DocuWare without providing any credentials. The permissions granted to the guest user align with those of the DocuWare user designated as the guest. Depending on these permissions, 'guests' might be able to severely harm your system.

If you turn off Restrict public access, you can set the guest user option, which will appear on the DocuWare login page.

Important: Keep "Restrict public access" activated if possible

If you turn off Restrict public access, you make your DocuWare system available to external users who do not verify their identity using a username and password. This introduces a security risk. Consider carefully whether you want to deactivate this security setting.

Important: Guest login bypasses two-step verification and single sign-on

Guest login is not subject to two-step verification (2SV) or single sign-on (SSO), even if these methods are enforced for the designated guest user account. For example, if the user account "Elizabeth Cash" is configured as the guest login and Elizabeth Cash is required to use 2SV or SSO, anyone using the guest login still enters the system without a password, a second factor, or SSO authentication. The guest operates with all permissions assigned to Elizabeth Cash.

Before enabling guest login, verify that the designated user account has minimal permissions. Be aware that enforcing 2SV or SSO for the organization does not restrict guest access.

File types

File types entered in Restricted file types are blocked for archiving in DocuWare. Enable one of the lists to block the file types included or create a new list. The restrictions apply to all file cabinets of the organization.

The restricted file type lists are also available as an allow list and a block list in the full-text configuration.

External connections

Secure external URL locations

This functionality enhances the security of URLs stored as index data within documents. It ensures that URLs are only clickable if they direct to pre-approved, secure locations, thereby mitigating the risk of malicious URLs that may have been embedded prior to the document's storage in DocuWare.

To mark a location as secure, it must be added to this allow list. Add all relevant domains or URLs here, without “https://”. Once a domain is embedded in this allow list, all its associated subdomains and pages are also considered secure by default.
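As an added illustration (not DocuWare's implementation), the following Python function applies the allow-list semantics just described: entries are stored without a scheme, an entry covers the domain, all its subdomains and every page below the entry, and any other URL stays unclickable. The allow-list entries and sample URLs are constructed values. Matching the host on a label boundary is the check a practitioner wants here, so that a look-alike such as 'evil-example.com' is not treated as part of 'example.com'.

```python
"""Allow-list check for URLs stored as index data: a URL is clickable only if it
points to an allow-listed location. Added example, not DocuWare's implementation.
ALLOW_LIST and the sample URLs are constructed values."""
from urllib.parse import urlsplit

# Entries as the article describes them: without "https://", optionally with a path prefix
ALLOW_LIST = ["example.com", "intranet.example-corp.net/portal"]


def _parse_entry(entry: str):
    """Split 'example.com' or 'example.com/docs' into (host, path prefix)."""
    entry = entry.strip().lower()
    for scheme in ("https://", "http://"):  # tolerate a pasted scheme anyway
        if entry.startswith(scheme):
            entry = entry[len(scheme):]
    host, _, path = entry.partition("/")
    return host.rstrip("."), ("/" + path if path else "/")


def is_secure_location(url: str, allow_list=ALLOW_LIST) -> bool:
    """True if `url` may be rendered as a clickable link."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, file: and similar schemes are never clickable
    host = (parts.hostname or "").lower().rstrip(".")  # hostname drops user:pass@ and :port
    if not host:
        return False
    path = parts.path or "/"
    for entry in allow_list:
        allowed_host, allowed_path = _parse_entry(entry)
        if not allowed_host:
            continue
        # the domain itself or a subdomain, matched on a label boundary:
        # "evil-example.com" and "example.com.attacker.net" must not pass for "example.com"
        host_ok = host == allowed_host or host.endswith("." + allowed_host)
        # a path prefix covers that page and everything below it, but not "/portal-old"
        prefix = allowed_path.rstrip("/")
        path_ok = (allowed_path == "/" or path.rstrip("/") == prefix
                   or path.startswith(prefix + "/"))
        if host_ok and path_ok:
            return True
    return False
```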

Portal integration

With DocuWare 7.13, the section Portal integration (formerly in “Central Gateway”) is embedded in the DocuWare Configurations > Security settings.

The Portal integration section is only visible for organization administrators of DocuWare Cloud.

Only domains you add here are able to access DocuWare resources of your organization. For example, if a DocuWare search dialog is to be embedded in your web portal so that customers can search documents in DocuWare, the domain of your web portal must be added here. If a domain is not listed, a web portal on that domain cannot embed DocuWare elements such as forms, result lists and dialogs.

Find more details about URL Integration in Introduction URL integration.  

  • Enter domains as 'https://subdomain.website.com' or 'http://subdomain.website.com'.

IP-based access control

With DocuWare 7.13, the section IP-based access control (formerly in “Central Gateway”) is embedded in the DocuWare Configurations > Security settings.

The IP-based access control section is only visible for organization administrators of DocuWare Cloud.

Users can access a DocuWare Cloud organization only from the IP addresses entered here. This allows organizations, for example, to control which devices can access their services and to prevent unauthorized access.

Enter specific IP addresses or ranges of IP addresses from which the DocuWare Cloud services should be accessible. For example, you can restrict access so that only employees connecting from your corporate network can use DocuWare.

As long as no IP address is listed here, all IP addresses have access to the DocuWare Cloud Organization.

As soon as one IP address is entered, the access control takes effect and only the addresses specified here have access to the Cloud organization.

  • Currently DocuWare supports Internet Protocol Version 4 (IPv4).

Domain and IP address control reduces the risk of an attack by ensuring that only desired data traffic enters the network. Security is improved by preventing unauthorized or malicious websites from making requests on behalf of your users.

Supported versions: DocuWare Cloud, 7.13, 7.12, 7.11, 7.10