This article provides information about the area DocuWare Configuration > Security.
Here, you define the security settings for your DocuWare organization. Every setting has a status of ‘enabled’ or ‘disabled’. If a setting is ‘enabled’, it potentially increases the security of your organization.
Login security
Password Policy
A password policy restricts users from using insecure passwords. Here, you specify the minimum requirements for all users' passwords:
Minimum password length
Required characters
Password validity period
Notification period before password expires
Maximum number of failed logins
Duration for which an account is locked after the maximum number of failed logins
Read the note about the new password policy, which is activated by default for all new DocuWare organizations created from version 7.12 onward. The default password policy does not apply to organizations created before version 7.12.
Session timeout
In case of inactivity, a user can be automatically logged out of DocuWare Client and DocuWare Configuration. If no input is made within a certain time, the user first receives a notification with an appropriate message before being logged out and redirected to the login window.
If the timeout is exceeded, the user is logged out of all DocuWare Client browser windows and out of DocuWare Configuration. Clicking anywhere in a browser tab will cause the timer to count down from the beginning. Automatic DocuWare Client activities such as notifications do not reset the timer. Unsaved changes are discarded when you log out.
This setting applies to all users in the organization.
In DocuWare Forms, automatic logout only takes effect for non-public forms. Public forms do not require a real login and are therefore exempt from the timeout.
Single sign-on
When the single sign-on feature is activated, users can access DocuWare using their corporate username and password.
To enable single sign-on in DocuWare, link your DocuWare organization with an external identity provider. If the external identity provider supports two-factor authentication, it can also enhance security during the DocuWare login process.
The connection interface to the external identity provider is the DocuWare Identity Service. The login procedure is as follows: The client authenticates with the external provider, which then issues a token for the DocuWare Identity Service. This token remains in the browser until it either expires or the browser cache is cleared. Once the token expires, the user must log in again to obtain a new token.
DocuWare can be connected to any identity provider that complies with the OpenID Connect protocol.
Explore examples on how to set up the connection to an Identity Provider.
Automatically assign existing users at login
With this option, DocuWare automatically links the users with the user accounts of the identity provider the first time they log in. This has the advantage that DocuWare users do not necessarily have to be created via the user synchronization app in order to use single sign-on. You can also import users manually or via an interface.
Microsoft as identity provider: If you use Microsoft Azure Entra, the same user name and e-mail address must be stored in Azure Entra and in DocuWare, for example:
Microsoft Azure Entra: peggy.jenkins@peters-engineering.net
DocuWare: peggy.jenkins or peggy.jenkins@peters-engineering.net
Other identity providers: This option must generally be enabled for single sign-on to be available. In addition, the user name in DocuWare must match the front part of the user name at the external provider:
User name at the Identity Provider: peggy.jenkins@petersengineering.com
DocuWare user name: peggy.jenkins
When a user first logs into DocuWare using Okta single sign-on, for example, the corresponding DocuWare user is identified by the user name. Once users are mapped in both systems, the DocuWare user is recognized by its external object ID. This means that even if the user name no longer matches, the user will still be recognized.
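The lookup described above, modelled as an added example that is not DocuWare code: the function names, the sample accounts, the placeholder object IDs and the case-insensitive comparison are assumptions. The audit lists provider accounts that match no DocuWare user or that share a front part, because the page does not say how a shared front part is handled.

```python
from collections import defaultdict

# Constructed sample data; the object IDs are placeholders.
DOCUWARE_USERS = {"peggy.jenkins", "tom.miller"}
IDP_ACCOUNTS = [
    ("peggy.jenkins@petersengineering.com", "oid-001"),
    ("peggy.jenkins@partner.example", "oid-002"),
    ("sam.lee@petersengineering.com", "oid-003"),
]


def front_part(idp_user_name):
    """Part of the provider user name before '@' (lower-casing is an assumption)."""
    return idp_user_name.split("@", 1)[0].lower()


def resolve_login(idp_user_name, object_id, docuware_users, links):
    """Model of the described lookup: object ID once linked, user name before that."""
    if object_id in links:
        return links[object_id]
    candidate = front_part(idp_user_name)
    if candidate in docuware_users:
        links[object_id] = candidate  # the first login creates the link
        return candidate
    return None


def audit(idp_accounts, docuware_users):
    """List provider accounts to review before automatic assignment is enabled."""
    by_front = defaultdict(list)
    for name, _object_id in idp_accounts:
        by_front[front_part(name)].append(name)
    unmatched = sorted(
        name
        for front, names in by_front.items()
        if front not in docuware_users
        for name in names
    )
    shared = {
        front: sorted(names)
        for front, names in by_front.items()
        if front in docuware_users and len(names) > 1
    }
    return unmatched, shared
```
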
Enforce single sign-on user authentication for all users
With single sign-on enforced, manual login with DocuWare credentials is restricted to specifically designated users or roles—for instance, when local applications need to directly access the DocuWare API.
Single sign-on enforcement is achievable with identity providers that support OpenID Connect and is accessible for both DocuWare Cloud and the on-premises edition.
Note
Test your single sign-on configuration before enforcing it. If single sign-on fails, all users might be locked out. Exclude at least one organization administrator from enforced single sign-on so that they can access DocuWare even if there are problems with single sign-on.
Restrict public access
In DocuWare 7.11 and below, this section was referred to as Guest login. In DocuWare version 7.12, it has been updated to Restrict public access.
Guest login enables everybody with network access to your organization (the 'guest') to enter DocuWare without providing any credentials. The permissions granted to the guest user align with those of the DocuWare user designated as the guest. Depending on these permissions, 'guests' might be able to severely harm your system.
If you turn off Restrict public access, you can set the guest user option, which will appear on the DocuWare login page.
Risk
If you turn off Restrict public access, you make your DocuWare system available to external users who do not verify their identity using a username and password. This introduces a security risk. Please consider carefully if you want to deactivate this security setting.
File types
File types entered in Restricted file types are blocked for archiving in DocuWare. Enable one of the lists to block the file types included or create a new list. The restrictions apply to all file cabinets of the organization.
The restricted file type lists are also available as an allow list and a blocking list for the configuration of the full-text.
External connections
Secure external URL locations
This functionality enhances the security of URLs stored as index data within documents. It ensures that URLs are only clickable if they direct to pre-approved, secure locations, thereby mitigating the risk of malicious URLs that may have been embedded prior to the document's storage in DocuWare.
To mark a location as secure, it must be added to this allow list. Add all relevant domains or URLs here, without “https://”. Once a domain is embedded in this allow list, all its associated subdomains and pages are also considered secure by default.
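A matcher for an allow list of this kind has to compare whole host labels and whole path segments, otherwise look-alike hosts and paths pass. The following is an added example, not DocuWare's implementation; the entries, the https-only rule and the path-prefix handling are assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed allow-list entries, written without "https://" as the page asks.
ALLOW_LIST = ["example.org", "files.example.net/manuals"]


def parse_entry(entry):
    """Split an entry into (host, path prefix); a bare domain covers every page."""
    host, _, path = entry.strip().partition("/")
    return host.lower().rstrip("."), "/" + path.strip("/")


def is_secure_location(url, allow_list=ALLOW_LIST):
    """True if url is https and lies on an allow-listed domain, subdomain or page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return False
    if parts.scheme != "https" or not host:  # assumption: https links only
        return False
    # Resolve dot segments (also percent-encoded ones) before comparing paths.
    path = posixpath.normpath(unquote(parts.path) or "/")
    for entry in allow_list:
        allowed_host, prefix = parse_entry(entry)
        # Whole DNS labels: "example.org" covers "a.example.org",
        # but not "notexample.org" or "example.org.attacker.test".
        host_ok = host == allowed_host or host.endswith("." + allowed_host)
        # Whole path segments: "/manuals" covers "/manuals/a.pdf",
        # but not "/manuals-old".
        path_ok = prefix == "/" or path == prefix or path.startswith(prefix + "/")
        if host_ok and path_ok:
            return True
    return False
```
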