Security settings for the DocuWare Organization


This article provides information about the area DocuWare Configuration > Security.

In this section you define the security settings for your DocuWare organization. Every setting has a status of Enabled or Disabled. If a setting is Enabled, it potentially increases the security of your organization.

Login security

Password Policy

A password policy restricts users from using insecure passwords.

Specify the minimum requirements for all users' passwords:

  • Minimum password length

  • Required characters

  • Password validity period

  • Notification period before password expires

  • Maximum number of failed logins

  • Lockout duration: how long an account stays locked after the maximum number of failed logins has been reached

Read the note about the new password policy, which is activated by default for all new DocuWare organizations created from version 7.12 onward. The default password policy does not apply to organizations created before version 7.12.

Two-step verification

With DocuWare 7.13 and later, DocuWare administrators can activate or deactivate two-step verification for all users in the organization.

Two-step verification enabled:

All users have the option to configure two-step verification for their individual account. This is called the opt-in model.

  • User configuration: Each user can activate the two-step verification in their DocuWare profile: DocuWare Web Client > Profile & Settings > Security tab. Users will also need to use an authenticator app - see next point.

  • Authenticator app: To log in to DocuWare with two-step verification, users need a TOTP-compatible authenticator app on their mobile device. DocuWare supports a range of widely used authenticator apps, including Microsoft Authenticator, Google Authenticator, and Duo Mobile.

    How a one-time password works

    A one-time password (OTP) is a numeric or alphanumeric code that can be used only once to verify a user's identity. Unlike a static password, an OTP is generated on demand, typically by an authenticator app or hardware token, from a secret key that is shared with DocuWare. The most common variant, the time-based one-time password (TOTP), combines this secret with the current time to produce a six-digit code that changes every 30 seconds. Because each code is valid for only a brief interval and the secret never leaves the user's device, OTPs greatly reduce the risk of replay attacks, credential theft, and phishing. When a user enters the OTP during login, DocuWare runs the same algorithm with the same time reference to verify the code; if the two codes match, access is granted.

Two-step verification disabled:

When two-step verification is switched off, users can no longer sign in with two-step verification; only username and password are required. DocuWare sends no automatic notification, so users will simply notice that the second factor is no longer requested.

If the administrator later turns two-step verification on again, every user must set up the authenticator app from scratch, again without any system message.

Sudden toggling of this setting therefore causes confusion and unnecessary support calls. Disable it only when absolutely necessary and inform users in advance.

What to do if the user has lost the mobile phone?

If the mobile phone of a DocuWare user is lost, that user can no longer log in to DocuWare. In this case the DocuWare administrator can deactivate two-step verification for the user in DocuWare Configurations > User management, so that the user can log in to DocuWare with username and password.

Session timeout

In case of inactivity, a user can be automatically logged out of DocuWare Client and DocuWare Configuration. If no input is made within a certain time, the user first receives a notification with an appropriate message before being logged out and redirected to the login window.

If the timeout is exceeded, the user is logged out of all DocuWare Client browser windows and out of DocuWare Configuration. Clicking anywhere in a browser tab restarts the timer from the beginning. Automatic DocuWare Client activities such as notifications do not reset the timer. Unsaved changes are discarded when you are logged out.

This setting applies to all users in the organization.

In DocuWare Forms, automatic logout only takes effect for non-public forms. Public forms do not require a real login and are therefore exempt from the timeout.

Single sign-on

Single sign-on (SSO) allows users to access DocuWare using their corporate credentials, so they do not need to remember separate DocuWare usernames and passwords. This functionality simplifies the login experience and can improve security by utilizing the authentication methods of the corporate identity provider, such as two-factor authentication.

To enable single sign-on in DocuWare, you must integrate your DocuWare organization with an external identity provider. You need to have access to the identity provider to perform the integration.

The SSO configuration dialog has slightly changed with DocuWare 7.13. Also, there is a Test button added. If you are running DocuWare version 7.12 or earlier, you may notice that some elements are located in different places and that you cannot test your configuration before saving it. The configuration options themselves, however, have not changed.

DocuWare supports several types of identity providers - see below. Each DocuWare organization can connect to only one external identity provider.

Microsoft Entra ID

Microsoft Entra ID, formerly known as Azure Active Directory, is a comprehensive identity and access management solution that provides secure access to applications and resources for organizations of all sizes.

Open ID Connect (OIDC)

OpenID Connect (OIDC) is an open standard that is widely used for implementing single sign-on (SSO) across various applications and services. Most professional identity providers support OIDC.

  • Read more information about using an OIDC compatible external identity provider.

  • Read more about a sample configuration using Okta.

Microsoft Active Directory Federation Services (ADFS)

Microsoft Active Directory Federation Services (AD FS) is a single sign-on (SSO) solution that enables organizations to provide authenticated access to applications and systems across organizational boundaries.

Note: Microsoft recommends using Microsoft Entra ID instead of ADFS (source) and might deprecate this feature in the future.

Restrict public access

In DocuWare 7.11 and below, this section was referred to as Guest login. In DocuWare version 7.12, it has been updated to Restrict public access.

Guest login enables everybody with network access to your organization (the 'guest') to enter DocuWare without providing any credentials. The permissions granted to the guest user align with those of the DocuWare user designated as the guest. Depending on these permissions, 'guests' might be able to severely harm your system.

If you turn off Restrict public access, you can set the guest user option, which will appear on the DocuWare login page.

Risk

If you turn off Restrict public access you make your DocuWare system available to external users who do not verify their identity using a username and password. This introduces a security risk. Consider carefully if you want to deactivate this security setting.

File types

File types entered in Restricted file types are blocked for archiving in DocuWare. Enable one of the lists to block the file types included or create a new list. The restrictions apply to all file cabinets of the organization.

The restricted file type lists are also available as an allow list and a blocking list for the configuration of the full-text.

External connections

Secure external URL locations

This functionality enhances the security of URLs stored as index data within documents. It ensures that URLs are only clickable if they direct to pre-approved, secure locations, thereby mitigating the risk of malicious URLs that may have been embedded prior to the document's storage in DocuWare.

To mark a location as secure, it must be added to this allow list. Add all relevant domains or URLs here, without “https://”. Once a domain is embedded in this allow list, all its associated subdomains and pages are also considered secure by default.
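One way to implement the allow-list check described above, as an added example that is not DocuWare's own code: entries are stored without a scheme, a match covers the domain itself and any subdomain, and an optional path in the entry restricts matching to pages under that path. The domain matching requires a dot boundary, so an unrelated host that merely ends with the allowed name is not treated as a subdomain, and the host is taken from the parsed URL so user-info before an @ cannot disguise the real destination. The allow-list entries are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample allow list, entered without "https://" as the setting expects.
ALLOWED_LOCATIONS = ["docs.example.com", "partner.example.net/portal"]


def _normalise(entry: str):
    """Split an allow-list entry into (host, path prefix); hosts are case-insensitive."""
    entry = entry.strip().lower().rstrip("/")
    host, _, path = entry.partition("/")
    return host, ("/" + path) if path else "/"


def is_secure_location(url: str, allow_list=ALLOWED_LOCATIONS) -> bool:
    """True when the URL points at an allowed domain or one of its subdomains
    (and, for entries that carry a path, at a page under that path)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()   # hostname ignores user-info and port
    path = parts.path or "/"
    if parts.scheme not in ("http", "https") or not host:
        return False  # javascript:, data:, mailto: and relative links are never clickable
    for entry in allow_list:
        allowed_host, allowed_path = _normalise(entry)
        # Exact host or a real subdomain: the dot boundary stops
        # "evil-docs.example.com" from matching "docs.example.com".
        host_ok = host == allowed_host or host.endswith("." + allowed_host)
        path_ok = (allowed_path == "/" or path == allowed_path
                   or path.startswith(allowed_path + "/"))
        if host_ok and path_ok:
            return True
    return False
```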

Portal integration

With DocuWare 7.13, the section Portal integration (formerly in “Central Gateway”) is embedded in the DocuWare Configurations > Security settings.

The Portal integration section is only visible for organization administrators of DocuWare Cloud.

Only domains you add here are able to access DocuWare resources of your organization. For example, if a DocuWare search dialog is to be embedded in your web portal so that customers can search documents in DocuWare, the domain of your web portal must be added here. If a domain is not listed here, that web portal is blocked from embedding DocuWare elements such as forms, result lists and dialogs.

Find more details about URL Integration in Introduction URL integration.  

  • Enter domains as 'https://subdomain.website.com' or 'http://subdomain.website.com'.

IP-based access control

With DocuWare 7.13, the section IP-based access control (formerly in “Central Gateway”) is embedded in the DocuWare Configurations > Security settings.

The IP-based access control section is only visible for organization administrators of DocuWare Cloud.

Users may only access a DocuWare Cloud organization from the IP addresses entered here. This allows an organization, for example, to control which devices can reach its services and so prevent unauthorized access.

Enter specific IP addresses or ranges of IP addresses from which the DocuWare Cloud services should be accessible. For example, you can restrict access so that only employees connecting from your corporate network can use DocuWare.

As long as no IP address is listed here, all IP addresses have access to the DocuWare Cloud Organization.

However, if one IP address is entered, the access control takes effect and only the addresses specified here have access to the Cloud Organization.

  • Currently DocuWare supports Internet Protocol Version 4 (IPv4).
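The access decision described above, as an added example that is not DocuWare's own code: an empty list leaves the control inactive and admits every address, a non-empty list admits only the listed IPv4 addresses or ranges, and IPv6 entries are rejected at configuration time because the setting currently supports IPv4 only. The addresses used are constructed documentation ranges, not real customer values.

```python
import ipaddress


def parse_allow_list(entries):
    """Parse configured IPv4 entries: single addresses ('203.0.113.7'), CIDR ranges
    ('203.0.113.0/24') and dash ranges ('192.0.2.10-192.0.2.20'). Anything that is not
    IPv4 raises ValueError, mirroring the IPv4-only restriction of the setting."""
    networks = []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        if "-" in text:
            low, high = (ipaddress.IPv4Address(p.strip()) for p in text.split("-", 1))
            networks.extend(ipaddress.summarize_address_range(low, high))
        else:
            networks.append(ipaddress.IPv4Network(text, strict=False))
    return networks


def is_access_allowed(client_ip: str, networks) -> bool:
    """Empty list: access control is inactive and every address may connect.
    Non-empty list: only listed addresses may connect; an IPv6 client can never
    match an IPv4-only list and is therefore refused once the control is active."""
    if not networks:
        return True
    addr = ipaddress.ip_address(client_ip)
    if addr.version != 4:
        return False
    return any(addr in net for net in networks)


if __name__ == "__main__":
    allowed = parse_allow_list(["203.0.113.0/24", "198.51.100.10", "192.0.2.10-192.0.2.20"])
    for ip in ("203.0.113.77", "192.0.2.21", "198.51.100.10"):
        print(ip, "allowed" if is_access_allowed(ip, allowed) else "blocked")
```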

Domain and IP address control reduces the risk of an attack by ensuring that only desired data traffic enters the network. Security is improved by preventing unauthorized or malicious websites from making requests on behalf of your users.