
System Settings

On this page, within the Single Sign On menu, view information about the overall system settings for the Cloud SSO app.

OpenID / OAuth2 Settings

Signing Key Algorithm

Select the desired signing key type for JWT tokens generated from OpenID Connect sign-ins.

RS256 is the required (and preferred) key type according to the OpenID Connect standard. Others are compatible but not required by the OIDC spec.


Key Size

Hash Strength

  • 512-bit Alphanumeric Symmetric Key (HMAC signed): Symmetric key mode. Each Client App has its own independent JWT signing key.

  • 2048-bit RSA Key: Asymmetric key mode. A public and private keypair are generated and shared amongst all client apps within your SSO domain / account.

  • 4096-bit RSA Key: Asymmetric key mode. A public and private keypair are generated and shared amongst all client apps within your SSO domain / account.

Changing your signing key setting will immediately regenerate your public and private keys and update your JWKS endpoint. There is no way to recover previous keys at this time.
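An added example, not part of the vendor's documentation: how a client app might verify an HS512-signed token with its own key, pinning the algorithm rather than trusting the token header and checking the issuer. It also shows that a token signed before a key regeneration no longer validates. The key values, issuer URL and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders, not values from any real SSO account.
ISSUER = "https://sso.example.org"
OLD_KEY = b"constructed-client-key-before-regeneration"
NEW_KEY = b"constructed-client-key-after-regeneration"


def b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs512(claims, key, alg="HS512"):
    # Builds constructed sample tokens so the example runs offline.
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha512).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def verify_hs512(token, key, expected_issuer):
    """Return the claims of a valid token; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the configured algorithm; never let the token header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha512).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    return claims
```

A production verifier would also check the expiry and audience claims, which are left out here to keep the focus on the signing key setting.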

X.509 Public Key and RSA Private Key

These keys are generated automatically whenever the Signing Key Algorithm setting changes.

If you choose HS512 as your signing key type, these fields will be blank, as public/private keypairs are not used for symmetric (HMAC) key types.

Do not share your private key with anyone. Third-party apps and vendors DO NOT need your private key in order to complete SSO flows.

If you accidentally share or make your private key public, you can regenerate a new keypair by switching the signing algorithm setting to a different value, saving the page, and then changing the setting back, saving one more time.

Allow Implicit Auth Flow

Implicit auth flow is typically used when implementing a connected SSO app via JavaScript. Implicit flow has certain security considerations, so do not enable this feature unless a third party you are integrating with requests it. Confirm with the third party that they are not able to utilize code flow, which is preferred over implicit flow.

Allow Alternate Profile Auth

Allows the OAuth2 access token to be passed via the query string to the userinfo endpoint (e.g. /openid/userinfo?access_token=xxxxxxxxxx). Only required by certain third parties. Leave off unless your third party provides documentation that requires this to be on.
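Access tokens passed in the query string are recorded wherever request URLs are logged. The following added example (not part of the vendor's documentation) scans access log lines for an access_token parameter and masks its value, so you can see which requests carried one; the log format, sample lines and function names are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines; addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /openid/userinfo?access_token=constructed-token-1 HTTP/1.1" 200 312',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /openid/userinfo HTTP/1.1" 200 312',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] '
    '"GET /openid/userinfo?foo=1&Access_Token=constructed-token-2 HTTP/1.1" 200 312',
]


def redact_target(target):
    """Mask any access_token query value; report whether one was present."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(name.lower() == "access_token" for name, _ in pairs):
        return target, False
    masked = [(n, "REDACTED" if n.lower() == "access_token" else v)
              for n, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked))), True


def scrub_log(lines):
    """Return (scrubbed lines, indexes of lines that carried a token)."""
    scrubbed, hits = [], []
    for index, line in enumerate(lines):
        match = REQUEST_RE.search(line)
        if match:
            target, found = redact_target(match.group("target"))
            if found:
                hits.append(index)
                start, end = match.span("target")
                line = line[:start] + target + line[end:]
        scrubbed.append(line)
    return scrubbed, hits
```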

Send SSO Domain As Issuer

Certain SPs (service providers) will check the issuer property to verify that it matches your SSO base domain.

For backwards compatibility, when this setting is disabled (the default), the issuer is always sent as:

If this setting is enabled, then the issuer will be set to your own custom domain, e.g.:

Reauthorization Grace Period

Reauthorization, or re-consent, occurs after a period of time in which the user is prompted to allow the third party application to access their profile information.

You may set a value, in months, from 2 to 120.

Certain websites don't prompt users to reauthorize connected apps, such as Facebook. Others do after a period of time.

If you would like to have users re-consent with the third party, a recommended value is between 6 and 12 months.

If you would like to disable re-consent, set this value to 120.

Maintenance and Access

Maintenance Mode

This setting allows the SSO site to be brought down for maintenance. This setting takes effect immediately.

ALL SSO integrations (Client Apps) will stop working if maintenance mode is enabled. Use with caution.

If enabled, all endpoints will return error code HTTP 503 Maintenance. For API calls, a JSON error message is returned. For user-facing pages, a message is displayed to the user.

You may customize the HTML on the maintenance page by using the Maintenance Mode HTML Content field. This field optionally supports HTML. The content inside this field is automatically centered on the page, and the text is centered inside its parent <div>. If using HTML, ensure HTML tags are correct and error-free.

No Access Page Content

If you would like to customize the out-of-the-box "No Access" page, in the lower-right corner of the Branding section, there are two fields for this, No Access Header and No Access HTML Body.

The header must be plain text, but the body can contain limited HTML formatting.

The No Access body is wrapped in a <div> automatically, so you do not need to include any block-level elements such as a div or p tag if you don't want to.

The No Access page is rendered like this by default:

  1. The No Access Header is printed here.

  2. The No Access HTML Body is printed here (wrapped in a <div>).

  3. The current user's username is added to the page, so if the user takes a screenshot of this page and sends it in for support, their username is visible.

iMIS Identity Settings

Select one of the following iMIS identity setting tabs.

Select iMIS EMS / 2017 if you are on iMIS 2017, iMIS 20/20 Advance, iMIS EMS, or iMIS Professional ("100").

Select Legacy (Forms Auth) if you are on iMIS 2017 and are self-hosted or have full control over your environment (i.e. you are able to work with Forms Auth and Machine Key settings for iMIS).

Identity Mode: iMIS EMS / 2017

Separate Settings

There are two sections on the iMIS Cloud tab, one for OpenID Application and one for SAML Application.

If you are only using one SSO protocol, please only fill out the appropriate section. For example, if you are only using SAML, you will need to enter your iMIS client application settings into the SAML Application section. You may leave the OpenID Application section blank.

If you are using both SSO protocols at the same time, you will need to set up two separate iMIS client application records, one for SAML and one for OpenID. The Endpoint Info page contains the correct callback URL for each technology.

iMIS Client Application

Select the configured client application from the dropdown.

iMIS Client Secret

Enter the client secret that was also entered into the RiSE configuration for this client application.

If you forgot your client secret, you can reset it to a new value from within RiSE, and then enter the same value here.


Enter the fully qualified path to the RiSE page where the SSO iPart was configured for this client application.

Note that the RiSE page must be publicly visible, and restricted to "Authenticated Users", e.g. place it behind the login page so users must log in first before accessing it.

Identity Mode: Legacy (Forms Auth)

Legacy Deprecation Warning

These settings are intended for existing customers, for legacy purposes only.

New customers should not use this configuration. Instead, configure Cloud SSO using the newer RiSE / iMIS EMS mode above.

Cookie / Forms Authentication Settings

Cookie Name

Specify the name of your iMIS Forms Authentication cookie. Note that this value should match what is in the iMIS web.config file.

Cookie Domain

Specify the domain that the cookie is enabled for. This value is typically (including the leading . character). Note that this value should match what is in the iMIS web.config file.

Cookie Path

Specify the cookie path of your iMIS Forms Authentication cookie. This value is almost always /. Note that this value should match what is in the iMIS web.config file.

Machine Validation Key

Specify the validationKey value from the <machineKey> element in your iMIS web.config file.

Machine Decryption Key

Specify the decryptionKey value from the <machineKey> element in your iMIS web.config file.

Compatibility Warning

If you have the app setting aspnet:UseLegacyFormsAuthenticationTicketCompatibility enabled in your iMIS web.config file, you will need to first disable it before using the Cloud SSO app.

These items are optional.

Create Account URL

Optional. If a fully-qualified URL is specified, a "Create Account" link will be added to the sign-in page.

Forgot Password URL

Optional. If a fully-qualified URL is specified, a "Forgot Password" link will be added to the sign-in page.

Branding and Styling

In iMIS Cloud mode, even though users do not see the branded sign-in page, these settings are still used to display a branded OAuth2 Consent screen to each user. Please fill out this section regardless of the iMIS Identity mode chosen above.

The following items are customizable on the sign-in page that is presented to your users:

  • Logo (96x96, 8 KB or less, PNG or JPG)

  • General Text Color

  • Page Background Color

  • Text Box Text Color

  • Text Box Background Color

  • Text Box Border Color

  • Button Text Color

  • Button Background Color

A preview of the sign-in screen will render to the right of the branding section. As color values are updated on the left, the preview will reflect these changes instantaneously.
