AdminUI configuration is set using environment variables. These can be set up in different forms, including a web.config file, a docker-compose.yml file or Azure appsettings.
Note: In Azure or IIS environments, variables are nested with either __ (Linux environments) or : (Windows environments). For example: DataProtection:Persistence:Type
Running AdminUI On a Different Port
If you need to configure the ports for the website you can add the following section to your appsettings.json file:
"Kestrel": {
  "Endpoints": {
    "Http": {
      //Your new Url Here
      "Url": "http://localhost:5020"
    }
  }
}
If you would like to see all possible config options for the Kestrel property you can find them here.
AdminUI Configuration Settings
Note: In AdminUI 4.2.0 and 5.1.0 onwards, the env.js file is no longer used for configuration and changes do not need to be made to this file. It can be removed if you choose.
AuthorityUrl
The IdentityServer installation protecting AdminUI.

UiUrl
The AdminUI website.

AzureAppServiceLogging (optional)
Used for debugging - see the enable logging page for more details.

AdminUIClientSecret
The AdminUI client shared secret value in plain text.

DbProvider
Supported types and their values are:
- SqlServer
- MySql (Note: AdminUI requires the MySQL setting lower_case_table_names to be false)
- PostgreSql

IdentityConnectionString
The connection string for the Identity database (Users, Claim Types, Roles etc.)

IdentityServerConnectionString
The connection string for the IdentityServer database (Clients, Resources, Persisted Grants etc.)

OperationalConnectionString
(Optional) The connection string for the Persisted Grants DbContext. If not supplied, AdminUI will use the IdentityServerConnectionString.

DataProtectionConnectionString
(Optional) The connection string for the DataProtectionKey DbContext. If not supplied, AdminUI will use the IdentityServerConnectionString. Only needs configuring if you are using a database to store protection keys.

RequireHttpsMetadata
When true, ensures the IdentityServer discovery endpoint uses TLS. Should be true for production.

LicenseKey
A valid license key for AdminUI.

TargetIdentityServer4
(Deprecated from version 7.0) If set to true, AdminUI will target IdentityServer4 schema. If set to false, AdminUI will target Duende IdentityServer schema. Defaults to false.

DisableBootstrap
If true, bootstrapping will not run on app startup. More information about bootstrapping can be found here. Defaults to false.

ServeUi
If true, SPA will be served by AdminUI using packaged static files. Defaults to true.

PasswordPolicy
  RequireDigit - Defaults to true
  RequireLowercase - Defaults to true
  RequireNonAlphanumeric - Defaults to true
  RequireUppercase - Defaults to true
  RequiredLength - Defaults to 6
  RequiredUniqueChars - Defaults to 1

UsernamePolicy
  AllowedUserNameCharacters - Defaults to abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@+
  RequireUniqueEmail - Defaults to true

AuditRecordsConnectionString
The database connection string for AdminUI audits. If missing, it will default to the IdentityServerConnectionString.

AuditRecordsCulture
Language used for generation of audit records. If missing or invalid, it will default to English (en-GB). Supported languages are:
- de - German
- zh-TW - Chinese (Traditional)
- zh-CN - Chinese (Simplified)
- es - Spanish
- fr - French

AuditReadActions
Defaults to true. If false, no audit records will be generated for read actions (e.g. when a user views resources through AdminUI).

LoggingMinimumLevel
Defaults to info. Supported logging levels are:
- debug
- info
- warning
- error
- critical

LoggingOutputTemplate
Defaults to [{Timestamp:dd-MM-yyyy HH:mm:ss} {Level}] {Message}{NewLine}{Exception}. For more information see the Serilog docs.

AddUserPassword
Defaults to false. If true, allows for setting a user's password on creation (this is for demo purposes only, do not use in production), see more here.

AzureAppServiceLogging (optional)
Used for debugging the API - see the enable logging page for more details.

FeatureFlags
  DefaultUserValidation - Defaults to false. If set to true, AdminUI will not prompt you to remove the default user if present.
  EnableEnforcerAuthorization - Defaults to false. If set to true, AdminUI will use the Enforcer authorization engine for more fine-grained access control. More info can be found in our 6.3 release article.
  EnableSharedScopes - Defaults to false. If set to true, AdminUI will allow scopes to be shared between protected resources.
  EnableSessionManagement - Defaults to true. Allows the management of the IdentityServer Duende session management feature. If set to false, AdminUI will not show the SessionManagement tables when viewing or editing users.
  EnableDynamicAuthentication - Defaults to Duende. Allows the management of Dynamic Authentication through AdminUI. Options are:
    Disabled - Dynamic Authentication is disabled.
    Duende - Duende IdentityServer Dynamic Authentication is enabled.

OperationalStoreSchemaName
(Optional) Changes schema name for the Operational Store. If you are planning to use this, read about custom database schema names.

ConfigurationStoreSchemaName
(Optional) Changes schema name for the Configuration Store. If you are planning to use this, read about custom database schema names.

DataProtection
Used for configuration of cookie protection and persistence.

Persistence - The type of persistence can be FileSystem or Database; these require different setup as shown below.
  Type - FileSystem
  Location - Location to persist keys
  - OR
  Type - Database
  DbProvider - Supported types and their values are:
    SqlServer
    MySql (Note: AdminUI requires the MySQL setting lower_case_table_names to be false)
    PostgreSql
  DataProtectionConnectionString - The connection string for the data protection database

Protection
The certificate or KeyVault that will protect the cookies. The two available types are KeyVault and Certificate. A Certificate can be provided by location or by thumbprint.
  Type - KeyVault
  KeyIdentifier - The Azure KeyVault certificate identifier used for key encryption.
  ClientId - The Application Client Id
  Vault - The KeyVault public Uri
  Secret - (Optional) The client secret to use for authentication. Optional valid only for Azure hosted scenarios
  - OR
  Type - Certificate (To protect with certificate you can provide either a thumbprint or a location)
  CertificateType - Thumbprint
  Thumbprint - The thumbprint of the certificate that is installed either for the user or the machine.
  - OR
  CertificateType - File
  Location - The location on disk of the certificate. We recommend using a PFX file as private key access is necessary.
  Password (Optional) - The password for the certificate

Filesystem data protection and persistence is intended for IIS installations - we recommend using the KeyVault method for protection alongside a database for persistence and protection when installing AdminUI in Azure.
TargetIdentityServer4 Flag Deprecated from v7.0
The TargetIdentityServer4 flag in the API Configuration is used to determine what version of IdentityServer you want your AdminUI to target. If you're working with an IdentityServer4 database, you'll want to set this flag to true. If you're working with a Duende IdentityServer database, you'll want to set this flag to false.
This configuration setting will change how AdminUI displays certain entities such as Protected Resources, as well as if it will display certain views.
This setting will also change what migrations will be run by the migration tool.
Example Configurations
appsettings.json:
{
  "UiUrl": "http://localhost:5000",
  "AuthorityUrl": "https://localhost:5003",
  "AzureAppServiceLogging": false,
  "LoggingMinimumLevel": "Info",
  "EFLoggingMinimumLevel": "Warning",
  "DbProvider": "SqlServer",
  "IdentityConnectionString": "Server=localhost;User Id=AdminUI;Password=Password123!;Database=IdentityExpressDb;",
  "IdentityServerConnectionString": "Server=localhost;User Id=AdminUI;Password=Password123!;Database=IdentityExpressDb;",
  "AuditRecordsConnectionString": "Server=localhost;User Id=AdminUI;Password=Password123!;Database=IdentityExpressDb;",
  "DataProtectionConnectionString": "Server=localhost;User Id=AdminUI;Password=Password123!;Database=IdentityExpressDb;",
  "RequireHttpsMetadata": false,
  "LicenseKey": "",
  "PasswordPolicy": {
    "RequireDigit": true,
    "RequireLowercase": true,
    "RequireNonAlphanumeric": true,
    "RequireUppercase": true,
    "RequiredLength": 6,
    "RequiredUniqueChars": 1
  },
  "UsernamePolicy": {
    "AllowedUserNameCharacters": "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._@+",
    "RequireUniqueEmail": false
  },
  "ReferenceTokens": {
    "UseReferenceTokens": false,
    "Secret": ""
  },
  "TargetIdentityServer4": false,
  "DisableBootstrap": false,
  "ServeUi": true,
  "FeatureFlags": {
    "DefaultUserValidation": true,
    "AddUserPassword": false,
    "EnableEnforcerAuthorization": false,
    "EnableSharedScopes": false,
    "EnableSessionManagement": true,
    "EnableDynamicAuthentication": "Duende"
  },
  "DataProtection": {
    "Persistence": {
      "Type": "Database",
      "DbProvider": "SqlServer",
      "DataProtectionConnectionString": "Server=localhost;User Id=AdminUI;Password=Password123!;Database=IdentityExpressDb;"
    },
    "Protection": {
      "Type": "Certificate",
      "CertificateType": "Thumbprint",
      "Thumbprint": "c09fb8e928ef97fbd2a78be9bfe99341a2175af4"
    }
  }
}
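A pre-deployment check for the two settings this page gives production guidance on (RequireHttpsMetadata and AddUserPassword), written as an added example and not part of AdminUI or its documentation. It assumes environment variables override appsettings.json, as in the default ASP.NET Core configuration order; the function names and the sample input are constructed for illustration.

```python
import json

# Production values stated on this page. AddUserPassword is checked at the top
# level and under FeatureFlags, where the page's example JSON places it.
EXPECTED = {
    "RequireHttpsMetadata": True,
    "AddUserPassword": False,
    "FeatureFlags:AddUserPassword": False,
}

def flatten(node, prefix=""):
    """Flatten nested JSON into 'A:B:C' keys (the ':' nesting form)."""
    flat = {}
    for key, value in node.items():
        path = f"{prefix}:{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat

def effective_settings(appsettings_text, environ):
    """Map lower-cased key -> (value, source). Assumption: env overrides the file."""
    merged = {k.lower(): (v, "appsettings.json")
              for k, v in flatten(json.loads(appsettings_text)).items()}
    for name, value in environ.items():
        # '__' and ':' are the two nesting separators the page describes.
        merged[name.replace("__", ":").lower()] = (value, f"env {name}")
    return merged

def audit(appsettings_text, environ):
    """Return one finding per setting that differs from its production value."""
    settings = effective_settings(appsettings_text, environ)
    findings = []
    for key, expected in EXPECTED.items():
        if key.lower() not in settings:
            continue
        value, source = settings[key.lower()]
        # Environment values are strings; JSON values are already booleans.
        actual = value if isinstance(value, bool) else str(value).strip().lower() == "true"
        if actual != expected:
            findings.append(f"{key}={actual} from {source}; expected {expected}")
    return findings

if __name__ == "__main__":
    # Constructed sample: a safe file weakened by one environment override.
    sample = '{"RequireHttpsMetadata": true, "FeatureFlags": {"AddUserPassword": false}}'
    for finding in audit(sample, {"FeatureFlags__AddUserPassword": "true"}):
        print(finding)
```

Each finding names the source of the effective value, which makes an environment override that weakens an otherwise correct appsettings.json visible.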
New settings model
From AdminUI 6.8 onwards there is a new way of configuring the settings for AdminUI that doesn't rely on reading configuration data from key-value pairs using configuration sources such as appsettings.json or environment variables.
The new way to define settings is via the new IAdminUISettings interface:
public class MyAdminUISettings : IAdminUISettings {
    public string DbProvider { get; set; }
    ...
}
This is how you can set it in Program.cs:
// Program.cs
var builder = WebApplication.CreateBuilder(args);
// Populate settings from anywhere you like
var settings = new MyAdminUISettings();
builder.Services.AddAdminUI(settings);
var app = builder.Build();
app.UseAdminUI();
app.Run();
If you prefer, we still support reading settings the old way by reading configuration data from key-value pairs using configuration sources such as appsettings.json or environment variables:
// Program.cs
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAdminUI(new AdminUISettings(builder.Configuration));
var app = builder.Build();
app.UseAdminUI();
app.Run();
Also for backwards compatibility, we still support the old version of AddAdminUI that reads configuration data from key-value pairs using configuration sources such as appsettings.json or environment variables, but this will be deprecated in the future:
// Program.cs
var builder = WebApplication.CreateBuilder(args);
builder.Services
    .AddAdminUI(
        options =>
        {
            // Override default options here
        }
    );
var app = builder.Build();
app.UseAdminUI();
app.Run();