==Privacy and Security Policies==
Within your system you will need to setup Privacy and Security Policies. You will set these polices up for several language and country combinations. Typically a privacy policy will say what type of information you collect, why it is collected, how it is collected , what you will use the information for, who will have access to the information, how users will be notified of changes to the policy and who to contact regarding privacy concerns. Learn more about [[Configuring_Privacy,_Confidentiality_and_Other_Policies|Configuring Privacy and Security Policies]]
The login page will have a button called Privacy & Security Policies in the main panel below the email and password inputs.
If you have chosen a date for Enforce User Acceptance the user will be brought directly to your policies upon login.
=Configuration - Advanced=
==ReCAPTCHA Security==
Login pages will automatically enable Google reCAPTCHA functionality in order to ensure security standards. In order to modify or disable this setting, go to '''Global Settings > Security '''and scroll down to the bottom of the page.
:: [[File:Recaptcha.png|800px|border]]
==Error Message==
In order to display an '''Error Message '''when an incorrect login username or password is provided, simply include the following variable into the Login Screen HTML: '''@errmsg@'''
The system will always save a list of all invalid logins. See how to access this list [[Login Page#Invalid Login Audit|here]].
==Popup Blocker Check==
The login page can be configured to check whether users have a pop-up blocker enabled; it will enable a suggestion to the user that they disable their pop-up blocker for the SmartSimple system.
The source code of the login page will include a code for a pop-up blocker warning message, but by default this will be disabled.
[[Image:PBWarning1.png|1200px|border]]
To enable the warning message, simply remove the text '''disabled="disabled" '''from the source code, then click '''Save '''at the bottom.
[[Image:PBWarning2.png|1100px|border]]
Any users that are using a browser with a pop-up blocker enabled will consequently see the following alert message on their screen when they access the login page:
:: [[Image:PBWarning3.png|300px|border]]
==JavaScript==
The following [[JavaScript]] can be added to the login page for further customization.
===Forgot Password===
: '''HTML: '''Forgot your password? Please click .
: '''JavaScript: '''
<pre>function passwdwin(){
window.open('/s_requestpassword.jsp', 'pwdwin',
'left=200,top=200,toolbar=0,width=300,height=214,directories=no,status=no,
scrollbars=no,resizable=no,menubar=no,alwaysRaised=yes');
}</pre>
The system-generated email sent to the user after selecting the '''Forgot Password '''option can be configured from [[Email#Email Templates for User Activation and Password|Email Templates for User Activation and Password]].
===Branch-Specific Forgot Password===
This functionality can be used when a user exists in the system multiple times with the same email address, but against different branches (organizations). The configuration means that only the password for the user account ''under a specific branch ''will be updated.
: '''HTML: '''Forgot your password? Please click .
* Where ''12345 ''is the [[Companyid]].
: '''JavaScript: '''
<pre>function passwdwin(branch) {
window.open('/s_requestpassword.jsp?branchid='+branch,'pwdin','left=200,top=200,toolbar=0,width=300,height=214,directories=no,
status=no,scrollbars=no,resizable=no,menubar=no,alwaysRaised=yes');
} </pre>
A login page can be configured with multiple '''Forgot Password '''links, each including a different companyid as the parameter. Alternatively, you can create multiple login pages with a single link/companyid included on each page.
When the user clicks on the '''Forgot Password '''link, enters their password, and submits it, then the underlying code will search for the entered email address in the company and all of its sub-organizations. It will then email the password for that branch-specific user account.
* The email sent can then be configured with [[Sslogic]] to tailor the content of the email to the specific branch.
* The error message displayed on this page when an invalid email is entered can be altered using the [[Language Library]].
==Alternate Login Pages==
The '''Alternate '''tab from the Login Page list view is used to view and create multiple custom login pages for various groups of users within the same system. It uses virtual alias to mask their instance [[URL]].
When you click the '''+ '''icon at the top of the '''Alternate '''tab to create a '''New Alternate Login Page, '''you will be brought to the following form:
:: [[File:Alternate login pages.png|800px|border]]
{| class="wikitable"
|-
||'''Login Page Name'''
||Name of the virtual alias login page
|-
||'''Description'''
||Description of the virtual alias login page
|-
||'''Scope Organization'''
||Lookup that allows the virtual alias login page to be restricted to users in the selected organization
|-
||'''Virtual Folder Name'''
||User adds a name such as "grants," and then you can direct different users to appropriate logins
|-
||'''Web Alias'''
||User enters the alias they want - for example, "gms" - instead of the instance-defined alias
|-
||'''Persistent Cookies'''
||Enable or disable persistent cookies. Rather than having to log into SmartSimple each time you open your web browser, a "cookie" can be installed on your computer that will automatically authenticate you, allowing you to bypass the login screen and having to re-enter your credentials.
|-
||'''Attach User Identifier'''
||
|-
||'''Encrypt URL'''
||Enable or disable the encryption of the URL
|-
||'''Redirect URL'''
||Enter URL for users to be redirected to upon successful login
|-
||'''Primary Role'''
||Select from the available system roles to choose the primary default role that a user will have when they log in from this alternate login page. This function is used to force the user to see the correct portal.
|-
||'''Login Type'''
||
Select from the drop-down for the three available options: All Users, Activated Users Only, No Access
|-
||'''User Field'''
||This is the field that will be used on the login page to uniquely identify the specific user when they log in. This is typically set to '''Email Address. '''
|-
||'''Password Field'''
||This is the field on the login page that will be used to capture the user password when they login.
|-
||'''Login Error Message'''
||This is the error message that will appear on the login page after a failed login attempt.
|-
||'''Login Page Content'''
||'''Insert Sample Template - '''Click this hyperlink to autopopulate the text window with a sample template for a login page. Otherwise, you can insert in your own customized content. You can use the '''HTML Editor '''button at the bottom in order to open a pop-up that displays the content as it will be shown to the user from the HTML.
|}
==Login Security Features==
Login security is related to the '''System Security '''section of your [[SmartSimple]] copy. In order to disable or enable certain security measures relating to the process of logging in and out of SmartSimple, follow these steps:
1. Click on the 9-square menu icon on the top right of your page.
:: {{Icon-Menu}}
2. Under the heading '''Configuration, '''select '''[[Global Settings]].'''
3. Click on the tab called '''Security.'''
4. Scroll down until you see the subheading '''System Security. '''
Many system security features will be listed, with a certain few pertaining to login and logout activity for users. These are outlined in red in the screenshot below, and each explained in greater detail in the subsections.
:: [[File:Login security.png|700px|border]]
For more information regarding aspects of system security not just related to logging in and out, please see our [[Security Settings]] page.
===Enable Logout===
Enabling this function will terminate the session and automatically log out the user when they navigate to a different website, close the browser, or click '''Logout. '''
===Disable External Login Shortcut===
This function will disable the use of external login shortcut from the URL. '''Because there are security implications to using the external login shortcut (see below), disabling the feature completely is a good preventative measure.'''
=====What is the External Login Shortcut?=====
This function allows you to ''bypass ''Login Page Scripting that you have added to the Login Page. However, this technique should only be used when it is completely necessary because there are numerous security implications:
* The URL being opened may be available to other users on the same machine on which you are browsing
* The URL retrieved from the remote machine may be logged elsewhere (i.e. Proxy Server history, DNS server)
* Your browser history may retain the URL, '''including your password'''
The conditions for when you should use this technique include:
* When the '''Login Page Scripting '''is not functioning correctly
* When you ''clone ''a copy of [[SmartSimple]] and the original copy contain a Login Script that prevents you from accessing the clone
<pre> Never create this technique as a browser shortcut because the username and the password are exposed. </pre>
To employ this method of accessing your SmartSimple [[instance]], you use the following type of URL:
: http://Alias.smartsimple.biz/exlogin.jsp?alias=alias&user=username&password=password
* '''exlogin.jsp '''is case-sensitive
===Disable Session Timeout Alert===
This function will disable both a 30-second alert and a re-login prompt for a Session Timeout (if Session Timeout is set).
In order to set Session Timeout, simply scroll up above to the heading '''Business Security. '''The last field box in that section will allow you to set ''x'' amount of minutes of inactivity before the user's session will automatically initiate Session Timeout.
:: [[File:Session timeout setting.png|600px|border]]
===Disable Login Token Check===
By disabling this feature, you allow the same user to be logged in from multiple sessions. This is a function primarily used only for load-testing purposes. It is strongly recommended that this feature is ''not ''set when going live.
==Invalid Login Audit==
In order to access a [[List View Overview|list]] of all invalid logins from your [[SmartSimple]] [[instance]], follow these steps:
1. Click on the 9-square menu icon on the top right of your page.
:: {{Icon-Menu}}
2. Under the heading '''Configuration, '''select '''Global Settings.'''
3. Click on the tab called '''Security.'''
4. Click on the hyperlink called '''Password and Activation Policies.'''
5. Click on the fourth tab labelled '''Invalid Login Audit.'''
The list of invalid logins will be displayed:
:: [[File:Invalid login audit.png|950px|border]]
The fields for invalid logins include '''IP Address, User Name '''(denoted as an email address), and the '''Time '''of the invalid login.
Using the Search fields on the top right, you are also able to apply [[Filters]] by time period ('''Year '''and '''Month''') and/or by username.
=Settings Explained=