# Identity Server AppSettings.json > The `appsettings.json` file (`C:\Program Files (x86)\UiPath\Orchestrator\Identity`) contains the out-of-the-box configuration settings for Identity Server. A second, identical file, `appsettings.Production.json`, is the one that contains **your specific** Identity Server settings. The `appsettings.json` file (`C:\Program Files (x86)\UiPath\Orchestrator\Identity`) contains the out-of-the-box configuration settings for Identity Server. A second, identical file, `appsettings.Production.json`, is the one that contains **your specific** Identity Server settings. :::important * To configure Identity Server to your liking, you should modify the `appsettings.Production.json` file. This file overrides any pre-existent settings within `appsettings.json` after each installation process. * If you use versions 2023.4 and up, and have modified `applicationhost.config` by adding `X-Content-Type-Options`, you must remove it from the Identity `appsettings.Production.json` file. See the following example: ``` <?xml version="1.0" encoding="utf-8"?> <configuration> <location path="." inheritInChildApplications="false"> <system.webServer> <httpProtocol> <customHeaders> <remove name="X-Powered-By" /> <!-- <add name="X-Content-Type-Options" value="nosniff" /> --> </customHeaders> ``` ::: :::note It is recommended that only administrators change the values of these parameters. Additionally, it is recommended that you shut down the IIS server in order to modify `appsettings.Production.json` settings under any circumstances. Parameters that are not documented in this page should not be changed. All parameters are **case sensitive**. ::: ## Settings Priority Settings can be configured in multiple places. Here are the priorities used by Identity Server when determining the value of a setting, listed from high (1) to low (3): 1. Value within the `appsettings.Production.json` file 2. Value within the `appsettings.json` file 3. Default value set in the code. Used only if a specific setting can't be found within `appsettings.Production.json` or `appsettings.json`. ## Settings The `appsettings.json` file has an internal structure composed of multiple JSON sections separated by a comma. ### Connection Strings The `ConnectionStrings` section is used to store the Identity Server database connection string. This value is populated by the installer. This setting has values within `appsettings.Production.json` and `appsettings.json`. ``` "ConnectionStrings": { "DefaultConnection": "Server=.\\sqlexpress;Database=IdentityServer;User ID=;Password=;" } ``` ### Encryption The `EncryptionSettings` section is used to store [tenant encryption keys](https://docs.uipath.com/orchestrator/standalone/2022.10/user-guide/setting-up-encryption-key-per-tenant). The values are automatically migrated from Orchestrator's `UiPath.Orchestrator.dll.config` during installation. This setting has values within `appsettings.Production.json` and `appsettings.json`. ``` "EncryptionSettings": { "EncryptionKey": "3wkO1hkaXLwR9LZoRZIueIxG3GIEB/YMDZUWhD9AR8g=" } ``` Identity Server can be configured to use a local key (see above) or an Azure Key Vault (see below), just like Orchestrator. ``` "EncryptionSettings": { "MultiTenantEncryptionKeyProvider": "AzureKeyVault", "EncryptionKeyPerTenant": true, "AzureKeyVaultAddress": "keyVaultAddress", "AzureKeyVaultCertificateThumbprint": "keyvaultCertificateThumbprint", "AzureKeyVaultClientId" : "azureClientId" }, ``` * `MultiTenantEncryptionKeyProvider` - Indicates in which key management application to store the encryption keys generated per tenant from Orchestrator. By default, the setting has `ConfigFileKey` value within the code. The accepted values are `AzureKeyVault` and `ConfigFileKey`. During Identity Server installation, the value is copied from UiPath.Orchestrator.dll.config `EncryptionKeyPerTenant.KeyProvider` setting. The following Identity Server keys match the Orchestrator keys within `UiPath.Orchestrator.dll.config`'s [SecureAppSettings](https://docs.uipath.com/orchestrator/standalone/2024.10/installation-guide/uipath-orchestrator-dll-config#secureappsettings) section: | Identity Server Key | Orchestrator Key | | --- | --- | | `EncryptionKeyPerTenant` | `EncryptionKeyPerTenant.Enabled` | | `AzureKeyVaultAddress` | `Azure.KeyVault.VaultAddress` | | `AzureKeyVaultCertificateThumbprint` | `Azure.KeyVault.CertificateThumbprint` | | `AzureKeyVaultClientId` | `Azure.KeyVault.ClientId` | | `AzureKeyVaultDirectoryId` | `Azure.KeyVault.DirectoryId` | | `MultiTenantEncryptionKeyProvider` | `EncryptionKeyPerTenant.KeyProvider` | :::important If [CertificatesStoreLocation](https://docs.uipath.com/orchestrator/standalone/2024.10/installation-guide/uipath-orchestrator-dll-config#uipathorchestratordllconfig) parameter in `UiPath.Orchestrator.dll.config` is set to `LocalMachine`, make sure that `AzureKeyVaultCertificateStoreLocation` in `appsettings.Production.json` has the same value. ::: :::important If you change the [Encryption Key](https://docs.uipath.com/orchestrator/standalone/2024.10/installation-guide/uipath-orchestrator-dll-config#secureappsettings) or the [Azure Key Vault](https://docs.uipath.com/orchestrator/standalone/2024.10/installation-guide/uipath-orchestrator-dll-config#password-vault) settings inside Orchestrator’s `UiPath.Orchestrator.dll.config`, you must also update Identity Server's `appsettings.Production.json` with the same values. ::: ### Logging The `Logging` section configures the log level for each component used by Identity Server. This is a generic logging configuration. Find more information [here](https://docs.microsoft.com/en-us/aspnet/core/fundamentals/logging/?view=aspnetcore-3.1#configuration). This section has values within `appsettings.json`. ``` "Logging": { "LogLevel": { "Default": "Trace", "Microsoft": "Warning", "Microsoft.Hosting.Lifetime": "Information" } } ``` Identity Server provides some defaults for a few major components like `Microsoft` and `Microsoft.Hosting.Lifetime`. ### NLog The `NLog` section is used to define how information is logged in Identity Server via NLog targets, just like in Orchestrator. This section has values within `appsettings.json`. ``` json "NLog": { "IncludeScopes": true, "throwConfigExceptions": false, "targets": { "EventLog": { "type": "EventLog", "source": "IdentityService", "layout": "${longdate} ${logger} ${message}${onexception:${newline}${exception:maxInnerExceptionLevel=10:format=shortType,message,stacktrace:separator=*:innerExceptionSeparator= }}" } }, "rules": [ { "logger": "*", "minLevel": "Info", "writeTo": "EventLog" } ] }, ``` By default, NLog is configured to write logs to ApplicationEvents. Read [here](https://github.com/NLog/NLog.Extensions.Logging/wiki/NLog-configuration-with-appsettings.json) more information about how to configure NLog using a JSON section. ### App Settings The `AppSettings` section is Identity Server's main configuration section. This section has values within `appsettings.Production.json` and `appsettings.json`. * `IdentityServerAddress` - Represents the audience that Identity Server checks when validating the token used to call Identity Server API. During installation, this field is automatically populated inside the `appsettings.Production.json` with Identity Server's address. **Do not modify this value** because it will break Orchestrator data propagation. This setting has values within `appsettings.Production.json` and `appsettings.json`. :::note Make sure to provide a lowercase URL as a value for `IdentityServerAddress`; otherwise, an error occurs. ::: * `Saml2ValidCertificateOnly` - If set to `true`, it doesn't allow the use of invalid certificates when configuring SAML2. By default, the setting has `true` value within the code. * `EnablePII` - When set to `true`, the exceptions contain sensitive information (for example, the URL address of the external identity provider, or the address of Identity Server, etc.) By default, the setting has `false` value within `appsettings.json` and the code. * `HideErrorCodesInUi` - Control whether or not login error codes are displayed in the UI. This parameter is not displayed by default. The default value is `false`. Set it to `true` to hide login error codes from the UI. For example, `"HideErrorCodesInUi": true`. * `CookieValidationInterval` - Represents the time interval (in seconds) after which the cookie is checked to see if the user and the tenant are still active, and if the user has not logged in another browser. The value within `appsetttings.Production.json` is automatically migrated from Orchestrator, which has the same setting. By default, the value is set to `60` seconds within `appsettings.Production.json` and the code. * `CookieExpireMinutes` - Represents the time interval (in minutes) after which the Identity Server cookie expires. The value within `appsetttings.Production.json` is automatically migrated from Orchestrator, which has the same setting. By default, the value is set to `30` minutes within `appsettings.Production.json` and the code. * `OrchestratorUrl` - Represents the URL of the Orchestrator. This is where Identity Server redirects you when you click the Orchestrator icon within Identity Management Portal's Hub menu. The value is set during installation within `appsettings.Production.json`. :::note Make sure to provide a lowercase URL as a value for `OrchestratorUrl`; otherwise, an error occurs. ::: ``` "AppSettings": { "IdentityServerAddress": "https://myIdentity.domain.local/identity", "EnablePII": false, "HideErrorCodesInUi": true, "CookieExpireMinutes": 30, "OrchestratorUrl": "https://myOrchestratorURL.domain.local" } } ``` ### Localization The `LocalizationSettings` section has the following default values within the code: ``` "LocalizationSettings": { "EnabledLanguages": "en,ja,de,es,es-MX,fr,ko,pt,pt-BR,ru,tr,zh-CN" } ``` * `EnabledLanguages` - Lists the languages available in Identity Server. It is used to limit the number of available languages. ### Load Balancer The `LoadBalancerSettings` section has the following default values within `appsettings.Production.json` and the code: ``` "LoadBalancerSettings": { "RedisConnectionString": "", "SlidingExpirationTimeInSeconds": 600 } ``` The values within `appsetttings.Production.json` are automatically migrated from Orchestrator's `UiPath.Orchestrator.dll.config` in case of a multi-node upgrade. If Redis is not configured inside Orchestrator, then `appsettings.Production.json` will contain this setting. * `RedisConnectionString` - Can only be used if `LoadBalancer.UseRedis` is set to `true`. A connection string that enables you to set up your Redis server, which contains the URL of the server, the password, and port used with Redis. It is also possible to enable SSL encrypted connections between the Orchestrator nodes and the Redis service. For more information, please click [here](https://stackexchange.github.io/StackExchange.Redis/Configuration.html). Examples: + with SSL enabled - `"RedisConnectionString": A"DOCWREDIS02:6379,password=12345678,ssl=true"` + without SSL enabled - `"RedisConnectionString": "DOCWREDIS02:6379,password=12345678"` * `SlidingExpirationTimeInSeconds` - Controls the sliding expiration time of an item inside the cache. This expiration time applies for both Redis Cache and InMemory Cache (this is the default when Redis is not available). ### Redis Settings The `RedisSettings` section controls which caches are enabled. * `UseRedisStoreCache` - Set its value to `true` to enable Redis caching of OAuth client data. This helps prevent performance issues when using Interactive Sign In to connect a large number of robots in a short amount of time. This cache uses the same Redis connection string specified in the `LoadBalancerSettings`. The `UseRedisStoreCache` setting is not displayed by default. :::note This is not recommended if you are using the **External Applications** feature since this setting caches clients, and updates to External Applications will not be reflected. ::: * `UseRedisStoreClientCache` - Set its value to `true` to enable Redis caching for first-party clients (UiPath applications) or third-party clients (external applications). If you have a large-scale deployment, it is recommended to enable this flag. ### Signing Credential The `SigningCredentialSettings` section describes the location of the certificate used to sign the tokens generated by the Identity Server. The values of the settings in this section are populated by the installer based on your input. The settings can be configured to allow the reading of the certificate from a certificate store or from Azure Key Vault. #### Certificate Rotation Settings `ValidationKeys` - Use to indicate your second certificate's `Name`, `Location`, and `NameType`. This is required for certificate rotation. :::note For security reasons, the signing certificate must have a 2048-bit public key. Make sure the certificate is valid, unexpired, and Identity Server has access to the private key. Refer to [Certificate Rotation](https://docs.uipath.com/orchestrator/standalone/2024.10/installation-guide/orchestrator-is-prerequisites-for-installation#prerequisites-for-installation) for more on the adjustments you need to make to the `SigningCredentialSettings` section to ensure that you always use a certificate within its validity period. ::: #### Example of Certificate Store Location Settings Here's a classic configuration for finding a certificate inside the certificate store: ``` "SigningCredentialSettings": { "StoreLocation": { "Name": "30f3c11e676fc8eb1f9dd4e330f3ce668d796796", "Location": "LocalMachine", "NameType": "Thumbprint" } ``` In this example, `Name` represents a Thumbprint value. We do not recommend using other values for `Location` and `NameType`. #### Example of Azure Key Vault Location Settings ``` "SigningCredentialSettings": { "AzureKeyVaultLocation": { "KeyName": "key_name_534553553" } ``` In this example, `KeyName` represents the key to search for inside Azure Key Vault. ### Authorization * `RestrictBasicAuthentication` - Enables you to control if users can log in to an Orchestrator instance using basic authentication credentials. This setting is not displayed by default in `appsettings.Production.json`. The following values are available: + `true` - Users cannot log in using basic authentication credentials. + `false` - Users can log in using basic authentication credentials. This is the default value. * `EnableBasicAuthenticationForHostTenant` - Enables you to control if a host admin can log in to the host tenant of an Orchestrator instance using basic authentication credentials. This setting is not displayed by default in the `appsettings.Production.json` file. The following values are available: + `true` - The host admin can log in using basic authentication credentials. This is the default value. + `false` - The host admin cannot log in using basic authentication credentials. This parameter bypasses the `RestrictBasicAuthentication` parameter, meaning that if you set `EnableBasicAuthenticationForHostTenant` to `true` and `RestrictBasicAuthentication` to `true`, you can only log in with basic authentication credentials at the host level.