
Configuring Company Security Settings

The following table describes how to set up the Company Security Settings section in the Company Profile page in Oracle CRM On Demand.

NOTE: Some additional fields might be displayed if your company has certain features turned on.

Field

Description

Company Idle Timeout (minutes)

The time, in minutes, that a user's interactive session can remain idle before it ends. If this field is blank, the interactive session timeout is determined by the System Default Idle Timeout value, which is usually 60 minutes. The current System Default Idle Timeout value is shown on the Company Profile page when you edit it. It is recommended that you enter a value between 10 and 90 minutes.

The Company Idle Timeout (minutes) setting can also determine the time that is allowed before a noninteractive session, such as a Web services session, ends due to inactivity, as follows:

  • If the Company Idle Timeout (minutes) field is set to 10 minutes or less, then the setting applies to noninteractive sessions as well as interactive sessions.
  • If the Company Idle Timeout (minutes) field is set to any value that is more than 10 minutes, then the setting does not determine the idle timeout interval for noninteractive sessions. In this case, the idle timeout interval for noninteractive sessions is 10 minutes by default.
  • If the Company Idle Timeout (minutes) field is left blank, then the setting does not determine the idle timeout interval for noninteractive sessions. In this case, the idle timeout interval for noninteractive sessions is 10 minutes by default, and the System Default Idle Timeout value determines the idle timeout interval for interactive sessions.

Company Idle Timeout Warning (minutes)

The number of minutes before the session expires at which a warning message is shown to the user. If the user clicks OK on the warning message, the idle timer is reset. If the user does not click OK, the session times out when the idle timeout interval elapses.

The value for the Company Idle Timeout Warning (minutes) field must be between 1 and the value indicated in the Company Idle Timeout (minutes) field. If you enter 0 as a value, then a warning message is not displayed.

NOTE: The page mask that appears with the warning message is a visual cue only and does not provide a security mechanism. The page content remains loaded in the browser, and the session stays active until the idle timeout interval elapses.
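The following is an added example, not code from the Oracle help page or from Oracle CRM On Demand itself. It encodes the idle-timeout rules from the Company Idle Timeout (minutes) and Company Idle Timeout Warning (minutes) entries above so that a client (for example a Web services integration) can predict when its session will be dropped. It assumes the three rules listed on this page are complete, takes 60 minutes as the System Default Idle Timeout when none is supplied, and uses the 10-minute noninteractive default stated on the page; the function names are the example's own.

```javascript
// Added example (not Oracle's code): resolves the effective idle-timeout intervals
// from the Company Idle Timeout / Warning settings, and tells a client whether a
// session is still usable. Assumptions: the three rules on the help page are
// complete; the System Default Idle Timeout is 60 minutes unless supplied; the
// noninteractive default of 10 minutes is taken from the page.

const NONINTERACTIVE_DEFAULT_MIN = 10; // page: "10 minutes by default"
const NONINTERACTIVE_CUTOFF_MIN = 10;  // page: company value applies to noninteractive sessions only if <= 10

function isBlank(value) {
  return value === null || value === undefined || String(value).trim() === '';
}

// Returns the effective interactive and noninteractive idle intervals in minutes.
function resolveIdleTimeouts(companyIdleMinutes, systemDefaultMinutes = 60) {
  if (isBlank(companyIdleMinutes)) {
    // Blank: interactive sessions follow the system default, Web services sessions the fixed default.
    return { interactive: systemDefaultMinutes, noninteractive: NONINTERACTIVE_DEFAULT_MIN, source: 'system-default' };
  }
  const n = Number(companyIdleMinutes);
  if (!Number.isInteger(n) || n <= 0) {
    throw new RangeError(`Company Idle Timeout must be a positive whole number of minutes, got ${companyIdleMinutes}`);
  }
  // A company value above 10 minutes does NOT lengthen noninteractive sessions.
  const noninteractive = n <= NONINTERACTIVE_CUTOFF_MIN ? n : NONINTERACTIVE_DEFAULT_MIN;
  return { interactive: n, noninteractive, source: 'company' };
}

// Validates the warning lead time: 0 disables the warning, otherwise 1..interactive timeout.
function resolveWarning(warningMinutes, interactiveTimeoutMinutes) {
  const w = Number(warningMinutes);
  if (!Number.isInteger(w) || w < 0 || w > interactiveTimeoutMinutes) {
    throw new RangeError(`Warning must be 0 or between 1 and ${interactiveTimeoutMinutes}, got ${warningMinutes}`);
  }
  return { enabled: w > 0, leadMinutes: w };
}

// Classifies a session ('active' | 'warning' | 'expired') from its kind
// ('interactive' | 'noninteractive'), the company settings, and minutes idle so far.
// 'warning' is only ever returned for interactive sessions with a non-zero warning.
function sessionState(settings, kind, idleMinutes) {
  const timeouts = resolveIdleTimeouts(settings.companyIdleMinutes, settings.systemDefaultMinutes);
  const limit = kind === 'interactive' ? timeouts.interactive : timeouts.noninteractive;
  if (idleMinutes >= limit) return 'expired';
  if (kind === 'interactive') {
    const warning = resolveWarning(settings.warningMinutes, timeouts.interactive);
    if (warning.enabled && idleMinutes >= limit - warning.leadMinutes) return 'warning';
  }
  return 'active';
}

// Demo: a company timeout of 30 minutes still leaves Web services sessions on the 10-minute default.
const demoSettings = { companyIdleMinutes: 30, warningMinutes: 5 };
console.log(resolveIdleTimeouts(demoSettings.companyIdleMinutes)); // { interactive: 30, noninteractive: 10, source: 'company' }
console.log(sessionState(demoSettings, 'noninteractive', 12));     // expired
console.log(sessionState(demoSettings, 'interactive', 26));        // warning
```

The point the demo makes is the one integrators most often miss: raising the company timeout above 10 minutes changes nothing for Web services sessions, so a client that is idle for more than 10 minutes must expect to re-authenticate.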

Authentication Type

Displays which authentication types are allowed for your company. This value can be assigned only by Customer Care; your company administrator cannot change it. The following values are possible:

  • User ID/Password Only - All users must sign in using their Oracle CRM On Demand User ID and password.
  • Single Sign-On Only - All users must sign in using your company's single sign-on mechanism. Oracle CRM On Demand User IDs and passwords are not accepted.
  • User ID/PWD or Single Sign-On - Either User ID and password for Oracle CRM On Demand, or single sign-on can be used to sign in to Oracle CRM On Demand.

    NOTE: If the User ID/PWD or Single Sign-On value is selected, then your company's policies for passwords in Oracle CRM On Demand continue to be enforced. So, when a user's password in Oracle CRM On Demand expires, Oracle CRM On Demand prompts the user to change the password, even if the user signs in using Single Sign-On. All other policies for passwords in Oracle CRM On Demand are also enforced, such as the minimum length of the password, the required complexity of the password, and so on. Oracle CRM On Demand does not manage the passwords that are used for Single Sign-On.

    Authentication type can be set for each user by the company administrator on the User Profile page. If the user's value is empty, then the company-level setting is used for that user.

External Identifier for Single Sign-On

Unique company identifier assigned by Customer Care when Single Sign-On is configured for the company. The company administrator cannot change this value, although External Identifiers can be set for each user on the User Profile page.

Sign In Page for UserID/Pwd Authentications

The URL of a company-specific custom Sign In page that replaces the default Oracle CRM On Demand Sign In page. Typically, the page is hosted on a company Web server. The URL must be fully qualified (it must begin with http:// or https://).

This page is displayed after a user signs out or the user's session ends because of inactivity. It is the company's responsibility to direct their users to sign in initially using this page, rather than the default Oracle CRM On Demand page.

Sign In Page for SSO Authentications

The URL of a company-specific custom Sign In page that is displayed after a user who originally signed in to Oracle CRM On Demand using Single Sign-On signs out, or after that user's session ends because of inactivity. Typically, the page is hosted on a company Web server, for example the company's Single Sign-On portal. The URL must be fully qualified (it must begin with http:// or https://).

It is the company's responsibility to direct users to sign in initially, using their SSO Sign In page, rather than the default Oracle CRM On Demand page. If a user who has signed in using SSO signs out and this setting is blank, a generic page is displayed with the message "You have been signed out."

ITS URL for SSO Authentications

The SAML Intersite Transfer Service URL that is used for signing in to Oracle CRM On Demand. The company administrator sets this value. Contact Oracle CRM On Demand Customer Care to obtain an SSO worksheet that contains instructions for setting the ITS URL.

IP Address Restrictions Enabled

See Restricting Use to IP Addresses.

Cross-Site Request Forgery Protection Enabled

Enables protection against cross-site request forgery (CSRF) attacks. When this check box is selected, custom code that interacts with Oracle CRM On Demand might need to include a security token as a hidden parameter in its requests. For more information about cross-site request forgery protection, see About Cross-Site Request Forgery Protection.

This check box is selected by default when your company is set up to use Oracle CRM On Demand, and you cannot change the setting.

Enable IFRAME embedding

For security reasons, this check box is deselected by default and must be selected only when required: allowing another site to frame Oracle CRM On Demand pages exposes them to clickjacking. By selecting this check box, you allow users to embed Oracle CRM On Demand pages in an IFRAME on another site's Web page. If this check box is deselected and an Oracle CRM On Demand page is embedded in an IFRAME on another site's Web page, the Oracle CRM On Demand page breaks out of the frame and becomes the parent (top-level) page. You must select this setting if you want to use the Oracle CRM On Demand Reports widget. This setting does not affect other Oracle CRM On Demand widgets that you embed in desktop applications.

How to handle pages that may contain Cross Site Scripting (XSS)

Controls the reflected cross-site scripting (XSS) filter that some Web browsers provide. The setting determines how a user's Web browser handles a page in which it detects reflected XSS. The following values are possible:

  • Block. If the Web browser detects XSS, the Web page is not displayed. This is the default and the recommended value.
  • Correct. If the Web browser detects XSS, it displays the page after neutralizing the reflected script with the smallest modification it can make to the returned Web page.
  • Do Nothing. This setting turns the browser's XSS filter off: the Web browser does not try to detect XSS, or ignores any detection of XSS, in the Web page. It is recommended that you do not use this setting.
  • Browser Default. This setting uses the Web browser's default XSS protection level, which might be user-configurable and varies from one browser vendor to another.

NOTE: This setting depends entirely on the browser's built-in filter. Current versions of the major browsers no longer include a reflected-XSS filter (Firefox never had one), so for those users the setting provides no protection, and it is not a substitute for correctly encoding output in custom code.
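The following is an added example, not code from the Oracle help page or from Oracle CRM On Demand. It audits a captured HTTP response for the two browser-side protections covered by the Enable IFRAME embedding and the How to handle pages that may contain Cross Site Scripting (XSS) entries above. Two assumptions are made, and neither is stated on this page: that clearing Enable IFRAME embedding shows up as an anti-framing response header (the page only says the framed page becomes the parent page, which could equally be script-based frame busting), and that the four XSS options correspond to the X-XSS-Protection header as Block = "1; mode=block", Correct = "1", Do Nothing = "0", Browser Default = header absent. The sample responses are constructed.

```javascript
// Added example (not Oracle's code): audits a captured response for the framing
// and XSS-filter protections described on the help page.
// Assumptions: "Enable IFRAME embedding" off surfaces as X-Frame-Options or a CSP
// frame-ancestors directive (the page may instead use a frame-busting script), and
// the XSS setting maps to X-XSS-Protection as Block="1; mode=block", Correct="1",
// Do Nothing="0", Browser Default=absent. Sample responses are constructed.

// Parses a raw header block ("Name: value" lines) into a lowercase-keyed map.
// Repeated headers are kept as a list, which matters for multiple CSP headers.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue; // skips the status line and blank lines
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers[name]) headers[name] = [];
    headers[name].push(value);
  }
  return headers;
}

// Maps an X-XSS-Protection value back to the setting named on the help page.
function classifyXssProtection(headers) {
  const values = headers['x-xss-protection'];
  if (!values) return 'Browser Default';
  const v = values[values.length - 1].replace(/\s+/g, '').toLowerCase();
  if (v === '0') return 'Do Nothing';
  if (v === '1') return 'Correct';
  if (v.startsWith('1;mode=block')) return 'Block';
  return 'Unrecognized';
}

// Collects every frame-ancestors source list across all CSP headers and directives.
function frameAncestorsSources(headers) {
  const lists = [];
  for (const policy of headers['content-security-policy'] || []) {
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name && name.toLowerCase() === 'frame-ancestors') lists.push(sources.map(s => s.toLowerCase()));
    }
  }
  return lists;
}

// Decides, at the header level, whether another site may frame the page.
// CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
function framingPolicy(headers) {
  const lists = frameAncestorsSources(headers);
  if (lists.length > 0) {
    // Every policy must permit a cross-site ancestor; an empty list means 'none'.
    const allows = lists.every(list => list.length > 0 && list.some(src => src !== "'none'" && src !== "'self'"));
    return { allowsCrossSiteFraming: allows, mechanism: 'Content-Security-Policy frame-ancestors' };
  }
  const xfo = headers['x-frame-options'];
  if (xfo) {
    const v = xfo[xfo.length - 1].trim().toUpperCase();
    return { allowsCrossSiteFraming: !(v === 'DENY' || v === 'SAMEORIGIN'), mechanism: 'X-Frame-Options' };
  }
  return { allowsCrossSiteFraming: true, mechanism: 'none (a frame-busting script may still apply)' };
}

// Produces the findings a reviewer would check against the settings on the help page.
function auditSecurityHeaders(rawResponse) {
  const headers = parseHeaders(rawResponse);
  const xssSetting = classifyXssProtection(headers);
  const framing = framingPolicy(headers);
  const findings = [];
  if (framing.allowsCrossSiteFraming) {
    findings.push(`Framing by other sites is not blocked at the header level (${framing.mechanism}); keep "Enable IFRAME embedding" off unless the Reports widget is needed.`);
  }
  if (xssSetting === 'Do Nothing') findings.push('X-XSS-Protection is "0" (Do Nothing); the help page recommends Block.');
  if (xssSetting === 'Unrecognized') findings.push(`Unexpected X-XSS-Protection value: ${headers['x-xss-protection']}`);
  findings.push('Browser XSS filters are gone from current Chrome, Edge and Safari and never existed in Firefox; rely on output encoding, not this header.');
  return { xssSetting, framing, findings };
}

// Demo on a constructed response as it would look with the recommended settings.
const SAMPLE_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html; charset=UTF-8',
  'X-XSS-Protection: 1; mode=block',
  'X-Frame-Options: SAMEORIGIN',
].join('\r\n');
console.log(auditSecurityHeaders(SAMPLE_RESPONSE));
```

To use it against a real tenant, paste the response headers from the browser's network panel (or `curl -sI`) into auditSecurityHeaders. A result of "none" for the framing mechanism does not by itself mean framing succeeds, since the break-out behaviour the page describes may be script-based; it means the protection cannot be confirmed from headers alone.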

Convert URL Text Values to Links

By selecting this check box, values in address fields and in text fields of type Text (Short) or Text (Long) that start with http:// or https:// are automatically converted to Web links, as are URL field values on the Attachment Detail page that start with http:// or https://. For security reasons, this check box is deselected by default and must be selected only when required, because it turns user-entered text into clickable links that other users might follow.


Published 5/2/2016 Copyright © 2005, 2016, Oracle. All rights reserved. Legal Notices.