Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Here are some additional features that require system setup to use.
Loading...
Loading...
This page contains information on how to leverage Active Directory groups within Cinchy.
Cinchy Groups are containers that contain Users and other Groups within them as members, and used to provision access controls throughout the platform. Cinchy Groups enable centralized administration for access controls.
Groups are defined in the "Groups" table within the Cinchy domain. By default this table can only be managed by members of the Cinchy Administrators group. Each group has the following attributes:
Name - Group name, this must be unique across all groups within the system
Users - Users which are members of the group
User Groups - Groups which are members of the group
Owners - Users which are able to administer the membership of this group. By default Owners are also members of the group (i.e. they do not need to also be added into Users).
Owner Groups - Groups whose members are able to administer the membership of this group. By default, members of Owner Groups are also members of the group (i.e. they do not need to also be added into Users or User Groups).
Group Type - Either "Cinchy Group" or "AD Group". If this is a "Cinchy Group", this means that membership is maintained directly in Cinchy. If this is an "AD Group", then a sync process will be leveraged to maintain the membership and overwrite the Users.
Create a new record within the Groups Table with the same name as the AD Group (use the cn attribute).
Set the Group Type = "AD Group".
Update the Name attribute of the existing group record to match the AD Group (use the cn attribute).
Set the Group Type to "AD Group".
AD Groups defined in Cinchy have their members sync'ed from AD through a batch process that leverages the Cinchy Command-line-interface (CLI).
The sync operation performs the following high-level steps:
Fetches all Cinchy registered AD Groups using a Saved Query.
Retrieves the usernames of all members for each AD Group. The default attribute for username that is retrieved is "userPrincipalName", but configurable as part of the sync process.
For each AD Group, loads the users that are both a member in AD and exist in the Cinchy Users table (matched on the Username) into the "Users" attribute of the Cinchy Groups table.
Cinchy CLI Model must be installed in your instance of Cinchy, steps are mentioned here
An instance of the Cinchy CLI must be available to execute the sync
A task scheduler is required to perform the sync on a regular basis (e.g. Autosys)
Create a new query within Cinchy with the below CQL to fetch all AD Groups from the Groups table. The domain & name assigned to the query will be referenced in the subsequent step.
Copy the below XML into a text editor of your choice and update the attributes listed in the table below the XML to align to your environment specific settings. Once complete, create an entry with the config in your Data Sync Configurations table (part of the Cinchy CLI model).
If the userPrincipalName attribute in Active Directory does not match what you expect to have as the Username in the Cinchy Users table (e.g. if the SAML token as part of your SSO integration returns a different ID), then you must replaceuserPrincipalNamein the XML config with the expected attribute.
The userPrincipalName appears twice in the XML, once in the LDAPDataSource Columns and once in the CinchyTableTarget ColumnMappings.
The below CLI command (see here for additional information on the syncdata command) should be used to execute the sync. Update the command parameters (described in the table below) with your environment specific settings. Execution of this command can be scheduled at your desired frequency using your scheduler of choice.
The user account credentials provided in above CLI syncdata command must have View/Edit access to Cinchy Groups table.
This page walks through the integration of an Identity Provider with Cinchy via SAML Authentication
Cinchy supports integration with any Identity Provider that issues SAML tokens (e.g. Active Directory Federation Services) for authenticating users. It follows an SP Initiated SSO pattern where the SP will Redirect to the IdP and the IdP must submit the SAML Response via an HTTP Post to the SP Assertion Consumer Service. Below is a diagram outlining the flow when a non-authenticated user attempt to access a Cinchy resource.
Cinchy must be registered with the Identity Provider. As part of that process you'll supply the Assertion Consumer Service URL, choose a client identifier for the Cinchy application, and generate a metadata XML file.
The Assertion Consumer Service URL for Cinchy is the base URL for the CinchySSO application followed by "/{AcsURLModule}/Acs" e.g. https://myCinchyServer/CinchySSO/identity/AuthServices/Acs. {AcsURLModule} value needs to be defined in appsettings.json file
To enable SAML authentication within Cinchy, follow the below steps:
You can find the necessary metadata XML from the applicable identity provider you're using the login against. Place the metadata file in the deployment directory of the CinchySSO web application.
If you are using Azure AD for this process, you can find your metadata XML by following these steps.
If you are using GSuite for this process, you can find your metadata XML by following steps 1-6 here.
If you are using ADFS for this process, you can find your metadata XML at the following link, inputting your own information for <your.AD.server>: https://<your.AD.server>/FederationMetadata/2007-06/FederationMetadata.xml
If you are using Okta for this process, you can find your metadata XML by following these steps.
If you are using Auth0 for this process, you can find your metadata XML by following these steps.
If you are using PingIdentity for this process, you can find your metadata XML by following these steps.
2. Update the value of the below app settings in the CinchySSO appsettings.json file.
SAMLClientEntityId - The client identifier chosen when registering with the Identity Provider
SAMLIDPEntityId - The entityID from the Identity Provider metadata XML
SAMLMetadataXmlPath - The full path to the metadata XML file
AcsURLModule - This parameter is needs to be configured as per your SAML ACS URL.
Example ACS URL: "https:///CinchySSO/identity/AuthServices/Acs"
Example parameter value: "/identity/AuthServices"
3. The following parameters pertain to signed SAML IdP requests. Within the IDPSSODescriptor tag of the metadata is the below WantAuthnRequestSigned attribute:
If the value for this attribute is set to "true" then your Identity Provider is expecting the request to be "Signed". In this case, please enter the following parameters:
SAMLSignCertificatePath - This parameter needs to be the path for the PFX file of the certificate. This must match the same certificate in your identity provider.
SAMLSignCertificatePassword - This parameter is the password for the above mentioned PFX file. You may choose to encrypt it or not.
SAMLSignCertificateMinAlgorithm - This parameter is optional and only needed for PFX files that are generated at different algorithm levels.
The possible options for this parameter are:
SHA1
SHA256
SHA384
SHA512
http://www.w3.org/2000/09/xmldsig#rsa-sha1
http://www.w3.org/2000/09/xmldsig#rsa-sha256
http://www.w3.org/2000/09/xmldsig#rsa-sha384
http://www.w3.org/2000/09/xmldsig#rsa-sha512
4. If the Identity Provider is configured for the request to be encrypted please provide a PFX file, with a non-empty password, for the below attributes:
SAMLEncryptedCertificatePath - This parameter needs to be the path for the PFX file of the certificate. This must match the same certificate in your identity provider.
SAMLEncryptedCertificatePassword - This parameter is the password for the above mentioned PFX file.
When configuring the Identity Provider, the only required claim is a user name identifier. If you plan to enable automatic user creation, then additional claims must be added to the configuration. Click here for more information.
Once SSO is enabled, the next time a user arrives at the Cinchy login screen they will see an additional button "Single Sign-On". Before a user is able to login through the SSO flow, the user must be set up in Cinchy with the appropriate authentication configuration. See the User Management section below for instructions on how to perform this setup.
Users in Cinchy are maintained within the Users table in the Cinchy domain. Each user in the system is configured with 1 of 3 Authentication Methods:
Cinchy User Account - These are users that are created and managed directly in the Cinchy application. They log into Cinchy by entering their username and password on the login screen.
Non Interactive - These accounts are intended for application use.
Single Sign-On - These users authenticate through the SSO Identity Provider (configured using the steps above). They log into Cinchy by clicking the "Login with Single Sign-On" link on the login screen.
Create a new record within the Users table with the Authentication Method set to "Single Sign-On".
The password field in the Users table is mandatory. For Single Sign-On users, the value entered is ignored. You can input "n/a".
Change the Authentication Method of the existing user to "Single Sign-On".
Once a user is configured for SSO, they can then click the "Login with Single Sign-On" link on the login page and that will then take them through the Identity Provider's authentication flow and bring them into Cinchy.
If a user successfully authenticates with the Identity Provider but has not been set up in the Users table, then they will see the following error message - " You are not a registered user in Cinchy . Please contact your Cinchy administrator." To avoid the manual step to add new users, you can consider enabling Automatic User Creation.
Once SSO has been enabled on your instance of Cinchy, by default, any user that does not exist in the Cinchy Users table will not be able to login regardless if they are authenticated by the Identity Provider.
Enabling Automatic User Creation means that upon login, if the Identity Provider authorizes the user, an entry for this user will automatically be created in the Cinchy Users table if one does not already exist. This means that any SSO authenticated user is guaranteed to be able to access the platform.
In addition to creating a user record, if AD Groups are configured within Cinchy, then the authenticated user will automatically be added to any Cinchy mapped AD Groups where they are a member. See AD Group Integration for additional information on how to define AD Groups in Cinchy.
See below for details on how to enable Automatic User Creation.
Users that are automatically added will not be allowed to create or modify tables and queries. To provision this access, Can Design Tables and Can Design Queries must be checked on the User record in the Cinchy Users table.
The Identity Provider configuration must include the following claims in addition to the base configuration in the SAML token response:
First Name
Last Name
In order to enable automatic group assignment for newly created users (applicable if you plan on using AD Groups), then also include an attribute that captures the groups that this user is a member of (e.g. memberOf field in AD)
Enabling automatic user creation requires the following changes to the appsettings.json file in the CinchySSO web application.
Add "ExternalClaimName" attribute values under "ExternalIdentityClaimSection" in appsettings.json file. Do not add the value for "MemberOf" if you don't want to enable automatic group assignment .
The ExternalClaimName value must be updated to create a mapping between the attribute name in the SAML response and the required field. (e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname is the name in the SAML response for the FirstName field)
The following outlines the configuration required in Active Directory Federation Services (ADFS) to enable Single Sign-On (SSO).
On your ADFS Server, Open AD FS Management.
Righ-click on Relying Party Trusts and select Add Relying Party Trust. This will launch the Add Relying Party Trust Wizard.
Select Claims aware. Click Start.
Choose Enter data about the relying party manually. Click Next.
Enter a Display Name of your choice.
Do not choose any certificates.
Select Enable support for the SAML 2.0 SSO Web SSO protocol.
Enter your login URL in the following format:
Choose an Identifier and click Next until you are complete.
Right-click on the Relying Party Trust you just created (look for the Display Name) and click Edit Claim Issuance Policy.
Click on the Add Rule... and choose Claim Rule as Send LDAP Attributes as Claims.
Add Claim rule name, choose Active Directory under Attribute store and map LDAP attribute to outgoing claim types:
4. Click Finish.
5. Click on Edit Rule...
6. Click on View Rule Language and copy out the Claim URLs for the claims defined. This information will be needed in a later step to configure your Cinchy appsettings.json. This will look something like this:
7. Click Ok to save the rule.
8. Right-click on your Relying Party Trust again and click Properties.
9. Go to the Advanced tab and set the secure hash algorithm to SHA-256
Everything below is case sensitive and must match whatever is specified in your SAML IdP configuration.
Open https://<your.AD.server>/FederationMetadata/2007-06/FederationMetadata.xml in a browser and save the XML file in the cinchysso folder.
Open IIS Manager and create an HTTPS binding on the Cinchy site (if necessary).
Go to sso site and bind HTTPS with it. Make sure to use the same port as the login URL above if specified.
You will need the Rule Language URLs you copied out from the ADFS Configuration above. Using the same example as above, we would get the following (replace with your own URLs).
Add the 3 following lines to your web.config within the appSettings section:
If you are syncing someone with a lot of ADFS groups, the server may reject the request for the header being too large. If you are able to login as a user with a few groups in ADFS but run into an error with users with a lot of ADFS groups (regardless of if those ADFS groups are in Cinchy), you will need to make 2 changes.
In your CinchySSO app settings, you will also need to increase the max size of the request header.
For more details on the app settings see the app settings section of Configuring ADFS.
Rather than traditional code-centric applications which creates data silos, you can build application experiences on the Cinchy platform which looks and feels like regular applications, but persists its data on the data fabric autonomously, rather than managing its own persistence.
Once you deploy your UI, API and logic, you will need to create an integrated client to leverage the data fabric for persistence and controls. If you would like a link to your experience from the data fabric, you will need to create an Experience in the Applets table. See to see how to set up both.
The Cinchy Platform also comes with a built-in Experience called My Data Network, this is a tool to help you visualize your data through its connections. You can read more about, or create your own on your own data.
Migration prerequisites when upgrading to Cinchy 2.x and later versions from 1.x
As "Integrated Apps" table will get modified to "Applets" table after 2.0 upgrade, please save "Integrated Apps" table data by running a select statement on this table. This data will be required to populate new table named "Integrated Clients" after deployment.
Please run below Update statement for updating "Integrated App" to "Applet" under "Launcher Objects" table
Install .net core Hosting bundle Version 2.1 -
Install .Net Framework 4.7.2 on the server
Create a new application pool with configuration as "No managed Code" and "Integrated" in IIS manager.
Take backup - Cinchy DB, Cinchy Web and Cinchy SSO
Deploy binaries
Assign newly created application pool in Pre-Deployment steps to the Cinchy SSO application
Configure appsettings.json file under Cinchy SSO as described below, most of these configurations can be taken from the web.config of previous version of Cinchy SSO
Below configurations are only required for External login authentication, otherwise can be left as blank
SAMLSSOServiceURL - Configure service endpoint for SAML authentication.
AcsURLModule - This parameter is needs to be configured as per your SAML ACS URL. For example, if your ACS URL looks like this - "https:///CinchySSO/identity/AuthServices/Acs", then the value of this parameter should be "/identity/AuthServices"
In Cinchy SSO, Log folder will required to be configured under log4net.config and web.config files. Please make sure that Identity under which application pool is running must have access to logs and certificate folder as configured.
In Cinchy Web application web.config file, modify "StsAuthorityUri" parameter to remove "identity" keyword from the URL.
URL will modify from "https://<your server URL>/SiteName/CinchySSO/identity" to "https://<your server URL>/sitename/cinchysso"
Please make sure the sitename and cinchysso is in lower case
Login to Cinchy and follow these below steps to update Launcher Objects table-
Go to Design Table
Update "Integrated App" link column name to "Applet".
Update "Type" choice column's choice from "Integrated App" to "Applet"
"Integrated Clients" table would be required to be populated from the data taken from "Integrated Apps" table in pre-deployment steps as shown in below table
Please check off Query permissions under Design controls of "Users" table for "All Users" row.
Upload your organization logo on Admin screen - https://<your server URL>/Cinchy/Admin/Index
On your SQL Server 2012+ instance, create a new database named Cinchy (or any other name you prefer). If you choose an alternate name, in the remaining instructions wherever the database name is referenced, replace the word Cinchy with the name you chose.
A single user account with db_owner privileges is required for the Cinchy application to connect to the database. If you choose to use Windows Authentication instead of SQL Server Authentication, the account that is granted access must be the same account under which the IIS Application Pool runs.
On the Windows Server machine, launch an instance of PowerShell as Administrator.
Run the below commands to create the application pool and set its properties.
If you chose to use Windows Authentication in the database or want to run the application under a different user account, execute the below commands to change the application pool identity.
You may use an alternate application pool name (i.e. instead of Cinchy) if you prefer.
Unzip the application package on your C drive. This will create 2 directories, C:\Cinchy and C:\CinchySSO. Ensure your application pool accounts has read and execute access to these directories (default accounts are IIS AppPool\CinchyWeb and IIS AppPool\CinchySSO).
Run the below commands in the Administrator instance of PowerShell to create directories for the application logs. Ensure your application pool account has write access to these directories.
Open the C:\CinchySSO\appsettings.json file in a text editor and update the values below.
Under AppSettings section, update the values outlined in the table. Wherever you see <base url> in the value, replace this with the actual protocol (i.e. http or https) and the domain name (or ip address) you plan to use. e.g. if you're using https with the domain app.cinchy.co, <base url> should be replaced with https://app.cinchy.co
4.18.0+ includes session expiration based on the CinchyAccessTokenLifetime. So for the default of "0.00:30:00", this means that if you have been inactive in Cinchy for 30 minutes, your session will expire and you will need to log in again.
Under the "ConnectionStrings" section you'll see
The "SqlServer" value needs to be set for the application to connect to the database. If you're using SQL Server Authentication you can use the below as a reference and update the Server, User Id, and Password properties. If you chose a different database name earlier, you'll need to update that as well.
If you're using Windows Authentication, then use the below as a reference and update the Server property (and Database if required).
Under the "ExternalIdentityClaimSection" section you'll see, these values are used for SAML SSO. If you are not using SSO, keep these values as blank
The log folder is required to be configured under log4net.config and web.config files. Please make sure the identity under which the application pool is running has access to the log and certificate folders as configured.
Under the log4net.config, you'll see a RollingLogFileAppender section, and within that you need to update the value of <file> tag as below
Under web.config, update "stdoutLogFile" value to "C:\CinchyLogs\CinchySSO\stdout" under "aspNetCore" tag. Also, update the value of "ASPNETCORE_ENVIRONMENT" to "Production".
Open the C:\Cinchy\Web.config file in a text editor and update the sections outlined below.
Under the <connectionStrings> section you'll see
Replace this with the same connection string value you set in the C:\CinchySSO\appsettings.json file.
Under the <appSettings> section, update the values outlined in the table. Wherever you see <base url> in the value, replace this with the actual protocol (i.e. http or https) and the domain name (or ip address) you plan to use. e.g. if you're using https with the domain app.cinchy.co, <base url> should be replaced with https://app.cinchy.co
For StsAuthorityUri - Please make sure the sitename and cinchysso is in lower case. The same URL will be used for Applet's authority config.
Under the <log4net> section you'll see a RollingLogFileAppender, and within that is the following line
Replace the value attribute with the target log file location:
Under the <elmah> section you'll see
Replace the logPath attribute with the target error log location:
In the Administrator instance of PowerShell, execute the below commands to create the IIS applications and enable anonymous authentication (required to allow authentication to be handled by the application).
To enable HTTPS, the server certificate must be loaded and the standard IIS configuration completed at the Web Site level to add the binding.
Access the <base url>/Cinchy (e.g. http://app.cinchy.co/Cinchy) through Google Chrome. The login screen should appear. The default username is admin and the password is cinchy. You will be prompted to change your password the first time you log in.
Requires CLI v4.7+
Cinchy performs maintenance tasks through the CLI. This currently includes the data erasure and data compression deletions.
To schedule maintenance from 2am to 5am every day, use a scheduling program to run the command above at 2am every day with the -t parameter set to 180 (3 hours = 180 minutes).
To avoid users from having to access the application at a url that contains /Cinchy, you can use a downloadable IIS extension called URL Rewrite to remap requests hitting the <base url> to <base url>/Cinchy. The extension is available .
XML Tag
Attribute
Content
LDAPDataSource
ldapserver
The LDAP server url
(e.g. LDAP:\\activedirectoryserver.domain.com)
LDAPDataSource
username
The encrypted username to authenticate with the AD server
(generated using the CLI's encrypt command -
dotnet Cinchy.CLI.dll encrypt -t "Domain/username").
LDAPDataSource
password
The encrypted password to authenticate with the AD server
(generated using the CLI's encrypt command -
dotnet Cinchy.CLI.dll encrypt -t "password").
LDAPDataSource -> Filter
Domain Name
The domain of the Saved Query that retrieves AD Groups
LDAPDataSource -> Filter
Query Name
The name of the Saved Query that retrieves AD Groups
Options
Description
-s, --server
Required. The full path to the Cinchy server without the protocol
(e.g. cinchy.co/Cinchy).
-u, --userid
Required. The user id to login to Cinchy.
This account must have access to edit the Groups table
-p, --password
Required. The encrypted password of the specified user
(generated using the CLI's encrypt command -
dotnet Cinchy.CLI.dll encrypt -t "password").
-m, --model
Required. The Cinchy model to use for retrieval of batch configuration information and persistence of the execution log.
-d, --tempdirectory
Required. The path to a directory that the CLI can use for storing temporary files to support the sync (e.g. partitioned data).
LDAP Attribute
Outgoing Claim Type
Comments
User-Principal-Name
Name ID
SAM-Account-Name
sub
subwill need to be typed manually, make sure it does not autocomplete to something else like subject.
Given-Name
Given Name
Necessary for Automatic User Creation
Surname
Surname
Necessary for Automatic User Creation
E-Mail-Address
E-Mail Address
Necessary for Automatic User Creation
Is-Member-Of-DL
Role
Necessary for Automatic User Creation
Attribute
Value
CinchyLoginRedirectUri
https://<cinchy-sso-URL>/Account/LoginRedirect
CinchyPostLogoutRedirectUri
https://<Cinchy-Web-URL>
CertificatePath
<Path to cinchysso>\\cinchyidentitysrv.pfx
SAMLClientEntityId
Relying party identifier from Relying Party Trust above
SAMLIDPEntityId
http://<AD-Server>/adfs/services/trust
Your FederationMetadata.xml will have this near the beginning. Note that this is the entityID, not the ID.
SAMLMetadataXmlPath
<Path to cinchysso>\\FederationMetadata.xml
This is the location where you placed the FederationMetadata.xml in step 1.
SAMLSSOServiceURL
In Domain controller, in-service endpoints, look for type Saml 2, URL path: https://<AD-Server>/Saml2/Acs
Same as the login URL provided to the wizard in the ADFS Configuration
AcsURLModule
/Saml2
MaxRequestHeadersTotalSize
Integer
Bytes to set the max request header to. If the default (likely 32kb) does not work, you may have to set this larger to accommodate a large number of groups.
MaxRequestBufferSize
Integer
This should be equal or larger than your header's total size above.
MaxRequestBodySize
Integer
If any of these values are -1 they will use the default. It is not necessary to change the body size.
Web.config (Previous location) | appsettings.json (New Location) |
appsettings -> SAMLClientEntityId | AppSettings -> SAMLClientEntityId |
appsettings -> SAMLIDPEntityId | AppSettings -> SAMLIDPEntityId |
appsettings -> SAMLMetadataXmlPath | AppSettings -> SAMLMetadataXmlPath |
ExternalIdentityClaimSection -> FirstName -> ExternalClaimName | ExternalIdentityClaim -> FirstName -> ExternalClaimName |
ExternalIdentityClaimSection -> LastName -> ExternalClaimName | ExternalIdentityClaim -> LastName -> ExternalClaimName |
ExternalIdentityClaimSection -> Email -> ExternalClaimName | ExternalIdentityClaim -> Email -> ExternalClaimName |
ExternalIdentityClaimSection -> MemberOf -> ExternalClaimName | ExternalIdentityClaim -> MemberOf -> ExternalClaimName |
Integrated Apps (Old Table) | Integrated Client |
Id | Client Id |
Login Redirect Url | Permitted Login Redirect URLs |
Logout Redirect Url | Permitted Logout Redirect URLs |
Key | Value |
CinchyLoginRedirectUri | <base url>/Cinchy/Account/LoginRedirect |
CinchyPostLogoutRedirectUri | <base url>/Cinchy |
CertificatePath | C:\\CinchySSO\\cinchyidentitysrv.pfx |
StsPublicOriginUri | Base URL used by the .well-known discovery. If left blank will match the request URL. <base url>/cinchysso |
IssuerUrl | The URL of the issuer. This value defaults to the StsPublicOriginUrl and will be used as the issuer of tokens issued by CinchySSO. <base url>/cinchysso |
CinchyAccessTokenLifetime | Duration for the Cinchy Access Token. Timespan, defaults to "0.00:30:00" |
Key | Value |
ExternalIdentityClaim -> FirstName -> ExternalClaimName |
ExternalIdentityClaim -> LastName -> ExternalClaimName |
ExternalIdentityClaim -> Email -> ExternalClaimName |
ExternalIdentityClaim -> MemberOf -> ExternalClaimName |
Key | Value |
SSOLogPath | C:\CinchyLogs\CinchySSO\log.txt |
UseHttps | true or false (based on whether you are using https in your base url) |
StsAuthorityUri | Should match the StsPublicOriginUri value specified in the SSO appsettings above. <base url>/cinchysso |
StsRedirectUri | <base url>/Cinchy/Account/LoginRedirect |
Web.config (Previous location) | appsettings.json (New Location) |
appsettings -> CinchyLoginRedirectUri | AppSettings -> CinchyLoginRedirectUri |
appsettings -> CinchyPostLogoutRedirectUri | AppSettings -> CinchyPostLogoutRedirectUri |
appsettings -> CertPath | AppSettings -> CertificatePath |
connectionStrings -> SqlServer | ConnectionStrings -> SqlServer |
Parameter | Value |
-s | Server, i.e. Cinchy Base URL (ex. cinchy.com/Cinchy/) |
-u | Username, this will need to be an account that is part of the Cinchy Administrators group |
-p | Encrypted password (you can encrypt your password by using |
-t | Set a maintenance time window in minutes. Maintenance tasks will stop executing after the allotted time frame. This allows you to run this during an allotted maintenance window. |
-h | This flag must be added if you are accessing Cinchy over https. |
Key | Value |
SAMLClientEntityId | Client Entity Id |
SAMLIDPEntityId | Identity Provider Entity Id |
SAMLMetadataXmlPath | Identity Provider metadata XML file path |
SAMLSSOServiceURL | Configure service endpoint for SAML authentication |
AcsURLModule |
The legacy standalone applet is no longer supported. For instructions on the standalone applet version, see Setup Data Network Visualizer in v2.2.0.
The Data Network Visualizer now ships with Cinchy as a system applet called My Data Network. It uses the user's entitlements for viewable tables and linked columns. You will find the My Data Network data experience in the Marketplace:
My Data Network is another way to view and navigate the data you have access to within Cinchy.
Each node represents a table you have access to within Cinchy, and each edge is one link between two tables. The size of the table is determined by the number of links referencing that table. The timeline on the bottom allows you to check out your data network at a point in the past and look at the evolution of your network.
When you click on a node, you will see its description in the top right hand corner. You can click the Open button to navigate to the table.
If you want to create your own custom data network visualizer, see Custom Data Network Visualizer
Instructions on how to set up your own custom data network visualization.
The nodes query defines the nodes in the network.
The edges query defines the relationships between the nodes.
Node groups are an optional query you can provide to group your nodes.
If no start or end date is specified, the data network is just shown as is. If there's a start or end date, the other CQLs need to have a @date parameter and that will be used to render the data network at a point in time.
You can use @date between [Modified] and [Replaced] with a version history query to see data at a point in time. You can also simply use @date > [Created] if it's an additive system.
This CQL should return a date value as 'startDate'.
This CQL should return a date value as 'endDate'.
To use slicers, you need to define the slicers in the [Slicers] column and add the additional attributes to the nodes query.
Attribute is the column name from the nodes query, displayName is what shows up in the visualizer.
All the information above is entered into the [Cinchy].[Networks] table. To access the network, go to
<Cinchy URL>/Cinchy/apps/datanetworkvisualizer?network=<NAME>
Alternatively you can go to My Data Network and then add ?network=<NAME> to the end of it.
It is highly recommended to add a new applet for each custom data network visualizer for ease of access.
For ease of testing, save the following as saved queries and then in the Networks table simply add exec [Domain].[Saved Query Name] as the CQLs.
System Properties is a table within Cinchy for managing system properties, such as default time zones, system lockout durations, password expirations, password properties, password attempts allowed etc.
The Default of the Systems Properties table is set up as follows:
Please note that this table is case sensitive.
The System Properties requirements can be changed by an admin user simply by editing the 'Value' columns where applicable:
Users can set their own time zones in their user profile. If a user does not set one up, the system default time zone will take effect. If this property does not exist or is invalid, the default time zone will default to UTC.
The minimum password length is 8 characters and it will default to 8 if an invalid value is provided. However, this number can be changed in the 'Value' column to require users to have longer or shorter passwords.
This property specifies whether symbols are required in a user's password. The 'Value' 0 means symbols are not required and 1 means they are required.
This property specifies whether numbers are required in a user's password. The 'Value' 0 means numbers are not required and 1 means they are required.
For a new password policy to take effect, you can set all user's Password Expiration Timestamp to yesterday. They will need to change their password the next time they attempt to log in.
This property specifies how many days until a password expires. Defaults to 90 but can be set to be shorter or longer by changing the number in the 'Value' column.
This property specifies how many bad password attempts a user can make before they are locked out of the system. The default is 3 but this can be set to be more or less attempts by changing the number in the 'Value' column.
This property specifies how long a user is locked out of the system once they've run out of bad password attempts. The default is 15min but this can be set to be shorter or longer by changing the number in the 'Value' column.
Note that an administrator can also go into the 'Users' table to manually unlock a user by clearing the Locked Timestamp.
This is a property, defaulted to 0, that is simply responsible for showing this warning when a data owner is setting up Data Erasure or Data Compression on a table. It is the administrator's responsibility to set up a scheduled maintenance job for performing compression and erasure, and then to change the property to 1 so that the warning no longer appears.
There is a new Cinchy table called Forbidden Passwords. This table comes with a prepopulated list of passwords from https://www.ncsc.gov.uk/static-assets/documents/PwnedPasswordsTop100k.txt
You can add more blocked passwords to this list as well, and users will not be able to set their password to it (this can be used to add your company's name, or to import other blocked password lists). The check against the list is case insensitive.
Like other password policies, this check occurs when your password changes, so to enforce this you will need to set all passwords to be expired.
How to enable and other information in relation to REST Encryption
Cinchy 2.0 has added the feature to encrypt data at rest. This means that you can encrypt data in the database such that users with access to view data in the database will see ciphertext in those columns. However, all users with authorized access to the data via Cinchy will see the data as plain text.
In order to use this feature, your database administrator will be need to create a database master key (see below for instructions).
Connect directly to the database Cinchy is currently using.
Run the below query to create your master key - password to be used should adhere to your organization's password policy.
You can now encrypt data via the user interface
After you have created your master key you can create a backup file of that key in case any data corruption occurs in future. You will need the password you used to create your master key in order to complete this operation.
Further documentation.
In the use case where you require to restore your master key due to data corruption use the command below to do so. You will need the password you used to create you master key in order to complete this operation.
Further documentation.
This parameter is needs to be configured as per your SAML ACS URL. For example, if your ACS URL looks like this - "", then the value of this parameter should be "/identity/AuthServices"
Column Name
Description
Client Id
A unique identifier for each client.
Client Name
A friendly name for the client to help users maintaining this record.
Grant Type
The OAuth 2.0 flow that will be used during authentication. "Implicit" should be selected for API calls.
Permitted Login Redirect URLs
Add all URLs of an Applet separated by semicolon which can initiate login
Permitted Logout Redirect URLs
Add all URLs of an Applet separated by semicolon which can be used as Post Logout URL
Permitted Scopes
The list of permitted OAuth scopes, please check all available options.
Access Token Lifetime (seconds)
The time after with the token expires. If left blank, the default is 3600 seconds.
Show Cinchy Login Screen
Uncheck if you want to have SSO as default authentication and skip the Cinchy login screen
Enabled
This checkbox is used to enable or disable a client
Guid
This is a calculated field that will auto-generate the client secret
Column Name
Value
Domain
Select a domain for the applet to belong to.
Name
This is the name that will display for the applet in My Network
Full Name
This is a calculated field Domain.Name
Icon
Select a system icon for the applet, this will show in My Network.
Icon Colour
Select a system color for the icon above.
Description
Similar to table or query description. This field is viewable and searchable in My Network.
Target Window
When someone clicks the applet, this is the default way it will open.
Existing Window (Redirect) - this will redirect the user in the current window
Existing Window (Embedded) - this will open the applet embedded in Cinchy, the Cinchy header will be visible
New Window - the applet will open in a new window/tab.
Application Url
This is the URL where the applet resides.
Users
Users who can see this applet in the marketplace.
Groups
Groups who can see this applet in the marketplace.
Integrated Client
The integrated client for the applet.
Guid
This is a calculated field that is automatically generated for the applet.
Parameter
Description
id
Id for the edge.
label
Label that shows up on the edge.
from
Originating node id.
to
Target node id. Can be the same as the from node, it will show a loop back into the same node.
showArrowTo
Set this to True if you want to show the direction of the relationship.
showArrowFrom
Generally should only be used for bi-directional relationships along with the arrow to.
Parameter
Description
sub network
Name for the group
color
Hex value for the color of the group
Parameter
Description
id
Id for the node. This will be used by the edges to define the relationships.
title
This is the text that is displayed when hovering on a node.
label
The label that is shown below the node.
value
The visual size of the node relative to other nodes.
mass
The gravitational pull of a node. Unless you really want to customize the visualizer, it is recommended to keep this the same value as the value.
group
Optionally you can associate a node with a group.
color
Optional hex code for the color of a node. The node will take the color of the group if a color is not specified for the node.
description
The description shows up in the top right hand corner when you click a node.
nodeURL
Page to display when you click the open button next to the description.
Property ID
Name
Value (Default)
2
Default Time Zone
Eastern Standard Time
12
Password Attempts Allowed
3
13
System Lockout Duration (minutes)
15
8
Minimum Password Length
8
9
Password Requires Symbols
1
10
Password Requires Numbers
1
11
Password Expiration (Days)
90
15
Maintenance Enabled
0
