Security Settings

Security settings manage login security, session policies, and edge provisioning behaviour for the SecureLink platform.

Navigate to Admin > System Settings > Security.

Info: Keycloak connection parameters (Realm URL, Client ID, Client Secret, JWKS endpoint) are configured via environment variables on the API server, not through this UI.

Login Security

This section is visible to SuperAdmins only. It surfaces the live Keycloak realm configuration so you can see what is being enforced and tune brute-force protection without logging into the Keycloak admin console directly.

Password Policy

A read-only display of the realm's password policy. The rules shown here are enforced on every new password operation (sign-up, password change, password reset). Possible rules include:

  • Minimum / maximum character length
  • Required uppercase and lowercase letters
  • Required digits and special characters
  • Restriction against using the username or email in the password
  • Password history (cannot reuse the last N passwords)

To change password policy requirements, update the Keycloak realm's Password Policy configuration in the Keycloak admin console. Changes take effect immediately for all new password operations.
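The rule types listed above are what a password validator has to enforce at every password operation. The following is an added example, not code from the SecureLink platform or from Keycloak: a small validator whose policy fields, rule codes and fingerprint helper are my own illustrative model of those rule types, not Keycloak's policy syntax. It shows the one check that is easy to get wrong, the username/email restriction, which must also catch the email's local part, and a history check that only looks at the most recent N entries.

```python
import hashlib
from dataclasses import dataclass


# Illustrative policy model built from the rule types listed above; the field
# names are my own and do not mirror Keycloak's policy syntax.
@dataclass
class PasswordPolicy:
    min_length: int = 12
    max_length: int = 128
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    forbid_username_email: bool = True
    history_size: int = 3          # cannot reuse the last N passwords


def fingerprint(password: str) -> str:
    """Stand-in for a stored password hash so history can be compared.

    Illustrative only: a real store keeps slow, salted hashes (argon2,
    bcrypt) and compares with its verify function, never bare SHA-256.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, username: str, email: str,
                   previous: list, policy: PasswordPolicy) -> list:
    """Return the violated rule codes; an empty list means the password is accepted.

    `previous` holds fingerprints of earlier passwords, newest first.
    """
    violations = []
    if len(password) < policy.min_length:
        violations.append("min_length")
    if len(password) > policy.max_length:
        violations.append("max_length")
    if policy.require_upper and not any(c.isupper() for c in password):
        violations.append("uppercase")
    if policy.require_lower and not any(c.islower() for c in password):
        violations.append("lowercase")
    if policy.require_digit and not any(c.isdigit() for c in password):
        violations.append("digit")
    if policy.require_special and not any(not c.isalnum() for c in password):
        violations.append("special")
    if policy.forbid_username_email:
        # Compare case-insensitively against the username, the full email
        # address and the email's local part (the text before '@').
        tokens = {username, email, email.split("@")[0]}
        lowered = password.lower()
        if any(t and t.lower() in lowered for t in tokens):
            violations.append("contains_username_or_email")
    # Only the most recent `history_size` entries count.
    if fingerprint(password) in previous[:policy.history_size]:
        violations.append("reused")
    return violations
```

The rule codes come back as a list rather than a single boolean so a UI can tell the user every rule the candidate password failed in one round trip.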

Account Lockout (Brute-Force Protection)

Configures Keycloak's brute-force detection. Changes here are written back to the realm immediately.

  • Enable brute-force detection: Toggle to turn account lockout on or off.
  • Failures before lockout: Number of consecutive failed sign-in attempts before the account is locked.
  • Permanent lockout: If enabled, locked accounts stay locked until an admin uses the Unlock action on the user row. If disabled, the lockout expires automatically.
  • Max lockout duration (seconds): Maximum time (in seconds) a temporary lockout can last. Only shown when permanent lockout is off.
  • Wait increment between failures (seconds): How much additional wait time is added after each consecutive failure.

Click Save login security to apply changes.

Tip: When brute-force protection is enabled and an account is locked, a SuperAdmin can clear the lockout immediately using the Unlock button on that user's row in Admin > Users. See Admin Users — User row actions.
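To see how the lockout fields interact before saving them, it helps to walk a sequence of failed sign-ins through the policy. The following is an added example, not code from the SecureLink platform or from Keycloak: a simplified model I constructed from the five fields in the table above, in which the wait grows by one increment for every failure past the threshold and is capped at the maximum duration. Keycloak's real brute-force detector has additional parameters this page does not show, so treat the numbers as an illustration of the knobs, not as Keycloak's exact schedule.

```python
from dataclasses import dataclass
from typing import Optional


# Model of the five Account Lockout fields. Assumption (mine, not Keycloak's):
# the wait grows by one increment per failure past the threshold, capped at
# max_lockout_seconds.
@dataclass
class LockoutPolicy:
    enabled: bool = True
    failures_before_lockout: int = 5
    permanent_lockout: bool = False
    max_lockout_seconds: int = 900
    wait_increment_seconds: int = 60


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: Optional[float] = None   # epoch seconds; None = no temporary lock
    permanently_locked: bool = False


def is_locked(state: AccountState, policy: LockoutPolicy, now: float) -> bool:
    """True if a sign-in attempt at time `now` must be refused."""
    if not policy.enabled:
        return False
    if state.permanently_locked:
        return True
    return state.locked_until is not None and now < state.locked_until


def record_failure(state: AccountState, policy: LockoutPolicy, now: float) -> AccountState:
    """Apply one failed sign-in attempt observed at time `now`."""
    if not policy.enabled:
        return state
    state.consecutive_failures += 1
    if state.consecutive_failures >= policy.failures_before_lockout:
        if policy.permanent_lockout:
            state.permanently_locked = True
        else:
            over = state.consecutive_failures - policy.failures_before_lockout + 1
            wait = min(over * policy.wait_increment_seconds, policy.max_lockout_seconds)
            state.locked_until = now + wait
    return state


def record_success(state: AccountState) -> AccountState:
    """A successful sign-in clears the counter and any temporary lock.

    A permanent lock is deliberately left in place: only an admin clears it.
    """
    state.consecutive_failures = 0
    state.locked_until = None
    return state


def admin_unlock(state: AccountState) -> AccountState:
    """The Unlock action on the user row: clears everything, permanent lock included."""
    state.permanently_locked = False
    return record_success(state)
```

Running the model with the defaults above shows why the cap matters: without it, a long run of failures from an attacker locks a legitimate user out for hours, which turns brute-force protection into a denial-of-service lever; with permanent lockout on, the same run leaves the account unusable until a SuperAdmin intervenes.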

Session Management

Controls VSN+ session token lifetime and idle behaviour. These settings apply to all users on this orchestrator (or to the tenant, when modified by a TenantAdmin).

  • Session Timeout (minutes): How long a session stays valid from the moment it is created.
  • Idle Timeout (minutes): How long a session stays valid without any API activity.
  • Remember Me Duration (days): Session lifetime when the user checks "Keep me signed in for 30 days" at sign-in (default: 30 days).
  • Max Concurrent Sessions: Maximum number of active sessions per user.
  • Force Logout on Password Change: When enabled, all existing sessions for a user are revoked when their password changes.

Click Save Changes to apply.

Info: The default session duration (without remember-me) is controlled by the VSN_SESSION_DURATION_HOURS environment variable on the API server (default: 8 hours).
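The five session settings combine into one validity decision per request, and the absolute and idle timeouts are easy to confuse. The following is an added example, not code from the SecureLink platform: a model I constructed of how those settings evaluate a session, with my own field names and defaults (the 8-hour session timeout mirrors the documented VSN_SESSION_DURATION_HOURS default; the other defaults are assumptions). It shows the difference between expiry and idleness, eviction of the oldest session when the concurrency limit is exceeded, and the revoke-all behaviour on password change.

```python
from dataclasses import dataclass


# Model of the five Session Management settings. Defaults are assumptions,
# except the 8-hour session timeout, which mirrors the documented
# VSN_SESSION_DURATION_HOURS default.
@dataclass
class SessionPolicy:
    session_timeout_min: int = 8 * 60
    idle_timeout_min: int = 30
    remember_me_days: int = 30
    max_concurrent_sessions: int = 3
    force_logout_on_password_change: bool = True


@dataclass
class Session:
    user: str
    created_at: float        # epoch seconds
    last_activity: float     # epoch seconds of the last API call
    remember_me: bool = False
    revoked: bool = False


def session_status(s: Session, policy: SessionPolicy, now: float) -> str:
    """Return 'active', 'revoked', 'expired' (absolute lifetime) or 'idle'."""
    if s.revoked:
        return "revoked"
    lifetime = (policy.remember_me_days * 86400 if s.remember_me
                else policy.session_timeout_min * 60)
    if now - s.created_at > lifetime:
        return "expired"
    if now - s.last_activity > policy.idle_timeout_min * 60:
        return "idle"
    return "active"


def touch(s: Session, now: float) -> None:
    """Record API activity: resets the idle clock, never the absolute lifetime."""
    s.last_activity = now


def create_session(sessions: list, user: str, now: float,
                   policy: SessionPolicy, remember_me: bool = False) -> Session:
    """Open a session and revoke the oldest ones above the concurrency limit."""
    new = Session(user, now, now, remember_me)
    sessions.append(new)
    active = [s for s in sessions
              if s.user == user and session_status(s, policy, now) == "active"]
    active.sort(key=lambda s: s.created_at)
    for old in active[:max(0, len(active) - policy.max_concurrent_sessions)]:
        old.revoked = True
    return new


def on_password_change(sessions: list, user: str, policy: SessionPolicy) -> int:
    """Revoke every live session of `user` if the policy requires it; return the count."""
    if not policy.force_logout_on_password_change:
        return 0
    affected = [s for s in sessions if s.user == user and not s.revoked]
    for s in affected:
        s.revoked = True
    return len(affected)


def active_count(sessions: list, user: str, policy: SessionPolicy, now: float) -> int:
    return sum(1 for s in sessions
               if s.user == user and session_status(s, policy, now) == "active")
```

Note that `touch` only moves the idle clock: a session that is used continuously still ends at the absolute timeout, which is the property that bounds how long a stolen token stays usable regardless of activity.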

Edge Provisioning

The Auto-Approve New Edges toggle controls whether edge devices that register with a valid deployment token are approved automatically. When disabled, an administrator must manually approve each new edge before it can receive configuration.

Click Save Changes to apply.