Security & Authentication Configuration

Authentication Settings (System-level)

Authentication Method
Used for all global pages and as default authentication for newly created projects
For details on each authentication method, see the REDCap Community website's authentication page, which describes them and lists how to install, configure, and enable each in REDCap.
Need help troubleshooting your LDAP configuration?

Two-Factor Authentication (recommended for improved security)

Enabling two-factor authentication (also known as 2-step login) can provide greater security with regard to users logging in to the system. While the standard login process consists of entering a username and password, two-factor authentication provides a second step after the initial login, such as entering a 6-digit verification code received via SMS text message, via email, or generated using the Google Authenticator app on their mobile device, or responding to a phone call or a push notification (for Duo app only). Two-factor authentication can be set up and enabled using the settings below, which govern how and when users will be required to go through the 2-step login process.
Two-Factor Authentication
Require 2-step verification when users log in to REDCap.
Two-factor settings:
Enforce two-factor authentication only for certain IP addresses?
You can enforce two-factor on all users OR enforce it on all users except for those within a specified IP address range. For example, if you know the IP ranges of computers on your institution's local network or VPN, then you can enforce two-factor only for users accessing REDCap from outside your institution.
IP address exceptions: You may enter IPv4 address ranges in either wildcard format with asterisks OR as a range with hyphen. IPv6 subnet masks may be used also. All ranges must be separated by commas. Example: 1.2.3.*, 1.2.3.0-1.2.3.255, 21DA:00D3:0000:2F3B::/64
Also include all private network IP addresses in the IP exceptions (10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255)
Authentication interval: Trust a device's two-factor login for X days?
If enabled, a user performing two-factor login will be given the option to have their device/computer be remembered for X days during which they will not have to perform two-factor login but only log in with their username/password.
Days, 0 = Disabled   (Use decimals for partial days)
(Optional) Secondary authentication interval for specific IP address ranges
If desired, you can set an alternative authentication interval for devices in certain IP ranges. For example, you may want to set the interval to 30 days for users on a semi-secure network but set it to 1 day for users not on a secure network at all. You can set the interval to X days that the user's device will be trusted if within a given IP range.
Days, 0 = Disabled   (Use decimals for partial days)
Apply the authentication interval above to these IP ranges only:

You may enter IPv4 address ranges in either wildcard format with asterisks OR as a range with hyphen. IPv6 subnet masks may be used also. All ranges must be separated by commas. Example: 1.2.3.*, 1.2.3.0-1.2.3.255, 21DA:00D3:0000:2F3B::/64
Two-factor login options:
(Optional) Enable the Google/Microsoft Authenticator app option for two-factor authentication?
If enabled, the 'Google Authenticator/Microsoft Authenticator' option can be used for two-factor auth, in which the user can obtain the 6-digit verification code from the Google Authenticator or Microsoft Authenticator app on their mobile device.
NOTE: Before using the app for two-factor auth, the user must first set up the Google Authenticator app or Microsoft Authenticator using the instructions and QR code on their Profile page.
(Optional) Enable the email option for two-factor authentication?
If enabled, the email option can be used for two-factor auth, in which the user can obtain the 6-digit verification code via their primary email that is registered in their REDCap account.
NOTE: The email will originate from your administrator account andrejs@webresearch.lv
In most cases, it is good to leave this option enabled as a last resort for users just in case they are not able to use any of the other options for whatever reason.
(Optional) Enable the Twilio SMS option for two-factor authentication?
If enabled, the 'SMS' option can be used for two-factor auth, in which an SMS text message containing the 6-digit verification code can be sent to a user's mobile device using the Twilio web service.
Test the service:   
Note: In order to use the Twilio service, the REDCap web server must be able to make outbound HTTP/HTTPS requests to the following URL: https://api.twilio.com. For more information on Twilio, see https://www.twilio.com.
Twilio configuration settings
Before using this feature, you must first set up a Twilio account and obtain the required info below. How do I do this?
Twilio Account SID
Twilio Auth Token Show auth token
Twilio phone number
Alternate Twilio phone number for Voice Call verification option only (optional)
(If provided, Voice Call verification will be made from this number, whereas SMS verification will come from the first phone number above. If left blank, the first phone number above will be used for both SMS and Voice Call verification.)
(Optional) Enable the Duo for two-factor authentication?
If enabled, the 'Duo' option can be used for two-factor auth, in which the Duo mobile app or website is utilized for completing the login process.
Duo configuration settings
Before using this feature, you must first set up a Duo account and obtain the required info below. How do I do this?
Duo Integration key
Duo Secret key Show secret key
Duo API hostname

Login Settings (not applicable to Shibboleth authentication)

Auto logout time Minutes, 0 = timer off
Users will get a two-minute warning before they are automatically logged out if they do not have any activity in REDCap after this amount of time.
Login Logo
URL for custom logo to be displayed when user logs in to REDCap (max width: 750 pixels)
Custom login text
Custom text to display on the login page (It will appear above the login form, and if a login logo is used, it will appear immediately below the logo.)
Number of failed login attempts before user is locked out for a specified amount of time, which is set below. 0 = Disabled
Amount of time user will be locked out after having failed login attempts exceeding the limit set above. Minutes, 0 = Disabled
Login Page: Disable autocomplete feature in user's browser for username/password fields on REDCap login page?
NOTE: Disabling autocomplete increases security during login, especially for public computer usage.

Additional Table-based Authentication Settings:
Password recovery custom text
Set custom text that is displayed when a user enters an INVALID username when attempting to recover their password.
NOTE: Using custom text can be very helpful if you are using 'LDAP & Table-based' authentication in case LDAP users mistakenly attempt to reset their password, which is not possible using REDCap, and thus you may provide a link to direct them to the correct place to reset their LDAP password, for example.

Expand 
If left blank, the following text will be displayed instead:
"The username cannot be reset due to one of the following reasons: 1) It is not a valid REDCap username, 2) You have not yet set up a security question for your REDCap account, or 3) The password for this user is not able to be reset in REDCap because it can only be reset using an outside resource at your institution."
Enforce password re-use limit?
If set to 'Yes', it will not allow users to use their 5 most recent passwords as the value of a new password.
Force users to change their password after a specified number of days. Days, 0 = Disabled
Users will be prompted to change their password before the expiration occurs.
Password Minimum Length
Value entered should be integer (between 6 and 99).
If left blank, will default to the value 9.
Password Complexity
NOTE: Allowed special characters includes the following:
!@#$%^&*()/_+|~=’,-*+:\";?. (excluding ><\ )

Additional Google OAuth2 Authentication Settings:

Google OAuth2 setup instructions:
In order to use Google OAuth2 authentication, you must 1) go to the Google Developers Console and create a new project on that webpage (you may name the project whatever you wish (e.g. "REDCap Auth"). Note: You may want to avoid logging in to that page using your personal Google account since you will be creating Google API credentials used by REDCap at your institution. 2.) Once you have created the new project on the Google Developers Console webpage, select 'Credentials' under the 'APIs & auth' section on the left-hand menu. On the Credentials page under the OAuth section, click the button to create a new Client ID, and select the 'web application' as the application type. On the next screen, all you have to provide is the Product Name (e.g., 'REDCap'), and click the Save button. You may leave the 'Authorized JavaScript Origins' box blank (it is not needed here), but be sure to enter the following URL into the 'Authorized Redirect URIs' text box (ending both with and without a backslash): https://webresearch.id.lv/redcap/ 3.) Once the Client ID has been created, it will auto-generate a Client ID name and a Client Secret. Copy those values into the text fields below so that REDCap may use them to authenticate with Google.
Google API Client ID
Google API Client Secret

Additional OAuth2 Azure AD Authentication Settings:

The following 4 fields are for configuring the Azure Active Directory OAuth2 integration. Information about the client id and client secret can be found here: (https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app?tabs=dotnet).
Azure AD API Client ID
Azure AD API Client Secret
AD attribute to use for REDCap username
'userPrincipalName' will use the user's email address as their REDCap username, whereas the username with 'samAccountName' will often look something like 'pharris', for example.
Primary Admin
The first time this user logs in, they will be given full admin privileges.
Secondary Admin
Same as above, just a backup admin. The first time this user logs in, they will be given full admin privileges.

Additional Shibboleth Authentication Settings:
Shibboleth Username Login Field
Name of the server variable that contains the user's username that Shibboleth defines in PHP (e.g. $_SERVER['REMOTE_USER'])
URL for Shibboleth Logout Page
(Full URL with qualifiers)

Shibboleth & Table Splash Page Customization:
Documentation on How to Configure Shibboleth & Table Options
Default login method
Table login selection title
Clickable text to use table-based login

Shibboleth Login Options
Shibboleth login selection title
Clickable text to use Shibboleth login
Shibboleth login descriptive text
Descriptive text displayed with Shibboleth login
Shibboleth Link Image URL
URL for image to be displayed to link to server's Shibboleth login
URL for Shibboleth SP Session Initiator
If left blank, will default to the value stored in $_SERVER['Shib-Handler']
Additional IdP Controls

AAF Settings
Access Url
Mandatory field for AAF authentication
Aud URL
Mandatory field for AAF authentication
Iss URL
Mandatory field for AAF authentication
Local identifier
This value in the aaf edupersonscopedaffiliation field identifies a local
Can locals create projects ?
Display users on email ?
Which field as username ?
Which AAF field will identify username ?

Additional SAMS Authentication Settings:
URL for SAMS Logout Page
(Full URL with qualifiers)

Other Security Settings:
Domain allowlist for cross-domain HTTP access control (optional)
By default, for flexibility purposes, AJAX requests (via JavaScript) can be made to REDCap from any domain/URL. If you wish to restrict this so that only certain domains can make cross-domain AJAX requests to REDCap, then you will need to set the domain name of all allowed access control origins (i.e., the domain of the URLs) in the text box to the right. If the text box is left blank (default), then any domain will be able to make cross-domain AJAX requests to REDCap. Restricting access control to specific domains is generally considered to make REDCap more secure to prevent against possible Cross-Site Scripting attacks by malicious users.

Leave blank to allow cross-domain access from any domain. Only enter the domain name (not a full URL) with each domain on a separate line.
Example:
http://example.com
http://www.mysite.edu
Clickjacking prevention
By default, a REDCap page can be embedded in an iframe on a page on any website. In some cases, this is useful, such as embedding surveys into other websites, but there is potential for abuse in which some malicious users may try to trick other users using a technique called clickjacking. If you wish to restrict this so that other websites cannot embed REDCap pages (in order to prevent clickjacking), then you set the option above. If you set it to 'Allow...', then any domain on the web will be able to embed a REDCap page (assuming this REDCap installation is publicly available to the web). Restricting access control from external websites is generally considered to make REDCap more secure to prevent against possible clickjacking attacks by malicious users. Technical note: Setting this to 'Prevent...' will force the HTTP header 'X-Frame-Options: SAMEORIGIN' to be added.


The 'SMS' option for two-factor authentication utilizes a third-party web service called Twilio. To use this feature, you must have a Twilio account, which must be funded with money (since there is a cost for each SMS message sent). Before you begin the setup steps for Twilio SMS on this page, you must 1) set up your own Twilio account at www.twilio.com. Once your Twilio account has been created, you must 2) fund your account with some money (using the Billing page in Twilio) and then 3) purchase a phone number to be used for this REDCap project (see the Numbers page in Twilio).

Once a phone number has been purchased for the account, obtain the Account SID and Auth Token for your account (see the API Credentials section on the main Account Settings page), and then enter the Account SID, the Auth Token, and the phone number into the 'Twilio configuration settings' on this page. And as a final measure, click the 'Test Twilio credentials' button, which will verify the credentials entered to ensure that they will work and send SMS messages successfully.
The 'Duo' option for two-factor authentication utilizes a third-party web service called Duo. To use this feature, you must have a Duo account. Before you begin the setup steps for Duo on this page, you must 1) set up a Duo account at https://admin.duosecurity.com. Once your Duo account has been created, you must 2) go to the Duo Admin Panel and create a new Application (see the Applications item on the left-hand menu of that page) if you do not already have an application created, 3) set the application type as 'Web SDK', and 4) give it a name (e.g., 'REDCap production') and save it.

Once the application has been created for the account, obtain the Integration key, Secret key, and API hostname for that application. Then enter those values into the 'Duo configuration settings' on this page and save them.