...

Code Block
languagexml
<?xml version="1.0" encoding="utf-8"?>
<AnyTimeProfileDefinition xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:xsd="http://www.w3.org/2001/XMLSchema">
	
	<!-- Configure how Offline is installed -->
	<InstallSettings />
	
	<!-- Configure how Offline is uninstalled -->
	<UninstallSettings />
	
	<!-- Use basic username/password to authenticate -->
	<BasicAuthSettings />
	
	<!-- Use an X.509 certificate from user machine to authenticate -->
	<CertificateSettings />
	
	<!-- Use an external provider with OAuth2 Device Grant support to authenticate -->
	<OAuth2DeviceSettings />
</AnyTimeProfileDefinition>

...

Below is an example of how it looks for KLA:

Code Block
languagexml
<!-- File: anytime.setup.config -->
<ProgramEntryDefinition>
  <Id>Signifikant_Offline</Id>
  <DisplayName>KLA VFI 2.0</DisplayName>
  <Publisher>Signifikant</Publisher>
  <DisplayVersion>2.0</DisplayVersion>
  <UrlInfoAbout>https://signifikant.se</UrlInfoAbout>
  <InstallLocation>C:\ProgramData\Signifikant\Assert AnyTime</InstallLocation>
  <UninstallString>"C:\ProgramData\Signifikant\Assert AnyTime\AssertAnyTime.Uninstall.exe"</UninstallString>
</ProgramEntryDefinition>

...

Configure how the Offline app authenticates against the Synchronization API.

Note

Make sure to have exactly ONE auth method enabled in the configuration; otherwise, the app will fail with an error.

Basic authentication

This was the original way of authenticating with Offline.

Code Block
languagexml
<BasicAuthSettings enabled="true">
  <Username>Foo</Username>
  <Password>Bar</Password>
</BasicAuthSettings>

The BasicAuthSettings element replaces the old SynchronizationLogin settings.

Old `SynchronizationLogin` settings
Code Block
languagexml
<!-- These are old settings that do not work anymore, don't use -->
<SynchronizationLoginEnabled>false</SynchronizationLoginEnabled>
<SynchronizationLogin>Foo</SynchronizationLogin>
<SynchronizationPassword>Bar</SynchronizationPassword>

Certificate-based authentication

Used to authenticate using an X.509 certificate installed on the user’s machine.

Code Block
languagexml
<CertificateSettings enabled="true">
  <StoreName>My</StoreName>
  <StoreLocation>CurrentUser</StoreLocation>
  <Issuer>kla-tencor</Issuer>
  <SubjectEmailDomains>kla-tencor.com,kla.com</SubjectEmailDomains>
</CertificateSettings>

Let’s go over the five different settings:

...

enabled: If true, the configured certificate is used for authentication; otherwise, the app uses the default basic authentication method (username/password).

Settings:

  • StoreName: Specific value used to find the certificate on the user’s machine. If it’s a personal certificate, then the store name will be My.

  • StoreLocation: This is also used to find the certificate. In case of a user certificate, the location will be CurrentUser.

  • Issuer: The Certificate Authority (CA) responsible for issuing the certificate.

  • SubjectEmailDomains: A comma-separated list of domains that can suffix the user email.

...

Code Block
languagexml
<OAuth2DeviceSettings enabled="true">
  <ClientId>MY_CLIENT_ID</ClientId>
  <DeviceAuthorizationEndpoint>MY_DEVICE_AUTH_ENDPOINT</DeviceAuthorizationEndpoint>
  <TokenEndpoint>MY_TOKEN_AUTH_ENDPOINT</TokenEndpoint>
  <!-- Scopes are separated by spaces, offline_access should be included to allow usage of refresh tokens -->
  <Scope>MY_API_SCOPE offline_access</Scope>
  <RetryDelay>3000</RetryDelay>
  <MaxRetryCount>200</MaxRetryCount> 
</OAuth2DeviceSettings>

The various settings should come from the Identity Provider.

Settings:

  • ClientId: Client ID of the app. See: https://www.rfc-editor.org/rfc/rfc6749#section-2.2

  • DeviceAuthorizationEndpoint: Endpoint to get the device and user codes (OAuth 2.0 /devicecode)

  • TokenEndpoint: Endpoint to get the OAuth 2.0 tokens (access, refresh, etc.)

  • Scope: Scope of the device auth. See: https://www.rfc-editor.org/rfc/rfc6749#section-3.3

  • RetryDelay: Time to wait (in milliseconds) between attempts to get OAuth 2.0 tokens from auth server.

  • MaxRetryCount: Maximum number of attempts to get OAuth 2.0 tokens from the auth server.
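
How RetryDelay and MaxRetryCount bound a device-grant polling loop, as an added example that follows RFC 8628 and is not the Offline app's own code. `token_request` and `fake_idp` are hypothetical stand-ins for the HTTPS call to TokenEndpoint, and the canned responses are constructed.

```python
import time

# Values taken from the OAuth2DeviceSettings example on this page.
RETRY_DELAY_MS = 3000
MAX_RETRY_COUNT = 200  # 200 attempts 3 s apart: roughly a 10 minute sign-in window


def poll_for_tokens(token_request, device_code, retry_delay_ms=RETRY_DELAY_MS,
                    max_retry_count=MAX_RETRY_COUNT, sleep=time.sleep):
    """Poll until tokens arrive, the grant fails, or the retry budget is spent.

    token_request(device_code) is a hypothetical callable standing in for the
    HTTPS POST to TokenEndpoint; it returns the decoded JSON body as a dict.
    """
    delay = retry_delay_ms / 1000.0
    for attempt in range(1, max_retry_count + 1):
        body = token_request(device_code)
        if "access_token" in body:
            return {"status": "ok", "attempts": attempt, "tokens": body}
        error = body.get("error")
        if error == "slow_down":
            delay += 5.0  # RFC 8628 section 3.5: add 5 s for all later requests
        elif error != "authorization_pending":
            # access_denied, expired_token or anything unexpected is final.
            return {"status": "failed", "attempts": attempt, "error": error}
        if attempt < max_retry_count:
            sleep(delay)
    return {"status": "timeout", "attempts": max_retry_count, "error": None}


def fake_idp(script):
    """Constructed stand-in for an identity provider: replays canned bodies."""
    responses = iter(script)
    return lambda device_code: next(responses)
```

Passing `sleep=list.append`-style recorders instead of `time.sleep` lets the back-off schedule be checked without waiting.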

Miscellaneous settings

These settings should be placed at the root of the file (under AnyTimeProfileDefinition) and can be used to configure a variety of things:

Code Block
languagexml
<ApplicationTitle>KLA VFI</ApplicationTitle>
<ApplicationIconPath>Profile\KLA.ico</ApplicationIconPath>

<PreSynchronizationEnabled>true</PreSynchronizationEnabled>
<PermissionsSynchronizationEnabled>true</PermissionsSynchronizationEnabled>
<SynchronizationLoginEnabled>false</SynchronizationLoginEnabled>

<SynchronizationLogin />
<SynchronizationPassword />

<StopIISExpressAtExit>false</StopIISExpressAtExit>
<MandatoryLanguage>en-US</MandatoryLanguage>
<ExternalDataSupplyer>false</ExternalDataSupplyer>

<!-- Settings to wait for IIS site to restart after sync before the app safely crashes -->
<MaxConnectionAttempts>50</MaxConnectionAttempts>
<WaitTimeBetweenConnectionAttempts>5000</WaitTimeBetweenConnectionAttempts>

<RequiredReachableHost>https://vfi.kla-tencor.com</RequiredReachableHost>

Settings:

  • ApplicationTitle: Text displayed in the application title bar

  • ApplicationIconPath: Path of the icon file (must be .ico) used for the application

  • PreSynchronizationEnabled

  • PermissionsSynchronizationEnabled

  • StopIISExpressAtExit: Whether IIS Express should be stopped when closing the desktop application

  • MandatoryLanguage: A comma-separated list of languages that should be installed in the application

  • ExternalDataSupplyer: Should only be used for debugging

  • MaxConnectionAttempts: Max number of attempts to reach the local WebViewer server after IIS restart before failing

  • WaitTimeBetweenConnectionAttempts: Wait time (in milliseconds) between each attempt to reach the local WebViewer server

  • RequiredReachableHost: Used for restricting OAuth2 authentication to happen only if the host is reachable. If empty, the restriction is skipped.
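
A lint for the rules this page states about a profile (exactly one enabled auth method, the retired SynchronizationLogin settings, offline_access in Scope), written as an added example and not part of the product. The https check, the treatment of a missing `enabled` attribute as "off", and the sample profile values are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

AUTH = ("BasicAuthSettings", "CertificateSettings", "OAuth2DeviceSettings")
LEGACY = ("SynchronizationLoginEnabled", "SynchronizationLogin", "SynchronizationPassword")

# Constructed sample profile (hypothetical values, not a real deployment).
SAMPLE = """<AnyTimeProfileDefinition>
  <BasicAuthSettings enabled="true">
    <Username>Foo</Username><Password>Bar</Password>
  </BasicAuthSettings>
  <CertificateSettings enabled="false" />
  <OAuth2DeviceSettings enabled="true">
    <DeviceAuthorizationEndpoint>http://idp.example/devicecode</DeviceAuthorizationEndpoint>
    <TokenEndpoint>https://idp.example/token</TokenEndpoint>
    <Scope>MY_API_SCOPE</Scope>
  </OAuth2DeviceSettings>
  <SynchronizationLogin>Foo</SynchronizationLogin>
</AnyTimeProfileDefinition>"""

def enabled_methods(root):
    # Assumption: only enabled="true" (any case) counts; a missing attribute is "off".
    return [name for name in AUTH for el in root.findall(name)
            if (el.get("enabled") or "").strip().lower() == "true"]

def lint_profile(xml_text):
    """Return a list of findings for one profile; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    methods = enabled_methods(root)
    if len(methods) != 1:
        findings.append(f"auth: expected exactly one enabled method, found {methods}")
    if "BasicAuthSettings" in methods:
        findings.append("basic: Password is stored as plain text in the profile")
    for name in LEGACY:
        if root.find(name) is not None:
            findings.append(f"legacy: {name} no longer works, remove it")
    oauth = root.find("OAuth2DeviceSettings")
    if oauth is not None and "OAuth2DeviceSettings" in methods:
        for tag in ("DeviceAuthorizationEndpoint", "TokenEndpoint"):
            if urlparse((oauth.findtext(tag) or "").strip()).scheme != "https":
                findings.append(f"oauth: {tag} is not an https URL")
        if "offline_access" not in (oauth.findtext("Scope") or "").split():
            findings.append("oauth: Scope lacks offline_access (no refresh tokens)")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_profile(SAMPLE)))
```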