Follow the order of the guide. Issue all of the following commands in Windows command prompt using the Administrator user account.
...
- Access the URL UAS_URL/ubilogin in a browser
- Create a new Service in Services tab (Select Home → Services → New Service...)
- Title: CustomerID SQL
- Directory type: SQL
- Click OK
- Edit following information:
- Service URL:
jdbc:postgresql://host:port/customeriddb – replacing hostname and port number as needed using database.host and database.port settings from customerid\application\win32.config - Username:
Use database.user value from customerid\application\win32.config. This value is usually customerid_user Credentials:
Use database.password value from customerid\application\win32.configNote NOTE: If there are escape characters ("\") in the database.password value, remove them before copying the value to the Credentials field.
Configuration:
Enter the following text in the Configuration String text area:
validationQuery= SELECT 1Figure 2, SQL Configuration
- Service URL:
- Click Update
Restart Ubisecure SSO
Code Block language text theme RDark net stop UbiloginServer net start UbiloginServer
...
- Access the URL UAS_URL/ubilogin in a browser
- Create a new Service in Services tab (Select Home → Services → New Service...)
- Title:
CustomerID Directory - Directory type:
Ubilogin Directory or Active Directory
Select Active Directory only when external AD is used for CustomerID user storage. Typically Ubilogin Directory is used.
- Title:
- Click OK
Append one of the following two configurations to the existing text in the "Configuration String" field, depending if UbiloginDirectory or Active Directory is used for CustomerID user data storage: Typically Ubilogin Directory is used.
Ubilogin Directory:Code Block language text theme RDark policy.password.encoding={SSHA} directory=ldap:///{LDAP root} policy.password.protocol=UbiloginDirectory password-name=password.2Active Directory:
Code Block language text theme RDark java.naming.ldap.attributes.binary=objectGUID policy.password.protocol=ActiveDirectoryDs password-name=password.2
For detailed instructions concerning these settings see Ubisecure SSO Installation and Upgrade document. You can check the value of {LDAP root} for example from the jndi.properties file situated in the %PROGRAMFILES%\Ubisecure\customerid\application\custom folder. The value is the LDAP root part of the java.naming.provider.url property. Example:
Code Block language text theme RDark java.naming.provider.url = ldap://localhost:389/cn=Ubilogin,dc=test
For clustered Ubisecure SSO you will need the following following settings in the CustomerID Directory settings in the Ubisecure SSO Home → Services tab → CustomerID Directory → Configuration String
Code Block language text theme RDark com.ubisecure.util.ldap.server.list=<ldap://server1:port/> <ldap://server2:port/> com.ubisecure.util.ldap.failover.type=single-master (default is multi-master) com.sun.jndi.ldap.connect.timeout=15000 (in milliseconds) com.sun.jndi.ldap.read.timeout=15000 (in milliseconds) com.ubisecure.util.ldap.maxage=120000 (in milliseconds) com.ubisecure.util.ldap.auth.pool.max=8
- Click Update
Restart Ubisecure SSO from command line
Code Block language text theme RDark net stop UbiloginServer net start UbiloginServer
Ubisecure CustomerID SSO Adapter Installation
See ww- CustomerID HA SSO Adapter Installation in Windows
...
- Password method
- Set title:
CustomerID Password - Name:
password.2 - Select method type:
SPI Password - Set directory to:
CustomerID Directory
- By default user logs in using the login attribute (which is uid in Ubisecure Directory and sAMAccountName in Active Directory). If you want the user to login using email address, you must add directory.account.login=mail to the configuration string. You must also add general.login.attribute=mail to eidm2.properties. Create eidm2.properties text file under
%PROGRAMFILES%\Ubisecure\customerid\application\custom - Set the optional policy.password.expiring configuration string to show a warning to users during login of a pending password expiry. The value is number of minutes. 10080 is one week. This number should be increased accordingly if users rarely use the system.
- Select Enabled
- Press Update
- Set title:
- SMS method
- Set title. Title will be shown in the user interface during login.
SMS - Name:
ubikey.sms.1 - Select method type:
SPI Mobile Phone Set directory to:
CustomerID DirectoryFigure 4. SMS method
- Set title. Title will be shown in the user interface during login.
- By default user logs in using the login attribute (which is uid in Ubisecure Directory and sAMAccountName in Active Directory). If you want user to login using email address, you must add directory.account.login=mail to the configuration string. You must also add general.login.attribute=mail to eidm2.properties. Create
eidm2.propertiestext file under%PROGRAMFILES%\Ubisecure\customerid\application\custom - You need to define the password-name configuration string. It should contain the name of the used password method (usually password.2).
You need to define the smsUrl configuration string. It should contain the URL of the SMS server.
Figure 5, SMS URL - If Active Directory is used as the main user repository for Ubisecure CustomerID then you need to define the methodUserGroupDN configuration string. It points to the AD group which defines those users that are allowed to use SMS authentication. The relative name of the correct group is ActiveSMSUser. The whole DN is installation specific. Typically Active Directory is not used as the main user repository for Ubisecure CustomerID.
- Select Enabled
- Press Update
- By default user logs in using the login attribute (which is uid in Ubisecure Directory and sAMAccountName in Active Directory). If you want user to login using email address, you must add directory.account.login=mail to the configuration string. You must also add general.login.attribute=mail to eidm2.properties. Create
- OTP Printout method
- Set title: Title will be shown in the user interface during login.
One Time Password - Set name:
ubikey.otp.1 - Select method type:
SPI Ubikey OTP Printout - Set directory to:
CustomerID Directory
- By default users log in using the login attribute (which is uid in Ubisecure Directory and sAMAccountName in Active Directory). If you want users to login using their email addresses, you must add directory.account.login=mail to the configuration string. You must also add general.login.attribute=mail to
eidm2.properties. Create eidm2.properties text file under%PROGRAMFILES%\Ubisecure\customerid\application\custom - You need to define the password-name configuration string. It should contain the name of the used password method (usually password.2).
If Active Directory is used as the main user repository then you need to define the userCredentialsTableDN configuration string. It defines the name of the OTP table object in Ubisecure Directory. OTP Printout authentication method information is stored in Ubisecure Directory for all Active Directory users who use the OTP Printout method and that information will be stored under the OTP table. Typically Active Directory is not used as the main user repository for Ubisecure CustomerID.
Figure 6, OTP Printout Method, configuration string parameters will be shown after next part
- Set title: Title will be shown in the user interface during login.
...
Restart Ubisecure SSO by running the following commands:
Code Block language text theme RDark net stop UbiloginServer net start UbiloginServer
Restart Ubisecure CustomerID by running the following commands:
Code Block language text theme RDark net stop wildfly net start wildfly
Note NOTE: Stopping the Ubisecure CustomerID service using the mentioned command may not succeed in Windows if your firewall settings block access to WildFly management.
Go to ww- CustomerID HA Example User Data Import in Windows to import the example admin user.
...