...
Register the CIDFederationManagerFactory as a ubiloginService instance.
Listing 1. LDIF block creating the CustomerID Federation Service

dn: cn=CustomerID Federation,cn=Services,ou=System,cn=Ubilogin,dc=example,dc=com
changetype: add
objectClass: ubiloginService
objectClass: top
cn: CustomerID Federation
ubiloginClassname: com.ubisecure.customerid.federation.CIDFederationManagerFactory
ubiloginServiceInputParameter: subject
ubiloginTitle: CustomerID Federation

...
Configure a User Mapping Table
Listing 2. LDIF block creating a User Mapping Table for Ubisecure CustomerID

dn: cn=CustomerID User Mapping,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
changetype: add
objectClass: top
objectClass: ubiloginLDAPURLUserMappingTable
cn: CustomerID User Mapping

Listing 3. LDIF block creating a Ubisecure CustomerID specific Ubilogin Service User Mapping Entry

dn: cn=44a5a6c3-706e-419f-adf8-d31f182bcffa,cn=CustomerID User Mapping,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
changetype: add
objectClass: ubiloginServiceUserMappingEntry
objectClass: ubiloginServiceReference
objectClass: top
ubiloginServiceDN: cn=CustomerID Federation,cn=Services,ou=System,cn=Ubilogin,dc=example,dc=com
ubiloginServiceInputParameter: subject ${nameID}
cn: 44a5a6c3-706e-419f-adf8-d31f182bcffa

...
NOTE: A Federation Manager Template definition is needed in eidm.policy if federation is used when logging into CustomerID. However, this is added to the policy automatically, so the LDIF example below does not need to be imported manually; it is presented here only for informational and troubleshooting purposes. If you want to use federation when logging into other services, you need to make a similar modification to the policies those services use.
Listing 4. LDIF block defining a Federation Manager Template

dn: cn=eidm.policy,ou=eIDM Services,cn=Ubilogin,dc=example,dc=com
changetype: modify
replace: ubiloginConfString
ubiloginConfString: FederationManager.TemplateName federation
-

...
Modify Authentication Method(s) with Federation Capabilities
Listing 5. Modifying tupas.test.1 method to offer federation

dn: cn=tupas.test.1,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
changetype: modify
replace: ubiloginLDAPURLUserMappingTableDN
ubiloginLDAPURLUserMappingTableDN: cn=CustomerID User Mapping,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
-
replace: ubiloginDirectoryServiceDN
ubiloginDirectoryServiceDN: cn=CustomerID Directory,cn=Services,ou=System,cn=Ubilogin,dc=example,dc=com
-

...
It is worth repeating that the SAML 2.0 definitions carry no semantics in the context of account linking, but they can be useful when working out how the NameID is formed by default and deciding how to form federation links. In the example below, a common authentication domain for TUPAS is configured by modifying the NameID formation.
Listing 6. LDIF block creating a specialized Ubilogin Service User Mapping Entry

dn: cn=44a5a6c3-706e-419f-adf8-d31f182bcffa,cn=CustomerID User Mapping,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
changetype: add
objectClass: ubiloginServiceUserMappingEntry
objectClass: ubiloginServiceReference
objectClass: top
ubiloginServiceDN: cn=CustomerID Federation,cn=Services,ou=System,cn=Ubilogin,dc=example,dc=com
ubiloginServiceInputParameter: subject ${nameID.format('hetu').nameQualifier ('tupas.group').spNameQualifier('tupas.group').spProvidedID(method.CUSTID).value(method.CUSTID)}

...
- Log on to the SSO Management application with administrative privileges
- Locate workflow.policy by navigating to eIDM Services and select Authorization
- Click the Add button, navigate to eIDM Groups, choose the PendingTupasUsers group and click Ok
- Specify a descriptive name for the new attribute, e.g. setNameID
- Click Show values and enter the same nameID expression as earlier, omitting the label
Listing 7. Authorization policy setNameID() attribute's example value

${nameID.format('hetu').nameQualifier ('tupas.group').spNameQualifier('tupas.group').spProvidedID(method.CUSTID).value(method.CUSTID)}

...
Figure 1. workflow.policy modifications
Listing 8. Authorization policy setNameID() with references to original NameID, read from the username object

${nameID.format('hetu').value(method.CUSTID).spProvidedID(username.spProvidedID).spNameQualifier(username.spNameQualifier).nameQualifier(username.nameQualifier)}

...
This use case may arise from various business requirements. For example, two authentication methods may be required to work in a common domain and a third one in a separate domain, or some authentication methods in a common domain may supply the same identifying attribute under different names. In these cases it is necessary to register specialized User Mapping Tables for each authentication method.
In the example below, the previously defined specialized Ubilogin Service Mapping Entry has been registered to the method tupas.test.1 using an LDIF like the following:
Listing 9. Modifying tupas.test.1 method to offer federation

dn: cn=tupas.test.1,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
changetype: modify
replace: ubiloginLDAPURLUserMappingTableDN
ubiloginLDAPURLUserMappingTableDN: cn=CustomerID User Mapping,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
-

Now, a third authentication method, let's call it myidp.test.1, is required to operate with a different federation configuration, so the following LDIFs need to be imported.
Listing 10. LDIF block creating a new User Mapping Table

dn: cn=MyIDP User Mapping,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
changetype: add
objectClass: top
objectClass: ubiloginLDAPURLUserMappingTable
cn: MyIDP User Mapping

This authentication method operates in its own domain, so it can simply rely on the NameID formed by default.
Listing 11. LDIF block creating a new Ubilogin Service User Mapping Entry

dn: cn=12341234-706e-419f-adf8-d31f182bcffa,cn=MyIDP User Mapping,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
changetype: add
objectClass: ubiloginServiceUserMappingEntry
objectClass: ubiloginServiceReference
objectClass: top
ubiloginServiceDN: cn=CustomerID Federation,cn=Services,ou=System,cn=Ubilogin,dc=example,dc=com
ubiloginServiceInputParameter: subject ${nameID}
cn: 12341234-706e-419f-adf8-d31f182bcffa

Next, register the User Mapping Table to the authentication method myidp.test.1.
Listing 12. Modifying myidp.test.1 method to offer federation

dn: cn=myidp.test.1,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
changetype: modify
replace: ubiloginLDAPURLUserMappingTableDN
ubiloginLDAPURLUserMappingTableDN: cn=MyIDP User Mapping,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
-

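As a pre-import check (added example, not Ubisecure code), the following Python walks the chain the listings above build, service, user mapping table, mapping entry and authentication method, and reports a mapping entry whose parent is not a mapping table, a ubiloginServiceDN that names no ubiloginService, or a method whose ubiloginLDAPURLUserMappingTableDN points at a table that does not exist; any of these leaves the method without a working federation mapping. It assumes every referenced entry is present in the LDIF text passed in, and that DNs contain no escaped commas and no base64 ("::") values.

```python
# Added example, not Ubisecure code: checks the federation chain
# service -> user mapping table -> mapping entry -> authentication method.
# Assumes DNs contain no escaped commas and no base64 ('::') attribute values.

def parse_ldif(text):
    """Parse LDIF into {attr: [values]} records; a new record starts at each 'dn:' line."""
    records = []
    for line in text.splitlines():
        if line.strip() not in ("", "-") and not line.startswith("#"):  # skip separators/comments
            key, _, val = line.partition(":")
            if key.strip().lower() == "dn" or not records:
                records.append({})
            records[-1].setdefault(key.strip().lower(), []).append(val.strip())
    return records

def norm_dn(dn):
    """Lower-case the DN and drop whitespace around '=' and ',' (LDAP compares DNs case-insensitively)."""
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")).lower()

def check_federation_ldif(text):
    """Return a list of problems; an empty list means the mapping chain is consistent."""
    by_dn = {norm_dn(r["dn"][0]): r for r in parse_ldif(text) if "dn" in r}
    cls = {dn: {v.lower() for v in r.get("objectclass", [])} for dn, r in by_dn.items()}
    tables = {dn for dn in by_dn if "ubiloginldapurlusermappingtable" in cls[dn]}
    services = {dn for dn in by_dn if "ubiloginservice" in cls[dn]}
    problems = []
    for dn, r in by_dn.items():
        if "ubiloginserviceusermappingentry" in cls[dn]:
            if dn.partition(",")[2] not in tables:  # entry must sit directly under a mapping table
                problems.append(f"{dn}: parent is not a ubiloginLDAPURLUserMappingTable")
            if norm_dn(r.get("ubiloginservicedn", [""])[0]) not in services:
                problems.append(f"{dn}: ubiloginServiceDN is not a registered ubiloginService")
        for ref in r.get("ubiloginldapurlusermappingtabledn", []):  # method -> table reference
            if norm_dn(ref) not in tables:
                problems.append(f"{dn}: mapping table {ref!r} does not exist")
    return problems

# Constructed sample: the MyIDP chain of Listings 1, 10, 11 and 12; the stray space after
# 'cn=' in the entry DN is deliberate, to show that DN normalisation tolerates it.
SAMPLE_LDIF = """\
dn: cn=CustomerID Federation,cn=Services,ou=System,cn=Ubilogin,dc=example,dc=com
objectClass: ubiloginService

dn: cn=MyIDP User Mapping,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
objectClass: ubiloginLDAPURLUserMappingTable

dn: cn=12341234-706e-419f-adf8-d31f182bcffa,cn= MyIDP User Mapping,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
objectClass: ubiloginServiceUserMappingEntry
ubiloginServiceDN: cn=CustomerID Federation,cn=Services,ou=System,cn=Ubilogin,dc=example,dc=com

dn: cn=myidp.test.1,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
ubiloginLDAPURLUserMappingTableDN: cn=MyIDP User Mapping,cn=Server,ou=System,cn=Ubilogin,dc=example,dc=com
"""
```

Run check_federation_ldif on the concatenated LDIF files before importing them; a non-empty list names the entry to fix.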
Importing LDIF to Ubisecure Directory
Listing 13. Importing LDIF file to Ubisecure Directory (Linux)

cd /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap
./import.sh /path/to/file.ldif

Listing 14. Importing LDIF file to Ubisecure Directory (Windows)

cd /D "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap\adam"
import.cmd C:\path\to\file.ldif

Language keys for User Driven Federation
Listing 15. UDF language keys in i18n/uas.properties

CONFIRM_INTRO_TITLE = Create Account Link
CONFIRM_INTRO_TEXT = Before entering the requested service you can link your external identity with your existing user permanently.
CONFIRM_HELP_TITLE = Help
CONFIRM_HELP_TEXT = The account you used has not been linked to your existing account. Please save the link and continue to the service.
CONFIRM_HELP_LINKS =
CONFIRM_LOGIN_TITLE = Account Settings
CONFIRM_LOGIN_TEXT = Please select to remember the account link.
CONFIRM_LOGIN_PERSISTENT_TEXT = Remember this next time

Listing 16. UDF language keys in i18n/errors.properties

FEDERATION_MISSING = No federated account found

Listing 17. UDF language keys in template/messages/federation.properties

MENU_LOGIN_TITLE = Already have an account?
MENU_LOGIN_TEXT = Please enter your existing username and password.
MENU_HELP_TITLE = Help
MENU_HELP_TEXT = The account you used to log in hasn't been used before at this service. If you already have an existing local account, please sign in with your username and password above to link your account. Please sign in with your existing username and password or register a new account.
MENU_HELP_LINKS = <li><a href="javascript:view.navigate('register.account')">Register</a></li><li><a href="javascript:view.navigate('password.reset')">Password Reset</a></li>
PASSWORD_HELP_TITLE = Help
PASSWORD_HELP_TEXT = The account you used to log in hasn't been used before at this service. If you already have an existing local account, please sign in with your username and password above to link your account. If you don't have an account, please create one by registering.

Listing 18. UDF configuration keys in template/default/federation.properties

title = Ubisecure SSO
usemethodgroups = true
links = federation.links

Listing 19. UDF configuration keys in custom/template.index

federation = templates/federation.properties

Listing 20. UDF configuration keys in template/default/federation.links

register.account.url = https://cid.example.com/eidm2/wf/protection/1
register.account.methods = password.1 password.2, tupas.test.1

The configuration above defines which registration users are redirected to when they should be able to create their user accounts on the fly. The configuration options detailed in the Ubisecure CustomerID Configuration document can be used extensively here; refer to it for further documentation. If you want to use the attributes of the external authentication method in the registration, or to link the authentication method automatically during registration, use a protection URL definition here instead of a direct registration URL. So instead of, for example, "https://cid.example.com/eidm2/wf/register/udf", use something like "https://cid.example.com/eidm2/wf/protection/1". You then need to configure the protection so that it forwards to the correct registration.
Listing 21. UDF configuration keys in protection.properties

protection.1.methods = password.2, tupas.test.1
protection.1.sso.template = udf
protection.1.continue = https://cid.example.com/eidm2/wf/register/udf
protection.1.customeriduseronly = false

...