Comment: Published by Scroll Versions from space IDS and version 8.2.0

...

  1. Select Home → Global Method Settings (see Figure 1)
  2. Select New Method…
  3. Complete the Add New Method dialog
    1. Title: A human readable name describing this method. Shown in the management user interface and possibly in the end user interface if no localization is available.
    2. Name: A unique system reference to this directory. This is used by administrators to identify this authentication method. Typical values are, for example: password.ad, password.ad.prod, password.ad.test, password.customer1
    3. Method Type: Select SPI Password
      1. Method Class: This will be automatically filled in.
    4. Directory: Select the AD directory made in the previous step.
  4. Press OK

    Figure 1. Adding an AD Password Method


  5. The method configuration screen is shown, see Figure 2.

  6. SAML Authentication Context and SAML NameID Policy related configurations are described in the SSO Management documentation. Changes to these settings are typically not required.
  7. Tick Enabled to enable the method
  8. Hidden will remove this method from any system generated authentication method selection menus. This is described in more detail in the SSO Management documentation. By default this is unselected.
  9. Limit Method Visibility specifies to which IP netmask ranges this method will be shown in any system generated authentication method selection menus. Leave blank to show the method to all IP addresses. For AD password methods in a corporate environment, this is typically set to the netmask of domain users. This is described in more detail in the SSO Management documentation. By default this is unselected.
  10. The Account Lockout Policy settings are ignored for AD installations. All account policy changes are performed in the Active Directory Group Policy settings of Windows.
  11. Further configuration can be made using the Configuration String settings. Default settings are adequate for most installations. Possible configurations are described below.
  12. Press Update to record the settings.

    Figure 2. Configuring AD Password Method


    Listing 1. Example configuration string settings that can be used on the authentication method level if not already defined in the Directory Service (AD Directory)

        directory.account.login=mail
        policy.password.protocol=ActiveDirectoryLds
        policy.password.expiring=36000


    • Configuration string settings
        • policy.password.expiring → Most of the password policy settings are defined only in Active Directory. However, the AD authentication method LDAP object has a separate policy setting controlling the pre-expiration password change option. If the user's password is older than this, the user is given a chance to change the password. The value is in minutes; 36000 means the warning will occur 25 days prior to expiration. OPTIONAL.
        • directory.account.login → Specifies the name of the user attribute to be used for the username lookup. Any user attribute which uniquely identifies the user may be used. If more than one user has the same value in the attribute, login will fail with an error.
          For example, to allow an AD user to login using their email address as the username, set this value to mail.
          For example, to allow an AD user to login using their mobile phone number as the username, set this value to mobile. OPTIONAL.
          By default, samAccountName is used. Other typical values include:
          • uid
          • samAccountName
          • mobile
          • mail
        • policy.password.protocol → The password protocol that should be used for this integration. Possible values are: ActiveDirectory, ActiveDirectoryLds, ActiveDirectoryDs. The default value is ActiveDirectoryDs. OPTIONAL.
  13. The SPI Password tab is not used for AD Integration. Password encoding is configured in Active Directory. This value is ignored.

  14. The Sites tab lists which sites may use this method. To activate the method for a site:
    1. Open a site from the Site Navigator
    2. Select the Site Methods tab
    3. Press Add Method…
    4. Select the newly created AD Method and press OK (See Figure 3)
    5. The AD Method is now added to the site, and the site is visible from the AD Method's Sites tab (see Figure 4)

      Figure 3. Activating the AD Password Method for a site


      Figure 4. The AD Password Method can only be in the Sites shown in sites tab


  15. The Groups tab lists which Ubilogin groups users of this method will be assigned to. Group Members settings are described in more detail in the SSO Management documentation. These settings are made from within the Methods tab of Groups.

...

  1. Select Home → Global Method Settings (see Figure 5)
  2. Select New Method…
  3. Complete the Add New Method dialog
    1. Title: A human readable name describing this method. Shown in the management user interface and possibly in the end user interface if no localization is available.
    2. Name: A unique system reference to this directory. This is used by administrators to identify this authentication method. Typically values are for example: otp.ad.1, otp.ad.prod, otp.ad.test, otp.customer1, ubikey.otp.1
    3. Method Type: Select SPI Ubikey OTP Printout
      1. Method Class: This will be automatically filled in.
    4. Directory: Select the AD directory made in the previous step.
  4. Press OK

    Figure 5. Adding an AD OTP Printout Method


  5. The method configuration screen is shown, see Figure 6.

  6. SAML Authentication Context and SAML NameID Policy related configurations are described in the SSO Management documentation. Changes to these settings are typically not required.
  7. Tick Enabled to enable the method
  8. Hidden will remove this method from any system generated authentication method selection menus. This is described in more detail in the SSO Management documentation. By default this is unselected.
  9. Limit Method Visibility specifies to which IP netmask ranges this method will be shown in any system generated authentication method selection menus. Leave blank to show the method to all IP addresses. For AD password methods in a corporate environment, this is typically set to the netmask of domain users. This is described in more detail in the SSO Management documentation. By default this is unselected.
  10. The Account Lockout Policy settings here apply to the OTP code entry part of the login process.
    1. Lockout Threshold (attempts): How many times an incorrect OTP number can be entered before the account is locked.
    2. Lockout Duration (minutes): How many minutes an account is locked for, if the lockout threshold is exceeded. You can specify that the account will be locked out until a System Administrator or a Site Manager explicitly unlocks it by setting the value to 0.
  11. Set the password method to use with this OTP method in the Configuration string section. Note that this is not mandatory if the password method name has already been set in the used Directory Service (AD Directory). 

        password-name=password.ad.1

    Further configuration can be made using the Configuration String settings described below.

  12. Press Update to record the settings. Some settings are updated to the Configuration String section.
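The Account Lockout Policy in step 10 has one edge case worth seeing in code: a Lockout Duration of 0 does not mean "no lockout", it means the account stays locked until a System Administrator or Site Manager unlocks it. The following is an added illustration written for this page, not Ubisecure's implementation; the class names, the user names and the timestamps are constructed, and it models only the two settings the page describes (threshold in attempts, duration in minutes).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    """The two Account Lockout Policy fields on the OTP method screen."""
    threshold: int         # Lockout Threshold (attempts)
    duration_minutes: int  # Lockout Duration (minutes); 0 = locked until explicitly unlocked


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None  # set for a timed lockout
    admin_lock: bool = False                 # set when the duration is 0


class OtpLockoutTracker:
    """Model (not Ubisecure's code) of how the lockout settings gate OTP entry."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        s = self._state(user)
        if s.admin_lock:
            return True
        if s.locked_until is None:
            return False
        if now >= s.locked_until:
            # the timed lockout has elapsed: clear the lock and the failure counter
            s.locked_until = None
            s.failures = 0
            return False
        return True

    def record_attempt(self, user: str, otp_correct: bool, now: datetime) -> str:
        """Returns 'locked', 'ok' or 'fail' for one OTP entry."""
        if self.is_locked(user, now):
            return "locked"
        s = self._state(user)
        if otp_correct:
            s.failures = 0
            return "ok"
        s.failures += 1
        if s.failures >= self.policy.threshold:
            if self.policy.duration_minutes == 0:
                s.admin_lock = True
            else:
                s.locked_until = now + timedelta(minutes=self.policy.duration_minutes)
            return "locked"
        return "fail"

    def admin_unlock(self, user: str) -> None:
        """What a System Administrator or Site Manager does for a duration-0 lockout."""
        self.accounts[user] = AccountState()


def demo_timed_lockout() -> list:
    """Threshold 3, duration 15 min: the third wrong OTP locks, the lock expires after 15 min."""
    t0 = datetime(2011, 7, 1, 10, 30)  # constructed timestamp
    tracker = OtpLockoutTracker(LockoutPolicy(threshold=3, duration_minutes=15))
    results = [tracker.record_attempt("alice", False, t0 + timedelta(minutes=i)) for i in range(3)]
    results.append(tracker.is_locked("alice", t0 + timedelta(minutes=10)))           # still locked
    results.append(tracker.record_attempt("alice", True, t0 + timedelta(minutes=18)))  # lock elapsed
    return results


def demo_indefinite_lockout() -> list:
    """Duration 0: the account stays locked until admin_unlock, however long you wait."""
    t0 = datetime(2011, 7, 1, 10, 30)  # constructed timestamp
    tracker = OtpLockoutTracker(LockoutPolicy(threshold=3, duration_minutes=0))
    for i in range(3):
        tracker.record_attempt("bob", False, t0 + timedelta(minutes=i))
    still_locked = tracker.is_locked("bob", t0 + timedelta(days=30))
    tracker.admin_unlock("bob")
    return [still_locked, tracker.is_locked("bob", t0 + timedelta(days=30))]


if __name__ == "__main__":
    print(demo_timed_lockout())       # ['fail', 'fail', 'locked', True, 'ok']
    print(demo_indefinite_lockout())  # [True, False]
```

The practical consequence of the model: with duration 0 a user who mistypes the OTP threshold times generates a helpdesk ticket rather than a wait, so pick that value only where an explicit unlock step is acceptable operationally.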

...

    • password-name → This configuration parameter contains the name of the password method that is used by the OTP method. MANDATORY (if not set in the used Directory Service).
    • policy.password.expiring → As the AD OTP authentication method uses the AD password authentication method, configuration options can also be defined for the password authentication part, so the password expiry warning can be defined here as well. If the user's password is older than this, the user is given a chance to change the password. The value is in minutes. OPTIONAL.
    • directory.account.login → Specifies the name of the user attribute to be used for the username lookup. OPTIONAL. Any user attribute which uniquely defines the user may be used. If more than one user has the same value in the attribute, login will fail with an error.
      For example, to allow an AD user to login using their email address as the username, set this value to mail.
      For example, to allow an AD user to login using their mobile phone number as the username, set this value to mobile.
      By default, SAMAccountName is used. Other typical values include:
        • uid
        • samAccountName
        • mobile
        • mail


Listing 2. Example configuration string settings for OTP printout

    policy.password.expiring=36000
    password-name=password.ad.1
    directory.account.login=mail

...

The Active Directory SMS Password authentication method allows you to authenticate with username, password and a one-time password sent to a mobile phone. The password used is stored in Active Directory.

This authentication method is not installed by default and must be added to Ubisecure Management application.

To add the AD SMS Method, use the Ubisecure Management application with an Administrator account:

  1. Select Home → Global Method Settings (see Figure 8)
  2. Select New Method…
  3. Complete the Add New Method dialog
    1. Title: A human readable name describing this method. Shown in the management user interface and possibly in the end user interface if no localization is available.
    2. Name: A unique system reference to this directory. This is used by administrators to identify this authentication method. Typically values are for example sms.ad.1, sms.ad.prod, sms.ad.test, sms.customer1
    3. Method Type: Select SPI Mobile Phone
      1. Method Class: This will be automatically filled in.
    4. Directory: Select the previously created AD directory from the Services menu.
  4. Press OK

    Figure 8. Adding an AD SMS Method


  5. The method configuration screen is shown, see Figure 9.

  6. SAML Authentication Context and SAML NameID Policy related configurations are described in the SSO Management documentation. Changes to these settings are typically not required.
  7. Tick Enabled to enable the method
  8. Hidden will remove this method from any system generated authentication method selection menus. This is described in more detail in the SSO Management documentation. By default this is unselected.
  9. Limit Method Visibility specifies to which IP netmask ranges this method will be shown in any system generated authentication method selection menus. Leave blank to show the method to all IP addresses. For AD password methods in a corporate environment, this is typically set to the netmask of domain users. This is described in more detail in the SSO Management documentation. By default this is unselected.
  10. The Account Lockout Policy settings here apply to the OTP code entry part of the login process.
    1. Lockout Threshold (attempts): How many times an incorrect OTP number can be entered before the account is locked.
    2. Lockout Duration (minutes): How many minutes an account is locked for, if the lockout threshold is exceeded. You can specify that the account will be locked out until a System Administrator or a Site Manager explicitly unlocks it by setting the value to 0.
  11. Set the password method to use with this SMS method in the Configuration string section. Note that this is not mandatory if the password method name has already been set in the used Directory Service (AD Directory). 

        password-name=password.ad.1

    Further configuration can be made using the Configuration String settings described below.


  12. Press Update to record the settings. Some settings are updated to the Configuration String section.

    Figure 9. Configuring AD SMS Printout Method


Select the SPI Mobile Phone tab to set the SMS gateway option as seen in Figure 13. This value depends on your SMS gateway. An example is shown here:

    http://localhost:7080/smsgateway/sendsms?to={mobile}&content={challenge}

...

{mobile} will be replaced with the user mobile phone number as visible in AD.

{challenge} will be replaced with a localized message containing the OTP. The message text can be configured using the SMS_TEXT key. Refer to SSO UI Customization for more information.
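The placeholder substitution above puts a phone number and a free-text localized message into a URL query string, so the values have to be percent-encoded before they are inserted: an unencoded `+` in the number decodes to a space, and an `&` or `=` in the SMS_TEXT message splits the query. The script below is an added illustration for this page, not part of Ubisecure SSO; the gateway template is the one from the page, while the SMS_TEXT wording, the `{otp}` placeholder inside it and the phone number are constructed assumptions.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Gateway template as given on the page; {mobile} and {challenge} are the two placeholders.
GATEWAY_TEMPLATE = "http://localhost:7080/smsgateway/sendsms?to={mobile}&content={challenge}"

# Constructed stand-in for the SMS_TEXT message (the real text is set in SSO UI Customization);
# the {otp} placeholder is an assumption of this example, not a documented key.
SMS_TEXT = "Your one-time password is {otp} & it expires in 5 min"


def render_challenge(otp: str, sms_text: str = SMS_TEXT) -> str:
    """Build the localized message carrying the OTP, i.e. the {challenge} value."""
    return sms_text.replace("{otp}", otp)


def build_gateway_url(mobile: str, challenge: str, template: str = GATEWAY_TEMPLATE) -> str:
    """Substitute the placeholders with percent-encoded values so that '&', '+', '='
    or spaces inside the message or the number cannot alter the query string."""
    return (template
            .replace("{mobile}", quote(mobile, safe=""))
            .replace("{challenge}", quote(challenge, safe="")))


def build_gateway_url_naive(mobile: str, challenge: str, template: str = GATEWAY_TEMPLATE) -> str:
    """Plain string substitution, kept only to show what goes wrong without encoding."""
    return template.replace("{mobile}", mobile).replace("{challenge}", challenge)


def gateway_params(url: str) -> dict:
    """What the gateway sees after decoding the query string (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    mobile = "+358401234567"  # constructed number in the international form AD might hold
    challenge = render_challenge("483920")
    good = gateway_params(build_gateway_url(mobile, challenge))
    bad = gateway_params(build_gateway_url_naive(mobile, challenge))
    print(good)  # both values arrive intact
    print(bad)   # '+' became a space and the message was cut at '&'
```

Whether Ubisecure SSO encodes the substituted values itself is not stated on the page; the check to make during deployment is to send a test message whose text contains `&` and a number with a leading `+`, and confirm in the gateway's log that both arrived intact.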

...

    • password-name → This configuration parameter contains the name of the password method that is used by the SMS method. MANDATORY (if not set in the used Directory Service).
    • policy.password.expiring → As the AD SMS authentication method uses the AD password authentication method, configuration options can also be defined for the password authentication part. If the user's password is older than this, the user is given a chance to change the password. The value is in minutes. OPTIONAL.
    • directory.account.login → Specifies the name of the user attribute to be used for the username lookup. OPTIONAL.
      Any user attribute which uniquely defines the user may be used. If more than one user has the same value in the attribute, login will fail with an error.
      For example, to allow an AD user to login using their email address as the username, set this value to mail.
      For example, to allow an AD user to login using their mobile phone number as the username, set this value to mobile.
      By default, SAMAccountName is used. Other typical values include:
      • uid
      • samAccountName
      • mobile
      • mail

Listing 3. Example configuration string settings for SMS

    policy.password.expiring=36000
    password-name=password.ad.1
    directory.account.login=mail
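Listings 1 to 3 and the key descriptions for the password, OTP printout and SMS methods share one small grammar (key=value lines, three allowed protocol values, an expiry lead time in minutes, a password-name that is mandatory for the OTP and SMS methods unless the Directory Service supplies it). The parser and validator below are an added example for this page, not Ubisecure's own code; they assume only the keys, defaults and allowed values the page documents, and they strip surrounding whitespace because Listings 2 and 3 carry trailing spaces that would otherwise end up inside the values.

```python
from typing import Dict, List, Optional, Tuple

# Keys documented on this page for the AD password, OTP printout and SMS methods.
KNOWN_KEYS = {"directory.account.login", "policy.password.protocol",
              "policy.password.expiring", "password-name"}
PASSWORD_PROTOCOLS = {"ActiveDirectory", "ActiveDirectoryLds", "ActiveDirectoryDs"}
DEFAULTS = {"directory.account.login": "samAccountName",
            "policy.password.protocol": "ActiveDirectoryDs"}
MINUTES_PER_DAY = 24 * 60


def parse_config_string(text: str) -> Dict[str, str]:
    """Parse key=value lines; surrounding whitespace is stripped from key and value."""
    settings: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        settings[key.strip()] = value.strip()
    return settings


def validate_config(settings: Dict[str, str], method_kind: str,
                    directory_password_name: Optional[str] = None) -> Tuple[Dict[str, str], List[str]]:
    """method_kind is 'password', 'otp' or 'sms'. directory_password_name is the password
    method name already set in the AD Directory Service, if any. Returns the effective
    settings (defaults applied) and a list of problems found."""
    problems: List[str] = []
    effective = dict(DEFAULTS)
    effective.update(settings)

    for key in settings:
        if key not in KNOWN_KEYS:
            problems.append(f"unknown key: {key}")

    protocol = effective["policy.password.protocol"]
    if protocol not in PASSWORD_PROTOCOLS:
        problems.append(f"policy.password.protocol={protocol!r} is not one of {sorted(PASSWORD_PROTOCOLS)}")

    if not effective["directory.account.login"]:
        problems.append("directory.account.login must name a user attribute")

    expiring = effective.get("policy.password.expiring")
    if expiring is not None:
        if not expiring.isdigit():
            problems.append(f"policy.password.expiring={expiring!r} must be a whole number of minutes")
        else:
            # the warning lead time expressed in days, e.g. 36000 minutes -> 25 days
            effective["policy.password.expiring.days"] = str(int(expiring) / MINUTES_PER_DAY)

    if method_kind in ("otp", "sms"):
        name = effective.get("password-name") or directory_password_name
        if not name:
            problems.append("password-name is mandatory unless set in the Directory Service")
        else:
            effective["password-name"] = name

    return effective, problems


# Listing 3 exactly as written on the page, trailing spaces included.
LISTING_3 = "policy.password.expiring=36000 \npassword-name=password.ad.1 \ndirectory.account.login=mail\n"


if __name__ == "__main__":
    effective, problems = validate_config(parse_config_string(LISTING_3), "sms")
    print(effective)
    print(problems or "no problems found")
```

Run it against a configuration string before pasting it into the Configuration String section; a protocol value with the wrong capitalisation (ActiveDirectoryLDS rather than ActiveDirectoryLds) and an OTP or SMS method with no password-name anywhere are the two mistakes it flags that the management screen accepts silently.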

...

After the service and methods have been installed, check in the diagnostics log whether the added service and authentication methods have started properly. The uas3_diag.yyyy-mm-dd.log file is found in the ubilogin-sso/ubilogin/logs directory, or it can be viewed through the Log Viewer application. Below is an example of a successful initialization.

Listing 4. Example lines from uas3_diag.log

    2011-07-01 10:29:29,010 tech ActiveDirectory: root=dc=ad,dc=example,dc=com
    2011-07-01 10:29:29,011 init password.ad.1: ubilogin.method.provider.spi.DirectoryPasswordMethod: started
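On a host with several AD methods it is easy to miss one that never logged its "started" line. The script below is an added example for this page, not part of Ubisecure SSO: it reads lines in the shape shown in Listing 4 (timestamp, a category word such as tech or init, then the message), records every method that reported started and every AD root, and reports any expected method for which no such line exists. The two sample lines are taken from Listing 4; the third is constructed, and its method class name is a placeholder rather than a real Ubisecure class.

```python
import re
from typing import Dict, List, Tuple

# "<timestamp> <category> <message>"; the category words visible in Listing 4 are 'tech' and 'init'.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\S+) (.*)$")
# "init <method name>: <method class>: started"
INIT_RE = re.compile(r"^([^\s:]+): ([^\s:]+): started$")
# "tech ActiveDirectory: root=<base DN>"
ROOT_RE = re.compile(r"^ActiveDirectory: root=(.+)$")


def parse_diag(lines: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Return {method name: method class} for every started method, and the AD roots seen."""
    started: Dict[str, str] = {}
    roots: List[str] = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # continuation lines, stack traces and the like
        _ts, category, message = m.groups()
        if category == "init":
            im = INIT_RE.match(message)
            if im:
                started[im.group(1)] = im.group(2)
        elif category == "tech":
            rm = ROOT_RE.match(message)
            if rm:
                roots.append(rm.group(1))
    return started, roots


def check_methods_started(lines: List[str], expected: List[str]) -> Dict[str, bool]:
    """Map each expected method name to whether a 'started' line was found for it."""
    started, _ = parse_diag(lines)
    return {name: name in started for name in expected}


# Two lines from Listing 4, then a constructed line for an OTP method
# (the class name is a placeholder, not a real Ubisecure class).
SAMPLE_LOG = [
    "2011-07-01 10:29:29,010 tech ActiveDirectory: root=dc=ad,dc=example,dc=com",
    "2011-07-01 10:29:29,011 init password.ad.1: ubilogin.method.provider.spi.DirectoryPasswordMethod: started",
    "2011-07-01 10:29:29,012 init otp.ad.1: example.placeholder.OtpPrintoutMethod: started",
]


if __name__ == "__main__":
    status = check_methods_started(SAMPLE_LOG, ["password.ad.1", "otp.ad.1", "sms.ad.1"])
    for name, ok in status.items():
        print(f"{name}: {'started' if ok else 'NOT started, check the method and directory configuration'}")
```

The list passed as `expected` should be the Name values entered in the Add New Method dialogs; to run it on a real file, replace SAMPLE_LOG with the lines read from ubilogin-sso/ubilogin/logs/uas3_diag.yyyy-mm-dd.log.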

...

Before enabling AD Methods for an agent application, the methods must be enabled for the site where they will be used. Use the Ubisecure Management application with an Administrator account:

...