Comment: Published by Scroll Versions from space IDS and version 8.2

...

In the future, it will be possible for the end user, or a caller of the REST interface, to terminate the linking.


Preventing Disabled Users from Logging in With User Driven Federation

When using UDF, the status of the user account in the local user directory is checked only during the initial authentication, before the mapping is stored in the Federation Table. Once the user has accepted storing the mapping, the account status is not checked again on subsequent federated logins. This means that a user who is disabled in the local directory after completing User Driven Federation can still log in successfully by federating with their remote account.

This can be prevented by configuring the application's Authorization Policy so that the user is authorized only if the local account is enabled.

Note that the CustomerID documentation also contains similar instructions in the document CustomerID User Driven Federation, which apply to CustomerID users. If you are using CustomerID, it is recommended to follow the instructions there instead.

  1. Define an attribute "enabled" whose value is "true" if the user is not disabled, and null if the user is disabled.
    1. Active Directory: ${(user.userAccountControl.getFirst() % 4) > 1 ? null : 'true'}
       (The modulo keeps the two lowest bits of userAccountControl; a remainder greater than 1 means the ACCOUNTDISABLE flag, 0x0002, is set.)
    2. Ubilogin Directory: ${user.ubiloginEnabled == 'true' ? 'true' : null}
    3. SQL Directory: ${user.enabled == 'true' ? 'true' : null}
      1. The SQL schema must be defined so that the UbiloginAuthorizer view returns the value "true" for the attribute "enabled" when the user is enabled, and no value (null) otherwise.

  2. Set the attribute "enabled" as a Required Attribute in the Authorization Policy. Authorization then fails whenever the attribute evaluates to null, which is exactly the disabled case.
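The following is an added example, not Ubilogin code or part of the original page. It models the three "enabled" expressions and the Required Attribute rule in plain Python so the arithmetic can be checked offline: in particular that the Active Directory expression `(userAccountControl % 4) > 1` is equivalent to testing the ACCOUNTDISABLE bit (0x0002), and that a missing or non-"true" directory value also results in a deny. The sample users, their userAccountControl values and the function names are constructed for the example.

```python
# Added example: reference model of the "enabled" attribute expressions and
# the Required Attribute check described above. Not Ubilogin/Ubisecure code.

ACCOUNTDISABLE = 0x0002  # userAccountControl flag set on a disabled AD account


def enabled_from_ad(user_account_control: int):
    """Active Directory: ${(user.userAccountControl.getFirst() % 4) > 1 ? null : 'true'}

    The modulo keeps the two lowest bits (SCRIPT=0x0001, ACCOUNTDISABLE=0x0002);
    a remainder above 1 means ACCOUNTDISABLE is set, so the attribute is null.
    """
    return None if (user_account_control % 4) > 1 else 'true'


def enabled_from_flag(value):
    """Ubilogin Directory / SQL: ${user.<attr> == 'true' ? 'true' : null}

    A string comparison: anything other than the literal 'true' (including a
    missing attribute, modelled here as None) yields null.
    """
    return 'true' if value == 'true' else None


def authorize(attributes: dict, required=('enabled',)) -> bool:
    """Required Attribute semantics: the policy authorizes only when every
    required attribute is present with a non-null value."""
    return all(attributes.get(name) is not None for name in required)


def modulo_matches_bitmask(limit: int = 1 << 20) -> bool:
    """Confirm that the modulo trick agrees with an explicit bit test for every
    non-negative userAccountControl value below `limit`."""
    return all(
        ((uac % 4) > 1) == bool(uac & ACCOUNTDISABLE)
        for uac in range(limit)
    )


# Constructed sample data (hypothetical users, not real directory content).
SAMPLE_AD_USERS = {
    'alice': 512,    # NORMAL_ACCOUNT
    'bob': 514,      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    'carol': 66048,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    'dave': 66050,   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
}

SAMPLE_FLAG_USERS = {
    'erin': 'true',   # ubiloginEnabled / enabled column = 'true'
    'frank': 'false',
    'grace': None,    # attribute absent: treated the same as disabled
}


def ad_decisions() -> dict:
    """Authorization decision per AD sample user after the policy is applied."""
    return {name: authorize({'enabled': enabled_from_ad(uac)})
            for name, uac in SAMPLE_AD_USERS.items()}


def flag_decisions() -> dict:
    """Authorization decision per Ubilogin Directory / SQL sample user."""
    return {name: authorize({'enabled': enabled_from_flag(value)})
            for name, value in SAMPLE_FLAG_USERS.items()}


if __name__ == '__main__':
    for name, ok in {**ad_decisions(), **flag_decisions()}.items():
        print(f'{name}: {"authorized" if ok else "denied"}')
```

Note that the Active Directory expression only looks at the ACCOUNTDISABLE flag of userAccountControl. Accounts that have expired (accountExpires) or are currently locked out (lockoutTime) are not covered by it; if those states should also block federated logins, the policy needs additional attributes for them.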