Contents
| Table of Content Zone | ||||||
|---|---|---|---|---|---|---|
|
...
Please refer to additional method installation guides for specific configuration instructions.
Main view
|
|---|
| Figure 2: Configuring password authentication method |
...
- Lockout Threshold (attempts)
Specify the number of tries that a user gets to enter in an incorrect password before the account becomes locked out for the time specified below. The default value is five attempts, if the field is left empty. (default value 5) - Lockout Duration (minutes)
Specify the number of minutes a locked out account remains locked out before automatically becoming unlocked. You can specify that the account will be locked out until a System Administrator or a Site Manager explicitly unlocks it by setting the value to 0. (default value 20min) - Configuration String
Name-value properties that can be used to configure method settings that do not have a user interface yet.
Mappings View
The names of the method attribute mapping and directory user mapping tables assigned to the method are shown in the Mappings context window. Refer to the chapters below for more information about assigning and unassigning the mapping tables to the methods.
- Method Attribute Mapping Table
Name of a method attribute mapping table assigned to the method. Attribute mapping table may be accessed by clicking the name. If an attribute mapping table is assigned to the method, only the mapped attributes are available for authorization policies and web applications. If no attribute mapping table is assigned, all method attributes are available. - Directory User Mapping Table
Name of a directory user mapping table assigned to the method. Directory user mapping table may be accessed by clicking the name. - SOSO Configuration
Name of a SOSO configuration assigned to the method. SOSO configuration may be accessed by clicking the name.
Sites View
|
|---|
| Figure 3: Sites view in Ubisecure methods configuration |
...
- Remove
Select the Sites' check box and click Remove to remove this authentication from the selected Ubisecure Sites
Applications View
|
|---|
| Figure 4: Applications view in Ubisecure SSO methods configuration |
...
- Remove
Select the Applications' check box and click Remove to remove this authentication from the selected Ubisecure Applications
Groups View
|
|---|
| Figure 5: Groups view in Ubisecure SSO methods configuration |
...
- Remove
Select the Groups' check box and click Remove to remove this authentication from the selected Ubisecure Groups
Authentication Method Types
The next chapters present the specific configurations for each authentication method type.
SPI Password
The Password authentication method validates users against the current system's Ubisecure Directory . Ubisecure SSO maintains the password expiry and lockout policy based on the Lockout Threshold and Lockout Duration settings in the Main tab.
...
- Password encoding
Define the name of the one-way hashing algorithm that is used to store passwords in the Directory Service used by the password Authentication Method.- Supported values: {SSHA512}, {SHA512}, {SSHA384}, {SHA384}, {SSHA256}, {SHA256}, {SSHA}, {SHA}, {PKCS5S2}, {PBKDF2}, {MD4}, {PLAIN}
- An empty value means that the default password encoding of the Directory Service is used. For example, for SQL it is {SSHA} and for Ubisecure Directory it is {SSHA}. Please consult the specific Directory Integration guide for the default password encoding.
- For Active Directory integrations, the encryption configuration of the Active Directory instance is used explicitly and the value set here is not used.
Password Policy Enhancements
It is possible to tighten password policy further by using any of following settings in the Configuration String section:
...
- policy.password.expiring
Time in minutes before password starts to expire. When this threshold is exceeded, the user will be notified of impending password expiration and password change is offeredTime in minutes before password max-age is reached. When this threshold is exceeded, the user will be notified of impending password expiration.
External Password
External Password authentication method has been deprecated and replaced by the SPI Password method. Use directory.account.login property to configure the attribute by which users are identified in the external directory. Link the SPI Password method to some directory service that configures a connection to an external directory.
External Password methods are described in more depth in the guide SSO External Directory Integration. Please refer also to the following individual guides:
Authentication Provider
The Authentication Provider authentication method type is used for configuring the Windows Single Sign-On authentication method, which uses Windows Authentication Provider software component.
The configuration window for Authentication Provider type authentication method is presented in Figure 7.
...
Please refer to page Windows Authentication Provider for more details on installing and configuring the Windows authentication method.
SPI Mobile Phone
The configuration window for Mobile phone type of authentication method is presented below.
...
- SSO External Directory Integration
- SSO Active Directory Integrationintegration
- SSO Basic basic LDAP Integrationintegration
- SSO Schema Enhanced enhanced LDAP Integrationintegration
- SSO SQL Integrationintegration
Mobile Phone Unregistered
The configuration window for Mobile phone unregistered type of authentication method is presented below. Configuration parameters in the bottom of the page.
...
Please refer to SSO Installation Appendix - SMS for installing and configuring the Mobile Phone unregistered authentication method.
SMTP Unregistered
The configuration window for SMTP unregistered type of authentication method is presented below. Configuration parameters in the bottom of the page.
...
Please refer to Appendix - Unregistered SMTP Authentication Method for installing and configuring the unregistered SMTP authentication method.
Ubisecure OTP Printout
The configuration window for Ubisecure OTP Printout authentication method is presented below.
...
Tupas 2
The configuration window for Tupas 2 type of authentication method is presented below.
...
Please refer to Installing the TUPAS Authentication Methodauthentication method for instructions on installing and configuring the Tupas 2 authentication method.
Discovery Service
The configuration window for Discovery Services is presented below. Configuration is made in the Configuration String setting. Both external SAML Discovery Services (also known as Where Are You From or WAYF services) and Common Domain Cookie discovery are supported. Service Discovery is part of Ubisecure Trust.
...
for instructions on installing and configuring the Discovery Services methods.
SAML
The SAML method permits configuration of a SAML Service Provider in an SAML Identity Provider Proxy configuration. The SAML Method permits an identity from a third-party system to be used on the local system. The SAML Method when used for federation a third-party system is part of the Ubisecure Trust product.
The configuration window for the SAML method type is presented below.
...
The opposite direction, in other words, adding a SAML Service Provider Application to this Ubisecure SSO, is described in page Applications - SSO Management - Applications.
OAuth 2.0
The OAuth 2.0 method permits configuration to Ubisecure SSO to act as a OAuth 2.0 Client in a OAuth 2.0 based use case configuration, eg to to enable external authentication based on authentication of users by certain social media services.
The The Ubisecure OAuth 2.0 Client is currently implemented specifically to enable authentication for users of certain social media services and the protocols are implemented from this standpoint. For more information please refer to the OAuth 2.0 and OpenID Connect 1.0 pages
Deleting a Method
In order to delete an authentication method, it needs to be disabled first. Once disabled, the method can be deleted by clicking delete button in the configuration window.
...