Comment: Published by Scroll Versions from space IDS and version 8.2

...

Currently, the user account status in the local user directory is checked only during the initial authentication, before the mapping is stored in the Federation Table. If the user accepts storing the mapping, account status is not checked for subsequent federations. This means that any user who has been disabled in the local directory after authenticating for User Driven Federation can still log in successfully when federating with their remote account. This can be prevented by configuring the application's Authorization Policy so that the user is authorized only if the account is enabled. The procedure is described on the UDF documentation page.

8.2.19 and 8.2.24 only: Access blocked to SSO with HTTP-POST for users that use Chrome

SSO blocks all POST requests sent from the Chrome browser that originate from a website whose second-level domain name differs from that of SSO. The workaround is to comment out the <filter-mapping> whose <filter-name> is org.apache.catalina.filters.CorsFilter#disabled in the file ubilogin-sso/ubilogin/webapps/uas/WEB-INF/web.xml.


<!-- THESE LINES ARE COMMENTED OUT
<filter-mapping>
    <filter-name>org.apache.catalina.filters.CorsFilter#disabled</filter-name>
    <servlet-name>com.ubisecure.ubilogin.sso.ui.conversation.logout.UbiloginLogoutConversationServlet</servlet-name>
    <servlet-name>com.ubisecure.saml2.trace.TraceServlet</servlet-name>
    <servlet-name>com.ubisecure.ubilogin.sso.ui.servlet.InfoServlet</servlet-name>
    <servlet-name>com.ubisecure.ubilogin.sso.ui.servlet.saml2.SessionRelayServlet</servlet-name>
    <servlet-name>com.ubisecure.ubilogin.sso.ui.servlet.v0.MainServlet</servlet-name>
    <servlet-name>com.ubisecure.ubilogin.sso.ui.conversation.authn.AuthnConversationServlet</servlet-name>
    <servlet-name>com.ubisecure.ubilogin.sso.ui.servlet.saml2.SingleSignOnServlet</servlet-name>
    <servlet-name>com.ubisecure.ubilogin.sso.ui.servlet.saml2.ServiceProviderServlet</servlet-name>
    <servlet-name>com.ubisecure.ubilogin.sso.ui.servlet.DiscoveryResponseServlet</servlet-name>
    <servlet-name>com.ubisecure.ubilogin.sso.ui.servlet.ReturnServlet</servlet-name>
    <servlet-name>com.ubisecure.ubilogin.sso.ui.servlet.LandingPageServlet</servlet-name>
    <servlet-name>com.ubisecure.ubilogin.sso.ui.servlet.wsf.PassiveRequestorServlet</servlet-name>
    <servlet-name>SSO_ECP</servlet-name>
    <servlet-name>com.ubisecure.ubilogin.sso.ui.servlet.oauth2.AuthorizationServlet</servlet-name>
    <servlet-name>com.ubisecure.ubilogin.sso.ui.servlet.tupas.TupasIdentificationServlet</servlet-name>
    <servlet-name>servlet.saml2.NamesServlet</servlet-name>
</filter-mapping>
-->


After editing the file, you must run ubilogin-sso/ubilogin/config/tomcat/update.[sh|cmd]
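A check that can be run on web.xml before the update script, to confirm that the mapping is really inactive and that the comment markers did not leave the file malformed. This is an added example, not Ubisecure code. The function names (local, active_mappings, check) are hypothetical, and the sample documents, including the web-app namespace, are constructed.

```python
import xml.etree.ElementTree as ET

FILTER_NAME = "org.apache.catalina.filters.CorsFilter#disabled"  # name given on the page

def local(tag):
    """Drop a namespace prefix: '{uri}filter-mapping' -> 'filter-mapping'."""
    return tag.rsplit("}", 1)[-1]

def active_mappings(web_xml, filter_name=FILTER_NAME):
    """Servlet names of every filter-mapping for filter_name that is still live.
    The parser discards comments, so a commented-out mapping is not returned."""
    found = []
    for elem in ET.fromstring(web_xml).iter():
        if local(elem.tag) != "filter-mapping":
            continue
        kids = [(local(c.tag), (c.text or "").strip()) for c in elem]
        if ("filter-name", filter_name) in kids:
            found.append([text for tag, text in kids if tag == "servlet-name"])
    return found

def check(web_xml):
    """'ok' if no live mapping remains, 'still-active' if one does, 'malformed'
    if the edit broke the XML (for example an unclosed or nested comment)."""
    try:
        return "still-active" if active_mappings(web_xml) else "ok"
    except ET.ParseError:
        return "malformed"

# Constructed sample documents (not the shipped web.xml), trimmed to two servlets.
MAPPING = """<filter-mapping>
    <filter-name>org.apache.catalina.filters.CorsFilter#disabled</filter-name>
    <servlet-name>com.ubisecure.ubilogin.sso.ui.servlet.InfoServlet</servlet-name>
    <servlet-name>SSO_ECP</servlet-name>
</filter-mapping>"""
WRAP = '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">\n%s\n</web-app>'
BEFORE = WRAP % MAPPING
AFTER = WRAP % ("<!-- THESE LINES ARE COMMENTED OUT\n" + MAPPING + "\n-->")
# A comment wrapped around a block that already holds a comment: XML comments do not nest.
NESTED = WRAP % ("<!--\n" + MAPPING.replace("</filter-name>", "</filter-name> <!-- note -->", 1) + "\n-->")

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER), ("nested", NESTED)):
        print(label, check(doc))
```

To check the real file, pass its contents to check(), for example the bytes read from ubilogin-sso/ubilogin/webapps/uas/WEB-INF/web.xml.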