Comment: Published by Scroll Versions from space IDS and version 8.2

Using REST Directory User Mapping for JIT provisioning

Overview

REST Directory User Mapping is an extension to the Directory User Mapping feature in Ubisecure SSO.

Where Directory User Mapping is implemented with LDAP URL patterns, REST Directory User Mapping instead calls a REST service that performs the actual mapping from one or more identity attributes to a directory user account.

REST service description

The request to the REST service is configured using a URL pattern with EL expression input parameters.

...

As of Ubisecure SSO version 6.6 it is only possible to describe an HTTP GET request, so the input parameters are carried in the request URL as shown in the examples below.

URL pattern

Example URL pattern:

Code Block
languagetext
ubiloginServiceTemplate: http://services.example.com/mapping?from=${inparam1}

Input parameters

Example input parameter:

Code Block
languagetext
ubiloginServiceInputParameter: inparam1 ${method.aname}

...

Code Block
languagetext
GET http://services.example.com/mapping?from=extuser1234 HTTP/1.1

Output parameters

Example output parameter:

...

directory.uniqueid is a special, well-known output parameter name. The value of this parameter is used to look up the Directory account that the user is mapped to.

Just In Time provisioning – JIT

To implement JIT provisioning the REST service must provide a get-or-create model.

Get-or-create

The REST service first looks for an existing account. If a valid account is found then the service generates a success response with this account's uniqueid.

If no valid account is found then the REST service creates a new account and generates a success response with the new account's uniqueid.

User attributes

Any number of user attributes may be passed to the JIT service to allow provisioning of user profile details such as first name, last name, e-mail, etc.

...

It is up to the JIT service implementation to perform any validation and sanity checks of the user attributes. They reach the service as request parameters filled in from the external authentication method's identity attributes (for example ${method.aname}), so the service should treat them as untrusted input rather than writing them into the directory as received.

JIT Updates

When mapping to an existing directory account the JIT REST service may also choose to check and update attributes of the existing account.
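The request template expansion described under URL pattern and Input parameters, and the get-or-create, attribute validation and JIT update behaviour described under Just In Time provisioning, as one added example in Python. This is not Ubisecure's code and is not part of the original page; it models both sides. build_request_url expands ${name} placeholders the way the ubiloginServiceTemplate example suggests (that it percent-encodes the substituted values is an assumption of this model, not a statement about how the product builds the request). handle_mapping_request is a hypothetical JIT REST service: it checks the from parameter and the profile parameters against a made-up policy, performs get-or-create against a constructed in-memory directory, refreshes an existing account's attributes, and returns an XML document whose root element is uniqueid, as the service object example expects. The parameter names firstname, lastname and mail, the uniqueid format, the validation limits and the error responses are all assumptions.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit
from xml.sax.saxutils import escape

# ${name} placeholders, as in the ubiloginServiceTemplate example on the page.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")

# Hypothetical validation policy for the JIT service. The page leaves all
# validation to the service implementation, so these limits are assumptions.
NAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[A-Za-z0-9.-]{1,190}$")
ALLOWED_ATTRS = {"firstname": 64, "lastname": 64, "mail": 254}

def build_request_url(template, inparams):
    """Expand ${name} placeholders in a URL pattern with input parameters.
    Percent-encoding the values is an assumption of this model, not a statement
    about the product: ${method.aname} comes from an external identity provider,
    and unencoded 'x&from=admin' would add a second 'from' parameter."""
    def sub(match):
        name = match.group(1)
        if name not in inparams:
            raise KeyError("missing input parameter: " + name)
        return quote(str(inparams[name]), safe="")
    return PLACEHOLDER.sub(sub, template)

class Directory:
    """Constructed in-memory stand-in for a directory such as Ubilogin Directory."""

    def __init__(self):
        self.accounts = {}     # uniqueid -> attribute dict
        self.by_external = {}  # external user name -> uniqueid
        self._seq = 0

    def find(self, external_name):
        return self.by_external.get(external_name)

    def create(self, external_name, attrs):
        self._seq += 1
        uid = "u%06d" % self._seq  # hypothetical uniqueid format
        self.accounts[uid] = dict(attrs, externalName=external_name)
        self.by_external[external_name] = uid
        return uid

    def update(self, uid, attrs):
        # JIT update: refresh profile attributes of an existing account.
        self.accounts[uid].update(attrs)

def validate_attributes(raw):
    """Keep only whitelisted attributes; reject over-long, multi-line or
    malformed values instead of writing them into the directory."""
    clean = {}
    for name, limit in ALLOWED_ATTRS.items():
        value = raw.get(name)
        if value is None:
            continue
        if len(value) > limit or "\n" in value or "\r" in value:
            raise ValueError("attribute %s out of policy" % name)
        if name == "mail" and not EMAIL_RE.match(value):
            raise ValueError("malformed mail attribute")
        clean[name] = value
    return clean

def get_or_create(directory, external_name, attrs):
    """Get-or-create as the page describes it: return the existing account's
    uniqueid (refreshing its attributes), else create one. Returns (uid, created)."""
    uid = directory.find(external_name)
    if uid is not None:
        directory.update(uid, attrs)
        return uid, False
    return directory.create(external_name, attrs), True

def handle_mapping_request(url, directory):
    """Handle GET /mapping?from=<name>[&firstname=..&lastname=..&mail=..] and
    return (status, body). A success body is an XML document whose root element
    is <uniqueid>, which the service object on the page reads into
    directory.uniqueid. The error bodies are an assumption of this example."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if any(len(values) != 1 for values in query.values()):
        return 400, "<error>duplicate parameter</error>"  # never pick one silently
    flat = {k: v[0] for k, v in query.items()}
    external_name = flat.get("from", "")
    if not NAME_RE.match(external_name):
        return 400, "<error>invalid external user name</error>"
    try:
        attrs = validate_attributes(flat)
    except ValueError as exc:
        return 400, "<error>%s</error>" % escape(str(exc))
    uid, _created = get_or_create(directory, external_name, attrs)
    return 200, "<uniqueid>%s</uniqueid>" % escape(uid)

if __name__ == "__main__":
    d = Directory()
    url = build_request_url(
        "http://services.example.com/mapping?from=${inparam1}&mail=${inparam2}",
        {"inparam1": "extuser1234", "inparam2": "user@example.com"})
    print(handle_mapping_request(url, d))  # first call creates the account
    print(handle_mapping_request(url, d))  # second call maps to the same uniqueid
```

Run the module directly to see the same request create an account on the first call and map to the same uniqueid on the second. An externally supplied name such as x&from=admin is encoded before it reaches the service, so it cannot smuggle in a second from parameter, and a literal duplicate parameter is rejected rather than silently merged; both are the checks a practitioner would want around a mapping service that creates directory accounts on demand.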

Configuration – example

At this time no Management User Interface exists for managing REST services. The configuration entries need to be created using LDIF scripts or an LDAP editor.

Directory User Mapping object

Use Ubisecure SSO Management to create a Directory User Mapping object. This example uses name mapping. Bind this mapping object to your external authentication method. Also make sure a Directory is selected for the authentication method. In this example Ubilogin Directory is used.

...

Code Block
languagetext
cn=mapping,cn=Server,ou=System,cn=Ubilogin,dc=localhost

Service object

The service object describes the REST URL pattern and the output parameters.

...

This service expects an input parameter named inparam1. The service returns an output parameter directory.uniqueid with the text value of the XML root element named uniqueid.

Service User Mapping Entry object

Create a service user mapping entry object as a child of the mapping object that was created previously. The name of this object is not significant.

...