...


Once created, select the Hidden checkbox and press Update. This type of Authentication Method should not be selectable by the end-user, because the basic example supports only unsolicited response messages.

Choose the SAML tab and click Upload to upload the SAML AP metadata generated in step XXX to the newly created SAML method. Select the generated XML file.

Choose the Main tab, select Enable and press Update.

Open the settings of the authentication method you just installed and choose the SAML view. Click Upload SAML Metadata and either upload the metadata file samlap/metadata.xml created in section Exporting SAML identity provider metadata or copy and paste the metadata into the textarea shown.

Export the SAML service provider metadata

Click Download SAML Metadata to download the service provider metadata. This file must be saved to the application directory samlap/webapp/WEB-INF/uap/metadata using the filename sp-metadata.xml. In this case, the Ubisecure SSO server is operating in an SP role.

Enable the method for each site that contains the applications that will use this method:

  1. Select the site from the Site Navigator
  2. Select the Methods tab
  3. Choose Add method...
  4. Select the SAML AP Example method.


Enable the method for each application that will allow users authenticated by the custom SAML Authentication Provider to log in.

  1. Select the AgentApplication
  2. Select the Methods tab
  3. Select the check box for the SAML AP Example method
  4. Press Update

...

Code Block
https://www.example.com/uas/saml2/SessionRelayService?entityID=urn:uuid:3A97e9cf6b-5218-4cb8b0b9-bab5d35e6c9b&RelayState=/insert/home/page/here&locale=sv


where:

  • entityID must be the entityID of the application object, as shown in the Ubisecure SSO Management UI
  • RelayState is the relative address on the target application server to which the browser is redirected (so-called deep linking)
  • locale is the language the user is using

You can map this address to a nicer, shorter URL with any other tool (by redirect).

SessionRelayService calls can also be chained:

Code Block
https://sso.example.com/uas/saml2/SessionRelayService?entityID=https://sso.example.com/uas/saml2/names/ac/saml.companyx.1&RelayState=/uas/saml2/SessionRelayService?entityID=urn:uuid:6c524df0-4625-32a8-87ef-705b3523e4b2%26RelayState=/app/protected
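The following is an added example, not code from the Ubisecure documentation or product: it builds single and chained SessionRelayService URLs with the nested RelayState encoded as described above, refuses a RelayState that is not a relative address, and decodes a chained URL hop by hop so the encoding can be checked. The SSO base URL, entityIDs and paths are taken from the examples above; the function names are assumptions.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

SRS_PATH = "/uas/saml2/SessionRelayService"


def is_relative_relay_state(relay_state):
    """RelayState must be a relative address on the target server: a single
    leading '/' and no scheme or authority, so it cannot redirect off-site."""
    return relay_state.startswith("/") and not relay_state.startswith("//")


def session_relay_url(sso_base, entity_id, relay_state, locale=None):
    """Build one SessionRelayService request on the given SSO server (assumed base URL)."""
    if not is_relative_relay_state(relay_state):
        raise ValueError("RelayState must be a relative path: %r" % relay_state)
    params = {"entityID": entity_id, "RelayState": relay_state}
    if locale:
        params["locale"] = locale
    # '/' and ':' are left readable as in the documented examples; '&', '=' and '?'
    # inside a value are percent-encoded so the server does not split on them.
    return sso_base + SRS_PATH + "?" + urlencode(params, safe="/:")


def chained_session_relay_url(sso_base, outer_entity_id, inner_entity_id,
                              final_relay_state, locale=None):
    """Chain two calls: the inner SessionRelayService request becomes the
    RelayState of the outer one. Its '&' must reach the outer server as %26,
    otherwise the outer request would see a second top-level RelayState."""
    if not is_relative_relay_state(final_relay_state):
        raise ValueError("final RelayState must be a relative path")
    inner = SRS_PATH + "?" + urlencode(
        {"entityID": inner_entity_id, "RelayState": final_relay_state}, safe="/:")
    return session_relay_url(sso_base, outer_entity_id, inner, locale)


def relay_chain(url):
    """Decode a possibly chained URL into (entityID, RelayState) pairs, hop by hop,
    to confirm that the nested encoding round-trips."""
    hops = []
    while True:
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        entity_id = query.get("entityID", [None])[0]
        relay_state = query.get("RelayState", [None])[0]
        hops.append((entity_id, relay_state))
        if relay_state and relay_state.startswith(SRS_PATH + "?"):
            url = relay_state  # descend into the nested call
        else:
            return hops
```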

WS-Federation Passive Requester Profile

The WS-Federation Passive Requester Profile is used for initiating a login request. A request is formed at the PassiveRequestorService endpoint:

Code Block
https://www.example.com/uas/wsf/PassiveRequestorService?wa=wsignin1.0&wtrealm={entityID}

The available parameters are:

...


Because the WS-Federation request is not signed and can therefore be spoofed by any party, the integrated application must check each value in the response against the parameters it requested (for example wtrealm) and reject the response if they do not match.

OAuth2

...

Applications

For OAuth2 applications, use the Authorization Request URL to initiate the process and acr_values to select the desired authentication method.

...