...

The second factor method here can be any of

Note that prior to SSO 9.1.0 it was possible to use only password as the first factor method.

...

  1. SAML method or OpenID Connect method to be used as the first factor method.

  2. OTP Printout, TOTP, SMS OTP or OpenID Connect CIBA method to be used as the second factor method.

  3. Management API - SSO enabled, which is needed to link the second factor method to the first factor method.

...

  1. Configure the SAML/OIDC identity provider linked to the first factor method to return an attribute/claim which can be used for finding the directory user.

  2. Link the first factor method to the Directory Service used for registered users.

    PUT /method/oidc.1/$link/directory/Ubilogin%20Directory
    1. Must be the same Directory Service as is used with the second factor method.

  3. Create a Directory User Mapping for the first factor method for mapping unregistered users to registered users.

    PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping
    
    PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping/$link/method/oidc.1
    
    POST /inboundMappingPolicy/ubiloginDirectoryUserMapping
     type=inboundDirectoryMapping
     mappingURL=ldap:///cn=Ubilogin,dc=test??sub?(mobile=%7Bsubject:username%7D)
    1. In the example above, mappingURL uses the filter (mobile={subject:username}) to search for the directory user by the mobile attribute, using the sub claim of the OpenID Connect id_token (for OIDC methods) or the value of the NameID element in the SAML Assertion (for SAML methods).

    2. If the mapping value is provided in another claim or attribute, such as phone_number, then the filter (mobile={attribute:phone_number}) can be used instead.

  4. Link the second factor method as the next factor method for the first factor method.

    PUT /method/oidc.1/$link/nextFactor/method/totp.1
    1. This link cannot be set from the Management UI; it must be set through the Management API.

  5. Link the second factor method to the application site and set it as an allowed method for the application.

    PUT /site/demosite/$link/method/totp.1
    
    PUT /application/demosite/demoapp/$link/method/totp.1
     enabled=true
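As an added example (not from this page and not Ubisecure's own code), the following shows how the mappingURL template from step 3 is built, parsed back into its LDAP URL parts, and resolved against claims from the first factor. The {subject:username} and {attribute:name} placeholder syntax follows the page; the RFC 4515 escaping of the substituted claim value, and the sample claim values, are assumptions made for the example.

```python
import re
from urllib.parse import quote, unquote

# Placeholders as used on the page: {subject:username} or {attribute:<claim>}.
PLACEHOLDER = re.compile(r"\{(subject|attribute):([A-Za-z0-9_]+)\}")


def build_mapping_url(base_dn, attr, placeholder, scope="sub"):
    """Build ldap:///<dn>??<scope>?(<attr>={<placeholder>}).
    Braces are percent-encoded (%7B/%7D) because they are not legal
    in an LDAP URL (RFC 4516); parentheses, '=' and ':' stay literal."""
    filt = f"({attr}={{{placeholder}}})"
    return f"ldap:///{base_dn}??{scope}?{quote(filt, safe='()=:')}"


def parse_mapping_url(url):
    """Split an ldap:/// mappingURL into dn, attributes, scope and filter."""
    if not url.startswith("ldap:///"):
        raise ValueError("expected an ldap:/// URL")
    parts = url[len("ldap:///"):].split("?")
    if len(parts) != 4:
        raise ValueError("expected <dn>?<attrs>?<scope>?<filter>")
    dn, attrs, scope, filt = (unquote(p) for p in parts)
    return {"dn": dn, "attrs": attrs, "scope": scope, "filter": filt}


def escape_filter_value(value):
    """RFC 4515 escaping: a claim value from the IdP must be data,
    never filter syntax, when it is substituted into the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def resolve_filter(filter_template, claims):
    """Replace each placeholder with the (escaped) matching claim value.
    Assumed claim keys: 'subject:username' for sub/NameID,
    'attribute:<name>' for any other claim or attribute."""
    def substitute(match):
        key = f"{match.group(1)}:{match.group(2)}"
        if key not in claims:
            raise KeyError(f"first factor did not supply {key}")
        return escape_filter_value(claims[key])
    return PLACEHOLDER.sub(substitute, filter_template)


if __name__ == "__main__":
    # Constructed sample claims, not taken from the page.
    claims = {"subject:username": "+358401234567"}
    url = build_mapping_url("cn=Ubilogin,dc=test", "mobile", "subject:username")
    print(url)
    print(resolve_filter(parse_mapping_url(url)["filter"], claims))
```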

...