Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space IDS and version 8.2

A template may contain the methodmenu.rules property. That property defines the file that contains the actual method hiding rules. Those rules are described in this chapter. The idea behind these method hiding rules is that some methods are not shown when the web agent application is in a certain site. Single sign-on would still be possible with the hidden methods, but they could not be used for initial authentication with the specific agentapplication. Because method hiding is defined recursively and some sites might require exceptions to that, it is possible to override method hiding using these rules. You may specify as many rules as you like.

...

Example: show: tupas.alandsbanken.1, tupas.op.1

Authentication Method Hiding Rules Use Case Example

One application for method hiding rules is in a centralized hub-and-spoke SSO environment, where commercial external authentication services are used with Ubisecure Server acting as an IDP proxy. The Finnish Banking sector authentication service, Tupas, is an example of an external authentication service that charges per transaction. Service credentials stored in the TUPAS configuration settings identify the service that pays for the authentication event.

In order to divide the cost of the authentication transaction, the SSO service may agree that the service which first invokes external authentication pays for the authentication, but other services are free to benefit from the created SSO session and will not be charged for the event.

In order to link this login source event to the authentication method, the following structure is created:

...

Each service signs an individual contract with each bank and their service credentials are stored in the Tupas configuration settings of Ubisecure SSO Management.

The agent application for Service A has all of the banks enabled in the Agents → Methods ApplicationsAllowed Methods tab (tupas.bank1.1tupas.bank2.1tupas.bank1.2tupas.bank2.2) but has the Service B banks hidden (tupas.bank1.2tupas.bank2.2) using the methodhidingrules file. 

The agent application for Service B has all of the banks enabled in the Agents → Methods ApplicationsAllowed Methods tab (tupas.bank1.1tupas.bank2.1tupas.bank1.2tupas.bank2.2) but has the Service A banks hidden (tupas.bank1.1tupas.bank2.1) using the methodhidingrules file.

Code Block
languagetextthemeRDark
dn: ou=Service A,ou=Services,cn=Ubisecure,dc=com,dc=example
visible: tupas.bank1.1, tupas.bank2.1 
dn: ou= Service B,ou=Services,cn=Ubisecure,dc=com,dc=example
visible: tupas.bank1.2, tupas.bank2.2

The above example ensures that the external bank authentication is invoked using the service credentials of the first service used. Authentication methods that are hidden are still available for use by single sign-on.

If all of the above banks are configured with the same logo and textual description, the end user will see the same menu regardless of the underlying configuration.

Below is an example of a methodimage.index file for the described use case:

Code Block
languagetextthemeRDark
tupas.bank1.1  = logo_bank1.gif
tupas.bank1.2 = logo_bank1.gif
tupas.bank2.1  = logo_bank2.gif
tupas.bank2.2 = logo_bank2.gif

...