...
First install the UAS SAML metadata by selecting the [SAML 2.0] link on the Ubisecure Server Management front page. Save the metadata file in the directory
ubilogin-sso/ubilogin/webapps/password/WEB-INF/saml2/sp/metadata.
|
|---|
| Figure 2. Select SAML 2.0 to save IDP metadata file. |
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
ubilogin-sso> java/bin/java -jar ubilogin/webapps/password/WEB-INF/lib/ubisaml2.jar Generate https://idp.example.com/password/spsso -y -o ubilogin/webapps/password/WEB-INF/saml2/sp ubilogin-sso> java/bin/java -jar ubilogin/webapps/password/WEB-INF/lib/ubisaml2.jar Metadata ubilogin/webapps/password/WEB-INF/saml2/sp -f password.xml |
In Ubisecure Server Management, select System → Password → Agents Applications → Password → Activate. Then upload the generated ubilogin-sso/password.xml file.
|
|---|
| Figure 3. Select Activate to upload SAML Metadata of the Password application |
Configure Mail Settings
...
Ubisecure Password uses email when performing the password reset functionality. Mail settings need to be configured to the ubilogin-sso/ubilogin/webapps/password/WEB-INF/web.xml file. Uncomment the context-param elements that contain mail.smtp.host and mail.smtp.from param-names. Edit the param-values according to your environment.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<context-param>
<param-name>mail.smtp.host</param-name>
<param-value>smtp-gw.example.com</param-value>
</context-param>
<context-param>
<param-name>mail.smtp.from</param-name>
<param-value>password@example.com</param-value>
</context-param> |
...
- In Ubisecure Server Management, navigate to the Password site: select System → Password
- Add the password.ad.1 authentication method to the site: select Site Methods → Add… → password.ad.1 → OK
- Add AD users to the Password Users group by using the dynamic members functionality. (The following configuration is just an example. You will probably have a more detailed definition for the included users.)
...
- Server: ldaps://ad.example.com/
- Distinguished Name: dc=ad,dc=example,dc=com
- Attributes: <empty>
- Scope: sub
- Filter: (objectClass=person)
- Extensions: <empty>
See Figure 20 4 and Figure 21 5 below for examples.
|
|---|
Figure 4. The group Password Users defines which users can change their password |
|
|---|
Figure 5. Add AD Users to the Password Users group using Group Dynamic Members |
- Enable password.ad.1 authentication method for the Password web agent:select the site Password → Agents → Password → Applications → Password → Allowed Methods → password.ad.1 → Update
...
Remove the file ubilogin-sso/tomcat/conf/Ubilogin/idp.example.com/password.xml. Then run update the update:
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin> config\tomcat\update.cmd |
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server stop /usr/local/ubisecure/ubilogin-sso/ubilogin# ./config/tomcat/update.sh /usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server start |
...
All user interface text, including text used in emails sent to users are configured in the resource files of the application using a text editor. The keys are self-explanatory and default texts are provided.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
ubilogin\webapps\password\WEB-INF\classes\resources_en.properties ubilogin\webapps\password\WEB-INF\classes\resources_fi.properties ubilogin\webapps\password\WEB-INF\classes\resources_sv.properties |
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin> config\tomcat\update.cmd |
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server stop /usr/local/ubisecure/ubilogin-sso/ubilogin# ./config/tomcat/update.sh /usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server start |
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
https://idp.example.com/password/change?locale=fi |
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
https://idp.example.com/password/reset?method=password.ad.1&locale=fi |
Links can be added to the Ubisecure SSO user interface using the *LINKS settings described in the Login UI customization - SSO UI Customizationdocumentation.
Password Application Audit Log
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
ubilogin/tomcat/log/locahost.YYYY-MM-DD.log |
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
INFO: [INFO] Audit 2012-02-23T13:29:36.191Z [195.197.211.20] mail-fail 23423 reset.account.not-found 23.2.2012 15:29:47 org.apache.catalina.core.ApplicationContext log INFO: [INFO] Audit 2012-02-23T13:29:47.574Z [195.197.211.20] mail-fail CN=Keith Uber,OU=Users,OU=Ubisecure,OU=Production,CN=Ubilogin,DC=demo,DC=ubisecure,DC=com reset.mail.invalid 23.2.2012 15:29:57 org.apache.catalina.core.ApplicationContext log INFO: [INFO] Audit 2012-02-23T13:29:56.596Z [195.197.211.20] mail-sent CN=Keith Uber,OU=Users,OU=Ubisecure,OU=Production,CN=Ubilogin,DC=demo,DC=ubisecure,DC=com keith.uber@ubisecure.com 23.2.2012 15:34:11 org.apache.catalina.core.ApplicationContext log INFO: [INFO] Audit 2012-02-23T13:34:11.083Z [195.197.211.20] reset-success CN=Keith Uber,OU=Users,OU=Ubisecure,OU=Production,CN=Ubilogin,DC=demo,DC=ubisecure,DC=com |