...
Users that have been identified by a third party are called unregistered users. For example, if an external strong authentication method is used (e.g., a certificate-based method), the identifier returned is the subject of the user certificate, which may not exactly match the user id (uid) in the Ubisecure Directory or another integrated directory. For this reason, a mapping is performed to match the identifier(s) returned by the identity provider to one or more fields in the user account. After this match is performed, the applicable agents have access to both sets of user data (limited only by the Authorization Policy used). This
In order to use an external authentication method with directory user mappings, the following configuration is required for the authentication method:
- Add the method to the directory that is used for the mapping, for example in tab Services → CustomerID Directory → Connected Methods
- Add the method to the site(s) where the users are located, for example in tab eIDM Users → Site Methods
A directory user mapping is configured using extended LDAP URL syntax, which provides a capability to create search filters with values of arbitrary method attributes. In addition, it is possible to define search preconditions based on attribute values.
...
- New Mapping
Create a new directory user mapping table
- Delete Mapping
Delete the selected directory user mapping tables
- Directory user mapping table
The Directory user mapping table configuration view is opened by clicking the name of a directory user mapping table in the list.
Main View
Figure 2: Directory User Mappings main view
- Name
Name of the directory user mapping table
- Description
Description of the directory user mapping table
- Update
Update the modified description
- New
Create a new directory user mapping table
- Delete
Delete the directory user mapping table
- Rename
Rename the directory user mapping table
User Mappings View
Figure 3: User Mappings view
...
- Select
The drop-down list contains all enabled pre-configured directories from Server → Services. Select the directory to which the user should be mapped. Selecting an item completes the Server and Distinguished Name fields.
- Server
The base address of the LDAP server in URI format, for example ldap://localhost/. The special value ldap:/// defines the LDAP server of the Ubisecure Directory. This value is completed after service selection.
- Distinguished Name
The name of a directory object. This value is completed after service selection. To optimize the query, reduce the scope of the hierarchy if it is known that matches will be found only in a particular branch of the LDAP directory.
- Scope
Search scope. One of base, one, or sub.
- Base
The object defined by the Distinguished Name value only. The user object to be mapped must be found at this level.
- One
Exactly one level below the object defined by the Distinguished Name. The user object to be mapped must be found at this level.
- Sub
Descendants of the object defined by the Distinguished Name, including the object itself. The user object to be mapped can be at any level below the object defined by the Distinguished Name.
- Filter
LDAP search filter expression.
The LDAP search filter syntax is specified by RFC 2254 (http://www.rfc-editor.org/rfc/rfc2254.txt). Attribute names enclosed in curly braces are replaced with the corresponding attribute values before the search. The syntax of attribute names follows the same prefix:name notation as the precondition syntax. An attribute must have exactly one value, or else the search fails.
Example:
(&(objectclass=ubiloginUser)(mobile={method:mobile}))
The example above will match an LDAP user with objectclass equal to ubiloginUser and mobile attribute that matches the mobile attribute that was received from the authentication method.
The example shown in Figure 5 above will match an LDAP user with objectclass equal to ubiloginUser and description attribute that matches the custid attribute that was received from the authentication method. The mapping will only be performed if the custid method attribute contains a value.
After configuration is complete and OK has been pressed, the user mappings view (example Figure 3) shows the full LDAP query that will be executed to perform the mapping. The symbols %7B and %7D are the URL-encoded curly braces enclosing the variables that will be replaced at runtime.
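The filter expansion described above (placeholder substitution, the single-value rule, and the precondition that a method attribute must carry a value) is shown here as an added example; it is not Ubisecure's code. It assumes that method attributes arrive as a dict of "prefix:name" to a list of values, that a precondition is simply a list of attribute names that must be non-empty, and that the stored query is rendered in the RFC 4516 LDAP URL form (base DN?attributes?scope?filter), which is where the %7B/%7D encoding of the braces comes from. Values are escaped per RFC 4515 (the successor of RFC 2254) before substitution, so a method attribute containing filter metacharacters cannot change the structure of the query.

```python
"""Added example, not Ubisecure code: expand a directory user mapping filter
template such as (&(objectclass=ubiloginUser)(mobile={method:mobile})) with
attribute values received from an authentication method.

Assumptions, not taken from the product documentation:
- method attributes arrive as a dict of "prefix:name" -> list of values
- a precondition is a list of attribute names that must carry a non-empty value
- the stored query is shown in RFC 4516 LDAP URL form: base_dn?attrs?scope?filter
"""
import re
from urllib.parse import quote

PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_]+:[A-Za-z0-9_.-]+)\}")
SCOPES = ("base", "one", "sub")

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value so that a substituted value cannot alter the structure of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


class MappingSkipped(Exception):
    """No mapping is attempted: a precondition failed or the single-value rule was broken."""


def expand_filter(template: str, method_attrs: dict, preconditions=()) -> str:
    """Replace every {prefix:name} placeholder with the escaped method attribute value."""
    # Precondition check: each listed attribute must carry a non-empty value,
    # as in the custid example on the page; otherwise no mapping is performed.
    for name in preconditions:
        if not any(v for v in method_attrs.get(name, [])):
            raise MappingSkipped(f"precondition failed: {name} has no value")

    def substitute(match):
        name = match.group(1)
        values = method_attrs.get(name, [])
        # The page states the attribute must have exactly one value or the search fails.
        if len(values) != 1:
            raise MappingSkipped(f"{name} must have exactly one value, got {len(values)}")
        return escape_filter_value(values[0])

    return PLACEHOLDER.sub(substitute, template)


def build_ldap_url(server: str, base_dn: str, scope: str, template: str) -> str:
    """Render the stored form of the mapping query; placeholders appear as %7B...%7D."""
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}")
    base = server if server.endswith("/") else server + "/"
    # Filter syntax characters stay readable; the braces are percent-encoded,
    # which is why the user mappings view shows %7B and %7D around variable names.
    return f"{base}{quote(base_dn, safe='=,')}??{scope}?{quote(template, safe='()=&|!*:')}"


MOBILE_TEMPLATE = "(&(objectclass=ubiloginUser)(mobile={method:mobile}))"
CUSTID_TEMPLATE = "(&(objectclass=ubiloginUser)(description={method:custid}))"

if __name__ == "__main__":
    # Constructed sample attribute sets, as they might arrive from a method.
    print(expand_filter(MOBILE_TEMPLATE, {"method:mobile": ["+358401234567"]}))
    # A value made of filter metacharacters is neutralised by escaping.
    print(expand_filter(MOBILE_TEMPLATE, {"method:mobile": ["*"]}))
    print(build_ldap_url("ldap:///", "cn=Users,ou=System,dc=example", "sub", MOBILE_TEMPLATE))
    for attrs in ({}, {"method:custid": [""]}):
        try:
            expand_filter(CUSTID_TEMPLATE, attrs, preconditions=("method:custid",))
        except MappingSkipped as exc:
            print("skipped:", exc)
```

The escaping step is the part worth checking in any real deployment: an unescaped "*" substituted into (mobile={method:mobile}) would match every user with a mobile attribute, so the value received from the method must be treated as data, never as filter syntax.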
Methods View
Figure 6: Methods view
The Methods view shows the list of available authentication methods. Selected methods are assigned to the current directory user mapping table. Each method may be assigned to at most one directory user mapping table at a time; therefore, assigning a mapping table to a method replaces the previous assignment.
...