The Ubisecure Password application is included in the Ubisecure SSO installation package. A standard installation installs the software only partially: the application is not ready for use until it has been explicitly activated and further configured.

...

Info

Starting from SSO 8.9.0 the IDP metadata is automatically updated from the IDP metadata endpoint once every 60 seconds. The metadata file metadata.xml serves as the initial metadata and is used only when the metadata endpoint cannot be reached while the application reads the metadata for the first time after boot. Once the metadata has been fetched successfully from the endpoint, the initial metadata is no longer used for anything. It is still recommended to keep metadata.xml up to date, especially when the signing and/or encryption keys change, but it is not required.
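The refresh behaviour described above, as an added example that is not Ubisecure code: the endpoint fetch is injected so the sequence can be exercised offline, the metadata documents are constructed with placeholder certificate text, and the entityID is an assumed value. It shows why a stale metadata.xml matters: if the endpoint is down at boot, the signing certificate the application starts with is whatever the file contains.

```python
"""Model of the IDP metadata refresh: endpoint first, metadata.xml only on
the first read after boot, last good copy kept on later failures."""
import xml.etree.ElementTree as ET

SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REFRESH_INTERVAL_SECONDS = 60  # from the page; the caller schedules refresh()


def signing_certs(metadata_xml):
    """Base64 text of every X509Certificate under a signing KeyDescriptor."""
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    certs = []
    for kd in root.iter(f"{{{SAML_MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' means both uses
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append("".join((cert.text or "").split()))
    return certs


class IdpMetadataCache:
    def __init__(self, fetch_endpoint, initial_file_xml):
        self._fetch = fetch_endpoint      # returns metadata XML text or raises
        self._initial = initial_file_xml  # contents of metadata.xml on disk
        self.current = None               # metadata currently in use
        self.source = None                # "endpoint" or "file"

    def refresh(self):
        """Called every REFRESH_INTERVAL_SECONDS by the application."""
        try:
            self.current, self.source = self._fetch(), "endpoint"
        except Exception:
            if self.current is None:      # first read after boot only
                self.current, self.source = self._initial, "file"
            # otherwise keep the last good copy fetched from the endpoint
        return self.source


def _metadata(cert_text):
    """Constructed minimal IDP metadata with one signing certificate."""
    return (f'<md:EntityDescriptor xmlns:md="{SAML_MD}" xmlns:ds="{DS}" '
            'entityID="https://idp.example.com/uas">'
            '<md:IDPSSODescriptor><md:KeyDescriptor use="signing">'
            '<ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert_text}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            '</md:IDPSSODescriptor></md:EntityDescriptor>')


OLD_FILE = _metadata("OLDCERTPLACEHOLDER")  # stale metadata.xml on disk
NEW_LIVE = _metadata("NEWCERTPLACEHOLDER")  # what the endpoint serves after key rotation


class FlakyEndpoint:
    """Scripted endpoint: raises while down, otherwise returns live metadata."""
    def __init__(self):
        self.up = False

    def __call__(self):
        if not self.up:
            raise ConnectionError("metadata endpoint unreachable")
        return NEW_LIVE


def boot_sequence():
    """Boot with the endpoint down, then up, then down again."""
    endpoint = FlakyEndpoint()
    cache = IdpMetadataCache(endpoint, OLD_FILE)
    trace = [(cache.refresh(), signing_certs(cache.current))]   # falls back to file
    endpoint.up = True
    trace.append((cache.refresh(), signing_certs(cache.current)))  # live copy wins
    endpoint.up = False
    trace.append((cache.refresh(), signing_certs(cache.current)))  # last good copy kept
    return trace


if __name__ == "__main__":
    for source, certs in boot_sequence():
        print(source, certs)
```

The first tuple in the trace is the window the note warns about: until the endpoint answers once, signatures are verified against the certificate in metadata.xml, so an outdated file after a key rotation means failed logins rather than a security weakness, which is why keeping it current is recommended but not required.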


Figure 1. Select SAML 2.0 to save IDP metadata file.

Then generate the SP identity and metadata. Use your publicly visible hostname in the URL parameter of the Generate command.

...

In Ubisecure Server Management, select System → Password. If there are no applications under Password, first select New Application, enter the name Password and select OK. Once Password is visible in the list, select it and click Activate. Upload the generated ubilogin-sso/password.xml file from the pop-up window. When everything is set, the window should look like the following:

Figure 2. Select Activate to upload SAML Metadata of the Password application

Configure Mail Settings

The Ubisecure Password application sends email as part of the password reset functionality. Mail settings are configured in the ubilogin-sso/ubilogin/webapps/password/WEB-INF/web.xml file. Uncomment the context-param elements whose param-names are mail.smtp.host and mail.smtp.from, and edit the param-values to match your environment.

    <context-param>
        <param-name>mail.smtp.host</param-name>
        <param-value>smtp-gw.example.com</param-value>
    </context-param>
    <context-param>
        <param-name>mail.smtp.from</param-name>
        <param-value>password@example.com</param-value>
    </context-param>

Alternatively, if the SMTP server requires further values, such as authentication credentials, configure a Tomcat mail/Session resource in ubilogin-sso\ubilogin\config\tomcat\conf\context.xml as shown below. In this case the web.xml configuration above can be ignored.

<?xml version='1.0' encoding='utf-8'?>
<Context reloadable="false" useHttpOnly="true" swallowOutput="true">
    <Manager pathname="" />
    <Resource name="mail/Session"
              auth="Container"
              type="javax.mail.Session"
              mail.smtp.host="host"
              mail.from="example@example.com"
              mail.user="example"
              mail.smtp.port="465"
              mail.smtp.auth="true"
              mail.smtp.user="example"
              password="password"
              mail.smtp.starttls.enable="true"
              mail.smtp.socketFactory.class="javax.net.ssl.SSLSocketFactory"/>
</Context>

...

    <context-param>
        <param-name>mail-session</param-name>
        <param-value>mail/Session</param-value>
    </context-param>

    <resource-ref>
        <res-ref-name>mail/Session</res-ref-name>
        <res-type>javax.mail.Session</res-type>
        <res-auth>Container</res-auth>
    </resource-ref>
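A review check for the two mail configurations above, added here as an example that is not part of the Ubisecure documentation or product. It parses password/WEB-INF/web.xml and tomcat/conf/context.xml, decides whether mail is configured directly through context-params or through the Tomcat JNDI mail/Session, and reports what a reviewer would want flagged: a still commented-out configuration, a mail-session with no matching Resource or resource-ref, a cleartext password in context.xml, and SMTP authentication without STARTTLS or an SSL socket factory. The sample documents are constructed; element and attribute names come from the page.

```python
"""Report which mail configuration the Password application will use."""
import xml.etree.ElementTree as ET


def _local(tag):
    """web.xml normally carries a namespace; compare local names only."""
    return tag.rsplit("}", 1)[-1]


def _context_params(root):
    """{param-name: param-value} for every active context-param. Commented-out
    elements are XML comments and never reach the parser, which is why the
    instructions say to uncomment them."""
    params = {}
    for el in root.iter():
        if _local(el.tag) != "context-param":
            continue
        name = value = None
        for child in el:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name:
            params[name] = value
    return params


def _resource_refs(root):
    """Names declared by <resource-ref><res-ref-name>."""
    return {(c.text or "").strip()
            for el in root.iter() if _local(el.tag) == "resource-ref"
            for c in el if _local(c.tag) == "res-ref-name"}


def _mail_sessions(root):
    """name -> attributes of every <Resource type="javax.mail.Session">."""
    return {el.get("name"): el.attrib for el in root.iter()
            if _local(el.tag) == "Resource" and el.get("type") == "javax.mail.Session"}


def mail_config_summary(web_xml, context_xml):
    """Return {'mode': 'jndi' | 'direct' | 'none', 'findings': [...]}."""
    web = ET.fromstring(web_xml.encode("utf-8"))
    ctx = ET.fromstring(context_xml.encode("utf-8"))
    params = _context_params(web)
    findings = []
    session_name = params.get("mail-session")
    if session_name:
        mode = "jndi"
        res = _mail_sessions(ctx).get(session_name)
        if res is None:
            findings.append(f"mail-session {session_name!r} has no matching Resource in context.xml")
        else:
            if session_name not in _resource_refs(web):
                findings.append(f"web.xml lacks the <resource-ref> for {session_name!r}")
            if "password" in res:
                findings.append("SMTP password stored in cleartext in context.xml; restrict file permissions")
            tls = (res.get("mail.smtp.starttls.enable") == "true"
                   or "SSLSocketFactory" in res.get("mail.smtp.socketFactory.class", ""))
            if res.get("mail.smtp.auth") == "true" and not tls:
                findings.append("SMTP auth enabled without STARTTLS or an SSL socket factory")
    elif params.get("mail.smtp.host"):
        mode = "direct"
        if not params.get("mail.smtp.from"):
            findings.append("mail.smtp.from is not set")
    else:
        mode = "none"
        findings.append("no active mail configuration: mail.smtp.host still commented out and no mail-session set")
    return {"mode": mode, "findings": findings}


# Constructed web.xml as shipped: the mail params are still commented out.
WEB_XML_DEFAULT = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <!-- <context-param><param-name>mail.smtp.host</param-name>
       <param-value>smtp-gw.example.com</param-value></context-param> -->
</web-app>"""

# Constructed web.xml with the params uncommented (direct configuration).
WEB_XML_DIRECT = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param><param-name>mail.smtp.host</param-name><param-value>smtp-gw.example.com</param-value></context-param>
  <context-param><param-name>mail.smtp.from</param-name><param-value>password@example.com</param-value></context-param>
</web-app>"""

# Constructed web.xml delegating to the Tomcat JNDI session.
WEB_XML_JNDI = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param><param-name>mail-session</param-name><param-value>mail/Session</param-value></context-param>
  <resource-ref><res-ref-name>mail/Session</res-ref-name>
    <res-type>javax.mail.Session</res-type><res-auth>Container</res-auth></resource-ref>
</web-app>"""

# Constructed context.xml modelled on the page's example.
CONTEXT_XML = """<Context reloadable="false" useHttpOnly="true" swallowOutput="true">
  <Manager pathname="" />
  <Resource name="mail/Session" auth="Container" type="javax.mail.Session"
            mail.smtp.host="smtp-gw.example.com" mail.from="password@example.com"
            mail.smtp.port="465" mail.smtp.auth="true" mail.smtp.user="example"
            password="example-password" mail.smtp.starttls.enable="true"
            mail.smtp.socketFactory.class="javax.net.ssl.SSLSocketFactory"/>
</Context>"""

if __name__ == "__main__":
    for label, web in (("default", WEB_XML_DEFAULT), ("direct", WEB_XML_DIRECT), ("jndi", WEB_XML_JNDI)):
        print(label, mail_config_summary(web, CONTEXT_XML))
```

Run it against the real files by reading them into the two arguments. The cleartext-password finding is the one to expect whenever the JNDI variant is used, since context.xml has no other place for the credential; the mitigation is file ownership and permissions on the Tomcat configuration directory, not a change to the application.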

...

As an optional step, you can enable debug logging by adding a value in the  ubilogin-sso/ubilogin/webapps/password/WEB-INF/web.xml file.

...


debug logging following the instructions in Password application logging.

Let user define password during password reset

It is possible to let the user enter a password of their own choosing, subject to the password policy settings, by adding the argument policy.password.resetWithUserDefinedPwd=true to the authentication method's configuration string.

Hide information about user account status

...

Select Groups → Password Users → Dynamic Members → Add → Service (Ubilogin Directory), Select Template (All users) → OK

Figure 3. Password Users group controls access to the Password application

Password reset with AD

The minimum length of the system-generated password must be specified in the method's configuration string settings. The default length is 6 characters, which may be shorter than the minimum length defined by AD group policy.

Figure 4. Method configuration for policy.password.length=8

Future changes to AD password length policies must be applied manually to this value.

...

The password change application is found at the address:
https://idp.example.com/password/change


Figure 5. Password reset

Selecting the authentication method

...

Use the above links within user applications, or include links to these activities from the login UI. Instructions for adding links to the login UI are found in Login screens - SSO.

Figure 6. Example links added to login UI help box

Security consideration

LDAPS should always be used for the connection to the user repository where a password reset is done.

See Configuring the connection for basic LDAP integration - SSO for LDAP connection configuration.