Versions Compared

Old Version 2

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Tomi

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space IDS and version 8.3

...

Table of Content Zone

Table of Contents
maxLevel1
excludeContents

Methods (Server) (Home Home Global Method Global Method Settings) represent the authentication methods of Ubisecure SSO. This view differs from the methods views in sites and is only available for the System Administrator. Site Managers have no access to this Global Method settings configuration view.

...

  • Update
    By selecting the authentication method check box and clicking Update System Administrator can enable or disable the selected methods in Ubisecure SSO.
  • New Method…
    By clicking the the New Method… button button System Administrator can add new authentication methods to the system.
  • Authentication Method
    By clicking each type of authentication method the System Administrator can configure the selected authentication method. The configuration view consists of the following sub menus: Main, [authentication method type], Mappings, Sites, Applications, Groups

...

  • Password
  • External Password (LDAP, AD and SQL)
  • Mobile Phone (SMS)
  • Mobile Phone Unregistered (SMS, without password)
  • Unregistered SMTP (email, without password)
  • OTP Printout
  • SPI Mobile PKI ("Mobiilivarmenne" in Finland with using pre-registered account information)
  • Unregistered MPKI
  • TUPAS 2 (Finland)
  • SAML Authentication Provider
  • Authentication Provider (Ubisecure Protocol)
  • OpenID
  • OAuth 2.0Backchannel Authentication Adapter

Additional methods are used to configure discovery service settings:

...

  • SAML 2 Class Reference
    Defines the URI of the authentication method class.
    This field is optional. Some federation networks or third-party products may require a value. It is used in the SAML protocol messages to refer a group of authentication methods that share similar properties. This value is not unique to each authentication method – the same value may be assigned to many similar methods.This value is used in response messages to set the AuthnContextClassRef value of the AuthnContext element of the AuthStatement. Authentication Context Classes are defined in Section 4.3 of the Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0 http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf

    This value is also used to determine which methods satisfy a requested authentication context class (RequestedAuthnContext) in an incoming AuthnRequest. This is used to determine which method or methods will be available to the user for login.
    Typical class references used include

    Code Block
    languagetext
    urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered
urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
urn:oasis:names:tc:SAML:2.0:ac:classes:X509
urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard
urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

     Selection Selection of the appropriate class reference depends on many configuration factors and deployment profile guidelines.

  • By default, if no value is set, the AuthnContext element of the AuthStatement will not contain AuthnContextClassRef value.
  • OpenID Connect Authentication Context Class Reference
    Defines the value of the OpenID Connect The Authentication Context Class. This field is optional. It is used in the OpenID Connect protocol messages to refer a group of authentication methods that share similar properties. This value is not unique to each authentication method and the same value may be assigned to many similar methods.This value is used in userinfo response message and idtoken to set the value of acr claim.
    This value is also used to determine which methods satisfy a requested acr_values in an incoming authorization request. This is used to determine which method or methods will be available to the user for login.
  • Format
    Set or assert the value of the attribute Format in SAML message NameID element.
  • set formatname → Sets the value to formatname
  • assert formatname → Assert that the value is formatname and in case it’s not, the authentication is denied.
    • any → For internal methods, use the default valueThis setting is used for claims transformation and validation. Generally these are not required and may be left blank. It can be used for interoperability with connected applications that expect NameID format value to be in a certain format and to enforce compliance with federation profiles.
    Technically this sets or confirms the value of the attribute Format in SAML message NameID element.
    • set value → Overwrites the Format value received from an authentication to Format specified. For example, if the assertion received from a third-party authenticator contains a NameID Format value Transient, it can be changed to unspecified.
      • Note, NameID Format value can also be overwritten at the application level by using an Authorization Policy containing expression language statement: ${nameID.value( user.cn ).format(‘x509subjectname’)}
    • assert value → Verify that the value of the attribute Format is equal to the specified value. If the value is something else, the authentication is denied and the user is shown an error message.
      • Example: If the connected application requires that the NameID format to be email address format, and will fail if not, set "assert emailAddress" to check the value and fail if not does not match "emailAddress".
    • any → For built-in authentication methods, use the default value for the attribute Format. For external/proxy methods, use the Format value in the received NameID/username. (Default This is the default behaviour when Format field is empty)
    Where formatname value can be one of: 
    • unspecified - The interpretation of the content of the element is left to individual implementations.
    • transient - Indicates that the content of the element is an identifier with transient semantics and SHOULD be treated as an opaque and temporary value by the relying party.
    • persistent - Indicates that the content of the element is a persistent opaque identifier for a principal that is specific to an identity provider and a service provider or affiliation of service providers.
    • emailAddress - Indicates that the content of the element is in the form of an email address, specifically "addr-spec" as defined in IETF RFC 2822 Section 3.4.1. An addr-spec has the form local-part@domain. Note that an addr-spec has no phrase (such as a common name) before it, has no comment (text surrounded in parentheses) after it, and is not surrounded by "<" and ">".
    • X509SubjectName - Indicates that the content of the element is in the form specified for the contents of the <ds:X509SubjectName> element in the XML Signature Recommendation. Implementors should note that the XML Signature specification specifies encoding rules for X.509 subject names that differ from the rules given in IETF RFC 2253.
    • WindowsDomainQualifiedName - Indicates that the content of the element is a Windows domain qualified name. A Windows domain qualified user name is a string of the form "DomainName\UserName". The domain name and "\" separator MAY be omitted.
    • encrypted - The special Format value urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted indicates that the resulting assertion(s) MUST contain  contain elements instead of plaintext. The underlying name identifier's unencrypted form can be of any type supported by the identity provider for the requested subject. See SAML Core 3.4.1.1.
    • kerberos - Indicates that the content of the element is in the form of a Kerberos principal name using the format name[/instance]@REALM. The syntax, format and characters allowed for the name, instance, and realm are described in IETF RFC 1510.
    • entity - Indicates that the content of the element is the identifier of an entity that provides SAML-based services (such as a SAML authority, requester, or responder) or is a participant in SAML profiles (such as a service provider supporting the browser SSO profile).
    Empty value is equal to modifier any.
    Note that using this feature to set the Format attribute of the NameID does not assert validate that NameID conforms the specifications explained above. For example, the format of a NameID containing an email address as its content can be set to X509SubjectName here, even though it does not conform the specification of X509SubjectName.

...

  • Enabled
    Enable or disable the authentication method in Ubisecure SSO.
  • Hidden
    Hide this authentication method. The authentication method is never visible in the authentication method selection menu. The method can only be selected when requested by a Web Application.

  • Limit Method Visibility
    Set the visibility for this authentication method by a list of network addresses separated by a space character ' '. The method is visible in the menu only if the client's network address is within any of the defined networks. If this field is empty, the method is visible to users from all network addresses. Example: 

    Code Block
    languagetext
    192.168.1.0/255.255.255.0 10.1.1.0/255.255.255.0

    → The → The method is visible only if the client's network address is in either of the two private networks
    Some authentication method types such as Password, OTP Printout and Mobile Phone have also the following configuration fields for Account Lockout Policy.

...

  • Password encoding
    Define the name of the one-way hashing algorithm that is used to store passwords in the Directory Service used by the password Authentication Method.
    • Supported values:   {SSHA512}, {SHA512}, {SSHA384}, {SHA384}, {SSHA256}, {SHA256}, {SSHA}, {SHA}, {PKCS5S2}, {PBKDF2}, {MD4}, {PLAIN}
    • An empty value means that the default password encoding of the Directory Service is used. For example, for SQL it is is {SSHA} and and for Ubisecure Directory it is is {SSHA}. Please consult the specific Directory Integration guide for the default password encoding.
    • For Active Directory integrations, the encryption configuration of the Active Directory instance is used explicitly and the value set here is not used.

...

The Authentication Provider authentication method type is used for configuring the Windows Single Sign-On authentication method, which uses Windows Authentication Provider software component.
The configuration window for Authentication Provider type authentication method is presented in Figure 7 Figure 7.

Figure 7: Configuring Authentication Provider type of authentication method

Please refer to page Windows Authentication Provider - SSO for for more details on installing and configuring the Windows authentication method.

...

Please refer to SSO Installation Appendix - SMS for for installing and configuring the Mobile Phone authentication method. If Mobile Phone method is used in conjunction with an external directory, please refer to one of the following guides:

...

Please refer to Appendix - Unregistered SMTP Authentication Method for for installing and configuring the unregistered SMTP authentication method.

...


Please refer to OTP Printout authentication method - SSO for for installing and configuring the Ubisecure OTP Printout authentication method. If Ubisecure OTP is used in conjunction with an external directory, please refer one of the following guides:

...

Figure 14: Configuring a SAML authentication method

Please refer to the page SAML IDP Proxy - SSOfor instructions on installing and configuring the SAML methods. Users will access Web Applications configured on this Ubisecure SSO by logging in to a third-party IDP Server first.

...

The OAuth 2.0 method permits configuration to Ubisecure SSO to act as a OAuth 2.0 Client in a OAuth 2.0 based use case configuration, eg to to enable external authentication based on authentication of users by certain social media services.The Ubisecure OAuth 2.0 Client is currently implemented specifically to enable authentication for users of authentication of users by certain social media services and the protocols are implemented from this standpoint. For more information please refer to the OAuth2 - SSO pages.

Backchannel Authentication Adapter

The Backchannel Authentication Adapter method is used for integrations with Ubisecure Backchannel Authentication Adapters (UBAA), such as BankID Authentication Adapter.

In the Backchannel Authentication Adapter tab you can change the Client Identifier (client_id) and Token Endpoint Authentication Method, and upload the Provider Metadata and Provider JWKS (JSON Web Key Set).

Image Removed

For more information on installing the Ubisecure Backchannel Authentication Adapter, please refer to Backchannel Authentication Adapter - SSO..

The The Ubisecure OAuth 2.0 Client is currently implemented specifically to enable authentication for users of certain social media services and the protocols are implemented from this standpoint. For more information please refer to the OAuth2 - SSO pages

Deleting a Method

In order to delete an authentication method, it needs to be disabled first. Once disabled, the method can be deleted by clicking Delete delete button in the configuration window.

...