...

The second factor method here can be any of

Note that prior to SSO 9.1.0 only the Password method could be used as the first factor method.

Prerequisites

  1. SAML method or OpenID Connect method to be used as the first factor method.

  2. OTP Printout, TOTP, SMS OTP or OpenID Connect CIBA method to be used as the second factor method.

  3. Management API - SSO enabled, so that the second factor method can be linked to the first factor method.

...

  1. Configure the SAML/OIDC identity provider linked to the first factor method to return an attribute/claim that can be used to find the directory user.

  2. Link the first factor method to the Directory Service used for registered users.

     PUT /method/oidc.1/$link/directory/Ubilogin%20Directory

     Note: this must be the same Directory Service as the one used with the second factor method.

  3. Create a Directory User Mapping for the first factor method, mapping unregistered users to registered users.

     PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping

     PUT /inboundMappingPolicy/ubiloginDirectoryUserMapping/$link/method/oidc.1

     PUT /inboundDirectoryMapping/ubiloginDirectoryUserMapping/mapping
      condition=method:phone_number=*
      mappingURL=ldap:///cn=Ubilogin,dc=test??sub?(&(objectclass=ubiloginUser)(mobile=%7Bmethod:phone_number%7D))

     Notes:
     1. In the example above, mappingURL uses the filter (mobile={method:phone_number}) to search for the directory user by the mobile attribute, using the value of the phone_number attribute/claim returned by the first factor method.
     2. If the mapping value is instead provided as the value of the NameID element in the SAML Assertion (a SAML method), the filter (mobile={subject:username}) could be used instead.

  4. Link the second factor method as the next factor method for the first factor method.

     PUT /method/oidc.1/$link/nextFactor/method/totp.1

     Note: this cannot be set with the Management UI.

  5. Link the second factor method to the application site and set it as an allowed method for the application.

     PUT /site/demosite/$link/method/totp.1

     PUT /application/demosite/demoapp/$link/method/totp.1
      enabled=true
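As an added example (not code from the Ubisecure documentation or product), the following Python script builds the mappingURL from its parts, lists the Management API calls of steps 2 to 5 in order, and checks that the mapping condition requires the same attribute the LDAP filter substitutes, so the mapping never runs with an empty value. The base URL, HTTP basic authentication and form-encoded request bodies in apply_plan are assumptions about the deployment.

```python
import base64
import urllib.parse
import urllib.request

# LDAP filter characters left unencoded, as on the page; braces become %7B/%7D.
LDAP_SAFE = "(&|!=)*:,"


def build_mapping_url(base_dn, attribute, placeholder, objectclass="ubiloginUser"):
    """Return a mappingURL searching base_dn (scope sub) for an entry whose
    attribute equals the placeholder substituted at login time."""
    ldap_filter = f"(&(objectclass={objectclass})({attribute}={placeholder}))"
    return f"ldap:///{base_dn}??sub?{urllib.parse.quote(ldap_filter, safe=LDAP_SAFE)}"


def condition_covers_placeholder(condition, mapping_url):
    """True when the condition requires the attribute the filter substitutes,
    e.g. condition method:phone_number=* for filter (mobile={method:phone_number})."""
    decoded = urllib.parse.unquote(mapping_url)
    placeholder = decoded[decoded.index("{") + 1:decoded.index("}")]
    return condition.startswith(placeholder + "=")


def second_factor_plan(first_method, second_method, directory, policy,
                       site, app, condition, mapping_url):
    """Ordered Management API calls of steps 2-5 as (verb, path, form params)."""
    q = urllib.parse.quote  # "Ubilogin Directory" -> "Ubilogin%20Directory"
    return [
        ("PUT", f"/method/{first_method}/$link/directory/{q(directory)}", {}),
        ("PUT", f"/inboundMappingPolicy/{policy}", {}),
        ("PUT", f"/inboundMappingPolicy/{policy}/$link/method/{first_method}", {}),
        ("PUT", f"/inboundDirectoryMapping/{policy}/mapping",
         {"condition": condition, "mappingURL": mapping_url}),
        ("PUT", f"/method/{first_method}/$link/nextFactor/method/{second_method}", {}),
        ("PUT", f"/site/{site}/$link/method/{second_method}", {}),
        ("PUT", f"/application/{site}/{app}/$link/method/{second_method}",
         {"enabled": "true"}),
    ]


def apply_plan(plan, base_url, username, password):
    """Send each call; basic auth and form bodies are assumed transport details."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    statuses = []
    for verb, path, params in plan:
        req = urllib.request.Request(base_url + path, method=verb,
                                     data=urllib.parse.urlencode(params).encode())
        req.add_header("Authorization", "Basic " + token)
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        with urllib.request.urlopen(req) as resp:
            statuses.append(resp.status)  # abort review if any call is not 2xx
    return statuses
```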

...