Last reviewed: 2018-02-02
Contents
...
- Update
By selecting the check box of an authentication method and clicking Update, the System Administrator can enable or disable the selected methods in Ubisecure SSO.
- New Method…
By clicking the New Method… button, the System Administrator can add new authentication methods to the system.
- Authentication Method
By clicking the name of an authentication method, the System Administrator can configure that method. The configuration view consists of the following sub menus: Main, [authentication method type], Mappings, Sites, Applications, Groups.
...
Please refer to additional method installation guides for specific configuration instructions.
Main view
Figure 2: Configuring password authentication method
...
- SAML 2 Class Reference
Defines the URI of the authentication method class.
This field is optional. Some federation networks or third-party products may require a value. It is used in SAML protocol messages to refer to a group of authentication methods that share similar properties. The value is not unique to each authentication method: the same value may be assigned to many similar methods.
In response messages this value is placed in the AuthnContextClassRef element of the AuthnContext in the AuthnStatement. Authentication Context Classes are defined in Section 4.3 of Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0, http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf
The value is also used to determine which methods satisfy the RequestedAuthnContext of an incoming AuthnRequest, and therefore which method or methods are offered to the user for login. Because a relying party may use the class reference to decide how much to trust an assertion, assign a class that actually describes the method; for example, a plain password method should not be labelled MobileTwoFactorContract.
Typical class references used include:
urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered
urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
urn:oasis:names:tc:SAML:2.0:ac:classes:X509
urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard
urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
Selection of the appropriate class reference depends on many configuration factors and deployment profile guidelines.
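The following is an added example, not Ubisecure code, showing how a method's SAML 2 Class Reference takes part in the protocol: the RequestedAuthnContext of a constructed AuthnRequest is parsed, the configured methods whose class reference satisfies it are selected, and the AuthnContext element that goes into the AuthnStatement of the response is built. The method names, the sample request and the strength ordering used for Comparison="minimum" are assumptions made for illustration; SAML itself defines no universal ordering of classes.

```python
# Added example, not Ubisecure code: how a method's SAML 2 Class Reference is
# matched against the RequestedAuthnContext of an incoming AuthnRequest and
# echoed back in the AuthnContext of the issued AuthnStatement. The method
# names, the sample request and the ordering used for Comparison="minimum"
# are constructed for illustration.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
ET.register_namespace("saml", SAML)

# Constructed configuration: method name -> SAML 2 Class Reference.
# Several methods may share one class reference; one has none configured.
METHODS = {
    "password.1": AC + "PasswordProtectedTransport",
    "password.2": AC + "PasswordProtectedTransport",
    "sms.1": AC + "MobileTwoFactorContract",
    "cert.1": AC + "SmartcardPKI",
    "legacy.1": "",
}

# Assumed strength ordering (weakest first) for Comparison="minimum". SAML does
# not define a universal ordering; a real deployment profile decides this.
STRENGTH = [AC + "unspecified", AC + "PasswordProtectedTransport",
            AC + "MobileTwoFactorContract", AC + "SoftwarePKI", AC + "SmartcardPKI"]

# Constructed AuthnRequest asking for either of two classes, matched exactly.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req1" Version="2.0" IssueInstant="2018-02-02T12:00:00Z">
  <saml:Issuer>https://sp.example.com/saml</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{AC}MobileTwoFactorContract</saml:AuthnContextClassRef>
    <saml:AuthnContextClassRef>{AC}SmartcardPKI</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def parse_requested_context(authn_request_xml):
    """Return (Comparison, [class refs]); (None, []) when nothing was requested."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return rac.get("Comparison", "exact"), refs

def satisfying_methods(methods, comparison, refs):
    """Names of configured methods whose class reference satisfies the request."""
    if not refs:
        return sorted(methods)  # no RequestedAuthnContext: the IdP may offer any method
    if comparison == "exact":
        return sorted(name for name, cls in methods.items() if cls in refs)
    if comparison == "minimum":
        ranks = [STRENGTH.index(r) for r in refs if r in STRENGTH]
        if not ranks:
            return []
        floor = min(ranks)
        return sorted(name for name, cls in methods.items()
                      if cls in STRENGTH and STRENGTH.index(cls) >= floor)
    raise ValueError(f"Comparison {comparison!r} not handled in this example")

def authn_context_xml(class_ref):
    """The AuthnContext element carried in the AuthnStatement of the response."""
    ctx = ET.Element(f"{{{SAML}}}AuthnContext")
    ref = ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef")
    ref.text = class_ref or AC + "unspecified"  # no class configured: say so explicitly
    return ET.tostring(ctx, encoding="unicode")

if __name__ == "__main__":
    comparison, refs = parse_requested_context(SAMPLE_REQUEST)
    offered = satisfying_methods(METHODS, comparison, refs)
    print("offer:", offered)  # ['cert.1', 'sms.1']
    print(authn_context_xml(METHODS[offered[0]]))
```

Note that a method with no class reference configured (legacy.1 above) is never matched once a relying party requests a specific class, and that the response states unspecified rather than inventing a class for it.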
...
- Enabled
Enable or disable the authentication method in Ubisecure SSO.
- Hidden
Hide this authentication method. A hidden method is never shown in the authentication method selection menu; it can only be selected when a Web Application explicitly requests it.
- Limit Method Visibility
Set the visibility of this authentication method by a list of network addresses separated by a space character ' '. The method is shown in the menu only if the client's network address is within one of the defined networks. If this field is empty, the method is visible to users from all network addresses. Note that this setting controls visibility in the menu only. Example:
192.168.1.0/255.255.255.0 10.1.1.0/255.255.255.0
→ The method is visible only if the client's network address is in either of the two private networks.
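As an added example that is not Ubisecure code, the following evaluates the Enabled, Hidden and Limit Method Visibility settings for one client address, using the address/netmask notation from the example above. The method table is constructed; applying the network limit also to a hidden method that an application has requested is an assumption, and how Ubisecure obtains the client address (for instance behind a reverse proxy) is outside the example.

```python
# Added example, not Ubisecure code: evaluating the Enabled, Hidden and Limit
# Method Visibility settings for one client. The method table is constructed;
# applying the network limit also to a hidden method that an application has
# requested is an assumption, and how the client address is obtained (for
# example behind a reverse proxy) is outside this example.
import ipaddress

# name -> (Enabled, Hidden, Limit Method Visibility field as entered in the UI)
METHODS = {
    "password.1": (True, False, ""),
    "otp.1":      (True, False, "192.168.1.0/255.255.255.0 10.1.1.0/255.255.255.0"),
    "admin.1":    (True, True,  ""),
    "old.1":      (False, False, ""),
}

def parse_visibility(field):
    """Space-separated address/netmask entries -> network objects; [] means unrestricted."""
    # strict=False tolerates an entry whose host bits are set, e.g. 10.1.1.5/255.255.255.0
    return [ipaddress.ip_network(token, strict=False) for token in field.split()]

def method_visible(field, client_addr):
    """True if the menu may show the method to this client address."""
    nets = parse_visibility(field)
    if not nets:
        return True
    addr = ipaddress.ip_address(client_addr)
    # An IPv6 client never matches an IPv4 network (and vice versa).
    return any(addr in net for net in nets)

def selectable_methods(methods, client_addr, requested=()):
    """Methods offered to the client: enabled, within the network limit, and
    either not hidden or explicitly requested by the Web Application."""
    offered = []
    for name, (enabled, hidden, limit) in methods.items():
        if not enabled:
            continue
        if hidden and name not in requested:
            continue
        if not method_visible(limit, client_addr):
            continue
        offered.append(name)
    return offered

if __name__ == "__main__":
    print(selectable_methods(METHODS, "203.0.113.5"))  # ['password.1']
    print(selectable_methods(METHODS, "10.1.1.20", requested=("admin.1",)))  # ['password.1', 'otp.1', 'admin.1']
```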
Some authentication method types, such as Password, OTP Printout and Mobile Phone, also have the following Account Lockout Policy configuration fields.
- Lockout Threshold (attempts)
The number of incorrect password attempts a user may make before the account is locked out for the time specified below. If the field is left empty, the default of 5 attempts applies.
- Lockout Duration (minutes)
The number of minutes a locked-out account remains locked before it is automatically unlocked. Set the value to 0 to keep the account locked until a System Administrator or a Site Manager explicitly unlocks it. The default is 20 minutes.
- Configuration String
Name-value properties used to configure method settings that do not have a user interface yet.
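The following is an added example, not Ubisecure code, that implements the Account Lockout Policy semantics described above as a small state machine: an empty Lockout Threshold defaults to 5, Lockout Duration 0 keeps the account locked until an administrative unlock, and a locked account is refused before the password is checked so that the lockout cannot be used to confirm a guess. That a successful login resets the failure counter is an assumption of the example.

```python
# Added example, not Ubisecure code: the Account Lockout Policy fields as a
# small state machine. Lockout Threshold (empty = 5) is the number of failed
# attempts before the account locks; Lockout Duration (default 20) is the lock
# time in minutes, 0 meaning locked until an administrator unlocks it. That a
# successful login resets the failure counter is an assumption of this example.
import hmac
import time

DEFAULT_THRESHOLD = 5
DEFAULT_DURATION_MIN = 20

class LockoutPolicy:
    def __init__(self, threshold="", duration_min="", clock=time.time):
        self.threshold = DEFAULT_THRESHOLD if threshold in ("", None) else int(threshold)
        self.duration = DEFAULT_DURATION_MIN if duration_min in ("", None) else int(duration_min)
        self.clock = clock             # injectable for testing
        self.failures = {}             # account -> consecutive failed attempts
        self.locked_until = {}         # account -> unlock time, or None = until manual unlock

    def is_locked(self, account):
        if account not in self.locked_until:
            return False
        until = self.locked_until[account]
        if until is None:              # Lockout Duration 0: only unlock() clears it
            return True
        if self.clock() >= until:      # duration elapsed: unlock automatically
            self.unlock(account)
            return False
        return True

    def record_failure(self, account):
        """Count a failed attempt; returns True if the account is now locked."""
        if self.is_locked(account):
            return True
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.threshold:
            self.locked_until[account] = None if self.duration == 0 else self.clock() + self.duration * 60
            return True
        return False

    def unlock(self, account):
        """Administrative unlock; also clears the failure counter."""
        self.locked_until.pop(account, None)
        self.failures.pop(account, None)

    def login(self, account, supplied, expected):
        """Returns 'locked', 'ok' or 'bad'. A locked account is refused before the
        password is checked, so the lockout cannot be used to confirm a guess."""
        if self.is_locked(account):
            return "locked"
        # Illustration only: real code verifies against the stored hash.
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            self.failures.pop(account, None)   # assumption: success resets the counter
            return "ok"
        self.record_failure(account)
        return "bad"

if __name__ == "__main__":
    policy = LockoutPolicy(threshold="", duration_min=20)
    for _ in range(5):
        policy.login("alice", "wrong", "s3cret")
    print(policy.login("alice", "s3cret", "s3cret"))  # locked
```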
Mappings View
The names of the method attribute mapping and directory user mapping tables assigned to the method are shown in the Mappings context window. Refer to the chapters below for more information about assigning and unassigning the mapping tables to the methods.
- Method Attribute Mapping Table
Name of the method attribute mapping table assigned to the method. The table can be opened by clicking its name. If an attribute mapping table is assigned to the method, only the mapped attributes are available to authorization policies and web applications; if no attribute mapping table is assigned, all method attributes are available.
- Directory User Mapping Table
Name of the directory user mapping table assigned to the method. The table can be opened by clicking its name.
- SOSO Configuration
Name of the SOSO configuration assigned to the method. The configuration can be opened by clicking its name.
Sites View
Figure 3: Sites view in Ubisecure methods configuration
...
- Remove
Select the check box of each Site and click Remove to remove this authentication method from the selected Ubisecure Sites.
Applications View
Figure 4: Applications view in Ubisecure SSO methods configuration
...
- Remove
Select the check box of each Application and click Remove to remove this authentication method from the selected Ubisecure Applications.
Groups View
Figure 5: Groups view in Ubisecure SSO methods configuration
...
- Remove
Select the check box of each Group and click Remove to remove this authentication method from the selected Ubisecure Groups.
Authentication Method Types
The next chapters present the specific configurations for each authentication method type.
SPI Password
The Password authentication method validates users against the current system's Ubisecure Directory. Ubisecure SSO enforces password expiry and the lockout policy based on the Lockout Threshold and Lockout Duration settings in the Main tab.
...
- Password encoding
The name of the one-way hashing scheme used to store passwords in the Directory Service used by the Password authentication method.
- Supported values: {SSHA512}, {SHA512}, {SSHA384}, {SHA384}, {SSHA256}, {SHA256}, {SSHA}, {SHA}, {PKCS5S2}, {PBKDF2}, {MD4}, {PLAIN}. Prefer a salted scheme such as {SSHA512} or {SSHA256}, or an iterated one such as {PBKDF2} or {PKCS5S2}. {PLAIN} stores the password without hashing, and {MD4} and unsalted {SHA} are not suitable for new deployments.
- An empty value means that the default password encoding of the Directory Service is used; for both SQL and Ubisecure Directory the default is {SSHA}. Consult the specific Directory Integration guide for the default password encoding.
- For Active Directory integrations, the password storage configuration of the Active Directory instance is used and the value set here is ignored.
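As an added example that is not Ubisecure code, the following produces and verifies the salted and unsalted SHA-family encodings listed above, using the common LDAP layout of base64(digest || salt) for {SSHA*} values and base64(digest) for {SHA*} values. The page does not state Ubisecure's salt length or the byte layout of its {PBKDF2} and {PKCS5S2} values, so the 16-byte salt is an assumption and those two schemes are left out; the verifier refuses {MD4} and {PLAIN} records outright.

```python
# Added example, not Ubisecure code: producing and verifying the salted and
# unsalted SHA-family encodings named above, using the common LDAP layout
# base64(digest || salt) for {SSHA*} and base64(digest) for {SHA*}. The page
# does not give Ubisecure's salt length or its {PBKDF2}/{PKCS5S2} layout, so
# the 16-byte salt is an assumption and those two schemes are not covered.
import base64
import hashlib
import hmac
import os

SCHEMES = {  # label -> (hashlib algorithm, salted)
    "SSHA512": ("sha512", True), "SHA512": ("sha512", False),
    "SSHA384": ("sha384", True), "SHA384": ("sha384", False),
    "SSHA256": ("sha256", True), "SHA256": ("sha256", False),
    "SSHA": ("sha1", True),      "SHA": ("sha1", False),
}
WEAK = {"MD4", "PLAIN"}  # listed as supported, but refused here for new password records

def encode_password(password, scheme="SSHA512", salt=None):
    """Return the {SCHEME}base64 string that would be written to the directory."""
    algo, salted = SCHEMES[scheme]
    pw = password.encode("utf-8")
    if salted:
        salt = os.urandom(16) if salt is None else salt   # assumed salt length
        payload = hashlib.new(algo, pw + salt).digest() + salt
    else:
        payload = hashlib.new(algo, pw).digest()
    return "{" + scheme + "}" + base64.b64encode(payload).decode("ascii")

def verify_password(stored, password):
    """Check a password against a stored value, comparing digests in constant time."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("stored value carries no {SCHEME} prefix")
    scheme, _, b64 = stored[1:].partition("}")
    if scheme in WEAK:
        raise ValueError("refusing weak encoding {" + scheme + "}")
    algo, salted = SCHEMES[scheme]
    raw = base64.b64decode(b64)
    size = hashlib.new(algo).digest_size
    stored_digest = raw[:size]
    salt = raw[size:] if salted else b""   # whatever follows the digest is the salt
    computed = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(stored_digest, computed)

if __name__ == "__main__":
    record = encode_password("correct horse", "SSHA512")
    print(record)
    print(verify_password(record, "correct horse"), verify_password(record, "wrong"))
```

Two points worth noticing in the verifier: the salt length is never trusted from configuration but recovered from the stored record, so records written with a different salt length still verify, and the digest comparison uses hmac.compare_digest so that verification time does not depend on how many leading bytes match.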
Password Policy Enhancements
It is possible to tighten the password policy further by using any of the following settings in the Configuration String section:
...
- policy.password.expiring
Time in minutes before the password max-age is reached. Once the remaining password lifetime falls below this threshold, the user is notified of the impending password expiration and offered a password change.
External Password
The External Password authentication method has been deprecated and replaced by the SPI Password method. Use the directory.account.login property to configure the attribute by which users are identified in the external directory, and link the SPI Password method to a directory service that configures the connection to the external directory.
External Password methods are described in more depth in the guide SSO External Directory Integration. Please refer also to the following individual guides:
- SSO External Directory Integration
- SSO Active Directory Integration
- SSO Basic LDAP Integration
- SSO Schema Enhanced LDAP Integration
- SSO SQL Integration
Authentication Provider
The Authentication Provider authentication method type is used to configure the Windows Single Sign-On authentication method, which uses the Windows Authentication Provider software component.
The configuration window for an Authentication Provider type authentication method is presented in Figure 7.
...
Please refer to the page Windows Authentication Provider for more details on installing and configuring the Windows authentication method.
SPI Mobile Phone
The configuration window for the Mobile Phone type of authentication method is presented below.
...
Mobile Phone Unregistered
The configuration window for the Mobile Phone Unregistered type of authentication method is presented below. The configuration parameters are at the bottom of the page.
...
Please refer to SSO Installation Appendix - SMS for installing and configuring the Mobile Phone unregistered authentication method.
SMTP Unregistered
The configuration window for the SMTP Unregistered type of authentication method is presented below. The configuration parameters are at the bottom of the page.
...
Please refer to Appendix - Unregistered SMTP Authentication Method for installing and configuring the unregistered SMTP authentication method.
Ubisecure OTP Printout
The configuration window for Ubisecure OTP Printout authentication method is presented below.
...
Tupas 2
The configuration window for Tupas 2 type of authentication method is presented below.
...
Please refer to Installing the TUPAS Authentication Method for instructions on installing and configuring the Tupas 2 authentication method.
OpenID
The configuration window for OpenID Relying Party type of authentication method is presented below.
...
...
Discovery Service
The configuration window for Discovery Services is presented below. Configuration is done in the Configuration String setting. Both external SAML Discovery Services (also known as Where Are You From or WAYF services) and Common Domain Cookie discovery are supported. Service Discovery is part of Ubisecure Trust.
...
Please refer to the pages
- Trust Installation Appendix - External Discovery
- Trust Installation Appendix - Common Domain Cookie Discovery
for instructions on installing and configuring the Discovery Services methods.
SAML
The SAML method permits configuration of a SAML Service Provider in a SAML Identity Provider Proxy configuration. The SAML method allows an identity from a third-party system to be used on the local system. When used to federate with a third-party system, the SAML method is part of the Ubisecure Trust product.
The configuration window for the SAML method type is presented below.
Figure 14: Configuring a SAML authentication method
Please refer to the page SSO Installation Appendix - SAML IDP Proxy for instructions on installing and configuring SAML methods. Users will access Web Applications configured on this Ubisecure SSO by logging in to a third-party IDP Server first.
The opposite direction, in other words, adding a SAML Service Provider Application to this Ubisecure SSO, is described in page Manage Applications - SSO Management.
OAuth 2.0
The OAuth 2.0 method configures Ubisecure SSO to act as an OAuth 2.0 Client in an OAuth 2.0 based use case, for example to enable external authentication based on the authentication of users by certain social media services.
The Ubisecure OAuth 2.0 Client is currently implemented specifically to enable authentication for users of certain social media services, and the protocols are implemented from this standpoint. For more information please refer to the OAuth 2.0 and OpenID Connect 1.0 pages.
Deleting a Method
In order to delete an authentication method, it must be disabled first. Once disabled, the method can be deleted by clicking the Delete button in the configuration window.
...