Comment: Published by Scroll Versions from space IDS and version 8.2

AD Password Method

The AD password authentication method allows you to authenticate with username and password when the credentials are stored in Active Directory. LDAPS is used to access the Active Directory. The authentication method also allows the user to change an expiring or expired password. The same Ubisecure SSO Server can connect to multiple AD directories.

...

  1. Select Home → Global Method Settings (see Figure 1)
  2. Select New Method…
  3. Complete the Add New Method dialog
    1. Title: A human readable name describing this method. It is shown in the management user interface, and possibly in the end user interface if no localization is available.
    2. Name: A unique system reference to this authentication method, used by administrators to identify it. Typical values are, for example: password.ad, password.ad.prod, password.ad.test, password.customer1
    3. Method Type: Select SPI Password
      1. Method Class: This will be automatically filled in.
    4. Directory: Select the AD directory made in the previous step.
  4. Press OK

    Figure 1. Adding an AD Password Method
  5. The method configuration screen is shown, see Figure 2.

  6. SAML Authentication Context and SAML NameID Policy related configurations are described in the SSO Management documentation. Changes to these settings are typically not required.
  7. Tick Enabled to enable the method
  8. Hidden will remove this method from any system generated authentication method selection menus. This is described in more detail in the SSO Management documentation. By default this is unselected.
  9. Limit Method Visibility specifies the IP netmask ranges to which this method will be shown in any system generated authentication method selection menus. Leave blank to show the method to all IP addresses. For AD password methods in a corporate environment, this is typically set to the netmask ranges of the domain users. This is described in more detail in the SSO Management documentation. By default this is left blank.
  10. The Account Lockout Policy settings are ignored for AD installations. All account policy changes are performed in the Active Directory Group Policy settings of Windows.
  11. Further configuration can be made using the Configuration String settings. Default settings are adequate for most installations. Possible configurations are described below.
  12. Press Update to record the settings.

    Figure 2. Configuring AD Password Method

    Listing 1. Example configuration string settings that can be used on the authentication method level if not already defined in the Directory Service (AD Directory)

        directory.account.login=mail
        policy.password.protocol=ActiveDirectoryLds
        policy.password.expiring=36000

    • Configuration string settings
        • policy.password.expiring → Most of the password policy settings are defined only in Active Directory. However, the AD authentication method LDAP object has a separate policy setting that controls the pre-expiration password change option. If the user's password will expire within this time, the user is offered a chance to change the password at login. The value is in minutes; 36000 means the warning appears 25 days before expiration. OPTIONAL.
        • directory.account.login → Specifies the name of the user attribute used for the username lookup. Any user attribute that uniquely identifies the user may be used. If more than one user has the same value in the attribute, login fails with an error, so check the directory for duplicate values before changing this setting. OPTIONAL.
          For example, to allow an AD user to log in using their email address as the username, set this value to mail.
          For example, to allow an AD user to log in using their mobile phone number as the username, set this value to mobile.
          By default, samAccountName is used. Other typical values include:
          • uid
          • samAccountName
          • mobile
          • mail
        • policy.password.protocol → The password protocol to use for this integration. Possible values are: ActiveDirectory, ActiveDirectoryLds, ActiveDirectoryDs. Default value is ActiveDirectoryDs. OPTIONAL.
  13. The SPI Password tab is not used for AD Integration. Password encoding is configured in Active Directory. This value is ignored.

  14. The Sites tab lists which sites may use this method. To activate the method for a site:
    1. Open a site from the Site Navigator
    2. Select the Site Methods tab
    3. Press Add Method…
    4. Select the newly created AD Method and press OK (See Figure 3)
    5. The AD Method is now added to the site, and the site is visible from the AD Method's Sites tab (see Figure 4)

      Figure 3. Activating the AD Password Method for a site

      Figure 4. The AD Password Method can only be used in the sites shown in its Sites tab
  15. The Groups tab lists which Ubilogin groups users of this method will be assigned to. Group Members settings are described in more detail in the SSO Management documentation. These settings are made from within the Methods tab of Groups.
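The following is an added example, not part of the Ubisecure documentation or product. It parses a configuration string in the Listing 1 format, validates the three documented keys (allowed policy.password.protocol values, the policy.password.expiring value in minutes), and then runs the check that matters most before switching directory.account.login to mail or mobile: whether any two accounts share a value of that attribute, since such users cannot log in. The directory extract it inspects is constructed here; in a real deployment the same function would be fed the output of an LDAP search against the AD directory.

```python
"""Validate an AD password method configuration string and check login
attribute uniqueness.

Added example, not Ubisecure's code. The key names and allowed values are
the ones documented above; SAMPLE_USERS is a constructed directory extract.
"""
from collections import defaultdict

PROTOCOLS = {"ActiveDirectory", "ActiveDirectoryLds", "ActiveDirectoryDs"}
DEFAULT_PROTOCOL = "ActiveDirectoryDs"
DEFAULT_LOGIN_ATTR = "samAccountName"
MINUTES_PER_DAY = 24 * 60


def parse_config_string(text):
    """Parse 'key=value' lines; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not a key=value line: {line!r}")
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def validate_settings(settings):
    """Return a list of problems; an empty list means the documented keys look sane."""
    problems = []
    protocol = settings.get("policy.password.protocol", DEFAULT_PROTOCOL)
    if protocol not in PROTOCOLS:
        problems.append(f"unknown policy.password.protocol {protocol!r}")
    expiring = settings.get("policy.password.expiring")
    if expiring is not None:
        if not expiring.isdigit():
            problems.append("policy.password.expiring must be a whole number of minutes")
        elif int(expiring) == 0:
            problems.append("policy.password.expiring=0 gives users no pre-expiration warning")
    return problems


def expiring_days(settings):
    """Warning lead time in days (36000 minutes gives 25.0 days)."""
    return int(settings.get("policy.password.expiring", "0")) / MINUTES_PER_DAY


def duplicate_login_values(users, attr):
    """Map each non-unique value of `attr` to the accounts that share it.

    Accounts that lack the attribute can never be looked up through this
    method, so they are reported under the key None.
    """
    by_value = defaultdict(list)
    for user in users:
        by_value[user.get(attr)].append(user["samAccountName"])
    return {value: accounts for value, accounts in by_value.items()
            if value is None or len(accounts) > 1}


# Constructed sample directory extract (not real accounts).
SAMPLE_USERS = [
    {"samAccountName": "alice", "mail": "alice@example.com", "mobile": "+358401234567"},
    {"samAccountName": "bob", "mail": "bob@example.com", "mobile": "+358401234567"},
    {"samAccountName": "carol", "mail": "alice@example.com"},   # duplicate mail
    {"samAccountName": "svc-backup"},                            # no mail, no mobile
]

LISTING_1 = """\
directory.account.login=mail
policy.password.protocol=ActiveDirectoryLds
policy.password.expiring=36000
"""

if __name__ == "__main__":
    cfg = parse_config_string(LISTING_1)
    print("problems:", validate_settings(cfg))
    print("warning lead time:", expiring_days(cfg), "days")
    attr = cfg.get("directory.account.login", DEFAULT_LOGIN_ATTR)
    print(f"non-unique or missing {attr} values:", duplicate_login_values(SAMPLE_USERS, attr))
```

Run against a real extract, the duplicate report is the list of accounts that will receive a login error after the change; resolve those in AD (or pick a different attribute) before updating the method.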

AD OTP Method

The Active Directory One-Time-Password authentication method allows you to authenticate with username, password and a one-time-password. The password is stored in Active Directory and the one-time-password list is stored in Ubisecure Directory.

...

    • OTP Window Size → This configuration option defines the look-ahead window for acceptable passwords. If this option is set to 1 then only entering the next unused one-time password will result in a successful validation. MANDATORY.
    • OTP Length in Digits → This configuration option defines the default length of the one-time password. MANDATORY.
    • OTP List Length → This configuration option defines the default list length for the one-time passwords. This is the number of passwords in a single password list. MANDATORY.
    • Mail Session JNDI Name → This configuration option specifies the application server specific mail session configuration. Email is used optionally for sending OTP lists to users. OPTIONAL.
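The look-ahead window described under OTP Window Size is easiest to understand from a small model of list verification. The block below is an added example and not Ubisecure's implementation: with a window of 1 only the next unused code is accepted; with a larger window any of the next N unused codes is accepted. What happens to codes that were skipped over is an assumption of this model (they are burned so they cannot be replayed later); the list itself is generated locally with the documented length and digit-count parameters rather than taken from the Ubisecure Directory.

```python
"""Model of one-time-password list verification with a look-ahead window.

Added example, not Ubisecure's code. Window handling and the burning of
skipped codes are assumptions of this model.
"""
import hmac
import secrets


def generate_list(list_length, digits):
    """A constructed OTP list: `list_length` random numeric codes of `digits` digits."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(list_length)]


class OtpList:
    def __init__(self, codes, window):
        if window < 1:
            raise ValueError("window must be at least 1")
        self.codes = list(codes)
        self.window = window
        self.next_index = 0  # position of the next unused code

    def remaining(self):
        """Number of codes that can still be used."""
        return len(self.codes) - self.next_index

    def verify(self, entered):
        """Accept `entered` if it is one of the next `window` unused codes.

        Each candidate is compared in constant time. On success the pointer
        moves past the matched code, so any code it skipped is burned and a
        code can never be accepted twice.
        """
        stop = min(self.next_index + self.window, len(self.codes))
        for i in range(self.next_index, stop):
            if hmac.compare_digest(self.codes[i], entered):
                self.next_index = i + 1
                return True
        return False


if __name__ == "__main__":
    codes = generate_list(list_length=10, digits=6)
    strict = OtpList(codes, window=1)
    print("window 1, second code first:", strict.verify(codes[1]))   # rejected
    print("window 1, first code:", strict.verify(codes[0]))          # accepted
    lenient = OtpList(codes, window=3)
    print("window 3, third code first:", lenient.verify(codes[2]))   # accepted
    print("window 3, first code afterwards:", lenient.verify(codes[0]))  # burned
```

A larger window makes life easier for users who lose track of where they are in a printed list, but it also widens the set of codes an attacker with a partial copy of the list can use at any moment; 1 is the strictest setting.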

Configuration String Settings

The following settings must be made in the Configuration String section. An example of values is shown in Listing 2 and visible in the user interface in Figure 6.

...

Listing 2. Example configuration string settings for OTP printout

    policy.password.expiring=36000
    password-name=password.ad.1
    directory.account.login=mail

AD SMS Method

The Active Directory SMS Password authentication method allows you to authenticate with username, password and a one-time password sent to a mobile phone. The password used is stored in Active Directory.

...

{challenge} will be replaced with a localized message containing the OTP. The message text can be configured using the SMS_TEXT key. Refer to the SSO UI Customization documentation (Login UI customization - SSO) for more information.

The gateway must return an HTTP status code of 200 upon successful sending of the SMS.

Figure 10. Configuring SMS Gateway

Configuration String Settings

The following settings must be made in the Configuration String section. An example of values is shown in Listing 3 and visible in the user interface in Figure 9.

...

Listing 3. Example configuration string settings for SMS

    policy.password.expiring=36000
    password-name=password.ad.1
    directory.account.login=mail

Checking the Installation of Authentication Methods

After the service and methods have been installed, check in the diagnostics log whether the added service and authentication methods have started properly. The uas3_diag.yyyy-mm-dd.log file is found in the ubilogin-sso/ubilogin/logs directory, or it can be viewed through the Log Viewer application. Listing 4 shows a successful initialization.

Listing 4. Example lines from uas3_diag.log

    2011-07-01 10:29:29,010 tech ActiveDirectory: root=dc=ad,dc=example,dc=com
    2011-07-01 10:29:29,011 init password.ad.1: ubilogin.method.provider.spi.DirectoryPasswordMethod: started
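Reading the log by eye works for one method; for a server with several AD directories and methods it is easier to script the check. The block below is an added example, not a Ubisecure tool: it assumes only the line layout visible in Listing 4 (timestamp, a category word such as tech or init, then "name: class: started"), extracts the AD search root and every method that reported itself started, and reports which expected method names are missing. The sample log text is constructed from the Listing 4 lines plus one extra method line in the same layout.

```python
"""Check uas3_diag log lines for started authentication methods.

Added example, not Ubisecure's code. The regular expressions assume only
the line layout shown in Listing 4; SAMPLE_LOG is constructed.
"""
import re

# Constructed sample: the two Listing 4 lines plus a second method in the same layout.
SAMPLE_LOG = """\
2011-07-01 10:29:29,010 tech ActiveDirectory: root=dc=ad,dc=example,dc=com
2011-07-01 10:29:29,011 init password.ad.1: ubilogin.method.provider.spi.DirectoryPasswordMethod: started
2011-07-01 10:29:29,015 init password.ad.test: ubilogin.method.provider.spi.DirectoryPasswordMethod: started
"""

STARTED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) init "
    r"(?P<name>[^:\s]+): (?P<cls>\S+): started$"
)
ROOT = re.compile(r"^\S+ \S+ tech ActiveDirectory: root=(?P<root>.+)$")


def started_methods(log_text):
    """Return {method name: provider class} for every 'started' line."""
    found = {}
    for line in log_text.splitlines():
        m = STARTED.match(line.strip())
        if m:
            found[m.group("name")] = m.group("cls")
    return found


def directory_roots(log_text):
    """Return the AD search roots logged when the directories were initialized."""
    roots = []
    for line in log_text.splitlines():
        m = ROOT.match(line.strip())
        if m:
            roots.append(m.group("root"))
    return roots


def missing_methods(log_text, expected):
    """Names from `expected` that have no 'started' line in the log, sorted."""
    return sorted(set(expected) - set(started_methods(log_text)))


if __name__ == "__main__":
    print("AD roots:", directory_roots(SAMPLE_LOG))
    print("started:", started_methods(SAMPLE_LOG))
    print("missing:", missing_methods(SAMPLE_LOG, ["password.ad.1", "password.ad.2"]))
```

Pass the method names you configured in the management interface as `expected`; any name that comes back from missing_methods did not initialize and should be investigated in the same log before the method is activated for a site.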

Using the Authentication Methods

Enable AD methods for sites

Before enabling AD Methods for an application, the methods must be enabled for the site where they will be used. Use the Ubisecure Management application with an Administrator account:

  1. Select Site Navigator → (Site Name) → Site Methods
  2. Select Add Method…
  3. Select the desired methods.

Enable AD methods for the Application

To enable AD Methods for an application use the Ubisecure Management application with an Administrator or Site Manager account:

  1. Select Site Navigator → (Site Name) → Applications
  2. Select Application
  3. Select the Allowed Methods tab.
  4. Tick the desired methods
  5. Press Update.

Testing login

Now you can use the selected Web Applications and test the authentication using credentials found in Active Directory.

...

Figure 11. Login using AD username and password

Multiple AD or password method configuration

If two password methods are enabled for the same agent, a domain drop-down will appear and the user can select their domain from the list. This drop-down can be avoided by using Limit Method Visibility to present the correct domain to the correct user group based on IP address range.
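To see how Limit Method Visibility removes the drop-down, the block below models the menu logic described on this page. It is an added example and not Ubisecure's code: a method with no ranges is shown to every client, a method with ranges is shown only to clients inside one of them, a Hidden or disabled method never appears, and a domain selection is needed only when more than one password method remains visible. The method names and address ranges are constructed; the point it makes beyond the text is that overlapping ranges bring the drop-down back for clients in the overlap.

```python
"""Model of Limit Method Visibility and the multi-domain drop-down.

Added example, not Ubisecure's code. Method names and ranges are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Method:
    name: str
    enabled: bool = True
    hidden: bool = False
    # Limit Method Visibility: CIDR ranges; an empty list means "show to all".
    visibility: list = field(default_factory=list)


def is_visible(method, client_ip):
    """Whether the selection menu shows `method` to a client at `client_ip`."""
    if not method.enabled or method.hidden:
        return False
    if not method.visibility:
        return True
    ip = ipaddress.ip_address(client_ip)
    # ip_network(..., strict=False) accepts ranges written with host bits set.
    return any(ip in ipaddress.ip_network(r, strict=False) for r in method.visibility)


def visible_methods(methods, client_ip):
    return [m.name for m in methods if is_visible(m, client_ip)]


def needs_domain_dropdown(methods, client_ip):
    """True when the menu would offer more than one password method."""
    return len(visible_methods(methods, client_ip)) > 1


# Constructed site configuration: two AD domains with one deliberately
# overlapping range, plus a hidden test method.
METHODS = [
    Method("password.ad.corp", visibility=["10.1.0.0/16"]),
    Method("password.ad.partner", visibility=["10.2.0.0/16", "10.1.200.0/24"]),
    Method("password.ad.test", hidden=True),
]

if __name__ == "__main__":
    for client in ("10.1.4.20", "10.2.7.1", "10.1.200.5", "203.0.113.9"):
        print(client, visible_methods(METHODS, client),
              "drop-down" if needs_domain_dropdown(METHODS, client) else "no drop-down")
```

A client outside every range sees no password method at all, so when restricting visibility make sure the ranges together cover every network your users log in from, and keep them disjoint unless the drop-down is intended for that overlap.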

...