
Introduction

This document describes how to install and configure User Driven Federation for Ubisecure SSO.

...

NOTE: When following the instructions given in this manual, it is advisable to type the commands manually instead of copy/pasting them, because characters may be lost or modified in the copying process.

System Overview

To configure user driven federation:

  • Decide which local authentication method is to be used
  • Decide which third-party authentication methods are to be made available for linking
    • Core SSO engine
  • Decide which target applications (agents) will have user driven federation enabled

System Software Requirements

  • Ubisecure SSO 7.1.0

Installation and Configuration

TIP: This guide assumes that both methods to be linked have been installed and are in working condition.

LDAP Directory Structure

Refer to sso-udf.ldif.
Replace with the SUFFIX value from Ubilogin/config/settings.cmd

Federation Service configuration

  • The service name is "UbiloginFederationTable" (the name can be chosen freely)
  • The service expects a single input parameter, "subject", which is passed as-is with no transformation
dn: cn=UbiloginFederationTable,cn=Services,ou=System,
objectClass: top
objectClass: ubiloginService
cn: UbiloginFederationTable
ubiloginClassname: com.ubisecure.ubilogin.federation.spi.ldap.UbiloginFederationTableFactory
ubiloginServiceInputParameter: subject

Federation Table 

One object of class ubiloginFederationTable must exist.

...

dn: cn=FederationTable,cn=UbiloginFederationTable,cn=Services,ou=System,
objectClass: top
objectClass: ubiloginFederationTable
cn: FederationTable

User Mapping Service configuration

  • The mapping service name is "federation"
    • In a multi-tenant environment, multiple mappings could be configured with different names.

dn: cn=federation,cn=Server,ou=System,
objectClass: top
objectClass: ubiloginLDAPURLUserMappingTable
cn: federation

Federation Mapping entry

  • Calls the "UbiloginFederationTable" service
  • Declares the value of "subject" as the expression ${nameID}
  • Use the subject ${nameID} for all persistent NameID formats
    • For transient NameIDs, other common attributes can be used for linking.

...

It is worth noting that the owner of an identity at a configured authentication method must not be able to freely modify the attribute that uniquely identifies him or her at that authentication service, and in particular must not be able to change it to another user's value. Otherwise, if a federation link exists for that value, the malicious user could gain entry to somebody else's account.

Authentication Method Configuration

Changes are required to the third-party Authentication Method. The third-party Authentication Method must:

...

dn: cn=openid.yahoo.1,cn=Server,ou=System,cn=Ubilogin,
ubiloginLDAPURLUserMappingTableDN: cn=federation,cn=Server,ou=System,

Application

For every application where user driven federation will be used, at least two authentication methods must be enabled (local and third-party).
An authorization policy must be defined for the agent. Once the authorization policy has been created, add the attribute:

...

In a multi-tenant environment, different applications could have different UI templates that are configured to match the instructions required for the chosen linkable IDPs.

User Interface Settings

Language keys for User Driven Federation

Listing 1. UDF language keys in i18n/uas.properties

CONFIRM_INTRO_TITLE = Create Account Link
CONFIRM_INTRO_TEXT = Before entering the requested service you can link your external identity with your existing user permanently.
CONFIRM_HELP_TITLE = Help
CONFIRM_HELP_TEXT = The account you used has not been linked to your existing account. Please save the link and continue to the service.
CONFIRM_HELP_LINKS =
CONFIRM_LOGIN_TITLE = Account Settings
CONFIRM_LOGIN_TEXT = Please select to remember the account link.
CONFIRM_LOGIN_PERSISTENT_TEXT = Remember this next time

...


The configuration above defines the registration to which users are redirected when users should be able to create their user accounts during the login process.

Verifying The Installation

To verify that Ubisecure SSO is installed or upgraded successfully:

  1. Attempt to access the target application.
  2. Two options should be available, local and remote.
  3. Local login should work and you will be granted access to the application.
  4. Log out and attempt to access the target agent again.
  5. Choose the third-party login method and log in at the third-party IDP.
  6. Upon return you will see an error message stating that you do not yet have a federation link for the third-party authentication method.
  7. Log in once using the local account and select the option to save the link.
  8. Log out and attempt to access the target agent again using the third-party IDP.
  9. You will be granted access to the application without further prompting.

Terminating The Linking

One UbiloginFederationEntry is created for each account linked.

...

In the future, terminating the link will also be possible for the end user, or through a REST interface.

Preventing Disabled Users from Logging in With User Driven Federation

When using UDF, the user account status in the local user directory is checked only during the initial authentication, before the mapping is stored in the Federation Table. If the user accepts storing the link, account status is not checked for subsequent federated logins. This means that any user who has been disabled in the local directory after authenticating for User Driven Federation can still log in successfully when federating with their remote account.
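Because the account status is not re-checked on federated logins, the practical mitigation is to reconcile the Federation Table against the local directory and terminate links whose local account is disabled or gone. The following is an added example, not part of Ubisecure's documentation or sso-udf.ldif: it parses a constructed LDIF export, finds stale UbiloginFederationEntry objects, and emits LDIF delete records for them. The attribute names ubiloginAccountStatus and ubiloginFederationLocalDN are assumed placeholders; substitute the names used by the deployed schema.

```python
# Constructed sample LDIF for illustration, not taken from sso-udf.ldif. The attribute
# names ubiloginAccountStatus and ubiloginFederationLocalDN are ASSUMED placeholders;
# substitute the names used by the deployed schema.
SAMPLE_LDIF = """\
dn: cn=alice,ou=Users,dc=example,dc=com
objectClass: ubiloginUser
ubiloginAccountStatus: enabled

dn: cn=bob,ou=Users,dc=example,dc=com
objectClass: ubiloginUser
ubiloginAccountStatus: disabled

dn: cn=link-1,cn=FederationTable,cn=UbiloginFederationTable,cn=Services,ou=System,dc=example,dc=com
objectClass: ubiloginFederationEntry
ubiloginFederationLocalDN: cn=alice,ou=Users,dc=example,dc=com

dn: cn=link-2,cn=FederationTable,cn=UbiloginFederationTable,cn=Services,ou=System,dc=example,dc=com
objectClass: ubiloginFederationEntry
ubiloginFederationLocalDN: cn=bob,ou=Users,dc=example,dc=com

dn: cn=link-3,cn=FederationTable,cn=UbiloginFederationTable,cn=Services,ou=System,dc=example,dc=com
objectClass: ubiloginFederationEntry
ubiloginFederationLocalDN: cn=carol,ou=Users,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased, values as lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def has_class(entry, name):
    return name.lower() in (v.lower() for v in entry.get("objectclass", []))

def stale_federation_links(entries):
    """DNs of federation entries whose local account is disabled or no longer exists."""
    status = {e["dn"][0].lower(): e.get("ubiloginaccountstatus", ["enabled"])[0].lower()
              for e in entries if has_class(e, "ubiloginUser")}
    return [e["dn"][0] for e in entries if has_class(e, "ubiloginFederationEntry")
            and status.get(e.get("ubiloginfederationlocaldn", [""])[0].lower(), "missing") != "enabled"]

def deletion_ldif(dns):
    """LDIF change records that terminate the stale links (suitable for ldapmodify)."""
    return "".join(f"dn: {dn}\nchangetype: delete\n\n" for dn in dns)
```

Running this as a scheduled job, or immediately after disabling an account, closes the window in which a disabled user can still federate in through an existing link.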

...