Versions Compared

Comment: Added missing AuthnRequestValidate

Web Applications represent the applications and services that use Ubisecure SSO for authentication and access management.

...

Field: Description

General
  Technical Name: Web Application's name in Ubisecure SSO.
  Application Type: The type of this application.
  Web address: The Web Application's IP address or URL. This field is informative.
  Platform: Web Application platform such as Java, .NET, IIS, Apache or Notes/Domino. This field is informative.
  Template Names: If you have set your own login layout for this Web Application, specify the template name here. The corresponding name must be found in the custom/templates.index file. See Login user interface customization - SSO for more information on template use. If left blank, a default template is used. Multiple templates can be specified using whitespace as a separator. The first template listed is used as the default template. Other templates are available to SAML SP applications implementing the template request functionality defined in the API. A SAML SP application cannot request a template that is not listed in this whitelist.
    In versions prior to 6.3, this field is called "UAS JSP Template" and only one template name is permitted.
  Description: Describe the Web Application or service behind it. This field is informative.
Contact
  E-mail: This field is informative.
Status
  Enabled: Enable or disable the Web Application.
  Authentication Session Timeout: Specify the number of minutes of inactivity after which a user session times out. After the timeout, re-authentication is required. Timeouts are discussed in detail in Timeout configuration - SSO. The timeout value shown here applies to Ubilogin Web Application integrations using the Ubilogin Ticket Protocol activator file. For SAML SP integrations, this value is indicative only. In both cases, the setting may be overridden in the application or SAML SP settings on the machine where the Web Application is used. These overrides are not reflected in this value. Note that the value specified for Ubisecure SSO can also override this setting. The user session timeout value is determined by the smallest of the following values:
    • Ubisecure SSO timeout
    • Timeout values of those Web Applications that have been used in the user session
Single Sign-out Settings
  ForceReauthentication: Force authentication regardless of the existence of an SSO session. Use this to always prevent single sign-on and force a new login event before accessing the application.
  Prevent SSO after use: Authentication is valid only once. Use this to require a new login event after accessing this application.
Authorization
  Authorization Policy: Authorization Policies that are used with this Web Application.
  Name Mapping: Mappings that are used with this Web Application.
  Refresh Token Table (OAuth2 only): Refresh token table that is used with this Web Application.
ID and Activation
  Web Application ID: Web Application identification information. This value is generated automatically for Web Applications or retrieved automatically from the uploaded SAML2 metadata file.
  Activate Web Application: For Web Application integrations using the Ubilogin Ticket Protocol, this button activates the Web Application and generates a Web Application Activator file. The Web Application Activator file must be transferred securely to the target service. For SAML SP integrations using the SAML2 protocol, this button activates the Web Application as a SAML SP and enables uploading of the SAML SP metadata. SAML SP metadata can also be copied and pasted into the form that opens after pressing this button.
Compatibility (Not for Ubilogin Web Agent)
Application Compatibility Flags
  • EncryptEmbedCertificate
    XML Encryption: embed the recipient's encryption certificate with the encrypted message.
  • HttpPostResponseSign
    HTTP-POST: the Response is not signed; the enclosed Assertion is signed.
  • SoapResponseSign
    SOAP, SOAP/Artifact: the Response is not signed.
  • EncryptAES256
    XML Encryption: use the AES-256 algorithm when encrypting; the default is AES-128.
  • TokenTypeSAML11
    Use the SAML 1.1 token type (interop with SharePoint) (WS-Federation only).
  • SubjectConfirmationDataRecipient
    SubjectConfirmationData/@Recipient: leave Recipient unassigned (interop with WIF).
  • AuthenticationContextDeclarationReference
    AuthenticationContext/DeclarationReference: leave DeclarationReference unassigned (interop with WIF).
  • AssertionSignCertificate
    Response/Assertion: always sign the SAML Assertion and embed the signer certificate with the signature (interop with Salesforce).
  • ExplicitNotBeforeCondition
    Response/Assertion: explicitly sets the current time as the NotBefore condition in the SAML Assertion, provided that the AuthnRequest does not define a NotBefore condition (interop with Salesforce).
  • ExplicitUnspecifiedAuthnContextClassRef
    Response: explicitly adds the unspecified value to AuthnContextClassRef.
  • AuthnStatementSessionNotOnOrAfter
    AuthnStatement: leave SessionNotOnOrAfter unassigned.
  • AuthnRequestValidate
    AuthnRequest signature is NOT required. This allows receipt and processing of unsigned SAML requests. The registered SP metadata must not contain a <KeyDescriptor use="signing"> element.
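As an added configuration check (not Ubisecure's own code): a script that parses standard SAML 2.0 SP metadata and reports when the AuthnRequestValidate flag is set while the registered metadata still carries a signing KeyDescriptor. The sample metadata and entityID are constructed; treating a KeyDescriptor with no use attribute as signing-capable follows the SAML metadata specification and is an assumption about how the server reads it.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample SP metadata (not from the original page). It carries a
# signing key, so it is NOT acceptable for an SP that has AuthnRequestValidate set.
SAMPLE_SP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.test/saml">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{DS_NS}"/></KeyDescriptor>
    <KeyDescriptor use="encryption"><KeyInfo xmlns="{DS_NS}"/></KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>"""


def signing_key_descriptors(metadata_xml: str) -> int:
    """Count KeyDescriptor elements in SP metadata that are usable for signing.

    A KeyDescriptor without a 'use' attribute is counted too: in the SAML
    metadata specification such a key may serve both signing and encryption
    (assumption: the SSO server reads it the same way).
    """
    root = ET.fromstring(metadata_xml)
    return sum(
        1 for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor")
        if kd.get("use") in (None, "signing")
    )


def check_authnrequest_validate(metadata_xml: str, flag_set: bool) -> list:
    """Return findings about the AuthnRequestValidate flag versus the SP metadata.

    flag_set=True means unsigned AuthnRequests are accepted; the documentation
    requires that the registered SP metadata then contain no signing KeyDescriptor.
    """
    findings = []
    n = signing_key_descriptors(metadata_xml)
    if flag_set and n:
        findings.append(
            f"AuthnRequestValidate is set but the SP metadata has {n} "
            "signing-capable KeyDescriptor(s): remove them or clear the flag"
        )
    return findings


if __name__ == "__main__":
    for finding in check_authnrequest_validate(SAMPLE_SP_METADATA, flag_set=True):
        print(finding)
```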


Redirect URI validation policy (OAuth2 and Tupas only): Specifies how the redirect URI passed in an authentication request (redirect_uri in OAuth2; A01Y_RETLINK/A01Y_REJLINK/A01Y_CANLINK in Tupas) is validated against the pre-registered URIs of the client (redirect_uri/redirect_uris in the client metadata in OAuth2 and Tupas).
  • exact: The redirect URI must exactly match a pre-registered URI of the client. In particular, if the redirect URI contains a query part, the same query part must also be present in the pre-registered URI; otherwise they do not match.
  • ignorequery: The query part of the redirect URI is removed and the resulting URI (without a query part) must match a pre-registered URI of the client. Note that the pre-registered URI must then not contain a query part either.
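The two policies above implemented as a validator, as an added example that is not Ubisecure's code; the registered URI list belongs to a constructed, hypothetical client.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed example: pre-registered redirect URIs of a hypothetical OAuth2 client
# (redirect_uris in its client metadata). Not taken from the original page.
REGISTERED_URIS = [
    "https://app.example.test/callback",
    "https://app.example.test/callback?tenant=blue",
]


def strip_query(uri: str) -> str:
    """Return the URI with its query part removed; everything else is untouched."""
    p = urlsplit(uri)
    return urlunsplit((p.scheme, p.netloc, p.path, "", p.fragment))


def redirect_uri_allowed(redirect_uri: str, registered: list, policy: str) -> bool:
    """Validate redirect_uri against the registered URIs under one policy.

    "exact":       the redirect URI must equal a registered URI character for
                   character, so a query part only matches if the registered URI
                   carries the same query part. No normalisation is applied on
                   purpose: normalising would loosen the check.
    "ignorequery": the query part of the redirect URI is dropped and the result
                   must equal a registered URI; registered URIs that themselves
                   contain a query part can never match under this policy.
    """
    if policy == "exact":
        return redirect_uri in registered
    if policy == "ignorequery":
        candidate = strip_query(redirect_uri)
        return any(candidate == reg for reg in registered if not urlsplit(reg).query)
    raise ValueError(f"unknown redirect URI validation policy: {policy!r}")


if __name__ == "__main__":
    for uri in ("https://app.example.test/callback?tenant=red",
                "https://app.example.test.attacker.test/callback"):
        for policy in ("exact", "ignorequery"):
            print(policy, uri, redirect_uri_allowed(uri, REGISTERED_URIS, policy))
```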

...