
or How to create an SSO session using an existing application session
or How to create a link that chooses the authentication method on behalf of a user


Info

This page is incomplete in some areas. Please contact Ubisecure Support or Sales Engineering for more information if required.

Use Cases

Use case A: A user already has a session with an application and has been authenticated using some existing technique. How can that user be logged into the Ubisecure SSO system to enable single sign-on to other applications?

Use case B: Customer support needs to log in to the system as the end user, in order to help them solve a problem or to see the same view that the user sees. The customer support user already has a session with an application and has been authenticated using some existing technique. How can that user be logged into the Ubisecure SSO system as a different user to enable single sign-on to other applications?

Use case C: A user has been authenticated using a non-browser-based API, such as the OAuth password grant. Because no browser is involved, no session cookie is created that would allow the user to perform browser-based single sign-on to another application.

In each of the above cases, it is possible to create a new browser-based SSO session using a technique called SAML unsolicited response. Ubisecure provides libraries and examples for Java and PowerShell to create a new SAML response from the information already at hand.

...


Create a SAML identity provider configuration by running the following script, which contains the base URL. Note that the java command must be on the PATH for this script to run.

Listing 3. Create SAML configuration

    cd /d "C:\Program Files\Ubisecure\httpheaderap"
    java -jar webapp\WEB-INF\lib\ubisaml2.jar Generate https://example.com/samlap -o webapp\WEB-INF\uap -y -disable SingleLogoutService

...

  1. Select the Application
  2. Select the Methods tab
  3. Select the check box for the SAML AP Example method
  4. Press Update

IDP Initiated SSO using SAML2


Unsolicited (IdP-initiated) SSO is performed by sending a valid SAML response message to the following address:

...

    https://sso.example.com/uas/saml2/SessionRelayService?entityID=https://sso.example.com/uas/saml2/names/ac/saml.companyx.1&RelayState=/uas/saml2/SessionRelayService?entityID=urn:uuid:6c524df0-4625-32a8-87ef-705b3523e4b2%26RelayState=/app/protected
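The SessionRelayService address above nests one RelayState inside another: the outer entityID selects the identity provider configuration, the outer RelayState is itself a SessionRelayService URL selecting the application, and only its inner `&` is encoded as `%26`. This added Python example (not from the page and not Ubisecure's own library code) builds that URL layer by layer and peels it apart again; the check that the final target is a local path is an added assumption, not something the page specifies.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Host and path taken from the page's example URL.
SSO_BASE = "https://sso.example.com"
RELAY_PATH = "/uas/saml2/SessionRelayService"


def _q(value: str) -> str:
    """Encode one query value for a single layer.

    Only characters that would confuse that layer's parser ('&', '%', spaces)
    are percent-encoded; '/', ':', '?' and '=' stay readable, which is how
    the page's example URL is written.
    """
    return quote(value, safe="/?=:")


def build_session_relay_url(idp_entity_id: str, sp_entity_id: str, target_path: str) -> str:
    """Build the two-level SessionRelayService URL.

    Outer layer: entityID selects the SAML identity provider configuration and
    RelayState carries the inner URL. Inner layer: entityID selects the
    application (the SAML SP) and RelayState is the final protected path.
    Each layer is encoded once, so '&' inside the inner URL becomes '%26' and
    a '&' inside the final path ends up as '%2526' in the outer URL.
    """
    inner = f"{RELAY_PATH}?entityID={_q(sp_entity_id)}&RelayState={_q(target_path)}"
    return f"{SSO_BASE}{RELAY_PATH}?entityID={_q(idp_entity_id)}&RelayState={_q(inner)}"


def parse_session_relay_url(url: str) -> tuple[str, str, str]:
    """Peel the layers apart: returns (idp_entity_id, sp_entity_id, target_path).

    parse_qs() removes one percent-encoding layer per call, which is why the
    inner URL is parsed with a second call instead of by splitting strings.
    The final-target check is an added assumption, not from the page: the
    relay target should stay inside this deployment, so anything that is not
    an absolute local path (for example '//host/...') is rejected.
    """
    outer = parse_qs(urlsplit(url).query)
    inner_url = outer["RelayState"][0]           # '%26' is already '&' here
    inner = parse_qs(urlsplit(inner_url).query)
    target = inner["RelayState"][0]
    if not target.startswith("/") or target.startswith("//"):
        raise ValueError(f"final RelayState is not a local path: {target!r}")
    return outer["entityID"][0], inner["entityID"][0], target
```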

WS-Federation Passive Requester Profile

The WS-Federation Passive Requester Profile is used for initiating a login request. A request is formed at the PassiveRequestorService endpoint:

...


Because the WS-Federation request is not signed and can therefore be spoofed by any party, the integrated application should check each value of the response against the request it sent, to ensure the response matches the requested parameters.

OAuth2 Applications

For OAuth2 applications, use the Authorization Request URL to initiate the process and acr_values to select the desired authentication method.

    https://sso.example.com/uas/oauth2/authorization?response_type=code&scope=openid&client_id=2001221477&redirect_uri=https://client.example.com/response&state=40e1bfc0-4587-4859-be08-a58e3fffa37a&max_age=0&prompt=login&display=popup&ui_locales=en&acr_values=2&login_hint=user@example.com



...