or How to create an SSO session using an existing application session
or How to create a link to choose the authentication method on behalf of a user
Info: This page is incomplete in some areas. Please contact Ubisecure Support or Sales Engineering for more information if required.
Use Cases
Use case A: A user already has a session with an application and has been authenticated using some existing technique. How can that user be logged into the Ubisecure SSO system to enable single sign-on to other applications?
Use case B: Customer support needs to log in to the system as the end user in order to help them solve a problem or to see the same view the user sees. The customer support user already has a session with an application and has been authenticated using some existing technique. How can that user be logged into the Ubisecure SSO system as a different user to enable single sign-on to other applications?
Use case C: A user has been authenticated using a non-browser-based API, such as the OAuth password grant. Because no browser is used, no session cookie is created that would allow the user to perform browser-based single sign-on to another application.
In each of the above cases, it is possible to create a new browser-based SSO session using a technique called SAML unsolicited response. Ubisecure provides libraries and examples for Java and PowerShell to create a new SAML response from the information already at hand.
...
Create a SAML identity provider configuration by running the following script, which contains the base URL. Note that the java command must be in PATH for this script to run.
Listing 3. Create SAML configuration
```
cd /d "C:\Program Files\Ubisecure\httpheaderap"
java -jar webapp\WEB-INF\lib\ubisaml2.jar Generate https://example.com/samlap -o webapp\WEB-INF\uap -y -disable SingleLogoutService
```
...
- Select the Application
- Select the Methods tab
- Select the check box for the SAML AP Example method
- Press Update
IDP Initiated SSO using SAML2
An unsolicited SSO can be done by sending a valid SAML response message to the address:
...
```
https://sso.example.com/uas/saml2/SessionRelayService?entityID=https://sso.example.com/uas/saml2/names/ac/saml.companyx.1&RelayState=/uas/saml2/SessionRelayService?entityID=urn:uuid:6c524df0-4625-32a8-87ef-705b3523e4b2%26RelayState=/app/protected
```
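As an added illustration (not code from the Ubisecure libraries), the following Python builds and validates the two-hop SessionRelayService URL from the address above; the entity IDs and target path are those of the example URL, and the rejection rules for the inner hop are assumptions about what an integrating application should enforce, not documented Ubisecure behaviour.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed values modelled on the page's example URL (not Ubisecure code).
SSO_BASE = "https://sso.example.com"
RELAY_SERVICE = "/uas/saml2/SessionRelayService"


def build_session_relay_url(idp_entity_id, sp_entity_id, target):
    """Build the two-hop SessionRelayService URL shown on this page.

    Outer hop: entityID is the SAML IdP (the "SAML AP Example" method) that
    will receive the unsolicited Response; RelayState carries the inner hop.
    Inner hop: entityID is the application's SP entity ID; RelayState is the
    final protected resource. The inner hop is encoded once more inside the
    outer RelayState, which is why its '&' appears as %26 on the page.
    """
    inner = RELAY_SERVICE + "?" + urlencode(
        {"entityID": sp_entity_id, "RelayState": target},
        quote_via=quote, safe="/:")
    outer = urlencode(
        {"entityID": idp_entity_id, "RelayState": inner},
        quote_via=quote, safe="/:?=")
    return SSO_BASE + RELAY_SERVICE + "?" + outer


def _single(params, name):
    """Return the one value of a query parameter, rejecting missing/repeated."""
    values = params.get(name, [])
    if len(values) != 1:
        raise ValueError(f"expected exactly one {name} parameter")
    return values[0]


def parse_session_relay_url(url):
    """Decode both hops; return (idp_entity_id, sp_entity_id, target).

    Rejects an inner hop that is not a relative URL back to the relay service
    and a final target that is not a local path (assumed checks), so a crafted
    RelayState cannot turn the relay into an open redirect.
    """
    outer = parse_qs(urlsplit(url).query, strict_parsing=True)
    idp_entity_id = _single(outer, "entityID")
    inner_parts = urlsplit(_single(outer, "RelayState"))
    if inner_parts.scheme or inner_parts.netloc or inner_parts.path != RELAY_SERVICE:
        raise ValueError("inner RelayState must be a relative SessionRelayService URL")
    inner = parse_qs(inner_parts.query, strict_parsing=True)
    target = _single(inner, "RelayState")
    if not target.startswith("/") or target.startswith("//"):
        raise ValueError("final RelayState must be a local path")
    return idp_entity_id, _single(inner, "entityID"), target
```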
WS-Federation Passive Requester Profile
...
Because the WS-Federation request is not signed and can therefore be spoofed by any party, the integrated application must check each value of the response against the parameters it requested to ensure they match.
OAuth2 Applications
For OAuth2 applications, use the Authorization Request URL to initiate the process and acr_values to select the desired authentication method.
```
https://sso.example.com/uas/oauth2/authorization?response_type=code&scope=openid&client_id=2001221477&redirect_uri=https://client.example.com/response&state=40e1bfc0-4587-4859-be08-a58e3fffa37a&max_age=0&prompt=login&display=popup&ui_locales=en&acr_values=2&login_hint=user@example.com
```
...