...
The main view of authorization policy is presented in Figure 1.
|
|---|
| Figure 1: Authorization Policy main view |
| Object | Description | ||
|---|---|---|---|
| Ubilogin 2.x/3.0 backwards compatible | Authorization Policy was changed in Ubisecure SSO version 3.1. Please see Identity Server 2021.3 Release Notes for more information.
| ||
| Single-Value Attributes | Single-value constraint fails for the defined attribute if more than one distinct value is assigned | ||
| Required Attributes | The required constraint fails for the defined attribute if no value is assigned |
The components of the authorization policy consist of Single-Value and Required constraints. The constraints function is an aid for the application designer and legacy application compatibility. For example, if an application requires a mandatory attribute with the user information, for example email address, this check can be performed already by Ubisecure SSO. Similarly, if an application does not support multiple roles, this can be verified to ensure that only one role is sent during the authorization process. Thus, additional data validation at the application level is avoided.
...
The Roles view presents a simplified view into the authorization policy where the Site Manager is allowed to manage group – role associations. See the Figure 2.
|
|---|
| Figure 2: Authorization roles |
| Object | Description |
|---|---|
| Group | Click Group or System name to edit group object |
| Update | Edit role field and click Update to update group – role association |
| Add | Click Add… to create a new association. By default the name of the group is used for the role name. You can change the role name. Any number of associations can be created. A single group may be associated with any number of roles. |
| Remove | Select group check box and click Remove to remove group – role association. |
Attributes
The Attributes view (see Figure 3) presents a more advanced view into the authorization policy.
|
|---|
| Figure 3: Authorization Policy Attributes editor |
In this view it is possible to associate groups and attributes of any name. The attribute value assigned to an attribute is entered as an attribute value.
| Attribute | Description |
|---|---|
| Group | Group to whom the policy item is linked to. |
| Site | Top level site of the policy item group. |
| Scope | Scope of the policy item. If set, the specified scope value, or one of the values in case of multiple values, must be present in the authentication request for the policy item to be evaluated. Note that this can only be used with OpenID Connect, OAuth 2.0 and Mobile Connect applications. Other application integration protocols don't support attribute scopes, so for them policy items with scope anything other than empty value will not be evaluated. Empty value means that the policy item is evaluated regardless of scope. Multiple values can be separated by a space. |
| Name | Name of the authorization attribute. |
| Value | Attribute value. See the syntax below. |
| Name Format | SAML attribute name format, used in the SAML message. Usually not needed. |
| Friendly Name | SAML attribute friendly name, used in the SAML message. Usually not needed. |
| Update | Update the edited fields |
| Add | Add new group – authorization association for to this authorization policy |
| Remove | Remove the selected group – authorization association(s) |
| Note |
|---|
Attributes with following names cannot be overwritten with an authorization policy for OpenID Connect and OAuth2 applications.
|
...
text:<string>→ the value is <string>user:<name>
→ the value is evaluated by reading the attribute <name> from the user's directory object. For example,user:uidwould return the value of the uid attribute.user:<name>;binary
→ LDAP binary option mechanism (http://www.rfc-editor.org/rfc/rfc2251.txt , Authentication and authorization process - SSO and Management customization - SSO → Disabling Context Menu items). The attribute <name> is returned to web applications as Base64 coded string. For example,user:objectGuid;binarywould return value such assFy0xj0cXU6QpjsQRCzG5Q==.method:<name>
→ the value is evaluated by reading the attribute <name> assigned by the authentication method component. The availability of method attributes depends on the authentication method implementation.
...
For more information, refer to Expression language API - SSO.
|
|---|
| Note |
|---|
Note: In the image above, there's the expression that sets the attribute's name to "role", so an attribute with name "Update NameID and add role 'manager'" would not be defined. Instead, the name of the policy item group is used here as a human-readable description. |
...
This view shows the web applications where this authorization policy is assigned.
|
| Figure 4: The list of applications that the selected authorization policy is applied to |
| Object | Description |
|---|---|
| Add | Add a group to the selected authorization policy |
| Remove | Remove the selected application(s) from this authorization policy |
A single authorization policy may be assigned with any number of applications. A single application can be associated with one or zero authorization policies.