The authentication method configuration is done using Ubisecure SSO Management or the LDIF import files provided by Ubisecure SSO installation.
Create the Authentication Methods
Any required authentication methods used by users must now be created according to the general guidelines concerning creating authentication methods into Ubisecure SSO.
Typical methods include username and password, SMS OTP, One TIme Password Printout and third-party banking services (TUPAS). Add only the methods that will be used in the current installation:
Password method
- Set title:
CustomerID Password
- Name:
password.2
- Select method type:
SPI Password
Set directory to:
CustomerID Directory
By default user logs in using the login attribute (which is
uid
in Ubisecure Directory andsAMAccountName
in Active Directory). If you want the user to login using email address, you must adddirectory.account.login=mail
to the configuration string. You must also addgeneral.login.attribute=mail
toeidm2.properties
. Createeidm2.properties
text file under%PROGRAMFILES%\Ubisecure\customerid\application\custom
Set the optional
policy.password.expiring
configuration string to show a warning to users during login of a pending password expiry. The value is number of minutes. 10080 is one week. This number should be increased accordingly if users rarely use the system.- Select Enabled
- Press Update
SMS method
- Set title. Title will be shown in the user interface during login.
SMS
- Name:
ubikey.sms.1
- Select method type:
SPI Mobile Phone
Set directory to:
CustomerID Directory
Figure 4. SMS method
- By default user logs in using the login attribute (which is
uid
in Ubisecure Directory andsAMAccountName
in Active Directory). If you want user to login using email address, you must adddirectory.account.login=mail
to the configuration string. You must also addgeneral.login.attribute=mail
toeidm2.properties
. Createeidm2.properties
text file under%PROGRAMFILES%\Ubisecure\customerid\application\custom
- You need to define the
password-name
configuration string. It should contain the name of the used password method (usuallypassword.2
). You need to define the
smsUrl
configuration string. It should contain the URL of the SMS server.Figure 5, SMS URL - If Active Directory is used as the main user repository for Ubisecure CustomerID then you need to define the
methodUserGroupDN
configuration string. It points to the AD group which defines those users that are allowed to use SMS authentication. The relative name of the correct group isActiveSMSUser.
The whole DN is installation specific. Typically Active Directory is not used as the main user repository for Ubisecure CustomerID. - Select Enabled
- Press Update
OTP Printout method
- Set title: Title will be shown in the user interface during login.
One Time Password
- Set name:
ubikey.otp.1
- Select method type:
SPI Ubikey OTP Printout
Set directory to:
CustomerID Directory
- By default users log in using the login attribute (which is
uid
in Ubisecure Directory andsAMAccountName
in Active Directory). If you want users to login using their email addresses, you must adddirectory.account.login=mail
to the configuration string. You must also addgeneral.login.attribute=mail
toeidm2.properties
. Createeidm2.properties
text file under%PROGRAMFILES%\Ubisecure\customerid\application\custom
- You need to define the
password-name
configuration string. It should contain the name of the used password method (usuallypassword.2
). If Active Directory is used as the main user repository then you need to define the
userCredentialsTableDN
configuration string. It defines the name of the OTP table object in Ubisecure Directory. OTP Printout authentication method information is stored in Ubisecure Directory for all Active Directory users who use the OTP Printout method and that information will be stored under the OTP table. Typically Active Directory is not used as the main user repository for Ubisecure CustomerID.Figure 6, OTP Printout Method, configuration string parameters will be shown after next part
- Press Update
- Select the SPI Ubikey Printout tab
- You need to define the
otpWindow
configuration string if you want to define how many one-time passwords from the password list are checked against the given one-time password during one-time password validation. - You need to define the
otpDefaultLength
configuration string if you want to define the length of the one-time passwords. - You need to define the
otpDefaultListLength
configuration string if you want to define the amount of one-time passwords in a generated password list. For sending the OTP list from within the Ubisecure SSO Management application the
mailSessionJNDIName
configuration string must be set. In most cases, this field can be left blank as it is not required for self-service list management using Ubisecure CustomerID.Figure 7, OTP Printout Configuration Strings - Select Enabled
- Press Update
- You need to define the
TUPAS methods
- This is only required when using Finnish Bank Authentication Services
- When creating the TUPAS methods follow the separate TUPAS methods related documentation.
- Automatic creation for TUPAS test methods can be done with
%PROGRAMFILES%\Ubisecure\ubilogin-sso\ubilogin\ldap\adam\import.cmd ..\methods\methods-tupas.ldif
command
Remember to enable all of the created authentication methods. This can be done by selecting the X at the top of the checkbox column to tick all boxes, and then press Update.
For more information concerning authentication method configuration check SSO Management - Authentication Methods.
Figure 8, All authentication methods are ticked as enabled |