SAML IDP Proxy - SSO

Introduction

NOTE: Ubisecure product names were unified in autumn 2011. All products whose names started with the term "Ubilogin" were renamed to start with the term "Ubisecure". In the documentation this name change is applied retroactively, i.e., the new naming practice is also used when referring to old software versions whose names started with the term "Ubilogin" at the time of their release.

Ubisecure SSO Server is a standards-based Identity Provider (IDP). One of the roles of an Identity Provider is to enable federation of user identities from one independent domain to another. Federation is a term used to describe functionality that transfers a user between two separate IDPs.

Ubisecure SSO provides the SAML and WS-Federation protocols for identity federation. This page describes how to integrate another domain with a Ubisecure identity domain using the SAML 2.0 protocol: how to create an IDP Proxy authentication method that authenticates users from another domain for SPs in the Ubisecure identity domain.

The process of creating a trust relationship from another domain to Ubisecure SSO Server follows the procedure described in the SSO Management documentation, where the other domain is treated as a SAML Service Provider.

Figure 1. Trust relationships between 2 domains

Installation

This chapter goes through the necessary steps to make Ubisecure SSO Server trust another SAML Identity Provider and to configure the IDP Proxy authentication method.

Configuring Ubisecure Authentication Server as a Trusting Party

Add the trust relationship to the Ubisecure Directory

The IDP Proxy authentication method is added to the Ubisecure Directory by importing an LDIF file. Replace the dn and cn attributes with the name of the IDP Proxy instance and use the following script to import the LDIF into the Ubisecure Directory. At a minimum, you have to change the last part of the distinguished name from dc=localhost to the distinguished name of your local Ubisecure Directory.

You can find an example LDIF excerpt at the end of ubilogin/ldap/methods.ldif under the title SAML Federation. 

Listing 1. Sample contents of idp-proxy.ldif
#
# SAML Federation
#
 
dn: cn=saml.idp.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: saml.idp.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: SAML
ubiloginClassname: ubilogin.method.provider.saml2.AssertionConsumerMethod
ubiloginEnabled: FALSE
ubiloginTitle: Remote IDP


Listing 2. Windows
cd /d "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap"
adam\import.cmd idp-proxy.ldif

Listing 3. Linux
cd /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap
openldap/import.sh idp-proxy.ldif

Import the Identity Provider metadata

Log in to Ubisecure Server Management with System Administrator privileges. Navigate to the Server Authentication Methods view. Open the settings of the IDP Proxy method you just installed and choose the SAML view. Click Upload SAML Metadata and either upload the Identity Provider's metadata file or copy and paste the metadata.
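The Identity Provider's metadata carries the signing certificate and the endpoints that the trust relationship relies on, so it is worth checking the file before uploading it. The following Python check is an added example, not Ubisecure code; the function name check_idp_metadata, the sample metadata and the idp.example.com URLs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample, not real metadata: expired, no signing key, plain-HTTP endpoint.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml" validUntil="2020-01-01T00:00:00Z">
  <md:IDPSSODescriptor>
    <md:SingleSignOnService Location="http://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(xml_text, now=None):
    """Return a list of problems in SAML 2.0 IdP metadata; an empty list means none found."""
    now = now or datetime.now(timezone.utc)
    # SAML metadata never needs a DTD; refusing one rules out entity-expansion input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["document contains a DTD or entity declaration"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        return ["root element is not md:EntityDescriptor"]
    problems = [] if root.get("entityID") else ["missing entityID"]
    valid_until = root.get("validUntil")  # optional attribute; SAML times are UTC
    try:
        if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
            problems.append(f"metadata expired at {valid_until}")
    except (ValueError, TypeError):  # bad syntax, or no time zone to compare against
        problems.append(f"validUntil is not a UTC timestamp: {valid_until}")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not IdP metadata"]
    # A KeyDescriptor without a 'use' attribute covers signing as well as encryption.
    has_key = any(kd.get("use") in (None, "signing")
                  and kd.findtext(".//ds:X509Certificate", "", NS).strip()
                  for kd in idp.findall("md:KeyDescriptor", NS))
    if not has_key:
        problems.append("no signing certificate in IDPSSODescriptor")
    locations = [ep.get("Location", "") for ep in idp.findall("md:SingleSignOnService", NS)]
    if not locations:
        problems.append("no SingleSignOnService endpoint")
    problems += [f"SSO endpoint is not HTTPS: {loc}" for loc in locations
                 if not loc.lower().startswith("https://")]
    return problems

if __name__ == "__main__":
    print("\n".join(check_idp_metadata(SAMPLE)) or "no problems found")
```

The check only inspects the structure of the file; whether the certificate in it really belongs to the other domain's Identity Provider still has to be confirmed with that domain's administrator.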

Export the SAML service provider metadata

Click Download SAML Metadata to download the Service Provider metadata, and save it. It is needed to configure Ubisecure SSO Server as a Service Provider for the Identity Provider in the other identity domain.

Once you have configured your Identity Provider to accept SAML authentication requests from Ubisecure SSO Server, the IDP Proxy method has been set up.


ExplicitUnspecifiedAuthnContextClassRef

Forces the value urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified into AuthnContextClassRef in an outbound SAML2 Authentication Response, regardless of what might have been received in an inbound SAML2 Authentication Response. This improves compatibility with third-party applications and third-party identity providers that send different values than expected.

In all cases, negotiation between connected parties for agreed values for AuthnContextClassRef should be the first approach.

Compatibility Flags

There are various compatibility flags that can be used with SAML2 Authentication Methods.

Figure 2. SAML authentication method with SendAssertionConsumerServiceURL feature enabled

SendAssertionConsumerServiceURL

Forces sending AssertionConsumerServiceURL. Some services require this optional element.

FinnishTrustNetwork

Forces sending the Finnish Trust Network SAML 2.0 Protocol Profile version 1.0 compliant SAML2 Extension ftn.

Note that only the information listed below is included in the element:

    • UI locale of the login page

An example of the included Extensions element is shown below.

SAML2 Extension for FTN

<samlp:Extensions>
  <ftn>
    <lg>fi</lg>
  </ftn>
</samlp:Extensions>