External discovery - SSO

Introduction

About this page

NOTE: Ubisecure product names were unified in autumn 2011. All products which started with term "Ubilogin" were renamed to start with term "Ubisecure". In documentation this name change is implemented retroactively, i.e., the new naming practice is used also when referring to old software versions which started with term "Ubilogin" at the time of their release.

This page describes the requirements and tasks for installing the External Discovery in an Ubisecure Trust. The result of the installation described in this page is a working environment which uses an External Discovery service in a Ubisecure system.

The Installation - SSO Guide contains instructions for installing the Ubisecure SSO Server.

Overview

In a configuration, where you have many SSO Servers (or Identity Providers/IdPs) in your federation network, it may be difficult to achieve a smooth SSO experience. That is because there may not be any reliable technique to determine the home organization of the user.

In this case, a list of the trusted IDPs can be shown to the user, using Ubisecure's built-in IDP discovery service.

Most federation networks provide and maintain a central discovery service. It works in a similar way, but provides a consistent user experience across various SPs. Ubisecure SSO can forward discovery requests to third-party discovery services, process the response containing the selected IDP and forward an authentication requested to that IDP.

The process is described in Figure 1.

  1. A user attempts to access an internet service protected by a SAML SP.
  2. The user is redirected to Ubisecure SSO configured as a SAML IDP Proxy.
  3. Typically the user is redirected immediately to step 4. If more than one authentication technique is configured, the user can choose. For example, if both federated users as well as local users can access the SP, a login screen may be shown.
  4. The user is redirected to the third-party discovery service.
  5. The user makes a selection from the list (or the selection is made automatically using various techniques).
  6. The user is redirected to back to Ubisecure SSO.
  7. Ubisecure SSO sends an authentication request to the IDP selected by the user.

Figure 1. External Discovery process flow

Figure 2 below contains an example third-party discovery service.

Figure 2. Example third-party discovery service


Installing the external discovery

Before installation

System requirements

Required information

  • The URL of the discovery service of the federation network

Requirements for production use

  • All IdPs that might send responses from the External Discovery Service must be configured in Ubisecure SSO in order to use the External Discovery Service. Typically this is done automatically in a Federation Network.

Installation of external discovery

To install External Discovery:

  1. Open the Ubisecure Management application. (Please note that your Ubisecure Server Management view may have different content than shown in the sample pictures, depending on the Ubisecure SSO configuration and your user rights.)
  2. Go to Home → Global Method Settings → New Method…
  3. Complete the following details in the Add New Method pop-up (see Figure 3):
    1. Title: Enter human readable name (Typically the name of Federation Network)
      This name is used by default in the user interface if no localization is available.
    2. Name: Enter unique method name. e.g. discovery.federationnetworkname
    3. Method Type: Select Discovery from the drop down menu.
    4. Method Class: The Class is automatically entered from the previous selection.

      Figure 3. Adding External Discovery Method
  4. Click OK. The Main tab of the External Discovery method will be shown. Add the following two lines to the Configuration String field. 

    DiscoveryService: The URL to the third-party discovery service 
    isPassive: Set to false for third-party discovery services, to permit interactive selection

    Example: 

    DiscoveryService = https://anydomain.com/ExternalDiscoveryService
    IsPassive = false

    Ensure that the Enabled checkbox under Status section is selected.
    Ensure that the Hidden checkbox under Status section is NOT selected.
    Click the Update button.

    Figure 4. Configuring the External Discovery authentication method settings
  5. Start adding a new authentication method by selecting the site (in the sample picture System) → Site Methods → Add Method.

    Figure 5. Adding a new authentication method for a site
  6. Select Method window opens.
    Select the checkbox of the desired authentication method (in this case External Discovery) and click OK.
  7. Add a new authentication method to a web application.
    Select Application and click on an agent name (in this example Test Agent) in the Site Applications list.

    Figure 6. Selecting a web agent
  8. Ubisecure Web Agent view opens.
    Select Allowed Methods from the top menu.
    Select the checkbox of the desired authentication method (in this case External Discovery) and click Update.
    Note that all IDPs should also be added as valid authentication methods for the agent. IDPs that are accessed through the Discovery Service should be set to Hidden. Hidden authentication methods will not show in the Ubisecure IDP selection screen.
  9. You can now test that the authentication method functions by going to the Ubisecure application you selected (for example, https://test.example.com:8443/testagent ) and selecting the method you created under "Sign in using a provider".

    Figure 7. Signing in using the External Discovery
  10. Clicking on the External Discovery button will redirect the browser to the third-party discovery service for IDP selection. After selection, the user will be returned to the UAS server which will generate an authentication request to the selected IDP.If External Discovery is the only non-hidden authentication method enabled for an agent, it will be selected automatically. The screen in Figure 7 will not be shown.