Management UI Traditional Directory User Mappings - SSO

Owned by Former user (Deleted)
2018-10-05
5 min read

Directory user mapping is a mechanism for mapping users that have been authenticated by third-party identity providers dynamically to one or more user accounts in different LDAP directories. As a result of successful mapping, run-time Ubisecure or directory identities are created and made available to be used by the agent application in a single sign-on session.

Users that have been identified by a third party are called unregistered users. For example, if an external strong authentication method is used (e.g., a certificate based method), the identifier returned is the subject from the user certificate, which may not exactly match the user id (uid) in the Ubisecure Directory or another integrated directory. For this reason, mapping is performed to match the identifier(s) returned by the identity provider to one or more fields in the user account. After this match is performed, the applicable agents will have access to both sets of user data (limited only by the Authorization Policy used).

In order to be able to use an external authentication method with directory user mappings, following configurations are required for the authentication method:

  • Add the method to the directory that are used for the mapping, for example in tab Services → CustomerID Directory → Connected Methods
  • Add the method to the site(s) where the users are located, for example in tab eIDM Users → Site Methods

A directory user mapping is configured using extended LDAP URL syntax, which provides a capability to create search filters with values of arbitrary method attributes. In addition, it is possible to define search preconditions based on attribute values.


Figure 1: Directory User Mappings list

Directory User Mappings (Home, Directory User Mappings) presents a list of directory user mapping tables.

  • New Mapping
    Create a new directory user mapping table
  • Delete Mapping
    Delete selected directory user mapping tables
  • Directory user mapping table 
  • The Directory user mapping table configuration view is opened by clicking a name of directory user mapping table in the list.

Main View

Figure 2: Directory User Mappings main view
  • Name
    Name of the directory user mapping table
  • Description
    Description of the directory user mapping table
  • Update
    Update the modified description
  • New
    Create a new directory user mapping table
  • Delete
    Delete the directory user mapping table
  • Rename
    Rename the directory user mapping table

User Mappings View

Figure 3: User Mappings view

The User Mappings view shows the contents of a directory user mapping table. Each entry of a directory user mapping table consists of an optional precondition and an LDAP search url. A Directory User Mapping may contain many entries, for example to map users from different branches of an LDAP to based on different attributes, or to match users to different user repositories based on method attributes or authentication methods used.

  • Directory User Mapping Entry
    Click a directory user mapping entry to edit values

  • Add
    Create a new directory user mapping entry

    Figure 4: Adding a new Directory User Mapping
  • Remove
    Remove selected directory user mapping entries

Directory User Mapping edit view is presented below.

Figure 5: Directory User Mapping edit view

If a precondition exists, it must be evaluated successfully before the LDAP search is performed. The syntax of precondition follows the precondition syntax of method attribute mapping with an exception in attribute names: attribute name is defined with prefix:name notation, where prefix may be one of the following:

  • method
     Attribute name refers to the method attributes. Refer to the authentication method documentation for a list of available attributes for specific authentication methods.
  • subject
    Attribute name refers to the subject attributes. Subject attributes are following:
    • format
      Format of username
    • username
      Actual username string

    • namequalifier
      Namequalifier specifying the username namespace

The LDAP URL section of the directory user mapping edit view has following fields:

  • Select
    The drop-down list contains all enabled pre-configured directories from the Server → Services. Select the directory to which the user should be mapped. Selection of this item will complete the Server and Distinguished Name fields.
  • Server
    The base address of the LDAP server in URI format. For example: ldap://localhost/. The special value ldap:/// defines the LDAP server of the Ubisecure Directory . This value is completed after service selection.
  • Distinguished Name
    The name of a directory object. This value is completed after service selection. To optimize the query, reduce the scope of the hierarchy if it is known that matches will be found in only a certain particular branch of the LDAP directory.
  • Scope
    Search scope. One of base, one, or sub.
    • Base
      The object defined by the Distinguished Name value only. The user object to be mapped must be found at this level.
    • One
      Exactly one level below the object defined by the Distinguished Name. The user object to be mapped must be found at this level.
    • Sub
      Descendants of the object defined by the Distinguished Name, including the object itself. The user object to be mapped can be at any level below the object defined by the Distinguished Name.

  • Filter
    LDAP search filter expression.
    The LDAP search filter syntax is specified by RFC 2254 (http://www.rfc-editor.org/rfc/rfc2254.txt). Attribute names enclosed in curly braces are replaced with corresponding attribute values before the search. The syntax of attribute names follows the same prefix:name notation as the precondition syntax. An attribute must have exactly one single value or else the search fails.
    Example: 

    (&(objectclass=ubiloginUser)(mobile={method:mobile}))

    The example above will match an LDAP user with objectclass equal to ubiloginUser and mobile attribute that matches the mobile attribute that was received from the authentication method.
    The example shown in Figure 5 above will match an LDAP user with objectclass equal to ubiloginUser and description attribute that matches the custid attribute that was received from the authentication method. The mapping will only be performed if the custid method attribute contains a value.
    After configuration is complete and OK has been pressed, the user mappings view (example Figure 3) shows the full LDAP query that will be executed to perform the mapping. Symbols %7D and %7B represent curly braces containing variables that will be replaced at runtime execution. 

Methods View

Figure 6: Methods view

The Methods view shows the list of available authentication methods. Selected methods are assigned with the current directory user mapping table. Each method may be assigned with at most one directory user mapping table at a time. Therefore, assigning a mapping table for a method replaces the previous assignment.

  • Update
    Assign the directory user mapping table with selected authentication methods

Ubisecure Privacy Policy & Cookie Statement