Directory user mapping is a mechanism for mapping users that have been authenticated by third-party identity providers dynamically to one or more user accounts in different LDAP directories. As a result of successful mapping, run-time Ubisecure or directory identities are created and made available to be used by the agent application in a single sign-on session.

Users that have been identified by a third party are called unregistered users. For example, if an external strong authentication method is used (e.g., a certificate based method), the identifier returned is the subject from the user certificate, which may not exactly match the user id (uid) in the Ubisecure Directory or another integrated directory. For this reason, mapping is performed to match the identifier(s) returned by the identity provider to one or more fields in the user account. After this match is performed, the applicable agents will have access to both sets of user data (limited only by the Authorization Policy used).

In order to be able to use an external authentication method with directory user mappings, following configurations are required for the authentication method:

Add the method to the directory that are used for the mapping, for example in tab Services → CustomerID Directory → Connected Methods
Add the method to the site(s) where the users are located, for example in tab eIDM Users → Site Methods

A directory user mapping is configured using extended LDAP URL syntax, which provides a capability to create search filters with values of arbitrary method attributes. In addition, it is possible to define search preconditions based on attribute values.


Figure 1: Directory User Mappings list

Directory User Mappings (Home, Directory User Mappings) presents a list of directory user mapping tables.

New Mapping
Create a new directory user mapping table
Delete Mapping
Delete selected directory user mapping tables
Directory user mapping table
The Directory user mapping table configuration view is opened by clicking a name of directory user mapping table in the list.

Main View


Figure 2: Directory User Mappings main view

Name
Name of the directory user mapping table
Description
Description of the directory user mapping table
Update
Update the modified description
New
Create a new directory user mapping table
Delete
Delete the directory user mapping table
Rename
Rename the directory user mapping table

User Mappings View


Figure 3: User Mappings view

The User Mappings view shows the contents of a directory user mapping table. Each entry of a directory user mapping table consists of an optional precondition and an LDAP search url. A Directory User Mapping may contain many entries, for example to map users from different branches of an LDAP to based on different attributes, or to match users to different user repositories based on method attributes or authentication methods used.

Directory User Mapping Entry
Click a directory user mapping entry to edit values
Add
Create a new directory user mapping entry
Figure 4: Adding a new Directory User Mapping

Remove
Remove selected directory user mapping entries

Directory User Mapping edit view is presented below.


Figure 5: Directory User Mapping edit view

If a precondition exists, it must be evaluated successfully before the LDAP search is performed. The syntax of precondition follows the precondition syntax of method attribute mapping with an exception in attribute names: attribute name is defined with prefix:name notation, where prefix may be one of the following:

method
Attribute name refers to the method attributes. Refer to the authentication method documentation for a list of available attributes for specific authentication methods.
subject
Attribute name refers to the subject attributes. Subject attributes are following:
- format
  Format of username

- username
  Actual username string

- namequalifier
  Namequalifier specifying the username namespace

The LDAP URL section of the directory user mapping edit view has following fields:

Select
The drop-down list contains all enabled pre-configured directories from the Server → Services. Select the directory to which the user should be mapped. Selection of this item will complete the Server and Distinguished Name fields.
Server
The base address of the LDAP server in URI format. For example: ldap://localhost/. The special value ldap:/// defines the LDAP server of the Ubisecure Directory . This value is completed after service selection.
Distinguished Name
The name of a directory object. This value is completed after service selection. To optimize the query, reduce the scope of the hierarchy if it is known that matches will be found in only a certain particular branch of the LDAP directory.
Scope
Search scope. One of base, one, or sub.
- Base
  The object defined by the Distinguished Name value only. The user object to be mapped must be found at this level.
- One
  Exactly one level below the object defined by the Distinguished Name. The user object to be mapped must be found at this level.
- Sub
  Descendants of the object defined by the Distinguished Name, including the object itself. The user object to be mapped can be at any level below the object defined by the Distinguished Name.
Filter
LDAP search filter expression.
The LDAP search filter syntax is specified by RFC 2254 (http://www.rfc-editor.org/rfc/rfc2254.txt). Attribute names enclosed in curly braces are replaced with corresponding attribute values before the search. The syntax of attribute names follows the same prefix:name notation as the precondition syntax. An attribute must have exactly one single value or else the search fails.
Example:
```
(&(objectclass=ubiloginUser)(mobile={method:mobile}))
```
The example above will match an LDAP user with objectclass equal to ubiloginUser and mobile attribute that matches the mobile attribute that was received from the authentication method.
The example shown in Figure 5 above will match an LDAP user with objectclass equal to ubiloginUser and description attribute that matches the custid attribute that was received from the authentication method. The mapping will only be performed if the custid method attribute contains a value.
After configuration is complete and OK has been pressed, the user mappings view (example Figure 3) shows the full LDAP query that will be executed to perform the mapping. Symbols %7D and %7B represent curly braces containing variables that will be replaced at runtime execution.

Methods View


Figure 6: Methods view

The Methods view shows the list of available authentication methods. Selected methods are assigned with the current directory user mapping table. Each method may be assigned with at most one directory user mapping table at a time. Therefore, assigning a mapping table for a method replaces the previous assignment.

Update
Assign the directory user mapping table with selected authentication methods

Browser not supported