Backchannel Authentication Adapter - SSO
Introduction
This documentation describes the requirements and tasks for installing and configuring the Ubisecure Backchannel Authentication Adapter (UBAA) authentication method in Ubisecure SSO.
The result of the installation described in this document is a working UBAA authentication method.
Ubisecure Backchannel Authentication Adapter Overview
The protocol used by UBAA is based on the specification openid-connect-modrna-client-initiated-backchannel-authentication-1_0.
The picture below shows the authentication sequence. The authentication starts from a user agent, which sends an authentication request to SSO. SSO then initiates the authentication with UBAA by sending a Backchannel Authentication Request.
- SSO sends Backchannel Authentication Request to the UBAA.
- UBAA sends Authentication Request to a 3rd party Authentication Provider.
- The 3rd party AP handles the authentication by pushing an authentication request to the user's mobile device.
- After the authentication is successful, the 3rd party AP returns the Authentication Response.
- SSO receives the id_token in the Token Response to its latest Token Request.
- Note that while the authentication request was being processed during steps 2 to 5, the SSO server kept polling the UBAA for the authentication status and received the status authentication_pending until now.
- SSO responds with the authentication result.
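The poll sequence above, as an added simulation (example code, not Ubisecure's implementation): a hypothetical MockAdapter stands in for UBAA together with the 3rd party AP, and sso_authenticate plays the SSO side, honouring the interval and expires_in values returned with the auth_req_id and stopping when the request expires. The status name authentication_pending is the one used in this overview; the grant type is the one defined by the CIBA specification.

```python
"""Simulation of the CIBA poll flow: SSO sends a Backchannel Authentication
Request, then polls the adapter's token endpoint until the 3rd party AP has
completed the authentication. Example code, not Ubisecure's implementation."""
import secrets
from dataclasses import dataclass, field

CIBA_GRANT = "urn:openid:params:grant-type:ciba"  # grant type from the CIBA spec


@dataclass
class MockAdapter:
    """Hypothetical stand-in for UBAA plus the 3rd party AP. `ready_after` is
    the number of polls the AP needs before it returns the Authentication
    Response (i.e. before the user has approved the push on the mobile device)."""
    ready_after: int
    interval: int = 2        # seconds SSO must wait between polls
    expires_in: int = 120    # lifetime of the auth_req_id
    pending: dict = field(default_factory=dict)

    def backchannel_authentication(self, client_id, login_hint, scope):
        auth_req_id = secrets.token_urlsafe(16)
        self.pending[auth_req_id] = {"client_id": client_id, "polls": 0}
        return {"auth_req_id": auth_req_id, "expires_in": self.expires_in,
                "interval": self.interval}

    def token(self, grant_type, auth_req_id, client_id):
        req = self.pending.get(auth_req_id)
        # Unknown, reused or foreign auth_req_id: refuse, never leak status
        if grant_type != CIBA_GRANT or req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        req["polls"] += 1
        if req["polls"] < self.ready_after:
            return {"error": "authentication_pending"}  # status name used above
        del self.pending[auth_req_id]  # one-time use: a second poll must fail
        return {"id_token": "<constructed id_token for %s>" % auth_req_id,
                "token_type": "Bearer"}


def sso_authenticate(adapter, client_id, login_hint, sleep=lambda s: None):
    """SSO side: start the backchannel request and poll the token endpoint.
    Returns (id_token, number_of_polls); raises when the request expires."""
    resp = adapter.backchannel_authentication(client_id, login_hint, "openid")
    auth_req_id, interval = resp["auth_req_id"], resp["interval"]
    waited, polls = 0, 0
    while waited <= resp["expires_in"]:  # bounded: never poll past expires_in
        polls += 1
        tok = adapter.token(CIBA_GRANT, auth_req_id, client_id)
        if "id_token" in tok:
            return tok["id_token"], polls
        if tok.get("error") != "authentication_pending":
            raise RuntimeError("token endpoint error: %s" % tok.get("error"))
        sleep(interval)  # respect the interval advertised by the adapter
        waited += interval
    raise TimeoutError("authentication request expired before the AP answered")
```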
Before Installation
System requirements
- Ubisecure SSO 8.3 or later
- Ubisecure Authentication Adapter
Installation of the Authentication Adapter is not covered in this document. Note also that Ubisecure SSO requires the UBAA instance to be reachable from the SSO server instance, because the authentication is based on backchannel communication between SSO and the Authentication Adapter.
Installation
This chapter goes through the installation process for UBAA in SSO Management.
Preparation
For installation, you need to get the following from the UBAA:
- Authentication Adapter Metadata. The standard URL path is /.well-known/openid-configuration, for example https://ap.example.com:8443/ciba/.well-known/openid-configuration
- Authentication Adapter JWKS. The URL for this is advertised in the jwks_uri claim in the Provider Metadata.
- Client Identifier (client_id)
Creating the Authentication Method
Create a new Authentication Method on the Authentication Methods page and select Backchannel Authentication Adapter as the Method Type. After finishing, you should end up on the method's configuration page. You can also get there by clicking the method in the list.
Under the Backchannel Authentication Adapter tab:
- Insert the client_id in the Client Identifier field.
- Insert private_key_jwt in the Token Endpoint Authentication Method field.
- Press the Update button.
- Upload the Authentication Adapter Metadata.
- Press the Upload button next to label "Provider Metadata:".
- Paste the Authentication Adapter Metadata JSON string in the field or upload the file containing it.
- Press OK.
- Upload the Authentication Adapter JWKS.
- Press the Upload button next to label "Provider JWKS:".
- Paste the Authentication Adapter JWKS string in the field or upload the file containing it.
- Press OK.
Under the Main tab:
- Tick Enabled.
- Press the Update button.