Disabling UsernameUserMappingIdentityFactory
UsernameUserMapping is a legacy feature that maps unregistered users to UbiloginDirectory users based on the unregistered user's username. Because the same use case can be implemented with Directory User Mappings, which offer far more configuration flexibility, UsernameUserMapping is now considered deprecated.
The feature causes an extra LDAP search on UbiloginDirectory to be performed during each login with an unregistered authentication method. Disabling UsernameUserMappingIdentityFactory prevents this search from being performed. Disabling UsernameUserMappingIdentityFactory is recommended in version 8.4.1 and later, unless the UsernameUserMapping feature is actually in use.
In 8.4.X and older versions UsernameUserMappingIdentityFactory is enabled by default; in upcoming versions it will be disabled by default and, if needed, must be explicitly enabled with the EnableUsernameUserMapping flag.
How to check whether UsernameUserMapping is in use
One option is to check the diag logs for entries containing the text "UsernameUserMappingIdentityFactory.createIdentities". The drawback is that these entries are only written when the diag.identity log is set to debug level. A more robust option is to check for UsernameUserMapping configuration objects directly in UbiloginDirectory. Both methods are described below.
If UsernameUserMapping is in use and cannot be disabled without preventing users from logging in, EnableUsernameUserMapping can be added to the server compatibility flags to retain backwards compatibility in upcoming versions.
However, as the feature is deprecated and may be removed at some point in the future, it is advisable to migrate to, for example, Directory User Mappings instead. If questions arise, please contact Ubisecure Support and state that the question is about disabling UsernameUserMapping.
Checking for the diag log entries written during UsernameUserMapping
When the search performed during UsernameUserMapping returns a result (and the diag.identity log is set to debug level), the following diag log entry is written. If there is even one log entry like this one, UsernameUserMapping is in use.
2019-11-27 12:15:05,932 identity UsernameUserMappingIdentityFactory.createIdentities:Identity[UBILOGIN&tupas.op.1&<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" NameQualifier="ldap:///cn=Ubilogin,dc=test">CN=User1,OU=test,CN=Ubilogin,DC=test</saml:NameID>]
When the search performed during UsernameUserMapping returns no results (and the diag.identity log is set to debug level), the following diag log entry is written. If there are only log entries like this one and none like the entry above, UsernameUserMapping is not in use.
2019-11-14 10:19:16,661 identity UsernameUserMappingIdentityFactory.createIdentities login.InvalidUserException: The user was not found
    at ubilogin.directory.Locator.inner_findUbiloginAuthMapping(Locator.java:242)
    at ubilogin.directory.Locator.access$200(Locator.java:32)
    at ubilogin.directory.Locator$3.get(Locator.java:216)
    at ubilogin.directory.Locator$3.get(Locator.java:213)
    at com.ubisecure.util.cache.ExpiringCache.get(ExpiringCache.java:64)
    at ubilogin.directory.Locator.findUbiloginAuthMapping(Locator.java:211)
    at attributes.identity.UsernameUserMappingIdentityFactory.searchUbiloginIdentityByAuthMapping(UsernameUserMappingIdentityFactory.java:75)
    at attributes.identity.UsernameUserMappingIdentityFactory.createIdentities(UsernameUserMappingIdentityFactory.java:58)
    at ubilogin.UbiloginIdentityFactory.createIdentities(UbiloginIdentityFactory.java:127)
    at com.ubisecure.ubilogin.sso.ui.conversation.authn.UbiloginAuthenticationRequest.updateSession(UbiloginAuthenticationRequest.java:513)
    at com.ubisecure.ubilogin.sso.ui.conversation.authn.UbiloginAuthenticationRequest.assertAccessAllowed(UbiloginAuthenticationRequest.java:533)
    at com.ubisecure.ubilogin.sso.ui.servlet.ReturnServlet.agentMethodService(ReturnServlet.java:128)
    at com.ubisecure.ubilogin.sso.ui.servlet.ReturnServlet.service(ReturnServlet.java:179)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.ubisecure.saml2.trace.TraceServlet.doFilter(TraceServlet.java:58)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at servlet.ContextFilter.doFilter(ContextFilter.java:46)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.ubisecure.util.filter.ProxyFilter.doFilter(ProxyFilter.java:185)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.ubisecure.util.filter.SetEncodingFilter.doFilter(SetEncodingFilter.java:54)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:185)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
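As an added example (not part of the Ubisecure documentation), the following Python script applies the two rules above to diag log lines: a ":Identity[" entry after createIdentities means a username mapping resolved, an InvalidUserException entry means the search found nothing, and no marker entries at all is inconclusive because diag.identity may not be at debug level. The sample lines are constructed from the entries shown above; OtherIdentityFactory is a made-up name.

```python
import re
from collections import Counter

# Marker written by the identity factory (only when diag.identity is at debug level).
MARKER = "UsernameUserMappingIdentityFactory.createIdentities"
# A resolved mapping is logged as Identity[UBILOGIN&<auth method>&...]; capture the method.
METHOD_RE = re.compile(r"Identity\[UBILOGIN&([^&\]]+)&")

def classify_entry(line):
    """'mapped' if the search found a user, 'not_found' if it did not, None if unrelated."""
    if MARKER not in line:
        return None
    tail = line.split(MARKER, 1)[1]
    if tail.startswith(":Identity["):
        return "mapped"
    if "InvalidUserException" in tail:
        return "not_found"
    return "other"

def scan_diag_log(lines):
    """Return (verdict, counts). Stack-trace continuation lines carry no marker and are skipped."""
    counts = Counter(kind for kind in map(classify_entry, lines) if kind)
    if counts["mapped"]:
        verdict = "in use"
    elif counts["not_found"]:
        verdict = "not in use"
    else:
        verdict = "inconclusive"  # no entries at all: is diag.identity really at debug level?
    return verdict, dict(counts)

def mapped_methods(lines):
    """Authentication methods for which a username mapping actually resolved."""
    methods = set()
    for line in lines:
        if classify_entry(line) == "mapped":
            match = METHOD_RE.search(line)
            if match:
                methods.add(match.group(1))
    return methods

# Constructed sample lines modelled on the entries shown above (not a real log).
SAMPLE_DIAG_LOG = [
    "2019-11-27 12:15:05,932 identity " + MARKER + ":Identity[UBILOGIN&tupas.op.1&"
    "<saml:NameID>CN=User1,OU=test,CN=Ubilogin,DC=test</saml:NameID>]",
    "2019-11-14 10:19:16,661 identity " + MARKER + " login.InvalidUserException: The user was not found",
    "    at ubilogin.directory.Locator.inner_findUbiloginAuthMapping(Locator.java:242)",
    "2019-11-14 10:19:20,001 identity OtherIdentityFactory.createIdentities:Identity[UBILOGIN&password.1&x]",
]
```

Feed the whole diag log to scan_diag_log() (for example `scan_diag_log(open(path).read().splitlines())`); mapped_methods() then tells you which authentication methods still rely on the feature.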
Checking for UsernameUserMapping configuration objects in UbiloginDirectory
The best way to find out whether the UsernameUserMapping feature is in use is to check whether UbiloginDirectory contains any objects whose objectClass=ubiloginAuthMethod and that have a value set in the attribute ubiloginAuthMapping. This can be done, for example, by running one of the following commands in a terminal (the first for the OpenLDAP-based directory, the second for the ADAM-based one). If it prints nothing, it is certain that the feature is not in use and DisableUsernameUserMapping can safely be set in the server compatibility flags.
ubilogin/ldap/openldap/export.sh -LLL "(&(objectClass=ubiloginAuthMethod)(ubiloginAuthMapping=*))"
ubilogin\ldap\adam\export.cmd -r "(&(objectClass=ubiloginAuthMethod)(ubiloginAuthMapping=*))" >nul & type export.ldif
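As an added example (not code from the Ubisecure product), this Python reader parses the LDIF printed by either command above and lists every ubiloginAuthMethod object that has a non-empty ubiloginAuthMapping value. It handles LDIF continuation lines and base64 ("::") values, which a plain grep over the export would miss. The sample export is constructed.

```python
import base64

def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry, attribute names lowercased."""
    logical = []
    for raw in text.splitlines():            # unfold: a leading space continues the previous line
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:              # the trailing "" flushes the last entry
        if not line:                         # a blank line ends an entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr.lower(), []).append(value)
    return entries

def auth_methods_with_mappings(ldif_text):
    """Return (dn, [mappings]) for every ubiloginAuthMethod with a non-empty ubiloginAuthMapping."""
    hits = []
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        mappings = [m for m in entry.get("ubiloginauthmapping", []) if m]
        if "ubiloginauthmethod" in classes and mappings:
            hits.append((entry.get("dn", ["?"])[0], mappings))
    return hits

# Constructed sample export (not a real directory dump); the last entry uses the LDIF base64 form.
_B64 = base64.b64encode(b"cn=User2,ou=test,cn=Ubilogin,dc=test").decode()
SAMPLE_LDIF = (
    "dn: cn=tupas.op.1,cn=Ubilogin,dc=test\nobjectClass: ubiloginAuthMethod\n"
    "ubiloginAuthMapping: cn=User1,ou=test,cn=Ubilogin,dc=test\n\n"
    "dn: cn=password.1,cn=Ubilogin,dc=test\nobjectClass: ubiloginAuthMethod\n\n"
    "dn: cn=saml.1,cn=Ubilogin,dc=test\nobjectClass: ubiloginAuthMethod\n"
    "ubiloginAuthMapping:: " + _B64 + "\n"
)
```

Run auth_methods_with_mappings() over the export.ldif produced by the ADAM command or over the OpenLDAP output; an empty list is the same "prints nothing" result described above.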
Configuration
The configuration is done with one of the following flags, which are set in the server compatibility flags.
DisableUsernameUserMapping
UsernameUserMappingIdentityFactory is disabled for all authentication methods.
EnableUsernameUserMapping
UsernameUserMappingIdentityFactory is enabled for all authentication methods.
Example 1: Set DisableUsernameUserMapping for the server using SSO Management UI.
- Select "Server" tab.
- Add DisableUsernameUserMapping to Server Compatibility Flags.
- Press Update.