Management customization - SSO
- Tomi Pelttari
Ubisecure SSO Management can be customized by enabling confirmation prompt on delete or remove operations and by disabling context menu items.
Disabling context menu items
Context menus can be disabled for Site Managers. Disabling context menus does not affect to System Administrators view. System Administrators have access to all entities in Ubisecure SSO Management application.
Context menu can be disabled on a Site scoped basis. This means, that when Context Menu items are disabled for a particular Site, the changes will also take effect recursively to all child objects in the Site hierarchy. Also, definitions will stack, which means that definitions declared for a parent site will also apply to the site's children, even when they have their own definitions.
Disabling Context Menu items makes it possible to restrict functionality on a single Site or a set of Sites. For example, it is possible to dedicate a site for user management tasks only and have all of the excess functionality removed by defining a ruleset definition for that site.
Figure 1, Figure 2Â and Figure 3Â illustrate the final result of a customized context menu ruleset.
|
|---|
| Figure 1: This Organization Site has only the Site, Group and Users context menus enabled. Only groups and users can be managed at this level. |
|
|---|
| Figure 2: This Group's Site has only the Site and Groups context menus enabled. Only groups can be managed at this level. |
|
|---|
| Figure 3: This user's site has only the Site and Users context menus enabled. Only users can be managed at this level. |
Defining a ruleset
Rulesets are configured by means of properties files in XML format, where each entry consists of the Site's Distinguished Name as the key and the restricted Context Menu item identifiers as whitespace delimited values.
Context Menu displayed | Identifier |
|---|---|
Site Administrators | site/managedby |
Applications | site/agents |
Groups | site/groups |
Users | site/users |
Mappings | site/mappings |
Authorization Policies | site/attributes |
Site Methods | site/methods |
Table 1. Context Menu Items of the Site object
Context Menu displayed | Identifier |
|---|---|
Users | group/users |
Groups | group/groups |
Dynamic Members | group/memberurl |
Attribute Members | group/attributemembers |
Member Of | group/memberof |
Allowed Applications | group/agents |
Allowed Methods | group/methods |
Authorization | group/attributes |
Table 2. Context Menu Items of the Group object
Context Menu displayed | Identifier |
|---|---|
Users | mapping/users |
Applications | mapping/agents |
Table 3. Context Menu Items of the Mappings object
Context Menu displayed | Identifier |
|---|---|
Methods | user/methods |
Member Of | user/memberof |
Mappings | user/mappings |
Table 4. Context Menu Items of the User object
Rulesets can only be defined, when it is known what Distinguished Name the target site has – or will have. In an LDAP directory tree, all Site objects are of the objectClass Organizational Unit (OU). The root of Ubisecure Directory is the Common Name (CN) "Ubilogin", followed by a number of Domain Components (DC), which are derived from the uas.url configuration parameter in win32.config file (or unix.config file.)
A Ruleset Example
If the uas.url parameter is in the form of "uas.url=http://www.example.com:8443", then the root of Ubisecure Directory is "cn=Ubilogin,dc=www,dc=example,dc=com".
If a new Site is created in the Site hierarchy called "Sample Site", the distinguished name would be "ou=Sample Site,cn=Ubilogin,dc=www,dc=example,dc=com".
Creating a new Site below the Sample Site, called Users, would have a distinguished name of "ou=Users,ou=Sample Site,cn=Ubilogin,dc=www,dc=example,dc=com". Hiding of the Applications and Methods items from the Context Menu for this Site's main view and additionally hiding the "Dynamic Members" item from the configuration of this Site's group objects is possible by placing the following ruleset.xml file in the UBISECURE_HOME/ubilogin/WEB-INF folder:
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd"> <properties> <entry key="ou=Users,ou=Sample Site,cn=Ubilogin,dc=www,dc=example,dc=com"> site/agents site/methods group/memberurl </entry> </properties>
Furthermore, the changes will come into effect when the application is redeployed to the application server using the update command.
cd /d %UBISECURE_HOME%\config\tomcat update.cmd
cd $UBISECURE_HOME\ubilogin\config\tomcat ./update.sh
Enabling Confirmation Prompt on Delete or Remove Operations
It is possible to have Ubisecure SSO Management, as a precaution to accidental removal, display a confirmation dialog every time object or attribute deletion or removal is initiated. This feature is enabled by opening the ubilogin.properties file from the UBISECURE_HOME/ubilogin/WEB-INF folder and setting the following value:
com.ubisecure.ubilogin.admin.ui.prompt_on_delete=true
This setting will come to effect when the settings are merged into the Ubisecure SSO applications and the application is redeployed to the application server.
Excluding Top-Level Sites from Site Navigator
Top level sites can be explicitly excluded from site navigator from all users including system administrator. This is practical in cases, where the site contains so many sub items (users, applications, groups, etc) that it slows the Management application down.
com.ubisecure.ubilogin.admin.ui.excluded-sites = eIDM Users, eIDM Mandates
Limiting the Number of Results Shown in Lists
The number of results shown in lists of users, groups and applications can be limited to a certain value or disabled.
# list size limit (default is 1500, use 0 to disable limit) com.ubisecure.ubilogin.admin.ui.size-limit = 1500