External directory integration - SSO

Introduction

NOTE: Ubisecure product names were unified in autumn 2011. All products whose names started with the term "Ubilogin" were renamed to start with the term "Ubisecure". In the documentation this name change is applied retroactively, i.e., the new naming is also used when referring to old software versions that started with the term "Ubilogin" at the time of their release.

This page introduces the Ubisecure External Directory Integration feature and the alternative ways to implement it. There is a separate page for each implementation alternative, describing the installation and configuration of that specific alternative.

The different alternatives for user directory integrations are:

  • Ubisecure's built-in UbiloginDirectory
  • Basic LDAP Integration
  • Schema Enhanced LDAP Integration
  • Active Directory Integration
  • SQL Integration

In Ubisecure terminology the chosen directory is also called the External Directory, because a Ubisecure Single Sign-On installation usually implements only a single integration alternative.
UbiloginDirectory refers to Ubisecure SSO's own LDAP directory, which contains both configuration data and local user information.

The concept

External Directory Integration is a very powerful feature and certainly welcome in most network domains, where user management is already centralized in Active Directory, LDAP or SQL. The Ubisecure Authentication Server has a read-only or read/write LDAP, LDAPS or JDBC connection to the external directory. In the Active Directory and Basic LDAP cases no LDAP schema changes are needed in the external directory. However, a schema enhancement enables configurable password policies where those are required.

Figure 1. Ubisecure External Directory Integration architecture overview

Password policies

Passwords are an inherently weak method of authentication. Password security can be improved by using password policies to govern their use. Ubisecure SSO implements password policies and benefits from password policies of connected third-party directories where possible.

Password policies

  • help to prevent password guessing
    • accounts are locked after a given number of incorrect attempts
    • support effort is minimized by locking the account only for a specified time period, after which the lock is removed automatically. This also reduces the risk of a malicious denial of service against a specific user account caused by deliberately entering wrong passwords to trigger a lockout.
  • help to ensure strong passwords are used
    • password length rules ensure that passwords have a certain minimum length
    • password complexity rules ensure that passwords are adequately complex (contain special characters, numbers and symbols)
  • ensure that passwords are changed regularly
    • to prevent a compromised password from being misused for a long time period, users must change their passwords at regular intervals
  • ensure that passwords are not reused or recycled
    • a history of past password hashes can be maintained to prevent the same password from being reused; the number of passwords kept in the history is configurable
    • limits on how soon a password can be changed after it has been set prevent the above rule from being easily circumvented

The balance between information security and usability is a matter of policy. The above parameters are configurable so that a policy matching the needs of the implementation can be found.

Where passwords alone are inadequate, the same username and password can be combined with two-factor authentication (SMS, OTP or Mobile PKI). Different parts of a system can be set to require strong or weak authentication, and authentication methods can be classified and ordered according to strength.

Implementation alternatives

Below is a description of each implementation alternative of the External Directory Integration feature. It is also possible to use multiple alternatives, or multiple external directory sources with the same alternative.

Ubisecure basic LDAP integration

The most basic implementation alternative is Ubisecure Basic LDAP Integration. In this case the Ubisecure SSO Server does not need write permissions to the external directory, and no schema changes are necessary. The connection to the external directory is either LDAP or LDAPS. An LDAP simple bind is used to verify the user credentials.

The Ubisecure Basic LDAP Integration alternative does not support any password policies. If password policies are required, this alternative is not suitable.

Ubisecure schema enhanced LDAP integration

The Ubisecure Schema Enhanced LDAP Integration alternative extends the Ubisecure Basic LDAP Integration alternative with password policies. To enable this, a schema enhancement is required in the external directory, and the Ubisecure SSO Server also starts writing to the external directory. The connection to the external directory is either LDAP or LDAPS.

External directory password policies allow the administrator to specify a maximum number of bad logins, validity periods for external accounts, a maximum password age, and other settings.
A password policy changes the UAS (Ubisecure Authentication Server) functions as follows:

  1. Passwords of external directory users can be set to expire, and users can change their passwords from UAS according to the configured policies, such as minimum length and complexity.
  2. User accounts can be locked for a predefined time interval after a certain number of failed logins.
  3. User accounts can be set to be enabled and disabled at predefined dates and times.
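The policy rules listed in the Password policies section above and the three changes listed here, worked through as an added Python example (not Ubisecure's code): the parameter names, the status strings and the SHA-256 stand-in for the directory's password storage format are assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
@dataclass
class PasswordPolicy:                        # hypothetical names for the configurable items above
    max_failed_attempts: int = 5             # lock the account after this many bad logins
    lockout_duration: timedelta = timedelta(minutes=15)  # the lock is then released automatically
    min_length: int = 12
    history_size: int = 5                    # number of past password hashes remembered
    min_age: timedelta = timedelta(days=1)   # earliest allowed change after a password is set
    max_age: timedelta = timedelta(days=90)  # the password expires after this

@dataclass
class Account:
    password_hash: str
    password_set_at: datetime
    history: list = field(default_factory=list)  # previous hashes, oldest first
    failed_attempts: int = 0
    locked_until: datetime = None                # None when not locked
    valid_from: datetime = None                  # enable/disable dates of the account
    valid_to: datetime = None

def hash_password(pw):   # constructed stand-in for the directory's password storage format
    return hashlib.sha256(pw.encode()).hexdigest()
def check_login(acct, pw, policy, now):      # -> 'disabled', 'locked', 'bad_password', 'expired' or 'ok'
    if (acct.valid_from and now < acct.valid_from) or (acct.valid_to and now > acct.valid_to):
        return "disabled"
    if acct.locked_until and now < acct.locked_until:
        return "locked"                      # a lock whose period has passed no longer applies
    if hash_password(pw) != acct.password_hash:
        acct.failed_attempts += 1
        if acct.failed_attempts >= policy.max_failed_attempts:
            acct.locked_until, acct.failed_attempts = now + policy.lockout_duration, 0
        return "locked" if acct.locked_until and now < acct.locked_until else "bad_password"
    acct.failed_attempts = 0
    return "expired" if now - acct.password_set_at > policy.max_age else "ok"

def change_password(acct, new_pw, policy, now):  # -> None when stored, else the rejection reason
    if now - acct.password_set_at < policy.min_age:
        return "too_soon"                    # stops cycling through the history to reuse a password
    if len(new_pw) < policy.min_length:
        return "too_short"
    if not all(re.search(c, new_pw) for c in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")):
        return "not_complex"                 # lower, upper, digit and symbol must all be present
    h = hash_password(new_pw)
    if h == acct.password_hash or h in acct.history:
        return "reused"                      # history is already bounded to history_size entries
    acct.history = (acct.history + [acct.password_hash])[-policy.history_size:]
    acct.password_hash, acct.password_set_at = h, now
```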

Ubisecure Active Directory integration

The Ubisecure Active Directory Integration alternative is an Active Directory specific implementation that enables password policies without schema changes when the Active Directory default schema is used. In this case the Ubisecure SSO Server requires read/write access to the Active Directory, implemented over an LDAPS connection.

When using this implementation alternative, most of the password policy settings are configured on the Active Directory side rather than on the authentication method in the Ubisecure SSO Server.

Ubisecure SQL integration

The Ubisecure SQL Integration alternative handles integration with SQL-based databases. In this alternative, password policies are supported via Ubisecure specific tables or views in the SQL database. The read/write connection to the SQL database is made via JDBC.

SQL External Directory Integration supports checking the user's approval status of Terms of Service documents during login.

Feature comparison

Supported features by implementation alternative (footnote numbers in square brackets refer to the notes below the table):

Feature                                                                    | UbiloginDirectory | Basic LDAP | Schema LDAP | Active Directory | SQL
---------------------------------------------------------------------------|-------------------|------------|-------------|------------------|---------------------------------
Connection Protocol                                                        | LDAP              | LDAP       | LDAP        | LDAPS            | JDBC
Connection Type                                                            | Read/Write        | Read-only  | Read/Write  | Read/Write       | Read/Write
SSL                                                                        | Optional          | Optional   | Optional    | Mandatory        | JDBC driver implements encryption
Changes to the External Directory structure required                       | No                | No         | Yes         | No               | Yes
Support for password strength policies                                     | Yes               | No [6]     | Yes         | Yes              | Yes
Password authentication method support                                     | Yes               | Yes        | Yes         | Yes              | Yes
SMS authentication method support                                          | Yes               | Yes        | Yes         | Yes              | Yes
MPKI authentication method support [3]                                     | Yes               | Yes        | Yes         | Yes              | Yes
OTP authentication method support                                          | Yes               | No [1]     | No [1]      | Yes              | No [1]
OTP List Server support                                                    | No [1]            | No [1]     | No [1]      | Yes              | No [1]
Password Change using Password Application                                 | Yes               | Yes        | Yes         | Yes              | Yes
Password Reset by email using Password Application                         | Yes               | Yes        | Yes         | Yes              | Yes
Password expiration policy and ability to change password during login [4] | Yes               | No [2]     | Yes         | Yes              | Yes
Password Lockout policy support                                            | Yes               | Yes [5]    | Yes         | Yes              | Yes
Terms of Service Support                                                   | No [1]            | No         | No [1]      | No [1]           | Yes

  1. Support can be implemented on demand.
  2. The password will expire in external LDAP cases, but due to protocol limitations no notification of the pending expiry or of an expired password can be given.
  3. Registered user use case: the user first enters user name and password. If they are correct, the user's mobile phone number is retrieved from the user account in the directory used for authentication.
  4. In all cases, the password validity time must be specified in the password policy settings.
  5. Requires that the LDAP directory in use is configured for account lockout over LDAP Bind. This configuration is made in the external LDAP directory.
  6. Not supported due to a technical protocol limitation.

Authentication methods

The Ubisecure External Directory Integration feature enables several types of authentication methods that utilize information found in the external directory.

Password method

The simplest external directory specific authentication method is the external directory password authentication method. Both the user login name and the user password are stored in the external directory, and the user input is compared to those values. The format in which user passwords are stored depends on configuration settings.

Password policies are also supported in some of the implementation alternatives.

OTP method

A somewhat more advanced type of external directory authentication method is the external directory one-time password authentication method. It uses essentially the same information from the external directory as the password method, because the user login name and password are checked first; in addition, a one-time password is required before the user is granted access to the requested resource.

Usually this one-time password list is stored in the Ubisecure Directory rather than in the external directory, in order to minimize the changes required in the external directory.

When the password list is initialized it can be sent to the user via email, and this email address may be read from the external directory.

SMS method

The external directory SMS authentication method is quite similar to the OTP method, because it also first checks the login name and password pair and then requires an additional one-time password. However, in this case there is no predetermined one-time password list: a separate one-time password is generated for each authentication attempt and sent via SMS to the user's mobile phone.

The external directory needs to contain the user's login name, password and mobile phone number for this authentication method to work.

MPKI method

The Mobile PKI method first requires the user to validate their username and password. If these are correct, the user's MSISDN is fetched from the user directory and used for the authentication request to the Mobile PKI provider. All username- and password-related checks and management tasks are performed before the authentication request is sent to the Mobile PKI provider.
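The OTP, SMS and MPKI flows described above, modelled as an added Python example that is not Ubisecure's code: the attribute names, the in-memory stand-ins for the external directory and the Ubisecure Directory, and the status strings are assumptions made for the example, and the exchange with the Mobile PKI provider itself is not modelled.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class ExternalUser:          # constructed stand-in for the attributes read from the external directory
    login: str
    password: str            # plain text only for this offline example
    email: str = ""          # OTP method: address the initialized list is mailed to
    mobile: str = ""         # SMS and MPKI methods: the user's MSISDN

@dataclass
class SsoStore:              # constructed stand-in for the Ubisecure Directory, which holds the OTP
    otp_lists: dict = field(default_factory=dict)  # lists and pending challenges, so the external
    pending: dict = field(default_factory=dict)    # directory itself needs no changes

def start_login(method, user, store, login, password):
    """Step 1: check login name and password; only then issue the second-factor challenge."""
    if user.login != login or not secrets.compare_digest(user.password, password):
        return "rejected"                 # nothing is issued or sent before the password check passes
    if method == "OTP":
        codes = store.otp_lists.get(login, [])
        if not codes:
            return "no_otp_list"
        store.pending[login] = ("OTP", codes.pop(0))   # each list entry is used exactly once
        return "enter_otp"
    if method == "SMS":
        if not user.mobile:
            return "no_mobile_number"
        store.pending[login] = ("SMS", f"{secrets.randbelow(10**6):06d}")  # fresh code per attempt
        return f"sms_sent:{user.mobile}"  # the code travels out of band, never back to the browser
    if method == "MPKI":
        if not user.mobile:
            return "no_mobile_number"
        return f"mpki_request:{user.mobile}"   # the Mobile PKI provider completes this step
    raise ValueError(f"unknown method {method}")

def finish_login(store, login, response):
    """Step 2 for OTP and SMS: compare the response with the single-use pending challenge."""
    pending = store.pending.pop(login, None)   # pop: a challenge cannot be answered twice
    if pending is None:
        return "no_pending_challenge"
    return "ok" if secrets.compare_digest(pending[1], response) else "rejected"
```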

Security considerations

Note that information exchanged over LDAP is transmitted by a protocol that is susceptible to eavesdropping and tampering unless it is encrypted. It is strongly advised to use SSL encryption (LDAPS) for the LDAP connection when accessing confidential information.

For SQL integration, transport security is provided by the JDBC driver. Refer to the JDBC driver vendor's documentation for security configuration information.