Ubisecure Password method in AD integration - SSO

Ubisecure Password is a web application that provides a user interface for changing and resetting a password. It is included in the Ubisecure SSO Server installation package but needs to be activated before use.

The password reset application is shown below.

Figure 1. Password Reset Application

The password change application requires user login using an existing authentication method.

Ubisecure Password requires that the AD password authentication method has been installed. Please make sure that the AD password authentication method works before proceeding to the Ubisecure Password installation.

Ubisecure Password SP activation

First install the UAS SAML metadata by selecting the [SAML 2.0] link on the Ubisecure Server Management front page. Save the metadata file in the directory
ubilogin-sso/ubilogin/webapps/password/WEB-INF/saml2/sp/metadata.

Figure 2. Select SAML 2.0 to save IDP metadata file.

Then generate the SP identity and metadata. Use your publicly visible hostname in the URL parameter of the Generate command.

Listing 2. Generate SAML SP identity and metadata (in Windows use '\' instead of '/')
ubilogin-sso> java/bin/java -jar ubilogin/webapps/password/WEB-INF/lib/ubisaml2.jar Generate https://idp.example.com/password/spsso -y -o ubilogin/webapps/password/WEB-INF/saml2/sp
ubilogin-sso> java/bin/java -jar ubilogin/webapps/password/WEB-INF/lib/ubisaml2.jar Metadata ubilogin/webapps/password/WEB-INF/saml2/sp -f password.xml

In Ubisecure Server Management, select System → Password → Applications → Password → Activate. Then upload the generated ubilogin-sso/password.xml file.

Figure 3. Select Activate to upload SAML Metadata of the Password application

Configure mail settings

Ubisecure Password sends email when performing a password reset. Mail settings are configured in the ubilogin-sso/ubilogin/webapps/password/WEB-INF/web.xml file. Uncomment the context-param elements whose param-names are mail.smtp.host and mail.smtp.from, and edit the param-values according to your environment.

Listing 3. Excerpt from ubilogin-sso/ubilogin/webapps/password/WEB-INF/web.xml
    <context-param>
        <param-name>mail.smtp.host</param-name>
        <param-value>smtp-gw.example.com</param-value>
    </context-param>
    <context-param>
        <param-name>mail.smtp.from</param-name>
        <param-value>password@example.com</param-value>
    </context-param>


Enable access to Ubisecure Password

  • In Ubisecure Server Management, navigate to the Password site: select System → Password
  • Add the password.ad.1 authentication method to the site: select Site Methods → Add… → password.ad.1 → OK
  • Add AD users to the Password Users group by using the dynamic members functionality. (The following configuration is just an example. You will probably have a more detailed definition for the included users.)

Select Groups → Password Users → Dynamic Members → Add

    • Server: ldaps://ad.example.com/
    • Distinguished Name: dc=ad,dc=example,dc=com
    • Attributes: <empty>
    • Scope: sub
    • Filter: (objectClass=person)
    • Extensions: <empty>


See Figure 4 and Figure 5 below for examples.

Figure 4. The group Password Users defines which users can change their password

Figure 5. Add AD Users to the Password Users group using Group Dynamic Members

  • Enable the password.ad.1 authentication method for the Password web agent: select the site Password → Applications → Password → Allowed Methods → password.ad.1 → Update

Enable Password web application

Remove the file ubilogin-sso/tomcat/conf/Ubilogin/idp.example.com/password.xml. Then run the update:

Listing 4. Update Ubisecure Server in Windows
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin> config\tomcat\update.cmd
Listing 5. Update Ubisecure Server in Linux
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server stop
/usr/local/ubisecure/ubilogin-sso/ubilogin# ./config/tomcat/update.sh
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server start

Password application user interface customization

All user interface text, including the text of emails sent to users, is configured in the application's resource files using a text editor. The keys are self-explanatory and default texts are provided.

Listing 6. User interface and email message customization for Password application
ubilogin\webapps\password\WEB-INF\classes\resources_en.properties
ubilogin\webapps\password\WEB-INF\classes\resources_fi.properties
ubilogin\webapps\password\WEB-INF\classes\resources_sv.properties

The use of CSS style sheets is currently not supported. Further user interface style changes, including references to style sheets, require minor modifications to the following files:
ubilogin\webapps\password\WEB-INF\jsp*
Any change to the above files must be followed by the update command as described below:

Listing 7. Update Ubisecure Server in Windows
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin> config\tomcat\update.cmd


Listing 8. Update Ubisecure Server in Linux
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server stop
/usr/local/ubisecure/ubilogin-sso/ubilogin# ./config/tomcat/update.sh
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server start

Linking to the Password application

For password change, direct the user to the following link. Locale is optional but desirable.

https://idp.example.com/password/change?locale=fi


For password reset, you must specify in the link which method the user is resetting. Locale is optional but desirable.

https://idp.example.com/password/reset?method=password.ad.1&locale=fi

Links can be added to the Ubisecure SSO user interface using the *LINKS settings described in Login screens - SSO.

Password application audit log

The audit log is written by default to

ubilogin/tomcat/log/localhost.YYYY-MM-DD.log

The log records all password reset and change actions and failures.

Listing 9. Password change/reset audit log example
INFO: [INFO] Audit
2012-02-23T13:29:36.191Z [195.197.211.20] mail-fail 23423 reset.account.not-found

23.2.2012 15:29:47
org.apache.catalina.core.ApplicationContext log
INFO: [INFO] Audit
2012-02-23T13:29:47.574Z [195.197.211.20] mail-fail CN=Keith Uber,OU=Users,OU=Ubisecure,OU=Production,CN=Ubilogin,DC=demo,DC=ubisecure,DC=com reset.mail.invalid

23.2.2012 15:29:57
org.apache.catalina.core.ApplicationContext log
INFO: [INFO] Audit
2012-02-23T13:29:56.596Z [195.197.211.20] mail-sent CN=Keith Uber,OU=Users,OU=Ubisecure,OU=Production,CN=Ubilogin,DC=demo,DC=ubisecure,DC=com keith.uber@ubisecure.com

23.2.2012 15:34:11
org.apache.catalina.core.ApplicationContext log
INFO: [INFO] Audit
2012-02-23T13:34:11.083Z [195.197.211.20] reset-success CN=Keith Uber,OU=Users,OU=Ubisecure,OU=Production,CN=Ubilogin,DC=demo,DC=ubisecure,DC=com
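The following script is an added example, not part of the Ubisecure documentation or product: it parses audit lines in the Listing 9 layout and flags client addresses that produce a run of mail-fail events, the pattern a defender would want to alert on. The sample log, IPs, names and the assumption that the trailing detail field never contains spaces are the example's own.

```python
import re
from datetime import datetime

# Constructed sample in the Listing 9 layout (a Tomcat header line, then one audit line per
# action: "<UTC time> [<client IP>] <event> <subject> [<detail>]"); IPs and names are made up.
SAMPLE_LOG = """\
INFO: [INFO] Audit
2012-02-23T13:29:36.191Z [203.0.113.7] mail-fail 23423 reset.account.not-found
2012-02-23T13:30:02.004Z [203.0.113.7] mail-fail 23424 reset.account.not-found
2012-02-23T13:30:40.310Z [203.0.113.7] mail-fail 23425 reset.account.not-found
2012-02-23T13:29:47.574Z [203.0.113.9] mail-fail CN=Jane Doe,OU=Users,DC=example,DC=com reset.mail.invalid
2012-02-23T13:29:56.596Z [203.0.113.9] mail-sent CN=Jane Doe,OU=Users,DC=example,DC=com jane.doe@example.com
2012-02-23T13:34:11.083Z [203.0.113.9] reset-success CN=Jane Doe,OU=Users,DC=example,DC=com
"""

AUDIT_RE = re.compile(r"^(\S+Z) \[([^\]]+)\] (\S+)(?: (.*))?$")
DETAIL_RE = re.compile(r"[a-z]+(\.[a-z-]+)+")  # reason codes such as reset.account.not-found

def split_subject(rest):
    # The subject may be a DN containing spaces, so the optional trailing detail (reason code
    # or destination email address) is recognised by shape. Assumption: the detail has no spaces.
    if " " in rest:
        head, tail = rest.rsplit(" ", 1)
        if "@" in tail or DETAIL_RE.fullmatch(tail):
            return head, tail
    return rest, None

def parse_audit(text):
    # One dict per audit line; Tomcat's own header lines do not match and are skipped.
    events = []
    for m in filter(None, map(AUDIT_RE.match, text.splitlines())):
        ts, ip, event, rest = m.groups()
        subject, detail = split_subject(rest or "")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append({"time": when, "ip": ip, "event": event, "subject": subject, "detail": detail})
    return events

def noisy_reset_sources(events, window_minutes=5, threshold=3):
    # Client IPs with >= threshold mail-fail events inside any window_minutes span (reset probing).
    by_ip = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event"] == "mail-fail":
            by_ip.setdefault(e["ip"], []).append(e["time"])
    flagged = {}
    for ip, times in by_ip.items():
        runs = [sum((t - s).total_seconds() <= window_minutes * 60 for t in times[i:])
                for i, s in enumerate(times)]
        if max(runs) >= threshold:
            flagged[ip] = max(runs)
    return flagged
```

Run it over a copy of localhost.YYYY-MM-DD.log in place of SAMPLE_LOG; the subject of a mail-fail with reset.account.not-found is the typed account identifier, not a DN, because no directory entry was matched.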