Authentication methods for SQL integration - SSO
- Tomi Pelttari
SQL password method
The SQL password authentication method allows you to authenticate with username and password when the credentials are stored in a relational database which can be accessed using SQL. The authentication method allows the user also to change an expiring or expired password.
The new authentication method needs to be added to Ubisecure SSO. Open Ubisecure Management with administrative privileges and navigate to Home → Global Method Settings. The new authentication method should be added there:
|
|---|
Add configuration string parameters:
policy.password.encoding=SSHA policy.lockout.threshold=5 policy.password.duration=20 policy.password.expiring=36000 policy.password.max-age=43200 policy.password.min-age=30 policy.password.history=5 policy.password.length=8 policy.password.complexity=true policy.password.charset=utf-8
| Configuration | Description |
|---|---|
policy.password.encoding | The password encoding algorithm. Default value is SSHA. OPTIONAL. Supported values: SSHA512, SHA512, SSHA384, SHA384, SSHA256, SHA256, SSHA, SHA, PKCS5S2, PBKDF2, MD4, BCRYPT, PLAIN |
| Settings controlling password threat management: | |
policy.lockout.threshold | The number of tries the user can try to enter the wrong password before the account is locked. The default value is 5 tries. OPTIONAL. |
policy.lockout.duration | The duration of account locking after too many bad tries in minutes. The default value is 20 minutes. Usually, a longer lockout duration is not recommended. OPTIONAL. |
| Settings controlling password renewal: | |
policy.password.expiring | If user's password is older than this he/she is given a chance to change the password. Setting value is in minutes. OPTIONAL. |
policy.password.max-age | A maximum age for external directory password. User is forced to change password if his/her password is older than this. Setting value is in minutes. OPTIONAL. |
policy.password.min-age | The external directory password cannot be changed again before password minimum age has passed. Setting value is in minutes. OPTIONAL. |
policy.password.history | How many previous passwords the system remembers. The user can not change his/her password back to a previous one. OPTIONAL. |
| Settings controlling password strength: | |
policy.password.length | A minimum length for the new password. Setting value is a non negative number of characters. OPTIONAL. |
policy.password.complexity | If set to true, the user password has to have at least three of the possible character types: letters, capital letters, numbers, and other characters. OPTIONAL. |
policy.password.charset | Allowed password characters and character set used with password encoding. Use either ASCII or UTF-8, default is UTF-8. OPTIONAL. |
Finishing the installation of an authentication method and driver
To complete the authentication method installations you need to update the Ubisecure Server in Tomcat.
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin> config\tomcat\update.cmd
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server stop /usr/local/ubisecure/ubilogin-sso/ubilogin# ./config/tomcat/update.sh /usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server start
After you have updated Ubisecure Server, check from the diagnostics log that the added authentication methods have started properly. The uas3_diag.yyyy-mm-dd.log file is found in the ubilogin-sso/ubilogin/logs directory.
2010-05-25 09:31:28,332 tech INFO SQLDirectory: directory-spi-sql Microsoft SQL Server 9.00.4053 2010-05-25 09:31:28,332 init INFO password.sql.1: ubilogin.method.provider.spi.DirectoryPasswordMethod: started
Then you can use the Ubisecure Server Management application to enable the SQL specific authentication methods in a Web Application and test the authentication using credentials found in the SQL database.