Backchannel Authentication Adapter - SSO

Introduction

This documentation describes the requirements and tasks for installing and configuring the Ubisecure Backchannel Authentication Adapter (UBAA) authentication method in Ubisecure SSO.

The result of the installation described in this document is a working UBAA authentication method.

Ubisecure Backchannel Authentication Adapter Overview

The protocol used by UBAA is based on the specification openid-connect-modrna-client-initiated-backchannel-authentication-1_0.

The picture below shows the authentication sequence, in which the authentication starts from a user agent that sends an authentication request to SSO. SSO then initiates the authentication with UBAA by sending a Backchannel Authentication Request.

  1. SSO sends Backchannel Authentication Request to the UBAA.
  2. UBAA sends Authentication Request to a 3rd party Authentication Provider.
  3. The 3rd party AP handles the authentication by pushing an authentication request to the user's mobile device.
  4. After the authentication is successful, the 3rd party AP returns the Authentication Response.
  5. SSO receives id_token as the Token Response for the latest Token Request.
    1. Note that while the authentication request was being processed during steps 2 to 5, SSO Server kept polling the UBAA for the authentication status and received status authentication_pending until now.
  6. SSO responds with the authentication result.

Before Installation

System requirements

  • Ubisecure SSO 8.3 or later
  • Ubisecure Authentication Adapter

Installation of the Authentication Adapter is not covered in this document. Note also that Ubisecure SSO requires the UBAA instance to be reachable from the SSO server instance, because the authentication is based on backchannel communication between SSO and the Authentication Adapter.

Installation

This chapter goes through the installation process for UBAA in SSO Management.

Preparation

For installation, you need to get the following from the UBAA:

  • Authentication Adapter Metadata
    • The standard URL path is /.well-known/openid-configuration, for example https://ap.example.com:8443/ciba/.well-known/openid-configuration
  • Authentication Adapter JWKS
    • The URL for this is advertised in the jwks_uri claim of the Provider Metadata.
  • Client Identifier - client_id
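Before uploading these, it is worth sanity-checking them. The following is an added Python preflight, not part of the Ubisecure product or of this documentation: it checks that the Provider Metadata advertises https endpoints on the same host as the issuer and supports private_key_jwt, and that the JWKS contains only public keys with a kid. The metadata and JWKS below are constructed samples; only the host ap.example.com comes from this page, and the endpoint paths and key values are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample Provider Metadata and JWKS shaped like what a UBAA instance
# might publish. Host from the page; paths, kid and key values are made up.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://ap.example.com:8443/ciba",
    "backchannel_authentication_endpoint": "https://ap.example.com:8443/ciba/bc-authorize",
    "token_endpoint": "https://ap.example.com:8443/ciba/token",
    "jwks_uri": "https://ap.example.com:8443/ciba/jwks",
    "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic"],
})
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "ap-key-1", "use": "sig", "n": "placeholder-modulus", "e": "AQAB"},
]})

REQUIRED_ENDPOINTS = ("backchannel_authentication_endpoint", "token_endpoint", "jwks_uri")
# JWK members that only ever appear in private keys (RFC 7518 section 6).
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "k"}


def check_provider_metadata(metadata_json, client_auth="private_key_jwt"):
    """Return a list of problems found in the Provider Metadata (empty list = OK)."""
    md = json.loads(metadata_json)
    problems = []
    issuer = urlparse(md.get("issuer", ""))
    if issuer.scheme != "https":
        problems.append("issuer must be an https URL")
    for name in REQUIRED_ENDPOINTS:
        url = urlparse(md.get(name, ""))
        if url.scheme != "https":
            problems.append(f"{name} missing or not https")
        elif url.netloc != issuer.netloc:
            # Sanity check: endpoints pointing at another host deserve a second look.
            problems.append(f"{name} host {url.netloc} differs from issuer host")
    if client_auth not in md.get("token_endpoint_auth_methods_supported", []):
        problems.append(f"token endpoint does not advertise {client_auth}")
    return problems


def check_provider_jwks(jwks_json):
    """Return problems in the JWKS: each key needs kid and kty and must be public-only."""
    keys = json.loads(jwks_json).get("keys", [])
    problems = [] if keys else ["JWKS contains no keys"]
    for i, key in enumerate(keys):
        if not key.get("kid") or not key.get("kty"):
            problems.append(f"key #{i} lacks kid or kty")
        leaked = PRIVATE_MEMBERS & set(key)
        if leaked:  # a provider JWKS must never ship private key material
            problems.append(f"key #{i} carries private members {sorted(leaked)}")
    return problems
```

Run both checks against the real metadata and JWKS you downloaded; an empty list from each means the files are safe to upload in the steps that follow.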

Creating the Authentication Method

Create a new Authentication Method on the Authentication Methods page and select Backchannel Authentication Adapter as the Method Type. After saving, you should be taken to the method's configuration page; you can also reach it by clicking the method in the list.

Under the Backchannel Authentication Adapter tab:

  1. Insert client_id in the Client Identifier field.
  2. Insert private_key_jwt in the Token Endpoint Authentication Method field.
  3. Press the Update button.
  4. Upload the Authentication Adapter Metadata.
    1. Press the Upload button next to label "Provider Metadata:".
    2. Paste the Authentication Adapter Metadata JSON string in the field or upload the file containing it.
    3. Press OK.
  5. Upload the Authentication Adapter JWKS.
    1. Press the Upload button next to label "Provider JWKS:".
    2. Paste the Authentication Adapter JWKS string in the field or upload the file containing it.
    3. Press OK.

Under the Main tab:

  1. Tick Enabled.
  2. Press the Update button.