Registration verification to use other external methods than TUPAS - CustomerID

The verification step in registrations can also support external authentication methods other than TUPAS methods. However, using other external authentication methods requires somewhat more extensive configuration than using only TUPAS methods, which for historical reasons are supported a little better out of the box. The configuration for TUPAS methods also provides a good example of how to configure other external authentication methods.

First of all, you need to add the external authentication methods to Ubisecure SSO, either by using the Ubisecure SSO Management or the LDIF import files provided by the Ubisecure SSO installation.

Create a new authentication method using Ubisecure SSO Management.

Go to Methods and press New Method…. Then fill in a Title, Name and Method type, and select Directory as CustomerID Directory. Click OK.

Figure 2, Adding new method.


Next, tick enabled under status and click Update.

On the Ubisecure CustomerID side, add the created external methods to the methods.external property in the eidm2.properties file. Example:

methods.external = external.1


The protection.properties file should have a suitable configuration to be used in the verification step of the registration. Example:

protection.1.methods = external.1
protection.1.sso.template = default
protection.1.customeriduseronly = false


The registration configuration in the eidm2.properties file should point to the above protection configuration. Example:

registration.1 = external
registration.1.enabled = true
registration.1.inviteonly = false
registration.1.verification.protection.configuration = 1
...
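
The settings above refer to each other by configuration number and method name, so a mismatch between eidm2.properties and protection.properties is easy to miss before the restart. The following check is an added example, not part of the Ubisecure product or its documentation; it assumes plain key = value lines, comma-separated method lists, and a protection configuration that lists only external (non-TUPAS) methods as in the examples above. The function and constant names are hypothetical.

```python
import re

# Constructed sample input, using the example values from this page.
EIDM2_SAMPLE = """\
methods.external = external.1
registration.1 = external
registration.1.verification.protection.configuration = 1
"""
PROTECTION_SAMPLE = """\
protection.1.methods = external.1
protection.1.sso.template = default
protection.1.customeriduseronly = false
"""
REG_KEY = re.compile(r"registration\.(\d+)\.verification\.protection\.configuration")

def parse_properties(text):
    """Parse 'key = value' lines; skip blanks, comments and lines without '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def split_list(value):
    # Assumption: several methods are comma-separated (the page shows one value).
    return [item.strip() for item in value.split(",") if item.strip()]

def check_registration_config(eidm2_text, protection_text):
    """Return a list of cross-reference problems between the two files."""
    eidm2, protection = parse_properties(eidm2_text), parse_properties(protection_text)
    external = set(split_list(eidm2.get("methods.external", "")))
    problems = []
    for key, value in sorted(eidm2.items()):
        match = REG_KEY.fullmatch(key)
        if not match:
            continue
        methods = protection.get(f"protection.{value}.methods")
        if methods is None:
            problems.append(f"registration.{match.group(1)}: protection.{value}.methods is not defined")
        for method in split_list(methods or ""):
            if method not in external:
                problems.append(f"registration.{match.group(1)}: {method} is not in methods.external")
    return problems

if __name__ == "__main__":
    print(check_registration_config(EIDM2_SAMPLE, PROTECTION_SAMPLE) or "consistent")
```

An empty result means every registration points at a defined protection configuration whose methods are all listed in methods.external.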


Restart Ubisecure CustomerID:

net stop CustomerID
net start CustomerID

Initialize the Ubisecure CustomerID internal database and repository by running the following commands:

cd "C:\Program Files\Ubisecure\customerid\tools\"
init-customerid-data-storages.cmd


Then jump back to Ubisecure SSO Management and create a group like PendingTupasUser for the new authentication methods. Go to eIDM Groups -> Groups and press New Group…. Then fill in a name and a description for the new group.

Figure 3, New group creation.


Then press OK and the new group will be generated. You should define group membership to be based on the external authentication methods you created previously. Go to the Methods tab of the group and select your external authentication methods. Then press Update.

When you have the group in order, it needs to be allowed for the workflow application object. Go to Home>eIDM Services>Applications>workflow>Allowed To and select Add…. In the popup, select eIDM Groups and then the group you just created. Then press OK. The group will be added to the allowed groups for the application object.

Finally, you should configure the authorization policy used by the workflow application object to contain those attributes you wish to convey to the registration from the external authentication methods. Go to Home>eIDM Services>Authorization>workflow.policy>Attributes and add all the required attribute names. The naming policy is such that user attributes need to have the user. prefix and organization attributes need to have the organization. prefix.