Mapping certificate identity to Ubisecure Identity - SSO

It is possible to directly map a certificate identity to a local identity in either the Ubisecure Directory or an external LDAP directory. By mapping a certificate identity, the user becomes a registered user which enables fine-grained access control on a per-user basis.
Use of the function requires that each mapped user is a registered user according to the software license agreement.

Creating Directory User Mapping Entries

To map the users, first create a Directory User mapping. The screenshots Figure 1, Figure 2 and Figure 3 illustrate a mapping for HST card users.

Figure 1. A list of the Directory User Mappings. In this chapter there is one entry, labeled 'HST ID', to be used for mapping HST card identities to registered users.

Figure 2. A view of the User Mappings under the Directory User Mapping 'HST ID'. Figure 3 displays the entry in full.

Figure 3 and Figure 4 display two possible directory user mapping entries. The meaning of each field is explained below. Please refer also to the Management user interface - SSO for Directory User Mapping instructions.
If a precondition is defined, it must evaluate successfully before the LDAP search is performed. The precondition syntax is the same as the precondition syntax of method attribute mapping, with one difference in attribute names: an attribute name is written in prefix:name notation, where prefix is one of the following:

  • method
    Attribute name refers to the method attributes. Refer to the authentication method documentation for a list of available attributes for specific authentication methods.
  • subject
    Attribute name refers to the subject attributes. The subject attributes are:
    • format
      Format of username
    • username
      Actual username string
    • namequalifier
      Namequalifier specifying the username namespace

The LDAP URL section of the directory user mapping edit view has the following fields:

  • Server
    The base address of the LDAP server in URI format. Example: ldap://localhost/. The special value ldap:/// defines the LDAP server of the Ubisecure Directory.
  • Distinguished Name
    The name of a directory object
  • Scope
    Search scope. One of base, one, or sub.
    • Base
      The object defined by the Distinguished Name value only.
    • One
      Exactly one level below the object defined by the Distinguished Name.
    • Sub
      Descendants of the object defined by the Distinguished Name, including the object itself.
  • Filter
    LDAP search filter expression. Example: (&(objectclass=ubiloginUser)(mobile={method:mobile})) The LDAP search filter syntax is specified by RFC 2254 (http://www.rfc-editor.org/rfc/rfc2254.txt). Attribute names enclosed in curly braces are replaced with corresponding attribute values before the search. The syntax of attribute names follows the same prefix:name notation as the precondition syntax. An attribute must have exactly one single value or else the search fails.

Figure 3. The editing view of the new Directory User Mapping entry. In this example, we map the certificate policy attribute 'username' to the user attribute 'sn'.

Figure 4. Another possible Directory User Mapping entry where we map the 'satu' attribute provided by the certificate policy to the user's Organization attribute. By doing this, we are utilizing the easily accessible Organization attribute for storing the 'satu' number of the user.

Figure 5. A view of a user configured to work with the mapping entry in Figure 4. In this example, the Organization field contains the user's SATU, which is used to link the information from the card's certificate to this user.

Ensure that the Directory User Mapping is enabled for the appropriate authentication methods. Directory User Mapping is only performed for the authentication methods which have been selected under the Methods tab. In Figure 6, pki.ubilogin.1 is enabled: when a user authenticates using this method, the mapping is performed. In this way the mapping entry acts as a template, and the same mapping may be reused for similar authentication methods where appropriate.

Figure 6. Ensure that the Directory User Mapping is enabled for the appropriate authentication methods.

Figure 7. The active Directory User Mappings for the authentication method will be displayed in the Mappings tab of that authentication method.

Figure 8. The SAML configuration of the certificate authentication method. The Directory LDAP URL should point to the Ubilogin Directory server. The special value ldap:/// shown here refers to the Ubisecure Directory on localhost.