Management UI Mappings - SSO
Mappings are used to manually map a Ubisecure user's user id to a user id required by an application. For example, if user "John Doe" in Ubisecure SSO requires access to various existing applications. In his CRM application, the name must be in the form "jdoe", and in a legacy ERP application his name is "u44342".
|
|---|
| Figure 1: User Mappings |
An example of mappings defined for a user across multiple applications is shown in Figure 1. From the example, when user3 accesses the:
- CRM application, their identity will be sent in LDAP DN format
- HR application, their identity will be sent in email address format
- ERP application, their identity will be sent in windows DOMAIN\shortname format
Once a table of mappings has been defined, it may be assigned to one or more Web Applications.
It is also possible to perform user name mappings using the Authorization Policy function. Use an Authorization Policy to use an existing user attribute as a username (for example, email address or employee number), or even use a common user name for all users of a specific group. Please refer to page Authorization for more information.
The first view of Mappings (Figure 2) presents all mapping tables in the selected site.
|
|---|
| Figure 2. Mapping tables on the selected site |
- Mapping item
Click mapping name, site or description to edit the mapping. - New Mapping
Create a new mapping. - Delete Mapping / Check box
Select mappings with checkboxes and click "Delete Mapping" to delete the selected mappings.
Mapping
The main view of a mapping object is presented in Figure 3.
|
|---|
| Figure 3: The main view of a mapping object |
- Name
Descriptive identifier for this Mapping configuration - NameID Format
- Ubisecure User Mapping
Execute a manual user mapping as specified in the Users tab. The mapped value will be sent as the NameID. - Persistent ID (XML ID format)
Send a Persistent ID to the target application. - Persistent ID (UUID format)
Send a Persistent ID to the target application. - Transient ID
Send a Transient ID to the target application. - OAuth Refresh Token
Send an OAuth Refresh Token to the target application.
- Ubisecure User Mapping
- Affiliation ID (SPNameQualifier)
Set SPNameQualifier of SAML assertions to selected Applications. Optional. In most cases leave blank. - Platform
This field is for administrators to keep notes related to this configuration. This field is informative only and does not affect system functionality. Optional. - Description
This field is for administrators to keep notes related to this configuration. Complete a meaningful description explaining who has made the configuration and why. Reference other system documentation if appropriate. This field is informative only and does not affect system functionality. Optional. - Update
Update the edited fields - New
Create a new mapping table - Delete
Delete this mapping table - Rename
Rename this mapping table
Users
The Users view (Figure 4) presents all user mappings in this mapping table. In this example, the user named user3 will have the name "CN=John Smith,OU=CRM Users,CN=crm,DC=example,DC=com" when accessing the Applications of the mapping (specified in Figure 5). Without a name policy, by default, the user's location in the Ubisecure Directory is sent as the NameID.
The mapped name can be in any format expected by the target application: LDAP distinguished name, windows shortname, email address. Different users can also be mapped to the same user in the target system.
|
|---|
| Figure 4: User mapping(s) in this mapping table |
- User
Click user Name or Site to edit the user object - Mapped name / Update
Edit this field to provide a different user name for the selected agent(s). Click "Update" to save changes. - Add
Add a new user mapping. - Remove
Remove the selected user mapping(s)
Multiple users can be added using the "Add…" function. All added names can then be edited in a convenient list format.
Applications
The Applications view (Figure 5) specifies with which applications the mapped name(s) will be used.
If you link mapping to more than one application, then all these applications will receive the same persistentId. Generally each application should have its own persistentId mapping.
In the example, the CRM mapping will be used by the test and production CRM applications, as well as the CRM Help System.
|
|---|
| Figure 5: The list of agents that the mapped names will be provided for |
- Application
Click the application name, site, status or type to open and edit the application configuration - Add
Add a new application to the selected mapping table - Remove
Remove the selected application(s) from this mapping table