Login screens - SSO

Ubisecure SSO includes several login screens that can be customized using the methods described on this page. The login screens are not visually customized separately, but they are still described briefly on this page because they are also present in the CSS design package and the texts are screen-specific. The screenshots show the text customization keys in place of the actual default texts.

Note: Some of the login screen screenshots read "Identify and authorize. Enable secure business" as a header. The parameterized fields for the header are HEADER_TEXT1 and HEADER_TEXT2.

Menu screen

The menu screen is the default starting screen of the sign-in process. By default it contains an Intro box and a Help box and, depending on the authentication methods available, either a Login box or an External box.
Parameterized fields:

  • MENU_INTRO_TEXT
    • {0} → url (host) of the service the user is trying to access
    • NOTE: This field is used by default
  • MENU_INTRO2_TEXT
    • {0} → url (host) of the service the user is trying to access
    • {1} → name of the service the user is trying to access (Client name is read from agent metadata – OAuth2/SAML2)
    • NOTE: This field is used only if agent metadata contains client name. For OAuth2 agents, the name is set in the client_name value of the metadata. For SAML2 agents, the name is set in the mdui:DisplayName value of the metadata.

Figure 1. Menu Screen with Text Keys

StepUp screen

The step-up screen is used for selecting a suitable authentication method when the normal password authentication method is not strong enough for the service in question.

Figure 2. StepUp Screen with Text Keys

TOTP screen

The TOTP screen is used for giving the one-time password from the TOTP Authenticator application when using the TOTP authentication method.

Figure 3. TOTP Screen with Text Keys

OTP screen

The OTP screen is used for giving the one-time password from the OTP list when using the OTP authentication method.
Parameterized fields:

  • OTP_LOGIN_SEQUENCE
    • {0} → Identifier of the requested one-time password
  • OTP_LOGIN_SEQUENCE_NAME
    • {0} → Identifier of the currently active OTP list
  • OTP_LOGIN_NEXT_SEQUENCE_NAME
    • {0} → Identifier of the currently passive OTP list
  • OTP_LOGIN_REMAINING_PASSWORD_AMOUNT
    • This field has multiple options, some of which are controlled by the otpWarnLimit method configuration string. See the chapter "Additional Configurations" in OTP Printout authentication method - SSO.
    • {0}
      • Number of remaining one-time passwords in the active OTP list when the number remaining is less than otpWarnLimit
      • No text when the number remaining is above otpWarnLimit or otpWarnLimit is not set
      • Informs that there aren't any remaining passwords when all passwords have been used or the user doesn't have any OTP lists associated

Figure 4. OTP Screen with Text Keys

OTP expiring screen

The OTP Expiring screen is used when the user logs in with a one-time password that is expiring.

Figure 5. OTP Expiring Screen with Text Keys

OTP print screen

The OTP Print screen is used for printing and activating new One-time Password lists.
Parameterized fields:

  • OTP_PRINT_LIST_TEXT
    • {0} → OTP List ID


Figure 6.1. OTP Print Screen with Text Keys 

Parameterized fields:

  • OTP_PRINT_LIST_CLOSE
    • {0} → Close


Figure 6.2. OTP Print Screen showing the printable OTP list

SMS screen

The SMS screen is used for giving the one-time password sent to the user's mobile phone when using the SMS OTP authentication method.

Figure 7. SMS Screen with Text Keys

SMS unregistered screen – insert phone number

The SMS screen is used for giving the one-time password sent to the user's mobile phone when using the SMS OTP authentication method.

Figure 8. SMS unregistered phone number entry screen with text keys

Figure 9. SMS unregistered one time password entry screen with text keys

SMTP unregistered screen – insert phone email

The SMTP screen is used for giving the one-time password sent to the user's mobile phone when using the SMTP OTP authentication method.

Figure 10. SMTP unregistered phone number entry screen with text keys

Figure 11. SMTP unregistered phone number entry screen with text keys

Figure 12. SMTP unregistered one time password entry screen with text keys

Password screen

The password screen may also be a starting screen of the sign-in process. It is used as the starting screen when only the password authentication method is available.

  • PASSWORD_INTRO_TEXT
    • {0} → url of the service the user is trying to access
  • PASSWORD_INTRO2_TEXT
    • {0} → url (host) of the service the user is trying to access
    • {1} → name of the service the user is trying to access (Client name is read from agent metadata – OAuth2/SAML2)
    • NOTE: This field is used only if agent metadata contains client name metadata

Figure 13. Password Screen with Text Keys

Password expiring screen

The password expiring screen is used for giving the user the opportunity to change the password that will expire in the near future.

Figure 14. Password Expiring Screen with Text Keys

Password expired screen

The password expired screen is used for forcing the user to change a password that has been expired before giving the user access to the requested service.

Figure 15. Password Expired Screen with Text Keys

ETSI MSS Mobile PKI unregistered screen

The unregistered mobile PKI screen is used for requesting the user's mobile phone number and spam prevention code for MPKI authentication.

Figure 16. Mobile PKI Unregistered Screen with Text Keys


Note that "MPKI_LOGIN_TEXT_NOSPAMCODE" is used instead of "MPKI_LOGIN_TEXT" if the first login without a spamcode has failed, when the method configuration parameter "spamcode_required" is set to "false". In that case the spamcode is also not asked for, and the text field "MPKI_UNREGISTERED_NOSPAMCODE" is not used/visible.

Figure 17. Mobile PKI unregistered screen asking for user's spamcode after a failed attempt without it

Possible error messages:

  • LOGIN_CANCEL: User cancelled the authentication on the mobile phone.
  • LOGIN_EXPIRED: Authentication wasn't finished during the timeout period, which is set in configuration parameter ae.timeout.
  • INVALID_CREDENTIALS: Given spam prevention code is not correct.
  • USER_NOT_FOUND: Given phone number is not valid.
  • EXTERNAL_FAILURE: Unexpected failure occurs.

ETSI MSS Mobile PKI unregistered wait screen

Used when the user has entered a mobile phone number and spam prevention code, and the MPKI authentication is pending.
Parameterized fields:

  • MPKI_LOGIN_WAIT_TEXT
    • {0} → Progress in percent while waiting for MPKI authentication


Figure 18. Mobile PKI Unregistered Wait Screen with Text Keys

Consent screen

The consent screen can be shown if user consent is required for releasing user attributes to an application.
Parameterized fields:

  • CONSENT_INTRO_TEXT
    • {0} → Name of the service the user is trying to access
  • CONSENT_LOGIN_TEXT
    • {0} → Username of the user trying to access the service

Figure 19a. User Consent Screen with Text Keys

Consent With Scopes screen

The Consent With Scopes screen can be shown if user consent is required for releasing user attributes to an OAuth 2.0 application and there are attributes with a scope associated.

Note that the image below shows the text keys for two scope names, example1 and example2, which are SCOPE_EXAMPLE1_TITLE and SCOPE_EXAMPLE2_TITLE respectively (see Scope name internationalization). These keys are shown here only for demonstration purposes and will not be present in your environment unless you have Authorization Policy Items with the scopes "example1" and "example2" set, and an OAuth 2.0 / OIDC request with the scopes "example1" or "example2".

The key CONSENT_SCOPES_LOGIN_ACCEPT_TEXT can be used to set a generic text that is shown every time regardless of the requested scopes, at the same level as the scope names. Generally there is no reason to show such text, so by default it is empty.

Parameterized fields:

  • CONSENT_INTRO_TEXT
    • {0} → Name of the service the user is trying to access
  • CONSENT_SCOPES_LOGIN_TEXT
    • {0} → Username of the user trying to access the service

Figure 19b. User Consent With Scopes screen with Text Keys

Proxy screen

The proxy screen is used as a backup when making an automated redirection to the authentication provider. The redirection can be made manually from this screen.


Figure 21. Proxy Screen with Text Keys

Error screen

The error screen is used for informing the user of certain kinds of errors that mean that the authentication process cannot be continued. In some cases the error screen may automatically redirect to the service if the error can also be transmitted to the service.


Figure 22. Error Screen with Text Keys

Exit screen

The exit screen is used as a backup when making an automated redirection to the service without a successful authentication. The redirection can be made manually from this screen.

Figure 23. Exit Screen with Text Keys

Success screen

The success screen is used as a backup when making an automated redirection to the service after a successful authentication has been performed. By default this screen is shown very briefly and does not require the user to press continue. The redirection can be made manually from this screen.

Figure 24. Success Screen with Text Keys

Generally users are transferred to the service automatically by using JavaScript. In some cases it may be desirable to show further instructions or usage policies and require the user to click a button. Please refer to the page Templates - SSO.

Landing page screen

The landing page screen is used when a request has been made to the authentication server out of context. Usually this means that the user does not have a valid session to which the request would belong.

Figure 25. Landing Page Screen with Text Keys

Logout screen

The logout screen is used for informing the user of the status of the logout procedure.

Figure 27. Logout Proceeding Screen with Text Keys

Figure 28. Logout Completed Screen with Text Keys

Logout error

The logout error screen is displayed in the event of single logout failure. If backchannel logout was used, the URLs of the applications that did not respond or rejected the logout request are listed on the screen to warn the user of logout failure. An example is that the application has stopped responding. In these cases the user should be instructed to close all browser windows to terminate any possible application sessions.
LOGOUT_ERROR_HELP_TITLE = Help
LOGOUT_ERROR_HELP_TEXT = Single logout was not completed successfully. Please logout manually from all individual applications and close all browser windows.
LOGOUT_ERROR_HELP_LINKS =
LOGOUT_ERROR_LOGIN_TITLE = Logout failed
LOGOUT_ERROR_LOGIN_TEXT = Could not complete logout.


Figure 29. Logout Error Screen with Text Keys

Accept terms

This screen will appear if the user has not accepted the current Terms of Use. The user cannot proceed until the checkbox is selected and the next button is pressed.
ACCEPT_TERMS_HELP_TITLE = Help
ACCEPT_TERMS_HELP_TEXT = You must accept Terms of Use before continuing.
ACCEPT_TERMS_HELP_LINKS =
ACCEPT_TERMS_TITLE = Accept terms
ACCEPT_TERMS_TEXT = Accept Terms of Use.
ACCEPT_TERMS_CHECKBOX_TITLE = Accept Terms of Use
ACCEPT_TERMS_NEXT = Continue


Figure 30. Accept Terms Screen with Text Keys
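
A way to check customized texts against the placeholders listed on this page, as an added example that is not part of the Ubisecure documentation or product. It assumes the texts are kept as KEY = value lines as in the Logout error and Accept terms sections; the function names, the sample file and the rule that consent texts must keep {0} are assumptions of this example.

```python
import re

# Placeholder indices each text key supports, as listed on this page.
SUPPORTED = {k: {0} for k in """
MENU_INTRO_TEXT PASSWORD_INTRO_TEXT OTP_LOGIN_SEQUENCE OTP_LOGIN_SEQUENCE_NAME
OTP_LOGIN_NEXT_SEQUENCE_NAME OTP_LOGIN_REMAINING_PASSWORD_AMOUNT OTP_PRINT_LIST_TEXT
OTP_PRINT_LIST_CLOSE MPKI_LOGIN_WAIT_TEXT CONSENT_INTRO_TEXT CONSENT_LOGIN_TEXT
CONSENT_SCOPES_LOGIN_TEXT""".split()}
SUPPORTED.update({"MENU_INTRO2_TEXT": {0, 1}, "PASSWORD_INTRO2_TEXT": {0, 1}})
# Example policy (an assumption, not a product rule): consent texts must keep
# naming the service and the user, so dropping {0} from them is reported.
MUST_KEEP = {"CONSENT_INTRO_TEXT", "CONSENT_LOGIN_TEXT", "CONSENT_SCOPES_LOGIN_TEXT"}
PLACEHOLDER = re.compile(r"\{(\d+)\}")

def parse_texts(text):
    """Parse 'KEY = value' lines; blank lines and # comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries

def lint_texts(text):
    """Return sorted (key, problem) tuples for a customized text file."""
    findings = []
    for key, value in parse_texts(text).items():
        used = {int(n) for n in PLACEHOLDER.findall(value)}
        allowed = SUPPORTED.get(key, set())
        for idx in sorted(used - allowed):
            findings.append((key, f"placeholder {{{idx}}} not listed for this key"))
        if key in MUST_KEEP:
            for idx in sorted(allowed - used):
                findings.append((key, f"missing placeholder {{{idx}}}"))
    return sorted(findings)

# Constructed sample customization, not taken from the product.
SAMPLE = """\
MENU_INTRO_TEXT = Sign in to {1} at {0}
MENU_INTRO2_TEXT = Sign in to {1} ({0})
CONSENT_INTRO_TEXT = Your details will be shared.
LOGOUT_ERROR_LOGIN_TEXT = Could not complete logout.
"""
```

Calling lint_texts(SAMPLE) reports the {1} used in MENU_INTRO_TEXT, which only receives the host as {0}, and the consent intro that no longer names the service.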