Authentication methods for SQL integration - SSO

SQL password method

The SQL password authentication method authenticates a user with a username and password when the credentials are stored in a relational database that can be accessed using SQL. The method also lets the user change an expiring or expired password.

The new authentication method needs to be added to Ubisecure SSO. Open Ubisecure Management with administrative privileges, navigate to Home → Global Method Settings and add the new authentication method there.

Add the following configuration string parameters (the values shown are the defaults or typical starting points; adjust them to your password policy):

policy.password.encoding=SSHA
policy.lockout.threshold=5
policy.lockout.duration=20
policy.password.expiring=36000
policy.password.max-age=43200
policy.password.min-age=30
policy.password.history=5
policy.password.length=8
policy.password.complexity=true
policy.password.charset=utf-8


Configuration / Description

policy.password.encoding
    The password encoding algorithm used for the password hashes stored in the database. Default value is SSHA. OPTIONAL.
    Supported values: BCRYPT, SSHA512, SHA512, SSHA384, SHA384, SSHA256, SHA256, SSHA, SHA, PKCS5S2, PBKDF2-SHA256, PBKDF2, MD4, PLAIN
    Note that PLAIN stores the password unencoded, and, following the usual LDAP naming, the variants without a leading S (SHA, SHA256, ...) and MD4 are unsalted; for new deployments prefer a salted or iterated scheme such as BCRYPT, PBKDF2-SHA256, PKCS5S2 or one of the SSHA variants. The value must match the format in which the existing rows were written, otherwise no user can authenticate.

Settings controlling password threat management:

policy.lockout.threshold
    The number of consecutive wrong passwords a user may enter before the account is locked. The default value is 5 tries. OPTIONAL.

policy.lockout.duration
    The duration of the account lock, in minutes, after too many bad tries. The default value is 20 minutes. A longer lockout duration is usually not recommended. OPTIONAL.

Settings controlling password renewal:

policy.password.expiring
    If the user's password is older than this, the user is offered the chance to change it at login. Setting value is in minutes. OPTIONAL.

policy.password.max-age
    The maximum age for the external directory password. The user is forced to change the password if it is older than this. Setting value is in minutes. OPTIONAL.

policy.password.min-age
    The external directory password cannot be changed again before the password minimum age has passed. Setting value is in minutes. OPTIONAL.

policy.password.history
    How many previous passwords the system remembers. The user cannot change the password back to one of these. OPTIONAL.

Settings controlling password strength:

policy.password.length
    The minimum length of a new password. Setting value is a non-negative number of characters. OPTIONAL.

policy.password.complexity
    If set to true, a new password must contain at least three of the four character types: lower-case letters, capital letters, digits, and other characters. OPTIONAL.

policy.password.charset
    The allowed password characters and the character set used when encoding the password before hashing. Use either ASCII or UTF-8; the default is UTF-8. OPTIONAL.
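To make the policy settings concrete, the following Python script is an added example (not Ubisecure code, and not the SQL directory's own implementation): it produces and verifies password hashes in the default SSHA encoding, applies the length, complexity, charset and history rules from the configuration string above, and models the lockout threshold and duration. It assumes the stored hash uses the LDAP-style {SSHA} layout (base64 of the SHA-1 digest of password||salt followed by the salt); the names POLICY, ssha_encode, ssha_verify, check_new_password, Lockout and authenticate are this example's own.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional

# Values copied from the configuration string above (minutes where noted).
POLICY = {
    "password.encoding": "SSHA",
    "lockout.threshold": 5,
    "lockout.duration": 20,      # minutes
    "password.history": 5,
    "password.length": 8,
    "password.complexity": True,
    "password.charset": "utf-8",
}

SHA1_LEN = 20  # a SHA-1 digest is always 20 bytes; the salt is whatever follows


def ssha_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Return "{SSHA}" + base64(sha1(password || salt) || salt).

    Assumption: the database column holds this LDAP-style string.
    """
    if salt is None:
        salt = os.urandom(8)
    pw = password.encode(POLICY["password.charset"])
    digest = hashlib.sha1(pw + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        return False  # no salt present: malformed row
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    pw = password.encode(POLICY["password.charset"])
    return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)


def check_new_password(candidate: str, previous_hashes: List[str]) -> List[str]:
    """Return the list of policy violations; an empty list means the change is allowed."""
    problems = []
    try:
        candidate.encode(POLICY["password.charset"])
    except UnicodeEncodeError:
        problems.append("contains characters outside " + POLICY["password.charset"])
    if len(candidate) < POLICY["password.length"]:
        problems.append(f"shorter than {POLICY['password.length']} characters")
    if POLICY["password.complexity"]:
        classes = [
            any(c.islower() for c in candidate),
            any(c.isupper() for c in candidate),
            any(c.isdigit() for c in candidate),
            any(not c.isalnum() for c in candidate),
        ]
        if sum(classes) < 3:
            problems.append("fewer than three character classes")
    # Stored hashes are salted, so history must be checked by re-verifying
    # the candidate against each remembered hash, not by comparing strings.
    for old in previous_hashes[-POLICY["password.history"]:]:
        if ssha_verify(candidate, old):
            problems.append(f"reuses one of the last {POLICY['password.history']} passwords")
            break
    return problems


class Lockout:
    """Per-account failed-attempt counter implementing threshold and duration."""

    def __init__(self) -> None:
        self.failures = 0
        self.locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until


def authenticate(state: Lockout, password: str, stored: str, now: datetime) -> str:
    """Return "ok", "bad-password" or "locked".

    A locked account is rejected before the password is checked, so the
    response does not leak whether the password was correct.
    """
    if state.is_locked(now):
        return "locked"
    if ssha_verify(password, stored):
        state.failures = 0
        return "ok"
    state.failures += 1
    if state.failures >= POLICY["lockout.threshold"]:
        state.locked_until = now + timedelta(minutes=POLICY["lockout.duration"])
        state.failures = 0
        return "locked"
    return "bad-password"


if __name__ == "__main__":
    stored = ssha_encode("Correct-Horse9")          # what the SQL row would hold
    print(stored, ssha_verify("Correct-Horse9", stored))
    print(check_new_password("short1A", [stored]))  # too short
    print(check_new_password("Correct-Horse9", [stored]))  # in history
```

The fifth wrong password locks the account for 20 minutes; a correct password during that window is still answered with "locked", and the counter starts again from zero once the lock expires.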

Finishing the installation of an authentication method and driver

To complete the installation of the authentication method, you need to update the Ubisecure Server configuration in Tomcat.

Listing 1. Update Ubisecure Server in Windows
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin> config\tomcat\update.cmd
Listing 2. Update Ubisecure Server in Linux
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server stop
/usr/local/ubisecure/ubilogin-sso/ubilogin# ./config/tomcat/update.sh
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server start

After you have updated Ubisecure Server, check from the diagnostics log that the added authentication method has started properly. The uas3_diag.yyyy-mm-dd.log file is found in the ubilogin-sso/ubilogin/logs directory; the lines to look for are the SQLDirectory line naming the database server and the "started" line for the password.sql method.

Listing 3. Example lines from uas3_diag.log
2010-05-25 09:31:28,332 tech INFO SQLDirectory: directory-spi-sql Microsoft SQL Server 9.00.4053
2010-05-25 09:31:28,332 init INFO password.sql.1: ubilogin.method.provider.spi.DirectoryPasswordMethod: started

Then you can use the Ubisecure Server Management application to enable the SQL-specific authentication method in a Web Application and test the authentication using credentials stored in the SQL database.