Windows single node installation - SSO

Steps

Issue all of the following commands in Windows using the Administrator user account.

Install all Windows updates before commencing.

When following the instructions given in this manual, it is advisable to type the commands manually instead of copy/pasting them. This is because sometimes characters may be lost or modified in the copying process.

Check Java and set system wide environment variables

Make sure you have Java installed and JAVA_HOME set according to the Installation requirements.

Unpack the Software

Unzip the Zip archive into the C:\Program Files\Ubisecure folder.

  • Right click on the file ubilogin-sso-8.x.x.xxxx.zip and choose Extract All…

  • Enter the directory C:\Program Files\Ubisecure and click Next.

Modify the Configuration Template

Windows 2012: Open the command prompt using Run as Administrator mode. Administrative rights are required in order to install the required system services. See Figure 1.

Figure 1. Installations must use Run as administrator

Copy the configuration template to the C:\Program Files\Ubisecure\ubilogin-sso\ubilogin folder:

cd "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin"
copy config\win32.config .

Open the win32.config file in a text editor. Modify the publicly visible URL of the Ubisecure SSO deployment, which is set with the key uas.url. If the value is left as localhost, the installation is accessible from the local machine only. The resulting line for uas.url might look like the following:

uas.url = https://sso.example.com:8443

Before saving the changes, modify the additional Accounting Service related settings.

Example of modified Accounting Service related settings:

accounting.url = https://manage.example.com
accounting.proxy.local.url = https://localhost:8442
accounting.datasource.url = jdbc:postgresql://databasehost:5432/accountingdb
accounting.datasource.username = accounting_user
accounting.datasource.password = Wsop%6deE65-_ftl+tY
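
A pre-flight check for the edited win32.config, as an added example that is not part of the Ubisecure documentation or tooling: it parses the key = value lines, flags missing Accounting Service keys, a localhost or non-https uas.url and the sample password shown above, then lists identities other than SYSTEM and Administrators that can access the file, since it holds the database password in clear text. The function names, the rule set, the '#' comment handling and the English account names are assumptions of this example.

```powershell
# Added example; the rules and '#' comment handling are assumptions, not Ubisecure's checks.
function ConvertFrom-KeyValueText([string[]]$Lines) {
    $map = @{}
    foreach ($line in $Lines) {
        $t = $line.Trim()
        $i = $t.IndexOf('=')
        if ($t.StartsWith('#') -or $i -lt 1) { continue }   # skip comments, blanks, junk
        $map[$t.Substring(0, $i).Trim()] = $t.Substring($i + 1).Trim()
    }
    return $map
}

function Test-SsoConfig([hashtable]$Config) {
    $findings = @()
    $required = 'uas.url', 'accounting.url', 'accounting.proxy.local.url',
        'accounting.datasource.url', 'accounting.datasource.username', 'accounting.datasource.password'
    foreach ($key in $required) {
        if ([string]::IsNullOrEmpty($Config[$key])) { $findings += "missing: $key" }
    }
    $uri = $null
    if ([Uri]::TryCreate([string]$Config['uas.url'], [UriKind]::Absolute, [ref]$uri)) {
        if ($uri.Scheme -ne 'https') { $findings += 'uas.url is not https' }
        if ($uri.IsLoopback) { $findings += 'uas.url is localhost: local access only' }
    } elseif ($Config['uas.url']) { $findings += 'uas.url is not an absolute URL' }
    if ($Config['accounting.datasource.password'] -ceq 'Wsop%6deE65-_ftl+tY') {
        $findings += 'accounting.datasource.password is the documentation sample value'
    }
    return $findings
}
# Identities other than SYSTEM/Administrators with an Allow entry (English account names).
function Get-NonAdminAccess([string]$Path) {
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

# Constructed sample input, based on the example values on this page.
$sample = @'
uas.url = https://localhost:8443
accounting.url = https://manage.example.com
accounting.datasource.url = jdbc:postgresql://databasehost:5432/accountingdb
accounting.datasource.password = Wsop%6deE65-_ftl+tY
'@ -split "`r?`n"
@(Test-SsoConfig (ConvertFrom-KeyValueText $sample)) | ForEach-Object { "FINDING: $_" }
$file = 'C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\win32.config'
if (Test-Path -LiteralPath $file) {
    Get-NonAdminAccess $file | ForEach-Object { "ACL: $_ has access to win32.config" }
}
```

To check the real file instead of the sample, pass `Get-Content -LiteralPath $file` to ConvertFrom-KeyValueText.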

Create the configuration files

Create the configuration files with the setup.cmd script:

cd "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin"
.\setup.cmd

New LDAP passwords are generated every time the setup command is executed. For this reason, the secrets.ldif file must be imported to the LDAP directory after running the setup script. After this, the Tomcat update script must be run to have the applications use the new passwords. See SSO Applications Upgrade for more details about the update process.

Install and prepare PostgreSQL

Since SSO version 8.4, the Accounting Service feature requires access to a PostgreSQL database in order to run. If you have already installed Ubisecure CustomerID, you can use the existing PostgreSQL installation, but you need to create a specific database for this purpose. The necessary tables are automatically created during the initial startup of the Accounting Service.

See PostgreSQL preparation on Windows for more information and the steps to complete.

Configure Accounting Service

Before continuing with the installation, which will start the Accounting Service, you need to enter and save the secret key contents in the location referred to by accounting.secret-key-location in win32.config. See Accounting Service security for how the key is used for pseudonymisation. That page contains a suggested script for creating a sufficiently secure secret in the default location.

You may also customise other Accounting Service configuration settings for your needs, which is recommended. See Accounting Service additional configuration for the properties to set.

When customising, edit this file, which is copied from the installation package by the setup script: C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\accounting\config\application.yaml

If the file is not present, copy the default file from this directory: C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config\accounting\config

Install and start Ubisecure Directory

Install ADAM or AD LDS as Ubisecure Directory according to your platform:

  • On Windows 2016 R2 and Windows Server 2019 install AD LDS using Server Manager: Server Manager → Add Roles and Features → Role-based or feature-based installation
     → Next → Select current server → Next → Active Directory Lightweight Directory Services
     → Add Required Features → Include Management Features → Select Features (no changes)
     → Next (click as many times as needed until the Confirmation view is shown) → Confirmation → Install
  • On Windows 10, turn the Active Directory Lightweight Directory Services feature on and configure the UbisecureDirectory instance with the Active Directory Lightweight Directory Services Setup Wizard - enter the same information as in C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap\adam\adaminstall.txt

Now run the adaminstall.cmd script to automatically configure ADAM or AD LDS and start it:

cd "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap\adam"
.\adaminstall.cmd

When installing SSO 8.9.0 or later, import initial key

Server signing and decryption key management was updated for SSO 8.9, and the initial signing and decryption key generated during SSO setup must be imported manually into the new location in Ubilogin Directory.

.\import.cmd ..\initial-key.ldif

Install and start Ubisecure SSO Tomcat and Accounting Service as Windows Services

Run the Tomcat install script to install the Ubisecure SSO Tomcat as a service. Since v. 8.4, the Accounting Service is also installed as a service.

cd "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\config\tomcat"
.\install.cmd

The install script does the following:

  1. Creates a self-signed SSL certificate for test purposes with the configured host name as the subject DN (a.k.a. owner).
  2. Installs the applications in ubilogin/webapps for Ubisecure SSO Tomcat.
  3. Installs Ubisecure SSO as a service.
  4. Copies the Accounting Service configuration settings to the /accounting/config directory.
  5. Installs Accounting Service as a service.
  6. Creates and configures a site named Accounting under System site with an OAuth 2.0 application named Accounting. This application is needed for the secured endpoints to access Accounting Service data. The application is allowed to a group named Accounting Users. The System Administrator user is by default added to this group but you can configure the users otherwise once Ubisecure SSO is running, see SSO Management UI Groups.
  7. Starts Accounting Service.
    1. On the first start, the necessary database tables are created in your database.
    2. If you are doing the initial Accounting Service installation and the service does not start, you may need to change the Accounting Service related settings in the win32.config file before continuing. See Change configuration settings during installation process in Windows. See also Troubleshooting Accounting Service.
  8. Starts Ubisecure SSO.


Accounting Service should always be running before SSO is started; otherwise the SSO log will be filled with errors, although SSO still keeps running if there is enough disk space. If necessary, SSO can recover from an Accounting Service restart without being restarted itself.


Continue on the page Installation finalisation to verify that the installation was successful.