Ubisecure SSO Management can be customized by enabling confirmation prompt on delete or remove operations and by disabling context menu items.

Disabling context menu items

Context menus can be disabled for Site Managers. Disabling context menus does not affect to System Administrators view. System Administrators have access to all entities in Ubisecure SSO Management application.

Context menu can be disabled on a Site scoped basis. This means, that when Context Menu items are disabled for a particular Site, the changes will also take effect recursively to all child objects in the Site hierarchy. Also, definitions will stack, which means that definitions declared for a parent site will also apply to the site's children, even when they have their own definitions.

Disabling Context Menu items makes it possible to restrict functionality on a single Site or a set of Sites. For example, it is possible to dedicate a site for user management tasks only and have all of the excess functionality removed by defining a ruleset definition for that site.

Figure 1, Figure 2 and Figure 3 illustrate the final result of a customized context menu ruleset.


Figure 1: This Organization Site has only the Site, Group and Users context menus enabled. Only groups and users can be managed at this level.


Figure 2: This Group's Site has only the Site and Groups context menus enabled. Only groups can be managed at this level.


Figure 3: This user's site has only the Site and Users context menus enabled. Only users can be managed at this level.

Defining a ruleset

Rulesets are configured by means of properties files in XML format, where each entry consists of the Site's Distinguished Name as the key and the restricted Context Menu item identifiers as whitespace delimited values.

*Context Menu displayed*	*Identifier*
Site Administrators	site/managedby
Applications	site/agents
Groups	site/groups
Users	site/users
Mappings	site/mappings
Authorization Policies	site/attributes
Site Methods	site/methods

Table 1. Context Menu Items of the Site object

*Context Menu displayed*	*Identifier*
Users	group/users
Groups	group/groups
Dynamic Members	group/memberurl
Attribute Members	group/attributemembers
Member Of	group/memberof
Allowed Applications	group/agents
Allowed Methods	group/methods
Authorization	group/attributes

Table 2. Context Menu Items of the Group object

*Context Menu displayed*	*Identifier*
Users	mapping/users
Applications	mapping/agents

Table 3. Context Menu Items of the Mappings object

*Context Menu displayed*	*Identifier*
Methods	user/methods
Member Of	user/memberof
Mappings	user/mappings

Table 4. Context Menu Items of the User object

Rulesets can only be defined, when it is known what Distinguished Name the target site has – or will have. In an LDAP directory tree, all Site objects are of the objectClass Organizational Unit (OU). The root of Ubisecure Directory is the Common Name (CN) "Ubilogin", followed by a number of Domain Components (DC), which are derived from the uas.url configuration parameter in win32.config file (or unix.config file.)

A Ruleset Example

If the uas.url parameter is in the form of "uas.url=http://www.example.com:8443", then the root of Ubisecure Directory is "cn=Ubilogin,dc=www,dc=example,dc=com".

If a new Site is created in the Site hierarchy called "Sample Site", the distinguished name would be "ou=Sample Site,cn=Ubilogin,dc=www,dc=example,dc=com".

Creating a new Site below the Sample Site, called Users, would have a distinguished name of "ou=Users,ou=Sample Site,cn=Ubilogin,dc=www,dc=example,dc=com". Hiding of the Applications and Methods items from the Context Menu for this Site's main view and additionally hiding the "Dynamic Members" item from the configuration of this Site's group objects is possible by placing the following ruleset.xml file in the UBISECURE_HOME/ubilogin/WEB-INF folder:

Listing 1. UBISECURE_HOME/ubilogin/WEB-INF/ruleset.xml

<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
	<entry key="ou=Users,ou=Sample Site,cn=Ubilogin,dc=www,dc=example,dc=com">
		site/agents site/methods
		group/memberurl
	</entry>
</properties>

Furthermore, the changes will come into effect when the application is redeployed to the application server using the update command.

Listing 2. Update the Ubisecure SSO application and configurations on Windows

cd /d %UBISECURE_HOME%\config\tomcat
update.cmd

Listing 3. Update the Ubisecure SSO application and configurations on Linux

cd $UBISECURE_HOME\ubilogin\config\tomcat
./update.sh

Enabling Confirmation Prompt on Delete or Remove Operations

It is possible to have Ubisecure SSO Management, as a precaution to accidental removal, display a confirmation dialog every time object or attribute deletion or removal is initiated. This feature is enabled by opening the ubilogin.properties file from the UBISECURE_HOME/ubilogin/WEB-INF folder and setting the following value:

Listing 4. Enable confirmation prompt option in UBISECURE_HOME/ubilogin/WEB-INF/ubilogin.properties

com.ubisecure.ubilogin.admin.ui.prompt_on_delete=true

This setting will come to effect when the settings are merged into the Ubisecure SSO applications and the application is redeployed to the application server.

Excluding Top-Level Sites from Site Navigator

Top level sites can be explicitly excluded from site navigator from all users including system administrator. This is practical in cases, where the site contains so many sub items (users, applications, groups, etc) that it slows the Management application down.

Listing 5. Enable top-level site exclusion in UBISECURE_HOME/ubilogin/WEB-INF/ubilogin.properties

com.ubisecure.ubilogin.admin.ui.excluded-sites = eIDM Users, eIDM Mandates

Limiting the Number of Results Shown in Lists

The number of results shown in lists of users, groups and applications can be limited to a certain value or disabled.

Listing 6. Enable confirmation prompt option in UBISECURE_HOME/ubilogin/WEB-INF/ubilogin.properties

# list size limit (default is 1500, use 0 to disable limit)
com.ubisecure.ubilogin.admin.ui.size-limit = 1500

Browser not supported