Ubisecure Password method in AD integration - SSO
Ubisecure Password is a web application that provides a user interface for changing and resetting a password. It is included in the Ubisecure SSO Server installation package but needs to be activated before use.
The password reset application is shown below.
Figure 1. Password Reset Application
The password change application requires user login using an existing authentication method.
Ubisecure Password requires that the AD password authentication method has been installed. Please make sure that the AD password authentication method works before proceeding to the Ubisecure Password installation.
Ubisecure Password SP activation
First install the UAS SAML metadata by selecting the [SAML 2.0] link on the Ubisecure Server Management front page. Save the metadata file in the directory ubilogin-sso/ubilogin/webapps/password/WEB-INF/saml2/sp/metadata.
Figure 2. Select SAML 2.0 to save the IDP metadata file.
Then generate the SP identity and metadata. Use your public visible hostname in the Generate command URL parameter.
ubilogin-sso> $JAVA_HOME/bin/java -jar ubilogin/webapps/password/WEB-INF/lib/ubisaml2.jar Generate https://idp.example.com/password/spsso -y -o ubilogin/webapps/password/WEB-INF/saml2/sp
ubilogin-sso> $JAVA_HOME/bin/java -jar ubilogin/webapps/password/WEB-INF/lib/ubisaml2.jar Metadata ubilogin/webapps/password/WEB-INF/saml2/sp -f password.xml
In Ubisecure Server Management, select System → Password → Applications → Password → Activate. Then upload the generated ubilogin-sso/password.xml file.
Figure 3. Select Activate to upload the SAML metadata of the Password application
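Before uploading password.xml in the Activate step, it is worth confirming that the generated SP metadata really carries the public hostname you passed to Generate and that every endpoint is https: an internal hostname or a plain-http endpoint in this file becomes the assertion consumer URL the IdP sends users to. The script below is an added example and not Ubisecure tooling. SAMPLE_METADATA is a constructed minimal SAML 2.0 SP metadata document using the entity ID from the Generate command above, not the actual output of ubisaml2.jar, and idp.example.com is the hostname assumed throughout this page.

```python
"""Sanity-check SAML 2.0 SP metadata before it is uploaded with Activate.

Added example, not Ubisecure's own tooling. SAMPLE_METADATA is a constructed
minimal SP metadata document; it is not the real output of ubisaml2.jar, only
the standard elements such a file contains.
"""
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample (entity ID as used in the Generate command above).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/password/spsso">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBsampleCertificatePlaceholder</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/password/spsso"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _check_url(label: str, url: str, expected_host: str, problems: List[str]) -> None:
    """Require https and the public hostname on a metadata URL."""
    u = urlparse(url)
    if u.scheme != "https":
        problems.append(f"{label} is not https: {url}")
    if u.hostname != expected_host:
        problems.append(f"{label} host {u.hostname!r} is not the public hostname {expected_host!r}")


def check_sp_metadata(xml_text: str, expected_host: str) -> List[str]:
    """Return a list of findings; an empty list means the file is ready to upload."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("entityID attribute missing")
    else:
        _check_url("entityID", entity_id, expected_host, problems)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        problems.append("no SPSSODescriptor; this is not SP metadata")
        return problems
    # Without this the SP announces that it accepts unsigned assertions.
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        problems.append("WantAssertionsSigned is not true; the SP would accept unsigned assertions")
    if not sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
        problems.append("no X509Certificate in any KeyDescriptor")
    acs = sp.findall("md:AssertionConsumerService", NS)
    if not acs:
        problems.append("no AssertionConsumerService endpoint")
    for a in acs:
        _check_url("AssertionConsumerService Location", a.get("Location", ""), expected_host, problems)
    return problems


if __name__ == "__main__":
    for line in check_sp_metadata(SAMPLE_METADATA, "idp.example.com") or ["metadata OK"]:
        print(line)
```

Run it against the real file with check_sp_metadata(open("password.xml").read(), "idp.example.com"); any finding is a reason to rerun Generate with the correct URL rather than upload the file.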
Configure mail settings
Ubisecure Password uses email when performing the password reset functionality. Mail settings need to be configured in the ubilogin-sso/ubilogin/webapps/password/WEB-INF/web.xml file. Uncomment the context-param elements whose param-names are mail.smtp.host and mail.smtp.from, and edit the param-values according to your environment.
<context-param>
    <param-name>mail.smtp.host</param-name>
    <param-value>smtp-gw.example.com</param-value>
</context-param>
<context-param>
    <param-name>mail.smtp.from</param-name>
    <param-value>password@example.com</param-value>
</context-param>
Enable access to Ubisecure Password
- In Ubisecure Server Management, navigate to the Password site: select System → Password
- Add the password.ad.1 authentication method to the site: select Site Methods → Add… → password.ad.1 → OK
- Add AD users to the Password Users group using the dynamic members functionality. (The following configuration is just an example: in AD, (objectClass=person) also matches computer objects and disabled accounts, so you will probably want a more specific definition of the included users.)
Select Groups → Password Users → Dynamic Members → Add
- Server: ldaps://ad.example.com/
- Distinguished Name: dc=ad,dc=example,dc=com
- Attributes: <empty>
- Scope: sub
- Filter: (objectClass=person)
- Extensions: <empty>
See Figure 4 and Figure 5 below for examples.
Figure 4. The group Password Users defines which users can change their password
Figure 5. Add AD users to the Password Users group using Group Dynamic Members
- Enable the password.ad.1 authentication method for the Password web agent: select the site Password → Applications → Password → Allowed Methods → password.ad.1 → Update
Enable Password web application
Remove the file ubilogin-sso/tomcat/conf/Ubilogin/idp.example.com/password.xml. Then run the update command, which applies the configuration and restarts SSO:
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin> config\tomcat\update.cmd
/usr/local/ubisecure/ubilogin-sso/ubilogin# ./config/tomcat/update.sh
Password application user interface customization
All user interface text, including the text of the emails sent to users, is configured in the application's resource files using a text editor. The keys are self-explanatory and default texts are provided.
ubilogin\webapps\password\WEB-INF\classes\resources_en.properties
ubilogin\webapps\password\WEB-INF\classes\resources_fi.properties
ubilogin\webapps\password\WEB-INF\classes\resources_sv.properties
CSS style sheets are currently not supported. Further user interface style changes, including references to style sheets, require minor modifications to the following files: ubilogin\webapps\password\WEB-INF\jsp*
Any changes to the above files must be followed by the update command as described below:
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin> config\tomcat\update.cmd
/usr/local/ubisecure/ubilogin-sso/ubilogin# ./config/tomcat/update.sh
Linking to the Password application
For password change, direct the user to the following link. Locale is optional but desirable.
https://idp.example.com/password/change?locale=fi
For password reset, you must specify in the link which method the user is resetting. Locale is optional but desirable.
https://idp.example.com/password/reset?method=password.ad.1&locale=fi
Links can be added to the Ubisecure SSO user interface using the *LINKS settings described in Login screens - SSO.
Password application audit log
The audit log is written by default to
ubilogin/tomcat/log/localhost.YYYY-MM-DD.log
The log records all password reset and change actions and failures. Each audit line carries the UTC timestamp, the client IP address in brackets, the event (mail-fail, mail-sent, reset-success), the user identifier or DN and, for mail events, the reason code or the recipient address.
INFO: [INFO] Audit 2012-02-23T13:29:36.191Z [195.197.211.20] mail-fail 23423 reset.account.not-found
23.2.2012 15:29:47 org.apache.catalina.core.ApplicationContext log
INFO: [INFO] Audit 2012-02-23T13:29:47.574Z [195.197.211.20] mail-fail CN=Keith Uber,OU=Users,OU=Ubisecure,OU=Production,CN=Ubilogin,DC=demo,DC=ubisecure,DC=com reset.mail.invalid
23.2.2012 15:29:57 org.apache.catalina.core.ApplicationContext log
INFO: [INFO] Audit 2012-02-23T13:29:56.596Z [195.197.211.20] mail-sent CN=Keith Uber,OU=Users,OU=Ubisecure,OU=Production,CN=Ubilogin,DC=demo,DC=ubisecure,DC=com keith.uber@ubisecure.com
23.2.2012 15:34:11 org.apache.catalina.core.ApplicationContext log
INFO: [INFO] Audit 2012-02-23T13:34:11.083Z [195.197.211.20] reset-success CN=Keith Uber,OU=Users,OU=Ubisecure,OU=Production,CN=Ubilogin,DC=demo,DC=ubisecure,DC=com
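Because the audit entries share the Tomcat localhost log with everything else the container writes, they are easiest to consume with a small parser. The following Python is an added example, not part of Ubisecure SSO: it pulls the audit lines out of that log format and flags a source address that repeatedly triggers reset.account.not-found, which is what probing the reset form for valid usernames looks like. SAMPLE_LOG is constructed to follow the format shown above with fictional users and addresses; the event names and reason codes are the ones in the sample, and treating the last field of a mail-fail or mail-sent entry as the reason code or recipient address is an assumption about that format.

```python
"""Parse Ubisecure Password audit entries out of the Tomcat localhost log and
flag abuse of the reset form.

Added example, not part of Ubisecure SSO. SAMPLE_LOG is constructed in the
format shown on the page; the assumption that the last field of a mail-fail /
mail-sent entry is the reason code or recipient is an assumption about it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

AUDIT_RE = re.compile(
    r"^INFO: \[INFO\] Audit (?P<ts>\S+) \[(?P<ip>[^\]]+)\] (?P<event>\S+)(?: (?P<rest>.*))?$"
)
# Events whose last space-separated field is a detail (reason code or address).
TRAILING_DETAIL = {"mail-fail", "mail-sent"}

# Constructed sample: Tomcat writes a header line before each audit line.
SAMPLE_LOG = """\
23.2.2012 15:29:36 org.apache.catalina.core.ApplicationContext log
INFO: [INFO] Audit 2012-02-23T13:29:36.191Z [203.0.113.5] mail-fail jsmith reset.account.not-found
23.2.2012 15:29:41 org.apache.catalina.core.ApplicationContext log
INFO: [INFO] Audit 2012-02-23T13:29:41.002Z [203.0.113.5] mail-fail jdoe reset.account.not-found
23.2.2012 15:29:45 org.apache.catalina.core.ApplicationContext log
INFO: [INFO] Audit 2012-02-23T13:29:45.377Z [203.0.113.5] mail-fail admin reset.account.not-found
23.2.2012 15:29:49 org.apache.catalina.core.ApplicationContext log
INFO: [INFO] Audit 2012-02-23T13:29:49.910Z [203.0.113.5] mail-fail root reset.account.not-found
23.2.2012 15:29:53 org.apache.catalina.core.ApplicationContext log
INFO: [INFO] Audit 2012-02-23T13:29:53.120Z [203.0.113.5] mail-sent CN=Alice Example,OU=Users,DC=ad,DC=example,DC=com alice@example.com
23.2.2012 15:30:10 org.apache.catalina.core.ApplicationContext log
INFO: [INFO] Audit 2012-02-23T13:30:10.004Z [198.51.100.7] mail-fail CN=Bob Example,OU=Users,DC=ad,DC=example,DC=com reset.mail.invalid
23.2.2012 15:34:11 org.apache.catalina.core.ApplicationContext log
INFO: [INFO] Audit 2012-02-23T13:34:11.083Z [203.0.113.5] reset-success CN=Alice Example,OU=Users,DC=ad,DC=example,DC=com
"""


def parse_audit(text: str) -> List[Dict[str, object]]:
    """Extract audit events; Tomcat header lines and other output are skipped."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        rest = m["rest"] or ""
        # The DN may contain spaces, so split the detail off from the right.
        if m["event"] in TRAILING_DETAIL and " " in rest:
            subject, detail = rest.rsplit(" ", 1)
        else:
            subject, detail = rest, ""
        events.append({"ts": ts, "ip": m["ip"], "event": m["event"],
                       "subject": subject, "detail": detail})
    return events


def find_reset_abuse(events, threshold: int = 3,
                     window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return source IPs with >= threshold 'account not found' reset failures
    inside a sliding window, mapped to the largest burst seen."""
    per_ip: Dict[str, list] = defaultdict(list)
    for e in events:
        if e["event"] == "mail-fail" and e["detail"] == "reset.account.not-found":
            per_ip[e["ip"]].append(e["ts"])
    flagged: Dict[str, int] = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


def successful_resets(events) -> List[str]:
    """DNs whose password was actually reset; worth correlating with HR/helpdesk."""
    return [e["subject"] for e in events if e["event"] == "reset-success"]


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_LOG)
    print(f"{len(evs)} audit events")
    for ip, n in find_reset_abuse(evs).items():
        print(f"ALERT {ip}: {n} unknown-account reset attempts within 5 minutes")
```

Feed it the real localhost log and tune threshold and window to the traffic of your site; mail-sent entries can be correlated against reset-success in the same way to spot reset mails that were requested but never completed.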