Enabling UsernameUserMappingIdentityFactory

Owned by ubisebastian
2022-01-16
3 min read

UsernameUserMapping is a legacy feature, which allows unregistered users to be mapped as UbiloginDirectory users based on the username of the unregistered user. As the same use case can be implemented with Directory User Mappings, which has much more flexibility in the configuration, UsernameUserMapping is nowadays considered to be deprecated. 

The feature causes an extra LDAP search on UbiloginDirectory to be performed during each login with an unregistered authentication method. Disabling UsernameUserMappingIdentityFactory prevents this search to be performed. Disabling UsernameUserMappingIdentityFactory is the default behaviour since 8.5.0 and should not be overridden unless UsernameUserMapping feature is actually in use.

In 8.5.0 UsernameUserMappingIdentityFactory is disabled by default and needs to be explicitly enabled using the flag EnableUsernameUserMapping if needed. The flag DisableUsernameUserMapping is no more supported and if used in the configuration has no effect.

How to examine if UsernameUserMapping is in use

One option is to check the diag logs for entries that contain text "UsernameUserMappingIdentityFactory.createIdentities". The problem is that for the entries to be logged, the diag.identity log needs to be set to debug level. Another more robust option is to check for UsernameUserMapping configuration objects directly from UbiloginDirectory. Both methods are described below.

If UsernameUserMapping is in use and it's not possible to disable it without preventing users from logging in, then it's possible to add EnableUsernameUserMapping in the server compatibility flags.

However, as the feature is deprecated and may be removed at some point in the future, it is advisable to migrate to use, for example, Directory User Mappings instead. If questions about this arise, please contact Ubisecure Support and state that the question is about disabling UsernameUserMapping.

Checking for the diag log entries written during UsernameUserMapping

When the search performed during UsernameUserMapping returns a result (and diag.identity log is set to debug level) the following diag log entry is written. If there is even one log entry similar to this one, then UsernameUserMapping is in use.

Diag log entry for an existing UsernameUserMapping entry
2019-11-27 12:15:05,932 identity UsernameUserMappingIdentityFactory.createIdentities:Identity[UBILOGIN&tupas.op.1&<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" NameQualifier="ldap:///cn=Ubilogin,dc=test">CN=User1,OU=test,CN=Ubilogin,DC=test</saml:NameID>]

When the search performed during UsernameUserMapping returns no results (and diag.identity log is set to debug level) the following diag log entry is written. If there are only log entries similar to this and none similar to the one above, then UsernameUserMapping is not in use.

Diag log entry for a non-existing UsernameUserMapping entry
019-11-14 10:19:16,661 identity UsernameUserMappingIdentityFactory.createIdentities
login.InvalidUserException: The user was not found
	at ubilogin.directory.Locator.inner_findUbiloginAuthMapping(Locator.java:242)
	at ubilogin.directory.Locator.access$200(Locator.java:32)
	at ubilogin.directory.Locator$3.get(Locator.java:216)
	at ubilogin.directory.Locator$3.get(Locator.java:213)
	at com.ubisecure.util.cache.ExpiringCache.get(ExpiringCache.java:64)
	at ubilogin.directory.Locator.findUbiloginAuthMapping(Locator.java:211)
	at attributes.identity.UsernameUserMappingIdentityFactory.searchUbiloginIdentityByAuthMapping(UsernameUserMappingIdentityFactory.java:75)
	at attributes.identity.UsernameUserMappingIdentityFactory.createIdentities(UsernameUserMappingIdentityFactory.java:58)
	at ubilogin.UbiloginIdentityFactory.createIdentities(UbiloginIdentityFactory.java:127)
	at com.ubisecure.ubilogin.sso.ui.conversation.authn.UbiloginAuthenticationRequest.updateSession(UbiloginAuthenticationRequest.java:513)
	at com.ubisecure.ubilogin.sso.ui.conversation.authn.UbiloginAuthenticationRequest.assertAccessAllowed(UbiloginAuthenticationRequest.java:533)
	at com.ubisecure.ubilogin.sso.ui.servlet.ReturnServlet.agentMethodService(ReturnServlet.java:128)
	at com.ubisecure.ubilogin.sso.ui.servlet.ReturnServlet.service(ReturnServlet.java:179)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.ubisecure.saml2.trace.TraceServlet.doFilter(TraceServlet.java:58)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at servlet.ContextFilter.doFilter(ContextFilter.java:46)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.ubisecure.util.filter.ProxyFilter.doFilter(ProxyFilter.java:185)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.ubisecure.util.filter.SetEncodingFilter.doFilter(SetEncodingFilter.java:54)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:185)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

Checking for UsernameUserMapping configuration objects in UbiloginDirectory

The best way to find out if UsernameUserMapping feature is in use is to check if UbiloginDirectory contains any objects, whose objectClass=ubiloginAuthMethod and have some value set in the attribute ubiloginAuthMapping. This can be done for example by running the following command in terminal. If it prints nothing, then it's certain that the feature is not in use and no further actions are needed.

Linux
ubilogin/ldap/openldap/export.sh -LLL "(&(objectClass=ubiloginAuthMethod)(ubiloginAuthMapping=*))"
Windows
ubilogin\ldap\adam\export.cmd -r "(&(objectClass=ubiloginAuthMethod)(ubiloginAuthMapping=*))" >nul & type export.ldif

Configuration

The configuration is done using the following flag, which can be set in the server compatibility flags:

EnableUsernameUserMapping

UsernameUserMappingIdentityFactory is enabled for all authentication methods.

Example 1: Set EnableUsernameUserMapping for the server using SSO Management UI.

  1. Select "Server" tab.
  2. Add EnableUsernameUserMapping to Server Compatibility Flags.
  3. Press Update


Ubisecure Privacy Policy & Cookie Statement