The Groups view below presents all of the groups in the selected site.


Figure 1: The list of groups in the selected site

Group
Click group name, site or description to edit the group object
New Group…
Create a new group
Delete Group/ Check box
Select and click Delete to delete permanently the selected groups
Move here
Move a group to this site from another site

Group

Figure 2 shows the group editor where group properties can be edited.


Figure 2: The Group editor screen

Name
The name of the group object
Description / Update
Description of the group object. Click Update to update the description.
New
Create a new group
Delete
Delete this group
Rename
Rename this group

Users

The Users view presents all of the users in the selected group.


Figure 3: List of users in the selected group

User name
User name is a link to the user entity
Add
Add a Ubisecure user to this group
Remove
Remove the selected user(s) from this group

Groups

The Groups view presents static Ubisecure Groups that are member of the selected group.


Figure 4: The groups that belong to a group

Add
Add a group or groups to this group
Remove
Remove the selected group(s) from this group

Dynamic Members

The dynamic member feature allows defining the members of a group using rules that are evaluated at run-time. This feature allows dynamic groups and it is different from "traditional" static groups where the members of a group are defined one by one resulting in a static association.

The pros and cons of different group types are:

Static group
- Simple and easy to understand
- Allows complex membership that cannot be expressed by search filter
- Large groups can be hard to manage
- Works only within the Ubisecure Directory (not with external directories)
Dynamic group
- Enables integration with external directories
- New users added to a container are automatically members
- Complex dynamic group expressions can be hard to review/understand

Ubisecure SSO uses dynamic groups for two main purposes:

Dynamic group membership within the Ubisecure Directory
To associate users authenticated in an External Directory with groups in the Ubisecure Directory

The rule used for defining dynamic members closely follows the standard LDAP URL syntax. Please refer to RFC 2255 (http://www.rfc-editor.org/rfc/rfc2255.txt) for a specification of the LDAP URL syntax.

The Ubisecure SSO Management view to dynamic members simplifies editing LDAP URLs by providing access to the standard components of the LDAP URL.

In addition, the Ubisecure SSO Management view provides templates as help for the administrator when designing different kinds of dynamic member rules such as members of Ubisecure Directory and members of External Directory.

The Dynamic Member view is presented in Figure 5.


Figure 5: Configuring Group Dynamic Member

Server
The base address of the LDAP server in URI format. For example: ldap://localhost/ . The special value ldap:/// defines the LDAP server of the Ubisecure Directory .
Distinguished Name
The name of a directory object
Attributes
Optional value. List of attributes to read from the directory object. The list elements are separated by ','
Scope
Search scope. One of base, one or sub.
- Base: The object defined by the Distinguished Name value only.
- One: Exactly one level below the object defined by the Distinguished Name.
- Sub: Descendants of the object defined by the Distinguished Name, including the object itself.

Filter
LDAP search filter expression. For example: (objectClass=ubiloginUser) . The LDAP search filter syntax is specified by RFC 2254 (http://www.rfc-editor.org/rfc/rfc2254.txt)
Extensions
LDAP URL extension value. Valid Ubisecure SSO extension values are:
- x-tokengroups
  For Microsoft Active Directory external directories, resolves group membership by reading the TokenGroups operational attribute from the user's object
Templates
Select a template that automatically inputs the default values for the fields above.
- Users of Ubisecure Site
  The most common use case for dynamic members within the Ubisecure Directory is Users of Ubisecure Site. This use case is implemented by defining the distinguished name of a Ubisecure Site and the search scope one or sub.
  Example: ldap:///ou=Users,cn=Ubilogin,dc=localhost??sub?objectclass=ubiloginUser→ This adds all users below the Users site as members of the group
- User in External Directory
  Add a single external user. Specify a LDAP URL where the DN identifies the user and search scope is base, leave the other fields empty.
  Example: ldap://localhost/uid=user1,ou=users??base
- Users of External Directory Branch
  Add all users of a directory branch. Specify a LDAP URL where the DN identifies a container, search scope is one or sub and optionally define a search filter.
  Example: ldap://localhost/ou=users??one?objectclass=person
- Members of External Directory Group
  Members of a group defined in external directory. This integration method is available if the group in the external directory has an attribute that lists the members of the group. This integration method does not resolve external dynamic groups or a group including group relationships.
  Specify a LDAP URL where the DN identifies the group, the attribute defines the name of the attribute that lists the members, search scope is base.
  Example: ldap://localhost/cn=group1,ou=users?member?base
- Members of Active Directory
  GroupMembers of a group defined in Active Directory. This integration method is available for Active Directory external directories. This integration method resolves the transitive group memberships for the given group.
  Specify a LDAP URL where the DN identifies the group, the attribute defines the binary objectSid attribute, search scope is base, x-tokengroups is included in the set of extensions.
  Example: ldap://localhost/cn=group1,ou=users?objectSid;binary?base??x-tokengroups

Attribute Members

The Attribute Members feature enables defining group memberships based on attributes received during authentication. Users can be mapped to groups dynamically at run-time based on the logical queries about the presence or absence of user and methods attributes as well as their values.

An example is shown in Figure 6. Users can sign in using two different authentication methods – HST card, based on Certificate Authentication Provider, or TUPAS. TUPAS allows both individuals and companies to authenticate. First, Method Attribute Mapping is used to ensure the Personal Identity Number is in the same format and present in same variable name (hetu). Next, Users with the variable hetu are assigned dynamically to the group Persons. Authentication by persons using corporate bank accounts, which contain the variable y-tunnus, are assigned dynamically to the group Organizations.


Figure 6: Example of group membership based on attributes

The pros and cons of the attribute members feature are:

Allows assigning group memberships for unregistered users
Allows external management of group members
Membership is independent of user repositories
Forfeits control of individual group members

Attribute membership is defined as one or more preconditions. Each precondition is shown as an entry in attribute members view. User is considered as a member of the group if any of precondition entries is evaluated to true.
Precondition syntax follows the LDAP search filter syntax with minor modifications. The LDAP search filter syntax is specified by RFC 2254 (http://www.rfc-editor.org/rfc/rfc2254.txt). Modifications are as follows:

Equality is the only supported matching operation
Supported logical operations include AND, OR, and NOT
Asterisk is the only supported wildcard. Asterisk evaluates to true if defined attribute has any value.
Attribute name is defined as prefix:name, where possible prefixes are following:
- method
  Attribute name refers to a method attribute
  For example: method:organization=organizationA
- subject
  Attribute name refers to a subject attribute. Possible subject attributes are following:
  - format
    Refers to subject format
  - username
    Refers to subject username
  - namequalifier
    Refers to subject namequalifier

The most common attribute membership precondition is a simple equality match of a method attribute.

Attribute membership is only evaluated for the current user if the authentication method that the user is signing in with is also selected in the Allowed Methods tab. (Applies to version 5.0.3 and higher)

NOTE: Whitespaces may break the precondition syntax, please be careful when using them.

Member Of

The Member Of view presents the static groups that this group is member of.


Figure 7: The Member Of - view of a group

Add
Add new groups
Remove
Remove the memberships of the selected group(s)

Allowed Applications

The Allowed Applications view presents all those Applications that this group has access to by the Allowed To list association.


Figure 8: The list of applications the selected group has access to

Add
Add this group to applications access control list
Remove
Remove this group from selected application(s) access control list

Allowed Methods

By selecting authentication methods for this group you can configure that unregistered users belong to the selected group. An unregistered user is one that has its user identity stored in an external authentication service.


Figure 9: Selecting unregistered users behind authentication services for the selected group

Update / Check box
Select or deselect the users behind authentication services

NOTE: Unregistered users represent the user identities stored in external authentication services. By selecting methods in this view, all users authenticated in external authentication services belong to this group.

Authorization

The Authorization view (see Figure 10) presents the Authorization policies associated with the selected group.


Figure 10: Authorization policies related to the selected group

The authorization policies that are associated with this group can be managed in the site's authorization view. Please refer to page Manage authorization policies - SSO.

Browser not supported