Management UI Groups - SSO

The Groups view below presents all of the groups in the selected site.

Figure 1: The list of groups in the selected site
  • Group
    Click group name, site or description to edit the group object
  • New Group…
    Create a new group
  • Delete Group / Check box
    Select the groups and click Delete to permanently delete them
  • Move here
    Move a group to this site from another site

Group

Figure 2 shows the group editor where group properties can be edited.

Figure 2: The Group editor screen
  • Name
    The name of the group object
  • Description / Update
    Description of the group object. Click Update to update the description.
  • New
    Create a new group
  • Delete
    Delete this group
  • Rename
    Rename this group

Users

The Users view presents all of the users in the selected group.

Figure 3: List of users in the selected group
  • User name
    User name is a link to the user entity
  • Add
    Add a Ubisecure user to this group
  • Remove
    Remove the selected user(s) from this group

Groups

The Groups view presents the static Ubisecure Groups that are members of the selected group.

Figure 4: The groups that belong to a group
  • Add
    Add a group or groups to this group
  • Remove
    Remove the selected group(s) from this group

Dynamic Members

The dynamic member feature allows defining the members of a group using rules that are evaluated at run-time. Such dynamic groups differ from "traditional" static groups, where the members of a group are defined one by one, resulting in a static association.

The pros and cons of different group types are:

  • Static group
    • Simple and easy to understand
    • Allows complex membership that cannot be expressed by a search filter
    • Large groups can be hard to manage
    • Works only within the Ubisecure Directory (not with external directories)
  • Dynamic group
    • Enables integration with external directories
    • New users added to a container are automatically members
    • Complex dynamic group expressions can be hard to review/understand

Ubisecure SSO uses dynamic groups for two main purposes:

  1. Dynamic group membership within the Ubisecure Directory
  2. To associate users authenticated in an External Directory with groups in the Ubisecure Directory

The rule used for defining dynamic members closely follows the standard LDAP URL syntax. Please refer to RFC 2255 (http://www.rfc-editor.org/rfc/rfc2255.txt) for a specification of the LDAP URL syntax.

The Ubisecure SSO Management view for dynamic members simplifies editing LDAP URLs by providing access to the standard components of the LDAP URL.

In addition, the Ubisecure SSO Management view provides templates that help the administrator design different kinds of dynamic member rules, such as members of the Ubisecure Directory and members of an External Directory.

The Dynamic Member view is presented in Figure 5.

Figure 5: Configuring Group Dynamic Member
  • Server
    The base address of the LDAP server in URI format. For example: ldap://localhost/. The special value ldap:/// defines the LDAP server of the Ubisecure Directory.
  • Distinguished Name
    The name of a directory object
  • Attributes
    Optional value. List of attributes to read from the directory object. The list elements are separated by ','
  • Scope
    Search scope. One of base, one or sub.
    • Base: The object defined by the Distinguished Name value only.
    • One: Exactly one level below the object defined by the Distinguished Name.
    • Sub: Descendants of the object defined by the Distinguished Name, including the object itself.
  • Filter
    LDAP search filter expression. For example: (objectClass=ubiloginUser). The LDAP search filter syntax is specified by RFC 2254 (http://www.rfc-editor.org/rfc/rfc2254.txt).
  • Extensions
    LDAP URL extension value. Valid Ubisecure SSO extension values are:
    • x-tokengroups
      For Microsoft Active Directory external directories, resolves group membership by reading the TokenGroups operational attribute from the user's object
  • Templates
    Select a template that automatically inputs the default values for the fields above.
    • Users of Ubisecure Site
      The most common use case for dynamic members within the Ubisecure Directory is Users of Ubisecure Site. This use case is implemented by defining the distinguished name of a Ubisecure Site and the search scope one or sub.
      Example: ldap:///ou=Users,cn=Ubilogin,dc=localhost??sub?objectclass=ubiloginUser
      → This adds all users below the Users site as members of the group
    • User in External Directory
      Add a single external user. Specify an LDAP URL where the DN identifies the user and the search scope is base; leave the other fields empty.
      Example: ldap://localhost/uid=user1,ou=users??base
    • Users of External Directory Branch
      Add all users of a directory branch. Specify an LDAP URL where the DN identifies a container and the search scope is one or sub, and optionally define a search filter.
      Example: ldap://localhost/ou=users??one?objectclass=person
    • Members of External Directory Group
      Members of a group defined in an external directory. This integration method is available if the group in the external directory has an attribute that lists the members of the group. This integration method does not resolve external dynamic groups or group-in-group relationships.
      Specify an LDAP URL where the DN identifies the group, the attribute is the name of the attribute that lists the members, and the search scope is base.
      Example: ldap://localhost/cn=group1,ou=users?member?base
    • Members of Active Directory Group
      Members of a group defined in Active Directory. This integration method is available for Active Directory external directories. This integration method resolves the transitive group memberships of the given group.
      Specify an LDAP URL where the DN identifies the group, the attribute is the binary objectSid attribute, the search scope is base, and x-tokengroups is included in the set of extensions.
      Example: ldap://localhost/cn=group1,ou=users?objectSid;binary?base??x-tokengroups
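
The following Python is an added illustration, not Ubisecure's own code. It splits an LDAP URL into the Server, Distinguished Name, Attributes, Scope, Filter and Extensions fields of the Dynamic Member view following RFC 2255, flags extensions other than x-tokengroups, and names which of the templates above a URL has the shape of. The classification rules and the treatment of ldap:/// as the Ubisecure Directory are inferred from the template descriptions; how the product itself validates a URL is not documented on this page.

```python
# Added example, not Ubisecure code: decompose an RFC 2255 LDAP URL into the
# Dynamic Member view fields and match it against the template shapes above.
from dataclasses import dataclass
from urllib.parse import unquote

SCOPES = ("base", "one", "sub")
KNOWN_EXTENSIONS = ("x-tokengroups",)   # the only extension the page lists as valid
UBISECURE_DIRECTORY = "ldap:///"        # special Server value for the Ubisecure Directory


@dataclass
class LdapUrl:
    server: str          # e.g. "ldap://localhost/"
    dn: str
    attributes: list     # comma-separated in the URL
    scope: str           # base, one or sub
    filter: str          # RFC 2254 filter text, "" if omitted
    extensions: list     # comma-separated; a leading '!' marks a critical extension


def parse_ldap_url(url):
    """Split scheme://host/dn?attributes?scope?filter?extensions (RFC 2255 section 3)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    host, _, tail = rest.partition("/")
    # Split on '?' before percent-decoding, so an encoded '?' inside a DN or filter survives.
    parts = tail.split("?", 4)
    parts += [""] * (5 - len(parts))
    dn, attrs, scope, filt, exts = (unquote(p) for p in parts)
    scope = scope.lower() or "base"     # RFC 2255: an omitted scope means base
    if scope not in SCOPES:
        raise ValueError("invalid scope %r, expected one of %s" % (scope, ", ".join(SCOPES)))
    return LdapUrl(
        server="%s://%s/" % (scheme.lower(), host),
        dn=dn,
        attributes=[a for a in attrs.split(",") if a],
        scope=scope,
        filter=filt,
        extensions=[e for e in exts.split(",") if e],
    )


def unknown_extensions(u):
    """Extensions not listed as valid for Ubisecure SSO; worth flagging before saving a rule."""
    return [e for e in u.extensions if e.lstrip("!").lower() not in KNOWN_EXTENSIONS]


def classify_template(u):
    """Name the template (from the list above) whose shape the URL has, or 'unrecognised'.
    The rules are inferred from the template descriptions, not taken from the product."""
    internal = u.server == UBISECURE_DIRECTORY
    tokengroups = any(e.lstrip("!").lower() == "x-tokengroups" for e in u.extensions)
    if internal and u.scope in ("one", "sub"):
        return "Users of Ubisecure Site"
    if internal:
        return "unrecognised"
    if u.scope in ("one", "sub"):
        return "Users of External Directory Branch"
    if u.attributes and tokengroups:
        return "Members of Active Directory Group"
    if u.attributes:
        return "Members of External Directory Group"
    if not u.extensions:
        return "User in External Directory"
    return "unrecognised"


# The five example URLs from the template list above.
EXAMPLES = [
    "ldap:///ou=Users,cn=Ubilogin,dc=localhost??sub?objectclass=ubiloginUser",
    "ldap://localhost/uid=user1,ou=users??base",
    "ldap://localhost/ou=users??one?objectclass=person",
    "ldap://localhost/cn=group1,ou=users?member?base",
    "ldap://localhost/cn=group1,ou=users?objectSid;binary?base??x-tokengroups",
]

if __name__ == "__main__":
    for url in EXAMPLES:
        u = parse_ldap_url(url)
        print("%-38s %s" % (classify_template(u), u))
        if unknown_extensions(u):
            print("   unknown extensions:", unknown_extensions(u))
```

Running the block prints one line per example URL with its template name and decomposed fields. The split on '?' happens before percent-decoding, which matters for DNs and filters that contain an encoded '?'; the parser also applies the RFC 2255 default of base when the scope component is empty.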

Attribute Members

The Attribute Members feature enables defining group memberships based on attributes received during authentication. Users are mapped to groups dynamically at run-time based on logical queries about the presence or absence of user (subject) and method attributes, and about their values.

An example is shown in Figure 6. Users can sign in using two different authentication methods: HST card, based on the Certificate Authentication Provider, or TUPAS. TUPAS allows both individuals and companies to authenticate. First, Method Attribute Mapping is used to ensure that the Personal Identity Number is in the same format and present under the same variable name (hetu). Next, users with the variable hetu are assigned dynamically to the group Persons. Persons authenticating with corporate bank accounts, whose attributes contain the variable y-tunnus, are assigned dynamically to the group Organizations.

Figure 6: Example of group membership based on attributes


The pros and cons of the attribute members feature are:

  • Allows assigning group memberships for unregistered users
  • Allows external management of group members
  • Membership is independent of user repositories
  • Forfeits control of individual group members

Attribute membership is defined as one or more preconditions. Each precondition is shown as an entry in the Attribute Members view. A user is considered a member of the group if any of the precondition entries evaluates to true.
Precondition syntax follows the LDAP search filter syntax with minor modifications. The LDAP search filter syntax is specified by RFC 2254 (http://www.rfc-editor.org/rfc/rfc2254.txt). The modifications are as follows:

  • Equality is the only supported matching operation
  • Supported logical operations include AND, OR, and NOT
  • Asterisk is the only supported wildcard. An asterisk evaluates to true if the defined attribute has any value.
  • Attribute name is defined as prefix:name, where the possible prefixes are the following:
    • method
      Attribute name refers to a method attribute
      For example: method:organization=organizationA
    • subject
      Attribute name refers to a subject attribute. The possible subject attributes are the following:
      • format
        Refers to subject format
      • username
        Refers to subject username
      • namequalifier
        Refers to subject namequalifier

The most common attribute membership precondition is a simple equality match of a method attribute.

Attribute membership is only evaluated for the current user if the authentication method that the user is signing in with is also selected in the Allowed Methods tab. (Applies to version 5.0.3 and higher)

NOTE: Whitespace may break the precondition syntax, so be careful when using it.
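
The following Python is added here as an illustration and is not part of Ubisecure SSO. It parses preconditions in the syntax just described and evaluates them the way the text specifies: equality and presence tests only, AND, OR and NOT, method: and subject: prefixes with the three subject attributes, and a group matching when any of its entries is true. The dictionary shapes used for the method attributes and the subject, the exact case-sensitive value comparison, and the group definitions and sample attribute values (modelled on Figure 6) are assumptions or constructed for the example. Because the parser never skips whitespace, a precondition containing a stray space is rejected, which is the situation the NOTE above warns about.

```python
# Added example, not Ubisecure code: parse and evaluate Attribute Members
# preconditions in the restricted RFC 2254 syntax described above.
PREFIXES = ("method", "subject")
SUBJECT_ATTRIBUTES = ("format", "username", "namequalifier")


def parse_precondition(text):
    """Build an AST: ('&'|'|', [children]), ('!', [child]) or ('=', prefix, name, value).
    Whitespace is never skipped, so a stray space is a syntax error (see the NOTE above).
    Values are taken literally; RFC 2254 backslash escapes are not decoded here."""
    pos = 0

    def peek():
        return text[pos] if pos < len(text) else ""

    def parse_filter():
        nonlocal pos
        if peek() != "(":                 # a bare item such as method:hetu=* is accepted
            return parse_item()
        pos += 1
        node = parse_comp()
        if peek() != ")":
            raise ValueError("expected ')' at offset %d in %r" % (pos, text))
        pos += 1
        return node

    def parse_comp():
        nonlocal pos
        op = peek()
        if op in ("&", "|"):              # AND / OR over one or more parenthesised filters
            pos += 1
            children = []
            while peek() == "(":
                children.append(parse_filter())
            if not children:
                raise ValueError("empty %r list in %r" % (op, text))
            return (op, children)
        if op == "!":                     # NOT of exactly one filter
            pos += 1
            return ("!", [parse_filter()])
        return parse_item()

    def parse_item():
        nonlocal pos
        eq = text.find("=", pos)
        if eq < 0 or "(" in text[pos:eq] or ")" in text[pos:eq]:
            raise ValueError("expected prefix:name=value at offset %d in %r" % (pos, text))
        prefix, sep, name = text[pos:eq].partition(":")
        if not sep or prefix not in PREFIXES or not name:
            raise ValueError("attribute must be method:name or subject:name: %r" % text[pos:eq])
        if prefix == "subject" and name not in SUBJECT_ATTRIBUTES:
            raise ValueError("unknown subject attribute %r" % name)
        end = text.find(")", eq + 1)
        end = len(text) if end < 0 else end
        value = text[eq + 1:end]
        if "*" in value and value != "*":  # equality only: no substring wildcards
            raise ValueError("asterisk is only valid as the whole value: %r" % value)
        pos = end
        return ("=", prefix, name, value)

    node = parse_filter()
    if pos != len(text):
        raise ValueError("trailing characters at offset %d in %r" % (pos, text))
    return node


def evaluate(node, method_attrs, subject):
    """method_attrs: {name: [values]} received from the authentication method (assumed shape);
    subject: {'format': ..., 'username': ..., 'namequalifier': ...} (assumed shape)."""
    op = node[0]
    if op == "&":
        return all(evaluate(c, method_attrs, subject) for c in node[1])
    if op == "|":
        return any(evaluate(c, method_attrs, subject) for c in node[1])
    if op == "!":
        return not evaluate(node[1][0], method_attrs, subject)
    _, prefix, name, value = node
    if prefix == "method":
        values = list(method_attrs.get(name, []))
    else:
        values = [subject[name]] if subject.get(name) else []
    if value == "*":
        return bool(values)               # presence test
    return value in values                # assumed exact, case-sensitive comparison


def is_member(preconditions, method_attrs, subject):
    """Group membership: true if ANY precondition entry evaluates to true."""
    return any(evaluate(parse_precondition(p), method_attrs, subject) for p in preconditions)


# Constructed group definitions modelled on Figure 6: presence of hetu marks a
# person, presence of y-tunnus marks an organization; the third entry shows an AND.
GROUP_PRECONDITIONS = {
    "Persons": ["method:hetu=*"],
    "Organizations": ["method:y-tunnus=*"],
    "OrganizationA Staff": ["(&(method:organization=organizationA)(method:hetu=*))"],
}


def groups_for(method_attrs, subject):
    """Names of the groups whose preconditions the authenticated user satisfies."""
    return [g for g, pcs in GROUP_PRECONDITIONS.items() if is_member(pcs, method_attrs, subject)]
```

Calling groups_for({"hetu": ["000000-000X"]}, {}) with that constructed placeholder value returns ["Persons"], while an attribute set carrying y-tunnus instead lands in Organizations. Each entry is parsed on every evaluation here for simplicity; a real implementation would parse the preconditions once when the group is saved, which is also the natural place to reject entries with whitespace or unsupported wildcards.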

Member Of

The Member Of view presents the static groups that this group is a member of.

Figure 7: The Member Of view of a group
  • Add
    Add this group as a member of other groups
  • Remove
    Remove the memberships of the selected group(s)

Allowed Applications

The Allowed Applications view presents all the applications that this group has access to through the Allowed To list association.

Figure 8: The list of applications the selected group has access to
  • Add
    Add this group to an application's access control list
  • Remove
    Remove this group from the access control list of the selected application(s)

Allowed Methods

By selecting authentication methods for this group, you can configure the unregistered users of those methods to belong to the selected group. An unregistered user is one whose user identity is stored in an external authentication service.

Figure 9: Selecting unregistered users behind authentication services for the selected group
  • Update / Check box
    Select or deselect the users behind authentication services

NOTE: Unregistered users represent the user identities stored in external authentication services. By selecting methods in this view, all users authenticated through those external authentication services belong to this group.

Authorization

The Authorization view (see Figure 10) presents the Authorization policies associated with the selected group.

Figure 10: Authorization policies related to the selected group

The authorization policies that are associated with this group can be managed in the site's authorization view. Please refer to page Manage authorization policies - SSO.