Enabling UsernameUserMappingIdentityFactory
UsernameUserMapping is a legacy feature, which allows unregistered users to be mapped as UbiloginDirectory users based on the username of the unregistered user. As the same use case can be implemented with Directory User Mappings, which has much more flexibility in the configuration, UsernameUserMapping is nowadays considered to be deprecated.
The feature causes an extra LDAP search on UbiloginDirectory to be performed during each login with an unregistered authentication method. Disabling UsernameUserMappingIdentityFactory prevents this search to be performed. Disabling UsernameUserMappingIdentityFactory is the default behaviour since 8.5.0 and should not be overridden unless UsernameUserMapping feature is actually in use.
In 8.5.0 UsernameUserMappingIdentityFactory is disabled by default and needs to be explicitly enabled using the flag EnableUsernameUserMapping if needed. The flag DisableUsernameUserMapping is no more supported and if used in the configuration has no effect.
How to examine if UsernameUserMapping is in use
One option is to check the diag logs for entries that contain text "UsernameUserMappingIdentityFactory.createIdentities". The problem is that for the entries to be logged, the diag.identity log needs to be set to debug level. Another more robust option is to check for UsernameUserMapping configuration objects directly from UbiloginDirectory. Both methods are described below.
If UsernameUserMapping is in use and it's not possible to disable it without preventing users from logging in, then it's possible to add EnableUsernameUserMapping in the server compatibility flags.
However, as the feature is deprecated and may be removed at some point in the future, it is advisable to migrate to use, for example, Directory User Mappings instead. If questions about this arise, please contact Ubisecure Support and state that the question is about disabling UsernameUserMapping.
Checking for the diag log entries written during UsernameUserMapping
When the search performed during UsernameUserMapping returns a result (and diag.identity log is set to debug level) the following diag log entry is written. If there is even one log entry similar to this one, then UsernameUserMapping is in use.
2022-11-27 12:15:05,932 uas identity DEBUG UsernameUserMappingIdentityFactory.createIdentities:Identity[UBILOGIN&tupas.op.1&<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" NameQualifier="ldap:///cn=Ubilogin,dc=test">CN=User1,OU=test,CN=Ubilogin,DC=test</saml:NameID>]
When the search performed during UsernameUserMapping returns no results (and diag.identity log is set to debug level) the following diag log entry is written. If there are only log entries similar to this and none similar to the one above, then UsernameUserMapping is not in use.
2022-11-14 10:19:16,661 uas identity DEBUG UsernameUserMappingIdentityFactory.createIdentities login.InvalidUserException: The user was not found at ubilogin.directory.Locator.inner_findUbiloginAuthMapping(Locator.java:242) at ubilogin.directory.Locator.access$200(Locator.java:32) at ubilogin.directory.Locator$3.get(Locator.java:216) at ubilogin.directory.Locator$3.get(Locator.java:213) at com.ubisecure.util.cache.ExpiringCache.get(ExpiringCache.java:64) at ubilogin.directory.Locator.findUbiloginAuthMapping(Locator.java:211) at attributes.identity.UsernameUserMappingIdentityFactory.searchUbiloginIdentityByAuthMapping(UsernameUserMappingIdentityFactory.java:75) at attributes.identity.UsernameUserMappingIdentityFactory.createIdentities(UsernameUserMappingIdentityFactory.java:58) at ubilogin.UbiloginIdentityFactory.createIdentities(UbiloginIdentityFactory.java:127) at com.ubisecure.ubilogin.sso.ui.conversation.authn.UbiloginAuthenticationRequest.updateSession(UbiloginAuthenticationRequest.java:513) at com.ubisecure.ubilogin.sso.ui.conversation.authn.UbiloginAuthenticationRequest.assertAccessAllowed(UbiloginAuthenticationRequest.java:533) at com.ubisecure.ubilogin.sso.ui.servlet.ReturnServlet.agentMethodService(ReturnServlet.java:128) at com.ubisecure.ubilogin.sso.ui.servlet.ReturnServlet.service(ReturnServlet.java:179) at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at com.ubisecure.saml2.trace.TraceServlet.doFilter(TraceServlet.java:58) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at servlet.ContextFilter.doFilter(ContextFilter.java:46) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at com.ubisecure.util.filter.ProxyFilter.doFilter(ProxyFilter.java:185) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at com.ubisecure.util.filter.SetEncodingFilter.doFilter(SetEncodingFilter.java:54) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:185) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)
Checking for UsernameUserMapping configuration objects in UbiloginDirectory
The best way to find out if UsernameUserMapping feature is in use is to check if UbiloginDirectory contains any objects, whose objectClass=ubiloginAuthMethod
and have some value set in the attribute ubiloginAuthMapping
. This can be done for example by running the following command in terminal. If it prints nothing, then it's certain that the feature is not in use and no further actions are needed.
ubilogin/ldap/openldap/export.sh -LLL "(&(objectClass=ubiloginAuthMethod)(ubiloginAuthMapping=*))"
ubilogin\ldap\adam\export.cmd -r "(&(objectClass=ubiloginAuthMethod)(ubiloginAuthMapping=*))" >nul & type export.ldif
Configuration
The configuration is done using the following flag, which can be set in the server compatibility flags:
EnableUsernameUserMapping
UsernameUserMappingIdentityFactory is enabled for all authentication methods.
Example 1: Set EnableUsernameUserMapping for the server using SSO Management UI.
- Select "Server" tab.
- Add EnableUsernameUserMapping to Server Compatibility Flags.
- Press Update
This web page (including any attachments) may contain confidential, proprietary, or privileged information – not for disclosure without authorization from Ubisecure Inc. Copyright © 2022. All Rights Reserved.