Active Directory integration - SSO

NOTE: Ubisecure product names were unified in autumn 2011. All products whose names started with the term "Ubilogin" were renamed to start with the term "Ubisecure". In the documentation this name change is applied retroactively, i.e., the new naming practice is also used when referring to old software versions that started with the term "Ubilogin" at the time of their release.

This documentation describes the Microsoft Active Directory (AD) specific implementation alternative of the Ubisecure External Directory Integration feature. The main focus is on the installation and configuration of this alternative.

This alternative can only be used with Microsoft Active Directory. For other LDAP directories, select either the Basic LDAP or the Schema Enhanced LDAP alternative. In Ubisecure terminology, the chosen directory is also called the External Directory.

In this alternative the Ubisecure Authentication Server has a read/write LDAPS connection to the external directory. No LDAP schema changes are needed in the external directory, because this alternative uses only the attributes and objects that AD provides by default.

Figure 1. Ubisecure Active Directory Integration architecture overview

Requirements

For successful integration, the following conditions should be met:

  • Ubisecure SSO Server is accessible with administrative privileges.
  • Active Directory is accessible (typically port 636 for SSL).
  • Ubisecure SSO Server version 6.2.0 or greater.
  • Active Directory containing the relevant user information.
  • A dedicated user in the Active Directory that will be used when making the LDAPS connections. The user needs to have sufficient access rights to perform the functions needed for the authentication method tasks; the required rights are detailed later in this document.
  • SSL certificate to be used when contacting the Active Directory with LDAPS.
  • Ubisecure Management installation directory is accessible.