Management UI common tasks - SSO

This page introduces basic tasks that the System Administrator needs to carry out in order to use Ubisecure SSO and its services.

Contents

Logging into Ubisecure SSO Management for the first time

After installing and setting up the Ubisecure SSO accordingly, the System Administrator can log in to the Ubisecure SSO Management application.


The initial login and password for the System Administrator identity is presented in page SSO Single Node Installation.

NOTE: It is important to change the System Administrator password to a strong password.

After successful login to Ubisecure SSO Management, the administrator can see the following view (Figure 1).

Figure 1: The first view after logging into Ubisecure SSO Management

The System Administrator view differs from the view seen by Site Manager. The Site Manager cannot configure the "Global Method Settings" and cannot reset the server secret.

The typical tasks in Ubisecure SSO Management after the first login are creating new objects on the server. For more details, please see the following chapters.

Creating a site hierarchy

The tree hierarchy in the database can be used to partition a large database into smaller entities, which are then easier to manage.
For example, the site structure used to manage the employees of a company can be created to match the organizational hierarchy of the company:

  • Corporation
    • Management
    • Production
    • Research

Another way to divide entities in the organization is to assign each kind of object for each site:

  • Corporation
    • Applications
    • Groups
    • Users
    • Roles

Another important purpose of the Site hierarchy is the concept of delegation of management tasks. Each Site can be assigned a set of users as Site Managers that can manage any of the entities contained within that Site, including any sub sites. It is also important to note that Ubisecure SSO hides and prevents access to any other sites where the user is not assigned to the sites Site Administrator groups.

An example of delegating management tasks to Site Managers:

  • Corporation; Managed by "System Administrators"
    • Research; Managed by "Research Administrators"
    • Production; Managed by "Production Administrators"

In this scenario the members of the System Administrators group can see and manage the entire database whereas the members of the Research Administrators group can see and manage entities only within the Research site.

Creating a New Site

To create a new site:

  1. Select a site where you want to add a new site.
  2. Click "New…".
  3. "Create site" window opens up. Give name and description for the site, and click OK to continue.

You have now created a new site.

Adding a New Group to a Site

To add a new group to a site:

  1. Select a site where you want to add a new group.
  2. Select "Groups" to add a group.
  3. Click "New…".
  4. "Create Group" window opens up. Give name and description for the group and click OK to continue.

You have now created a group.

Adding a New User to a Site and to a Group

To add a new user to a site and to a group:

  1. Select a site where you want to add a new user.
  2. Select "Users" to add an user.
  3. Click "New…".
  4. "Create User" window opens up.
  5. Give the user a "Name" which appears in the Ubisecure SSO Management.
  6. Give the user a "Username" which works as user ID.
  7. Give the user a "Mobile Phone" number if user has mobile authentication methods in use.
  8. Give the user other information if needed.
  9. Click status "Enabled" to enable the user account.
  10. Click OK.
    New user is now created.
  11. Give the user a password by clicking "Reset password".
  12. Type the password, enable the authentication method and click OK to continue.
  13. Give the user the authentication methods he is allowed to use by clicking "Methods".
  14. Select the allowed methods and click Update to continue.
  15. Add user in the group that was created earlier by clicking "Member of".
  16. Click "Add", select the group you want to add user to, and click OK to continue.

You have now added the new user to a group.

Creating a new Web Application

To create a new web application:

  1. Select a site where you want to add a new Web Application.
  2. Click "Applications".
  3. Click "New Application…".
  4. Give the needed information: name, application type and click OK.
  5. Define additional information, if needed.
  6. Click "Allowed Methods".
  7. Choose authentication methods to be used with this application and click Update.
  8. Click "Allowed to".
  9. Select groups that can access this application.

Adding New Site Managers

To add new administrators to the site you have two choices:

  • Add new group (where the new administrator belongs to) to the "Site Administrators" list that can manage the selected site.

OR

  • Add the new administrator user to the same group that is already managing this site.

    NOTE: To add a user to a group, you have to be a Site Manager of that group.

An example is shown in Figure 4. The Site "Demonstration" is managed by the group "Demonstration Site Managers".

Figure 2. Site Administrators – Members of the Demonstration Site Managers group can manage the Demonstration site in the Ubisecure SSO Management application

NOTE:  Site Managers must have access to the Ubisecure SSO Management application in order to login. Ensure that all Site Administrators groups are listed in Allowed to tab of the Ubisecure SSO Management application under the System site.

To allow a group to access the Ubisecure SSO Management application:

  1. Select Home → System site and click the Applications tab.
  2. Select the Ubilogin application
  3. Select the Allowed To tab of the application
  4. Click the "Add…" button and select the group containing site managers. Click OK.
  5. The group has been added and is visible in the Allowed To tab (see Figure 5)

An example is shown in Figure 5. The group "Demonstration Site Managers" are allowed to use the application "Ubilogin".

Figure 3. Ubilogin Management application Allowed To tab must contain all site manager groups

Removing Site Managers

To remove administrators from the site you have two choices:

  • Remove the user from the same group that is already managing this site.

    NOTE: To remove a user from a group, you have to be a Site Manager of that group.

OR

  • Remove the whole group from the "Site Administrators" list. Mark the check box of the group and click "Remove" to remove the group(s).

Creating a New Method

To create a new authentication method:

  1. Select Home → Applications and click the "New Application…" button.
  2. "Add New Application" view opens (Figure 4).

    • Enter the title for the method in "Title" field.

    • Enter the name for system's internal use in "Name" field.

    • Select the method type from the "Method Type" drop-down menu.

      • Option "Other" is used to specify custom authentication methods.

    • The method class is inserted automatically to the "Method Class" field after the method type selection and does not need to be edited.

    • For custom authentication methods, insert the java class name here, according to separate installation instructions.

    • If you want to link the authentication method to Ubisecure Directory or an external user directory, select the desired directory from the Directory drop-down menu. The directories shown in this list come from the Home → Services menu.

    • Click "OK" to create the method.

    Figure 4. Add New Method window

Creating a New Method Attribute Mapping

Attribute Mappings menu enables configuration of Method Attribute Mappings. Method Attribute Mappings change the attributes received from Authentication Methods. Attributes can be removed, transformed or mapped to other attributes. Refer to page Management UI Attribute Mappings - SSO for a full description.
To create a new method attribute mapping:

  1. Select Home →  Attribute Mappings
  2. Click New Mapping…
  3. Enter a Name and Description. Click OK.
  4. The screen shown in Figure 5 will be displayed.

    Figure 5. Method Attribute Mapping configuration: Main tab
  5. Select the Attributes tab. Click Add…

  6. Enter a precondition, attribute name and attribute value. If the precondition is left blank, the mapping will be executed. Precondition syntax follows the LDAP search filter syntax. Refer to page Management UI Attribute Mappings - SSO for a full description. Figure 6 shows an example completed mapping consisting of five attributes. In this example, the value received from the authentication method attribute http://axschema.org/contact/country/home will be mapped to the attribute country.

    Figure 6. Method Attribute Mapping configuration: Attributes tab
  7. Repeat for each desired attribute as required.

  8. Select the Methods tab.
  9. Enable only the methods for which this mapping will be applied. In the example in Figure 7, the same mapping has been applied to all OpenID authentication methods. This mapping will be executed only for logins performed with the selected attributes.

    Figure 7. Method Attribute Mapping configuration: Methods tab

Creating a New Directory User Mapping

Externally authenticated users can be mapped to a directory user with Directory User Mapping. The user may be in the Ubisecure Directory or in an external LDAP user directory. Directory User Mapping is described on page Management UI Directory User Mappings - SSO.

To create a new directory user mapping:

  1. Select Home → Directory User Mappings.
  2. Click the "New Mapping..." button.
  3. "Create Directory User Mapping" view opens (Figure 8).
    Enter appropriate name and description and click "OK".

    Figure 8. Create Directory User Mapping window
  4. From the "User Mappings" tab, select "Add…" to add a mapping entry.

    Figure 9. Adding new User Mapping entry
  5. "Directory User Mapping Entry" window opens (Figure 10).
    This screen is described on page Management UI Directory User Mappings - SSO.
    The example mapping shown in Figure 10 links an OpenID user to an Ubisecure Directory user based on the email address sent from the OpenID provider. The rule is only executed if the _method:http://axschema.org/contact/email_ value contains a value.
    Completed user mapping entry of the example is shown in Figure 11.


    Figure 10. Adding a user mapping entry

    Figure 11. Completed user mapping entry

  6. To enable the Directory User Mapping for a method, go to the "Methods" tab, select the desired method by selecting its checkbox, and click the "Update" button.

    Figure 12. Enabling Directory User Mapping for a Method 

Mapping Authenticated User to Directory User – Steps to Consider

  1. Is there a common attribute between the authentication provider and the directory user?
    1. If not
      1. Use user driven federation (Ubisecure SSO User Driven Federation - documentation)
      2. Use RESTServiceUserMapping / JSONServiceUserMapping to use a backend service to convert one ID to another
      3. Use basic user mapping to manually manage (Management UI Mappings - SSO)
      4. Use custom attributes to all admin or user to manage a common attribute and use that for mapping
    2. If so
      1. Is the attribute already in the correct format when received from the method?
        1. If not → Use method attribute mapping to make the format match the directory user attributes (Management UI Attribute Mappings - SSO)
  2. Configure directory user mapping
    1. Activate for each method
  3. Configure authorization policy