Management UI Groups - SSO
The Groups view below presents all of the groups in the selected site.
Figure 1: The list of groups in the selected site
- Group: Click the group name, site or description to edit the group object
- New Group…: Create a new group
- Delete Group / check box: Select groups and click Delete to permanently delete the selected groups
- Move here: Move a group to this site from another site
Group
Figure 2 shows the group editor where group properties can be edited.
Figure 2: The Group editor screen
- Name: The name of the group object
- Description / Update: Description of the group object. Click Update to save the description.
- New: Create a new group
- Delete: Delete this group
- Rename: Rename this group
Users
The Users view presents all of the users in the selected group.
Figure 3: List of users in the selected group
- User name: The user name is a link to the user entity
- Add: Add a Ubisecure user to this group
- Remove: Remove the selected user(s) from this group
Groups
The Groups view presents the static Ubisecure Groups that are members of the selected group.
Figure 4: The groups that belong to a group
- Add: Add a group or groups to this group
- Remove: Remove the selected group(s) from this group
Dynamic Members
The dynamic member feature defines the members of a group with rules that are evaluated at run-time. Such dynamic groups differ from "traditional" static groups, where the members of a group are defined one by one, resulting in a static association.
The pros and cons of different group types are:
- Static group
- Simple and easy to understand
- Allows complex membership that cannot be expressed by a search filter
- Large groups can be hard to manage
- Works only within the Ubisecure Directory (not with external directories)
- Dynamic group
- Enables integration with external directories
- New users added to a container are automatically members
- Complex dynamic group expressions can be hard to review/understand
Ubisecure SSO uses dynamic groups for two main purposes:
- Dynamic group membership within the Ubisecure Directory
- To associate users authenticated in an External Directory with groups in the Ubisecure Directory
The rule used for defining dynamic members closely follows the standard LDAP URL syntax. Please refer to RFC 2255 (http://www.rfc-editor.org/rfc/rfc2255.txt) for a specification of the LDAP URL syntax.
The Ubisecure SSO Management view of dynamic members simplifies editing LDAP URLs by giving access to the standard components of the LDAP URL.
In addition, the Ubisecure SSO Management view provides templates that help the administrator design different kinds of dynamic member rules, such as members of the Ubisecure Directory and members of an External Directory.
The Dynamic Member view is presented in Figure 5.
Figure 5: Configuring Group Dynamic Member
- Server: The base address of the LDAP server in URI format, for example ldap://localhost/. The special value ldap:/// denotes the LDAP server of the Ubisecure Directory.
- Distinguished Name: The name of a directory object
- Attributes: Optional value. List of attributes to read from the directory object. The list elements are separated by ','
- Scope: Search scope. One of base, one or sub.
  - Base: The object defined by the Distinguished Name value only.
  - One: Exactly one level below the object defined by the Distinguished Name.
  - Sub: Descendants of the object defined by the Distinguished Name, including the object itself.
- Filter: LDAP search filter expression, for example (objectClass=ubiloginUser). The LDAP search filter syntax is specified by RFC 2254 (http://www.rfc-editor.org/rfc/rfc2254.txt)
- Extensions: LDAP URL extension value. Valid Ubisecure SSO extension values are:
  - x-tokengroups: For Microsoft Active Directory external directories, resolves group membership by reading the TokenGroups operational attribute from the user's object
- Templates: Select a template that automatically fills in the default values for the fields above.
  - Users of Ubisecure Site: The most common use case for dynamic members within the Ubisecure Directory is Users of Ubisecure Site. This use case is implemented by defining the distinguished name of a Ubisecure Site and the search scope one or sub.
    Example: ldap:///ou=Users,cn=Ubilogin,dc=localhost??sub?objectclass=ubiloginUser
    → This adds all users below the Users site as members of the group
  - User in External Directory: Add a single external user. Specify an LDAP URL where the DN identifies the user and the search scope is base; leave the other fields empty.
    Example: ldap://localhost/uid=user1,ou=users??base
  - Users of External Directory Branch: Add all users of a directory branch. Specify an LDAP URL where the DN identifies a container, the search scope is one or sub, and optionally define a search filter.
    Example: ldap://localhost/ou=users??one?objectclass=person
  - Members of External Directory Group: Members of a group defined in an external directory. This integration method is available if the group in the external directory has an attribute that lists the members of the group. This integration method does not resolve external dynamic groups or group-in-group relationships.
    Specify an LDAP URL where the DN identifies the group, the attribute is the name of the attribute that lists the members, and the search scope is base.
    Example: ldap://localhost/cn=group1,ou=users?member?base
  - Members of Active Directory Group: Members of a group defined in Active Directory. This integration method is available for Active Directory external directories. This integration method resolves the transitive group memberships for the given group.
    Specify an LDAP URL where the DN identifies the group, the attribute is the binary objectSid attribute, the search scope is base, and x-tokengroups is included in the set of extensions.
    Example: ldap://localhost/cn=group1,ou=users?objectSid;binary?base??x-tokengroups
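As an added example (not code from the Ubisecure documentation or product), the following Python splits a dynamic member rule into the fields of the Dynamic Member view and names the template, from the list above, whose rules the URL follows. The ldap:/// convention and the per-template rules are taken from the descriptions above; the function names and the strictness checks are my own assumptions.

```python
from urllib.parse import unquote

# Constructed example, not part of the Ubisecure documentation: parses the
# RFC 2255 LDAP URL form used by dynamic member rules,
#   ldap://host[:port]/dn[?attributes[?scope[?filter[?extensions]]]]
# into the fields shown in the Dynamic Member view, and names the template
# whose rules (as described above) the URL matches.
SCOPES = ("base", "one", "sub")

def parse_ldap_url(url):
    """Split an LDAP URL into server, DN, attributes, scope, filter, extensions."""
    if not url.startswith("ldap://"):
        raise ValueError("dynamic member rules must start with ldap://")
    host, _, path = url[len("ldap://"):].partition("/")
    fields = path.split("?", 4)              # at most five '?'-separated fields
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, exts = (unquote(f) for f in fields)
    scope = scope.lower() or "base"          # RFC 2255: scope defaults to base
    if scope not in SCOPES:
        raise ValueError("scope must be one of base, one or sub")
    return {
        "server": "ldap://%s/" % host,
        "ubisecure_directory": host == "",  # ldap:/// is the Ubisecure Directory
        "dn": dn,
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope,
        "filter": filt,
        "extensions": [e for e in exts.split(",") if e],
    }

def template_name(url):
    """Name the template (from the list above) whose rules the URL follows."""
    u = parse_ldap_url(url)
    if u["ubisecure_directory"]:
        if u["scope"] == "base":
            raise ValueError("Users of Ubisecure Site needs scope one or sub")
        return "Users of Ubisecure Site"
    if u["scope"] != "base":
        return "Users of External Directory Branch"
    if "x-tokengroups" in u["extensions"]:
        if u["attributes"] != ["objectSid;binary"]:
            raise ValueError("x-tokengroups needs the objectSid;binary attribute")
        return "Members of Active Directory Group"
    if u["attributes"]:
        return "Members of External Directory Group"
    return "User in External Directory"
```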
Attribute Members
The Attribute Members feature enables defining group memberships based on attributes received during authentication. Users are mapped to groups dynamically at run-time based on logical queries about the presence or absence of user and method attributes, as well as their values.
An example is shown in Figure 6. Users can sign in using two different authentication methods – HST card, based on the Certificate Authentication Provider, or TUPAS. TUPAS allows both individuals and companies to authenticate. First, Method Attribute Mapping is used to ensure the Personal Identity Number is in the same format and present under the same variable name (hetu). Next, users with the variable hetu are assigned dynamically to the group Persons. Persons authenticating with corporate bank accounts, which carry the variable y-tunnus, are assigned dynamically to the group Organizations.
Figure 6: Example of group membership based on attributes
The pros and cons of the attribute members feature are:
- Allows assigning group memberships for unregistered users
- Allows external management of group members
- Membership is independent of user repositories
- Forfeits control of individual group members
Attribute membership is defined as one or more preconditions. Each precondition is shown as an entry in the attribute members view. A user is considered a member of the group if any of the precondition entries evaluates to true.
Precondition syntax follows the LDAP search filter syntax with minor modifications. The LDAP search filter syntax is specified by RFC 2254 (http://www.rfc-editor.org/rfc/rfc2254.txt). The modifications are as follows:
- Equality is the only supported matching operation
- Supported logical operations are AND, OR and NOT
- Asterisk is the only supported wildcard. Asterisk evaluates to true if the defined attribute has any value.
- Attribute name is defined as prefix:name, where the possible prefixes are:
  - method: The attribute name refers to a method attribute. For example: method:organization=organizationA
  - subject: The attribute name refers to a subject attribute. The possible subject attributes are:
    - format: Refers to the subject format
    - username: Refers to the subject username
    - namequalifier: Refers to the subject namequalifier
The most common attribute membership precondition is a simple equality match of a method attribute.
Attribute membership is only evaluated for the current user if the authentication method that the user is signing in with is also selected in the Allowed Methods tab. (Applies to version 5.0.3 and higher)
NOTE: Whitespace may break the precondition syntax; be careful when using it.
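An added example, not Ubisecure's own implementation: a Python evaluator for the precondition syntax described above (equality only, AND/OR/NOT, asterisk as a presence test, method: and subject: prefixes). It assumes attributes are supplied as name-to-value-list dictionaries and, as the note above warns, treats whitespace literally, so a stray space inside a precondition never matches.

```python
# Constructed example, not Ubisecure's own code: evaluates an Attribute Members
# precondition (the RFC 2254 subset described above; whitespace is significant).
#   filter = "(" ( "&" filter+ | "|" filter+ | "!" filter | attr "=" value ) ")"
#   attr = ("method" | "subject") ":" name   value "*" = attribute has any value
SUBJECT_ATTRS = ("format", "username", "namequalifier")

def is_member(precondition, method_attrs, subject_attrs):
    """True if the user matches; attrs map attribute name -> list of values."""
    node, pos = _parse(precondition, 0)
    if pos != len(precondition):
        raise ValueError("unexpected text at offset %d" % pos)
    return _eval(node, {"method": method_attrs, "subject": subject_attrs})

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":          # AND, OR, NOT
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError("wrong operand count for %r" % op)
        node = (op, children)
    else:                                     # equality, the only matching operation
        end = s.find(")", i)
        if end < 0:
            raise ValueError("missing ')'")
        attr, eq, value = s[i:end].partition("=")
        prefix, _, name = attr.partition(":")
        if eq != "=" or prefix not in ("method", "subject") or not name or not value:
            raise ValueError("bad comparison %r" % s[i:end])
        if prefix == "subject" and name not in SUBJECT_ATTRS:
            raise ValueError("unknown subject attribute %r" % name)
        node, i = ("=", prefix, name, value), end
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1

def _eval(node, attrs):
    op = node[0]
    if op in ("&", "|"):
        results = [_eval(c, attrs) for c in node[1]]
        return all(results) if op == "&" else any(results)
    if op == "!":
        return not _eval(node[1][0], attrs)
    _, prefix, name, value = node
    values = attrs[prefix].get(name, [])       # '*' is true when any value exists
    return bool(values) if value == "*" else value in values
```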
Member Of
The Member Of view presents the static groups that this group is a member of.
Figure 7: The Member Of view of a group
- Add: Add new groups
- Remove: Remove the memberships of the selected group(s)
Allowed Applications
The Allowed Applications view presents all the applications that this group has access to through the Allowed To list association.
Figure 8: The list of applications the selected group has access to
- Add: Add this group to the access control list of applications
- Remove: Remove this group from the access control list of the selected application(s)
Allowed Methods
By selecting authentication methods for this group, you configure that unregistered users belong to the selected group. An unregistered user is one whose user identity is stored in an external authentication service.
Figure 9: Selecting unregistered users behind authentication services for the selected group
- Update / check box: Select or deselect the users behind authentication services
NOTE: Unregistered users represent the user identities stored in external authentication services. By selecting methods in this view, all users authenticated by those external authentication services belong to this group.
Authorization
The Authorization view (see Figure 10) presents the Authorization policies associated with the selected group.
Figure 10: Authorization policies related to the selected group
The authorization policies that are associated with this group can be managed in the site's authorization view. Please refer to the page Manage authorization policies - SSO.