Management UI Mappings - SSO

Mappings are used to manually map a Ubisecure user's user id to a user id required by an application. For example, suppose user "John Doe" in Ubisecure SSO requires access to various existing applications. In his CRM application, the name must be in the form "jdoe", and in a legacy ERP application his name is "u44342".

Figure 1: User Mappings

An example of mappings defined for a user across multiple applications is shown in Figure 1. In this example, when user3 accesses the:

  • CRM application, their identity will be sent in LDAP DN format
  • HR application, their identity will be sent in email address format
  • ERP application, their identity will be sent in Windows DOMAIN\shortname format

Once a table of mappings has been defined, it may be assigned to one or more Web Applications.

It is also possible to perform user name mappings using the Authorization Policy function. An Authorization Policy can send an existing user attribute as the user name (for example, email address or employee number), or even send a common user name for all users of a specific group. Refer to the Authorization page for more information.

The first view of Mappings (Figure 2) presents all mapping tables in the selected site.

Figure 2: Mapping tables on the selected site
  • Mapping item
    Click the mapping name, site or description to edit the mapping.
  • New Mapping
    Create a new mapping.
  • Delete Mapping / Check box
    Select mappings with checkboxes and click "Delete Mapping" to delete the selected mappings.

Mapping

The main view of a mapping object is presented in Figure 3.

Figure 3: The main view of a mapping object
  • Name
    Descriptive identifier for this Mapping configuration
  • NameID Format
    • Ubisecure User Mapping
      Execute a manual user mapping as specified in the Users tab. The mapped value will be sent as the NameID.
    • Persistent ID (XML ID format)
      Send a Persistent ID to the target application.
    • Persistent ID (UUID format)
      Send a Persistent ID to the target application.
    • Transient ID
      Send a Transient ID to the target application.
    • OAuth Refresh Token
      Send an OAuth Refresh Token to the target application.
  • Affiliation ID (SPNameQualifier)
    Set SPNameQualifier of SAML assertions to selected Applications. Optional. In most cases leave blank.
  • Platform
    This field is for administrators to keep notes related to this configuration. This field is informative only and does not affect system functionality. Optional.
  • Description
    This field is for administrators to keep notes related to this configuration. Complete a meaningful description explaining who has made the configuration and why. Reference other system documentation if appropriate. This field is informative only and does not affect system functionality. Optional.
  • Update
    Update the edited fields
  • New
    Create a new mapping table
  • Delete
    Delete this mapping table
  • Rename
    Rename this mapping table

Users

The Users view (Figure 4) presents all user mappings in this mapping table. In this example, the user named user3 will have the name "CN=John Smith,OU=CRM Users,CN=crm,DC=example,DC=com" when accessing the Applications of the mapping (specified in Figure 5). Without a name policy, by default, the user's location in the Ubisecure Directory is sent as the NameID.

The mapped name can be in any format expected by the target application: LDAP distinguished name, Windows shortname, or email address. Different users can also be mapped to the same user in the target system.

Figure 4: User mapping(s) in this mapping table
  • User
    Click user Name or Site to edit the user object
  • Mapped name / Update
    Edit this field to provide a different user name for the selected agent(s). Click "Update" to save changes.
  • Add
    Add a new user mapping.
  • Remove
    Remove the selected user mapping(s)

Multiple users can be added using the "Add…" function. All added names can then be edited in a convenient list format.

Applications

The Applications view (Figure 5) specifies with which applications the mapped name(s) will be used.

If you link a mapping to more than one application, all of these applications will receive the same persistentId. Generally, each application should have its own persistentId mapping, because a shared identifier lets those applications correlate the same user.

In the example, the CRM mapping will be used by the test and production CRM applications, as well as the CRM Help System.
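One way to check the effect of a shared mapping from the application side, as an added example that is not part of the Ubisecure documentation: the script groups persistent NameID values by SAML audience and reports any value delivered to more than one application. The assertion fragments, entity IDs and NameID values are constructed for illustration and are not output from Ubisecure SSO.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def assertion(audience, fmt, value):
    """Build a minimal, unsigned assertion fragment (constructed sample data)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:Subject><saml:NameID Format="{fmt}">{value}</saml:NameID></saml:Subject>'
        '<saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
    )


# Constructed samples: the two CRM applications share one mapping table,
# the HR application has its own, and the ERP application gets a Transient ID.
SAMPLES = [
    assertion("https://crm-prod.example.com/sp", PERSISTENT, "p-7f3a"),
    assertion("https://crm-test.example.com/sp", PERSISTENT, "p-7f3a"),
    assertion("https://hr.example.com/sp", PERSISTENT, "p-91bc"),
    assertion("https://erp.example.com/sp", TRANSIENT, "t-0042"),
]


def shared_persistent_ids(assertions):
    """Return {NameID value: sorted audiences} for persistent IDs seen by more than one audience."""
    seen = defaultdict(set)
    for xml_text in assertions:
        # Constructed, trusted input; use a hardened XML parser for real traffic.
        root = ET.fromstring(xml_text)
        name_id = root.find("saml:Subject/saml:NameID", NS)
        audience = root.find(".//saml:Audience", NS)
        if name_id is None or audience is None:
            continue  # not enough information to attribute the identifier
        if name_id.get("Format") != PERSISTENT:
            continue  # transient and mapped names are out of scope for this check
        seen[name_id.text.strip()].add(audience.text.strip())
    return {value: sorted(auds) for value, auds in seen.items() if len(auds) > 1}


if __name__ == "__main__":
    for value, audiences in shared_persistent_ids(SAMPLES).items():
        print(f"persistent NameID {value} is shared by: {', '.join(audiences)}")
```

A hit is expected when a mapping is linked to several applications on purpose, as with the test and production CRM applications here; any other hit points to a mapping table that should be split per application.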

Figure 5: The list of agents that the mapped names will be provided for
  • Application
    Click the application name, site, status or type to open and edit the application configuration
  • Add
    Add a new application to the selected mapping table
  • Remove
    Remove the selected application(s) from this mapping table