CertAP integration - SSO

In this page, Ubisecure Certificate AP is integrated with Ubisecure SSO. Ubisecure Certificate AP works as a SAML authentication method from the point of view of Ubisecure SSO.

Configuring Ubisecure SSO

Create a new authentication method that corresponds to the Certificate AP:

  1. Open Ubisecure SSO Management and create a new SAML authentication method

    Figure 1. Creating the SAML method

  2. Obtain the SAML2 metadata of Certificate AP by either:

    1. downloading it from the respective server at https://certap.example.com:9443/certap/saml2/metadata.xml (the domain depends on where Certificate AP is deployed). You will need a client certificate to be able to do this.

    2. generating it on the command line as in the example below:

      Listing 1. Generating Certificate AP SAML2 metadata on Linux
      java -classpath '/usr/local/ubisecure/certap/certap/webapps/certap/WEB-INF/lib/*' com.ubisecure.saml2.config.Main Metadata /usr/local/ubisecure/certap/certap/webapps/certap/WEB-INF/uap -idp -f ~/certap-metadata.xml

      Listing 2. Generating Certificate AP SAML2 metadata on Windows
      java -classpath "%PROGRAMFILES%\ubisecure\certap\certap\webapps\certap\WEB-INF\lib\*" com.ubisecure.saml2.config.Main Metadata "%PROGRAMFILES%\ubisecure\certap\certap\webapps\certap\WEB-INF\uap" -idp -f "%HOME%\certap-metadata.xml"

  3. Upload the metadata of Certificate AP to the created SAML method.

    Figure 2. Uploading the metadata of the Certificate AP to the SAML method in Ubilogin SSO

  4. Enable the method

Set Certificate AP to Trust Ubisecure SSO

The metadata of Ubisecure SSO must be downloaded to the Certificate AP in order to create a trust relationship.

  1. Download the Ubisecure SSO metadata by pressing the [Download Metadata] link:

    Figure 3. Downloading the metadata of Ubisecure SSO
  2. Place the metadata in CERTAP_HOME\webapps\certap\WEB-INF\uap\metadata\metadata.xml
  3. Restart Certificate AP

    Listing 3. Restarting the Certificate AP on Windows
    cd /d "C:\Program Files\Ubisecure\certap\certap"
    config\tomcat\update.cmd

    Listing 4. Restarting the Certificate AP on Linux
    sudo systemctl stop certap-server
    cd /usr/local/ubisecure/certap/certap/config/tomcat/
    ./update.sh
    sudo systemctl start certap-server

Now you can log in to an application by using the Certificate AP method. See Ubisecure Management user interface - SSO pages for instructions on how to attach an authentication method to a web application and create a group for users of certificates.