AD authentication methods - SSO

AD password method

The AD password authentication method allows you to authenticate with a username and password when the credentials are stored in Active Directory. Active Directory is accessed over LDAPS, so the bind and the password are protected by TLS on the wire. The method also allows the user to change an expiring or expired password. The same Ubisecure SSO Server can connect to multiple AD directories.

To add an AD Password Method, use the Ubisecure Management application with an Administrator account:

  1. Select Home → Global Method Settings (see Figure 1)

  2. Select New Method…

  3. Complete the Add New Method dialog

    1. Title: A human readable name describing this method. Shown in the management user interface and possibly in the end user interface if no localization is available

    2. Name: A unique system reference to this method. This is used by administrators to identify this authentication method. Typical values are, for example: password.ad, password.ad.prod, password.ad.test, password.customer1

    3. Method Type: Select SPI Password

      1. Method Class: This will be automatically filled in.

    4. Directory: Select the AD directory made in the previous step.

  4. Press OK

  5. The method configuration screen is shown, see Figure 2.

  6. SAML Authentication Context and SAML NameID Policy related configurations are described in the Management user interface - SSO documentation. Changes to these settings are typically not required.

  7. Tick Enabled to enable the method

  8. Hidden will remove this method from any system generated authentication method selection menus. This is described in more detail in the Management user interface - SSO. By default this is unselected.

  9. Limit Method Visibility specifies to which IP netmask ranges this method will be shown in any system generated authentication method selection menus. Leave blank to show it to all IP addresses. For AD password methods in a corporate environment, this is typically set to the netmask ranges of the domain users' network. This is described in more detail in the Management user interface - SSO documentation. By default this is blank.

  10. The Account Lockout Policy settings are ignored for AD installations. All account policy changes are performed in the Active Directory Group Policy settings of Windows.

  11. Further configuration can be made using the Configuration String settings. Default settings are adequate for most installations. Possible configurations are described below.

  12. Press Update to record the settings.

    Listing 1. Example Configuration string settings that can be used on the authentication method level if not already defined in the Directory Service (AD Directory)

    directory.account.login=mail
    policy.password.protocol=ActiveDirectoryLds
    policy.password.expiring=36000

    Configuration string settings

        • policy.password.expiring → Most of the password policy settings are defined only in Active Directory. However, the AD authentication method LDAP object has a separate policy setting that controls the pre-expiration password change option. If the user's password will expire within this many minutes, he or she is given a chance to change it at login. The value is in minutes; 36000 means the warning is shown 25 days before expiration. OPTIONAL.

        • directory.account.login → Specifies the name of the user attribute used for the username lookup. Any user attribute that uniquely identifies the user may be used. If more than one user has the same value in the attribute, login fails with an error rather than picking one of them. By default, samAccountName is used. Other typical values include:

          • uid

          • samAccountName

          • mobile

          • mail

          For example, to allow an AD user to log in using their email address as the username, set this value to mail. To allow an AD user to log in using their mobile phone number as the username, set this value to mobile. OPTIONAL.

        • policy.password.protocol → The password protocol that should be used for this integration. Possible values are: ActiveDirectory, ActiveDirectoryLds, ActiveDirectoryDs. Default value is ActiveDirectoryDs. OPTIONAL.

  13. The SPI Password tab is not used for AD Integration. Password encoding is configured in Active Directory. This value is ignored.

  14. The Sites tab lists which sites may use this method. To activate the method for a site:

    1. Open a site from the Site Navigator

    2. Select the Site Methods tab

    3. Press Add Method…

    4. Select the newly created AD Method and press OK (See Figure 3)

    5. The AD Method is now added to the site, and the site is visible from the AD Method's Sites tab (see Figure 4)

  15. The Groups tab lists which Ubilogin groups users of this method will be assigned to. Group Members settings are described in more detail in the Management user interface - SSO documentation. These settings are made from within the Methods tab of Groups.
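Two of the configuration string settings above decide how a login is matched to an account and when the user is pushed to change a password, so here is an added example for this page (written for this edit, not Ubisecure code) that models them in Python: parsing the Listing 1 string over the documented defaults, a lookup by directory.account.login that fails closed when zero or several entries match, and the policy.password.expiring check against the account's pwdLastSet timestamp. The directory entries, the 90-day maximum password age, the clock and the check_user helper are constructed for the example; how Ubisecure SSO itself performs the LDAP lookup and reads the domain policy is not shown on this page.

```python
"""Added example for this page (not Ubisecure code): models the checks the
AD password method configuration turns on.  All directory data is constructed."""
from datetime import datetime, timedelta, timezone

# Listing 1 settings, as whitespace- or newline-separated key=value pairs.
CONFIG_STRING = """
directory.account.login=mail
policy.password.protocol=ActiveDirectoryLds
policy.password.expiring=36000
"""

# Defaults as stated on this page.
DEFAULTS = {
    "directory.account.login": "samAccountName",
    "policy.password.protocol": "ActiveDirectoryDs",
}
ALLOWED_PROTOCOLS = {"ActiveDirectory", "ActiveDirectoryLds", "ActiveDirectoryDs"}

# Active Directory stores pwdLastSet as a FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_config(config_string):
    """Overlay key=value tokens on the defaults and validate the values."""
    cfg = dict(DEFAULTS)
    for token in config_string.split():
        key, sep, value = token.partition("=")
        if not (sep and key and value):
            raise ValueError(f"malformed setting: {token!r}")
        cfg[key] = value
    if cfg["policy.password.protocol"] not in ALLOWED_PROTOCOLS:
        raise ValueError(f"unknown protocol: {cfg['policy.password.protocol']}")
    if "policy.password.expiring" in cfg:
        cfg["policy.password.expiring"] = int(cfg["policy.password.expiring"])  # minutes
    return cfg


def to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def lookup_account(entries, cfg, username):
    """Find the one entry whose login attribute equals username (AD attribute
    values compare case-insensitively).  Zero or several matches is a failed
    login, never a guess: the attribute was supposed to be unique."""
    attr = cfg["directory.account.login"]
    matches = [e for e in entries if e.get(attr, "").lower() == username.lower()]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} entries match {attr}={username!r}")
    return matches[0]


def password_change_prompt(entry, cfg, max_pwd_age, now):
    """Return 'expired', 'expiring' or 'ok' for the post-bind password check.
    max_pwd_age is the domain maximum password age (assumed supplied by the caller)."""
    if entry["pwdLastSet"] == 0:          # AD convention: must change at next logon
        return "expired"
    expires_at = from_filetime(entry["pwdLastSet"]) + max_pwd_age
    if now >= expires_at:
        return "expired"
    warn_minutes = cfg.get("policy.password.expiring")
    if warn_minutes is not None and expires_at - now <= timedelta(minutes=warn_minutes):
        return "expiring"
    return "ok"


# Constructed test data: a fixed clock, a 90-day domain policy and three users.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = timedelta(days=90)
DIRECTORY = [
    {"samAccountName": "alice", "mail": "alice@example.com", "mobile": "+358401234567",
     "pwdLastSet": to_filetime(NOW - timedelta(days=70))},   # expires in 20 days
    {"samAccountName": "bob", "mail": "bob@example.com", "mobile": "+358407654321",
     "pwdLastSet": to_filetime(NOW - timedelta(days=10))},   # expires in 80 days
    {"samAccountName": "carol", "mail": "carol@example.com", "mobile": "+358401234567",
     "pwdLastSet": 0},                                        # must change at next logon
]


def check_user(username, config_string=CONFIG_STRING):
    """Resolve a username with the configured attribute; return (account, prompt decision)."""
    cfg = parse_config(config_string)
    entry = lookup_account(DIRECTORY, cfg, username)
    return entry["samAccountName"], password_change_prompt(entry, cfg, MAX_PWD_AGE, NOW)


if __name__ == "__main__":
    for user in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(user, check_user(user))
    try:   # alice and carol share a mobile number, so mobile is not a safe login attribute here
        check_user("+358401234567", "directory.account.login=mobile")
    except LookupError as err:
        print("mobile lookup refused:", err)
```

The mobile case is the one to take away: before switching directory.account.login away from samAccountName, verify in the directory that the attribute is populated and unique for every account that is expected to log in, because a duplicate value turns into a failed login for both users rather than a silent match.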

AD OTP method

The Active Directory One-Time-Password authentication method allows you to authenticate with username, password and a one-time-password. The password is stored in Active Directory and the one-time-password list is stored in Ubisecure Directory.

This authentication method is not installed by default and must be added in the Ubisecure Management application.

To add the AD OTP Method, use the Ubisecure Management application with an Administrator account:

  1. Select Home → Global Method Settings (see Figure 5)

  2. Select New Method…

  3. Complete the Add New Method dialog

    1. Title: A human readable name describing this method. Shown in the management user interface and possibly in the end user interface if no localization is available.

    2. Name: A unique system reference to this method. This is used by administrators to identify this authentication method. Typical values are, for example: otp.ad.1, otp.ad.prod, otp.ad.test, otp.customer1, ubikey.otp.1

    3. Method Type: Select SPI Ubikey OTP Printout

      1. Method Class: This will be automatically filled in.

    4. Directory: Select the AD directory made in the previous step.

  4. Press OK

  5. The method configuration screen is shown, see Figure 6.

  6. SAML Authentication Context and SAML NameID Policy related configurations are described in the Management user interface - SSO. Changes to these settings are typically not required.

  7. Tick Enabled to enable the method

  8. Hidden will remove this method from any system generated authentication method selection menus. This is described in more detail in the Management user interface - SSO documentation. By default this is unselected.

  9. Limit Method Visibility specifies to which IP netmask ranges this method will be shown in any system generated authentication method selection menus. Leave blank to show it to all IP addresses. For AD-backed methods in a corporate environment, this is typically set to the netmask ranges of the domain users' network. This is described in more detail in the Management user interface - SSO documentation. By default this is blank.

  10. The Account Lockout Policy settings here apply to the OTP code entry part of the login process. Lockouts for the password part are governed by Active Directory, as for the AD password method.

    1. Lockout Threshold (attempts): How many times an incorrect OTP code can be entered before the account is locked.

    2. Lockout Duration (minutes): How many minutes the account stays locked once the lockout threshold is exceeded. Set the value to 0 to keep the account locked until a System Administrator or a Site Manager explicitly unlocks it.

  11. Set the password method to use with this OTP method in the Configuration string section. This is not mandatory if the password method name has already been set in the Directory Service (AD Directory) that this method uses.

    password-name=password.ad.1

    Further configuration can be made using the Configuration String settings described below.

  12. Press Update to record the settings. Some of the settings are written into the Configuration String section.
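The lockout policy in step 10 is easy to misconfigure in a way that is only noticed during an incident, so here is an added example (written for this page, not Ubisecure code) that implements the stated semantics in Python: count wrong OTP codes per account, lock after Lockout Threshold failures, release after Lockout Duration minutes, and with a duration of 0 keep the account locked until an explicit administrative unlock. The OtpLockout class, the user names, the code 482913 and the clock are constructed for the example; how Ubisecure SSO stores the printout list and counts attempts is not described on this page.

```python
"""Added example for this page (not Ubisecure code): the OTP-step lockout
semantics described above, with constructed users and a fixed clock."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int          # Lockout Threshold (attempts)
    duration_minutes: int   # Lockout Duration (minutes); 0 = until explicitly unlocked


@dataclass
class AccountState:
    failures: int = 0
    locked_at: Optional[datetime] = None


class OtpLockout:
    """Tracks failed OTP entries per account and enforces the lockout policy."""

    def __init__(self, policy):
        self.policy = policy
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        st = self._state(user)
        if st.locked_at is None:
            return False
        if self.policy.duration_minutes == 0:
            return True                           # only admin_unlock() clears this
        if now - st.locked_at >= timedelta(minutes=self.policy.duration_minutes):
            st.locked_at, st.failures = None, 0   # the lock has expired
            return False
        return True

    def verify(self, user, submitted, expected, now):
        """Return 'locked', 'ok' or 'wrong'.  The lock is checked before the code
        is compared, so a locked account leaks nothing about the expected code."""
        if self.is_locked(user, now):
            return "locked"
        st = self._state(user)
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.threshold:
            st.locked_at = now
            return "locked"
        return "wrong"

    def admin_unlock(self, user):
        """Explicit unlock by a System Administrator or Site Manager."""
        self.accounts[user] = AccountState()


def run_scenario(duration_minutes):
    """Three wrong codes, then the right code 1 and 20 minutes later; with a
    0-minute policy also an admin unlock followed by the right code.
    Returns the list of outcomes in order."""
    t0 = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    lock = OtpLockout(LockoutPolicy(threshold=3, duration_minutes=duration_minutes))
    expected = "482913"   # constructed: the next code on the user's printout
    results = [lock.verify("alice", bad, expected, t0)
               for bad in ("000000", "111111", "222222")]
    results.append(lock.verify("alice", expected, expected, t0 + timedelta(minutes=1)))
    results.append(lock.verify("alice", expected, expected, t0 + timedelta(minutes=20)))
    if duration_minutes == 0:
        lock.admin_unlock("alice")
        results.append(lock.verify("alice", expected, expected, t0 + timedelta(minutes=20)))
    return results


if __name__ == "__main__":
    print("15 minute lockout:", run_scenario(15))
    print("lock until admin unlock:", run_scenario(0))
```

Note that the third wrong code locks the account immediately and the correct code one minute later is still refused: the threshold counts attempts, not successes, and a correct code during the lockout window must not clear it, otherwise an attacker who is guessing the printout codes gets an unlimited number of tries as long as one guess per window is right.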