SSO Management customization

Ubisecure SSO Management can be customized by enabling confirmation prompt on delete or remove operations and by disabling context menu items.

Disabling Context Menu items

Context menus can be disabled for Site Managers. Disabling context menus does not affect to System Administrators view. System Administrators have access to all entities in Ubisecure SSO Management application.

Context menu can be disabled on a Site scoped basis. This means, that when Context Menu items are disabled for a particular Site, the changes will also take effect recursively to all child objects in the Site hierarchy. Also, definitions will stack, which means that definitions declared for a parent site will also apply to the site's children, even when they have their own definitions.

Disabling Context Menu items makes it possible to restrict functionality on a single Site or a set of Sites. For example, it is possible to dedicate a site for user management tasks only and have all of the excess functionality removed by defining a ruleset definition for that site.

Figure 1, Figure 2 and Figure 3 illustrate the final result of a customized context menu ruleset.

Figure 1: This Organization Site has only the Site, Group and Users context menus enabled. Only groups and users can be managed at this level.


Figure 2: This Group's Site has only the Site and Groups context menus enabled. Only groups can be managed at this level.


Figure 3: This user's site has only the Site and Users context menus enabled. Only users can be managed at this level.


Defining a ruleset

Rulesets are configured by means of properties files in XML format, where each entry consists of the Site's Distinguished Name as the key and the restricted Context Menu item identifiers as whitespace delimited values.

Context Menu displayed

Identifier

Site Administrators

site/managedby

Applications

site/agents

Groups

site/groups

Users

site/users

Mappings

site/mappings

Authorization Policies

site/attributes

Site Methods

site/methods

Table 1. Context Menu Items of the Site object


Context Menu displayed

Identifier

Users

group/users

Groups

group/groups

Dynamic Members

group/memberurl

Attribute Members

group/attributemembers

Member Of

group/memberof

Allowed Applications

group/agents

Allowed Methods

group/methods

Authorization

group/attributes

Table 2. Context Menu Items of the Group object


Context Menu displayed

Identifier

Users

mapping/users

Applications

mapping/agents

Table 3. Context Menu Items of the Mappings object


Context Menu displayed

Identifier

Methods

user/methods

Member Of

user/memberof

Mappings

user/mappings

Table 4. Context Menu Items of the User object

Rulesets can only be defined, when it is known what Distinguished Name the target site has – or will have. In an LDAP directory tree, all Site objects are of the objectClass Organizational Unit (OU). The root of Ubisecure Directory is the Common Name (CN) "Ubilogin", followed by a number of Domain Components (DC), which are derived from the uas.url configuration parameter in win32.config file (or unix.config file.)

A Ruleset Example

If the uas.url parameter is in the form of "uas.url=http://www.example.com:8443", then the root of Ubisecure Directory is "cn=Ubilogin,dc=www,dc=example,dc=com".

If a new Site is created in the Site hierarchy called "Sample Site", the distinguished name would be "ou=Sample Site,cn=Ubilogin,dc=www,dc=example,dc=com".

Creating a new Site below the Sample Site, called Users, would have a distinguished name of "ou=Users,ou=Sample Site,cn=Ubilogin,dc=www,dc=example,dc=com". Hiding of the Applications and Methods items from the Context Menu for this Site's main view and additionally hiding the "Dynamic Members" item from the configuration of this Site's group objects is possible by placing the following ruleset.xml file in the UBISECURE_HOME/ubilogin/WEB-INF folder:

Listing 1. UBISECURE_HOME/ubilogin/WEB-INF/ruleset.xml
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
	<entry key="ou=Users,ou=Sample Site,cn=Ubilogin,dc=www,dc=example,dc=com">
		site/agents site/methods
		group/memberurl
	</entry>
</properties>

Furthermore, the changes will come into effect when the application is redeployed to the application server using the update command.

Listing 2. Update the Ubisecure SSO application and configurations on Windows
cd /d %UBISECURE_HOME%\config\tomcat
update.cmd


Listing 3. Update the Ubisecure SSO application and configurations on Linux
cd $UBISECURE_HOME\ubilogin\config\tomcat
./update.sh

Enabling Confirmation Prompt on Delete or Remove Operations

It is possible to have Ubisecure SSO Management, as a precaution to accidental removal, display a confirmation dialog every time object or attribute deletion or removal is initiated. This feature is enabled by opening the ubilogin.properties file from the UBISECURE_HOME/ubilogin/WEB-INF folder and setting the following value:

Listing 4. Enable confirmation prompt option in UBISECURE_HOME/ubilogin/WEB-INF/ubilogin.properties
com.ubisecure.ubilogin.admin.ui.prompt_on_delete=true

This setting will come to effect when the settings are merged into the Ubisecure SSO applications and the application is redeployed to the application server.

Excluding Top-Level Sites from Site Navigator

Top level sites can be explicitly excluded from site navigator from all users including system administrator. This is practical in cases, where the site contains so many sub items (users, applications, groups, etc) that it slows the Management application down.

Listing 5. Enable top-level site exclusion in UBISECURE_HOME/ubilogin/WEB-INF/ubilogin.properties
com.ubisecure.ubilogin.admin.ui.excluded-sites = eIDM Users, eIDM Mandates

Limiting the Number of Results Shown in Lists

The number of results shown in lists of users, groups and applications can be limited to a certain value or disabled.

Listing 6. Enable confirmation prompt option in UBISECURE_HOME/ubilogin/WEB-INF/ubilogin.properties
# list size limit (default is 1500, use 0 to disable limit)
com.ubisecure.ubilogin.admin.ui.size-limit = 1500