SAML IDP Proxy
Introduction
NOTE: Ubisecure product names were unified in autumn 2011. All products whose names started with the term "Ubilogin" were renamed to start with the term "Ubisecure". In the documentation this name change is applied retroactively, i.e., the new naming is used also when referring to old software versions that were released under the "Ubilogin" name.
Ubisecure SSO Server is a standards-based Identity Provider (IDP). One of the roles of an Identity Provider is to enable federation of user identities from one independent domain to another. Federation is the term for the functionality that hands a user over from one IDP to another, separate IDP.
Ubisecure SSO provides the SAML and WS-Federation protocols for identity federation. This page describes how to integrate another domain with a Ubisecure identity domain using the SAML 2.0 protocol, by creating an IDP Proxy authentication method that authenticates users from the other domain on behalf of the SPs in the Ubisecure identity domain.
The process of creating a trust relationship from another domain to Ubisecure SSO Server follows the procedure described in the SSO Management documentation, where the other domain is treated as a SAML Service Provider.
Figure 1. Trust relationships between 2 domains
Installation
This chapter goes through the necessary steps to make Ubisecure SSO Server trust another SAML Identity Provider and to configure the IDP Proxy authentication method.
Configuring Ubisecure Authentication Server as a Trusting Party
Add the trust relationship to the Ubisecure Directory
The IDP Proxy authentication method is added to the Ubisecure Directory by importing an LDIF file. Replace the dn and cn attributes with the name of the IDP Proxy instance and use the following script to import the LDIF into the Ubisecure Directory. At a minimum, you must change the last part of the distinguished name from dc=localhost to the distinguished name of your local Ubisecure Directory.
You can find an example LDIF excerpt at the end of ubilogin/ldap/methods.ldif under the title SAML Federation.
#
# SAML Federation
#
dn: cn=saml.idp.1,cn=Server,ou=System,cn=Ubilogin,dc=localhost
changetype: add
cn: saml.idp.1
objectClass: top
objectClass: ubiloginAuthMethod
ubiloginAuthMethodType: SAML
ubiloginClassname: ubilogin.method.provider.saml2.AssertionConsumerMethod
ubiloginEnabled: FALSE
ubiloginTitle: Remote IDP
Windows (ADAM):
cd /d "C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\ldap"
adam\import.cmd idp-proxy.ldif
Linux (OpenLDAP):
cd /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap
openldap/import.sh idp-proxy.ldif
Import the Identity Provider metadata
Log into Ubisecure Server Management with System Administrator privileges. Navigate to the Server Authentication Methods view. Open the settings of the IDP Proxy method you just installed and choose the SAML view. Click Upload SAML Metadata and either upload the Identity Provider's metadata file or copy and paste the metadata.
Export the SAML service provider metadata
Click Download SAML Metadata to download the Service Provider metadata and save it; you will need it to register Ubisecure SSO Server as a Service Provider at the Identity Provider in the other identity domain.
Once you have configured your Identity Provider to accept SAML authentication requests from Ubisecure SSO Server, the IDP Proxy method has been set up.
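The two manual edits in this procedure, renaming the LDIF entry for your instance and directory DN, and making sure what you upload really is Identity Provider metadata, are easy to get wrong. The following is an added helper, not part of the Ubisecure product or this page: it renders the SAML Federation LDIF entry for a given instance name and base DN (refusing the dc=localhost placeholder), and does a pre-upload sanity check of an IdP metadata document (root element, IDPSSODescriptor present, a signing certificate, the SingleSignOnService endpoints). The sample metadata and the entityID/URLs in it are constructed.

```python
import re
import xml.etree.ElementTree as ET  # use defusedxml for metadata from untrusted sources

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def build_idp_proxy_ldif(instance, base_dn):
    """Render the SAML Federation LDIF entry for one IDP Proxy instance."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", instance):
        raise ValueError("instance name must be a plain RDN value: %r" % instance)
    if base_dn.strip().lower() == "dc=localhost":
        raise ValueError("replace dc=localhost with the DN of your Ubisecure Directory")
    dn = f"cn={instance},cn=Server,ou=System,cn=Ubilogin,{base_dn}"
    entry = [
        f"dn: {dn}", "changetype: add", f"cn: {instance}",
        "objectClass: top", "objectClass: ubiloginAuthMethod",
        "ubiloginAuthMethodType: SAML",
        "ubiloginClassname: ubilogin.method.provider.saml2.AssertionConsumerMethod",
        "ubiloginEnabled: FALSE",  # keep disabled until the IdP metadata is uploaded
        "ubiloginTitle: Remote IDP",
    ]
    return "\n".join(entry) + "\n"

def check_idp_metadata(xml_text):
    """Return (entityID, {binding: location}, has_signing_cert) or raise if unusable."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # SP metadata carries SPSSODescriptor instead; it would be the wrong file here
        raise ValueError("no IDPSSODescriptor: this is not Identity Provider metadata")
    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    signing = any(k.get("use") in (None, "signing")
                  and k.find(".//ds:X509Certificate", NS) is not None
                  for k in idp.findall("md:KeyDescriptor", NS))
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return root.get("entityID"), sso, signing

# Constructed sample IdP metadata (placeholder certificate, not a real deployment).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBconstructedPlaceholder=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.org/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Write the string returned by build_idp_proxy_ldif to idp-proxy.ldif and import it with the script for your platform; run check_idp_metadata on the file you intend to upload and reject it if no signing certificate is reported.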
Sending AssertionConsumerServiceURL in the Authentication Message
Ubisecure SSO can include in the authentication request the AssertionConsumerServiceURL of the assertion consumer service associated with the IDP Proxy authentication method. This feature is turned on with the compatibility flag 'SendAssertionConsumerServiceURL'. Note that the receiving Identity Provider is expected to check that the URL matches an endpoint in the Service Provider metadata it holds for Ubisecure SSO Server before sending the response there.
Figure 2. SAML authentication method with SendAssertionConsumerServiceURL feature enabled