Basic LDAP integration - Ubisecure Password

Ubisecure Password is a web application that provides a user interface for changing and resetting a password. It is included in the Ubisecure SSO Server installation package and needs to be activated. Ubisecure Password uses the same JNDI configuration as the external directory password authentication method. Please make sure that the external directory password authentication method works before proceeding to the Ubisecure Password installation. 

The password reset application is shown below

Figure 1. Password Reset Application

Password Properties

The Ubisecure Password web application has some properties that need to be defined to the ubilogin-sso/ubilogin/webapps/password/WEB-INF/password.properties file.

Listing 1. Password Properties
# authentication method name
com.ubisecure.ubilogin.password.method = password.external.1
 
# for ldap directory method specifies path to ldap connection properties
directory.jndi.properties = C:/Program Files/Ubisecure/ubilogin-sso/ubilogin/custom/jndi1.properties

Ubisecure Password SP Activation

First install the UAS SAML metadata by selecting the [SAML 2.0] link on the Ubisecure Server Management front page. Save the metadata file in the directory
ubilogin-sso/ubilogin/webapps/password/WEB-INF/saml2/sp/metadata.

Figure 2. Select SAML 2.0 to save IDP metadata file.

Then generate the SP identity and metadata. Use your public visible hostname in the Generate command URL parameter.

Generate SAML SP identity and metadata (in Windows use '\' instead of '/')

Listing 2. Generate SAML SP identity and metadata (in Windows use '\' instead of '/')
ubilogin-sso> java/bin/java -jar ubilogin/webapps/password/WEB-INF/lib/ubisaml2.jar Generate https://idp.example.com/password/spsso -y -o ubilogin/webapps/password/WEB-INF/saml2/sp
ubilogin-sso> java/bin/java -jar ubilogin/webapps/password/WEB-INF/lib/ubisaml2.jar Metadata ubilogin/webapps/password/WEB-INF/saml2/sp -f password.xml

In Ubisecure Server Management, select System → Password → Applications → Password → Activate. Then upload the generated ubilogin-sso/password.xml file.

Figure 3. Select Activate to upload SAML Metadata of the Password application

Configure Mail Settings

Ubisecure Password uses email when performing the password reset functionality. Mail settings need to be configured to the ubilogin-sso/ubilogin/webapps/password/WEB-INF/web.xml file. Uncomment the context-param elements that contain mail.smtp.host and mail.smtp.from param-names. Edit the param-values according to your environment.

Listing 3. Excerpt from ubilogin-sso/ubilogin/webapps/password/WEB-INF/web.xml
    <context-param>
        <param-name>mail.smtp.host</param-name>
        <param-value>smtp-gw.example.com</param-value>
    </context-param>
    <context-param>
        <param-name>mail.smtp.from</param-name>
        <param-value>password@example.com</param-value>
    </context-param>

Enable Access to Ubisecure Password

  • In Ubisecure Server Management, navigate to the Password site:select System → Password
  • Add the password.external.1 authentication method to the site: select Site Methods → Add… → password.external.1 → OK
  • Add external directory users to the Password Users group by using the dynamic members functionality (The following configuration is just an example. You will probably have a more detailed definition for the included users):

Select Groups → Password Users → Dynamic Members → Add

    • Server:  ldaps://pdc.example.com/
    • Distinguished Name: dc=example,dc=com
    • Attributes: <empty>
    • Scope: sub
    • Filter: (objectClass=person)
    • Extensions: <empty>
  • Enable password.external.1 authentication method for the Password web application : select the site Password → Applications → Password → Allowed Methods → password.external.1 → Update

Enable Password Web Application

Remove the file ubilogin-sso/tomcat/conf/Ubilogin/idp.example.com/password.xml. Then run update the update:

Listing 4. Update Ubisecure Server in Windows
C:\Program Files\Ubisecure\ubilogin-sso\ubilogin> config\tomcat\update.cmd
Listing 5. Update Ubisecure Server in Linux
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server stop
/usr/local/ubisecure/ubilogin-sso/ubilogin# ./config/tomcat/update.sh
/usr/local/ubisecure/ubilogin-sso/ubilogin# /etc/init.d/ubilogin-server start