Use Directory User Mapping with SQL databases
- Keith Uber
- Former user (Deleted)
In order to use Directory User Mapping with SQL databases, additional configuration is required.
It is enabled by configuring a REST service to be called during the login event, which will return the user ID that will be used in the SQL query to find the user account.
The REST call is made using a GET call and the response must be in XML format. The format of the query string used in the GET call is configurable and can include user attributes variables received from the method. The format of the XML response is flexible, as the attribute used for future processing is targeted from the response using an XPATH parameter.
NOTE: The returned value from the REST call must differ from the original sub value in order for directory user mapping to be executed using the returned value.
If HTTPS is used for the backend service, the issuer of the server SSL certificate used by the backend service must be trusted by the java used by Ubilogin SSO components.
Example 1
The following configfuration attributes must be added to the authentication method in the LDAP directory using an LDAP editor tool or ldif import technique:
# define the REST call to be made
# in this example the URL
# http://localhost:8000/backend/userid.aspx?userid=${method.sub}
# will be called containing the subject as the userid parameter
# the response is in the format
# <user><userid>jsmith</userid></user>
# where the user id jsmith is retrieved using the XPath statement
# /user/userid
# This definition could be shared by multiple methods or directories
dn: cn=RESTService,cn=Services,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
changetype: add
objectClass: ubiloginService
objectClass: top
cn: RESTService
ubiloginClassname: com.ubisecure.ubilogin.restclient.impl.UbiloginRestClientFactory
ubiloginServiceOutputParameter: directory.login /user/userid
ubiloginServiceTemplate: https://localhost:8000/backend/userid.aspx?userid=${method.sub}
ubiloginTitle: REST Service
# define the mapping to be used
dn: cn=SQL Mapping,cn=Server,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
changetype: add
objectClass: ubiloginLDAPURLUserMappingTable
objectClass: top
cn: SQL Mapping
# point the mapping to the directory service which will be used for lookup once
# the directory.login is resolved
dn: cn=0529f14a-7fec-4967-be26-8aaa6c459f09,cn=SQL Mapping,cn=Server,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
changetype: add
objectClass: ubiloginServiceUserMappingEntry
objectClass: ubiloginServiceReference
objectClass: top
ubiloginDirectoryServiceDN: cn=PostgreSQL External DB,cn=Services,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
ubiloginServiceDN: cn=RESTService,cn=Services,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
cn: 0529f14a-7fec-4967-be26-8aaa6c459f09
# attach the mapping to the authentication method
# relate the user directory authentication method
dn: cn=password.skuid,cn=Server,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
changetype: modify
replace: ubiloginLDAPURLUserMappingTableDN
ubiloginLDAPURLUserMappingTableDN: cn=SQL Mapping,cn=Server,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
-
replace: ubiloginDirectoryServiceDN
ubiloginDirectoryServiceDN: cn=PostgreSQL External DB,cn=Services,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
-
An example response message from REST service at http://localhost:8000/backend/userid.aspx?userid=${method.sub}
<user> <userid>jsmith</userid> </user>
Example 2
This examples shows how to return a different user ID in order to initiate Directory User Mapping for SQL databases.
For example, if the authentication provider can return a national ID number, but the relationship between a national ID number and the user ID is only available via an external service.
An example response message from REST service at http://localhost:8000/backend/userid.aspx?ssn=${method.ssn}
<user> <ssn>232342343</ssn> <email>jsmith@company.com</email> </user>
The configuration used in Example 1 would be similar, except for the following two changes
ubiloginServiceOutputParameter: directory.login /user/email
ubiloginServiceTemplate: https://localhost:8000/backend/userid.aspx?ssn=${method.ssn}