Use Directory User Mapping with SQL databases
In order to use Directory User Mapping with SQL databases, additional configuration is required.
It is enabled by configuring a REST service that is called during the login event and returns the user ID to be used in the SQL query that finds the user account.
The REST call is made as a GET request and the response must be in XML format. The format of the query string used in the GET request is configurable and can include variables that reference user attributes received from the authentication method. The format of the XML response is flexible, because the attribute used for further processing is selected from the response with an XPath parameter.
NOTE: The value returned by the REST call must differ from the original sub value; only then is directory user mapping executed using the returned value.
If HTTPS is used for the backend service, the issuer of the server SSL/TLS certificate used by the backend service must be trusted by the Java runtime used by the Ubilogin SSO components.
Example 1
The following configuration attributes must be added to the authentication method in the LDAP directory using an LDAP editor tool or an LDIF import:
# define the REST call to be made
# in this example the URL
# http://localhost:8000/backend/userid.aspx?userid=${method.sub}
# will be called containing the subject as the userid parameter
# the response is in the format
# <user><userid>jsmith</userid></user>
# where the user id jsmith is retrieved using the XPath statement
# /user/userid
# This definition could be shared by multiple methods or directories
dn: cn=RESTService,cn=Services,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
changetype: add
objectClass: ubiloginService
objectClass: top
cn: RESTService
ubiloginClassname: com.ubisecure.ubilogin.restclient.impl.UbiloginRestClientFactory
ubiloginServiceOutputParameter: directory.login /user/userid
ubiloginServiceTemplate: https://localhost:8000/backend/userid.aspx?userid=${method.sub}
ubiloginTitle: REST Service

# define the mapping to be used
dn: cn=SQL Mapping,cn=Server,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
changetype: add
objectClass: ubiloginLDAPURLUserMappingTable
objectClass: top
cn: SQL Mapping

# point the mapping to the directory service which will be used for lookup once
# the directory.login is resolved
dn: cn=0529f14a-7fec-4967-be26-8aaa6c459f09,cn=SQL Mapping,cn=Server,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
changetype: add
objectClass: ubiloginServiceUserMappingEntry
objectClass: ubiloginServiceReference
objectClass: top
ubiloginDirectoryServiceDN: cn=PostgreSQL External DB,cn=Services,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
ubiloginServiceDN: cn=RESTService,cn=Services,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
cn: 0529f14a-7fec-4967-be26-8aaa6c459f09

# attach the mapping to the authentication method
# relate the user directory authentication method
dn: cn=password.skuid,cn=Server,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
changetype: modify
replace: ubiloginLDAPURLUserMappingTableDN
ubiloginLDAPURLUserMappingTableDN: cn=SQL Mapping,cn=Server,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
-
replace: ubiloginDirectoryServiceDN
ubiloginDirectoryServiceDN: cn=PostgreSQL External DB,cn=Services,ou=System,cn=Ubilogin,dc=sso,dc=example,dc=com
-
An example response message from the REST service at http://localhost:8000/backend/userid.aspx?userid=${method.sub}:
<user>
  <userid>jsmith</userid>
</user>
Example 2
This example shows how to return a different user ID in order to initiate Directory User Mapping for SQL databases.
This applies, for example, when the authentication provider can return a national ID number, but the relationship between that national ID number and the user ID is only available via an external service.
An example response message from the REST service at http://localhost:8000/backend/userid.aspx?ssn=${method.ssn}:
<user>
  <ssn>232342343</ssn>
  <email>jsmith@company.com</email>
</user>
The configuration used in Example 1 would be similar, except for the following two changes:
ubiloginServiceOutputParameter: directory.login /user/email
ubiloginServiceTemplate: https://localhost:8000/backend/userid.aspx?ssn=${method.ssn}
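The following Python walks through the lookup that Example 1 and Example 2 configure: expanding the ${method.…} variables in the service template, fetching the XML, selecting the value with the XPath from ubiloginServiceOutputParameter, applying the rule that the returned value must differ from sub, and finally using the resolved directory.login in a parameterised SQL query. It is an added example, not Ubisecure's code or the behaviour of the UbiloginRestClientFactory class. It assumes: the backend at https://localhost:8000/backend/userid.aspx is replaced by constructed XML replies keyed on the query string; the subject value 1000123 and the self-mapping user jdoe are constructed; an in-memory SQLite table stands in for the PostgreSQL External DB, and the column that holds the login is an assumption, since that depends on how the external DB service is configured.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

# Constructed stand-in for the backend at https://localhost:8000/backend/userid.aspx:
# the query string of the GET request selects a canned XML reply.
SAMPLE_BACKEND = {
    "userid=1000123": "<user><userid>jsmith</userid></user>",
    "userid=jdoe": "<user><userid>jdoe</userid></user>",  # returns the sub itself
    "ssn=232342343": "<user><ssn>232342343</ssn><email>jsmith@company.com</email></user>",
}

# The two REST service definitions from the page (only the attributes used here).
EXAMPLE_1 = {
    "ubiloginServiceOutputParameter": "directory.login /user/userid",
    "ubiloginServiceTemplate": "https://localhost:8000/backend/userid.aspx?userid=${method.sub}",
}
EXAMPLE_2 = {
    "ubiloginServiceOutputParameter": "directory.login /user/email",
    "ubiloginServiceTemplate": "https://localhost:8000/backend/userid.aspx?ssn=${method.ssn}",
}

TEMPLATE_VAR = re.compile(r"\$\{method\.([A-Za-z0-9_]+)\}")


def expand_template(template, method_attrs):
    """Fill ${method.<attr>} placeholders from the attributes the method returned.
    Values are percent-encoded so an attribute value cannot add query parameters."""
    def replace(match):
        name = match.group(1)
        if name not in method_attrs:
            raise KeyError(f"method attribute {name!r} was not returned at login")
        return quote(str(method_attrs[name]), safe="")
    return TEMPLATE_VAR.sub(replace, template)


def parse_output_parameter(spec):
    """'directory.login /user/userid' -> ('directory.login', '/user/userid')."""
    name, xpath = spec.split(None, 1)
    return name, xpath.strip()


def extract_xpath(xml_text, xpath):
    """Text of the element an absolute XPath selects, or None if absent or empty.
    ElementTree rejects absolute paths, so the root step is checked by hand."""
    root = ET.fromstring(xml_text)
    steps = [s for s in xpath.split("/") if s]
    if not steps or steps[0] != root.tag:
        return None
    node = root.find("/".join(steps[1:])) if len(steps) > 1 else root
    if node is None or node.text is None:
        return None
    return node.text.strip() or None


def sample_get(url):
    """Replaces the HTTPS GET; a real client must verify the backend certificate chain."""
    query = urlsplit(url).query
    if query not in SAMPLE_BACKEND:
        raise LookupError(f"no constructed reply for query {query!r}")
    return SAMPLE_BACKEND[query]


def resolve_directory_login(service, method_attrs, http_get=sample_get):
    """Return the value to use as directory.login, or None when the backend returned
    nothing usable or the original sub (then no mapping is executed, as the NOTE says)."""
    url = expand_template(service["ubiloginServiceTemplate"], method_attrs)
    _, xpath = parse_output_parameter(service["ubiloginServiceOutputParameter"])
    value = extract_xpath(http_get(url), xpath)
    if value is None or value == method_attrs.get("sub"):
        return None
    return value


def build_sample_db():
    """Constructed in-memory table standing in for the PostgreSQL External DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO accounts VALUES ('jsmith', 'jsmith@company.com')")
    return conn


def find_account(conn, login):
    """The SQL lookup with the resolved login: a bound parameter, never string building.
    Which column holds the login is an assumption; it depends on the external DB service."""
    row = conn.execute(
        "SELECT username, email FROM accounts WHERE username = ? OR email = ?", (login, login)
    ).fetchone()
    return None if row is None else {"username": row[0], "email": row[1]}


if __name__ == "__main__":
    db = build_sample_db()
    for service, attrs in ((EXAMPLE_1, {"sub": "1000123"}),
                           (EXAMPLE_2, {"sub": "1000123", "ssn": "232342343"})):
        login = resolve_directory_login(service, attrs)
        print(service["ubiloginServiceOutputParameter"], "->", login, find_account(db, login))
```

Two points worth noticing when running it: the jdoe case returns None because the backend echoed the sub back, which is exactly the situation the NOTE describes, and the percent-encoding in expand_template is what keeps an attribute value such as a&b=c from turning into a second query parameter on the backend call.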