About this documentation

NOTE: Ubisecure product names were unified in autumn 2011. All products which started with term "Ubilogin" were renamed to start with term "Ubisecure". In documentation this name change is implemented retroactively, i.e., the new naming practice is used also when referring to old software versions which started with term "Ubilogin" at the time of their release.

Ubisecure SSO

This documentation describes how Ubisecure SAML Service Provider for ASP.NET (later Ubisecure SAML SP or SAML SP) is installed and configured on supported web and application servers.

The Ubisecure SSO (Single Sign-On) is an access management solution that enables single sign-on user authentication using a selection of authentication methods: username and password, One-Time Passwords, smart card (or other client certificate), or GSM short messages (plain text or signed) etc.

The key functionality of Ubisecure SSO is to offer single sign-on to web applications with a selection of authentication methods to best serve the needs of the application or user level in question.

Ubisecure SSO authentication process

Ubisecure SSO product versions 3.1 and newer support the Oasis-Open's (http://www.oasis-open.org/) SAML 2.0 protocol. The trust model of Ubisecure and SAML is shown in Figure 1 below. Ubisecure Authentication Server (UAS) acts as the Identity Provider and Ubisecure SAML SP implements the Service Provider.


Figure 1. Client authenticates to the Identity Provider (IDP) and Service Provider (SP) trusts the assertions of IDP about Client's identity

Ubisecure SAML SP for ASP.NET

Ubisecure SAML SP for ASP.NET enables the SAML 2.0 protocol based sign-on and logout process on Microsoft .NET Framework 2.0 compliant web and application servers.

For more information regarding SAML integration, please refer to the /wiki/spaces/DOC/pages/43548672.

Requirements

System requirements

Ubisecure Server 4.x, 5.x, 6.x or later as an Identity Provider
Windows Server 2003 for Service Provider
- Internet Information Services 6.0
- Microsoft .NET Framework 2.0
Windows Server 2008 Server R2 for Service Provider
- Internet Information Services 7.0/7.5
- Microsoft .NET Framework 2.0, 3.5, or 4.0 or 4.5
Windows Server 2012 for Service Provider
- Internet Information Services 8.0/8.5
- Microsoft .NET Framework 2.0, 3.5, 4.0 or 4.5

System time of SP system must be continually synchronized with the time of the IDP by using an NTP server.

For security reasons, the SAML standard specifies strict time limits on transaction processing times to prevent unauthorized use. Failure to synchronize the time between the IDP and SP machines will cause authentication failures.

Before beginning installation, please ensure that you have a working application installed and running using ASP.NET

Installation Checklist

Installation and configuration of the SAML SP is performed in the order according to the table below. Instructions are provided in the following pages.

Step	Task
1	Ensure all system requirements are met, clocks are synchronized and ASP.NET applications can be accessed from remote user's browsers
2	Install SAML SP for ASP.NET to the program files directory and the .Net application bin directory
3	Create the SAML Service Provider Identity file `identity.properties`
4	Generate the SAML Service Provider metadata and upload the metadata to the SAML IDP
5	Get the metadata of the SAML IDP and save it on SAML SP server
6	If necessary, get the Attribute Authority metadata of the SAML IDP and save on SAML SP server
7	Configure `web.config` for forms authentication using the `ServiceProviderAuthentication` module.
8	Confirm that `web.config` is correctly configured. Attempts to access resources that require authentication should be redirected to the IDP for authentication.
9	Check metadata is available from the address `/spsso.ashx/saml2/metadata.xml`
10	Complete application integration using `IAssertionIdentity` object or ASP.NET Roles, if required.
11	Configure timeouts at the application, server and Web Application levels.
12	Configure logout links appropriately
13	Review and test error handling process flows. Check cancelled login attempts.
14	Implement additional features as required using the API.
15	Perform security audit

Installing the software

Before installing Ubisecure SAML SP for ASP.NET, please make sure that the system requirements are met.

Required files

Ubilogin SAML SP for ASP.NET_1.3.30.zip
- The Service Provider installer package.

Unzip the file contents to the C:\Program Files\Ubisecure\ Ubisecure.SAML2.ServiceProvider directory. See Figure 2.


Figure 2. Software extracted from the zip using Windows Extract All function.


Figure 3. Software is installed in the `Program Files` directory

Installer Package Contents

Installation Directory:

Windows Server 2003/2008/2012:
- C:\Program Files\Ubisecure\Ubisecure.SAML2.ServiceProvider

Bin\
- Service Provider configuration tool
- saml2.exe
- Service Provider executables. These files must be copied to the bin directory of any integrated ASP.Net application.
  - Ubisecure.SAML2.dll
  - Ubisecure.SAML2.Schema.dll
  - Ubisecure.SAML2.ServiceProvider.dll
  - Ubisecure.SAML2.ServiceProvider.SharePoint.dll
  - Ubisecure.Util.dll
Samples\
- Configuration and integration samples.
- Sharepoint configuration files.
  - Sharepoint
- web.config for IIS6
  - WebApplication
- web.config for IIS7, /IIS7.5 and IIS8
  - WebApplication-2008
Docs\Ubisecure.SAML2.ServiceProvider.html
- API documentation for Ubisecure.SAML2.ServiceProvider.dll

Configuration Files:

Windows Server 2003:
- C:\Documents and Settings\All Users\Application Data\Ubisecure\Ubisecure.SAML2.ServiceProvider
Windows Server 2008/2012:
- C:\ProgramData\Ubisecure\Ubisecure.SAML2.ServiceProvider
The folder for Service Provider configuration files. Note ProgramData is often hidden by default.


Figure 4. Installed DLL files

Copy the 5 DLL files from the bin directory to the bin directory of the application.

Identity Server 8.2

SAML SP for ASP.NET installation guide