...
Universal Controller uses SAML Single Sign-On for authentication and User Provisioning. All user and group authorization must be configured within Universal Controller through Permission and Role assignment.
...
Any user created from SAML assertion attributes during the single sign-on process is considered an Identity Provider-sourced user. See Attribute Mappings in Single Sign-On Settings.
User Field Defaults
Single Sign-On provisioned users are created with the following default field values:
Field | Value |
---|---|
User Password | random, 32-characters |
Password Requires Reset | true |
Login Method | Single Sign-On |
Web Browser Access | - - System Default - - |
Command Line Access | - - System Default - - |
Web Service Access | - - System Default - - |
...
However, Universal Controller allows an administrator to customize the Service Provider Entity ID by specifying a Service Provider Entity ID Subdomain in the Single Sign-On Settings in the user interface.
For example, a Service Provider Entity ID Subdomain value of dev would allow for a Service Provider Entity ID of https://dev.uc.stonebranch.com/sp.
...
To configure the SP Entity Base URL to a specific value, an administrator can specify the Service Provider Entity Base URL in the Single Sign-On Settings in the user interface.
The following table documents the SAML endpoints, and their supported bindings, contained within the Universal Controller Service Provider metadata.
...
You can specify the location of the Identity Provider metadata file in the Single Sign-On Settings Details of the user interface. By default, on initial start-up, the Controller automatically populates the Identity Provider metadata file setting with a value of ${catalina.base}/conf/saml/idp.xml.
...
To create the JKS keystore file, with the default private key, assuming your Identity Provider does not require that keys be signed by a specific certification authority, you can use the Java keytool utility to generate a self-signed key, entering the distinguished name information when prompted.
...

```shell
keytool -genkeypair -keyalg RSA -sigalg SHA256withRSA -alias ucsaml -keypass ucsaml -keystore samlKeystore.jks -storepass ucsaml -storetype JKS
```
To import a key signed by a certification authority, which is typically provided in .p12/.pfx format (or can be converted to .p12/.pfx format using OpenSSL), you can use the following keytool command.

```shell
keytool -importkeystore -srckeystore key.p12 -srcstoretype PKCS12 -srcstorepass password -alias alias -destkeystore samlKeystore.jks -destalias ucsaml -destkeypass ucsaml
```
To determine the alias available in the p12 file, you can use the following command.
...
```shell
keytool -list -keystore key.p12 -storetype pkcs12
```
If your Identity Provider metadata is signed, to verify trust of the signature, Universal Controller will use all keys found in the configured keystore. To import the public certificate of the metadata signature, you can use the following keytool command.
```shell
keytool -importcert -alias alias -keystore samlKeystore.jks -file signature.cer
```
The location of the KeyStore File can be specified from the Single Sign-On Settings in the user interface. However, by default, Universal Controller automatically populates the KeyStore File setting with a value of ${catalina.base}/conf/saml/samlKeystore.jks on initial start-up.
...
If your Identity Provider requires that you upload the public key certificate for the SAML Single Logout profile, you can export the certificate from the JKS keystore as follows.
```shell
keytool -exportcert -alias ucsaml -file ucsaml.cer -keystore samlKeystore.jks -storepass ucsaml -storetype JKS
```
Java Cryptography Extension (JCE)
...
An administrator can turn on/off and configure SAML Single Sign-On through the user interface.
Note |
---|
Each Universal Controller cluster node maintains its own Single Sign-On Settings configuration, associated by Node Id. Therefore, you must complete the Single Sign-On Settings configuration for each deployed cluster node, including the Active node and any Passive nodes. The Identity Provider Metadata File and KeyStore File, by default located under ${catalina.base}/conf/saml/, must be accessible to each cluster node. |
Step 1 | From the Administration navigation pane, select Configuration > Single Sign-On Settings. The Single Sign-On Settings page displays. |
---|---|
Step 2 | Enter / select your Single Sign-On Settings, using the field descriptions below as a guide. |
Step 3 | Click the button. |
For information on how to access additional details - such as Metadata and complete database Details - for Single Sign-On Settings (or any type of record), see Records.
...
Field Name | Description |
---|---|
Details | This section contains detailed information on the Single Sign-On settings. |
SAML Single Sign-On | If enabled, turns on SAML Single Sign-On. |
User Provisioning | If enabled, turns on the provisioning of users through SAML assertion attributes. |
SP Entity ID | Read-only; unique identifier of the Universal Controller Service Provider. |
SP Entity ID Subdomain | Customize the SP Entity ID with a unique subdomain. |
SP Entity Base URL | Base URL to construct SAML endpoints from; must be a URL with protocol, server, port, and context path. If one is not specified, it defaults to values from the initial request in this format: |
Identity Provider Metadata File | Identity Provider metadata file location. |
 | Link to download the Service Provider metadata for the Universal Controller node. |
Key Management | |
KeyStore File | Keystore file location. |
KeyStore Password | Password used to protect the integrity of the keystore. Default is ucsaml. |
Private Key Alias | Alias of the private key (with either a self-signed or a CA-signed certificate) used to digitally sign SAML messages. Default is ucsaml. |
Private Key Password | Password used to protect the integrity of the private key. Default is ucsaml. See SAML KeyStore. |
 | This section allows you to configure a mapping between user fields and attributes from the attribute statement of a SAML assertion. It is displayed only when User Provisioning is enabled. See User Attribute Mapping for more details. |
First Name | Name of an attribute, of type |
Middle Name | Name of an attribute, of type |
Last Name | Name of an attribute, of type |
 | Name of an attribute, of type |
Active | Name of an attribute, of type |
Groups | Name of a multi-valued attribute, of type |
Title | Name of an attribute, of type |
Department | Name of an attribute, of type |
Manager | Name of an attribute, of type |
Business Phone | Name of an attribute, of type |
Mobile Phone | Name of an attribute, of type |
Home Phone | Name of an attribute, of type |
Buttons | This section identifies the buttons displayed above and below the Single Sign-On Settings that let you perform various actions. |
Update | |
Refresh | Refreshes any dynamic data displayed in the Single Sign-On Settings. |
...
Upon initial start-up of Universal Controller, a default Single Sign-On Settings record is created and associated with the Universal Controller node by node id. The settings are specific to the Universal Controller node, as the SP Entity ID, Base URL, and file paths may differ between Universal Controller nodes. See Single Sign-On Settings Field Descriptions, above, for the default configuration.
...
Universal Controller Uninitialized | While the Universal Controller web application is initializing, the user login flow cannot proceed. Any users attempting to authenticate with SAML at this time receive the following error: |
---|---|
User Account Not Found | Any SAML-authenticated user who cannot be linked to a user account in the Universal Controller database is prohibited from accessing the application and receives the following error: |
User Account Not Active | Any SAML-authenticated user linked to a Universal Controller user account that is not Active is prohibited from accessing the application and receives the following error: |
Login Method | Any SAML-authenticated user linked to a Universal Controller user account that is not designated to use the Single Sign-On login method is prohibited from accessing the application and receives the following error: |
User Account Locked | Any SAML-authenticated user linked to a Universal Controller user account that is locked is prohibited from accessing the application and receives the following error: |
No Web Browser Access | Any SAML-authenticated user linked to a Universal Controller user account designated with the Single Sign-On login method, but without Web Browser Access, is prohibited from accessing the application and receives the following error: |
Authentication Statement Too Old | If users are already authenticated with their Identity Provider, depending on how long their Identity Provider allows them to stay authenticated, they could experience an "Error validating SAML message" authentication error when signing into Universal Controller through single sign-on. |
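As an added illustration (not Stonebranch code), the following Python models three things this page describes: the attribute mapping applied to the AttributeStatement of a SAML assertion, the default field values given to a Single Sign-On provisioned user, and the post-authentication checks listed in the error table above. The attribute names, the assertion fragment, and the resolution of "- - System Default - -" to a concrete access value are assumptions.

```python
import secrets
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed mapping of user field -> SAML attribute name; "groups" is the multi-valued one.
ATTRIBUTE_MAPPING = {"first_name": "givenName", "active": "active", "groups": "memberOf"}
# Constructed assertion fragment standing in for what an Identity Provider would send.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
 <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="active"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="memberOf"><saml:AttributeValue>ops</saml:AttributeValue>
  <saml:AttributeValue>dev</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def read_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
            for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}

def provision_user(user_id, attrs):
    """Create an Identity Provider-sourced user with the page's defaults, then apply the mapping."""
    user = {"user_id": user_id,
            "password": secrets.token_urlsafe(24),  # 32 random characters
            "password_requires_reset": True,
            "login_method": "Single Sign-On",
            "web_browser_access": "System Default",
            "command_line_access": "System Default",
            "web_service_access": "System Default",
            "locked": False}
    for field, name in ATTRIBUTE_MAPPING.items():
        values = attrs.get(name, [])
        if field == "groups":
            user[field] = values        # keep every value of the multi-valued attribute
        elif values:
            user[field] = values[0]
    return user

def check_login(user, web_access_default="Yes"):
    """Checks from the error table, in order; 'ok' means the login may proceed."""
    if user is None:
        return "User Account Not Found"
    access = user["web_browser_access"]
    effective = web_access_default if access == "System Default" else access  # assumed resolution
    checks = [(str(user.get("active")).lower() != "true", "User Account Not Active"),
              (user["login_method"] != "Single Sign-On", "Login Method"),
              (user["locked"], "User Account Locked"),
              (effective != "Yes", "No Web Browser Access")]
    return next((msg for failed, msg in checks if failed), "ok")
```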
...