...

The administrative functionality in the user interface for managing User Sessions applies only to local Universal Controller sessions. Expiring a user's session through this interface therefore expires only the local Universal Controller session.

User Provisioning

The following diagram illustrates the expectations in Universal Controller for provisioning users from attributes available in the SAML assertion:

...

SAML Profile          Binding                     Endpoint
Web Single Sign-on    HTTP-POST, HTTP-Artifact    scheme://server:port/contextPath/saml/SSO
Single Logout         HTTP-POST, HTTP-Redirect    scheme://server:port/contextPath/saml/SingleLogout

...

Note: Starting with Java 1.8.0_162, the JCE unlimited policy is enabled by default. You no longer need to install the policy file in the JRE or set the security property crypto.policy.

Debugging

The uc.saml.log.level property can be configured in uc.properties to enable debug logging for the SAML framework. As a best practice, however, uc.saml.log.level should remain at INFO under normal operation.

...

An administrator can turn on/off and configure SAML Single Sign-On through the user interface.

Note: Each Universal Controller cluster node maintains its own Single Sign-On Settings configuration, associated by Node Id. Therefore, you must complete the Single Sign-On Settings configuration for each deployed cluster node, including the Active node and any Passive nodes.

The Identity Provider Metadata File and KeyStore File, by default located under ${catalina.base}/conf/saml/, must be accessible to each cluster node.


Step 1

From the Administration navigation pane, select Configuration > Single Sign-On Settings. The Single Sign-On Settings page displays.

Step 2

Enter / select your Single Sign-On Settings, using the field descriptions below as a guide.

  • Required fields display an asterisk ( * ) after the field name.
  • Default values for fields, if available, display automatically.

Step 3

Click the button.

...

Field Name

Description

Details

This section contains detailed information on the Single Sign-On settings.

SAML Single Sign-On

If enabled, turns on SAML Single Sign-On.

If disabled, all fields are read-only.

User Provisioning

If enabled, turns on the provisioning of users through SAML assertion attributes.

SP Entity ID

Read-only. Unique identifier of the Universal Controller Service Provider.

SP Entity ID Subdomain

Customize the SP Entity ID with a unique subdomain.

SP Entity Base URL

Base URL from which the SAML endpoints are constructed; must be a URL with protocol, server, port, and context path. If one is not specified, it defaults to the values from the initial request in this format: scheme://server:port/contextPath

Identity Provider Metadata Source

Specifies the Identity Provider Metadata Source:

  • File
  • URL

Note: The uc.saml.metadata.refresh_interval property can be configured in uc.properties to specify the refresh interval of the Identity Provider Metadata.


Identity Provider Metadata File

If Identity Provider Metadata Source = File: location of the Identity Provider metadata file.

Identity Provider Metadata URL

If Identity Provider Metadata Source = URL: URL of the Identity Provider metadata.

Service Provider Metadata

Link to download the Service Provider metadata for the Universal Controller node.

Key Management


KeyStore File

Keystore file location.

KeyStore Password

Password used to protect the integrity of the keystore. Default is ucsaml.

Private Key Alias

Alias of the private key (with either self-signed or CA-signed certificate) used to digitally sign SAML messages. Default is ucsaml.

Private Key Password

Password used to protect the integrity of the private key. Default is ucsaml. See SAML KeyStore.

Attribute Mappings

Displayed only when User Provisioning is enabled. This section allows you to configure a mapping between user fields and attributes from the attribute statement of a SAML assertion. See User Attribute Mapping for more details.
 
In addition to user fields, you can specify an attribute mapping for Groups allowing for automatic provisioning of a user's group membership. See Group Membership Attribute Mapping for more details.

First Name

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the First Name of the user.

Middle Name

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Middle Name of the user.

Last Name

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Last Name of the user.

Email

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Email of the user.

Active

Name of an attribute, of type xs:boolean, xs:string or xs:any, from the attribute statement of the SAML assertion containing the Active condition of the user.

Non-boolean type values that evaluate to true are "true", "1", "yes", and "on". All other non-boolean type values evaluate to false.

Groups

Name of a multi-valued attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Group Name of each group that the user is a member of.

Title

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Title of the user.

Department

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Department of the user.

Manager

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Name of the Manager of the user.

Business Phone

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Business Phone of the user.

Mobile Phone

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Mobile Phone of the user.

Home Phone

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Home Phone of the user.
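The attribute-mapping rules above (one attribute Name per user field, a multi-valued attribute for Groups, and the true/false rule for the Active field) can be exercised end to end with a small parser. The following is an added example written for this page, not Universal Controller code: the mapping table, the attribute Names (givenName, sn, mail, accountEnabled, memberOf) and the sample assertion are all constructed, and it assumes the SAML framework has already verified the assertion's signature and conditions before any attribute is read.

```python
"""Provision user fields from a SAML assertion's AttributeStatement.

Added example, not Universal Controller code. ATTRIBUTE_MAPPINGS and the
sample assertion are constructed; the attribute Names are assumptions
standing in for whatever the configured Attribute Mappings point at.
"""
import xml.etree.ElementTree as ET  # for untrusted XML prefer defusedxml

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed mapping: user field -> attribute Name in the assertion.
ATTRIBUTE_MAPPINGS = {
    "first_name": "givenName",
    "middle_name": "middleName",  # absent from the sample: field stays unset
    "last_name": "sn",
    "email": "mail",
    "active": "accountEnabled",
    "groups": "memberOf",
}

# Non-boolean values that count as true; every other value is false.
TRUE_VALUES = {"true", "1", "yes", "on"}

# Constructed sample assertion. Signature and Conditions checking is assumed
# to have happened already; attributes from an unverified assertion must
# never drive provisioning.
SAMPLE_ASSERTION = """<saml2:Assertion
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.invalid/metadata</saml2:Issuer>
  <saml2:Subject><saml2:NameID>jdoe</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="givenName">
      <saml2:AttributeValue xsi:type="xs:string">Jane</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="sn">
      <saml2:AttributeValue xsi:type="xs:string">Doe</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mail">
      <saml2:AttributeValue xsi:type="xs:string">jane.doe@example.invalid</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="accountEnabled">
      <saml2:AttributeValue xsi:type="xs:string">yes</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="memberOf">
      <saml2:AttributeValue xsi:type="xs:string">Operators</saml2:AttributeValue>
      <saml2:AttributeValue xsi:type="xs:string">Auditors</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_attribute_statement(assertion_xml):
    """Return {Name: (xsi:type or None, [values])} for every Attribute."""
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values, xsi_type = [], None
        for value in attr.iterfind("saml2:AttributeValue", NS):
            xsi_type = value.get(XSI_TYPE, xsi_type)
            values.append((value.text or "").strip())
        attributes[attr.get("Name")] = (xsi_type, values)
    return attributes


def evaluate_active(xsi_type, values):
    """Active rule: an xs:boolean value uses its own lexical forms
    ("true"/"1"); any other type is true only for "true", "1", "yes"
    or "on". Case-insensitive matching is an assumption of this example,
    as is matching the type by its local name regardless of prefix."""
    if not values:
        return None
    value = values[0].lower()
    if xsi_type is not None and xsi_type.split(":")[-1] == "boolean":
        return value in {"true", "1"}
    return value in TRUE_VALUES


def provision_user(assertion_xml, mappings=ATTRIBUTE_MAPPINGS):
    """Build the user record. A mapped attribute that is absent from the
    assertion leaves its field unset (this example's choice, not a
    documented behaviour) rather than blanking the stored value."""
    attributes = parse_attribute_statement(assertion_xml)
    user = {}
    for field, name in mappings.items():
        if name not in attributes:
            continue
        xsi_type, values = attributes[name]
        if field == "groups":
            user[field] = values  # multi-valued: one group name per value
        elif field == "active":
            user[field] = evaluate_active(xsi_type, values)
        else:
            user[field] = values[0] if values else None
    return user


if __name__ == "__main__":
    print(provision_user(SAMPLE_ASSERTION))
```

Running the block prints the provisioned record for the sample assertion; the Active field comes out true because "yes" is one of the accepted non-boolean values, while a value such as "off" or "enabled" would evaluate to false and deactivate the account.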

Buttons

This section identifies the buttons displayed above and below the Single Sign-On Settings that let you perform various actions.

Update


Refresh

Refreshes any dynamic data displayed in the Single Sign-On Settings.

...