Versions Compared

Old Version 2

changes.mady.by.user Stonebranch

Saved on

compared with

New Version Current

changes.mady.by.user Stonebranch

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Panel
Table of Contents
maxlevel2

Overview

Note
titleNote

The information provided on this page assumes you have a working knowledge of SAML Single Sign-On.

...

Universal Controller uses SAML Single Sign-On for authentication and 794553148 User Provisioning. All user and group authorization must be configured within Universal Controller through Permission and Role assignment.

...

Identity Provider-initiated SAML Single Sign-On begins at the Identity Provider, typically by accessing an application-specific Identity Provider URL. Once authenticated, the user will be taken to the Universal Controller web application.

Action URLs

Any Action action URL parameters on the URL used by the SAML-authenticated user to access the Universal Controller web application are restored when the Service Provider-initiated SAML SSO authentication flow has completed successfully and the user has been redirected back to the Universal Controller web application.
 

Note
titleNote:

This is not applicable for an Identity Provider-initiated login.

...

If you are a SAML-enabled user, the Controller allows you to initiate the SAML Single Sign-On authentication flow without leaving the application. On the Session Expired pop-up, instead of entering your login credentials, simply click the Login button to initiate the SAML SSO authentication flow..

If only your Universal Controller session has expired, and not your session with the Identity Provider, you are logged in without being prompted for your credentials. Click Continue on the original dialog to proceed, which closes the SAML SSO authentication flow window.
 

...

Modification of the ops.admin account Login Method is not permitted; therefore, the account will always be accessible for cases where, for example, SAML Single Sign-On Settings are incorrectly configured or the Identity Provider is inaccessible.

...

The following diagram illustrates the expectations in Universal Controller for provisioning users from attributes available in the SAML assertion:
 

Image RemovedImage Added
 

As illustrated, when LDAP synchronization is enabled, provisioning of users through LDAP synchronization takes precedence over provisioning of users through the SAML assertion during the Single Sign-On process.

...

Any user created by SAML assertion attributes, during the single sign-on process, is considered an Identity Provider-sourced user. See 794553148 in 794553148 Attribute Mappings in Single Sign-On Settings.

User Field Defaults

Single Sign-On provisioned users are created with the following default field values:
 

...

However, Universal Controller allows an administrator to customize the Service Provider Entity ID by specifying a Service Provider Entity ID Subdomain in the 794553148 Single Sign-On Settings in the user interface.

For example, an Service Provider Entity ID Subdomain value of dev would allow for a Service Provider Entity ID of https://dev.uc.stonebranch.com/sp.

...

To configure the SP Entity Base URL to a specific value, an administrator can specify the Service Provider Entity Base URL from the 794553148 Single Sign-On Settings in the user interface.

The following table documents the SAML endpoints, and their supported bindings, contained within the Universal Controller Service Provider metadata.
 

...

Universal Controller provides a Service Provider Metadata link, from the SAML Single Sign-On Settings, for downloading the Universal Controller Service Provider metadata file.

...

You can specify the location of the Identity Provider metadata file in the 794553148 Single Sign-On Settings Details of the user interface. By default, on initial start-up, the Controller automatically populates the Identity Provider metadata file setting with a value of ${catalina.base}/conf/saml/idp.xml.

...

The location of the KeyStore File can be specified from the SAML Single Sign-On Settings in the user interface. However, by default, Universal Controller automatically populates the KeyStore File setting with a value of ${catalina.base}/conf/saml/samlKeystore.jks on initial start-up.

...

The JKS keystore password, the default private key alias, and the default private key password can also be specified from the SAML Single Sign-On Settings in the user interface. Each of these settings are populated with a default value of ucsaml on initial start-up.

...

Anchor
Single Sign-On Settings
Single Sign-On Settings

SAML Single Sign-On

...

An administrator can turn on/off and configure SAML Single Sign-On through the user interface.

Note
titleNote

Each Universal Controller cluster node maintains its own SAML Single Sign-On Settings configuration, associated by Node Id. Therefore, you must complete the SAML Single Sign-On Settings configuration for each deployed cluster node, including the Active node and any Passive nodes.

The Identify Provider Metadata File and KeyStore File, by default located under ${catalina.base}/conf/saml/, must be accessible to each cluster node.


Step 1

From the Administration navigation pane, selectConfiguration >  SAML Single Sign-On Settings. The SAML Single Sign-On Settings page displays.
 
Image RemovedImage Added

Step 2

Enter / select your SAML Single Sign-On Settings, using the field descriptions below as a guide.

  • Required fields display an asterisk ( * ) after the field name.
  • Default values for fields, if available, display automatically.

Step 3

Click the button.

For information on how to access additional details - such as Metadata and complete database Details - for SAML Single Sign-On Settings (or any type of record), see Records.
 

Anchor
Single Sign-On Settings Field Descriptions
Single Sign-On Settings Field Descriptions

SAML Single Sign-On

...

Field Descriptions

The following table describes the fields and buttons that display in the SAML Single Sign-On Settings.
 

Field Name

Description

Details

This section contains detailed information on the SAML Single Sign-On settings.

SAML Single Sign-On

If enabled, turns on SAML Single Sign-On.
 
If disabled, all fields are read-only.

Anchor
User Provisioning
User Provisioning
User Provisioning

If enabled, turns on the provisioning of users through SAML assertion attributes.

SP Entity ID

Read-only; Unique identifier of the Universal Controller Service Provider.

SP Entity ID Subdomain

Customize the SP Entity ID with a unique subdomain.

SP Entity Base URL

Base URL to construct SAML endpoints from; must be a URL with protocol, server, port. and context path. If one is not specified, it defaults to values from the initial request in this format: scheme://server:port/contextPath

Identity Provider Metadata Source

Anchor
Identity Provider Metadata Source
Identity Provider Metadata Source

Specifies Identity Provider Metadata Source:

  • File
  • URL
Note

The uc.saml.metadata.refresh_interval property can be configured in uc.properties to specify the refresh interval of Identity Provider Metadata.


Identity Provider Metadata File

If 794553148 Identity Provider Metadata Source = File;

Identity Provider metadata file location.

Identity Provider Metadata URL

If 794553148 Identity Provider Metadata Source = URL;

Identity Provider metadata URL location.

Anchor
Service Provider Metadata field
Service Provider Metadata field
Service Provider Metadata

Link to download the Service Provider metadata for the Universal Controller node.

Key Management


KeyStore File

Keystore file location.

KeyStore Password

Password used to protect the integrity of the keystore. Default is ucsaml.

Private Key Alias

Alias of the private key (with either self-signed or CA-signed certificate) used to digitally sign SAML messages. Default is ucsaml.

Private Key Password

Password used to protect the integrity of the private key. Default is ucsaml. See 794553148 SAML KeyStore.

Anchor
Attribute Mappings
Attribute Mappings
Attribute Mappings

If 794553148 User Provisioning is enabled; This section allows you to configure a mapping between user fields and attributes from the attribute statement of a SAML assertion. It is displayed only when 794553148 User Provisioning is enabled. See 794553148 User Attribute Mapping for more details.
 
In addition to user fields, you can specify an attribute mapping for Groups allowing for automatic provisioning of a user's group membership. See 794553148 Group Membership Attribute Mapping for more details.

First Name

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the First Name of the user.

Middle Name

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Middle Name of the user.

Last Name

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Last Name of the user.

Email

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Email of the user.

Active

Name of an attribute, of type xs:boolean, xs:string or xs:any, from the attribute statement of the SAML assertion containing the Active condition of the user.
 
Non-boolean type values that evaluate to true are "true", "1", "yes", and "on." All other non-boolean type values evaluate to false.

Groups

Name of a multi-valued attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Group Name of each group that the user is a member of.

Title

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Title of the user.

Department

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Department of the user.

Manager

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Name of the Manager of the user.

Business Phone

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Business Phone of the user.

Mobile Phone

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Mobile Phone of the user.

Home Phone

Name of an attribute, of type xs:string or xs:any, from the attribute statement of the SAML assertion containing the Home Phone of the user.

Buttons

This section identifies the buttons displayed above and below the SAML Single Sign-On Settings that let you perform various actions.

Update

Include Page
IL:Update button
IL:Update button

Refresh

Refreshes any dynamic data displayed in the SAML Single Sign-On Settings.

Default Configuration

Upon initial start-up of Universal Controller, a default SAML Single Sign-On Settings record is created and associated with the Universal Controller node by node id. The settings are specific to the Universal Controller node, as the SP Entity ID, Base URL, and File paths may differ between each Universal Controller node. See 794553148 SAML Single Sign-On Field Descriptions, above, for the default configuration.

Security

SAML Single Sign-On Settings can be viewed only by users with the ops_admin role, regardless of Navigation Visibility; therefore, only users with the ops_admin role can update SAML Single Sign-On Settings.

Bulk Import/Export

Any SAML Single Sign-On Settings record in the database that has a corresponding Universal Controller node is exported to ops_single_sign_on.xml during the Bulk Export server operation.

SAML Single Sign-On Settings being updated through the Bulk Import server operation are applied immediately; however, you can update the SAML Single Sign-On Settings only for the node you are performing the Bulk Import on.

...

Universal Controller Uninitialized

While the Universal Controller web application is initializing, the user login flow cannot proceed. Any users attempting to authenticate with SAML at this time receive the following error:
 
Universal Controller is being initialized. Please try again later.

User Account Not Found

Any SAML-authenticated user who cannot be linked to a user account in the Universal Controller database is prohibited from accessing the application and receives the following error:
 
User 'username' not synchronized with Universal Controller. Please check with your administrator.
 
Additionally, the uc.log will contain the following warning:
 
User 'username' authenticated by identity provider 'remote-entity-id' not synchronized with a Universal Controller account.

User Account Not Active

Any SAML-authenticated user linked to a Universal Controller user account that is not Active is prohibited from accessing the application and receives the following error:
 
User 'username' not synchronized with Universal Controller. Please check with your administrator.
 
Additionally, the uc.log will contain the following warning:
 
User 'username' authenticated by identity provider 'remote-entity-id' is synchronized with an inactive Universal Controller account.

Login Method

Any SAML-authenticated user linked to a Universal Controller user account that is not designated to use Single Sign-On login method is prohibited from accessing the application and receives the following error:
 
User 'username' not synchronized with Universal Controller. Please check with your administrator.
 
Additionally, the uc.log will contain the following warning:
 
User 'username' authenticated by identity provider 'remote-entity-id' is not permitted to use Single Sign-On login method.

User Account Locked

Any SAML-authenticated user linked to a Universal Controller user account that is locked is prohibited from accessing the application and receives the following error:
 
User account 'username' is locked. Please check with your administrator.

No Web Browser Access

Any SAML-authenticated user linked to a Universal Controller user account designated with the Single Sign-On login method, but without Web Browser Access, is prohibited from accessing the application and receives the following error:
 
User 'username' not permitted to login through the web browser. Please check with your administrator.

...