OAuth Single Sign-On
Overview
Universal Controller enables Web Browser Single Sign-On (SSO) through OAuth 2.0 (with OpenID Connect).
The OAuth 2.0 authorization framework is a protocol that allows a user to grant a third-party web site or application access to the user's protected resources without necessarily revealing their long-term credentials or even their identity.
OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. It extends OAuth 2.0 to include user authentication, enabling clients to verify the identity of the user and obtain basic profile information.
Universal Controller uses OAuth Single Sign-On for authentication and User Provisioning. All user and group authorization must be configured within Universal Controller through Permission and Role assignment.
Single Sign-On Login
OAuth Single Sign-On can be initiated by either Universal Controller or the Identity Provider.
Only users designated with Single Sign-On as a Login Method can authenticate using OAuth Single Sign-On. However, users designated with both Standard and Single Sign-On as a Login Method can continue to log into the Universal Controller using the standard application URL (see Logging In).
Universal Controller Initiated Login
Universal Controller will initiate the OAuth Single Sign-On login flow when an unauthenticated user accesses the web application through the following URL.
http(s)://<server:port>/uc/oauth2
Identity Provider-Initiated Login
Identity Provider-initiated OAuth Single Sign-On begins at the Identity Provider, typically by accessing an application-specific Identity Provider URL. Once authenticated, the user will be taken to the Universal Controller web application.
Action URLs
Any action URL parameters on the URL used by the OAuth-authenticated user to access the Universal Controller web application are restored when the Service Provider-initiated OAuth SSO authentication flow has completed successfully and the user has been redirected back to the Universal Controller web application.
This is not applicable for an Identity Provider-initiated login.
Session Expired
Universal Controller allows you to restore an HTTP session without leaving the application (or losing data) by prompting you to re-enter your login credentials in a Session Expired pop-up.
If you are an OAuth-enabled user, the Controller allows you to initiate the OAuth Single Sign-On authentication flow without leaving the application. On the Session Expired pop-up, instead of entering your login credentials, simply click the Login button to initiate the OAuth SSO authentication flow.
If only your Universal Controller session has expired, and not your session with the Identity Provider, you are logged in without being prompted for your credentials. Click Continue on the original dialog to proceed, which closes the OAuth SSO authentication flow window.
If your session with the Identity Provider has expired, you are prompted for your Identity Provider login credentials.
When the Identity Provider has authenticated you and the OAuth SSO authentication flow has completed, click Continue on the original dialog to proceed, which closes the OAuth SSO authentication flow window.
Administrator Account
Modification of the ops.admin account Login Method is not permitted; therefore, the account will always be accessible for cases where, for example, OAuth Single Sign-On is incorrectly configured or the Identity Provider is inaccessible.
Logout
By initiating the Logout menu option, an OAuth-authenticated user is only logged out of the Universal Controller.
User Sessions
The administrative functionality in the user interface that allows for management of User Sessions is applicable only to local Universal Controller sessions; therefore, expiring a user's session through this interface expires only the local Universal Controller session.
User Provisioning
The following diagram illustrates the expectations in Universal Controller for provisioning users from attributes available in the Access / ID Token:
When LDAP synchronization is enabled, provisioning of users through LDAP synchronization takes precedence over provisioning of users through the Access / ID Token during the Single Sign-On process.
During the next scheduled LDAP refresh, any Identity Provider-sourced user or group that matches a user or group synchronized from LDAP is automatically converted to an LDAP-sourced user or group, consistent with how locally created users and groups are handled.
Once a user has been provisioned (created) in the Universal Controller database, its Source (ldap:dn or idp:remote-entity-id) determines how the user record is refreshed during the next login through single sign-on.
User Attribute Mapping
For Universal Controller to correlate OAuth Token claims/attributes with Universal Controller user fields, a mapping between Universal Controller User fields and OAuth Token claims/attributes must be configured.
The following Universal Controller user fields are mappable.
User Id (Username) (By default, this field is automatically mapped to the OAuth Subject identifier (sub) from the OAuth Token; however, you can override this by specifying a User Id (Username) Claim Name.)
First Name (Required)
Middle Name
Last Name
Email
Title
Department
Manager (This field is a reference to another user and is mapped only if the attribute value contains the Name of a valid Universal Controller user.)
Business Phone
Mobile Phone
Home Phone
Active
Any user created by OAuth Token claims/attributes during the single sign-on process is considered an Identity Provider-sourced user.
Universal Controller allows for provisioning of OAuth authenticated users through both Web Browser Access and Web Service Access. When logging in through the User Interface using OAuth Single Sign-On (Web Browser Access), the authenticated user's attributes are consolidated from the ID Token claims and the User Info claims. When invoking a Web Service with an OAuth2 Bearer Token (Web Service Access), the authenticated user's attributes come from the Bearer Token for a JWT, or from the introspection response for an Opaque Token.
User Field Defaults
OAuth Single Sign-On provisioned users are created with the following default field values:
| Field | Value |
|---|---|
User Password | random, 32-characters |
Password Requires Reset | true |
Login Method | Single Sign-On |
Web Browser Access | - - System Default - - |
Command Line Access | - - System Default - - |
Web Service Access | - - System Default - - |
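The following Python is an added illustration (not Universal Controller's own code) of the provisioning rules described under User Attribute Mapping and User Field Defaults: claims from the ID Token and User Info response are consolidated, the User Id falls back to `sub` unless a claim name is configured, First Name is required, Manager is mapped only when it names an existing user, and the defaults from the table above are applied. The mapping dictionary, the sample claims, the existing-user set, and the rule that an ID Token claim wins over a User Info claim of the same name are constructed assumptions.

```python
import secrets
import string

# Constructed mapping of Universal Controller field -> claim name (assumed shape).
MAPPING = {
    "First Name": "given_name",
    "Last Name": "family_name",
    "Email": "email",
    "Department": "department",
    "Manager": "manager",
}
# Constructed set of Names of users already present in the Controller database.
EXISTING_USERS = {"jane.doe"}
SYSTEM_DEFAULT = "-- System Default --"


def consolidate(id_token_claims, userinfo_claims):
    """Merge ID Token and User Info claims for a browser login.
    Assumption: an ID Token claim wins when both carry the same name."""
    merged = dict(userinfo_claims)
    merged.update(id_token_claims)
    return merged


def provision_user(claims, mapping=MAPPING, user_id_claim=None,
                   entity_id="idp-example", existing_users=EXISTING_USERS):
    """Build the user record for a first-time SSO login.
    Raises ValueError when no identifier or no First Name claim is present."""
    user_id = claims.get(user_id_claim or "sub")  # sub unless a claim name is configured
    if not user_id:
        raise ValueError("no user identifier claim present")
    record = {"User Id": user_id, "Source": f"idp:{entity_id}"}
    for field, claim in mapping.items():
        value = claims.get(claim)
        if value is None:
            continue
        if field == "Manager" and value not in existing_users:
            continue  # Manager is a reference; map only to a valid existing user
        record[field] = value
    if "First Name" not in record:
        raise ValueError("First Name claim is required for provisioning")
    alphabet = string.ascii_letters + string.digits
    record.update({
        "User Password": "".join(secrets.choice(alphabet) for _ in range(32)),
        "Password Requires Reset": True,
        "Login Method": "Single Sign-On",
        "Web Browser Access": SYSTEM_DEFAULT,
        "Command Line Access": SYSTEM_DEFAULT,
        "Web Service Access": SYSTEM_DEFAULT,
    })
    return record
```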