Difference between revisions of "HowTo:Integrate UBIK in an SSO Environment"
(→Studio) |
(→Important information) |
||
(4 intermediate revisions by the same user not shown) | |||
Line 6: | Line 6: | ||
= Instructions = | = Instructions = | ||
+ | |||
+ | == Important information == | ||
+ | Single Sign-On (SSO) offers benefits beyond reusing a central account, such as ensuring only the identity provider and browser see user credentials, and enforcing two-factor authentication (2FA). Organizations often secure HTTPS interactions by ensuring requests carry a session cookie from the identity provider or redirecting requests to the identity provider. | ||
+ | |||
+ | While this works for web applications in browsers, it poses challenges for non-browser applications like daemon services or mobile apps. UBIK® addresses this by requiring a valid SSO login via a web browser to create session tokens for its own back channels, making interception by an application gateway not only ineffective but also problematic, as it prevents UBIK® from functioning. Therefore, UBIK® web service URLs must be excluded from 2FA rules on the application gateway to implement SSO securely. | ||
+ | |||
+ | {{Hint|It is necessary to exclude {{UBIK}} web service URLs from any application gateway's 2FA redirect rules!}} | ||
+ | |||
+ | Concerns about breaching cybersecurity protocols are unfounded, as UBIK® ensures all sessions are secured via the identity provider. The responsibility for securing the back channel lies with UBIK®, as it is not a web application. | ||
+ | |||
+ | If there are further questions, support is available to help. | ||
+ | |||
+ | [[Category:How-To|Integrate UBIK in an SSO Environment]] | ||
+ | [[Category:SSO|Integrate UBIK in an SSO Environment]] | ||
+ | [[Category:Version 3.6|Integrate UBIK in an SSO Environment]] | ||
== Login == | == Login == | ||
Line 31: | Line 46: | ||
With this, the {{UBIK}} session in the web service's {{UBIK}} Environment is tagged with the SSO token, and the customizing code can use it to interact with 3rd party systems. | With this, the {{UBIK}} session in the web service's {{UBIK}} Environment is tagged with the SSO token, and the customizing code can use it to interact with 3rd party systems. | ||
− | + | ||
− | + | ||
− | + | ||
= Studio = | = Studio = | ||
Line 139: | Line 154: | ||
{ | { | ||
// Here, we could update groups assignment or other account information. | // Here, we could update groups assignment or other account information. | ||
+ | // If the login object is modified here, please remember to call the login.Save() method before returning! | ||
} | } | ||
return login; | return login; | ||
Line 153: | Line 169: | ||
</div></div> | </div></div> | ||
− | + | [[Category:How-To|Integrate UBIK in an SSO Environment]] | |
− | + | [[Category:SSO|Integrate UBIK in an SSO Environment]] | |
− | + | [[Category:Version 3.6|Integrate UBIK in an SSO Environment]] | |
== Interfacing == | == Interfacing == | ||
Line 182: | Line 198: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | + | ||
− | + | ||
− | + | ||
= Client = | = Client = | ||
Line 210: | Line 226: | ||
</InternalSSOSettings> | </InternalSSOSettings> | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | {{Hint|Entra requires a client secret for web applications (to be configured both in Entra as well as in the client profile's OIDC settings described above). For native/mobile applications, the client secret must be null though!}} | ||
[[Category:How-To|Integrate UBIK in an SSO Environment]] | [[Category:How-To|Integrate UBIK in an SSO Environment]] |
Latest revision as of 07:33, 9 October 2024
Single Sign-On (SSO) allows an end-user to interact with multiple services without logging in more than once.
This page shows how to integrate UBIK® into such an SSO environment.