Difference between revisions of "HowTo:Integrate UBIK in an SSO Environment"
(→Studio)
(7 intermediate revisions by the same user not shown)
Line 20: | Line 20: | ||
* On the server side, make sure that an SSO Processor is configured able to process the responses from the IdP. Also, the processor can be customized for managing the login in greater detail and according to the project's requirements. | * On the server side, make sure that an SSO Processor is configured able to process the responses from the IdP. Also, the processor can be customized for managing the login in greater detail and according to the project's requirements. | ||
− | == Interfacing == | + | == Interfacing with SSO == |
− | When a {{UBIK}} object is synchronized between client and server, the {{UBIK}} customizing can interact with external systems. There, we might require | + | When a {{UBIK}} object is synchronized between client and server, the {{UBIK}} customizing can interact with external systems. There, we might require authentication, and we need the user to provide a respective token so we can act on their behalf. In order to do so, we have to clarify the following details: |
− | * For which types of objects (meta classes) do I need to interact with external systems, requiring SSO | + | * For which types of objects (meta classes) do I need to interact with external systems, requiring SSO authentication? |
− | * For which synchronization operations (e.g., update, commit, create, etc.) do I need | + | * For which synchronization operations (e.g., update, commit, create, etc.) do I need authentication? |
* Which SSO client configurations (identity provider base URL, scopes, etc. - see "login") are used in this case? | * Which SSO client configurations (identity provider base URL, scopes, etc. - see "login") are used in this case? | ||
For each resulting combination we have to create an [[SYSCLS_EXTERNALAUTHCONFIG|External Auth Config]] object and give it to the client in the infrastructure list. | For each resulting combination we have to create an [[SYSCLS_EXTERNALAUTHCONFIG|External Auth Config]] object and give it to the client in the infrastructure list. | ||
− | Further, we have to make sure the | + | Further, we have to make sure the authentication tokens can be transported to the server. Therefore, add the [[SYSCLS_EXTERNALENTITY|External Entity Classification]] to all meta classes of objects that need external authentication. |
With this, the {{UBIK}} session in the web service's {{UBIK}} Environment is tagged with the SSO token, and the customizing code can use it to interact with 3rd party systems. | With this, the {{UBIK}} session in the web service's {{UBIK}} Environment is tagged with the SSO token, and the customizing code can use it to interact with 3rd party systems. | ||
− | + | [[Category:How-To|Integrate UBIK in an SSO Environment]] | |
− | + | [[Category:SSO|Integrate UBIK in an SSO Environment]] | |
− | + | [[Category:Version 3.6|Integrate UBIK in an SSO Environment]] | |
= Studio = | = Studio = | ||
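Review bot: the rewritten "Interfacing with SSO" paragraph in this hunk says the authentication tokens are transported to the server and that the web service's session is tagged with the SSO token, but it does not say which scopes the External Auth Config should request, nor that the token then becomes usable by any customizing code running on that session. Suggest adding a sentence after "give it to the client in the infrastructure list" stating that the scopes listed in the client configuration (see "login") should be limited to what the third-party calls for those meta classes and synchronization operations actually need, so that a token exposed from the session or from logs has a bounded reach.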
Line 98: | Line 98: | ||
There are several use-cases where we need to customize the SSO processor. We can define what should be done when a login object is required or found, and we can use the information delivered with the SSO token in the form of assertions or claims. In any case, we must override the SSO processor implementation, e.g.: | There are several use-cases where we need to customize the SSO processor. We can define what should be done when a login object is required or found, and we can use the information delivered with the SSO token in the form of assertions or claims. In any case, we must override the SSO processor implementation, e.g.: | ||
− | < | + | <div class="toccolours mw-collapsible mw-collapsed" style="width:100%; overflow:auto;"> |
− | public class MyOIDCProcessor : DynamicOIDCProcessorExt | + | <div style="font-weight:bold;line-height:1.6;">Example Code</div> |
+ | <div class="mw-collapsible-content"> | ||
+ | <syntaxhighlight lang="csharp" > | ||
+ | public class MyOIDCProcessor : UBIK.SSO.OIDCProcessor.DynamicOIDCProcessorExt | ||
{ | { | ||
// Example for a claim type identifier used to get a value from the Assertions() dictionary. | // Example for a claim type identifier used to get a value from the Assertions() dictionary. | ||
Line 107: | Line 110: | ||
{ } | { } | ||
− | protected override Login CreateLogin(string loginName, string domain, OSTypes osType) | + | protected override Login CreateLogin(string loginName, string domain, UBIK.Service.DTO.V220.OSTypes osType) |
{ | { | ||
// In this example, we use the default login creation, but add the email address as the human-readable login name. | // In this example, we use the default login creation, but add the email address as the human-readable login name. | ||
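Review bot: the CreateLogin signature in this hunk now fully qualifies the parameter as UBIK.Service.DTO.V220.OSTypes, while the page is categorized under Version 3.6 in the Line 20 hunk; please confirm that V220 is the DTO namespace intended for that version, or state in the surrounding prose which assembly version the example targets, since readers copying the snippet will get a compile error if the namespace differs.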
Line 115: | Line 118: | ||
// The Assertions() method yields a Dictionary<string, object>, where the values usually are strings, too. | // The Assertions() method yields a Dictionary<string, object>, where the values usually are strings, too. | ||
// The keys correspond to the claim type identifiers. | // The keys correspond to the claim type identifiers. | ||
− | if (Assertions().ContainsKey( | + | if (Assertions().ContainsKey(KEY_MAIL) && !string.IsNullOrEmpty(Assertions()[KEY_MAIL] as string)) |
{ | { | ||
− | login.Name = Assertions()[ | + | login.Name = Assertions()[KEY_MAIL] as string; |
UBIKKernel.LogCustomizing(MethodBase.GetCurrentMethod(), | UBIKKernel.LogCustomizing(MethodBase.GetCurrentMethod(), | ||
$"Login name for {login.ID} was set to {login.Name} -> Key: {KEY_MAIL}"); | $"Login name for {login.ID} was set to {login.Name} -> Key: {KEY_MAIL}"); | ||
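Review bot: in this hunk the e-mail claim is copied straight into the login name after only a null/empty check (`login.Name = Assertions()[KEY_MAIL] as string;`); the comment should state that the value is acceptable only because it comes from the IdP-issued assertion that the processor has already validated, and it is worth noting that the address is then written to the customizing log by the following UBIKKernel.LogCustomizing call, which matters for deployments that treat e-mail addresses as personal data. MethodBase.GetCurrentMethod() also needs `using System.Reflection;`, which the snippet does not show.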
Line 147: | Line 150: | ||
} | } | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | </div></div> | ||
+ | |||
+ | |||
+ | |||
Line 173: | Line 181: | ||
} | } | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | [[Category:How-To|Integrate UBIK in an SSO Environment]] | ||
+ | [[Category:SSO|Integrate UBIK in an SSO Environment]] | ||
+ | [[Category:Version 3.6|Integrate UBIK in an SSO Environment]] | ||
= Client = | = Client = | ||
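Review bot: the three [[Category:...]] tags are added in this hunk (Line 173) as well as in the Line 20 and Line 198 hunks, so the page will carry each category three times; keep a single copy, conventionally at the end of the page, and drop the other two.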
Line 179: | Line 191: | ||
* Set up an identity provider if necessary | * Set up an identity provider if necessary | ||
− | * Assemble a client configuration JSON string, .e.g.: | + | * Assemble a client configuration JSON string, .e.g. for Entra: |
<syntaxhighlight lang="javascript"> | <syntaxhighlight lang="javascript"> | ||
− | {'AuthorityURL' : 'https:// | + | {'AuthorityURL' : 'https://login.microsoftonline.com/{tenantid}/v2.0', |
− | 'ClientID' : ' | + | 'ClientID' : '{clientid}', |
'ClientSecret' : null, | 'ClientSecret' : null, | ||
'RedirectURL' : 'com.augmensys.ubik://SSO', | 'RedirectURL' : 'com.augmensys.ubik://SSO', | ||
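Review bot: the configuration is introduced as a "JSON string", but the example uses single-quoted keys and values ({'AuthorityURL' : '...'}), which is not valid JSON; if the client hands this to a strict JSON parser, switch to double quotes, otherwise say the format is a JavaScript object literal. Keeping 'ClientSecret' : null is the right choice for this public client with the custom-scheme redirect com.augmensys.ubik://SSO, because anything placed there ships inside the client configuration; a sentence saying so would stop readers from filling in a secret. The {tenantid} and {clientid} placeholders should also be called out as values to replace.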
Line 198: | Line 210: | ||
</InternalSSOSettings> | </InternalSSOSettings> | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | [[Category:How-To|Integrate UBIK in an SSO Environment]] | ||
+ | [[Category:SSO|Integrate UBIK in an SSO Environment]] | ||
+ | [[Category:Version 3.6|Integrate UBIK in an SSO Environment]] | ||
== SAML == | == SAML == |
Latest revision as of 09:46, 27 June 2024
Single Sign-On (SSO) allows an end-user to interact with multiple services without logging in more than once.
This page shows how to integrate UBIK® into such an SSO environment.