Difference between revisions of "HowTo:Integrate UBIK in an SSO Environment"
(→Customizing the SSO processor) |
(→Important information) |
||
(8 intermediate revisions by the same user not shown) | |||
Line 6: | Line 6: | ||
= Instructions = | = Instructions = | ||
+ | |||
+ | == Important information == | ||
+ | Single Sign-On (SSO) offers benefits beyond reusing a central account, such as ensuring only the identity provider and browser see user credentials, and enforcing two-factor authentication (2FA). Organizations often secure HTTPS interactions by ensuring requests carry a session cookie from the identity provider or redirecting requests to the identity provider. | ||
+ | |||
+ | While this works for web applications in browsers, it poses challenges for non-browser applications like daemon services or mobile apps. UBIK® addresses this by requiring a valid SSO login via a web browser to create session tokens for its own back channels, making interception by an application gateway not only ineffective but also problematic, as it prevents UBIK® from functioning. Therefore, UBIK® web service URLs must be excluded from 2FA rules on the application gateway to implement SSO securely. | ||
+ | |||
+ | {{Hint|It is necessary to exclude {{UBIK}} web service URLs from any application gateway's 2FA redirect rules!}} | ||
+ | |||
+ | Concerns about breaching cybersecurity protocols are unfounded, as UBIK® ensures all sessions are secured via the identity provider. The responsibility for securing the back channel lies with UBIK®, as it is not a web application. | ||
+ | |||
+ | If there are further questions, support is available to help. | ||
+ | |||
+ | [[Category:How-To|Integrate UBIK in an SSO Environment]] | ||
+ | [[Category:SSO|Integrate UBIK in an SSO Environment]] | ||
+ | [[Category:Version 3.6|Integrate UBIK in an SSO Environment]] | ||
== Login == | == Login == | ||
Line 31: | Line 46: | ||
With this, the {{UBIK}} session in the web service's {{UBIK}} Environment is tagged with the SSO token, and the customizing code can use it to interact with 3rd party systems. | With this, the {{UBIK}} session in the web service's {{UBIK}} Environment is tagged with the SSO token, and the customizing code can use it to interact with 3rd party systems. | ||
− | + | ||
− | + | ||
− | + | ||
= Studio = | = Studio = | ||
Line 102: | Line 117: | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
<syntaxhighlight lang="csharp" > | <syntaxhighlight lang="csharp" > | ||
− | public class MyOIDCProcessor : DynamicOIDCProcessorExt | + | public class MyOIDCProcessor : UBIK.SSO.OIDCProcessor.DynamicOIDCProcessorExt |
{ | { | ||
// Example for a claim type identifier used to get a value from the Assertions() dictionary. | // Example for a claim type identifier used to get a value from the Assertions() dictionary. | ||
Line 110: | Line 125: | ||
{ } | { } | ||
− | protected override Login CreateLogin(string loginName, string domain, UBIK. | + | protected override Login CreateLogin(string loginName, string domain, UBIK.Service.DTO.V220.OSTypes osType) |
{ | { | ||
// In this example, we use the default login creation, but add the email address as the human-readable login name. | // In this example, we use the default login creation, but add the email address as the human-readable login name. | ||
Line 139: | Line 154: | ||
{ | { | ||
// Here, we could update groups assignment or other account information. | // Here, we could update groups assignment or other account information. | ||
+ | // If the login object is modified here, please remember to call the login.Save() method before returning! | ||
} | } | ||
return login; | return login; | ||
Line 181: | Line 197: | ||
} | } | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | |||
+ | |||
+ | |||
= Client = | = Client = | ||
Line 187: | Line 207: | ||
* Set up an identity provider if necessary | * Set up an identity provider if necessary | ||
− | * Assemble a client configuration JSON string, .e.g.: | + | * Assemble a client configuration JSON string, .e.g. for Entra: |
<syntaxhighlight lang="javascript"> | <syntaxhighlight lang="javascript"> | ||
− | {'AuthorityURL' : 'https:// | + | {'AuthorityURL' : 'https://login.microsoftonline.com/{tenantid}/v2.0', |
− | 'ClientID' : ' | + | 'ClientID' : '{clientid}', |
'ClientSecret' : null, | 'ClientSecret' : null, | ||
'RedirectURL' : 'com.augmensys.ubik://SSO', | 'RedirectURL' : 'com.augmensys.ubik://SSO', | ||
Line 206: | Line 226: | ||
</InternalSSOSettings> | </InternalSSOSettings> | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | {{Hint|Entra requires a client secret for web applications (to be configured both in Entra as well as in the client profile's OIDC settings described above). For native/mobile applications, the client secret must be null though!}} | ||
+ | |||
+ | [[Category:How-To|Integrate UBIK in an SSO Environment]] | ||
+ | [[Category:SSO|Integrate UBIK in an SSO Environment]] | ||
+ | [[Category:Version 3.6|Integrate UBIK in an SSO Environment]] | ||
== SAML == | == SAML == |
Latest revision as of 07:33, 9 October 2024
Single Sign-On (SSO) allows an end-user to interact with multiple services without logging in more than once.
This page shows how to integrate UBIK® into such an SSO environment.