Integrate UBIK in an SSO Environment

Single Sign-On (SSO) allows an end-user to interact with multiple services without logging in more than once.

This page shows how to integrate UBIK^® into such an SSO environment.

Instructions

Login

As explained in the Single Sign-On article, we want the mobile application to receive a token of authenticity from an authority the user has provided their credentials to. Next, the mobile application should ask the USAM web service to accept this token as credentials and establish a UBIK^® session. Of course, the USAM web service must verify whether the token is valid. If so, an internal UBIK^® login object is created for the user, if it doesn't exist yet. This can be customized in order to add further information to the login object (like a name, group relations or other arbitrary information), or to restrict which users may log in, now that their identity is verified.

To implement this, the following steps must be done:

UBIK^® must be registered as a client application (or "service provider" in SAML) at the customer's authority or identity provider (IdP).
- The service engineer must provide a callback URL at which we want to receive the result. In case of OIDC, this is the app's deep link URL "com.augmensys.ubik://SSO". For SAML, an intermediate server (assertion consumer service, ACS) is required to relay the token for the app - we provide the UBIK^® auth mediator server for this.
- In return, the customer must provide a client ID and client secret for us to configure.
- In case of OIDC, the customer can decide which scopes/claims should be delivered with the token and whether they want to use the ID token or the access token for authentication.
In the UBIK^® client profile, the SSO relevant settings must be adjusted (enabling SSO, specifying the protocol, the IdP URL, client ID, client secret, scopes and whether to use the access token).
On the server side, make sure that an SSO Processor is configured able to process the responses from the IdP. Also, the processor can be customized for managing the login in greater detail and according to the project's requirements.

Interfacing

When a UBIK^® object is synchronized between client and server, the UBIK^® customizing can interact with external systems. There, we might require authorization, and we need the user to provide a respective token so we can act on their behalf. In order to do so, we have to identify the specific authorization use-cases:

For which types of objects (meta classes) do I need to interact with external systems, requiring SSO authorization?
For which synchronization operations (e.g., update, commit, create, etc.) do I need authorization?
Which SSO client configurations (identity provider base URL, scopes, etc. - see "login") are used in this case?

For each resulting combination we have to create an External Auth Config object and give it to the client in the infrastructure list.

Further, we have to make sure the authorization tokens can be transported to the server. Therefore, add the External Entity Classification to all meta classes of objects that need external authorization.

Studio

Login

Install the Auth Processor plugin (SAMLProcessor or OIDCProcessor plugin) in your web service's injection folder
Customize your UBIK Context, overriding the method "GetSSOProcessor" so it returns an instance of the authentication processor:

OIDC:

In the case of a periodic rolling of the signing key, use the DynamicOIDCProcessor which fetches the JWKS automatically via the base URL of the chosen OIDC Provider:

public override UBIK.Kernel.SSO.ISSOProcessor GetSSOProcessor(System.String token)
{
if (this.Name == "MyContextName")
{
string authorityBaseUrl = "...";
return new UBIK.SSO.OIDCProcessor.DynamicOIDCProcessorExt(Environment, token, authorityBaseUrl);
}
return base.GetSSOProcessor(token);
}

Instead of "..." you will need to insert the correct URL from your OIDC Provider where the JWKS should originate from.

If the JWKS does not roll periodically:

public override UBIK.Kernel.SSO.ISSOProcessor GetSSOProcessor(System.String token)
{
if (this.Name == "MyContextName")
{
string jwks = "...";
return new UBIK.SSO.OIDCProcessor.OIDCProcessorExt(Environment, token, jwks);
}
return base.GetSSOProcessor(token);
}

You will need to insert the correct jwks from your OIDC Provider instead of "...".

SAML:

public override UBIK.Kernel.SSO.ISSOProcessor GetSSOProcessor(System.String token)
{
if (this.Name == "MyContextName")
{
byte[] certificate= null; // load from file
return new UBIK.SSO.SAMLProcessor.SAMLProcessorExt(Environment, token, certificate);
}
return base.GetSSOProcessor(token);
}

You will need to load the correct certificate from your SAML Identity Provider instead of null. It's recommended to save the certificate on the server and load it from file storage. The certificate must be the one the IdP uses to sign its SAML responses with.

Customizing the SSO processor

There are several use-cases where we need to customize the SSO processor. We can define what should be done when a login object is required or found, and we can use the information delivered with the SSO token in the form of assertions or claims. In any case, we must override the SSO processor implementation, e.g.:

public class MyOIDCProcessor : DynamicOIDCProcessorExt
{
// Example for a claim type identifier used to get a value from the Assertions() dictionary.
public const string KEY_MAIL = @"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";

public MyOIDCProcessor(UBIKEnvironment environment, string token, string authorityBaseUrl) : base(environment, token, authorityBaseUrl)
{ }

protected override Login CreateLogin(string loginName, string domain, OSTypes osType)
{
// In this example, we use the default login creation, but add the email address as the human-readable login name.
// However, we could also use a special MetaClass for creating the login instance or do anything else we require.
Login login = base.CreateLogin(loginName, domain, osType);

// The Assertions() method yields a Dictionary<string, object>, where the values usually are strings, too.
// The keys correspond to the claim type identifiers.
if (Assertions().ContainsKey(Settings.KEY_MAIL) && !string.IsNullOrEmpty(Assertions()[KEY_MAIL] as string))
{
login.Name = Assertions()[Settings.KEY_MAIL] as string;
UBIKKernel.LogCustomizing(MethodBase.GetCurrentMethod(),
$"Login name for {login.ID} was set to {login.Name} -> Key: {KEY_MAIL}");
}
return login;
}

public override string GetLoginID()
{
// Here, we could influence the login ID used in UBIK, if we have a good mapping.
return base.GetLoginID();
}

public override Login GetLogin(UBIK.Service.DTO.V220.OSTypes osType)
{
Login login = base.GetLogin(osType);
if (login == null)
{
// Here, we could update groups assignment or other account information.
}
return login;
}

public override bool IsValid()
{
// Here, we could only accept trusted accounts, for example.
return base.IsValid();
}
}

Interfacing

Add External Auth Config objects to the client's infrastructure
Add the External Entity Classification to all affected meta class scopes

An external auth config object specifies for which meta class and sync action (e.g., when uploading instruction documents), which SSO configuration should be used. The result of a correct configuration will be, that the client sends an SSO token to the server when performing the sync action for an instance of the meta class. On the server side, you can use that token to interact with the external system. This only works if there is a scope with the external entity classification for that meta class, because it provides the means to transport the token.

Integrate UBIK in an SSO Environment

Instructions

Login

Interfacing

Studio

Login

Customizing the SSO processor

Interfacing

Client

OIDC

SAML

See also