HowTo:Integrate UBIK in an SSO Environment

1,870 bytes added, 09:17, 12 April 2023
= Studio =
<!-- DO NOT MODIFY THE NAME OF THIS SECTION, BUT REMOVE IT IF NOT REQUIRED -->
 
== Authentication ==
* Install the Auth Processor plugin (SAMLProcessor or OIDCProcessor plugin) in your web service's injection folder
* Customize your UBIK Context, overriding the method "GetSSOProcessor" so it returns an instance of the authentication processor:
 
OIDC:
<syntaxhighlight lang="c#">
public override UBIK.Kernel.SSO.ISSOProcessor GetSSOProcessor(System.String token)
{
    // Only the context that is bound to the OIDC provider gets the OIDC processor.
    if (this.Name == "MyContextName")
    {
        // JSON Web Key Set of the OIDC provider, used to validate token signatures.
        string jwks = "...";
        return new UBIK.SSO.OIDCProcessor.OIDCProcessorExt(Environment, token, jwks);
    }
    return base.GetSSOProcessor(token);
}
</syntaxhighlight>
Replace "..." with the JWKS (JSON Web Key Set) published by your OIDC provider; the processor uses these keys to validate the signatures of the tokens it receives.
 
SAML:
<syntaxhighlight lang="c#">
public override UBIK.Kernel.SSO.ISSOProcessor GetSSOProcessor(System.String token)
{
    // Only the context that is bound to the SAML Identity Provider gets the SAML processor.
    if (this.Name == "MyContextName")
    {
        // Signing certificate of the IdP; load it from file storage on the server.
        byte[] certificate = null;
        return new UBIK.SSO.SAMLProcessor.SAMLProcessorExt(Environment, token, certificate);
    }
    return base.GetSSOProcessor(token);
}
</syntaxhighlight>
Load the correct certificate from your SAML Identity Provider instead of passing null. It is recommended to store the certificate on the server and load it from file storage. The certificate must be the one the IdP uses to sign its SAML responses, since the processor validates response signatures against it.
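The following is an added example (not code from the UBIK documentation or product) of the override described above for a context that serves both a SAML and an OIDC provider. It assumes the UBIK types shown on this page; the context names, file paths and the expected thumbprint are placeholders, and the helper that checks the loaded certificate is this example's own addition.

```csharp
// Members of your customized UBIK Context class (the using directives belong
// at the top of that file). Placeholders must be replaced with your own values.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;

private const string IdpCertificatePath = @"C:\ubik\sso\idp-signing.cer";           // placeholder
private const string ExpectedIdpThumbprint = "<THUMBPRINT FROM YOUR IDP METADATA>"; // placeholder
private const string JwksPath = @"C:\ubik\sso\oidc-jwks.json";                     // placeholder

public override UBIK.Kernel.SSO.ISSOProcessor GetSSOProcessor(System.String token)
{
    if (this.Name == "MySamlContext")
    {
        byte[] certificate = LoadIdpSigningCertificate(IdpCertificatePath, ExpectedIdpThumbprint);
        return new UBIK.SSO.SAMLProcessor.SAMLProcessorExt(Environment, token, certificate);
    }
    if (this.Name == "MyOidcContext")
    {
        // Keep the JWKS in a file on the server rather than hard-coding it in the source.
        string jwks = File.ReadAllText(JwksPath);
        return new UBIK.SSO.OIDCProcessor.OIDCProcessorExt(Environment, token, jwks);
    }
    return base.GetSSOProcessor(token);
}

// Loads the IdP signing certificate from server storage and refuses to use it
// when it is not the expected certificate or is outside its validity period:
// whichever certificate is passed here decides which IdP the server trusts.
private static byte[] LoadIdpSigningCertificate(string path, string expectedThumbprint)
{
    byte[] raw = File.ReadAllBytes(path);
    using (var cert = new X509Certificate2(raw))
    {
        if (!string.Equals(cert.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("IdP certificate does not match the expected thumbprint.");

        DateTime now = DateTime.UtcNow;
        if (now < cert.NotBefore.ToUniversalTime() || now > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException("IdP certificate is outside its validity period.");
    }
    return raw;
}
```

The thumbprint check makes a swapped or stale certificate file fail loudly at the first SSO request instead of silently changing which Identity Provider's assertions are accepted.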
 
== Authorization ==
* Add [[SYSCLS_EXTERNALAUTHCONFIG|External Auth Config]] objects to the client's infrastructure
* Add the [[SYSCLS_EXTERNALENTITY|External Entity Classification]] to all affected meta class scopes

An External Auth Config object specifies which SSO configuration should be used for a given meta class and sync action (e.g., when uploading instruction documents). With a correct configuration, the client sends an SSO token to the server when it performs the sync action for an instance of that meta class. On the server side, you can use that token to interact with the external system. This only works if there is a scope with the External Entity Classification for that meta class, because that scope provides the means to transport the token.
= Client =