= Instructions =
== Important information ==
Single Sign-On (SSO) offers benefits beyond reusing a central account, such as ensuring only the identity provider and browser see user credentials, and enforcing two-factor authentication (2FA). Organizations often secure HTTPS interactions by ensuring requests carry a session cookie from the identity provider or redirecting requests to the identity provider.
While this works for web applications in browsers, it poses challenges for non-browser applications like daemon services or mobile apps. UBIK® addresses this by requiring a valid SSO login via a web browser to create session tokens for its own back channels, making interception by an application gateway not only ineffective but also problematic, as it prevents UBIK® from functioning. Therefore, UBIK® web service URLs must be excluded from 2FA rules on the application gateway to implement SSO securely.
{{Hint|It is necessary to exclude {{UBIK}} web service URLs from any application gateway's 2FA redirect rules!}}
Concerns about breaching cybersecurity protocols are unfounded, as UBIK® ensures all sessions are secured via the identity provider. The responsibility for securing the back channel lies with UBIK®, as it is not a web application.
If there are further questions, support is available to help.
== Login ==
* [[SYSCLS_EXTERNALENTITY|External Entity Classification (SSO)]]
[[Category:Client|Integrate UBIK in an SSO Environment]]
[[Category:How-To|Integrate UBIK in an SSO Environment]]
[[Category:Mobile|Integrate UBIK in an SSO Environment]]
[[Category:SSO|Integrate UBIK in an SSO Environment]]
[[Category:Version 3.6|Integrate UBIK in an SSO Environment]]
[[Category:Client|Integrate UBIK in an SSO Environment]]
[[Category:WinX|Integrate UBIK in an SSO Environment]]
[[Category:Mobile|Integrate UBIK in an SSO Environment]]
