= Instructions =
== Important information : Reverse Proxies ==Single Sign-On (SSO) offers benefits beyond reusing a central account, such as ensuring only the identity provider and browser see user credentials, and enforcing two-factor authentication (2FA). Organizations often secure HTTPS interactions by ensuring requests carry a session cookie from the identity provider or redirecting requests to the identity provider.
While this works for web applications in browsers, it poses challenges for nonSingle Sign-browser applications like daemon services or mobile apps. UBIK® addresses this by requiring a valid On (SSO login via ) offers benefits beyond reusing a web browser to create session tokens for its own back channelscentral account, making interception by an application gateway not such as ensuring only ineffective but also problematicthe identity provider and browser see user credentials, as it prevents UBIK® from functioningenforcing two-factor authentication (2FA), and shielding intranet servers via reverse proxy checking for valid SSO sessions. Therefore, UBIK® web service URLs must be excluded Organizations often secure HTTPS interactions by ensuring requests carry a session cookie or bearer token from 2FA rules on the application gateway identity provider, otherwise redirecting requests to implement SSO securelythe identity provider.
{{Hint|It UBIK}} supports this, too, by providing the SSO bearer token within the "Authorization" header for every request. A reverse proxy can verify this token or prevent access otherwise. Unfortunately, Microsoft Entry Application Proxy - even with the helpful-sounding "header-based SSO" configuration - is necessary unable to just check this header without dropping the data when forwarding the incoming message to exclude {{UBIK}} web service URLs from . Hence, with the Microsoft Entra Application Proxy the only way is to deactivate the check. Also, any application gateway's 2FA redirect rules!method checking the session cookie is doomed to fail because for the backchannel, {{UBIK}}doesn't have any access to the browser's cookies, just to the SSO token.
Concerns about breaching cybersecurity protocols are unfounded{{Hint|With Microsoft Entra Application Proxy, as UBIK® ensures all sessions are secured via the identity provider. The responsibility for securing the back channel lies with UBIK®, as it is not a necessary to exclude {{UBIK}} web application.service URLs from the 2FA redirect rules!}}
If there are further questions, support is available to help.
[[Category:Client|Integrate UBIK in an SSO Environment]][[Category:How-To|Integrate UBIK in an SSO Environment]][[Category:Mobile|Integrate UBIK in an SSO Environment]][[Category:SSO|Integrate UBIK in an SSO Environment]][[Category:Version 3.6|Integrate UBIK in an SSO Environment]][[Category:WinX|Integrate UBIK in an SSO Environment]]
== Login ==