Directory user mapping is a mechanism for mapping users that have been authenticated by third-party identity providers dynamically to one or more user accounts in different LDAP directories. As a result of successful mapping, run-time Ubisecure or directory identities are created and made available to be used by the agent application in a single sign-on session.
Users that have been identified by a third party are called unregistered users. For example, if an external strong authentication method is used (e.g., a certificate based method), the identifier returned is the subject from the user certificate, which may not exactly match the user id (uid) in the Ubisecure Directory or another integrated directory. For this reason, mapping is performed to match the identifier(s) returned by the identity provider to one or more fields in the user account. After this match is performed, the applicable agents will have access to both sets of user data (limited only by the Authorization Policy used).
In order to be able to use an external authentication method with directory user mappings, following configurations are required for the authentication method:
- Add the method to the directory that are used for the mapping, for example in tab Services → CustomerID Directory → Connected Methods
- Add the method to the site(s) where the users are located, for example in tab eIDM Users → Site Methods
A directory user mapping is configured using extended LDAP URL syntax, which provides a capability to create search filters with values of arbitrary method attributes. In addition, it is possible to define search preconditions based on attribute values.
|Figure 1: Directory User Mappings list|
Directory User Mappings (Home, Directory User Mappings) presents a list of directory user mapping tables.
- New Mapping
Create a new directory user mapping table
- Delete Mapping
Delete selected directory user mapping tables
- Directory user mapping table
- The Directory user mapping table configuration view is opened by clicking a name of directory user mapping table in the list.
|Figure 2: Directory User Mappings main view|
Name of the directory user mapping table
Description of the directory user mapping table
Update the modified description
Create a new directory user mapping table
Delete the directory user mapping table
Rename the directory user mapping table
User Mappings View
|Figure 3: User Mappings view|
The User Mappings view shows the contents of a directory user mapping table. Each entry of a directory user mapping table consists of an optional precondition and an LDAP search url. A Directory User Mapping may contain many entries, for example to map users from different branches of an LDAP to based on different attributes, or to match users to different user repositories based on method attributes or authentication methods used.
- Directory User Mapping Entry
Click a directory user mapping entry to edit values
Create a new directory user mapping entry
Figure 4: Adding a new Directory User Mapping
Remove selected directory user mapping entries
Directory User Mapping edit view is presented below.
|Figure 5: Directory User Mapping edit view|
If a precondition exists, it must be evaluated successfully before the LDAP search is performed. The syntax of precondition follows the precondition syntax of method attribute mapping with an exception in attribute names: attribute name is defined with
prefix:name notation, where prefix may be one of the following:
Attribute name refers to the method attributes. Refer to the authentication method documentation for a list of available attributes for specific authentication methods.
Attribute name refers to the subject attributes. Subject attributes are following:
Format of username
Actual username string
Namequalifier specifying the username namespace
The LDAP URL section of the directory user mapping edit view has following fields:
The drop-down list contains all enabled pre-configured directories from the Server → Services. Select the directory to which the user should be mapped. Selection of this item will complete the Server and Distinguished Name fields.
The base address of the LDAP server in URI format. For example:
ldap://localhost/. The special value
ldap:///defines the LDAP server of the Ubisecure Directory . This value is completed after service selection.
- Distinguished Name
The name of a directory object. This value is completed after service selection. To optimize the query, reduce the scope of the hierarchy if it is known that matches will be found in only a certain particular branch of the LDAP directory.
Search scope. One of base, one, or sub.
The object defined by the Distinguished Name value only. The user object to be mapped must be found at this level.
Exactly one level below the object defined by the Distinguished Name. The user object to be mapped must be found at this level.
Descendants of the object defined by the Distinguished Name, including the object itself. The user object to be mapped can be at any level below the object defined by the Distinguished Name.
LDAP search filter expression.
The LDAP search filter syntax is specified by RFC 2254 (http://www.rfc-editor.org/rfc/rfc2254.txt). Attribute names enclosed in curly braces are replaced with corresponding attribute values before the search. The syntax of attribute names follows the same prefix:name notation as the precondition syntax. An attribute must have exactly one single value or else the search fails.
The example above will match an LDAP user with objectclass equal to ubiloginUser and mobile attribute that matches the mobile attribute that was received from the authentication method.
The example shown in Figure 5 above will match an LDAP user with objectclass equal to ubiloginUser and description attribute that matches the custid attribute that was received from the authentication method. The mapping will only be performed if the custid method attribute contains a value.
After configuration is complete and OK has been pressed, the user mappings view (example Figure 3) shows the full LDAP query that will be executed to perform the mapping. Symbols %7D and %7B represent curly braces containing variables that will be replaced at runtime execution.
|Figure 6: Methods view|
The Methods view shows the list of available authentication methods. Selected methods are assigned with the current directory user mapping table. Each method may be assigned with at most one directory user mapping table at a time. Therefore, assigning a mapping table for a method replaces the previous assignment.
Assign the directory user mapping table with selected authentication methods