
UsernameUserMapping is a legacy feature that allows unregistered users to be mapped to UbiloginDirectory users based on the username of the unregistered user. Because the same use case can be implemented with Directory User Mappings, which offer much more flexible configuration, UsernameUserMapping is nowadays considered deprecated.

The feature causes an extra LDAP search against UbiloginDirectory to be performed during each login with an unregistered authentication method. Disabling UsernameUserMappingIdentityFactory prevents this search from being performed. Disabling UsernameUserMappingIdentityFactory is recommended in 8.4.1 and later versions, unless the UsernameUserMapping feature is actually in use.

In 8.4.X and older versions UsernameUserMappingIdentityFactory is enabled by default. In upcoming versions it will be disabled by default and must be explicitly enabled with the flag EnableUsernameUserMapping if it is needed.

How to examine if UsernameUserMapping is in use

One option is to check the diag logs for entries that contain the text "UsernameUserMappingIdentityFactory.createIdentities". The drawback is that these entries are only written when the diag.identity log is set to debug level, so their absence proves nothing unless debug logging was enabled. A more robust option is to check for UsernameUserMapping configuration objects directly in UbiloginDirectory. Both methods are described below.

If UsernameUserMapping is in use and it is not possible to disable it without preventing users from logging in, then EnableUsernameUserMapping can be added to the server compatibility flags to retain backwards compatibility in upcoming versions.

However, as the feature is deprecated and may be removed at some point in the future, it is advisable to migrate to, for example, Directory User Mappings instead. If questions about this arise, please contact Ubisecure Support and state that the question is about disabling UsernameUserMapping.

Checking for the diag log entries written during UsernameUserMapping

When the search performed during UsernameUserMapping returns a result (and the diag.identity log is set to debug level), the following diag log entry is written. If there is even one log entry similar to this one, then UsernameUserMapping is in use.

Diag log entry for an existing UsernameUserMapping entry
2019-11-27 12:15:05,932 identity UsernameUserMappingIdentityFactory.createIdentities:Identity[UBILOGIN&tupas.op.1&<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" NameQualifier="ldap:///cn=Ubilogin,dc=test">CN=User1,OU=test,CN=Ubilogin,DC=test</saml:NameID>]

When the search performed during UsernameUserMapping returns no results (and the diag.identity log is set to debug level), the following diag log entry is written. If there are only log entries similar to this one and none similar to the one above, then UsernameUserMapping is not in use.

Diag log entry for a non-existing UsernameUserMapping entry
019-11-14 10:19:16,661 identity UsernameUserMappingIdentityFactory.createIdentities
login.InvalidUserException: The user was not found
	at ubilogin.directory.Locator.inner_findUbiloginAuthMapping(Locator.java:242)
	at ubilogin.directory.Locator.access$200(Locator.java:32)
	at ubilogin.directory.Locator$3.get(Locator.java:216)
	at ubilogin.directory.Locator$3.get(Locator.java:213)
	at com.ubisecure.util.cache.ExpiringCache.get(ExpiringCache.java:64)
	at ubilogin.directory.Locator.findUbiloginAuthMapping(Locator.java:211)
	at attributes.identity.UsernameUserMappingIdentityFactory.searchUbiloginIdentityByAuthMapping(UsernameUserMappingIdentityFactory.java:75)
	at attributes.identity.UsernameUserMappingIdentityFactory.createIdentities(UsernameUserMappingIdentityFactory.java:58)
	at ubilogin.UbiloginIdentityFactory.createIdentities(UbiloginIdentityFactory.java:127)
	at com.ubisecure.ubilogin.sso.ui.conversation.authn.UbiloginAuthenticationRequest.updateSession(UbiloginAuthenticationRequest.java:513)
	at com.ubisecure.ubilogin.sso.ui.conversation.authn.UbiloginAuthenticationRequest.assertAccessAllowed(UbiloginAuthenticationRequest.java:533)
	at com.ubisecure.ubilogin.sso.ui.servlet.ReturnServlet.agentMethodService(ReturnServlet.java:128)
	at com.ubisecure.ubilogin.sso.ui.servlet.ReturnServlet.service(ReturnServlet.java:179)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.ubisecure.saml2.trace.TraceServlet.doFilter(TraceServlet.java:58)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at servlet.ContextFilter.doFilter(ContextFilter.java:46)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.ubisecure.util.filter.ProxyFilter.doFilter(ProxyFilter.java:185)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.ubisecure.util.filter.SetEncodingFilter.doFilter(SetEncodingFilter.java:54)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:185)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
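To apply the two log checks above across a whole diag log rather than by eye, the following is an added example script; it is not part of the original page or of Ubisecure's software. It assumes a line-based diag log with the two entry shapes shown above, and the embedded sample log is constructed for the demonstration.

```python
import re
from typing import Iterable

# Marker written by the identity factory on every UsernameUserMapping lookup
# when diag.identity is at debug level (the two entry shapes shown above).
MARKER = "UsernameUserMappingIdentityFactory.createIdentities"
# Hit: the lookup resolved to an UbiloginDirectory identity on the same line.
HIT_RE = re.compile(r"createIdentities:Identity\[(.*)\]\s*$")
# Miss: the marker line is followed by InvalidUserException and a stack trace.
MISS_RE = re.compile(r"login\.InvalidUserException: The user was not found")


def classify_diag_log(lines: Iterable[str]) -> dict:
    """Count hits (user mapped) and misses (nothing found); only hits prove use."""
    result = {"hits": 0, "misses": 0, "identities": []}
    pending_miss = False
    for line in lines:
        if line.lstrip().startswith("at "):
            continue  # stack-trace line; may itself contain the marker text
        if MARKER in line:
            match = HIT_RE.search(line)
            if match:
                result["hits"] += 1
                result["identities"].append(match.group(1))
                pending_miss = False
            else:
                pending_miss = True  # exception expected on the next line
        elif pending_miss and MISS_RE.search(line):
            result["misses"] += 1
            pending_miss = False
    return result


def username_user_mapping_in_use(lines: Iterable[str]) -> bool:
    """True only if at least one lookup produced a mapped identity."""
    return classify_diag_log(list(lines))["hits"] > 0


# Constructed sample mirroring the page's two entry shapes (trace shortened).
SAMPLE_LOG = """\
2019-11-14 10:19:16,661 identity UsernameUserMappingIdentityFactory.createIdentities
login.InvalidUserException: The user was not found
\tat ubilogin.directory.Locator.inner_findUbiloginAuthMapping(Locator.java:242)
\tat attributes.identity.UsernameUserMappingIdentityFactory.createIdentities(UsernameUserMappingIdentityFactory.java:58)
2019-11-27 12:15:05,932 identity UsernameUserMappingIdentityFactory.createIdentities:Identity[UBILOGIN&tupas.op.1&<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName" NameQualifier="ldap:///cn=Ubilogin,dc=test">CN=User1,OU=test,CN=Ubilogin,DC=test</saml:NameID>]
"""

if __name__ == "__main__":
    import sys  # usage: python check_uum.py /path/to/diag.log
    with open(sys.argv[1], encoding="utf-8") as fh:
        print(classify_diag_log(fh))
```

A non-zero hit count lists the identities that were actually mapped, which is the evidence to review before deciding whether DisableUsernameUserMapping can be set.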

Checking for UsernameUserMapping configuration objects in UbiloginDirectory

The most reliable way to find out whether the UsernameUserMapping feature is in use is to check whether UbiloginDirectory contains any objects with objectClass=ubiloginAuthMethod that have a value set in the attribute ubiloginAuthMapping. This can be done, for example, by running the following command in a terminal. If it prints nothing, the feature is certainly not in use and DisableUsernameUserMapping can safely be set in the server compatibility flags.

Linux
ubilogin/ldap/openldap/export.sh -LLL "(&(objectClass=ubiloginAuthMethod)(ubiloginAuthMapping=*))"
Windows
ubilogin\ldap\adam\export.cmd -r "(&(objectClass=ubiloginAuthMethod)(ubiloginAuthMapping=*))" >nul & type export.ldif

Configuration

The configuration is done using one of the following flags, which can be set in the server compatibility flags.

DisableUsernameUserMapping

UsernameUserMappingIdentityFactory is disabled for all authentication methods.

EnableUsernameUserMapping

UsernameUserMappingIdentityFactory is enabled for all authentication methods.

Example 1: Set DisableUsernameUserMapping for the server using SSO Management UI.

  1. Select "Server" tab.
  2. Add DisableUsernameUserMapping to Server Compatibility Flags.
  3. Press Update.
