Network address tolerance
The SAML protocol uses the network address of the user for session tracking and message replay detection.
In many deployments, however, the network address of the user is not reliable because of Network Address Translation (NAT), HTTP proxies and other network components. Use the ServiceProvider.Netmask setting in the appSettings section of web.config to adjust how the Service Provider relies on the network address. Specify an empty value to disable network address validation completely.
Controlling resource access
Use the ASP.NET standard authorization declarations with deny and allow roles to specify access control to the resources of the web application.
In the example below, Listing 1, only authenticated users ("*") can access the resource. Anonymous, unauthenticated users ("?") will be redirected to the Ubisecure Authentication Server for authentication and presented with a login page.
Defining the User Name Attribute
By default, after authentication, the ASP.NET Context.User.Identity.Name variable contains the user principal in Distinguished Name (DN) format. In Ubisecure SSO Server version 5 or newer, this variable may optionally contain Transient or Persistent user IDs.
If the ASP.NET application requires Context.User.Identity.Name data in a different format (e.g., Firstname Lastname or samAccountName from Active Directory), this can be achieved by first creating an Authorization Policy that places the desired value in another arbitrary attribute, and then mapping this attribute to Context.User.Identity.Name. Use the ServiceProvider.UsernameAttribute setting in the web.config file to specify the name of the user attribute whose value will be returned by the ASP.NET Context.User.Identity.Name variable (see Listing 2).
In the example below (see Listing 2), the variable Context.User.Identity.Name will contain the value of the attribute username, as specified in the Authorization Policy configured for this agent in Ubisecure Server Management. Figure 1 contains an example Authentication Policy setting, where the username value is set to the email address of the user. The chosen configuration depends on the requirements of the target application. For more information on Authorization Policy usage, please refer to Manage authorization policies - SSO.
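The appSettings fragment below is an added example, not one of the page's listings, and shows the two settings described above side by side. The netmask value 255.255.0.0 is a constructed sample, and the assumption that the mask is applied to the client address before comparison is mine; the attribute name username is the one used in the text.

```xml
<configuration>
  <appSettings>
    <!-- Assumed semantics: the mask is applied to the client address before
         the Service Provider compares it for session tracking and replay
         detection. The sample /16 mask tolerates a NAT pool inside one /16
         while still rejecting responses replayed from elsewhere. -->
    <add key="ServiceProvider.Netmask" value="255.255.0.0" />

    <!-- Weakest setting: an empty value disables address validation entirely.
         Only use it when proxies or NAT make the address meaningless, because
         replay detection then loses the address check altogether.
    <add key="ServiceProvider.Netmask" value="" />
    -->

    <!-- Return the Authorization Policy attribute "username" from
         Context.User.Identity.Name instead of the default DN. -->
    <add key="ServiceProvider.UsernameAttribute" value="username" />
  </appSettings>
</configuration>
```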
Figure 1. Example Authentication Policy in Ubisecure SSO Management. Here the username attribute is set to the mail attribute of the user's account.
The Service Provider calls registered event listeners to notify the application of certain events during SAML protocol message processing.
Please refer to the API documentation for details about the following event handler interfaces (see API Documentation in SAML SP for ASP.NET application integration - SSO):
AuthnRequestEvent: This event is called when the user is attempting to access a resource but has not yet been authenticated. It allows the application designer to customize certain properties of the AuthnRequest protocol message, for example to pass the user locale to the IDP or to request a specific authentication technique dynamically at runtime.
LoginEvent: This event is called when the user has authenticated at the IDP and returned with a valid response.
LoginErrorEvent: This event is called when the user has cancelled the login at the IDP or another error has occurred during login.
LogoutEvent: This event is called when logout has been requested.
The following example, Listing 4, will redirect the user to the specified page, for example if the cancel button is pressed during the login process.
User attributes, as specified in the Authorization Policy, are accessible from the Login event. Listing 5 is a very basic example of how to access user attributes within the
For complete technical descriptions of the API interface, please refer to the API Documentation (see API Documentation in SAML SP for ASP.NET application integration - SSO).
Membership and Role Providers
ASP.NET provides a role-based security model. SAML SP for ASP.NET can optionally be configured to provide role information according to this interface (MembershipProvider and RoleProvider). The ServiceProviderRoleProvider class is an implementation of the ASP.NET RoleProvider.
For more information on the use of roles in applications, please refer to Microsoft ASP.NET documentation.
Roles defined in an Authorization Policy in Ubilogin Management will be mapped to ASP.NET roles.
Figure 2. Example Authorization Policy, Roles tab.
Figure 3. Example Authorization Policy, Attributes tab. Roles are visible as a multi-value SAML attribute called role.
Please note that the current implementation covers only the minimum feature set required for Microsoft SharePoint integration. Any features of RoleProvider that are not supported or not implemented will raise NotSupportedException errors. For example, ServiceProviderRoleProvider.CreateRole is not supported.
To use Membership and Role Providers, the configuration in Listing 6 must be added to the web.config file within the
Specifying a default role for all Authenticated users
Use the ServiceProvider.Role setting to specify the name of an ASP.NET role that is automatically associated with all users authenticated by the Service Provider. In the following example, Listing 7, all users will be assigned to a role called "UbiloginAuthenticatedUsers". This role name is arbitrary and does not need to be defined in the Authorization Policy. This role is additional to any roles received in the SAML request. This value is optional.
Access control using roles
A typical use for roles is to establish rules that allow or deny access to pages or folders. These access rules are defined in the <authorization> section of the Web.config file. The following example, Listing 8, allows users in the role ADMIN to view pages in the folder named FolderNameToBeProtected and denies access to anyone else. Multiple roles can also be specified, e.g., <allow roles="RoleA,RoleB" />.
Use the role function of Authorization Policy settings in the Ubisecure Management application to associate roles with user groups. The roles specified in Ubisecure Management are automatically mapped into ASP.NET roles. In the following example, Listing 9, unauthenticated users and users with the role VIEWLOG are forbidden access. Other authenticated users are permitted.
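The web.config fragment below is an added example (not one of the page's listings) that ties the role configuration and access rules described above together: the default role from ServiceProvider.Role, the role provider registration, the site-wide rule for unauthenticated and VIEWLOG users, and the folder rule for ADMIN. The assembly-qualified type name of ServiceProviderRoleProvider is not given on the page and appears as a placeholder; only the role provider is registered here.

```xml
<configuration>
  <appSettings>
    <!-- Role granted to every user the Service Provider authenticates,
         in addition to the roles delivered in the SAML "role" attribute. -->
    <add key="ServiceProvider.Role" value="UbiloginAuthenticatedUsers" />
  </appSettings>
  <system.web>
    <!-- Role provider registration. The type value is a placeholder; take the
         assembly-qualified name from the SAML SP for ASP.NET package. -->
    <roleManager enabled="true" defaultProvider="ServiceProviderRoleProvider">
      <providers>
        <clear />
        <add name="ServiceProviderRoleProvider"
             type="PLACEHOLDER_ASSEMBLY_QUALIFIED_NAME_OF_ServiceProviderRoleProvider" />
      </providers>
    </roleManager>
    <!-- Site-wide rules, evaluated top to bottom, first match wins:
         anonymous users ("?") are redirected to the Authentication Server,
         authenticated users holding VIEWLOG are refused,
         every other authenticated user ("*") is allowed. -->
    <authorization>
      <deny users="?" />
      <deny roles="VIEWLOG" />
      <allow users="*" />
    </authorization>
  </system.web>
  <!-- Folder rule: only ADMIN may view this folder. The explicit deny is
       required; location rules are merged ahead of the parent rules, so without
       it the site-wide <allow users="*" /> would admit other users. -->
  <location path="FolderNameToBeProtected">
    <system.web>
      <authorization>
        <allow roles="ADMIN" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```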
Determining role membership in ASP.NET
Use the Roles.IsUserInRole() function to test for role membership. See Listing 10.
Listing all user roles in ASP.NET
Use the Roles.GetRolesForUser() function to list user roles. See Listing 11.
Requesting a specific authentication method in ASP.NET
Use the RequestedAuthnContext.AuthnContextDeclRef function to request a specific method by method ID. For example, if the calling application knows which authentication method the user needs to use, this selection can be made before redirecting to the Ubisecure Server. See Listing 11.