Page tree
Skip to end of metadata
Go to start of metadata

The Groups view below presents all of the groups in the selected site.

Figure 1: The list of groups in the selected site
  • Group
    Click group name, site or description to edit the group object
  • New Group…
    Create a new group
  • Delete Group/ Check box
    Select and click Delete to delete permanently the selected groups
  • Move here
    Move a group to this site from another site


Figure 2 shows the group editor where group properties can be edited.

Figure 2: The Group editor screen
  • Name
    The name of the group object
  • Description / Update
    Description of the group object. Click Update to update the description.
  • New
    Create a new group
  • Delete
    Delete this group
  • Rename
    Rename this group


The Users view presents all of the users in the selected group.

Figure 3: List of users in the selected group
  • User name
    User name is a link to the user entity
  • Add
    Add a Ubisecure user to this group
  • Remove
    Remove the selected user(s) from this group


The Groups view presents static Ubisecure Groups that are member of the selected group.

Figure 4: The groups that belong to a group
  • Add
    Add a group or groups to this group
  • Remove
    Remove the selected group(s) from this group

Dynamic Members

The dynamic member feature allows defining the members of a group using rules that are evaluated at run-time. This feature allows dynamic groups and it is different from "traditional" static groups where the members of a group are defined one by one resulting in a static association.

The pros and cons of different group types are:

  • Static group
    • Simple and easy to understand
    • Allows complex membership that cannot be expressed by search filter
    • Large groups can be hard to manage
    • Works only within the Ubisecure Directory (not with external directories)
  • Dynamic group
    • Enables integration with external directories
    • New users added to a container are automatically members
    • Complex dynamic group expressions can be hard to review/understand

Ubisecure SSO uses dynamic groups for two main purposes:

  1. Dynamic group membership within the Ubisecure Directory
  2. To associate users authenticated in an External Directory with groups in the Ubisecure Directory

The rule used for defining dynamic members closely follows the standard LDAP URL syntax. Please refer to RFC 2255 ( for a specification of the LDAP URL syntax.

The Ubisecure SSO Management view to dynamic members simplifies editing LDAP URLs by providing access to the standard components of the LDAP URL.

In addition, the Ubisecure SSO Management view provides templates as help for the administrator when designing different kinds of dynamic member rules such as members of Ubisecure Directory and members of External Directory.

The Dynamic Member view is presented in Figure 5.

Figure 5: Configuring Group Dynamic Member
  • Server
    The base address of the LDAP server in URI format. For example: ldap://localhost/ . The special value ldap:/// defines the LDAP server of the Ubisecure Directory .
  • Distinguished Name
    The name of a directory object
  • Attributes
    Optional value. List of attributes to read from the directory object. The list elements are separated by ','
  • Scope
    Search scope. One of base, one or sub.
    • Base: The object defined by the Distinguished Name value only.
    • One: Exactly one level below the object defined by the Distinguished Name.
    • Sub: Descendants of the object defined by the Distinguished Name, including the object itself.
  • Filter
    LDAP search filter expression. For example: (objectClass=ubiloginUser) . The LDAP search filter syntax is specified by RFC 2254 (
  • Extensions
    LDAP URL extension value. Valid Ubisecure SSO extension values are:
    • x-tokengroups
      For Microsoft Active Directory external directories, resolves group membership by reading the TokenGroups operational attribute from the user's object
  • Templates
    Select a template that automatically inputs the default values for the fields above.
    • Users of Ubisecure Site
      The most common use case for dynamic members within the Ubisecure Directory is Users of Ubisecure Site. This use case is implemented by defining the distinguished name of a Ubisecure Site and the search scope one or sub.
      Example: ldap:///ou=Users,cn=Ubilogin,dc=localhost??sub?objectclass=ubiloginUser
      → This adds all users below the Users site as members of the group
    • User in External Directory
      Add a single external user. Specify a LDAP URL where the DN identifies the user and search scope is base, leave the other fields empty.
      Example: ldap://localhost/uid=user1,ou=users??base
    • Users of External Directory Branch
      Add all users of a directory branch. Specify a LDAP URL where the DN identifies a container, search scope is one or sub and optionally define a search filter.
      Example: ldap://localhost/ou=users??one?objectclass=person
    • Members of External Directory Group
      Members of a group defined in external directory. This integration method is available if the group in the external directory has an attribute that lists the members of the group. This integration method does not resolve external dynamic groups or a group including group relationships.
      Specify a LDAP URL where the DN identifies the group, the attribute defines the name of the attribute that lists the members, search scope is base.
      Example: ldap://localhost/cn=group1,ou=users?member?base
    • Members of Active Directory
      GroupMembers of a group defined in Active Directory. This integration method is available for Active Directory external directories. This integration method resolves the transitive group memberships for the given group.
      Specify a LDAP URL where the DN identifies the group, the attribute defines the binary objectSid attribute, search scope is base, x-tokengroups is included in the set of extensions.
      Example: ldap://localhost/cn=group1,ou=users?objectSid;binary?base??x-tokengroups

Attribute Members

The Attribute Members feature enables defining group memberships based on attributes received during authentication. Users can be mapped to groups dynamically at run-time based on the logical queries about the presence or absence of user and methods attributes as well as their values.

An example is shown in Figure 6. Users can sign in using two different authentication methods – HST card, based on Certificate Authentication Provider, or TUPAS. TUPAS allows both individuals and companies to authenticate. First, Method Attribute Mapping is used to ensure the Personal Identity Number is in the same format and present in same variable name (hetu). Next, Users with the variable hetu are assigned dynamically to the group Persons. Authentication by persons using corporate bank accounts, which contain the variable y-tunnus, are assigned dynamically to the group Organizations.

example of group membership based on attributes

Figure 6: Example of group membership based on attributes

The pros and cons of the attribute members feature are:

  • Allows assigning group memberships for unregistered users
  • Allows external management of group members
  • Membership is independent of user repositories
  • Forfeits control of individual group members

Attribute membership is defined as one or more preconditions. Each precondition is shown as an entry in attribute members view. User is considered as a member of the group if any of precondition entries is evaluated to true.
Precondition syntax follows the LDAP search filter syntax with minor modifications. The LDAP search filter syntax is specified by RFC 2254 ( Modifications are as follows:

  • Equality is the only supported matching operation
  • Supported logical operations include AND, OR, and NOT
  • Asterisk is the only supported wildcard. Asterisk evaluates to true if defined attribute has any value.
  • Attribute name is defined as prefix:name, where possible prefixes are following:
    • method
      Attribute name refers to a method attribute
      For example: method:organization=organizationA
    • subject
      Attribute name refers to a subject attribute. Possible subject attributes are following:
      • format
        Refers to subject format
      • username
        Refers to subject username
      • namequalifier
        Refers to subject namequalifier

The most common attribute membership precondition is a simple equality match of a method attribute.

Attribute membership is only evaluated for the current user if the authentication method that the user is signing in with is also selected in the Allowed Methods tab. (Applies to version 5.0.3 and higher)

NOTE: Whitespaces may break the precondition syntax, please be careful when using them.

Member Of

The Member Of view presents the static groups that this group is member of.

Figure 7: The Member Of - view of a group
  • Add
    Add new groups
  • Remove
    Remove the memberships of the selected group(s)

Allowed Applications

The Allowed Applications view presents all those Applications that this group has access to by the Allowed To list association.

Figure 8: The list of applications the selected group has access to
  • Add
    Add this group to applications access control list
  • Remove
    Remove this group from selected application(s) access control list

Allowed Methods

By selecting authentication methods for this group you can configure that unregistered users belong to the selected group. An unregistered user is one that has its user identity stored in an external authentication service.

Figure 9: Selecting unregistered users behind authentication services for the selected group
  • Update / Check box
    Select or deselect the users behind authentication services

NOTE: Unregistered users represent the user identities stored in external authentication services. By selecting methods in this view, all users authenticated in external authentication services belong to this group.


The Authorization view (see Figure 10) presents the Authorization policies associated with the selected group.

Figure 10: Authorization policies related to the selected group

The authorization policies that are associated with this group can be managed in the site's authorization view. Please refer to page Manage authorization policies - SSO.

  • No labels