Certain user groups often need to authenticate to CustomerID with a method that applies only to that group. Such group-specific methods should not be shown to other users, for both usability and security reasons. The configuration below shows one such case: administrators who authenticate to CustomerID using the internal Windows Authentication Provider (WinAP).
In short: the authentication method is hidden from the SSO login menu of the CustomerID agents using the template system. Then a CustomerID protection configuration is created that accepts only the internal authentication method and names the URL within CustomerID to which the user is forwarded after login.
In the example below the method that is hidden from the authentication menu but usable through the smartlink is called win.ap.1. This guide assumes that win.ap.1 has already been configured correctly, including the directory user mapping to the respective CustomerID administrators.
- Create an SSO template for the smartlink use case. The template is called smartlink in this guide.
- Open the file <SSO-install-dir>/ubilogin/custom/template.index and add the line 'smartlink = templates/smartlink.properties'.
- Go to the directory 'templates' under the same custom directory. It contains a file called default.properties. Make a copy of it with the name smartlink.properties.
- Open smartlink.properties. It should contain only the line '@import = sso7'. Add a method menu rules definition: 'methodmenu.rules = smartlink.rules'.
- Create a file called 'smartlink.rules' in the templates directory and add the following two lines to it (replace DC=test with the proper DN suffix of your directory):
    dn: CN=eidm2,OU=eIDM Services,CN=Ubilogin,DC=test
    hide: win.ap.1
- Open the eidm agent view in SSO management and add the smartlink template to the template field values. Do the same for the workflow agent. Check that both agents also have the win.ap.1 method enabled in the methods view: the rules file only hides the method from the menu, it does not enable it.
- Create a protection configuration in CustomerID for the smartlink.
- Open the file <CustomerID-install-dir>/application/custom/protection.properties.
- Each protection configuration is prefixed with protection.N. Use the next value of N that is not already in use for the smartlink configuration.
- Use the following configuration for the smartlink protection:
    protection.N.methods = win.ap.1
    protection.N.sso.template = smartlink
    protection.N.customeriduseronly = false
    protection.N.continue = https://<CID-baseaddress>/eidm2/wf/admin
- Accessing the URL https://<CID-baseaddress>/eidm2/wf/protection/N should now take the user automatically to WinAP and, after successful authentication, back to the CustomerID administration interface at the continue URL. Note that hiding win.ap.1 from the menu is only a presentation change; the protection.N.methods value is what restricts this entry point to win.ap.1, so keep the two settings in sync when the method name changes.
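The template and protection steps above, scripted so that they can be repeated and checked. This is an added example, not part of the Ubisecure CustomerID or SSO distribution. It assumes the two custom directories named above are passed in as arguments, that the DN suffix replacing DC=test and the CustomerID base address are known, and that protection.properties uses the 'protection.N.key = value' layout shown in the text; the method names in the test data are constructed.

```shell
#!/bin/sh
# Added example (not Ubisecure's own tooling): automate the smartlink
# template and protection configuration described above.

# Create the smartlink SSO template under <SSO-install-dir>/ubilogin/custom:
# register it in template.index, copy default.properties and point the
# menu rules at smartlink.rules, which hides win.ap.1 for the eidm2 agent.
# $1 = custom directory, $2 = DN suffix that replaces DC=test (assumption).
setup_smartlink_template() {
    custom=$1 dn_suffix=$2
    tpl="$custom/templates"
    # Register the template once; a second run must not duplicate the line.
    grep -q '^smartlink *= *templates/smartlink.properties$' "$custom/template.index" 2>/dev/null \
        || echo 'smartlink = templates/smartlink.properties' >> "$custom/template.index"
    cp "$tpl/default.properties" "$tpl/smartlink.properties"
    echo 'methodmenu.rules = smartlink.rules' >> "$tpl/smartlink.properties"
    printf 'dn: CN=eidm2,OU=eIDM Services,CN=Ubilogin,%s\nhide: win.ap.1\n' "$dn_suffix" \
        > "$tpl/smartlink.rules"
}

# Print the next free N for protection.N.* in protection.properties
# (1 if the file is missing or has no protection entries yet).
next_protection_index() {
    [ -f "$1" ] || { echo 1; return 0; }
    awk -F. 'BEGIN { max = 0 }
             /^protection\.[0-9]+\./ { if ($2 + 0 > max) max = $2 + 0 }
             END { print max + 1 }' "$1"
}

# Append the smartlink protection block and print the index it was given.
# $1 = protection.properties, $2 = CustomerID base address (assumption).
add_smartlink_protection() {
    props=$1 base=$2
    n=$(next_protection_index "$props")
    {
        echo ''
        echo "# smartlink: administrators log in with WinAP only, then land in /wf/admin"
        echo "protection.$n.methods = win.ap.1"
        echo "protection.$n.sso.template = smartlink"
        echo "protection.$n.customeriduseronly = false"
        echo "protection.$n.continue = https://$base/eidm2/wf/admin"
    } >> "$props"
    echo "$n"
}

# Print the methods accepted at protection.N. Hiding the method in the menu
# is cosmetic; this value is what actually restricts the entry point, so it
# is the thing to check after editing the file.
protection_methods() {
    sed -n "s/^protection\.$2\.methods *= *//p" "$1"
}
```

Run setup_smartlink_template against the SSO custom directory, then add_smartlink_protection against the CustomerID protection.properties; the printed index is the N to use in the /eidm2/wf/protection/N URL. The agents still have to be edited in SSO management as described above.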