Home
Administrator Guides
Administrator Guide
Administrator Guide
SAML 2.0 based federated authentication
Unica Platform implements a SAML 2.0 based Identity Provider (IdP) that enables a single sign-on federation among Unica products or between Unica products and third party applications.
How to implement federated authentication
Perform the procedures in this section to implement SAML 2.0 based federated authentication with ExperienceOne products.
Using the IdP client façade to generate tokens and pass them to Service Providers
When a user is authenticated and wants to access the services of another SP, call the following code on the SP side.

Administrator Guides
- Administrator Guide
  - Administrator Guide
    - Unica Platform features
      Unica Platform provides security, configuration, notification, and dashboard features for Unica products.
    - Licensing - overview
    - HCL Unica user account management
      You can manage the attributes of user accounts created using Unica Platform user interface, which we refer to as internal accounts. This is in contrast to external user accounts, which are imported from an external system such as an LDAP server or web access control system.
    - Security management
      Unica Platform supports roles and permissions to control user access to objects and features in Unica applications.
    - Configuration management
      When Unica is first installed, the Configuration page shows only the properties used to configure Unica Platform and some global configuration properties. When you install additional Unica applications, the properties used to configure these applications are registered with Unica Platform. These properties are then shown on the Configuration page, where you can set or modify their values.
    - Dashboard management
      Dashboards are configurable pages that contain information useful to groups of users who fill various roles within your company. The components that make up dashboards are called portlets. Dashboards can contain pre-defined portlets or portlets that you create.
    - The HCL Unica Scheduler
      The Unica Scheduler enables you to configure a process to run at intervals that you define.
    - SAML 2.0 based federated authentication
      Unica Platform implements a SAML 2.0 based Identity Provider (IdP) that enables a single sign-on federation among Unica products or between Unica products and third party applications.
      - How to implement federated authentication
        Perform the procedures in this section to implement SAML 2.0 based federated authentication with ExperienceOne products.
        Creating the data repository
        Create two database tables, TP_MASTER and TP_MAPPING, to hold user mappings. Any schema can be used to create the tables.
        Configuring the IdP data source in the web application server
        Tomcat, WebSphere®, and WebLogic are supported web application servers for the IdP server. After the IdP server is deployed on the web application server, configure a JNDI data source to connect the IdP server with the data repository.
        Setting up the classpaths for the IBM IdP client façade
        If you want to use the IBM® IdP client façade, you must add JAR files in the classpath of your IdP server and the SPs.
        Deploying the IdP server
        The IdP-Server.war file can be deployed along with the Unica Platform WAR file in the same server, or it can be deployed separately. There is no direct dependence between these two WAR files.
        Configuring the IdP server
        The IdP server stores its keystore in its configuration to assert the SAML token coming from SPs. The configurations are stored in the IdPServerConfig.properties file under the conf folder of the web application server where the IdP server is deployed.
        Obtaining keystores and importing them into the IdP server
        To establish the trusted party assertion, individual keystores are required for each integrating application and the IdP server.
        Setting configuration properties on the Configuration page
        Set configuration properties on the Settings > Configuration page to configure federated authentication in Unica.
        Onboarding Service Providers and users
        The IdP server administrator must make one-time entries in the TP_MASTER table to onboard SPs and users.
        Using the IdP client façade to generate tokens and pass them to Service Providers
        When a user is authenticated and wants to access the services of another SP, call the following code on the SP side.
        Reference: RESTful services
        Use this information to troubleshoot issues when you use the client facade, or to develop your own SAML 2.0 implementation with the IdP server provided by IBM.
      - Related concepts
        This section provides general information about the technologies used in the ExperienceOne implementation of SAML 2.0 based federated single sign-on.
    - SAML 2.0 single sign-on
      Unica Platform supports SAML 2.0 based single sign-on.
    - Single sign-on between HCL Unica and IBM Digital Analytics
      If your organization uses IBM Digital Analytics, you can enable single sign-on between Digital Analytics and Unica.
    - Integration between HCL Unica and Windows Active Directory
      Unica Platform can be configured to integrate with Windows™ Active Directory server or another LDAP (Lightweight Directory Access Protocol) server. By integrating Unica with a directory server, you can maintain users and groups in one centralized location. Integration provides a flexible model for extending the enterprise authorization policies into Unica applications. Integration reduces support costs and the time needed to deploy an application in production.
    - Integration between HCL Unica and LDAP servers
      Unica Platform can be configured to integrate with Windows™ Active Directory server or another LDAP (Lightweight Directory Access Protocol) server. By integrating Unica with a directory server, you can maintain users and groups in one centralized location. Integration provides a flexible model for extending the enterprise authorization policies into Unica applications. Integration reduces support costs and the time needed to deploy an application in production.
    - Integration with web access control platforms
      Organizations use web access control platforms to consolidate their security systems, which provide a portal that regulates user access to web sites. This section provides an overview of Unica integration with web access control platforms.
    - Alert and notification management
      Unica Platform provides support for system alerts and user notifications sent by Unica products.
    - Implementation of one-way SSL
      This section describes one-way SSL in Unica.
    - Security framework for HCL Unica APIs
      Unica Platform provides the security framework for the APIs implemented by Unica products.
    - Data filter creation and management
      Data filters make it possible to restrict the customer data that an Unica user can view and work with in Unica applications. You can think of the data you secure with a data filter as a data set defined by the fields in your customer tables that you specify.
    - Audit event tracking in HCL Unica
      You can configure which audit events are tracked and assign a severity level to each tracked event.
    - The Unica Platform system log
      You should check the system log first if the Unica Platform application malfunctions. The system log is independent of the security audit information, which is stored in the system tables. While the system log tracks some of the same information contained in the security audit reports, it also contains information useful in troubleshooting Unica Platform.
    - Unica Platform utilities
      This section provides an overview of the Unica Platform utilities, including some details that apply to all the utilities and which are not included in the individual utility descriptions.
    - Unica Platform SQL scripts
      This section describes the SQL scripts provided with Unica Platform to perform various tasks relating to the Unica Platform system tables.
    - HCL Unica configuration properties
      This section describes the configuration properties found on the Settings & Configuration page.
    - Customization of stylesheets and images in the HCL Unica user interface
      You can customize the appearance of the user interface where most Unica product pages appear. By editing a cascading style sheet and providing your own graphics, you can change many of the images, fonts, and colors in the user interface.
- Configuration Properties Guide
- System Tables

Using the IdP client façade to generate tokens and pass them to Service Providers

When a user is authenticated and wants to access the services of another SP, call the following code on the SP side.

About this task

The code generates the federated token.


// One time properties to initialize the IdP client.
Properties properties = new Properties();
properties.put(IdPClient.IDP_SERVER_URL, "URL");
properties.put(IdPClient.IDP_CLIENT_CERTIFICATE_ISSUER, "URL");
properties.put(IdPClient.IDP_CLIENT_KEYSTORE_PATH, "JKS file path");
properties.put(IdPClient.IDP_CLIENT_KEYSTORE_PASSKEY, "JKS passkey");
properties.put(IdPClient.IDP_CLIENT_KEYSTORE_ALIAS, "Certificate alias");
// Get the IdP client factory singleton instance 
//with the specified parameters.
IdPClientFactory clientFactory = IdPClientFactory.getInstance(properties);
// Get the partition specific client facade to do the assertion.
IdPClientFacade clientFacade = clientFactory.getIdPClientFacade(partition);
// Establish SSO Login with the IdP server 
IdPClientToken token = clientFacade.doIdPLogin(clientId, forUserId, spId);

After the token is obtained, it can be passed to target SPs to access their resources based on the mapped user's roles and permissions.


// Security token is validated at Service Provider side.
IdPClientAssertion assertion = spFacade.assertIdPToken(clientId, forUserId, spId, 
token.getTokenId());
// Retrieve the principal from the assertion, if there is no exception.
String principal = assertion.getMappedUser();

The client facade is multi-tenant aware and can be used to configure each partition separately. To use this feature, append the client ID to each property name. For example:


properties.put(IdPClient.IDP_CLIENT_KEYSTORE_PATH + 
".partition1", "JKS file path"); 
properties.put(IdPClient.IDP_CLIENT_KEYSTORE_PASSKEY + 
".partition1", "JKS passkey"); 
properties.put(IdPClient.IDP_CLIENT_KEYSTORE_ALIAS + 
".partition1", "Certificate alias");

Have feedback?
Google Analytics is used to store comments and ratings. To provide a comment or rating for a topic, click Accept All Cookies or Allow All in Cookie Preferences in the footer of this page.