SSO Authentication Provider
Provides a Groovy script encapsulating SSO authentication logic which is executed by the GroovyUserDetailsAuthenticationProvider configured for the security manager.
This script is configured via the Security Manager's 'Authentication Providers' tab.
Script Interface
```groovy
/** Provides a Groovy script to return the AccountUserDetails for the given log-in attempt.
The returned SSOAuthenticationToken will then be processed by the configured AuthenticationProvider(s).
Script parameters include:
username : string
authentication : <a target="_blank" href="../../javadoc/com/avoka/fc/core/security/SSOAuthenticationToken.html">SSOAuthenticationToken</a>
authParameters: <a target="_blank" href="http://docs.oracle.com/javase/7/docs/api/java/util/Map.html">Map</a><String, String>
portal : <a target="_blank" href="../../javadoc/com/avoka/fc/core/entity/Portal.html">Portal</a>
securityManager : <a target="_blank" href="../../javadoc/com/avoka/fc/core/entity/SecurityManager.html">SecurityManager</a>
Script returns:
the user account details : <a target="_blank" href="../../javadoc/com/avoka/fc/core/security/AccountUserDetails.html">AccountUserDetails</a>
Script throws:
<a target="_blank" href="http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/authentication/BadCredentialsException.html">BadCredentialsException</a> : if the user credentials were invalid
<a target="_blank" href="http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/core/userdetails/UsernameNotFoundException.html">UsernameNotFoundException</a> : if the user was not found
<a target="_blank" href="http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/authentication/AuthenticationServiceException.html">AuthenticationServiceException</a> : if a system authentication service error occurred
<a target="_blank" href="../../javadoc/com/avoka/fc/core/security/AccountNotActiveException.html">AccountNotActiveException</a> : if the user account is not active
<a target="_blank" href="../../javadoc/com/avoka/fc/core/security/NotPortalAccountException.html">NotPortalAccountException</a> : if the user account is not associated with the portal
*/
```
Service Invoke Parameters
Parameter | Description | Optional |
---|---|---|
username | the user login name, or login identifier | no |
authentication | the SSO authentication token | no |
authParameters | a map of Authentication Provider configuration parameter values, keyed on parameter name | no |
portal | the portal associated with the user's request | no |
securityManager | the SecurityManager configuration entity | no |
Error Handling
If an unexpected system error occurs, your script should throw an AuthenticationServiceException, which will be recorded in the Journey Manager database error log.
Other exceptions are used to convey why the authentication attempt failed:
- BadCredentialsException : if the user credentials were invalid
- UsernameNotFoundException : if the user was not found
- AccountNotActiveException : if the user account is not active
- NotPortalAccountException : if the user account is not associated with the portal
Example
The script below provides an example SSO authentication provider script. Please note this script assumes the user has been successfully authenticated by a separate SSO identity management system, and a valid SSO authentication token is provided to this service.
This script performs a lookup to see if the linking SSO user account already exists in the Journey Manager database.
If the user account is found, a Spring AccountUserDetails object referencing the user account record and the granted authorities (groups) from the authentication token is created. This object will then be used to initialize the authenticated user session. The granted authorities can be used to enable form group access control to restricted forms by mapping provided SSO groups onto Journey Manager form groups.
If a linking SSO user account doesn't exist in the Journey Manager database, one is created using the UserService.createSsoUserAccount method. The returned user account object is used to initialize an AccountUserDetails object, which is then returned.
```groovy
/** Provides a Groovy script to return the AccountUserDetails for the given log-in attempt.
The returned SSOAuthenticationToken will then be processed by the configured AuthenticationProvider(s).
Script parameters include:
username : string
authentication : com.avoka.fc.core.security.SSOAuthenticationToken
portal : com.avoka.fc.core.entity.Portal
Script return:
the user account details : com.avoka.fc.core.security.AccountUserDetails
Script throws:
org.springframework.security.authentication.BadCredentialsException : if the user credentials were invalid
org.springframework.security.core.userdetails.UsernameNotFoundException : if the user was not found
org.springframework.security.authentication.AuthenticationServiceException : if a system authentication service error occurred
com.avoka.fc.core.security.AccountNotActiveException : if the user account is not active
com.avoka.fc.core.security.NotPortalAccountException : if the user account is not associated with the portal
*/
import com.avoka.fc.core.dao.UserAccountDao
import com.avoka.fc.core.service.ServiceFactory
import com.avoka.fc.core.security.AccountUserDetails
import com.avoka.fc.core.security.AccountNotActiveException
import org.springframework.security.authentication.AuthenticationServiceException

// Exit early if no authentication token is present
if (authentication == null) {
    throw new AuthenticationServiceException("Missing authentication token")
}

// Get user profile information from the authentication token attributes
def attributes = authentication.getAttributes()
def email = attributes["email"]
def firstName = attributes["firstName"]
def lastName = attributes["lastName"]

def profileMap = [:]
profileMap["Email"] = email
profileMap["Given Name"] = firstName
profileMap["Family Name"] = lastName

// Get the user's granted authorities (Journey Manager groups) from the authentication token
def authorities = authentication.getAuthorities()

def userService = ServiceFactory.getUserService(portal)
def userAccountDao = new UserAccountDao()
def userAccount = userAccountDao.getActiveUserAccountForLogin(username)

// Existing user: ensure the account is not locked, then update its profile and portal association
if (userAccount != null) {
    // Clear a temporary lock if needed
    userService.updateLockStatus(userAccount)
    if (!userAccount.isActive()) {
        throw new AccountNotActiveException("Account not active: ", userAccount.getAccountStatus())
    }
    if (userAccount.isEmailVerificationRequired()) {
        throw new AccountNotActiveException("Account requires email verification", "")
    }
    userService.updateActiveUserProfile(userAccount, profileMap)
    userService.addPortalForUser(userAccount, portal)
    return new AccountUserDetails(userAccount, authorities)
}

// User account not found: create a new SSO-linked account
def newAccount = userService.createSsoUserAccount(username, email, firstName, lastName, profileMap)
return new AccountUserDetails(newAccount, authorities)
```
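The following is an added variant of the script above (example code, not from this page or the product), showing two things the description mentions but the example leaves out: rejecting a token that lacks the attributes an account record needs, and mapping SSO group names onto Journey Manager group names through an Authentication Provider parameter read from authParameters. The parameter name groupMapping and its "ssoGroup=JMGroup;..." format are assumptions; the product calls are the same ones used in the script above.

```groovy
import com.avoka.fc.core.dao.UserAccountDao
import com.avoka.fc.core.service.ServiceFactory
import com.avoka.fc.core.security.AccountUserDetails
import com.avoka.fc.core.security.AccountNotActiveException
import org.springframework.security.authentication.AuthenticationServiceException
import org.springframework.security.authentication.BadCredentialsException
import org.springframework.security.core.authority.SimpleGrantedAuthority

if (authentication == null) {
    throw new AuthenticationServiceException("Missing authentication token")
}
def attributes = authentication.getAttributes()
def email = attributes["email"]
// A token without the attributes the account record needs is an invalid
// credential, not a system error, so it is reported as BadCredentialsException
if (!username || !email) {
    throw new BadCredentialsException("SSO token is missing username or email")
}

// Hypothetical Authentication Provider parameter "groupMapping" (assumed, not a
// product parameter), e.g. "sso-finance=Finance Forms;sso-hr=HR Forms", mapping
// SSO group names onto Journey Manager group names. Unmapped SSO groups are
// dropped so an unexpected upstream group never grants form access by accident.
def groupMap = [:]
(authParameters["groupMapping"] ?: "").split(";").each { pair ->
    def parts = pair.split("=", 2)
    if (parts.length == 2) groupMap[parts[0].trim()] = parts[1].trim()
}
def authorities = authentication.getAuthorities()
        .collect { groupMap[it.getAuthority()] }
        .findAll { it != null }
        .collect { new SimpleGrantedAuthority(it) }

def profileMap = ["Email": email, "Given Name": attributes["firstName"],
                  "Family Name": attributes["lastName"]]
def userService = ServiceFactory.getUserService(portal)
def userAccount = new UserAccountDao().getActiveUserAccountForLogin(username)
if (userAccount != null) {
    userService.updateLockStatus(userAccount)
    if (!userAccount.isActive()) {
        throw new AccountNotActiveException("Account not active: ", userAccount.getAccountStatus())
    }
    userService.updateActiveUserProfile(userAccount, profileMap)
    userService.addPortalForUser(userAccount, portal)
    return new AccountUserDetails(userAccount, authorities)
}
def newAccount = userService.createSsoUserAccount(username, email,
        attributes["firstName"], attributes["lastName"], profileMap)
return new AccountUserDetails(newAccount, authorities)
```

Because only mapped groups become granted authorities, the form group access control described above is driven by the provider configuration rather than by whatever group names the upstream SSO system happens to send.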