Transact Services Guide (TSG)
SSO Get Authentication Token

Dynamic Groovy Services Only

This service provides a script to retrieve an SSO token from a request. It is called by the Journey Manager SSOAuthenticationFilter to obtain the SSOAuthenticationToken when an unauthenticated request attempts to access a protected resource.

This script is configured via the Security Manager 'SSO Auth Filter' tab.

Script Interface

/** Provides a Groovy script to get an SSOAuthenticationToken from a request.
    The returned SSOAuthenticationToken will then be processed by the configured AuthenticationProvider(s).

    Script parameters include:
        request : javax.servlet.http.HttpServletRequest
        portal : com.avoka.fc.core.entity.Portal
        securityManager : com.avoka.fc.core.entity.SecurityManager

    Script return:
        SSO auth token, or if null then other Authentication filters will be executed : com.avoka.fc.core.security.SSOAuthenticationToken

    Script throws:
        redirect exception to redirect to an external login page : com.avoka.fc.core.servlet.RedirectException
*/

Service Invoke Parameters

Parameter        Description                                     Optional
request          the HTTP request made by the user               no
portal           the portal associated with the user's request   no
securityManager  the security manager configuration entity       no

Error Handling

This Groovy script is executed by the SSOAuthenticationFilter. If the SSO authentication token is not present in the request, the script should redirect the user to the external authentication provider's login page by throwing a RedirectException.

If a different system authentication error occurs, the script can throw an AuthenticationException. The SSOAuthenticationFilter will then clear the SecurityContextHolder and store the exception in the request attribute WebAttributes.AUTHENTICATION_EXCEPTION.

Examples

Cookie Based SSO

The example script below gets the HTTP session cookie IM-AUTH-TOKEN from the request. If this value is present, the user has been logged in by the SSO identity manager. If the cookie is not present, the user is redirected to the SSO identity manager login page by throwing a RedirectException.

When the user is authenticated, the script gets the user's login name and some user profile attributes from secure cookie values. It then creates an SSOAuthenticationToken with the username and profile attributes set and returns it. This SSOAuthenticationToken is subsequently passed to the configured AbstractUserDetailsAuthenticationProvider, which performs user account creation steps if required and establishes the login session.

Once the Spring login session has been established, this script will not need to be executed again until the user has logged out.

/** Provides a Groovy script to get an SSOAuthenticationToken from a request. 
    The returned SSOAuthenticationToken will then be processed by the configured AuthenticationProvider(s).

    Script parameters include: 
        request : javax.servlet.http.HttpServletRequest
        portal : com.avoka.fc.core.entity.Portal
    
    Script return:
        SSO auth token, or if null then other Authentication filters will be executed : com.avoka.fc.core.security.SSOAuthenticationToken
    
    Script throws:
        redirect exception to redirect to an external login page : com.avoka.fc.core.servlet.RedirectException
*/
import org.apache.click.util.ClickUtils
import com.avoka.fc.core.security.SSOAuthenticationToken
import com.avoka.fc.core.servlet.RedirectException

def authToken = ClickUtils.getCookieValue(request, 'IM-AUTH-TOKEN')

if (authToken != null) {
    def username = ClickUtils.getCookieValue(request, 'IM-USER-ID')
    
    def attributes = [:]
    attributes['email'] = ClickUtils.getCookieValue(request, 'IM-USER-EMAIL')
    attributes['firstName'] = ClickUtils.getCookieValue(request, 'IM-USER-FIRST-NAME')
    attributes['lastName'] = ClickUtils.getCookieValue(request, 'IM-USER-LAST-NAME')
    
    return new SSOAuthenticationToken(username, attributes)
    
} else {
    throw new RedirectException('https://login.mycorp.com/?return=forms.mycorp.com/forms/secure/account/home.htm')
}
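The following script is an added example, not code from the original page or from Journey Manager itself. It applies the contract from the Error Handling section to the cookie-based approach above: a missing IM-AUTH-TOKEN is a "not logged in" state and redirects, whereas a token that is present without a usable IM-USER-ID cookie is treated as a system authentication error and raised as a Spring Security AuthenticationException so the filter clears the SecurityContextHolder instead of the script building a token with a null username. The login URL, the username pattern and the profile cookie names are assumptions for illustration.

```groovy
/** Added example (not from the page): cookie-based SSO token retrieval with the
    Error Handling contract applied. Script parameters are request, portal and
    securityManager as in the script interface above. */
import java.net.URLEncoder
import org.apache.click.util.ClickUtils
import org.springframework.security.authentication.AuthenticationServiceException
import com.avoka.core.groovy.SecurityLogger as logger
import com.avoka.fc.core.security.SSOAuthenticationToken
import com.avoka.fc.core.servlet.RedirectException

// Assumed identity-manager login page (placeholder host); the requested URL is
// passed back URL-encoded so it cannot break out of the query string.
final String LOGIN_URL = 'https://login.example.com/?return='

String authToken = ClickUtils.getCookieValue(request, 'IM-AUTH-TOKEN')

// 1. No SSO token: the user has not been through the identity manager yet.
//    RedirectException is the contract for this case.
if (!authToken) {
    logger.info "No IM-AUTH-TOKEN cookie, redirecting to the identity manager"
    String returnUrl = URLEncoder.encode(request.requestURL.toString(), 'UTF-8')
    throw new RedirectException(LOGIN_URL + returnUrl)
}

// 2. Token present but the identity cookie that must accompany it is missing or
//    not shaped like a login name (assumed pattern). This is a system error, not
//    a "not logged in" state, so raise an AuthenticationException: the
//    SSOAuthenticationFilter clears the SecurityContextHolder and stores the
//    exception under WebAttributes.AUTHENTICATION_EXCEPTION.
String username = ClickUtils.getCookieValue(request, 'IM-USER-ID')
if (!username || !(username ==~ /[A-Za-z0-9._@-]{1,128}/)) {
    logger.info "IM-AUTH-TOKEN present but IM-USER-ID is missing or malformed"
    throw new AuthenticationServiceException('SSO identity cookies are incomplete')
}

// 3. Profile attributes are optional: copy only the cookies that are actually
//    set so the provider never receives null-valued attribute entries.
Map<String, String> attributes = [:]
[email: 'IM-USER-EMAIL', firstName: 'IM-USER-FIRST-NAME', lastName: 'IM-USER-LAST-NAME']
    .each { String key, String cookieName ->
        String value = ClickUtils.getCookieValue(request, cookieName)
        if (value) {
            attributes[key] = value
        }
    }

return new SSOAuthenticationToken(username, attributes)
```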

SAML2 (Security Assertion Markup Language) Based SSO - ADFS

The example script below gets the HTTP request parameter SAMLResponse from the request (HttpServletRequest). A SAML Response is sent by an Identity Provider (such as a Microsoft ADFS server) to a Service Provider (Journey Manager).

The script first checks whether the request carries a SAMLResponse. If it does not, the script sends the browser to the Identity Provider, where the user authenticates.

The Identity Provider then initiates an HTTP POST from the user's browser to Journey Manager (the Service Provider). Note that the Identity Provider can POST the SAML Response directly to Journey Manager without being redirected to it first. An instance of Saml2Parser is created, which first Base64-decodes the SAML Response, converting the raw response to XML. The parser then validates and parses the response and returns a Saml2ParserResult.

When the user has authenticated successfully, the script returns result.ssoAuthToken, an SSOAuthenticationToken with the username and profile attributes set. This SSOAuthenticationToken is subsequently passed to the configured AbstractUserDetailsAuthenticationProvider, which performs user account creation steps if required and establishes the login session.

Once the Spring login session has been established, this script will not need to be executed again until the user has logged out.

/** Provides a Groovy script to get an SSOAuthenticationToken from a request. 
   The returned SSOAuthenticationToken will then be processed by the configured AuthenticationProvider(s).

   Script parameters include: 
       request : HttpServletRequest
       portal : Portal
       securityManager : SecurityManager
   
   Script return:
       SSO auth token, or if null then other Authentication filters will be executed : SSOAuthenticationToken
   
   Script throws:
       redirect exception to redirect to an external login page : RedirectException
*/
import com.avoka.core.groovy.SecurityLogger as logger

import com.avoka.tm.security.*
import com.avoka.fc.core.util.RedirectUtils
import com.avoka.fc.core.util.PortalUtils
import com.avoka.fc.core.entity.SecurityManager
import com.avoka.fc.core.servlet.RedirectException

// No SAML token on this request: store the entry URL in the session (it is used by the
// Auth Ok Response script) and return null so the remaining authentication filters run.
if (!Saml2Parser.hasSamlToken(request)) {
   logger.info "No SAML Token, Storing sessionEntryUrl and redirecting to ADFS server"
   RedirectUtils.storeSessionEntryUrl(request)
   return null
}

// Decode, validate and parse the SAML Response using the certificate and keystore
// configured on the Security Manager. Note that skipResponseSignatureValidation()
// disables checking the signature on the outer Response element; keep it only if
// your Identity Provider does not sign the Response.
Saml2ParserResult result = new Saml2Parser()
                          .setValidationCertData(securityManager.getSsoValidatorCertData())
                          .setKeystoreData(securityManager.getSsoKeystoreData())
                          .setKeystorePassword(securityManager.getSsoKeystorePassword())
                          .setPrivateKeyAlias(securityManager.getSsoPrivateKeyAlias())
                          .setPrivateKeyPassword(securityManager.getSsoPrivateKeyPassword())
                          .setGroupAttribName("http://schemas.xmlsoap.org/claims/Group")
                          .skipResponseSignatureValidation()
                          .parse(request)

if (result.isValid) {
   return result.ssoAuthToken

} else {
    // Validation failed: log the details at debug level and send the user to the
    // portal's not-authorized page.
    logger.debug result.debugLog
    logger.info result.error
    logger.debug result.responseRaw

    logger.info "Redirecting to " + PortalUtils.getNotAuthorizedPath(portal)
    throw new RedirectException(PortalUtils.getNotAuthorizedPath(portal))
}
Copyright © 2003-2022 Temenos Headquarters SA