Skip to main content

Version: 23.10

SSO Authentication Provider

note

This service type is for dynamic Groovy services only.

Provides a Groovy script encapsulating SSO authentication logic which is executed by the GroovyUserDetailsAuthenticationProvider (com.avoka.fc.core.security.GroovyUserDetailsAuthenticationProvider) configured for the security manager.

This script is configured via the Security Manager's Authentication Providers tab.

Script Interface

/** Provides a Groovy script to return the AccountUserDetails for the given loggin attempt. 
    The returned SSOAuthenticationToken will then be processed by the configured AuthenticationProvider(s).

    Script parametes include:
        username : string
        authentication : <a target="_blank" href="../../javadoc/com/avoka/fc/core/security/SSOAuthenticationToken.html">SSOAuthenticationToken</a>
        authParameters: <a target="_blank" href="http://docs.oracle.com/javase/7/docs/api/java/util/Map.html">Map</a>&lt;String, String>
        portal : <a target="_blank" href="../../javadoc/com/avoka/fc/core/entity/Portal.html">Portal</a>
        securityManager : <a target="_blank" href="../../javadoc/com/avoka/fc/core/entity/SecurityManager.html">SecurityManager</a>
    
    Script return:
        the user account details : <a target="_blank" href="../../javadoc/com/avoka/fc/core/security/AccountUserDetails.html">AccountUserDetails</a>
    
    Script throws:
        <a target="_blank" href="http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/authentication/BadCredentialsException.html">BadCredentialsException</a> : if the user credentials were invalid 
        <a target="_blank" href="http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/core/userdetails/UsernameNotFoundException.html">UsernameNotFoundException</a> : if the user was not found
        <a target="_blank" href="http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/authentication/AuthenticationServiceException.html">AuthenticationServiceException</a> : if a system authentication service error occured   
        <a target="_blank" href="../../javadoc/com/avoka/fc/core/security/NotPortalAccountException.html">AccountNotActiveException</a> : if the user account is not active 
        <a target="_blank" href="../../javadoc/com/avoka/fc/core/security/NotPortalAccountException.html">NotPortalAccountException</a> : if the user account is not associated with the portal 
*/

Service Invoke Parameters

Parameters are optional except where otherwise indicated.

ParameterDescription
usernamestring
Required. The user login name, or login identifier.
authenticationSSOAuthenticationToken (com.avoka.fc.core.security.SSOAuthenticationToken)
Required. The SSO authentication token.
authParametersMap<String, String>
Required. A map of Authentication Provider configuration parameter values, keyed on parameter name.
portalPortal (com.avoka.fc.core.entity.Portal)
Required. The portal associated with the user's request.
securityManagerSecurityManager (com.avoka.fc.core.entity.SecurityManager)
Required. A SecurityManager configuration entity.

Error Handling

If an unexpected system error occurs, the script throws an AuthenticationServiceException which will be recorded in the Journey Manager database error log.

Other exceptions are used to convey authentication attempt failure information:

  • BadCredentialsException: If the user credentials are invalid.
  • UsernameNotFoundException: If the user is not found.
  • AccountNotActiveException (com.avoka.fc.core.security.AccountNotActiveException): If the user account is not active.
  • NotPortalAccountException (com.avoka.fc.core.security.NotPortalAccountException): If the user account is not associated with the portal.

Example

The script below provides an example SSO authentication provider script. It assumes the user has been successfully authenticated by a separate SSO identity management system, and a valid SSO authentication token is provided to this service.

This script performs a lookup to see if the linking SSO user account already exists in the Journey Manager database.

If the user account is found, a Spring AccountUserDetails (com.avoka.fc.core.security.AccountUserDetails) object referencing the user account record and the granted authorities (groups) from the authentication token is created. This object is then used to initialize the authenticated user session. The granted authorities can be used to enable form group access control to restricted forms by mapping provided SSO groups onto Journey Manager form groups.

If a linking SSO user account doesn't exist in the Journey Manager database, one is created using the UserService.createSsoUserAccount (com.avoka.fc.core.service.UserService) method. The returned user account object is used to initialize the AccountUserDetails object that is returned by the script.

/** Provides a Groovy script to return the AccountUserDetails for the given log-in attempt.  
    The returned SSOAuthenticationToken will then be processed by the configured AuthenticationProvider(s). 
 
    Script parametes include: 
        username : string 
        authentication : com.avoka.fc.core.security.SSOAuthenticationToken 
        portal : com.avoka.fc.core.entity.Portal 
     
    Script return: 
        the user account details : com.avoka.fc.core.security.AccountUserDetails 
     
    Script throws: 
        org.springframework.security.authentication.BadCredentialsException : if the user credentials were invalid  
        org.springframework.security.core.userdetails.UsernameNotFoundException : if the user was not found 
        org.springframework.security.authentication.AuthenticationServiceException : if a system authentication service error occured    
        com.avoka.fc.core.security.AccountNotActiveException : if the user account is not active  
        com.avoka.fc.core.security.NotPortalAccountException : if the user account is not associated with the portal  
*/ 
import com.avoka.fc.core.dao.UserAccountDao 
import com.avoka.fc.core.service.ServiceFactory 
import com.avoka.fc.core.security.AccountUserDetails 
import com.avoka.fc.core.security.AccountNotActiveException
import org.springframework.security.authentication.AuthenticationServiceException 

// Exit early if no authentication token present
if (authentication == null) {
    throw new AuthenticationServiceException("Missing authentication token")    
}

// Get get user profile information from authentication token attributes 
def attributes = authentication.getAttributes() 
         
def email = attributes["email"] 
def firstName = attributes["firstName"] 
def lastName = attributes["lastName"] 
 
def profileMap = [:] 
profileMap["Email"] = email 
profileMap["Given Name"] = firstName 
profileMap["Family Name"] = lastName 
   
// Get the users granted authorities (Journey Manager Groups) from authentication token 
def authorities = authentication.getAuthorities() 

def userService = ServiceFactory.getUserService(portal) 
 
def userAccountDao = new UserAccountDao() 
def userAccount = userAccountDao.getActiveUserAccountForLogin(username)
 
// Found user ensure not locked and update profile and portal association
if (userAccount != null) {     
    // ensure a temporary lock is cleared if needed
    userService.updateLockStatus(userAccount)

    if (!userAccount.isActive()) {
        throw new AccountNotActiveException("Account not active: ", userAccount.getAccountStatus())
    }

    if (userAccount.isEmailVerificationRequired()) {
        throw new AccountNotActiveException("Account requires email verification", "")
    }

    userService.updateActiveUserProfile(userAccount, profileMap)

    userService.addPortalForUser(userAccount, portal)

    return new AccountUserDetails(userAccount, authorities)
}
 
// User account not found, create account
def newAccount = userService.createSsoUserAccount(username, email, firstName, lastName, profileMap) 
 
return new AccountUserDetails(newAccount, authorities)