Skip to main content

Version: 24.10

SSO Get Authentication Token

note

This service type is for dynamic Groovy services only.

This service provides a script to retrieve an SSO token from a request. It is called by the Journey Manager (JM) SSOAuthenticationFilter (com.avoka.fc.core.security.SSOAuthenticationFilter) to obtain the SSOAuthenticationToken (com.avoka.fc.core.security.SSOAuthenticationToken) when an unauthenticated request attempts to access a protected resource.

This script is configured via the Security Manager SSO Auth Filter tab.

Script Interface

/** Provides a Groovy script to get an SSOAuthenticationToken from a request. 
The returned SSOAuthenticationToken will then be processed by the configured AuthenticationProvider(s).

Script parameters include:
request : <a target="_blank" href="http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html">HttpServletRequest</a>
portal : <a target="_blank" href="../../javadoc/com/avoka/fc/core/entity/Portal.html">Portal</a>
securityManager : <a target="_blank" href="../../javadoc/com/avoka/fc/core/entity/SecurityManager.html">SecurityManager</a>

Script return:
SSO auth token, or if null then other Authentication filters will be executed : <a target="_blank" href="../../javadoc/com/avoka/fc/core/security/SSOAuthenticationToken.html">SSOAuthenticationToken</a>

Script throws:
redirect exception to redirect to an external login page : <a target="_blank" href="../../javadoc/com/avoka/fc/core/servlet/RedirectException.html">RedirectException</a>
*/

Service Invoke Parameters

Parameters are optional except where otherwise indicated.

ParameterDescription
requestHttpServletRequest
Required. The HTTP request made by the user.
portalPortal (com.avoka.fc.core.entity.Portal)
Required. The portal associated with the user's request.
securityManagerSecurityManager (com.avoka.fc.core.entity.SecurityManager)
Required. A SecurityManager configuration entity.

Error Handling

This Groovy script is executed by the SSOAuthenticationFilter. If the SSO authentication token is not present in the request, the script redirects the user to the external authentication provider's login page using a RedirectException (com.avoka.fc.core.servlet.RedirectException).

If there is a different system authentication error, the script can throw an AuthenticationException. The SSOAuthenticationFilter will then clear the SecurityContextHolder and set the exception in the request attribute WebAttributes.AUTHENTICATION_EXCEPTION.

Examples

The example script below gets the HTTP session cookie IM-AUTH-TOKEN from the request. If this value is present then the user has been logged in by the SSO identity manager. If this cookie is not present, the user is redirected away to the SSO identity manager login page using a RedirectException.

In the case when the user is authenticated, the script first gets the user's login name and some user profile attributes from secure cookie values. Then, it creates an SSOAuthenticationToken with the username and profile attributes set, and returns the authentication token. This SSOAuthenticationToken is subsequently passed to the configured AbstractUserDetailsAuthenticationProvider which will perform user account creation steps, if required, and establish the login session.

Once the Spring login session has been established, this script will not need to be executed again until the user has logged out.

/** Provides a Groovy script to get an SSOAuthenticationToken from a request. 
The returned SSOAuthenticationToken will then be processed by the configured AuthenticationProvider(s).

Script parameters include:
request : javax.servlet.http.HttpServletRequest
portal : com.avoka.fc.core.entity.Portal

Script return:
SSO auth token, or if null then other Authentication filters will be executed : com.avoka.fc.core.security.SSOAuthenticationToken

Script throws:
redirect exception to redirect to an external login page : com.avoka.fc.core.servlet.RedirectException
*/
import org.apache.click.util.ClickUtils
import com.avoka.fc.core.security.SSOAuthenticationToken
import com.avoka.fc.core.servlet.RedirectException

def authToken = ClickUtils.getCookieValue(request, 'IM-AUTH-TOKEN')

if (authToken != null) {
def username = ClickUtils.getCookieValue(request, 'IM-USER-ID')

def attributes = [:]
attributes['email'] = ClickUtils.getCookieValue(request, 'IM-USER-EMAIL')
attributes['firstName'] = ClickUtils.getCookieValue(request, 'IM-USER-FIRST-NAME')
attributes['lastName'] = ClickUtils.getCookieValue(request, 'IM-USER-LAST-NAME')

return new SSOAuthenticationToken(username, attributes)

} else {
throw new RedirectException('https://login.mycorp.com/?return=forms.mycorp.com/forms/secure/account/home.htm')
}

SAML2 Based SSO - ADFS

The example script below gets the SAML Response parameter from the HTTP request (HttpServletRequest). A SAML Response is sent by an Identity Provider (like Microsoft ADFS server) to a Service Provider (JM).

The script first checks to see if there is a SAML Response. If there isn't, the browser is redirected to the Identity Provider via the RedirectException. The user is authenticated with the Identity Provider.

The Identity Provider initiates a HTTP POST from the user's browser to Journey Manager (Service Provider). The Identity Provider can directly POST the SAML Response to Journey Manager without redirecting to it first. An instance of the Saml2Parser is created, and Base64-decodes the SAML response, converting the raw response to XML. The parser then proceeds to validate and parse the response which it returns as a Saml2ParserResult.

In the case when the user has authenticated successfully, the script then returns result.ssoAuthToken which is a type of SSOAuthenticationToken (com.avoka.fc.core.security.SSOAuthenticationToken) with the username and profile attributes set and returns the authentication token. This SSOAuthenticationToken is subsequently passed to the configured AbstractUserDetailsAuthenticationProvider that performs user account creation steps, if required, and establishes the login session.

Once the Spring login session has been established, this script does not need to be executed again until the user has logged out.

/** Provides a Groovy script to get an SSOAuthenticationToken from a request. 
The returned SSOAuthenticationToken will then be processed by the configured AuthenticationProvider(s).

Script parameters include:
request : HttpServletRequest
portal : Portal
securityManager : SecurityManager

Script return:
SSO auth token, or if null then other Authentication filters will be executed : SSOAuthenticationToken

Script throws:
redirect exception to redirect to an external login page : RedirectException
*/
import com.avoka.core.groovy.SecurityLogger as logger

import com.avoka.tm.security.*
import com.avoka.fc.core.util.RedirectUtils
import com.avoka.fc.core.util.PortalUtils
import com.avoka.fc.core.entity.SecurityManager
import com.avoka.fc.core.util.RedirectUtils
import com.avoka.fc.core.servlet.RedirectException

// Stores the Entry URL into the session which is used by the Auth Ok Response Script.
if (!Saml2Parser.hasSamlToken(request)) {
logger.info "No SAML Token, Storing sessionEntryUrl and redirecting to ADFS server"
RedirectUtils.storeSessionEntryUrl(request)
return null
}

Saml2ParserResult result = new Saml2Parser()
.setValidationCertData(securityManager.getSsoValidatorCertData())
.setKeystoreData(securityManager.getSsoKeystoreData())
.setKeystorePassword(securityManager.getSsoKeystorePassword())
.setPrivateKeyAlias(securityManager.getSsoPrivateKeyAlias())
.setPrivateKeyPassword(securityManager.getSsoPrivateKeyPassword())
.setGroupAttribName("http://schemas.xmlsoap.org/claims/Group")
.skipResponseSignatureValidation()
.parse(request)

if (result.isValid) {
return result.ssoAuthToken

} else {
logger.debug result.debugLog
logger.info result.error
logger.debug result.responseRaw

logger.info "Redirecting to " + PortalUtils.getNotAuthorizedPath(portal)
throw new RedirectException(PortalUtils.getNotAuthorizedPath(portal))
}