Skip to main content

Version: 23.10

SSO Revalidation

note

This service type is for dynamic Groovy services only.

SSO revalidation enables the creation of a script that can trigger the SSO process to authenticate the user (again). If the script returns true, the SSO Authentication scripts are run again (the Get SSO Auth script is executed, and the authentication provider runs); otherwise, the user's current login session is used.

danger

The SSO Revalidation configuration is available for the Microsoft ADFS and OAuth2 SSO Security Manager templates only.

The SSO Revalidation script is enabled by selecting Enable SSO Filter and Enable SSO Revalidation on the Security Manager tab for a Security Manager. Selecting these options makes the SSO Revalidation tab visible, where the script can be modified.

Where the execution path returns true, the script should logout from the spring security context. This will invalidate the current session. You may be required to copy the session attribute from the existing session; logout, then write them to the new session.

This is how to logout from the spring security context:

SecurityContextLogoutHandler securityContextLogoutHandler = new SecurityContextLogoutHandler();
securityContextLogoutHandler.logout(request, null, null);

The intent of this script is to look at changes in the request headers which can trigger the re-authentication process. For example:

  • Checking the "referer" header: revalidate if this is not coming from a Journey Manager Form Space or Federated Endpoint.
  • Checking if a header that holds the user login name against the currentUserAuthentication.getUsername().

This Groovy script is executed by the SSOAuthenticationFilter.

Script Interface

/* A Groovy script to determine whether the requests session requires revalidation.

   Script parameters include: 
       request : <a target="_blank" href="http://docs.oracle.com/javaee/7/api/javax/servlet/http/HttpServletRequest.html">HttpServletRequest</a>
       currentUserAuthentication : <a target="_blank" href="http://static.springsource.org/spring-security/site/docs/3.1.x/apidocs/org/springframework/security/core/Authentication.html">Authentication</a>
       portal : <a target="_blank" href="../../javadoc/com/avoka/fc/core/entity/Portal.html">Portal</a>
       securityManager : <a target="_blank" href="../../javadoc/com/avoka/fc/core/entity/SecurityManager.html">SecurityManager</a>
    
   Script return:
       true is revalidation is required, otherwise false. NOTE: script must return a boolean result.
*/

Service Invoke Parameters

Parameters are optional except where otherwise indicated.

ParameterDescription
requestHttpServletRequest
Required. A HTTP servlet request.
currentUserAuthenticationAuthentication
Required. The current users SpringSecurity authentication token.
portalPortal
Required. The portal associated with the user's request.
securityManagerSecurityManager
Required. A SecurityManager configuration entity.

Error Handling

This script should generally not throw any errors. It should simply return true if re-authentication is required, otherwise false. Any errors thrown are logged to the Journey Manager Error Log table by the SSOAuthenticationFilter.

Examples

The example script below requires re-authentication if the referer header has changed. This can be useful in the scenario where a user opening a new form on a client's web site should be re-authenticated to ensure we have their latest profile information for form prefill.

/* A Groovy script to determine whether the requests session requires revalidation.

   Script parameters include: 
       request : javax.servlet.http.HttpServletRequest
       currentUserAuthentication : org.springframework.security.core.Authentication
       portal : com.avoka.fc.core.entity.Portal
       securityManager : com.avoka.fc.core.entity.SecurityManager
    
   Script return:
       true is revalidation is required, otherwise false
*/
import com.avoka.core.groovy.GroovyLogger as logger
import org.apache.commons.lang3.StringUtils
import com.avoka.fc.core.service.EventLogService

EventLogService eventLogService = new EventLogService()

def logEvent = { msg ->
    if (false) {
      eventLogService.logInfoEvent("SSO Revalidation Script: " + msg, request)
    }
}

def msg = ""

String referer = request.getHeader("referer")

if (StringUtils.isBlank(referer) || StringUtils.isBlank(portal.getContextPath())){
  msg += "\n either referer or portal context path is blank. Revalidate=false"
  logEvent(msg)
  return false
}

if( referer.toLowerCase().startsWith(portal.getContextPath().toLowerCase())) {
  msg += "\n referer is from the portal. Revalidate=false"
  logEvent(msg)
  return false
}

if( referer.toLowerCase().startsWith("https://{adfs server domain name}/adfs")) {
  msg += "\n referer is from the federated endpoint. Revalidate=false"
  logEvent(msg)
  return false
}

msg += "\n referer is from a separate URL. Logging out spring security context. Revalidate=true"

logEvent(msg)

return true