
I am getting an SSO token from the client; in it, it has the user name and which groups the user belongs to. Since the groups the user belongs to could change quite frequently, I would like to

  1. Upon receiving the SSO token, first check if the user exists. If the user does not exist, then create the user and add the user to all the groups.
  2. If the user does exist, then update the groups the user belongs to.

My question is, how do I do point 2? Are there some examples of which method I can call?

  1. Ben Warner

    Are you using the Fluent SDK?

  2. Mike Chen

    Yes, Fluent, but at the client site I don't get to install the SDK, so I have to code in the browser.

  3. Jim Basey

    Hi Mike,

    Do you really need to lazy create the user? I believe you can assign group access dynamically in a session once you have verified the SSO credentials and checked what groups the user needs to be in (I believe we are talking ADFS Claims here).

  4. Mike Chen

    Currently in the security manager template, it will create a user, because the Groovy Authentication Provider script returns an AccountUserDetail object, and it needs a UserAccount as part of its constructor. So I have to create a UserAccount based on the SSO credentials.

    If there are better ways of doing it, please tell me.


3 answers

  1.  

    Not sure how others have addressed this... but I found that there were some groups that were managed in TM, so removing the user from all groups and re-adding them based on the SSO token caused the user to be removed from some TM groups.

    I had a manageable set of groups which were managed by SSO, so I included them in a service parameter (JSON) for the Security Manager and only removed the user from those groups.

    { "ssoGroups" : ["FUT1", "FUT2"] }

        import groovy.json.JsonSlurper

        GroupDao groupDao = DaoFactory.getGroupDao()

        // Process sso groups - remove user from all sso groups listed in the
        // ssoGroups service parameter, leaving TM-managed groups untouched.
        List<String> svcSsoGroups = (new JsonSlurper().parseText(ssoGroups) as Map<String, Object>).ssoGroups as ArrayList<String>
        if (svcSsoGroups) {
            svcSsoGroups.each { String g ->
                Group eGroup = groupDao.getGroupForName(g)
                // Only remove when the named group actually exists (the original
                // tested the name string g, which is always truthy here).
                if (eGroup) {
                    userService.removeUserFromGroup(userAccount, eGroup)
                }
            }
            userService.commitChanges()
        }


    Then did a look-up for each group from the token and added them...

        // lookup group, if valid then add user to group
        Group group = groupDao.getGroupForName(svcGroupName)
        if (group != null) {
            userService.addUserToGroup(userAccount, group)
            userService.commitChanges()
        }

    
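    The reconciliation this answer describes, modelled as an added Python example (not code from the thread or from the Security Manager API): it reads the same ssoGroups service parameter, removes the user only from SSO-managed groups, and goes one step further by also restricting additions to that allow-list. It assumes the user's current memberships can be read; the group names and the token are constructed for illustration.

```python
import json

# Constructed sample of the Security Manager service parameter from the answer.
SSO_GROUPS_PARAM = '{ "ssoGroups" : ["FUT1", "FUT2", "FUT3"] }'


def load_sso_groups(param):
    """Parse the ssoGroups service parameter. An empty or missing list means
    SSO manages no groups, so the sync removes nothing."""
    data = json.loads(param)
    return set(data.get("ssoGroups") or [])


def plan_group_sync(token_groups, current_groups, sso_managed, existing_groups):
    """Work out the membership changes for one login.

    token_groups    - group names carried in the SSO token (claims)
    current_groups  - groups the user is in right now (assumed readable)
    sso_managed     - the allow-list from the ssoGroups service parameter
    existing_groups - group names defined in the application

    Only SSO-managed groups are ever removed, so groups administered in TM are
    left alone. Additions are also limited to SSO-managed groups, which is
    tighter than the answer's code (that adds any existing group named in the
    token): a token cannot then grant membership in a TM-administered group.
    Managed names in the token that do not exist are reported, not created.
    """
    token = set(token_groups)
    current = set(current_groups)
    existing = set(existing_groups)
    managed_in_token = token & sso_managed
    return {
        "remove": sorted((current & sso_managed) - token),
        "add": sorted((managed_in_token & existing) - current),
        "unknown": sorted(managed_in_token - existing),
    }


if __name__ == "__main__":
    plan = plan_group_sync(
        token_groups=["FUT2", "FUT3", "TM_ADMINS"],      # constructed token claims
        current_groups=["FUT1", "TM_ADMINS"],             # constructed current membership
        sso_managed=load_sso_groups(SSO_GROUPS_PARAM),
        existing_groups=["FUT1", "FUT2", "TM_ADMINS"],    # FUT3 is not defined
    )
    print(plan)  # {'remove': ['FUT1'], 'add': ['FUT2'], 'unknown': ['FUT3']}
```

    TM_ADMINS appears in both the token and the current membership but is not SSO-managed, so it is neither removed nor added; each real remove/add would then be one removeUserFromGroup/addUserToGroup call followed by commitChanges().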
  2.  

      Hi Mike,

      This is how I've done it before.


      • Write some code in 'Authentication Provider' for the Security Manager which does the SSO. Authentication Provider will run after a successful authentication sequence is executed in Security Manager's 'SSO Auth OK Response' code.
      • In 'Authentication Provider' logic you will get access to the user and its attributes. Create/Activate the user here first.
      • Then you should remove all the roles and apply the new set of roles. This will make sure that old roles are removed. Add the new set of roles thereafter.
      // Drop the user's current role first, then assign the mapped role (if one exists).
      user = new UserBuilder(STAFF_PORTAL)
          .setLoginName(loginName)
          .removeRoleName(currentRole.toString())
          .createOrUpdate()

      String newRole = getGroupNameForRole(currentRole?.toString())
      if (newRole) {
          user = new UserBuilder(STAFF_PORTAL)
              .setLoginName(loginName)
              .addRoleName(newRole)   // was addRoleName(currentRoleName), which is undefined; newRole is the mapped role computed above
              .addOrgName(ORG_NAME)
              .createOrUpdate()
      }



      1. Unknown User (ppandya)

        Hi Mike,

        Please note that my above code is for Role mapping but similar applies to group membership if you wanted to do it.

  3.  

      Hi Mike


      Please take a look at UserBuilder class - addGroupName() and createOrUpdate() capabilities.


      Regards
      Rado

