IdmGetUserByCredentialState
This AuthState is an authenticating AuthState ).
This plug-in is basically a mapping between an external token/ID and a nevisIDM user. The state assumes that there is only a single user with the token. If more than one user is found, an exception occurs.
If we want to look up the user by SAML federation credential, all SAML federation-specific attributes are mandatory. In this case, do not set the credential value.
| Topic | Description |
|---|---|
| Class | ch.nevis.idm.authstate.IdmGetUserByCredentialState |
| Logging | IdmAuth |
| Auditing | None |
| Marker | NevisIDM:extern |
| Properties | credential.type (string, -) Define credential type (EL supported). |
| credential.value (string, "${inargs:credentialValue}") Define credential value. | |
| credential.saml.issuerNameId (string, -) Define SAML federation issuer name ID. | |
| credential.saml.subjectNameId (string, -) Define SAML federation subject name ID. | |
| credential.saml.issuerNameIdFormat (string, -) Define URI of the SAML federation issuer name ID format | |
| credential.saml.subjectNameIdFormat (string, -) Define URI of the SAML federation subject name ID format | |
| client.name (defined in the chapter "Default input properties") | |
| updateLoginInformation (boolean, false) Setting this parameter to true causes a success update (increments login success count, sets the last login date to current date) on the found credential. | |
| Methods | process (all events) |
| Input | None |
| Transitions | ok: one existing user is found successfully. |
| failed: Mapping the credential type and value to the user failed, or the found user is not active. This is also the case if the credential is not active. | |
| clientNotFound: User uses an unsupported client ID or the "default" client ID (see input above) is not available. | |
| Output | None |
| Errors | 1: Login failed. GUI descriptor:AuthErrorDialog is generated. |
| Notes | None |
Example
<AuthState name="IdmGetUserByCredentialState" final="false"
class="ch.nevis.idm.authstate.IdmGetUserByCredentialState">
<ResultCond name="ok" next="AuthDone"/>
<Response value="AUTH_ERROR">
<Gui name="AuthErrorDialog"/>
</Response>
<propertyRef name="IdmCertificateLogin"/>
<property name="credential.type" value="KERBEROS" />
<property name="credential.value" value="KRB_ID" />
<property name="updateLoginInformation" value="true" />
</AuthState>