IdmGetPropertiesState
This AuthState is a processing AuthState.
This plug-in is used as post-processing after other nevisIDM login steps to retrieve the user's profile information and roles from nevisIDM and return them as delegation and security role information to the caller (access proxy).
Topic | Description
---|---
Class | ch.nevis.idm.authstate.IdmGetPropertiesState
Logging | IdmAuth
Auditing | None
Marker | NevisIDM:selection
Properties | user.attributes (string, -) Comma-separated list of user attributes to fetch, where attributes can be (sorted by required user detail level):
 | user.properties (string, -) Comma-separated list of user properties (scope onUserGlobal) to fetch. The property name must be exactly as defined in nevisIDM; otherwise the property value is never written into the session. The required minimum detail levels for properties are detaillevel.user MEDIUM and detaillevel.property MEDIUM.
 | user.cred.<credentialtype>.<attributename> (boolean, -) Defines which credential attributes to fetch. The following attributes are supported: value, state, extId, validFrom, validTo, lastLogin, name, policyName. The following credential types are supported: password, securid_account, ticket, safeword_account, otp, temp_string_password, kerberos, mtan, mobile_signature, saml_federation.
 | user.cred.certificateN.<attributename> (boolean, -) Defines which certificate attribute to fetch, where N is the number of the certificate (1, 2, …). The attribute name can be: value, state, extId, validFrom, validTo, lastLogin, name.
 | user.cred.genericN.<attributename> (boolean, -) Defines which generic credential attribute to fetch, where N is the number of the generic credential (1, 2, …). The attribute name can be: value, state, extId, validFrom, validTo.
 | user.cred.context_passwordN.<attributename> (boolean, -) Defines which context password credential attribute to fetch, where N is the number of the context password (1, 2, …). The attribute name can be: context, value, state, extId, validFrom, validTo.
 | user.cred.mobile_signature.<attributename> (boolean, -) Defines which mobile signature credential attribute to fetch, where the attribute name can be: msspIdentifier, identificator, signerCert.
 | user.cred.saml_federationN.<attributename> (boolean, -) Defines which SAML federation credential attribute to fetch, where N is the number of the SAML federation credential (1, 2, …). The attribute name can be: issuerNameId, subjectNameId, issuerNameIdFormat, subjectNameIdFormat, value, state, extId, validFrom, validTo.
 | unit.attributes (string, -) Comma-separated list of unit attributes to fetch, where attributes can be (sorted by required unit detail level):
 | unit.properties (string, -) Comma-separated list of unit properties (scope onUnitGlobal) to fetch. The property name must be exactly as defined in nevisIDM; otherwise the property value is never written into the session. The required minimum detail levels for properties are detaillevel.unit MEDIUM and detaillevel.property MEDIUM.
 | chooseProfileFromSession (string, "ch.adnovum.nevisidm.profileId") Session key from which the profile ID is read. If that key is not set, the ID is extracted from the inArgs with the key ch.nevis.idm.auth.chosenProfileId.
 | applRoleGlobalPostfix (string, "") Used for backward compatibility by modifying global roles.
 | forceDataReload (boolean, false) If set to "true", IdmGetPropertiesState reloads the complete user object, including its sub-objects, from nevisIDM before writing user data into the session.
 | chooseDefaultProfile (boolean, false) If set to "true", IdmGetPropertiesState automatically chooses the user's default profile instead of showing the profile selection GUI.
 | detaillevel.{*}: as specified in the chapter "Transitions shared among all nevisIDM AuthStates".
Properties impersonation | If any of the impersonated properties is set, IdmGetPropertiesState operates in "impersonation mode". The current user on the session is the impersonator, who acts on behalf of the impersonated user. After this state, the impersonated user is the one logged in on the current session. Impersonation mode forces forceDataReload to be true. See the nevisIDM reference guide for the specification of technical users and role impersonation. Impersonated properties:
Input | None
Transitions | ok: Profile extracted; transition to AuthDone expected.
 | default: No user authenticated; profile extraction is skipped.
 | clientNotFound: The user uses an unsupported client ID, or the "default" client ID (see input above) is not available.
 | showGui: The profile could not be extracted because the user has multiple active profiles and neither chooseProfileFromSession nor chooseDefaultProfile is set. A dialog to select a profile is therefore shown.
Output | ch.adnovum.nevisidm.userDto: Updated if IdmGetPropertiesState has to retrieve the data from nevisIDM again. Possible reasons for re-retrieval: property "forceDataReload=true", the impersonation use case, or IdmGetPropertiesState detecting that the DTO data currently in the session was retrieved with a detail level lower than the one it requires to set all configured entity attributes and properties in the session.
 | ch.adnovum.nevisidm.clientName: Mandator name of the user.
 | ch.adnovum.nevisidm.clientId: Unique identifier of the client.
 | ch.adnovum.nevisidm.profileName: Account name of the user.
 | ch.adnovum.nevisidm.profileId: Unique identifier of the profile.
 | ch.adnovum.nevisidm.profileDeputedId: Unique identifier of the deputed profile if the actual profile is a deputy profile (not set if the profile is not a deputy profile).
 | The following profile properties are written to the session:
 | property.<application>.{*}: All the user's custom application delegation properties are returned here.
 | property.<role>.{*}: All the user's custom role delegation properties are returned here.
 | The following key/value pairs are set in the session depending on which attribute has been selected in the config. If the following config is set:
 | Properties that are only set if IdmGetPropertiesState operates in impersonation mode:
Errors | None
Notes | None
Example
```xml
<AuthState name="IdmPostProcessing" final="false"
           class="ch.nevis.idm.authstate.IdmGetPropertiesState">
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="showGui" next="IdmPostProcessing"/>
    <ResultCond name="SOAP:showGui" next="AuthDone"/>
    <ResultCond name="default" next="AuthDone"/>
    <Response value="AUTH_CONTINUE">
        <Gui name="AuthProfileSelectionDialog">
            <GuiElem name="lasterror" type="error"
                     label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
    </Response>
    <propertyRef name="IdmCertificateLogin"/>
</AuthState>
```
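The following configuration is an added example, not taken from the nevisAuth documentation or product, showing how the fetch properties from the table above are combined with the transitions. The property names and the detail-level values are the ones listed in the table; the `<property name="..." value="..."/>` element syntax, the AuthState name IdmPostProcessingWithProps, the target state AuthError for clientNotFound, and the nevisIDM property name company_department (a placeholder for a property defined in your own nevisIDM instance) are assumptions.

```xml
<!-- Added example (not from the nevisAuth docs). Assumed: the <property name/value>
     element syntax, the state names IdmPostProcessingWithProps and AuthError, and the
     nevisIDM property name "company_department" (placeholder). -->
<AuthState name="IdmPostProcessingWithProps" final="false"
           class="ch.nevis.idm.authstate.IdmGetPropertiesState">
    <!-- One ResultCond per transition documented in the table. -->
    <ResultCond name="ok" next="AuthDone"/>
    <ResultCond name="showGui" next="IdmPostProcessingWithProps"/>
    <ResultCond name="SOAP:showGui" next="AuthDone"/>
    <ResultCond name="default" next="AuthDone"/>
    <ResultCond name="clientNotFound" next="AuthError"/>
    <Response value="AUTH_CONTINUE">
        <Gui name="AuthProfileSelectionDialog">
            <GuiElem name="lasterror" type="error"
                     label="${notes:lasterrorinfo}" value="${notes:lasterror}"/>
        </Gui>
    </Response>

    <!-- Choose the user's default profile instead of showing the selection GUI
         (chooseDefaultProfile in the table); the GUI block above stays in place
         for the showGui transition. -->
    <property name="chooseDefaultProfile" value="true"/>

    <!-- Reload the full user object from nevisIDM before writing user data into
         the session, so a profile or role changed since an earlier login step is
         not carried over from a stale DTO. -->
    <property name="forceDataReload" value="true"/>

    <!-- user.properties: the name must match the nevisIDM definition exactly;
         otherwise the value is silently never written into the session.
         "company_department" is a placeholder, not a real nevisIDM property. -->
    <property name="user.properties" value="company_department"/>

    <!-- user.properties requires at least MEDIUM detail for user and property. -->
    <property name="detaillevel.user" value="MEDIUM"/>
    <property name="detaillevel.property" value="MEDIUM"/>

    <!-- Credential attributes (user.cred.<credentialtype>.<attributename>):
         fetch only what the application needs, because everything fetched is
         written into the session. lastLogin and validTo support expiry warnings
         and risk decisions without pulling the credential value itself. -->
    <property name="user.cred.password.lastLogin" value="true"/>
    <property name="user.cred.password.validTo" value="true"/>
    <property name="user.cred.certificate1.validTo" value="true"/>
</AuthState>
```

When a property configured in user.properties does not show up in the session, the first things to check against the table are the exact spelling of the property name in nevisIDM and whether detaillevel.user and detaillevel.property are at least MEDIUM; both failures are silent.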