
Chain selector

An authentication chain selector plugin either selects a chain directly, by returning a status of SERVICE_CHANGED, or narrows the set of selectable chains, by returning a status of NEED_TOKENS together with the chains that remain selectable. If only one chain is returned in the chains KVGroup, that authentication chain is executed without offering the user a selection.

Input

"" "" = {
  "can_use_response.pss" = "true"
  "cfgid" = "DEFAULT_LOGIN:1"
  "chain" = "DEFAULT_LOGIN"
  "module" = "psf"
  "cgi" "" = { # HTTP HEADER information
    ...
  }
  "chain" "" = { # Supported chains
    "<chain id>" = "1"
    "<chain id>" = "1"
    "<chain id>" = "1"
    ...
  }
  "evaluation_status" "<chain path>" = {
    "<chain id>:<sequence>" = "<status>"
  }
  "parameters" "" = { # HTTP POST information
  }
  "viewer" "user" = { # User account/profile and request attribute information
  }
}

Output

"" "" = {
  "retval" = "0" # 0 on success; non-zero on failure
  "status" = "<NEED_TOKENS|SERVICE_CHANGED>"
  "chains" "" = { # required only for NEED_TOKENS status
    "<chain id>" = "1"
    "<chain id>" = "1"
    "<chain id>" = "1"
    ...
  }
  "parameters" "" = { # required only for SERVICE_CHANGED status
    "NEW_SERVICE_NAME" = "<chain id>"
  }
}
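As an added illustration of the contract above (not code from the product or its sample scripts), the following Python models a selector that applies a constructed client-network policy: it returns SERVICE_CHANGED when exactly one chain remains, NEED_TOKENS with the pruned chain list when several remain, a non-zero retval when none does, and renders the result in the KVGroup layout. The network policy, the chain names, the REMOTE_ADDR field in the cgi group and the use of a plain dict (with the supported-chain group under "chains") are assumptions of this example.

```python
import ipaddress

# Constructed policy (not from the docs): client network -> permitted chain ids
NETWORK_POLICY = [
    (ipaddress.ip_network("10.0.0.0/8"), ["DEFAULT_LOGIN", "OTP_LOGIN"]),
    (ipaddress.ip_network("192.168.0.0/16"), ["SAML"]),
]

def select_chain(inp):
    """Derive the selector's output KVGroup (as a dict) from its input dict;
    inp["chains"] models the supported-chain group, REMOTE_ADDR is assumed."""
    supported = [c for c, flag in inp.get("chains", {}).items() if flag == "1"]
    allowed = supported
    try:
        client = ipaddress.ip_address(inp.get("cgi", {}).get("REMOTE_ADDR", ""))
    except ValueError:
        client = None  # no usable address: every supported chain stays selectable
    for net, chains in NETWORK_POLICY:
        if client is not None and client in net:
            allowed = [c for c in supported if c in chains]
            break
    if not allowed:
        return {"retval": "1", "errmsg": "no chain permitted for client network"}
    if len(allowed) == 1:
        # One candidate: switch service directly, the user sees no selection
        return {"retval": "0", "status": "SERVICE_CHANGED",
                "parameters": {"NEW_SERVICE_NAME": allowed[0]}}
    # Several candidates: prune the selectable list and let the user choose
    return {"retval": "0", "status": "NEED_TOKENS",
            "chains": {c: "1" for c in allowed}}

def to_kvgroup(name, group, indent=0):
    """Render a nested dict in the KVGroup text layout shown on this page."""
    pad = "  " * indent
    lines = ['%s"%s" "" = {' % (pad, name)]
    for key, value in group.items():
        if isinstance(value, dict):
            lines.append(to_kvgroup(key, value, indent + 1))
        else:
            lines.append('%s  "%s" = "%s"' % (pad, key, value))
    lines.append(pad + "}")
    return "\n".join(lines)

# Constructed input mirroring the Input KVGroup above (scalar "chain" omitted)
SAMPLE_INPUT = {"module": "psf",
                "chains": {"DEFAULT_LOGIN": "1", "SAML": "1", "OTP_LOGIN": "1"},
                "cgi": {"REMOTE_ADDR": "10.20.30.40", "REQUEST_METHOD": "POST"}}
if __name__ == "__main__":
    print(to_kvgroup("", select_chain(SAMPLE_INPUT)))
```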

chainselect

The chainselect.psl sample script, found in the samples directory, provides a simple demonstration of an authentication chain selector plugin. The script implements IP-based chain selection logic.

authselect

You can write a plugin to automatically choose an authentication method, allowing users to log in using a pre-defined authentication chain.

A sample PSLang script for performing this configuration (authselect.psl) can be found in the samples directory. The plugin and associated m4 file demonstrate how a chain selector plugin can be used to enable a single-page sign-on configuration.

To configure Bravura Security Fabric to automatically choose an authentication method:

  1. Ensure the DEFAULT_LOGIN authentication chain is enabled and has Use PSFEXT_VALUES selected as an Available chain.

  2. Copy authselect.psl from the samples directory to the plugin directory.

  3. Copy or append the contents of samples\authselect.m4 to design\custom\authchain.m4.

  4. Generate and install a new set of skins (for English, run make default en-us followed by make install default en-us).

  5. Disable the DEFAULT_LOGIN authentication chain so that you can configure it.

  6. Configure the DEFAULT_LOGIN authentication chain by setting Run this plugin to automatically select a sub-chain to authselect.psl.

    The script is configured to use the internal password.pss module.

  7. Re-enable the DEFAULT_LOGIN authentication chain.

fedidp-cs

The fedidp-cs.exe chain selector selects authentication chains for SAML federated authentication requests based on the contents of the sp_authchain table, and is used by the Scenario.hid_saml_idp component.

Input

"" "" = {
  "module" = "psf"
  "chain" = "SAML"
  "cfgid" = "SAML:1"
  "evaluation_status" "\$INTERNAL\\DEFAULT_LOGIN\\SAML\\" = {
    "SAML:1" = "UNKNOWN"
    "SAML:2" = "UNKNOWN"
  }
  "can_use_response.pss" = "false"
  "viewer" "user" = {
    "id" = # User ID
    "name" = # User name
    "acl" "" = { # User ACL information
      ...
    }
  }
  "cgi" "" = { # HTTP HEADER information.
    # HTTP_REFERER may or may not include SAMLRequest and RelayState parameters.
    "HTTP_REFERER" = "https://<server>/<instance>/sso/psf.exe?baseurl=/<instance>/sso&SAMLRequest=<Request data>&RelayState=<State data>"
    "REQUEST_METHOD" = "POST"
  }
  "parameters" "" = {
    "HOSTID" = "PSYNCH"
    "IDENT_HOSTID" = "PSYNCH"
    "LANG" = "en-US"
    "NEW_SERVICE_NAME" = # Auth chain calling this selector
    "SETTABLEFIELDSCOOKIE" = ""
    "SETTABLEFIELDSDB" = ""
    "SKIN" = "default"
    "SUBMIT-TOKENS.x" = "Continue"
    "TRANSACTION" = "C_AUTHCHAIN_LOGIN"
    "USER_IDENT" = # User ID
  }
  "SESSDATA" "" = { # Session data information, including:
    "NEW_SERVICE_NAME" = # Auth chain calling this selector
    "SAML_ISSUER" = # The SP that issued the request
    "SAML_RELAY_STATE" = # Request state data
    "SAML_REQUEST" = # XML request data
  }
  "chains" "" = { # Supported chains
  }
  "sessionid" = # Session ID
}

Output

"" "" = { 
  "errmsg" = "" 
  "retval" = "0" 
  "status" = "SERVICE_CHANGED" # If status = SERVICE_CONTINUE, then no chains are returned, and the user continues with the chain that called this plugin. 
  "parameters" "" = { 
    "NEW_SERVICE_NAME" = # Chains available to the user 
  } 
}