Login options
The following identification and authentication options can be accessed via Manage the system > Policies > Login options.
Identifying users with profile attributes instead of login IDs
You can use the AUTH IDENTITY ATTRIBUTES setting (Manage the system > Policies > Login options) to define a comma-delimited list of profile attributes that can be used to log in to Bravura Security Fabric. A profile attribute can be set as a secondary identifier that is treated the same as a normal login ID. When configured, users can log in using either their profile ID or a profile attribute, such as an email address. If multiple users share the same profile attribute value, Bravura Security Fabric prompts the user to select their user profile from a list.
The demonstration of adding an employee number as an accepted login ID includes the following steps:
1. Create an EMPLOYEE-NUMBER profile and request attribute.
2. Map the EMPLOYEE-NUMBER profile and request attribute to the AD employeeNumber account attribute.
3. Run auto discovery to apply the override on the account attribute action and populate the EMPLOYEE-NUMBER profile attribute.
4. Confirm the attribute has been mapped by running a Profiles report.
5. Allow the EMPLOYEE-NUMBER profile attribute to be treated as a login ID.
6. Test the configuration by logging in an employee using their Profile ID and then their employee number.
Redirecting users on logout
The Bravura Security Fabric front-end includes a plugin architecture. You can use a plugin defined by the LOGOUT REDIRECT PLUGIN setting to redirect users when they log out of Bravura Security Fabric. This is useful if you want to pass parameters that are used for the user's subsequent login to Bravura Security Fabric.
To configure the logout redirection plugin to run every time a user logs out:
1. Click Manage the system > Policies > Login options.
2. Type the name of the plugin in LOGOUT REDIRECT PLUGIN.
3. Click Update.
The logouturl.psl sample script, found in the samples directory, provides a simple demonstration of a logout redirection plugin. After logging out, the plugin passes the user’s ID. Depending on whether the user is a superuser or not, the next login will take the user to the PSA or PSF module.
Requirements
This plugin is run on the Bravura Security Fabric server. See Writing plugins for general requirements.
Execution points
When configured, the plugin is run when a user attempts to log out from any Bravura Security Fabric module.
Input
The input includes:
- The address of the instance
- The name of the CGI module from which the user logs out
- The encoded error message which causes the logout
- The current session ID of the user
- The profile ID of the end user who is logging out

The input is passed as plain text, in KVGroup format.
For example, if the logout was done by superuser from the following URL:
https://mercury/default/manage_the_system
the plugin would receive input in the format:

```
"" "" = {
  "address" = "https://mercury/default"
  "module" = "psa"
  "sessionid" = "S6542aa5d-ab83-422a-bda4-870a5376dd15"
  "userid" = "superuser"
}
```
Output
The output includes:
- The address to which a user will be redirected
- Parameters to be appended to the end of the redirect address. For instance, this may be the <userID> parameter.

For example, if the logout was done by superuser from the following URL:
https://mercury/default/manage_the_system
the following would be an expected output from a logout redirection plugin:

```
"" "" = {
  "redirect_url" = "https://mercury/default/cgi/psa.exe"
  "parameters" "" = {
    "USERID" = "superuser"
  }
  "retval" = "0"
}
```
Caution
The input address and output address must have identical base addresses. The plugin cannot be used to redirect between a URL containing a DNS name and a URL containing an IP address even if they are equivalent, since most browsers prevent this as a security measure.
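A test harness for the requirement above, as an added example that is not part of the product or its samples directory: it parses the KVGroup subset shown on this page and checks that a plugin's `redirect_url` stays on the instance named in the input `address`. The function names, the reading of "base address" as scheme, host, port and instance path, and the treatment of `retval` `"0"` as success are assumptions.

```python
import re
from urllib.parse import urlsplit

# Quoted strings (group 1) or the structural symbols = { } (group 2).
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([={}])')

# Samples from the page; BAD_OUTPUT is constructed (made-up IP for the same server).
SAMPLE_INPUT = '''"" "" = { "address" = "https://mercury/default" "module" = "psa"
  "sessionid" = "S6542aa5d-ab83-422a-bda4-870a5376dd15" "userid" = "superuser" }'''
SAMPLE_OUTPUT = '''"" "" = { "redirect_url" = "https://mercury/default/cgi/psa.exe"
  "parameters" "" = { "USERID" = "superuser" } "retval" = "0" }'''
BAD_OUTPUT = SAMPLE_OUTPUT.replace("https://mercury", "https://10.0.0.5")

def _group(tokens, pos):
    """Parse entries up to the closing brace; return (dict, next position)."""
    group = {}
    while tokens[pos] != ("sym", "}"):
        key = tokens[pos][1]
        if tokens[pos + 1] == ("sym", "="):      # "key" = "value"
            group[key] = tokens[pos + 2][1]
            pos += 3
        else:                                    # "name" "type" = { ... }
            group[key], pos = _group(tokens, pos + 4)
    return group, pos + 1

def parse_kvgroup(text):
    """Parse the KVGroup subset shown on this page into nested dicts."""
    tokens = [("sym", m.group(2)) if m.group(2) else ("str", m.group(1))
              for m in TOKEN.finditer(text)]
    try:
        return _group(tokens + [("sym", "}")], 0)[0][""]
    except (IndexError, KeyError):
        raise ValueError("malformed KVGroup") from None

def redirect_allowed(plugin_input, plugin_output):
    """True if the plugin's redirect stays on the instance it was called from."""
    inp, out = parse_kvgroup(plugin_input), parse_kvgroup(plugin_output)
    if out.get("retval") != "0":                 # assumption: "0" means success
        return False
    src, dst = urlsplit(inp["address"]), urlsplit(out["redirect_url"])
    same_origin = (src.scheme, src.hostname, src.port) == (dst.scheme, dst.hostname, dst.port)
    # Assumption: "base address" = scheme, host, port and the instance path prefix.
    under_instance = dst.path.startswith(src.path.rstrip("/") + "/")
    return same_origin and under_instance and ".." not in dst.path.split("/")

if __name__ == "__main__":
    print(redirect_allowed(SAMPLE_INPUT, SAMPLE_OUTPUT))  # the page's own pair
    print(redirect_allowed(SAMPLE_INPUT, BAD_OUTPUT))     # DNS name vs IP address
```

Running a plugin's real output through a check like this before deployment catches redirects that leave the instance, including the DNS-name-versus-IP mismatch described in the caution.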
Login events (exit traps)
Login events
The following identification and authentication events apply to all modules and can be accessed from the Configure event (ITSM) module or Manage the system > Policies > Login options:
Option | Description |
---|---|
USER IDENTIFY SUCCESS | A user is successfully identified by Bravura Security Fabric. |
USER IDENTIFY FAILURE | A user could not be identified by Bravura Security Fabric. |
FEDIDP IDENTIFY SUCCESS | A federated login attempt had its SAML request successfully parsed by Bravura Security Fabric. |
FEDIDP IDENTIFY FAILURE | A federated login attempt SAML request could not be parsed by Bravura Security Fabric. |
AUTH MODULE FAILURE | A user fails authentication for a module configured as part of an authentication chain. |
AUTH CHAIN SUCCESS | An authentication chain step successfully authenticates a user. |
AUTH CHAIN FAILURE | A user fails an authentication chain step. |
USER LOGIN CHANGED | The user was successfully changed to another profile via an authentication chain. |
IDAPI LOGIN FAILURE | A script fails to authenticate via API Service ( |
IDAPI LOGIN SUCCESS | A script successfully authenticates via API Service. |
USER LOGIN SUCCESS | A user is successfully authenticated by Bravura Security Fabric. |
USER LOGIN FAILURE | A user fails authentication. |
USER LOGIN LOCKOUT | Too many invalid login attempts to the end module cause the account to be locked out. |
FEDIDP AUTH SUCCESS | A user attempting federated login was successfully authenticated, and the outgoing SAML assertion was successfully signed and issued. |
FEDIDP AUTH FAILURE | A user attempting federated login was successfully authenticated, but the outgoing SAML assertion could not be signed and issued. |
FEDIDP SSO SESSION CREATE | A single sign-on session was successfully initiated as part of a federated login. |
FEDIDP SSO SESSION DESTROY | A single sign-on session was successfully terminated. |
FEDSP SAMLAUTH ISSUED | A SAML authentication request has been submitted by Bravura Security Fabric to an external identity provider. |
FEDSP SAMLAUTH ASR SUCCESS | A SAML assertion from a trusted identity provider was successfully received and parsed. |
FEDSP SAMLAUTH ASR FAILURE | A SAML assertion from a trusted identity provider could not be parsed. |
See Event Actions for more information about event configuration.