Called when the RemoteApp Launcher requests the application credentials. Can be called multiple times for the same session.
Called when the RemoteApp Launcher requests the application credentials. Can be called multiple times for the same session.
asset
Type: string |
Description: The asset /database etc./ password requested for.
connection_name
Type: string |
Description: The connection name the RemoteApp session uses. This is required if your SPS is linked to SPP.
session_id
Type: string |
Description: The unique identifier of the session.
cookie
Type: dictionary |
Description: The cookie returned by the previous hook in the session. If this is the first call for that session, it is initialized as an empty dictionary, otherwise it has the value returned by one of the previous calls in this particular custom Credential Store plugin. You can use the cookie to maintain the state for each particular connection or to transfer information between the different methods of the plugin. For an example that transfers information in the cookie between two methods, see Examples in the Creating Custom Authentication and Authorization Plugins.
session_cookie
Type: dictionary |
Description: You can use the session cookie to maintain global state between plugins for each particular connection. If this is the first call for that session, it is initialized as an empty dictionary, otherwise it has the value returned by a previous plugin hook in the session.
protocol
Type: string |
Description: The protocol name, in lowercase letters (http, ica, rdp, ssh, telnet, vnc).
client_hostname
Type: string |
Description: A string containing the hostname of the client, if DNS lookup has been successful. If not, the value of this parameter is None.
client_ip
Type: string |
Description: A string containing the IP address of the client.
gateway_username
Type: string |
gateway_password
Type: string |
gateway_groups
Type: list |
gateway_domain
string |
target_username - DEPRECATED
string |
target_host - DEPRECATED
string |
target_port - DEPRECATED
Type: int |
target_domain - DEPRECATED
Type: string |
server_username
string |
server_ip
string |
server_hostname
string |
server_port
Type: int |
server_domain
Type: string |
cookie
Type: dictionary |
Required: no |
Description: The cookie returned by the previous hook in the session. If this is the first call for that session, it is initialized as an empty dictionary, otherwise it has the value returned by one of the previous calls in this particular custom Credential Store plugin. You can use the cookie to maintain the state for each particular connection or to transfer information between the different methods of the plugin. For an example that transfers information in the cookie between two methods, see Examples in the Creating Custom Authentication and Authorization Plugins.
session_cookie
Type: dictionary |
Required: no |
Description: You can use the session cookie to maintain global state between plugins for each particular connection. If this is the first call for that session, it is initialized as an empty dictionary, otherwise it has the value returned by a previous plugin hook in the session.
passwords
Type: string list |
Required: no |
Description: If the plugin returns multiple passwords, SPS tries to use them to authenticate on the target server (in the order they are listed).
The following example shows a simple plugin that can return both passwords and private keys based on usernames:
class Plugin(object): passdb = { "user": ["password"], } privkeydb = { "user1": [('ssh-rsa', """ -----BEGIN RSA PRIVATE KEY----- ISNFNFIASNFIANSFINSDIIISLLERfEJW++SppInNHlL89wTymILaxgln7FfQ2vr6 aBHymY/+Xwf08GiuLg2hFmfLNGZlJNnF9YB4+3o7MfjPDZJR1ne8Vr9hkte/SuK2 OhZbAeWbxHLsdOv0+ZCm7h5/nEM1gj4va+uKgpShVbxqEH7RglyUDvKUgQ7KwUZE GW+RPApnXFN3OVjFdAqOpzeayH0kA52A3W/ske81JFGEHvfP54EePJx1qncJAX1z jFPllYjPlMSLujbH7sabL0+LbnZDfMxOw2NXwnaKPgVlJ7I7YQDE11NLhiWbC2f1 pTLIerTOG9lovC3caa7TaIRs8VfZLjjNXWnS5wIDAQABAoIBAB6HLgz5eXIFT+ai ISNFNFIASNFIANSFINSDIIISLLERfEJW++SppInNHlL89wTymILaxgln7FfQ2vr6 QScd2MYvJ9dIdumxbk5dK7+5I3fGHroXTRgUF6AIKI2FCsnQtDyTY1mjZ99+dGjH AjOKnIbKPuaj+Mpx3dLhlhDgi+DncGSizhOtb3jK1tq++YLoA7W/7n9av5Ybz8c0 iqF0WUwcd6KYphuL9583OPP6Gv33Br4jP729EkqXnJa8PcniX8y3ZlFcVmxOGqnL ISNFNFIASNFIANSFINSDIIISLLERfEJW++SppInNHlL89wTymILaxgln7FfQ2vr6 UumxiQECgYEA9yPcGBo/R/2IyjyKBXjYcd/1u0kYZRWvloahjNoWQjs/EHvbBMlM xmtowOHbbEg4BgymPmVR8Ux24B3XJR6SbAPMF15wJ7oD1WwG8djQSw0RrbuPgP4s OJnRpCn4blpa15n5qUF8wCwnEJow+UUaYY1znMlmAyeWjaK1VHV7tEUCgYEA8MH1 guHR+hHyZcLTT2+QTuL2Pu2MrwLhXNz5hPcCRH72dKBdfrvpRwLKj3XJKBK4r4gN hByiT2sJKCNks4LkyOlWQtd0khRuan/xkliH7a6Fcx+d5odQsZrRbrjpsUQFlnTB AFv6kSnhAtmJVDalYWfPSQCuE0nwB9TaDU6UGzsCgYAItvwA4ZQPrtIPB5l6XeuM ISNFNFIASNFIANSFINSDIIISLLERfEJW++SppInNHlL89wTymILaxgln7FfQ2vr6 QDIHNO5RiE6wTPHlv1aA/wH7lVyXGN9oU4w/9Lbs9US0y5oxLL0Abc4m2LkXYSdv ISNFNFIASNFIANSFINSDIIISLLERfEJW++SppInNHlL89wTymILaxgln7FfQ2vr6 FykNgS4dhrCG3NmpP4zQbKnS+VDQrLJ/qbSG59Ida8nIs74yanQX17EPuzqD/iJT LoahB2128G7BiEfcIpFVCgI0OqikYQkM4oOQD3sUw8ySfi/rZMxGtT34uf7398FH bBRnAoGBANRNw9oTcSh/ScLNqhB1pld81UX8jf+4+9hj9U+gpQCkujVxTs7xil8R ISNFNFIASNFIANSFINSDIIISLLERfEJW++SppInNHlL89wTymILaxgln7FfQ2vr6 31nME0D1kojABIMeW8cITVHx4PD7I8jp+3sIPRXzCr8bfTzGSOAA -----END RSA PRIVATE KEY----- """)], } def get_private_key_list(self, session_id, cookie, protocol, client_ip, gateway_username, gateway_password, target_username, target_host, target_port, target_domain=None, gateway_domain=None, gateway_groups=None): keylist = [] if target_username in self.privkeydb: keylist = self.privkeydb[target_username] print "Retrieved private keys;" print keylist else: print "User not found;" return { "private_keys": keylist, } def get_password_list(self, session_id, cookie, protocol, client_ip, gateway_username, gateway_password, target_username, target_host, target_port, target_domain=None, gateway_domain=None gateway_groups=None): pwlist = [] if target_username in self.passdb: pwlist = self.passdb[target_username] print "Retrieved passwords;" else: print "User not found;" return { "passwords": pwlist, } def authentication_completed(self, session_id, cookie): return None def session_ended(self, session_id, cookie): return None
The following example demonstrates how the predefined hooks can be enhanced with additional logic:
import inspect class Plugin(object): passdb = { "joe": ["joespw1", "joespw2", ], "jack": ["jackspw", ], } def get_password_list(self, session_id, cookie, protocol, client_ip, gateway_username, gateway_password, target_username, target_host, target_port, target_domain=None, gateway_domain=None, gateway_groups=None): # Discard "None" parameters, log all other returned parameters args = list(inspect.getargvalues(inspect.currentframe()).args) logkws = ["{arg}='{value}'".format(arg=arg, value=locals()[arg]) for arg in args if arg != 'self' and locals()[arg] is not None] if "call_count" in cookie: call_count = cookie["call_count"] else: call_count = 0 logkws.append("call_count='{0}'".format(call_count)) print ("Retrieving passwords, non-null parameters follow; " + ', '.join(logkws)) # Return the password list for the user pwlist = [] if target_username in self.passdb: pwlist = self.passdb[target_username] print "Retrieved passwords;" else: print "User not found;" return { "passwords": pwlist, "cookie": {"call_count": call_count + 1} } def authentication_completed(self, session_id, cookie): call_count = cookie["call_count"] if "call_count" in cookie else None print ("Received notification about completed authentication; " "call_count='{call_count}'").format(call_count=call_count) return None def session_ended(self, session_id, cookie): call_count = cookie["call_count"] if "call_count" in cookie else None print ("Received notification about session end; " "call_count='{call_count}'").format(call_count=call_count) return None
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Términos de uso Privacidad Cookie Preference Center