Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 6.4.0 - Creating custom Authentication and Authorization plugins

Examples

The following example checks if the user has entered the string good as the token number. If the value of the token number is anything other than good, the plugin displays a prompt to the user up to three times. After three unsuccessful attempts, the plugin terminates the connection.

Example
def authenticate(self, key_value_pairs, cookie):
    if key_value_pairs.get('token') == "good":
        return {'verdict': 'ACCEPT'}

    cookie['cnt'] = cookie.get('cnt', 0) + 1
    if cookie['cnt'] > 3:
        return {'verdict': 'DENY'}

    return {'verdict': 'NEEDINFO',
            'question': ('token', 'Enter token number: '),
            'cookie': cookie
    }

The following example shows how to use the cookie to transfer data from the authenticate method to the session_ended method.

Example
import sys


class Plugin(object):

    def authenticate(self, session_id, cookie, protocol, 
    connection_name, client_ip, client_port, key_value_pairs):
        token = key_value_pairs.pop('token', None)

    # Accept the connection if the user provides a token number
    if token:
        # Write code here that validates the token number and 
        retrieves the username and usergroups of the user
        # We add the client_ip to the 'cookie' so it will be 
        available in the session_ended method as well
        return {
            'verdict': 'ACCEPT',
            'gateway_user': 'username-received-from-third-party',
            'gateway_groups': [
                'usergroup1-received-from-third-party',
                'usergroup2-received-from-third-party'],
            'additional_metadata': token,
            'cookie': {'client_ip': client_ip}
        }

    # Display a prompt to the user to request a token number
    else:
        return {
            'verdict': 'NEEDINFO',
            'question': ('token', 'Enter your token number: ')
        }

    def session_ended(self, session_id, cookie):
        session_details = ','.join([
            '{0}={1}'.format(key, cookie[key]) for key in 
            sorted(cookie.keys())
        ])

    # Send a log message when the session ends, including the 
    # client_ip address received in the cookie
    print("Session ended; session_id='{0}', session_details='{1}'".
        format(session_id, session_details))

Related Documents