How to do external authentication with a scripted node

This topic has 4 replies, 3 voices, and was last updated 3 weeks, 1 day ago by Jatinder Singh (AcceptingNewProjects).

  • #28175
     edward.winston
    Participant

    We are doing a POC with ForgeRock. To get something going quickly I am trying to create an Authentication tree that takes a user name, does some external processing by calling out to an external process and then returns if the username is valid.

    The callouts work, but no matter what I return I am always getting a 401. The last node in the tree is the Success node (or Failure), but even when I return a success outcome, the user is not authenticated.

    Is there something else I need to do or set in the shared state to mark the user/session as authenticated?

    Thanks,
    Edward

    #28176

    In your scripted node, you need to set and return the value of the outcome variable to the values being managed by the node in your tree.

    For example, if your outcome value is being returned as success, in your tree connect the success outcome with the Success node.

    If you are still experiencing issues – I would suggest debugging and printing the value of outcome to see what it is and that there is no exception being thrown in your script. For this you will have to set the debug level of your script to MESSAGE.

    Hope this helps!
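
The outcome handling described in the reply above, as an added example that is not part of the original thread and is not ForgeRock's code. It assumes the node's configured outcomes are named "true" and "false"; `decideOutcome`, `isKnownUser`, `sampleLookup` and the sample user names are hypothetical, and the AM bindings `sharedState` and `logger` are replaced by constructed stand-ins so the logic runs outside AM.

```javascript
// Outcome logic for a scripted decision node. In AM, `sharedState` and `logger`
// are bindings handed to the script, and the node reads the global `outcome`.
// They are parameters here so the same logic can run outside AM.
function decideOutcome(sharedState, logger, isKnownUser) {
  var username = sharedState.get("username");
  if (username === null || username === undefined || String(username).trim() === "") {
    logger.message("ext-check: no username in shared state, outcome=false");
    return "false";
  }
  try {
    // Only an explicit boolean true from the external check passes.
    var valid = isKnownUser(String(username)) === true;
    logger.message("ext-check: user=" + username + " outcome=" + valid);
    return String(valid);
  } catch (e) {
    // Fail closed: an exception or timeout must never fall through to success.
    logger.error("ext-check: lookup failed for " + username + ": " + e);
    return "false";
  }
}

// Constructed stand-ins for the AM logger binding and the external source.
function makeLogger() {
  var lines = [];
  return {
    lines: lines,
    message: function (m) { lines.push("MESSAGE " + m); },
    error: function (m) { lines.push("ERROR " + m); }
  };
}
var KNOWN_USERS = ["alice", "bob"]; // constructed sample data
function sampleLookup(name) {
  if (name === "timeout") { throw new Error("external service timed out"); }
  return KNOWN_USERS.indexOf(name) !== -1;
}

// Runs four constructed usernames through the logic and returns outcomes and log.
function runSamples() {
  var logger = makeLogger();
  var results = ["alice", "mallory", "timeout", ""].map(function (u) {
    return decideOutcome(new Map([["username", u]]), logger, sampleLookup);
  });
  return { results: results, log: logger.lines };
}

// Inside the node script itself the last line would be:
//   outcome = decideOutcome(sharedState, logger, yourExternalCheck);
```

Every string the function can return has to exist as an outcome on the node and be wired to a next node in the tree; the logged lines only appear when the script's debug level is MESSAGE.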

    #28226
     Scott Heger
    Participant

    Improper Identity Store configuration can cause 401 errors. Check to ensure the values for LDAP Users Search Attribute and Authentication Naming Attribute in your Identity Store are correct. They both default to “uid” but if your username is using a different attribute then things won’t work right.

    #28246
     edward.winston
    Participant

    Thanks for the replies! I think the problem was due to a stale login window. The scripted node was actually just testing to see if the name was valid against an external source. I did get it to work by making sure I reloaded the login window if I had been away for a while.

    #28248

    Yes, that could be a valid reason. FYI – when using Intelligent Authentication Trees, the default max duration of an authentication session is 5 minutes which can be tweaked at Global or Realm level.

    Happy ForgeRocking!
