Your custom post-authentication plug-in, or module, must perform at least the following operations:
Read the value of an LDAP attribute whose name is specified in the OpenSSO Enterprise property com.sun.identity.firsttime_login_attr_name.
If the value of the attribute is true, determine that the user is logging in for the first time.
If the user is logging in for the first time, redirect to the Identity Manager URL where the user can enter or set challenge questions.
Before you begin, determine the LDAP attribute you will use to identify a user who is logging in for the first time, and replace occurrences of employeeType in the following instructions with the custom LDAP attribute name. This attribute is ideally a boolean LDAP attribute that takes values true or false. In the procedures described below, the attribute is employeeType.
You can develop your own code based on the code sample made available in the opensso.zip distribution. Or you can use the source code that comes with OpenSSO Enterprise. Choose only one of the following procedures:
The following code sample is a post-authentication plug-in. In this code sample, OpenSSO Enterprise redirects to an Identity Manager URL if the value of the configured LDAP attribute is true.
Replace occurrences of com.sun.identity.authentication.spi.FirstTimeLogin with the fully qualified name of your class.
package com.sun.identity.authentication.spi;

import com.iplanet.am.util.Debug;
import com.iplanet.am.util.Misc;
import com.iplanet.am.util.SystemProperties;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdUtils;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FirstTimeLogin implements AMPostAuthProcessInterface {

    // Add this property as an advanced property in the OpenSSO Enterprise
    // configuration; its value is the name of the LDAP attribute that
    // marks a first-time login (employeeType in these instructions).
    private static final String FIRSTTIME_LOGIN_ATTR_NAME =
        "com.sun.identity.firsttime_login_attr_name";

    private static Debug debug = Debug.getInstance("FirstTimeLogin");

    /**
     * Post processing on successful authentication.
     *
     * @param requestParamsMap contains HttpServletRequest parameters
     * @param request HttpServlet request
     * @param response HttpServlet response
     * @param ssoToken user's session
     * @throws AuthenticationException if there is an error while setting
     *         the post-login redirect URL
     */
    public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
            HttpServletResponse response, SSOToken ssoToken)
            throws AuthenticationException {
        if (debug.messageEnabled()) {
            debug.message("FirstTimeLogin.onLoginSuccess called: Req:"
                + request.getRequestURL());
        }
        // Name of the LDAP attribute to inspect, read from the advanced property.
        String strAttributeName = SystemProperties.get(FIRSTTIME_LOGIN_ATTR_NAME);
        try {
            if (strAttributeName != null && !strAttributeName.trim().equals("")) {
                // Resolve the authenticated user and read all of its attributes.
                AMIdentity amIdentityUser = IdUtils.getIdentity(ssoToken);
                Map attrMap = amIdentityUser.getAttributes();
                String strAttributeValue = Misc.getMapAttr(attrMap, strAttributeName, null);
                if (debug.messageEnabled()) {
                    debug.message("FirstTimeLogin.onLoginSuccess: "
                        + strAttributeName + "=" + strAttributeValue);
                }
                // A value of true means this is the user's first login:
                // send the user to Identity Manager to set challenge questions.
                if (strAttributeValue != null && strAttributeValue.equalsIgnoreCase("true")) {
                    if (request != null) {
                        request.setAttribute(
                            AMPostAuthProcessInterface.POST_PROCESS_LOGIN_SUCCESS_URL,
                            "http://localhost:8081/idm/user/main.jsp?goto=http://mail.yahoo.com");
                    }
                }
            }
            if (debug.messageEnabled()) {
                debug.message("FirstTimeLogin.onLoginSuccess: FirstTimeLogin "
                    + "concluded successfully");
            }
        } catch (IdRepoException ire) {
            debug.error("FirstTimeLogin.onLoginSuccess: IdRepoException while "
                + "fetching user attributes: " + ire);
        } catch (SSOException sse) {
            debug.error("FirstTimeLogin.onLoginSuccess: SSOException while "
                + "fetching user attributes: " + sse);
        }
    }

    /**
     * Post processing on failed authentication.
     *
     * @param requestParamsMap contains HttpServletRequest parameters
     * @param req HttpServlet request
     * @param res HttpServlet response
     * @throws AuthenticationException if there is an error
     */
    public void onLoginFailure(Map requestParamsMap, HttpServletRequest req,
            HttpServletResponse res) throws AuthenticationException {
        debug.message("FirstTimeLogin.onLoginFailure: called");
    }

    /**
     * Post processing on logout.
     *
     * @param req HttpServlet request
     * @param res HttpServlet response
     * @param ssoToken user's session
     * @throws AuthenticationException if there is an error
     */
    public void onLogout(HttpServletRequest req, HttpServletResponse res,
            SSOToken ssoToken) throws AuthenticationException {
        debug.message("FirstTimeLogin.onLogout called");
    }
}
If you want to preserve the value of the OpenSSO Enterprise goto URL and pass it on to Identity Manager, you can do that in the post-authentication plug-in. You can retrieve the original URL parameters from the HTTP request and incorporate them into the request to the Identity Manager URL. See "Adding Authentication Post Processing Features" in the Sun OpenSSO Enterprise 8.0 Developer's Guide.
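The following is an added example of how the goto value can be carried along; it is not part of the OpenSSO Enterprise sample and not taken from the Developer's Guide. It reads the goto request parameter, URL-encodes it into the Identity Manager URL, and forwards it only when its target is a relative path on this server or an absolute http(s) URL whose host is on an allow-list, so that a crafted goto cannot turn the plug-in into an open redirect. The class IdmRedirectBuilder, the Identity Manager base URL, and the allow-list are hypothetical and would be replaced with values for your deployment.

```java
// Added example, not part of the OpenSSO Enterprise sample code.
// Builds the Identity Manager redirect URL while preserving the OpenSSO goto
// parameter, forwarding it only to trusted targets. Class name, base URL and
// allow-list are hypothetical placeholders for your deployment.
package com.example.postauth;

import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

public final class IdmRedirectBuilder {

    // OpenSSO passes the post-login target in the "goto" request parameter.
    private static final String GOTO_PARAM = "goto";

    // Hypothetical Identity Manager URL, for example
    // https://idm.example.com/idm/user/main.jsp
    private final String idmBaseUrl;
    // Lower-case host names that a goto URL may point at.
    private final Set<String> allowedGotoHosts;

    public IdmRedirectBuilder(String idmBaseUrl, Set<String> allowedGotoHosts) {
        this.idmBaseUrl = idmBaseUrl;
        this.allowedGotoHosts =
            Collections.unmodifiableSet(new HashSet<String>(allowedGotoHosts));
    }

    /** Reads goto from the login request and returns the URL to hand to Identity Manager. */
    public String buildRedirectUrl(HttpServletRequest request) {
        return buildRedirectUrl(request.getParameter(GOTO_PARAM));
    }

    /** Same, for a goto value already taken from the request; null or empty means no goto. */
    public String buildRedirectUrl(String gotoValue) {
        if (gotoValue == null || gotoValue.trim().length() == 0 || !isAllowed(gotoValue)) {
            // Absent or untrusted goto: send the user to Identity Manager without it.
            return idmBaseUrl;
        }
        try {
            // Append as a query parameter, encoded so that the value's own
            // '?', '&' and '#' characters cannot alter the Identity Manager URL.
            String separator = idmBaseUrl.indexOf('?') >= 0 ? "&" : "?";
            return idmBaseUrl + separator + GOTO_PARAM + "="
                + URLEncoder.encode(gotoValue, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is always available", e);
        }
    }

    /** Accepts a relative path on this server or an absolute http(s) URL to an allow-listed host. */
    boolean isAllowed(String gotoValue) {
        URI uri;
        try {
            uri = new URI(gotoValue);
        } catch (URISyntaxException e) {
            return false;   // not parseable as a URL: do not forward
        }
        if (uri.getScheme() == null && uri.getHost() == null) {
            // Relative target such as /portal/home stays on the OpenSSO host;
            // a protocol-relative "//host/..." form is rejected.
            return gotoValue.startsWith("/") && !gotoValue.startsWith("//");
        }
        String scheme = uri.getScheme();
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return false;   // javascript:, data: and other schemes are never forwarded
        }
        return uri.getHost() != null
            && allowedGotoHosts.contains(uri.getHost().toLowerCase());
    }
}
```

Inside onLoginSuccess, the hard-coded Identity Manager URL would then be replaced by request.setAttribute(AMPostAuthProcessInterface.POST_PROCESS_LOGIN_SUCCESS_URL, builder.buildRedirectUrl(request)), where builder is an IdmRedirectBuilder constructed with your Identity Manager URL and the set of hosts you are willing to send users back to after they have set their challenge questions.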
The sample source code is contained in the file opensso/integrations/idm/src/com/sun/identity/authentication/spi/FirstTimeLogin.java. Replace occurrences of com.sun.identity.authentication.spi.FirstTimeLogin with the fully qualified name of your class. Replace the Identity Manager URL with an appropriate URL to suit your deployment.