From 9717e8e1aa3a9ee7ac99ad6ac37d272c716a4b82 Mon Sep 17 00:00:00 2001 From: Thanuja Date: Mon, 18 Dec 2023 15:06:58 +0530 Subject: [PATCH] Update adaptive-metadata.json --- .../api/server/application/management/v1/adaptive-metadata.json | 2 +- pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/integration/tests-integration/tests-backend/src/test/resources/org/wso2/identity/integration/test/rest/api/server/application/management/v1/adaptive-metadata.json b/modules/integration/tests-integration/tests-backend/src/test/resources/org/wso2/identity/integration/test/rest/api/server/application/management/v1/adaptive-metadata.json index 8a761313a6..476e3e477c 100644 --- a/modules/integration/tests-integration/tests-backend/src/test/resources/org/wso2/identity/integration/test/rest/api/server/application/management/v1/adaptive-metadata.json +++ b/modules/integration/tests-integration/tests-backend/src/test/resources/org/wso2/identity/integration/test/rest/api/server/application/management/v1/adaptive-metadata.json @@ -1,3 +1,3 @@ { - "templatesJSON": "{\"AdaptiveMFA\":{\"displayName\":\"Adaptive MFA\",\"templates\":[{\"summary\":\"Define conditional authentication by passing one or many Authentication Context Class References as comma separated values.\",\"preRequisites\":[\"Change the supportedAcrValues parameter to an array of ACR Levels.\",\"Modify the default authentication steps and option(s) as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Configuring+ACR-Based+Adaptive+Authentication\",\"code\":[\"// Define conditional authentication by passing one or many Authentication Context Class References \",\"// as comma separated values.\",\"\",\"// Specify the ordered list of ACR here.\",\"var supportedAcrValues = ['acr1', 'acr2', 'acr3'];\",\"\",\"var onLoginRequest = function(context) {\",\" var selectedAcr = selectAcrFrom(context, supportedAcrValues);\",\" Log.info('--------------- ACR selected: ' + selectedAcr);\",\" context.selectedAcr = selectedAcr;\",\" switch (selectedAcr) {\",\" case supportedAcrValues[0] :\",\" executeStep(1);\",\" break;\",\" case supportedAcrValues[1] :\",\" executeStep(1);\",\" executeStep(2);\",\" break;\",\" case supportedAcrValues[2] :\",\" executeStep(1);\",\" executeStep(3);\",\" break;\",\" default :\",\" executeStep(1);\",\" executeStep(2);\",\" executeStep(3);\",\" }\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\",\"Step 3\":\"FIDO authenticator\"},\"parametersDescription\":{\"supportedAcrValues\":\"An array of ACRs ordered by the level\"},\"name\":\"ACR-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]},\"3\":{\"federated\":[],\"local\":[\"FIDOAuthenticator\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"ACR-Based 2FA Template\",\"authenticationSteps\":3},{\"summary\":\"Define conditional authentication by risk score value calculated from analytics engine.\",\"preRequisites\":[\"Change the siddhiApplication and siddhiInputStream according to the Siddhi application you have deployed in the Stream Processor.\",\"Modify the default authentication steps and option(s) as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Configuring+Risk-Based+Adaptive+Authentication\",\"code\":[\"// [Deprecated - Use ELK-Risk-Based with ELK analytics integration]\",\"\",\"// Define conditional authentication by risk score value calculated from analytics engine.\",\"\",\"// Specify the Siddhi application name.\",\"var siddhiApplication = 'RiskBasedLogin';\",\"// Specify the Siddhi input stream name.\",\"var siddhiInputStream = 'InputStream';\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" var username = context.currentKnownSubject.username;\",\" callAnalytics({'Application':siddhiApplication,'InputStream':siddhiInputStream}, {'username':username}, {\",\" onSuccess : function(context, data) {\",\" Log.info('--------------- Received risk score value: ' + data.event.riskScore);\",\" if (data.event.riskScore > 0) {\",\" executeStep(2);\",\" }\",\" }, onFail : function(context, data) {\",\" Log.info('--------------- Failed to call analytics engine');\",\" executeStep(2);\",\" }\",\" });\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\"},\"parametersDescription\":{\"siddhiApplication\":\"Name of the Siddhi application in the Stream processor\",\"siddhiInputStream\":\"Name of the input stream in the above Siddhi application\"},\"name\":\"[Deprecated] Risk-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"Risk-Based 2FA Template [Deprecated]\",\"authenticationSteps\":2},{\"summary\":\"Prompts 2FA to the users who belong to any of the given sets of groups.\",\"preRequisites\":[\"Change the groupList parameter to an array of groups for which users need to enforce 2FA.\",\"Modify the 1st and 2nd factor authentication option(s) from defaults as required.\"],\"code\":[\"// This script will step up authentication for any user who belongs\",\"// to one of the given groups.\",\"// If the user is a member of the following groups, authentication will be stepped up\",\"var groupsToStepUp = ['manager','employee'];\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" // Extracting authenticated subject from the first step.\",\" var user = context.currentKnownSubject;\",\" // Checking if the user is assigned to one of the given groups.\",\" var isMember = isMemberOfAnyOfGroups(user, groupsToStepUp);\",\" if (isMember) {\",\" Log.info(user.username + ' is a member of one of the groups: ' + groupsToStepUp.toString());\",\" executeStep(2);\",\" }\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator.\",\"Step 2\":\"Either of TOTP or FIDO\"},\"parametersDescription\":{\"groupsToStepUp\":\"An array of groups for which users need to enforce 2FA.\"},\"name\":\"Group-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\",\"FIDOAuthenticator\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"Group-Based 2FA Template\",\"authenticationSteps\":2},{\"summary\":\"Prompts 2FA to the users who are logging outside of the given ip range.\",\"preRequisites\":[\"Change the corpNetwork parameter to an array of ip ranges that should bypass 2FA\",\"Modify the 1st and 2nd factor authentication option(s) from defaults as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Configuring+IP-Based+Adaptive+Authentication\",\"code\":[\"// This script will step up authentication for any user who are trying to log in outside from the configured network\",\"\",\"// Configure the network ranges here\",\"var corpNetwork = ['192.168.1.0/24', '10.100.0.0/16'];\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" var user = context.currentKnownSubject;\",\" // Extracting the origin IP of the request\",\" var loginIp = context.request.ip;\",\" Log.info('User: ' + user.username + ' logged in from IP: ' + loginIp);\",\" // Checking if the IP is within the allowed range\",\" if (!isCorporateIP(loginIp, corpNetwork)) {\",\" executeStep(2);\",\" }\",\" }\",\" });\",\"};\",\"\",\"// Function to convert ip address string to long value\",\"var convertIpToLong = function(ip) {\",\" var components = ip.split('.');\",\" if (components) {\",\" var ipAddr = 0, pow = 1;\",\" for (var i = 3; i >= 0; i -= 1) {\",\" ipAddr += pow * parseInt(components[i]);\",\" pow *= 256;\",\" }\",\" return ipAddr;\",\" } else {\",\" return -1;\",\" }\",\"};\",\"\",\"// Function to check if the ip address is within the given subnet\",\"var isCorporateIP = function(ip, subnets) {\",\" var subnetLength = subnets.length;\",\" for (var i = 0; i < subnetLength; i++) {\",\" var subnetComponents = subnets[i].split('/');\",\" var minHost = convertIpToLong(subnetComponents[0]);\",\" var ipAddr = convertIpToLong(ip);\",\" var mask = subnetComponents[1];\",\" if (subnetComponents && minHost >= 0) {\",\" var numHosts = Math.pow(2, 32 - parseInt(mask));\",\" if ((ipAddr >= minHost) && (ipAddr <= minHost + numHosts - 1)) {\",\" return true;\",\" }\",\" }\",\" }\",\" return false;\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\"},\"parametersDescription\":{\"corpNetwork\":\"An array of ip ranges which should bypass 2FA\"},\"name\":\"IP-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"IP-Based Authentication Template\",\"authenticationSteps\":2},{\"summary\":\"Prompts 2FA to the users who are from one of the given user store domains.\",\"preRequisites\":[\"Change the userStoresToStepUp parameter to an array of user store domains that should require 2FA.\",\"Modify the 1st and 2nd factor authentication option(s) from defaults as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Configuring+User+Store-Based+Adaptive+Authentication\",\"code\":[\"// This script will prompt 2FA to the app only for a selected set of user stores.\",\"// If the user is in one of the following user stores, user will be prompted 2FA\",\"var userStoresToStepUp = ['EMPLOYEES', 'CONTRACTORS'];\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" // Extracting user store domain of authenticated subject from the first step\",\" var userStoreDomain = context.currentKnownSubject.userStoreDomain;\",\" // Checking if the user is from whitelisted tenant domain\",\" if (userStoresToStepUp.indexOf(userStoreDomain) >= 0) {\",\" executeStep(2);\",\" }\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\"},\"parametersDescription\":{\"userStoresToStepUp\":\"An array of user store domains of which users are required to use 2FA\"},\"name\":\"User Store-Based\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]}},\"runTime\":\"any\",\"category\":\"AdaptiveMFA\",\"title\":\"User Store-Based Authentication Template\",\"authenticationSteps\":2},{\"summary\":\"Send an email notification and/or prompts 2FA to the users who is logging in from a previously unused device. A cookie is used to identify whether the device has been used before.\",\"preRequisites\":[\"Modify the 1st and 2nd factor authentication option(s) from defaults as required.\",\"Change the parameters detailed below to reflect your requirements\"],\"img\":\"./images/user.png\",\"code\":[\"// This script will step up authentication and send email notification in case of\",\"// a user being logging in from a new device (identified by a cookie).\",\"\",\"// Amount of time in seconds to remember a device. Set to 2 years below.\",\"var deviceRememberPeriod = 60 * 60 * 24 * 365 * 2;\",\"\",\"// Cookie name to be set\",\"var cookieName = 'deviceAuth';\",\"\",\"// Whether to send a notification on new device login\",\"var sendNotification = true;\",\"\",\"// Whether to step up authentication for new device login\",\"var stepUpAuthentication = true;\",\"\",\"// Email template to be used for new device login notification\",\"var emailTemplate = 'UnseenDeviceLogin';\",\"\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" subject = context.currentKnownSubject;\",\" if (!validateCookie(context, subject)) {\",\" Log.debug('New device login for ' + subject.identifier);\",\"\",\" if (sendNotification === true) {\",\" var templatePlaceholders = {\",\" 'username': subject.identifier,\",\" 'login-time': new Date().toUTCString()\",\" };\",\" var isSent = sendEmail(subject, emailTemplate, templatePlaceholders);\",\" if (isSent) {\",\" Log.debug('New device login notification sent to ' + subject.identifier);\",\" } else {\",\" Log.debug('New device login notification sending failed to ' + subject.identifier);\",\" }\",\" }\",\"\",\" if (stepUpAuthentication === true) {\",\" Log.debug('Stepping up authentication due to a new device login for ' + subject.identifier);\",\" executeStep(2, {\",\" onSuccess: function (context) {\",\" setCookie(context.response, cookieName, subject.identifier, {\",\" 'sign': true,\",\" 'max-age': deviceRememberPeriod,\",\" 'sameSite': 'LAX'\",\" });\",\" }\",\" });\",\" }\",\" }\",\" }\",\" });\",\"};\",\"\",\"//Validate if the user has a valid cookie with the value as subject's username\",\"var validateCookie = function(context, subject) {\",\" var cookieVal = getCookieValue(context.request, cookieName, {'validateSignature': true});\",\" return subject.identifier === cookieVal;\",\"};\",\"\"],\"parametersDescription\":{\"sendNotification\":\"Whether to send email notifications to the users\",\"stepUpAuthentication\":\"Whether to step up the authentication\",\"cookieName\":\"Cookie name to be used for device identification\",\"deviceRememberPeriod\":\"How long should this device be remembered as trusted. Once this time passed, login attempts will be considered as new device logins\"},\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]}},\"title\":\"New-Device-Based Authentication Template\",\"authenticationSteps\":2,\"helpLink\":\"https://docs.wso2.com/display/IS570/Configuring+New-Device-Based+Adaptive+Authentication\",\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\"},\"name\":\"New-Device-Based\",\"runTime\":\"any\",\"category\":\"AdaptiveMFA\"},{\"summary\":\"Prompts 2FA to the users who are from one of the given tenants.\",\"preRequisites\":[\"Service provider should be registered as a SAAS Application.\",\"Change the tenantsToStepUp parameter to an array of tenant domains that should require 2FA.\",\"Modify the 1st and 2nd factor authentication option(s) from defaults as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Configuring+Tenant-Based+Adaptive+Authentication\",\"code\":[\"// This script will prompt 2FA to the app only for a selected\",\"// set of tenants.\",\"// The app is assumed to be a SAAS app here which can be accessed by any tenant\",\"\",\"// If the user is in one of the following tenants, user will be prompted 2FA\",\"var tenantsToStepUp = ['abc.com', 'xyz.com'];\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" // Extracting tenant domain of authenticated subject from the first step\",\" var userTenantDomain = context.currentKnownSubject.tenantDomain;\",\" // Checking if the user is from whitelisted tenant domain\",\" if (tenantsToStepUp.indexOf(userTenantDomain) >= 0) {\",\" executeStep(2);\",\" }\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\"},\"parametersDescription\":{\"tenantsToStepUp\":\"An array of tenants of which users are required to use 2FA\"},\"name\":\"Tenant-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"Tenant-Based Authentication Template\",\"authenticationSteps\":2},{\"summary\":\"Prompts 2FA to the users who are successfully logging after specific number of failed login attempts.\",\"preRequisites\":[\"Change the parameters at the top of the script as needed to match the requirements.\",\"Modify the authentication option(s) from defaults as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Adaptive+Authentication+Scenarios\",\"code\":[\"// This script will step up authentication for any user who has exceeded 3 invalid login attempts continuously.\",\"// This variable is used to define the number of invalid attempts allowed before prompting the second facto.\",\"var invalidAttemptsToStepup = 3;\",\"\",\"var failedLoginAttemptsBeforeSuccessClaim= 'http://wso2.org/claims/identity/failedLoginAttemptsBeforeSuccess';\",\"var onLoginRequest = function(context) {\",\" doLogin(context);\",\"};\",\"\",\"var doLogin = function(context) {\",\" executeStep(1, {\",\" onSuccess : function(context){\",\" var user = context.steps[1].subject;\",\" if (isExceedInvalidAttempts(user)) {\",\" executeStep(2, {\",\" onSuccess : function(context) {\",\" var user = context.steps[1].subject;\",\" user.localClaims[failedLoginAttemptsBeforeSuccessClaim] = \\\"0\\\";\",\" }\",\" });\",\" }\",\" },\",\" onFail : function(context) {\",\" // Retry the login..\",\" doLogin(context);\",\" }\",\" });\",\"};\",\"\",\"var isExceedInvalidAttempts = function(user) {\",\" if (user.localClaims[failedLoginAttemptsBeforeSuccessClaim] >= invalidAttemptsToStepup) {\",\" return true;\",\" } else {\",\" return false;\",\" }\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\"},\"parametersDescription\":{\"invalidAttemptsToStepup\":\"Minimum number of attempts made by a user to prompt 2FA.\"},\"name\":\"Login-Attempts-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"Login-Attempts-Based Authentication Template\",\"authenticationSteps\":2},{\"summary\":\"Prompts 2FA to the users who belongs to any of the given set of roles which are associated to the application.\",\"preRequisites\":[\"Change the rolesList parameter to an array of roles of which users need to enforce 2FA.\",\"Modify the 1st and 2nd factor authentication option(s) from defaults as required.\"],\"helpLink\":\"https://is.docs.wso2.com/en/latest/guides/authentication/conditional-auth/role-based-template/\",\"code\":[\"// This script will step up authentication for any user belonging\",\"// to one of the given roles\",\"// If the user has any of the below roles, authentication will be stepped up\",\"var rolesToStepUp = ['admin', 'manager'];\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" // Extracting authenticated subject from the first step\",\" var user = context.currentKnownSubject;\",\" // Checking if the user is assigned to one of the given roles\",\" var hasRole = hasAnyOfTheRolesV2(context, rolesToStepUp);\",\" if (hasRole) {\",\" Log.info(user.username + ' Has one of Roles: ' + rolesToStepUp.toString());\",\" executeStep(2);\",\" }\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator.\",\"Step 2\":\"Either of TOTP or FIDO\"},\"parametersDescription\":{\"rolesToStepUp\":\"An array of roles of which users need to enforce 2FA.\"},\"name\":\"Role-Based-V2\",\"runtime\":\"new\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\",\"FIDOAuthenticator\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"Role-V2-Based 2FA Template\",\"authenticationSteps\":2},{\"summary\":\"Define conditional authentication by risk score value calculated from ELK.\",\"preRequisites\":[\"Change elasticsearch domain with the port.\",\"Modify the default authentication steps and option(s) as required.\"],\"helpLink\":\"https://is.docs.wso2.com/en/latest/learn/configuring-risk-based-adaptive-authentication/\",\"code\":[\"// Define conditional authentication by risk score value calculated from ELK analytics.\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" var username = context.currentKnownSubject.username;\",\" callElastic({'username': username}, {\",\" onSuccess : function(context, data) {\",\" Log.info('--------------- Received risk score value: ' + data.risk_score);\",\" if (data.risk_score > 0) {\",\" executeStep(2);\",\" }\",\" }, onFail : function(context, data) {\",\" Log.info('--------------- Failed to call ELK');\",\" executeStep(2);\",\" }\",\" });\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\"},\"parametersDescription\":{\"duration\":\"[optional] Aggregation time period from current timestamp. (Default: '5m')\",\"riskLogic\":\"[optional] Elastic map script to calculate the summation of values. (Default: 'state.sum.add(doc['amount'].value);')\",\"index\":\"[optional] Elasticsearch index to calculate the risk score. (Default: 'transaction')\",\"threshold\":\"[optional] Threshold summation value to identify as a risk. (Default: '10000')\",\"username\":\"Current login context username.\"},\"name\":\"ELK-Risk-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"ELK Risk-Based 2FA Template\",\"authenticationSteps\":2}],\"icon\":\"./images/adaptive-mfa-template.png\",\"order\":2},\"uncategorized\":{\"displayName\":\"Uncategorized\",\"order\":10000},\"AccessControl\":{\"displayName\":\"Access Control\",\"templates\":[{\"summary\":\"Allow login to application if the user's age is over configured value. User's age is calculated using the user's date of birth attribute.\",\"preRequisites\":[\"Change the parameters at the top of the script as needed to match the requirements.\",\"Modify the authentication option(s) from defaults as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Configuring+User-Age-Based+Adaptive+Authentication\",\"code\":[\"// This script will only allow login to application if the user's age is over configured value\",\"// The user will be redirected to an error page if the date of birth is not present or user is below configured value\",\"\",\"var ageLimit = 18;\",\"\",\"// Error page to redirect unauthorized users,\",\"// can be either an absolute url or relative url to server root, or empty/null\",\"// null/empty value will redirect to the default error page\",\"var errorPage = '';\",\"\",\"// Additional query params to be added to the above url.\",\"// Hint: Use i18n keys for error messages\",\"var errorPageParameters = {\",\" 'status': 'Unauthorized',\",\" 'statusMsg': 'You need to be over ' + ageLimit + ' years to login to this application.'\",\"};\",\"\",\"// Date of birth attribute at the client side\",\"var dateOfBirthClaim = 'http://wso2.org/claims/dob';\",\"\",\"// The validator function for DOB. Default validation check if the DOB is in YYYY-MM-dd format\",\"var validateDOB = function (dob) {\",\" return dob.match(/^(\\\\d{4})-(\\\\d{2})-(\\\\d{2})$/);\",\"};\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" var underAge = true;\",\" // Extracting user store domain of authenticated subject from the first step\",\" var dob = context.currentKnownSubject.localClaims[dateOfBirthClaim];\",\" Log.debug('DOB of user ' + context.currentKnownSubject.identifier + ' is : ' + dob);\",\" if (dob && validateDOB(dob)) {\",\" var birthDate = new Date(dob);\",\" if (getAge(birthDate) >= ageLimit) {\",\" underAge = false;\",\" }\",\" }\",\" if (underAge === true) {\",\" Log.debug('User ' + context.currentKnownSubject.identifier + ' is under aged. Hence denied to login.');\",\" sendError(errorPage, errorPageParameters);\",\" }\",\" }\",\" });\",\"};\",\"\",\"var getAge = function(birthDate) {\",\" var today = new Date();\",\" var age = today.getFullYear() - birthDate.getFullYear();\",\" var m = today.getMonth() - birthDate.getMonth();\",\" if (m < 0 || (m === 0 && today.getDate() < birthDate.getDate())) {\",\" age--;\",\" }\",\" return age;\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\"},\"parametersDescription\":{\"ageLimit\":\"Minimum age required for the user to login to the application\",\"errorPage\":\"Error page to redirect user, if the age limit is below ageLimit\",\"errorPageParameters\":\"Parameters to be passed to the error page\"},\"name\":\"User-Age-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]}},\"category\":\"AccessControl\",\"title\":\"User-Age-Based Authentication Template\",\"authenticationSteps\":1},{\"summary\":\"Prompts session handling to the users who belongs to any of the given set of roles which are associated to the application based on currently active session count.\",\"preRequisites\":[\"Change the rolesList parameter to an array of roles of which users need to prompt for session handling.\",\"Modify the maxSessionCount parameter as required.\"],\"helpLink\":\"https://is.docs.wso2.com/en/latest/guides/authentication/conditional-auth/concurrent-session-based-template/\",\"code\":[\"// This script will prompt concurrent session handling\",\"// to one of the given roles\",\"// If the user has any of the below roles, concurrent session handling will be prompted\",\"// and it will either kill sessions or abort login based on number of active concurrent user sessions\",\"var rolesToStepUp = ['admin', 'manager'];\",\"var maxSessionCount = 1;\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" // Extracting authenticated subject from the first step\",\" var user = context.currentKnownSubject;\",\" // Checking if the user is assigned to one of the given roles\",\" var hasRole = hasAnyOfTheRolesV2(context, rolesToStepUp);\",\"\",\" if (hasRole) {\",\" Log.info(user.username + ' Has one of Roles: ' + rolesToStepUp.toString());\",\" executeStep(2, {\",\" authenticatorParams: {\",\" local: {\",\" SessionExecutor: {\",\" MaxSessionCount: '1'\",\" }\",\" }\",\" }\",\" }, {});\",\" }\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator.\"},\"parametersDescription\":{\"rolesToStepUp\":\"An array of roles of which users should be prompted for session handling.\",\"MaxSessionCount\":\"Maximum number of allowed concurrent sessions for the role which a particular user belongs to.\"},\"name\":\"Session-Based-V2\",\"runtime\":\"new\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"SessionExecutor\"]}},\"category\":\"AccessControl\",\"title\":\"Concurrent Session Management Template with V2 Roles\",\"authenticationSteps\":1}],\"icon\":\"./images/access-control-template.png\",\"order\":1},\"PasskeyEnrollment\":{\"displayName\":\"Passkey Enrollment\",\"templates\":[{\"summary\":\"If Passkey is set as a 1st authentication factor and there is a need to enable progressive Passkey enrollment, this adaptive script, along with the relevant connections configurations, should be added.\",\"preRequisites\":[\"Modify the 1st factor authentication option(s) from defaults as required.\"],\"helpLink\":\"https://is.docs.wso2.com/en/7.0.0/guides/authentication/passwordless-login/add-passwordless-login-with-passkey\",\"code\":[\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onFail: function(context) {\",\" var authenticatorStatus = context.request.params.scenario;\",\"\",\" // If it is a passkey progressive enrollment request trigger the following flow.\",\" if (authenticatorStatus != null && authenticatorStatus[0] == 'INIT_FIDO_ENROLL') {\",\" var filteredAuthenticationOptions = filterAuthenticators(context.steps[1].options, 'FIDOAuthenticator');\",\" executeStep(1, {\",\" stepOptions: {\",\" markAsSubjectIdentifierStep: 'true',\",\" markAsSubjectAttributeStep: 'true'\",\" },\",\" authenticationOptions: filteredAuthenticationOptions\",\" }, {\",\" onSuccess: function(context) {\",\" // If user got successfully authenticated \",\" executeStep(1, {\",\" stepOptions: {\",\" forceAuth: 'true'\",\" },\",\" authenticationOptions: [{\",\" authenticator: 'FIDOAuthenticator'\",\" }]\",\" }, {});\",\" },\",\" });\",\" }\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Passkey and Basic (Password) authenticator.\"},\"name\":\"Passkey Progressive Enrollment\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\",\"FIDOAuthenticator\"]}},\"category\":\"PasskeyEnrollment\",\"title\":\"Passkey Progressive Enrollment Template\",\"authenticationSteps\":1}],\"icon\":\"./images/passkey-enrollment-template.png\",\"order\":4},\"UserAttributes\":{\"displayName\":\"User Attributes\",\"templates\":[{\"summary\":\"Office365 integration of WSO2 IS require role based, on-demand user provisioning. Therefore assign a given role specific to office365 for successfully authenticated users if not already assigned, in order to trigger the role based user provisioning.\",\"preRequisites\":[\"Create a new role specific for Office365.\",\"Change the assigningRoles parameter to a single element array with the role specific to office365.\",\"Modify the 1st factor authentication option from defaults as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Adaptive+Authentication+Scenarios\",\"code\":[\"// This script will assign the below Office365 specific role to any user if not already assigned\",\"var roleToBeAssigned = ['Internal/office365Role'];\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" // Extracting authenticated subject from the first step\",\" var user = context.currentKnownSubject;\",\" // Checking if the user is already assigned to the given Office365 specific role\",\" var hasRole = hasAnyOfTheRoles(user, roleToBeAssigned);\",\" if (!hasRole) {\",\" Log.info('Assigning role: ' + roleToBeAssigned.toString() + ' for the user:' + user.username);\",\" assignUserRoles(user, roleToBeAssigned);\",\" }\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator.\"},\"parametersDescription\":{\"roleToBeAssigned\":\"A single element array with a given role specific for Office365.\"},\"name\":\"Update Office365 role\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]}},\"category\":\"UserAttributes\",\"title\":\"Office365-Based Authentication Template\",\"authenticationSteps\":1}],\"icon\":\"./images/user-attributes-template.png\",\"order\":3}}" + "templatesJSON":"{\"AdaptiveMFA\":{\"displayName\":\"Adaptive MFA\",\"templates\":[{\"summary\":\"Define conditional authentication by passing one or many Authentication Context Class References as comma separated values.\",\"preRequisites\":[\"Change the supportedAcrValues parameter to an array of ACR Levels.\",\"Modify the default authentication steps and option(s) as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Configuring+ACR-Based+Adaptive+Authentication\",\"code\":[\"// Define conditional authentication by passing one or many Authentication Context Class References \",\"// as comma separated values.\",\"\",\"// Specify the ordered list of ACR here.\",\"var supportedAcrValues = ['acr1', 'acr2', 'acr3'];\",\"\",\"var onLoginRequest = function(context) {\",\" var selectedAcr = selectAcrFrom(context, supportedAcrValues);\",\" Log.info('--------------- ACR selected: ' + selectedAcr);\",\" context.selectedAcr = selectedAcr;\",\" switch (selectedAcr) {\",\" case supportedAcrValues[0] :\",\" executeStep(1);\",\" break;\",\" case supportedAcrValues[1] :\",\" executeStep(1);\",\" executeStep(2);\",\" break;\",\" case supportedAcrValues[2] :\",\" executeStep(1);\",\" executeStep(3);\",\" break;\",\" default :\",\" executeStep(1);\",\" executeStep(2);\",\" executeStep(3);\",\" }\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\",\"Step 3\":\"FIDO authenticator\"},\"parametersDescription\":{\"supportedAcrValues\":\"An array of ACRs ordered by the level\"},\"name\":\"ACR-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]},\"3\":{\"federated\":[],\"local\":[\"FIDOAuthenticator\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"ACR-Based 2FA Template\",\"authenticationSteps\":3},{\"summary\":\"Define conditional authentication by risk score value calculated from analytics engine.\",\"preRequisites\":[\"Change the siddhiApplication and siddhiInputStream according to the Siddhi application you have deployed in the Stream Processor.\",\"Modify the default authentication steps and option(s) as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Configuring+Risk-Based+Adaptive+Authentication\",\"code\":[\"// [Deprecated - Use ELK-Risk-Based with ELK analytics integration]\",\"\",\"// Define conditional authentication by risk score value calculated from analytics engine.\",\"\",\"// Specify the Siddhi application name.\",\"var siddhiApplication = 'RiskBasedLogin';\",\"// Specify the Siddhi input stream name.\",\"var siddhiInputStream = 'InputStream';\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" var username = context.currentKnownSubject.username;\",\" callAnalytics({'Application':siddhiApplication,'InputStream':siddhiInputStream}, {'username':username}, {\",\" onSuccess : function(context, data) {\",\" Log.info('--------------- Received risk score value: ' + data.event.riskScore);\",\" if (data.event.riskScore > 0) {\",\" executeStep(2);\",\" }\",\" }, onFail : function(context, data) {\",\" Log.info('--------------- Failed to call analytics engine');\",\" executeStep(2);\",\" }\",\" });\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\"},\"parametersDescription\":{\"siddhiApplication\":\"Name of the Siddhi application in the Stream processor\",\"siddhiInputStream\":\"Name of the input stream in the above Siddhi application\"},\"name\":\"[Deprecated] Risk-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"Risk-Based 2FA Template [Deprecated]\",\"authenticationSteps\":2},{\"summary\":\"Prompts 2FA to the users who belong to any of the given sets of groups.\",\"preRequisites\":[\"Change the groupList parameter to an array of groups for which users need to enforce 2FA.\",\"Modify the 1st and 2nd factor authentication option(s) from defaults as required.\"],\"code\":[\"// This script will step up authentication for any user who belongs\",\"// to one of the given groups.\",\"// If the user is a member of the following groups, authentication will be stepped up\",\"var groupsToStepUp = ['manager','employee'];\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" // Extracting authenticated subject from the first step.\",\" var user = context.currentKnownSubject;\",\" // Checking if the user is assigned to one of the given groups.\",\" var isMember = isMemberOfAnyOfGroups(user, groupsToStepUp);\",\" if (isMember) {\",\" Log.info(user.username + ' is a member of one of the groups: ' + groupsToStepUp.toString());\",\" executeStep(2);\",\" }\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator.\",\"Step 2\":\"Either of TOTP or FIDO\"},\"parametersDescription\":{\"groupsToStepUp\":\"An array of groups for which users need to enforce 2FA.\"},\"name\":\"Group-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\",\"FIDOAuthenticator\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"Group-Based 2FA Template\",\"authenticationSteps\":2},{\"summary\":\"Prompts 2FA to the users who are logging outside of the given ip range.\",\"preRequisites\":[\"Change the corpNetwork parameter to an array of ip ranges that should bypass 2FA\",\"Modify the 1st and 2nd factor authentication option(s) from defaults as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Configuring+IP-Based+Adaptive+Authentication\",\"code\":[\"// This script will step up authentication for any user who are trying to log in outside from the configured network\",\"\",\"// Configure the network ranges here\",\"var corpNetwork = ['192.168.1.0/24', '10.100.0.0/16'];\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" var user = context.currentKnownSubject;\",\" // Extracting the origin IP of the request\",\" var loginIp = context.request.ip;\",\" Log.info('User: ' + user.username + ' logged in from IP: ' + loginIp);\",\" // Checking if the IP is within the allowed range\",\" if (!isCorporateIP(loginIp, corpNetwork)) {\",\" executeStep(2);\",\" }\",\" }\",\" });\",\"};\",\"\",\"// Function to convert ip address string to long value\",\"var convertIpToLong = function(ip) {\",\" var components = ip.split('.');\",\" if (components) {\",\" var ipAddr = 0, pow = 1;\",\" for (var i = 3; i >= 0; i -= 1) {\",\" ipAddr += pow * parseInt(components[i]);\",\" pow *= 256;\",\" }\",\" return ipAddr;\",\" } else {\",\" return -1;\",\" }\",\"};\",\"\",\"// Function to check if the ip address is within the given subnet\",\"var isCorporateIP = function(ip, subnets) {\",\" var subnetLength = subnets.length;\",\" for (var i = 0; i < subnetLength; i++) {\",\" var subnetComponents = subnets[i].split('/');\",\" var minHost = convertIpToLong(subnetComponents[0]);\",\" var ipAddr = convertIpToLong(ip);\",\" var mask = subnetComponents[1];\",\" if (subnetComponents && minHost >= 0) {\",\" var numHosts = Math.pow(2, 32 - parseInt(mask));\",\" if ((ipAddr >= minHost) && (ipAddr <= minHost + numHosts - 1)) {\",\" return true;\",\" }\",\" }\",\" }\",\" return false;\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\"},\"parametersDescription\":{\"corpNetwork\":\"An array of ip ranges which should bypass 2FA\"},\"name\":\"IP-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"IP-Based Authentication Template\",\"authenticationSteps\":2},{\"summary\":\"Prompts 2FA to the users who are from one of the given user store domains.\",\"preRequisites\":[\"Change the userStoresToStepUp parameter to an array of user store domains that should require 2FA.\",\"Modify the 1st and 2nd factor authentication option(s) from defaults as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Configuring+User+Store-Based+Adaptive+Authentication\",\"code\":[\"// This script will prompt 2FA to the app only for a selected set of user stores.\",\"// If the user is in one of the following user stores, user will be prompted 2FA\",\"var userStoresToStepUp = ['EMPLOYEES', 'CONTRACTORS'];\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" // Extracting user store domain of authenticated subject from the first step\",\" var userStoreDomain = context.currentKnownSubject.userStoreDomain;\",\" // Checking if the user is from whitelisted tenant domain\",\" if (userStoresToStepUp.indexOf(userStoreDomain) >= 0) {\",\" executeStep(2);\",\" }\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\"},\"parametersDescription\":{\"userStoresToStepUp\":\"An array of user store domains of which users are required to use 2FA\"},\"name\":\"User Store-Based\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]}},\"runTime\":\"any\",\"category\":\"AdaptiveMFA\",\"title\":\"User Store-Based Authentication Template\",\"authenticationSteps\":2},{\"summary\":\"Send an email notification and/or prompts 2FA to the users who is logging in from a previously unused device. A cookie is used to identify whether the device has been used before.\",\"preRequisites\":[\"Modify the 1st and 2nd factor authentication option(s) from defaults as required.\",\"Change the parameters detailed below to reflect your requirements\"],\"img\":\"./images/user.png\",\"code\":[\"// This script will step up authentication and send email notification in case of\",\"// a user being logging in from a new device (identified by a cookie).\",\"\",\"// Amount of time in seconds to remember a device. Set to 2 years below.\",\"var deviceRememberPeriod = 60 * 60 * 24 * 365 * 2;\",\"\",\"// Cookie name to be set\",\"var cookieName = 'deviceAuth';\",\"\",\"// Whether to send a notification on new device login\",\"var sendNotification = true;\",\"\",\"// Whether to step up authentication for new device login\",\"var stepUpAuthentication = true;\",\"\",\"// Email template to be used for new device login notification\",\"var emailTemplate = 'UnseenDeviceLogin';\",\"\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" subject = context.currentKnownSubject;\",\" if (!validateCookie(context, subject)) {\",\" Log.debug('New device login for ' + subject.identifier);\",\"\",\" if (sendNotification === true) {\",\" var templatePlaceholders = {\",\" 'username': subject.identifier,\",\" 'login-time': new Date().toUTCString()\",\" };\",\" var isSent = sendEmail(subject, emailTemplate, templatePlaceholders);\",\" if (isSent) {\",\" Log.debug('New device login notification sent to ' + subject.identifier);\",\" } else {\",\" Log.debug('New device login notification sending failed to ' + subject.identifier);\",\" }\",\" }\",\"\",\" if (stepUpAuthentication === true) {\",\" Log.debug('Stepping up authentication due to a new device login for ' + subject.identifier);\",\" executeStep(2, {\",\" onSuccess: function (context) {\",\" setCookie(context.response, cookieName, subject.identifier, {\",\" 'sign': true,\",\" 'max-age': deviceRememberPeriod,\",\" 'sameSite': 'LAX'\",\" });\",\" }\",\" });\",\" }\",\" }\",\" }\",\" });\",\"};\",\"\",\"//Validate if the user has a valid cookie with the value as subject's username\",\"var validateCookie = function(context, subject) {\",\" var cookieVal = getCookieValue(context.request, cookieName, {'validateSignature': true});\",\" return subject.identifier === cookieVal;\",\"};\",\"\"],\"parametersDescription\":{\"sendNotification\":\"Whether to send email notifications to the users\",\"stepUpAuthentication\":\"Whether to step up the authentication\",\"cookieName\":\"Cookie name to be used for device identification\",\"deviceRememberPeriod\":\"How long should this device be remembered as trusted. Once this time passed, login attempts will be considered as new device logins\"},\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]}},\"title\":\"New-Device-Based Authentication Template\",\"authenticationSteps\":2,\"helpLink\":\"https://docs.wso2.com/display/IS570/Configuring+New-Device-Based+Adaptive+Authentication\",\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\"},\"name\":\"New-Device-Based\",\"runTime\":\"any\",\"category\":\"AdaptiveMFA\"},{\"summary\":\"Prompts 2FA to the users who are from one of the given tenants.\",\"preRequisites\":[\"Service provider should be registered as a SAAS Application.\",\"Change the tenantsToStepUp parameter to an array of tenant domains that should require 2FA.\",\"Modify the 1st and 2nd factor authentication option(s) from defaults as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Configuring+Tenant-Based+Adaptive+Authentication\",\"code\":[\"// This script will prompt 2FA to the app only for a selected\",\"// set of tenants.\",\"// The app is assumed to be a SAAS app here which can be accessed by any tenant\",\"\",\"// If the user is in one of the following tenants, user will be prompted 2FA\",\"var tenantsToStepUp = ['abc.com', 'xyz.com'];\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" // Extracting tenant domain of authenticated subject from the first step\",\" var userTenantDomain = context.currentKnownSubject.tenantDomain;\",\" // Checking if the user is from whitelisted tenant domain\",\" if (tenantsToStepUp.indexOf(userTenantDomain) >= 0) {\",\" executeStep(2);\",\" }\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\"},\"parametersDescription\":{\"tenantsToStepUp\":\"An array of tenants of which users are required to use 2FA\"},\"name\":\"Tenant-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"Tenant-Based Authentication Template\",\"authenticationSteps\":2},{\"summary\":\"Prompts 2FA to the users who are successfully logging after specific number of failed login attempts.\",\"preRequisites\":[\"Change the parameters at the top of the script as needed to match the requirements.\",\"Modify the authentication option(s) from defaults as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Adaptive+Authentication+Scenarios\",\"code\":[\"// This script will step up authentication for any user who has exceeded 3 invalid login attempts continuously.\",\"// This variable is used to define the number of invalid attempts allowed before prompting the second facto.\",\"var invalidAttemptsToStepup = 3;\",\"\",\"var failedLoginAttemptsBeforeSuccessClaim= 'http://wso2.org/claims/identity/failedLoginAttemptsBeforeSuccess';\",\"var onLoginRequest = function(context) {\",\" doLogin(context);\",\"};\",\"\",\"var doLogin = function(context) {\",\" executeStep(1, {\",\" onSuccess : function(context){\",\" var user = context.steps[1].subject;\",\" if (isExceedInvalidAttempts(user)) {\",\" executeStep(2, {\",\" onSuccess : function(context) {\",\" var user = context.steps[1].subject;\",\" user.localClaims[failedLoginAttemptsBeforeSuccessClaim] = \\\"0\\\";\",\" }\",\" });\",\" }\",\" },\",\" onFail : function(context) {\",\" // Retry the login..\",\" doLogin(context);\",\" }\",\" });\",\"};\",\"\",\"var isExceedInvalidAttempts = function(user) {\",\" if (user.localClaims[failedLoginAttemptsBeforeSuccessClaim] >= invalidAttemptsToStepup) {\",\" return true;\",\" } else {\",\" return false;\",\" }\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\"},\"parametersDescription\":{\"invalidAttemptsToStepup\":\"Minimum number of attempts made by a user to prompt 2FA.\"},\"name\":\"Login-Attempts-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"Login-Attempts-Based Authentication Template\",\"authenticationSteps\":2},{\"summary\":\"Prompts 2FA to the users who belongs to any of the given set of roles which are associated to the application.\",\"preRequisites\":[\"Change the rolesList parameter to an array of roles of which users need to enforce 2FA.\",\"Modify the 1st and 2nd factor authentication option(s) from defaults as required.\"],\"helpLink\":\"https://is.docs.wso2.com/en/latest/guides/authentication/conditional-auth/role-based-template/\",\"code\":[\"// This script will step up authentication for any user belonging\",\"// to one of the given roles\",\"// If the user has any of the below roles, authentication will be stepped up\",\"var rolesToStepUp = ['admin', 'manager'];\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" // Extracting authenticated subject from the first step\",\" var user = context.currentKnownSubject;\",\" // Checking if the user is assigned to one of the given roles\",\" var hasRole = hasAnyOfTheRolesV2(context, rolesToStepUp);\",\" if (hasRole) {\",\" Log.info(user.username + ' Has one of Roles: ' + rolesToStepUp.toString());\",\" executeStep(2);\",\" }\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator.\",\"Step 2\":\"Either of TOTP or FIDO\"},\"parametersDescription\":{\"rolesToStepUp\":\"An array of roles of which users need to enforce 2FA.\"},\"name\":\"Role-Based\",\"runtime\":\"new\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\",\"FIDOAuthenticator\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"Role-Based 2FA Template\",\"authenticationSteps\":2},{\"summary\":\"Define conditional authentication by risk score value calculated from ELK.\",\"preRequisites\":[\"Change elasticsearch domain with the port.\",\"Modify the default authentication steps and option(s) as required.\"],\"helpLink\":\"https://is.docs.wso2.com/en/latest/learn/configuring-risk-based-adaptive-authentication/\",\"code\":[\"// Define conditional authentication by risk score value calculated from ELK analytics.\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" var username = context.currentKnownSubject.username;\",\" callElastic({'username': username}, {\",\" onSuccess : function(context, data) {\",\" Log.info('--------------- Received risk score value: ' + data.risk_score);\",\" if (data.risk_score > 0) {\",\" executeStep(2);\",\" }\",\" }, onFail : function(context, data) {\",\" Log.info('--------------- Failed to call ELK');\",\" executeStep(2);\",\" }\",\" });\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\",\"Step 2\":\"TOTP authenticator\"},\"parametersDescription\":{\"duration\":\"[optional] Aggregation time period from current timestamp. (Default: '5m')\",\"riskLogic\":\"[optional] Elastic map script to calculate the summation of values. (Default: 'state.sum.add(doc['amount'].value);')\",\"index\":\"[optional] Elasticsearch index to calculate the risk score. (Default: 'transaction')\",\"threshold\":\"[optional] Threshold summation value to identify as a risk. (Default: '10000')\",\"username\":\"Current login context username.\"},\"name\":\"ELK-Risk-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"totp\"]}},\"category\":\"AdaptiveMFA\",\"title\":\"ELK Risk-Based 2FA Template\",\"authenticationSteps\":2}],\"icon\":\"./images/adaptive-mfa-template.png\",\"order\":2},\"uncategorized\":{\"displayName\":\"Uncategorized\",\"order\":10000},\"AccessControl\":{\"displayName\":\"Access Control\",\"templates\":[{\"summary\":\"Allow login to application if the user's age is over configured value. User's age is calculated using the user's date of birth attribute.\",\"preRequisites\":[\"Change the parameters at the top of the script as needed to match the requirements.\",\"Modify the authentication option(s) from defaults as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Configuring+User-Age-Based+Adaptive+Authentication\",\"code\":[\"// This script will only allow login to application if the user's age is over configured value\",\"// The user will be redirected to an error page if the date of birth is not present or user is below configured value\",\"\",\"var ageLimit = 18;\",\"\",\"// Error page to redirect unauthorized users,\",\"// can be either an absolute url or relative url to server root, or empty/null\",\"// null/empty value will redirect to the default error page\",\"var errorPage = '';\",\"\",\"// Additional query params to be added to the above url.\",\"// Hint: Use i18n keys for error messages\",\"var errorPageParameters = {\",\" 'status': 'Unauthorized',\",\" 'statusMsg': 'You need to be over ' + ageLimit + ' years to login to this application.'\",\"};\",\"\",\"// Date of birth attribute at the client side\",\"var dateOfBirthClaim = 'http://wso2.org/claims/dob';\",\"\",\"// The validator function for DOB. Default validation check if the DOB is in YYYY-MM-dd format\",\"var validateDOB = function (dob) {\",\" return dob.match(/^(\\\\d{4})-(\\\\d{2})-(\\\\d{2})$/);\",\"};\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" var underAge = true;\",\" // Extracting user store domain of authenticated subject from the first step\",\" var dob = context.currentKnownSubject.localClaims[dateOfBirthClaim];\",\" Log.debug('DOB of user ' + context.currentKnownSubject.identifier + ' is : ' + dob);\",\" if (dob && validateDOB(dob)) {\",\" var birthDate = new Date(dob);\",\" if (getAge(birthDate) >= ageLimit) {\",\" underAge = false;\",\" }\",\" }\",\" if (underAge === true) {\",\" Log.debug('User ' + context.currentKnownSubject.identifier + ' is under aged. Hence denied to login.');\",\" sendError(errorPage, errorPageParameters);\",\" }\",\" }\",\" });\",\"};\",\"\",\"var getAge = function(birthDate) {\",\" var today = new Date();\",\" var age = today.getFullYear() - birthDate.getFullYear();\",\" var m = today.getMonth() - birthDate.getMonth();\",\" if (m < 0 || (m === 0 && today.getDate() < birthDate.getDate())) {\",\" age--;\",\" }\",\" return age;\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator\"},\"parametersDescription\":{\"ageLimit\":\"Minimum age required for the user to login to the application\",\"errorPage\":\"Error page to redirect user, if the age limit is below ageLimit\",\"errorPageParameters\":\"Parameters to be passed to the error page\"},\"name\":\"User-Age-Based\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]}},\"category\":\"AccessControl\",\"title\":\"User-Age-Based Authentication Template\",\"authenticationSteps\":1},{\"summary\":\"Prompts session handling to the users who belongs to any of the given set of roles which are associated to the application based on currently active session count.\",\"preRequisites\":[\"Change the rolesList parameter to an array of roles of which users need to prompt for session handling.\",\"Modify the maxSessionCount parameter as required.\"],\"helpLink\":\"https://is.docs.wso2.com/en/latest/guides/authentication/conditional-auth/concurrent-session-based-template/\",\"code\":[\"// This script will prompt concurrent session handling\",\"// to one of the given roles\",\"// If the user has any of the below roles, concurrent session handling will be prompted\",\"// and it will either kill sessions or abort login based on number of active concurrent user sessions\",\"var rolesToStepUp = ['admin', 'manager'];\",\"var maxSessionCount = 1;\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" // Extracting authenticated subject from the first step\",\" var user = context.currentKnownSubject;\",\" // Checking if the user is assigned to one of the given roles\",\" var hasRole = hasAnyOfTheRolesV2(context, rolesToStepUp);\",\"\",\" if (hasRole) {\",\" Log.info(user.username + ' Has one of Roles: ' + rolesToStepUp.toString());\",\" executeStep(2, {\",\" authenticatorParams: {\",\" local: {\",\" SessionExecutor: {\",\" MaxSessionCount: '1'\",\" }\",\" }\",\" }\",\" }, {});\",\" }\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator.\"},\"parametersDescription\":{\"rolesToStepUp\":\"An array of roles of which users should be prompted for session handling.\",\"MaxSessionCount\":\"Maximum number of allowed concurrent sessions for the role which a particular user belongs to.\"},\"name\":\"Session-Based\",\"runtime\":\"new\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]},\"2\":{\"federated\":[],\"local\":[\"SessionExecutor\"]}},\"category\":\"AccessControl\",\"title\":\"Concurrent Session Management Template with Roles\",\"authenticationSteps\":1}],\"icon\":\"./images/access-control-template.png\",\"order\":1},\"PasskeyEnrollment\":{\"displayName\":\"Passkey Enrollment\",\"templates\":[{\"summary\":\"If Passkey is set as a 1st authentication factor and there is a need to enable progressive Passkey enrollment, this adaptive script, along with the relevant connections configurations, should be added.\",\"preRequisites\":[\"Modify the 1st factor authentication option(s) from defaults as required.\"],\"helpLink\":\"https://is.docs.wso2.com/en/7.0.0/guides/authentication/passwordless-login/add-passwordless-login-with-passkey\",\"code\":[\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onFail: function(context) {\",\" var authenticatorStatus = context.request.params.scenario;\",\"\",\" // If it is a passkey progressive enrollment request trigger the following flow.\",\" if (authenticatorStatus != null && authenticatorStatus[0] == 'INIT_FIDO_ENROLL') {\",\" var filteredAuthenticationOptions = filterAuthenticators(context.steps[1].options, 'FIDOAuthenticator');\",\" executeStep(1, {\",\" stepOptions: {\",\" markAsSubjectIdentifierStep: 'true',\",\" markAsSubjectAttributeStep: 'true'\",\" },\",\" authenticationOptions: filteredAuthenticationOptions\",\" }, {\",\" onSuccess: function(context) {\",\" // If user got successfully authenticated \",\" executeStep(1, {\",\" stepOptions: {\",\" forceAuth: 'true'\",\" },\",\" authenticationOptions: [{\",\" authenticator: 'FIDOAuthenticator'\",\" }]\",\" }, {});\",\" },\",\" });\",\" }\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Passkey and Basic (Password) authenticator.\"},\"name\":\"Passkey Progressive Enrollment\",\"runtime\":\"any\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\",\"FIDOAuthenticator\"]}},\"category\":\"PasskeyEnrollment\",\"title\":\"Passkey Progressive Enrollment Template\",\"authenticationSteps\":1}],\"icon\":\"./images/passkey-enrollment-template.png\",\"order\":4},\"UserAttributes\":{\"displayName\":\"User Attributes\",\"templates\":[{\"summary\":\"Office365 integration of WSO2 IS require role based, on-demand user provisioning. Therefore assign a given role specific to office365 for successfully authenticated users if not already assigned, in order to trigger the role based user provisioning.\",\"preRequisites\":[\"Create a new role specific for Office365.\",\"Change the assigningRoles parameter to a single element array with the role specific to office365.\",\"Modify the 1st factor authentication option from defaults as required.\"],\"helpLink\":\"https://docs.wso2.com/display/IS570/Adaptive+Authentication+Scenarios\",\"code\":[\"// This script will assign the below Office365 specific role to any user if not already assigned\",\"var roleToBeAssigned = ['Internal/office365Role'];\",\"\",\"var onLoginRequest = function(context) {\",\" executeStep(1, {\",\" onSuccess: function (context) {\",\" // Extracting authenticated subject from the first step\",\" var user = context.currentKnownSubject;\",\" // Checking if the user is already assigned to the given Office365 specific role\",\" var hasRole = hasAnyOfTheRolesV2(context, roleToBeAssigned);\",\" if (!hasRole) {\",\" Log.info('Assigning role: ' + roleToBeAssigned.toString() + ' for the user:' + user.username);\",\" assignUserRolesV2(context, roleToBeAssigned);\",\" }\",\" }\",\" });\",\"};\"],\"defaultStepsDescription\":{\"Step 1\":\"Basic (Password) authenticator.\"},\"parametersDescription\":{\"roleToBeAssigned\":\"A single element array with a given role specific for Office365.\"},\"name\":\"Update Office365 role\",\"runtime\":\"new\",\"defaultAuthenticators\":{\"1\":{\"federated\":[],\"local\":[\"BasicAuthenticator\"]}},\"category\":\"UserAttributes\",\"title\":\"Office365-Based Authentication Template\",\"authenticationSteps\":1}],\"icon\":\"./images/user-attributes-template.png\",\"order\":3}}" } diff --git a/pom.xml b/pom.xml index 1d251ce523..490fd58cca 100755 --- a/pom.xml +++ b/pom.xml @@ -2242,7 +2242,7 @@ - 5.25.624 + 5.25.626 [5.14.67, 6.0.0]