Getting Started with Scripting in ForgeRock Identity Cloud: Part 3 - Capturing user login time

Getting Started Guides Scripting
, , , , ,
#1

This is Part 3 of 5 in the series Getting started with Scripting in ForgeRock Identity Cloud.

Capturing user login time using a script ~ 10 minutes

Capturing the login time in a user’s profile upon successful authentication can be useful in many situations. At minimum it can be used to keep track of active vs dormant user accounts in a system.

ForgeRock Identity Cloud has a sample Journey Decision Node script that calculates the current date and time and inserts it into the sharedState. When invoked from a Scripted Decision node in an authentication journey, the script makes the current date and time (effectively the time at which a user authenticates) available in the sharedState, which can then be used by a suitable node later in the journey to update the user’s profile.

Overview

This guide takes you through the following steps:

Creating the last-login-time script in Identity Cloud

  1. In the Identity Cloud Admin UI, go to /alpha > Scripts > Auth Scripts > + New Script.

    gs_scripts_new_script
    gs_scripts_new_script1600×821 168 KB

  2. Select Journey Decision Node and click Next.

    gs_scripts_new_journey_script
    gs_scripts_new_journey_script1066×1410 187 KB

  3. Provide the following details:

    Name: last-login-time
    Description: Script to set last login time in ForgeRock Identity Cloud
    JavaScript: Replace the placeholder code with the code below. You can also find the sample script on ForgeRock GitHub Community repository, here.

       /**
   * @file Script to store the last login time of a user on successful AuthN
   * @version 0.1.0
   * @keywords authN lastLoginTime ISO8601
   * @license
   * DISCLAIMER: The sample code described herein is provided on an "as is" basis, without warranty of any kind, to the fullest extent permitted by law. ForgeRock does not warrant or guarantee the individual success developers may have in implementing the sample code on their development platforms or in production configurations. ForgeRock does not warrant, guarantee or make any representations regarding the use, results of use, accuracy, timeliness or completeness of any data or information relating to the sample code. ForgeRock disclaims all warranties, expressed or implied, and in particular, disclaims all warranties of merchantability, and warranties related to the code, or any service or software related thereto.
   * ForgeRock shall not be liable for any direct, indirect or consequential damages or costs of any type arising out of any action taken by you or others related to the sample code.
   */

  /**
   * Script configuration
  */
  var config = {
      /**
       * @property {string} nodeName - The name of the executing node, used for logging
       * @property {string} lastLoginAttribute - The name of attribute used to the store the last login timestamp of a user
       */
      lastLoginAttribute: "frUnindexedDate1",
      nodeName: "***last-login-time"
  };

  /**
   * Enum Pass or Fail outcomes
   * @readonly
   * @enum {number}
   */
  var nodeOutcome = {
      PASS: "Success"
  };

  /**
   * Add the node info prefix to a log message
   * @param {string} message - the message body
   * @returns a tagged version of the message
   */
   function tag(message) {
      return "***".concat(config.nodeName).concat(": ").concat(message);
  }

  /**
   * Node entry point
   */
  logger.message(tag("Node executing"));
  var dateTime = new Date().toISOString();
  sharedState.get("objectAttributes").put(config.lastLoginAttribute, dateTime);
  logger.message(tag("User object attributes updated to populate " + config.lastLoginAttribute + " with this date: " + dateTime));
  outcome = nodeOutcome.PASS;

    gs_scripts_last_login_script
    gs_scripts_last_login_script1602×1052 141 KB

For reference, important sections of the script are described in the table below:

Code Section

 Description 
var config = { 
        lastLoginAttribute: "frIndexedDate1", 
        nodeName: "***last-login-time"
};
Declares the following two properties:
  • lastLoginAttribute – points to the Identity Cloud IDM attribute identified (frIndexedDate1) to store the last login time of a user
  • nodeName – sets a name for the node (***last-login-time) 
var nodeOutcome = { 
        PASS: "Success" 
};

Declares a property PASS set to a value "Success". This is used to define the outcome of the node later in the code. 

 function tag(message) { 
    return "***".concat(config.nodeName). 
        concat(": ").concat(message); 
} 
logger.message(tag("Node executing"));

Defines a function named tag that concatenates the value of the nodeName config property as a tag to the messages it receives from the logger methods (logger.message) in the code.

e.g: ******last-login-time: Node executing 

var dateTime = new Date().toISOString();

Sets the current date & time in ISO format as value to the variable dateTime. 

sharedState.get("objectAttributes").
put(config.lastLoginAttribute, dateTime); 
logger.message(tag("User object attributes updated"));

Updates the "objectAttributes" in the sharedState to include the lastLoginAttribute property value, set to date & time saved in the dateTime variable.

The Identity Management nodes save the data in shared state in the "objectAttributes" object. An example:

objectAttributes={username=fruser10,givenName=ForgeRock,sn=User10,mail=fruser10@example.com,preferences={marketing=false,updates=false}}

So to access IDM properties saved in shared state, refer to it using the "objectAttributes" object. For example, to access the last name (sn) from the shared state, returned from an Identity Management node, use the following:

var lastName = objectAttributes.get("sn").asString(); 

outcome = nodeOutcome.PASS;
Lastly, the outcome variable is set to a value Success.

Recall, the script outcome can be defined either by using the outcome variable or by using the Action interface. In an earlier example, the outcome was set using the goTo method of the Action interface.

  1. Click Save and Close.

Preparing the attribute in Identity Management (IDM)

  1. In the Identity Cloud Admin UI, go to /alpha > Native Consoles > Identity Management.

    gs_identity_management_menu
    gs_identity_management_menu292×1100 59.1 KB

    The Identity Management admin UI opens in a separate browser tab.

  2. Go to CONFIGURE > MANAGED OBJECTS.

    gs_configure_managed_objects
    gs_configure_managed_objects1600×822 120 KB

  3. Click on Alpha_user Managed Object.

    gs_scripts_alpha_user
    gs_scripts_alpha_user1600×822 134 KB

  4. Scroll down the list of properties to find the frIndexedDate1 property.

    gs_scripts_frindexddate1
    gs_scripts_frindexddate11600×814 166 KB

    Note that this is the IDM property used in the “last-login-time” script to set the last login time of a user. Several such placeholder attributes are present in Identity Cloud, which can be used to store values for custom attributes in a user profile. Some of these attributes are indexed, making it search-friendly, while some are unindexed. The attribute name suggests whether an attribute is indexed or not.

  5. Click on frIndexedDate1 property and change the Readable Title to Last Login Time and click Save.

    gs_scripts_frindexeddate1_config
    gs_scripts_frindexeddate1_config1604×828 96.9 KB

Modifying the Login journey in Identity Cloud

  1. In the Identity Cloud Admin UI, go to /alpha > Journeys.

  2. Duplicate the Login journey by using the Login > > Duplicate option.

  3. Use the information below as a reference to complete the Duplicate Journey form:

    Name: Login with script sample
    Identity Object: Alpha realm - Users managed/alpha_user
    Description: Login that uses a Scripted Decision Node to capture last login time

  4. Click Save.

  5. Drag the Scripted Decision (Utilities) node on to the Login with script sample journey.

  6. Select the Scripted Decision node.

  7. Under Script drop down, choose the script “last-login-time” script you created earlier.

    gs_scripts_scripted_decision_last_login
    gs_scripts_scripted_decision_last_login424×970 56.1 KB

  8. In Outcomes, type Success and hit enter.

    gs_scripts_scripted_decision_outcomes
    gs_scripts_scripted_decision_outcomes428×896 50.1 KB

    Notice that the Scripted Decision node now has an outcome that can be connected to other nodes in the journey. Also, give the node a more meaningful name, say “Last Login Time”.

  9. Drag the Patch Object (Identity Management) node onto the canvas.

  10. Select the Patch Object node and change the value of Identity Resource property to managed/alpha_user.

    gs_scripts_patch_object

  11. Connect the nodes as shown in the following screenshot and click Save.

    gs_scripts_flast_login_journey
    gs_scripts_flast_login_journey1600×739 114 KB

Testing the journey

  1. In the top right corner of the journey edit page, copy the journey preview URL.

    gs_scripts_last_login_journey_preview
    gs_scripts_last_login_journey_preview1604×834 114 KB

  2. In a supported browser, different from the one that has an active Identity Cloud admin session, paste and go to the Login with script sample journey preview URL.

    The Sign In screen appears.

  3. Log in using one of the Identity Cloud user credentials (say, fruser10).

    The user is logged into the end user dashboard.

  4. Click Edit Your Profile.

  5. Click Edit Personal Info.

  6. Scroll down to see the updated Last Login Time field.

    gs_scripts_lat_login_time_field
    gs_scripts_lat_login_time_field1604×822 126 KB

    1. Log out of the end user session.

Further reading

Other guides in the Getting started with Scripting in ForgeRock Identity Cloud series:

Other useful links:

Please provide us your feedback on this guide.

1 Like