Invalidating All Sessions for a User in AM Authentication Decision Script

We have a scenario where, based on the username collected in the tree, we intend to invalidate all the sessions associated with the provided username. How can we obtain the SSO token of an administrative user in an authentication decision script? The admin SSO token is needed to invoke the endpoint https://openam.example.com:8443/openam/json/realms/root/sessions/?_action=logoutByHandle to log out all sessions for a given user.

Hi @karannayyar,
You should have a look at this page to know how to get your admin token: Get an access token in a journey :: PingOne Advanced Identity Cloud Docs
regards,
Steph

@karannayyar
If you want to use the cookie of the admin user that is connected, you can also get it with headers.
If you're using a next-gen script it's even easier: you can use the requestCookies documented here: Scripted decision node API :: PingOne Advanced Identity Cloud Docs
regards,
Steph.

@stephane.orluc We don’t have any cookies in the request while initiating a request to the tree. Hence, we are looking to get an admin SSO token (cookie) via the authentication decision script. Is there any binding or method that can be used to retrieve an SSO token? For instance, the CoreWrapper Java class has the getAdminToken method. However, we are unable to utilize the same in a Groovy script for a self-managed ForgeRock Identity Platform.

hi @karannayyar
Then if you don't have a cookie, you should create a scripted node to get a token as described in this page: Get an access token in a journey :: PingOne Advanced Identity Cloud Docs, and then use this AT to call the API, in a similar approach to the one described in this page: Use case: Create dynamically branded journeys in ForgeRock Identity Cloud
Personally, except for really specific tasks that require external Java classes, I try not to use Java.
regards,
Steph.
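The two-call sequence described above (find the user's session handles with an admin token, then POST them to logoutByHandle), as an added example that is not code from this thread or from the AM docs. It assumes the default iPlanetDirectoryPro cookie name, the sessions query endpoint with a `username eq "..."` filter returning `sessionHandle` fields, and an Accept-API-Version pin; the `http` argument is an injected transport so the same logic runs against a constructed stub here and against a small wrapper around the script's httpClient binding in a scripted decision node.

```javascript
// Hypothetical helper: revoke every AM session belonging to one user.
// `http` is ({method, url, headers, body}) => {status, body}, injected by the caller.
const AM_BASE = "https://openam.example.com:8443/openam/json/realms/root";
const SSO_COOKIE = "iPlanetDirectoryPro"; // assumed default AM session cookie name

function amHeaders(adminToken) {
  // Admin SSO token is sent as the session cookie header; API version pin is an assumption.
  return { "Content-Type": "application/json", "Accept-API-Version": "resource=2.1",
           [SSO_COOKIE]: adminToken };
}

function listSessionHandles(username, adminToken, http) {
  // Refuse quotes/backslashes rather than escape them, so the username cannot
  // break out of the query-filter string literal.
  if (/["\\]/.test(username)) throw new Error("unsupported character in username");
  const filter = `username eq "${username}"`;
  const res = http({ method: "GET", headers: amHeaders(adminToken),
                     url: `${AM_BASE}/sessions?_queryFilter=${encodeURIComponent(filter)}` });
  if (res.status !== 200) throw new Error(`session query failed: HTTP ${res.status}`);
  return JSON.parse(res.body).result.map((s) => s.sessionHandle);
}

function logoutUserSessions(username, adminToken, http) {
  const handles = listSessionHandles(username, adminToken, http);
  if (handles.length === 0) return { revoked: 0, handles }; // no sessions: skip the POST
  const res = http({ method: "POST", headers: amHeaders(adminToken),
                     url: `${AM_BASE}/sessions?_action=logoutByHandle`,
                     body: JSON.stringify({ sessionHandles: handles }) });
  if (res.status !== 200) throw new Error(`logoutByHandle failed: HTTP ${res.status}`);
  return { revoked: handles.length, handles };
}

// Constructed stand-in for AM: a fixed session table and the two endpoints above.
const FAKE_SESSIONS = [
  { username: "demo", sessionHandle: "shandle:AAA" },
  { username: "demo", sessionHandle: "shandle:BBB" },
  { username: "alice", sessionHandle: "shandle:CCC" },
];
function fakeAm(req) {
  if (req.method === "GET") {
    const m = decodeURIComponent(req.url).match(/username eq "([^"]*)"/);
    const result = FAKE_SESSIONS.filter((s) => s.username === m[1]);
    return { status: 200, body: JSON.stringify({ result }) };
  }
  const handles = JSON.parse(req.body).sessionHandles;
  return { status: 200, body: JSON.stringify({ result: Object.fromEntries(handles.map((h) => [h, true])) }) };
}
```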

I have had the need to look up all the sessions for a specific user in the past. As opposed to using the RESTful API of AM for the task, I have used an ldapsearch.
For example: ldapsearch -p 50636 -h configds -b "ou=famrecords,ou=openam-session,ou=tokens,dc=openam,dc=forgerock,dc=org" -D "cn=directory manager" -w "Bigsecret!" -s sub -X -Z coreTokenUserId="id=demo,ou=user,dc=openam,dc=forgerock,dc=org" coreTokenObject coreTokenId

Useful??

Of course the response would be parsed for the relevant bits…