* Update deploy-github.ps1 Lowered minimum version to publish GitHub release. * ✨🚩UPDATE New-IDSession Adds SAML authentication support when a SAML assertion from an external IdP is provided * Update CHANGELOG.md
Showing
11 changed files
with
539 additions
and
45 deletions.
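--- /dev/null
+++ b/Complete-SamlAuthentication.ps1
@@ -0,0 +1,60 @@
+Function Complete-SamlAuthentication {
+<#
+.SYNOPSIS
+Completes a saml authentication request
+.DESCRIPTION
+Complete the SAML authentication session against CyberArk Identity.
+This request utilizes the cookies returned after Start-SamlAuthentication.
+The CyberArk ISPSS tenant should respond and set additional cookies that are used for subsequent authentication.
+.PARAMETER LogonRequest
+The LogonRequest created via New-IDSession
+.EXAMPLE
+$LogonRequest | Complete-SamlAuthentication
+Complete the SAML authentication process, started by Start-SamlAuthentication.
+.NOTES
+Pete Maan 2023
+#>
+
+[CmdletBinding(SupportsShouldProcess)]
+param(
+[parameter(
+Mandatory = $true,
+ValueFromPipeline = $true
+)]
+[ValidateNotNullOrEmpty()]
+[hashtable]$LogonRequest
+)
+
+process {
+
+#Setup request. This command will return html, so supress output/html error detection
+$Script:ExpectHtml = $true
+$LogonRequest['Method'] = 'GET'
+$LogonRequest['Uri'] = "$Script:tenant_url/login"
+
+if ($PSCmdlet.ShouldProcess($Script:tenant_url, 'Send Assertion')) {
+
+try {
+
+#Perform Start Authentication
+$IDSession = Invoke-IDRestMethod @LogonRequest
+
+#Output IDSession
+$IDSession
+
+} catch { throw $PSItem }
+
+}
+
+$Script:ExpectHtml = $false
+#TODO: Check if sucesful auth or error
+
+}
+
+}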
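Review bot: The GET to `/login` is sent with whatever `$LogonRequest` already holds, and when the same hashtable instance that Start-SamlAuthentication mutated is piped in (as the example does) that still includes `Body = @{ SAMLResponse = ... }` and the form `ContentType`; Invoke-RestMethod appends a hashtable body to the URI as a query string on GET, so the assertion would presumably end up in the URL where proxies and server logs capture it — this depends on how Invoke-IDRestMethod, defined outside this file, forwards `Body`. Drop the stale keys before the call: `$LogonRequest.Remove('Body')` and `$LogonRequest.Remove('ContentType')`. `$Script:ExpectHtml` is also left at `$true` when Invoke-IDRestMethod throws, because `catch { throw $PSItem }` exits before the reset that follows the `if` block; moving `$Script:ExpectHtml = $false` into a `finally` keeps HTML error detection enabled for later calls. The ShouldProcess text `'Send Assertion'` describes a request this function does not make (`'Complete SAML logon'` would be accurate), and the TODO about detecting a failed logon is still open, so an error page is currently emitted as `$IDSession`.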
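--- /dev/null
+++ b/Start-SamlAuthentication.ps1
@@ -0,0 +1,78 @@
+Function Start-SamlAuthentication {
+<#
+.SYNOPSIS
+Starts SAML user authentication
+.DESCRIPTION
+Start SAML user authentication against CyberArk Identity.
+When the user wants to authenticate to CyberArk Identity providing a SAML Response.
+Successful response should contain the following cookies: .ASPXAUTH, antixss, CCSID, podloc, sessdata, userdata
+Returned cookies will be saved in the WebSession object used by the module for future operations.
+.PARAMETER LogonRequest
+The LogonRequest created via New-IDSession
+.PARAMETER SAMLResponse
+Credential object containing username and password required to authenticate to CyberArk Identity.
+.EXAMPLE
+$LogonRequest | Start-SamlAuthentication SAMLResponse $SAMLResponse
+Start the SAML authentication process using the specified SAMLResponse.
+.NOTES
+Pete Maan 2023
+#>
+
+[CmdletBinding(SupportsShouldProcess)]
+param(
+[parameter(
+Mandatory = $true,
+ValueFromPipeline = $true
+)]
+[ValidateNotNullOrEmpty()]
+[hashtable]$LogonRequest,
+
+#SAML Assertion
+[Parameter(
+Mandatory = $true,
+ValueFromPipelinebyPropertyName = $true
+)]
+[ValidateNotNullOrEmpty()]
+[string]$SAMLResponse
+)
+
+process {
+
+#Setup request. This command will return html, so supress output/html error detection
+$Script:ExpectHtml = $true
+$LogonRequest['ContentType'] = 'application/x-www-form-urlencoded'
+$LogonRequest['Uri'] = "$Script:tenant_url/my"
+
+$LogonRequest['Body'] = @{
+
+SAMLResponse = $SAMLResponse
+
+}
+
+if ($PSCmdlet.ShouldProcess($Script:tenant_url, 'Send SAML Assertion')) {
+
+try {
+
+#Perform Start Authentication
+$IDSession = Invoke-IDRestMethod @LogonRequest
+
+#Output IDSession
+$IDSession
+
+} catch { throw $PSItem }
+
+}
+
+$Script:ExpectHtml = $false
+#TODO: Check for expected cookies
+
+}
+
+}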
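Review bot: `$Script:ExpectHtml` stays `$true` if Invoke-IDRestMethod throws, because `catch { throw $PSItem }` leaves the function before the reset that follows the `if` block, so HTML error detection is suppressed for every later call in the module; wrap the call as `try { ... } finally { $Script:ExpectHtml = $false }`. The `#TODO: Check for expected cookies` is a security gap rather than a nicety: a rejected or expired assertion that comes back as an HTML page is still emitted as `$IDSession`, so a caller cannot distinguish a failed SAML logon from a successful one — at minimum confirm that `.ASPXAUTH` (the success marker the help text itself lists) is present in the module's web session and throw otherwise. The `.PARAMETER SAMLResponse` help text was copied from a credential parameter; it should read `The base64-encoded SAMLResponse produced by the external IdP, posted as the form body.`, and the example is missing the dash on `-SAMLResponse $SAMLResponse`. No `Method` is set here, so the POST presumably comes from the `$LogonRequest` built by New-IDSession; a one-line comment stating that assumption would help the next maintainer.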