EyalSperling (Customer) asked a question.

Accessing Request Forms from an External Connection

I need assistance in defining or understanding the following scenario:

An enterprise user is required to access an existing form in the RSA IG&L system via a link that appears in an email or on another website. According to the documentation in the guide (under the FormToken section), it is necessary to provide the sessionToken of the user who performed the login.

 

From the guide/manual:

***

RSA Governance & Lifecycle lets you access request forms from an external website or program through a Single Sign-On (SSO) portal. You access the form by issuing a command that must include three and an optional fourth items.

 

formName – Request form name. Get the form name using the findForms command (documented in Web Services).

token – LoggedIn user token value retrieved from the Web Services loginUser command.

prevURL – URL needs to be re-directed on click of Cancel/Close button (It should be encoded by Base64 bit algorithm).

Oid (optional) – Object ID that is associated with the request form (Example: Application/Directory/DataResource etc.)

To access the SSO portal, you have to get the token using the RSA Governance & Lifecycle Web Services API. See the loginUser command in Web Services, by going to Admin > Web Services.

 

To call the form, you must also know the title of the request form. See the findForms command in Web Services, by going to Admin > Web Services.

 

External request form URL example:

 

http://<ip>:<port>/aveksa/externalform?formName=<Value>&Oid=<Value>&token=<Value>&prevURL=<Value>

***

 

 

The RSA IG&L system is configured to work with SSO. How, in this entire process, is the sessionToken obtained?

 

As I understand it, calling the LoginUser WebService requires providing the user’s password as part of the API request.

 

I would appreciate help in understanding or guidance on how this process is supposed to work.

 

Regards

Eyal 
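The external form URL format quoted from the guide above, built programmatically. This is an added example, not part of the original thread or of RSA's documentation. It assumes standard-alphabet Base64 for prevURL (the guide does not name the variant), and the host, token, and helper names are constructed placeholders.

```python
import base64
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit


def build_external_form_url(base, form_name, token, prev_url, oid=None):
    """Build the externalform link from the guide's parameters.

    base is scheme://host:port of the G&L server (placeholder in this example).
    """
    # Guide: prevURL must be Base64-encoded. Standard alphabet is an assumption.
    prev_b64 = base64.b64encode(prev_url.encode("utf-8")).decode("ascii")
    params = [("formName", form_name)]
    if oid is not None:
        params.append(("Oid", oid))  # optional fourth item
    params += [("token", token), ("prevURL", prev_b64)]
    # Percent-encode every value: Base64 output can contain '+', '/' and '=',
    # and an unencoded '+' in a query string is read back as a space.
    query = urlencode(params, quote_via=quote)
    return f"{base.rstrip('/')}/aveksa/externalform?{query}"


def decode_prev_url(link):
    """Recover the Cancel/Close redirect target from a built link."""
    params = dict(parse_qsl(urlsplit(link).query))
    return base64.b64decode(params["prevURL"]).decode("utf-8")


def redact_token(link):
    """Copy of the link that is safe to log: the token value is masked."""
    parts = urlsplit(link)
    masked = [(k, "REDACTED" if k == "token" else v)
              for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(masked, quote_via=quote)))


if __name__ == "__main__":
    # Constructed sample values; a real token comes from loginUser.
    url = build_external_form_url(
        "https://gl.example.com:8443", "Access Request Form",
        "CONSTRUCTED-TOKEN-123", "https://portal.example.com/home?tab=requests",
        oid="42")
    print(redact_token(url))
    print(decode_prev_url(url))
```

Because the token travels as a query parameter, it is recorded wherever the full URL is logged or stored; `redact_token` is for writing the link to application logs without the session value.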


  • From a technical perspective, to acquire a token you can leverage SSO User Header.

     

    Disclaimer: I never used it, so everything that I say needs to be validated.

     

    From what I understand, you will be able to send a header (with a certain value) which will be accepted by G&L and in response G&L will provide a token.

    You will need to code a class (ValidatorClass) for G&L to check the value which was sent in the header.


    externalForm is also something I've never used before. I suggest you start by testing the basics.

    Issue a token via a standard loginUser API.

    Use this token and call the form in the format you specified - http://<ip>:<port>/aveksa/externalform?formName=<Value>&Oid=<Value>&token=<Value>&prevURL=<Value>

    See if this works as expected.

  • EyalSperling (Customer)

    Hi

     

    If I log into the system via the LoginUser API in a development environment (using a tool like Postman, etc.), receive a LoginToken, and then access the URL as described in the documentation—it will work.

     

    However, in production environments (at least with the clients I work with), the Authentication Source is typically restricted to SAML/SSO only. In such cases, the LoginUser API cannot be invoked at all, even through external API tools.

     

    My requirement is to achieve a user experience similar to what a user gets when performing an approval task: a link in an email that brings them directly to the change request or, in our case, directly to the form. Currently, I don't see a way to implement this using the service the system provides (external forms).

     

    Is there another way to enable direct access to the form via a link?

     

    I would be happy to hear any additional ideas

     

    Regards

    Eyal 

    • you wrote: "and then access the URL as described in the documentation—it will work"

       

      Did you check it and it works (using externalForm)? Or do you assume it will work?

      I tried in my env and encountered an error.

      If you try and encounter an error as well, please open a support case.

       

      Customers will continue to use SAML to login via a browser.

       

      You will need to acquire somehow user's token and then pass it in externalForm. That's why I mentioned SSO User Header. You will need to add it to the authentication methods. It doesn't replace SAML SSO.

       

      As far as I know, access to forms is different than accessing a change request (with a static URL). Not sure if there is an alternative.

  • EyalSperling (Customer)

    Hi,

    Regarding the part about obtaining the Token and accessing the form via ExternalForms—the answer is yes, it worked for me.

     

    However, as mentioned, I still have two main issues:

    First: It is impossible to generate a Token when the system is configured for SAML/SSO only.

    Second: How to actually construct the URL "on the fly."

     

    Currently, the ExternalForms approach doesn't seem to meet my needs due to the constraints mentioned.

     

    • As I've suggested in my previous reply, you can't acquire a token (over API) with SAML SSO authentication method.

      You will need to configure SSO User Header type and use it to acquire a token via API.

      What do you mean "on the fly"? How will the users access this form? Do you plan to send an email, and you expect the users to click on the link to open the form? Or will the users access the form in another way?

       

      Can you describe the use case which you are trying to accomplish?
