Introduction
Safewhere Identify has many scripting extension points where you can add custom business logic to the Identify runtime pipeline using C# scripts. Problems arise when you have many resources, e.g. multiple connections, and you need to configure the same script for all of them. As a consequence, if you want to make a small change to your script, you need to update it for every connection.
The Scripting library is a new way to manage your scripts. You define your scripts on the Scripting library page and, to use one, you add its name to a scripting setting. The new scripting library feature works very much like Scripting claims transformation.
Please note that the scripting library does not yet support all scripting features. We will make sure that they are supported in coming versions.
Script library menu
A script has the following properties:
- Name: the name of the script.
- Script type: please see the Script types section.
- Script: a script is written in C# and is compiled against .NET Framework 4.8.
- Additional assembly references: please see the Additional assembly references section.
- Additional namespaces: please see the Additional namespaces section.
- Validation: when saving a script, the system validates that the script has correct syntax and structure, and then tries to compile it.
Script types
There are 7 script types supported in this version:
Validate authentication context class that is sent via an AuthnRequest from this Service Provider
You can use a script of this type to customize validation of an authentication context class that is sent via an AuthnRequest from a service provider.
Validate authentication context class that is returned from this Identity Provider
You can use a script of this type to customize validation of an authentication context class that is returned from an identity provider.
Customize step-up behavior
You can use a script of this type to customize the step-up behavior of a SAML service provider.
Map a requested authentication context class to a value that will be sent to this Identity Provider
You can use a script of this type to customize authentication context class mapping from a value sent by a service provider to a value that will be sent to an identity provider. The script is configured on the identity provider.
Select what Identity Providers that this Service Provider can use
You can use a script of this type to specify which identity providers a service provider can use. This script overrides the default behavior, which uses the connection dependency list.
Claims transformations
This script type is similar to the existing Scripting claims transformation but has more advanced features such as additional namespaces and references. After defining a script, you can use it for a Scripting claims transformation.
Customize second factor authentication
You can use a script of this type to customize the second factor policy of an identity provider.
Syntax
To reference a script defined in the Script library, use the following syntax:
UseScriptLibrary::{name-of-your-script-library}
For example:
UseScriptLibrary::CustomizeClaimsTransformation
Note that you cannot append more code after UseScriptLibrary::{name-of-your-script-library}, because Identify treats everything after the "::" portion as part of the script name.
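The following is an added illustration, not Identify's own code: a small Python model of how a scripting setting value could be resolved against the Script library, showing why any text after the "::" portion makes the lookup fail. It assumes an exact prefix match, exact (untrimmed, case-sensitive) name comparison, and a constructed sample library; Identify's real resolution logic may differ.

```python
# Added example: model of resolving a scripting setting against a Script library.
# Assumptions (not taken from Identify): exact prefix match, exact name comparison,
# and a library represented as a name -> script-text mapping.
from dataclasses import dataclass
from typing import Dict, Optional

PREFIX = "UseScriptLibrary::"

# Constructed sample library: two scripts as if defined on the Script library page.
SAMPLE_LIBRARY: Dict[str, str] = {
    "CustomizeClaimsTransformation": "// C# script body stored in the library",
    "SelectIdentityProviders": "// another C# script body stored in the library",
}


@dataclass(frozen=True)
class Resolution:
    kind: str                     # "inline", "library" or "error"
    name: Optional[str] = None    # referenced library name, if a reference was used
    script: Optional[str] = None  # script text to compile, when resolution succeeded
    reason: Optional[str] = None  # diagnostic, when kind == "error"


def resolve_scripting_setting(setting: str, library: Dict[str, str]) -> Resolution:
    """Return the script text a scripting setting resolves to, or a diagnostic."""
    if not setting.startswith(PREFIX):
        # No reference: the setting value itself is the inline script.
        return Resolution(kind="inline", script=setting)
    # Everything after "::" is taken verbatim as the script name.
    name = setting[len(PREFIX):]
    if name in library:
        return Resolution(kind="library", name=name, script=library[name])
    # Common mistake: a valid name with code appended. The whole tail is the
    # name, so the lookup fails; point at the name that would have matched.
    for known in library:
        if name.startswith(known):
            return Resolution(kind="error", name=name,
                              reason=f"no script named {name!r}; text after "
                                     f"{known!r} is part of the name, not code")
    return Resolution(kind="error", name=name,
                      reason=f"no script named {name!r} in the Script library")
```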
Additional assembly references
Normal scripting features have a fixed set of referenced assemblies. With the Script library, you can add references to additional assemblies. Note that your custom assemblies must exist either in the [your tenant folder]\Admin\bin and [your tenant folder]\Runtime\bin folders or in the GAC.
Warning: due to Identify's caching mechanism, changing the Additional assembly references setting alone does not force a cache reload on the Identify runtime. To force a cache reload, add a space character at the end of the script and save.
Syntax:
name-of-the-file.dll
For example:
Safewhere.External.dll
Additional namespaces
Warning: due to Identify's caching mechanism, changing the Additional assembly references setting alone does not force a cache reload on the Identify runtime. To force a cache reload, add a space character at the end of the script and save.
Like additional references, you can also specify additional namespaces for your scripts.
Syntax:
using {your-additional-namespace};
For example:
using System.Collections;
Some very common .NET namespaces and Identify's own namespaces are already added by default. You can find the list below:
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Reflection;
using System.Security.Claims;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Xml;
using System.IO;
using System.IdentityModel;
using System.IdentityModel.Tokens;
using Safewhere.ModelFoundation.Kernel;
using Safewhere.ModelFoundation.Kernel.CommonLogging;
using Safewhere.ServiceProvider.Xml.RequestTypes;
using Safewhere.IdentityProviderModel;
using Safewhere.IdentityProviderModel.ContextualClaimTransformation;
using Safewhere.IdentityProviderModel.Claims;
using Safewhere.IdentityProviderModel.PolicyScript;
using Safewhere.IdentityProviderModel.SessionState;
using Safewhere.IdentityProvider.RuntimeModel;
using Safewhere.IdentityProvider.Saml2.Authentication;
using Safewhere.IdentityProvider.Saml2.Protocol;
using Safewhere.IdentityProvider.Saml2;
using Safewhere.IdentityModel.Core;
using Safewhere.ServiceProvider.ServiceProviderConstants;
using Safewhere.IdentityProvider.Otp;
using Safewhere.IdentityProviderModel.DomainEvent;
Delete a script library that is in use
You cannot delete a script library that is currently in use: