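/// <summary>
/// Password-migration endpoint. Reads a username/password pair from the request, verifies it
/// against LDAP and then either copies the password into the existing Okta user (when the
/// profile flag IsPasswordInOkta is empty or "false") or creates and activates a new Okta user
/// from the LDAP profile. Always answers with a JSON-serialised <see cref="PswMigrationResponse"/>.
/// </summary>
/// <remarks>
/// NOTE(review): no [HttpPost] / [ValidateAntiForgeryToken] / [Authorize] attribute is visible on
/// this action, and <c>Request[...]</c> also reads the query string and cookies, so credentials may
/// arrive in a URL and end up in server/proxy logs. Because the LDAP bind happens for any caller,
/// the action is also an unauthenticated credential-guessing oracle — confirm it is POST-only and
/// rate-limited. NOTE(review): the response carries the Okta id and login even when the password
/// was rejected ("LDAP validation failed"), which is a user-enumeration signal; the response shape
/// is kept because callers appear to depend on it.
/// Two defects are fixed: the "set password failed" branch wrote IsPasswordInOkta="true" (so the
/// LDAP path would never be retried), and the create path wrote the flag to an object other than
/// the one sent to Okta.
/// </remarks>
public ActionResult ValidateUser()
{
    PswMigrationResponse pswMigrationRsp = new PswMigrationResponse();

    // Request[] searches QueryString, Form, Cookies and ServerVariables, in that order.
    string username = Request["username"];
    string password = Request["password"];

    LdapServiceModel ldapServiceModel = new LdapServiceModel();
    ldapServiceModel.ldapServer = appSettings["ldap.server"];
    ldapServiceModel.ldapPort = appSettings["ldap.port"];
    ldapServiceModel.baseDn = appSettings["ldap.baseDn"];

    // Look the user up in Okta first; a missing user routes to the create path.
    CustomUser oktaUser = null;
    try
    {
        oktaUser = _oktaUserMgmt.GetCustomUser(username);
    }
    catch (OktaException)
    {
        // Kept from the original: every OktaException (not only "not found") is treated as
        // "user absent" and falls through to the create path, where AddCustomUser is expected
        // to fail for a user that really exists. Consider checking ex.ErrorCode here.
    }

    if (oktaUser != null)
    {
        MigrateExistingUser(oktaUser, username, password, ldapServiceModel, pswMigrationRsp);
    }
    else
    {
        CreateUserFromLdap(username, password, ldapServiceModel, pswMigrationRsp);
    }

    return Content(content: JsonConvert.SerializeObject(pswMigrationRsp), contentType: "application/json");
}

/// <summary>
/// Existing Okta user: when the password has not been migrated yet, verify it against LDAP and
/// push it into Okta, then record the outcome both on the profile flag and in <paramref name="rsp"/>.
/// </summary>
private void MigrateExistingUser(CustomUser oktaUser, string username, string password,
                                 LdapServiceModel ldapServiceModel, PswMigrationResponse rsp)
{
    // Flag is a string on the custom profile: empty or "false" means "still on LDAP".
    bool passwordAlreadyInOkta =
        !string.IsNullOrEmpty(oktaUser.Profile.IsPasswordInOkta)
        && oktaUser.Profile.IsPasswordInOkta != "false";

    if (passwordAlreadyInOkta)
    {
        // Nothing to migrate; report the current Okta status.
        rsp.status = oktaUser.Status;
        rsp.isPasswordInOkta = "true";
    }
    else if (!_credAuthentication.IsAuthenticated(username, password, ldapServiceModel))
    {
        // LDAP bind with the supplied credentials failed.
        rsp.status = "LDAP validation failed";
        rsp.isPasswordInOkta = "false";
    }
    else if (_oktaUserMgmt.SetUserPassword(oktaUser.Id, password))
    {
        oktaUser.Profile.IsPasswordInOkta = "true";
        rsp.status = "set password in Okta successful";
        rsp.isPasswordInOkta = _oktaUserMgmt.UpdateCustomUserAttributesOnly(oktaUser) ? "true" : "unknown";
    }
    else
    {
        // BUG FIX: the original stored "true" here although SetUserPassword failed, which would
        // make every later call skip the LDAP path and leave the user with no usable Okta
        // password. Record the real state so the migration can be retried.
        oktaUser.Profile.IsPasswordInOkta = "false";
        rsp.status = "set password in Okta failed";
        rsp.isPasswordInOkta = _oktaUserMgmt.UpdateCustomUserAttributesOnly(oktaUser) ? "false" : "unknown";
    }

    rsp.oktaId = oktaUser.Id;
    rsp.login = oktaUser.Profile.Login;
}

/// <summary>
/// User not found in Okta: authenticate against LDAP, build an Okta user from the LDAP profile
/// with the supplied password, create and activate it, and mark the password as migrated.
/// <paramref name="rsp"/> starts out as "not created" and is only upgraded on full success.
/// </summary>
private void CreateUserFromLdap(string username, string password,
                                LdapServiceModel ldapServiceModel, PswMigrationResponse rsp)
{
    // Default outcome for every failure path.
    rsp.oktaId = "none";
    rsp.login = "******";
    rsp.status = "User NOT Created in Okta";
    rsp.isPasswordInOkta = "false";

    // Returns null when the LDAP bind fails or no profile can be built.
    CustomUser ldapUser = _credAuthentication.IsCreated(username, password, ldapServiceModel);
    if (ldapUser == null)
    {
        return;
    }

    ldapUser.Profile.Login = username + _userdomain;
    Okta.Core.Models.Password pswd = new Okta.Core.Models.Password();
    pswd.Value = password;
    ldapUser.Credentials.Password = pswd;

    // rspAddCustomUser is not declared in this method in the original, so it is a class member;
    // it is still assigned here in case something else reads it. TODO confirm and make it local.
    rspAddCustomUser = _oktaUserMgmt.AddCustomUser(ldapUser);
    if (rspAddCustomUser == null)
    {
        return;
    }

    // The activation link is not used: the flow collects the password itself.
    Uri activationLink;
    if (!_oktaUserMgmt.ActivateUser(rspAddCustomUser, out activationLink))
    {
        return;
    }

    // BUG FIX: the original set the flag on ldapUser but sent rspAddCustomUser to Okta, so the
    // flag never reached the directory unless both were the same instance. Set it on the object
    // that is actually written (and on ldapUser for parity with the old code).
    ldapUser.Profile.IsPasswordInOkta = "true";
    rspAddCustomUser.Profile.IsPasswordInOkta = "true";
    bool flagUpdated = _oktaUserMgmt.UpdateCustomUserAttributesOnly(rspAddCustomUser);

    rsp.oktaId = rspAddCustomUser.Id;
    rsp.login = rspAddCustomUser.Profile.Login;
    rsp.status = "Created in Okta";
    rsp.isPasswordInOkta = flagUpdated ? "true" : "unknown";
}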
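/// <summary>
/// Second step of the branded activation flow. The user arrives from the e-mail link with a
/// one-time activation passcode (<paramref name="recoveryToken"/>) and the Okta id of a STAGED
/// user. The passcode is compared with the value stored on the user's custom profile; if it
/// matches and the configured expiry window (custom.ActivationExpire_hours) has not elapsed,
/// the user is activated in Okta and the flow continues to GetPassword. Every failure redirects
/// to Home/Index with the same generic message.
/// </summary>
/// <param name="recoveryToken">Passcode from the e-mail link; falls back to TempData["recoveryToken"].</param>
/// <param name="oktaId">Okta id of the user being activated.</param>
/// <remarks>
/// Security-motivated changes versus the previous version:
/// - The stored passcode is consumed only after a successful match. Previously it was wiped
///   before the comparison, so anyone who knew (or guessed) an oktaId could invalidate a
///   legitimate activation link with one unauthenticated request. NOTE(review): brute-force
///   resistance now rests on the passcode's entropy, the expiry window and upstream rate
///   limiting — confirm all three.
/// - The comparison is fixed-time (see <see cref="FixedTimeEquals"/>).
/// - An Okta lookup failure is handled instead of surfacing as an unhandled exception.
/// - The submitted token value is no longer written to the log.
/// - The elapsed time is no longer rounded to whole hours before the expiry check, and an
///   unparseable activation_setDate fails closed instead of throwing.
/// </remarks>
public ActionResult VerifyActivate(string recoveryToken, string oktaId)
{
    logger.Debug("VerifyActivate ");

    if (string.IsNullOrEmpty(recoveryToken) && TempData["recoveryToken"] != null)
    {
        recoveryToken = TempData["recoveryToken"].ToString();
    }

    // Carry relayState, stateToken and userName across the redirects via TempData.
    string relayState = Request["relayState"];
    if (string.IsNullOrEmpty(relayState) && Request.QueryString["RelayState"] != null)
    {
        relayState = Request.QueryString["RelayState"];
    }
    else if (string.IsNullOrEmpty(relayState) && TempData["relayState"] != null)
    {
        relayState = (string)TempData["relayState"];
    }
    TempData["relayState"] = relayState;

    string stateToken = Request["stateToken"];
    if (string.IsNullOrEmpty(stateToken) && TempData["stateToken"] != null)
    {
        stateToken = TempData["stateToken"].ToString();
    }
    TempData["stateToken"] = stateToken;

    string userName = Request["userName"];
    if (string.IsNullOrEmpty(userName) && TempData["userName"] != null)
    {
        userName = TempData["userName"].ToString();
    }
    TempData["userName"] = userName;

    // One generic message for every failure so the page does not reveal which check failed.
    string tokenFailedErrorMessage =
        "We could not activate your account at this time. " +
        "Please try clicking the link in your email again " +
        "or contact the service center via the information at the bottom of the page.";

    if (string.IsNullOrEmpty(recoveryToken) || string.IsNullOrEmpty(oktaId))
    {
        logger.Error("Cannot Validate Token: token or locator missing, locator: " + oktaId);
        TempData["errMessage"] = tokenFailedErrorMessage;
        return RedirectToAction("Index", "Home");
    }

    // Org-level API client; only the users client is needed for Activate.
    OktaClient oktaClient = new OktaClient(MvcApplication.apiToken, MvcApplication.apiUrl);
    UsersClient usersClient = oktaClient.GetUsersClient();

    // Fetch the custom profile that holds the stored passcode and its issue time.
    CustomUser customUser = null;
    try
    {
        customUser = oktaUserMgmt.GetCustomUser(oktaId);
    }
    catch (OktaException ex)
    {
        logger.Error("Cannot look up user for locator " + oktaId + ": " + ex.ErrorCode + ":" + ex.ErrorSummary);
    }
    if (customUser == null)
    {
        TempData["errMessage"] = tokenFailedErrorMessage;
        return RedirectToAction("Index", "Home");
    }

    // Only a STAGED user may be activated through this path.
    if (customUser.Status != "STAGED")
    {
        logger.Error("Token validation is not appropriate for current user state " + customUser.Status);
        TempData["errMessage"] = tokenFailedErrorMessage;
        return RedirectToAction("Index", "Home");
    }

    string activation_passCode = customUser.Profile.activation_passCode;
    string activation_setDate = customUser.Profile.activation_setDate;
    if (string.IsNullOrEmpty(activation_passCode) || string.IsNullOrEmpty(activation_setDate))
    {
        logger.Error("Token validation information is not available");
        TempData["errMessage"] = tokenFailedErrorMessage;
        return RedirectToAction("Index", "Home");
    }

    // Fixed-time match; the submitted value is deliberately not logged.
    if (!FixedTimeEquals(activation_passCode, recoveryToken))
    {
        logger.Error("Cannot Validate Token for locator: " + oktaId);
        TempData["errMessage"] = tokenFailedErrorMessage;
        return RedirectToAction("Index", "Home");
    }

    // Matched: consume the one-time passcode before anything else can succeed.
    customUser.Profile.activation_passCode = "";
    customUser.Profile.activation_setDate = "";
    if (!oktaUserMgmt.UpdateCustomUserAttributesOnly(customUser))
    {
        logger.Error("Unable to Set User Custom Profile to reset activation passCode: " + customUser.Profile.Email);
        TempData["errMessage"] = tokenFailedErrorMessage;
        return RedirectToAction("Index", "Home");
    }

    // Expiry. DateTime.Now / current-culture parsing are kept to match whatever wrote
    // activation_setDate. NOTE(review): if the writer stores UTC or a fixed format, change
    // both sides together; a future-dated value currently counts as "not expired".
    DateTime setTime;
    if (!DateTime.TryParse(activation_setDate, out setTime))
    {
        logger.Error("Token set date could not be parsed for locator: " + oktaId);
        TempData["errMessage"] = tokenFailedErrorMessage;
        return RedirectToAction("Index", "Home");
    }
    long authExpiryHours = Convert.ToInt32(appSettings["custom.ActivationExpire_hours"]);
    TimeSpan elapsed = DateTime.Now.Subtract(setTime);
    if (elapsed >= TimeSpan.FromHours(authExpiryHours))
    {
        logger.Debug("Token is correct, but has exceeded time limit " + appSettings["custom.ActivationExpire_hours"] + " hours");
        TempData["errMessage"] = tokenFailedErrorMessage;
        return RedirectToAction("Index", "Home");
    }

    // Transition the account from STAGED to PROVISIONED. sendEmail:false because the Okta
    // activation e-mail cannot be branded; the password is collected by GetPassword instead.
    User oktaUser = new User();
    oktaUser.Id = oktaId;
    try
    {
        usersClient.Activate(oktaUser, sendEmail: false);
    }
    catch (OktaException ex)
    {
        if (ex.ErrorCode == "E0000001")
        {
            logger.Error("Api Valiadation Failed: " + userName);
        }
        else
        {
            logger.Error(userName + " = " + ex.ErrorCode + ":" + ex.ErrorSummary);
        }
        TempData["errMessage"] = tokenFailedErrorMessage;
        return RedirectToAction("Index", "Home");
    }

    logger.Debug("Token Validated Successfully proceed to create password");
    return RedirectToAction("GetPassword");
}

/// <summary>
/// Compares two strings in time that depends only on their lengths, not on the position of the
/// first differing character, so the activation passcode cannot be recovered by timing. Null is
/// treated as the empty string. A local helper is used because
/// CryptographicOperations.FixedTimeEquals is not available on the .NET Framework that
/// System.Web MVC targets.
/// </summary>
private static bool FixedTimeEquals(string expected, string actual)
{
    expected = expected ?? string.Empty;
    actual = actual ?? string.Empty;

    // A length mismatch is folded into the result rather than returned early.
    int diff = expected.Length ^ actual.Length;
    int len = Math.Min(expected.Length, actual.Length);
    for (int i = 0; i < len; i++)
    {
        diff |= expected[i] ^ actual[i];
    }
    return diff == 0;
}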