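        /// <summary>
        /// Password-migration endpoint. Binds the received username/password against LDAP and,
        /// when they validate, sets the same password on the matching Okta user; when the user
        /// does not exist in Okta yet, creates and activates it from the LDAP profile.
        /// </summary>
        /// <returns>
        /// A JSON-serialised <see cref="PswMigrationResponse"/> (oktaId, login, status, isPasswordInOkta).
        /// </returns>
        /// <remarks>
        /// The credentials are read through the <c>Request[...]</c> indexer, which merges query string,
        /// form, cookies and server variables; a password sent on the query string can end up in
        /// request logs, so the form body is the only sensible transport for this endpoint.
        /// </remarks>
        public ActionResult ValidateUser()
        {
            PswMigrationResponse pswMigrationRsp = new PswMigrationResponse();

            string username = Request["username"];
            string password = Request["password"];

            LdapServiceModel ldapServiceModel = new LdapServiceModel();
            ldapServiceModel.ldapServer = appSettings["ldap.server"];
            ldapServiceModel.ldapPort   = appSettings["ldap.port"];
            ldapServiceModel.baseDn     = appSettings["ldap.baseDn"];

            //use received username and password to bind with LDAP
            //if password is valid, set password in Okta
            CustomUser oktaUser = null;
            try
            {
                //check username in Okta and password status
                oktaUser = _oktaUserMgmt.GetCustomUser(username);
            }
            catch (OktaException)
            {
                //trap error, handle User is null
                //NOTE(review): every OktaException lands here, not only "user not found", so a
                //transient Okta failure sends the request down the create-from-LDAP path below.
                //Narrowing on the error code would keep the two cases apart.
            }

            if (oktaUser != null)
            {
                MigrateExistingUserPassword(oktaUser, username, password, ldapServiceModel, pswMigrationRsp);
            }
            else
            {
                //arrive here if user not found in Okta
                CreateUserFromLdap(username, password, ldapServiceModel, pswMigrationRsp);
            }

            return(Content(content: JsonConvert.SerializeObject(pswMigrationRsp), contentType: "application/json"));
        }

        /// <summary>
        /// Existing-user branch of <see cref="ValidateUser"/>: when the profile flag says the password
        /// is not yet in Okta, validates the credentials in LDAP and on success pushes the password to Okta.
        /// </summary>
        /// <param name="oktaUser">The Okta user found for <paramref name="username"/>.</param>
        /// <param name="username">Login name received from the request.</param>
        /// <param name="password">Password received from the request.</param>
        /// <param name="ldapServiceModel">LDAP connection settings.</param>
        /// <param name="pswMigrationRsp">Response object to fill in.</param>
        private void MigrateExistingUserPassword(CustomUser oktaUser, string username, string password,
                                                 LdapServiceModel ldapServiceModel, PswMigrationResponse pswMigrationRsp)
        {
            if (string.IsNullOrEmpty(oktaUser.Profile.IsPasswordInOkta) || oktaUser.Profile.IsPasswordInOkta == "false")
            {
                //check user credentials in LDAP
                bool rspIsAuthenticated = _credAuthentication.IsAuthenticated(username, password, ldapServiceModel);

                if (rspIsAuthenticated)
                {
                    //set password in Okta
                    bool rspSetPsw = _oktaUserMgmt.SetUserPassword(oktaUser.Id, password);

                    //record the outcome on the profile: "true" only when the password really reached Okta,
                    //otherwise "false" so the next login attempt retries the migration instead of
                    //skipping LDAP for a user that still has no Okta password
                    oktaUser.Profile.IsPasswordInOkta = rspSetPsw ? "true" : "false";
                    bool rspPartialUpdate = _oktaUserMgmt.UpdateCustomUserAttributesOnly(oktaUser);

                    pswMigrationRsp.status           = rspSetPsw ? "set password in Okta successful" : "set password in Okta failed";
                    //"unknown" when the profile flag could not be written back
                    pswMigrationRsp.isPasswordInOkta = rspPartialUpdate ? oktaUser.Profile.IsPasswordInOkta : "unknown";
                }
                else
                {
                    //arrive here is user creds not validated in Ldap
                    pswMigrationRsp.status           = "LDAP validation failed";
                    pswMigrationRsp.isPasswordInOkta = "false";
                }
            }
            else
            {
                //no work required
                pswMigrationRsp.status           = oktaUser.Status;
                pswMigrationRsp.isPasswordInOkta = "true";
            }
            //build response
            pswMigrationRsp.oktaId = oktaUser.Id;
            pswMigrationRsp.login  = oktaUser.Profile.Login;
        }

        /// <summary>
        /// Unknown-user branch of <see cref="ValidateUser"/>: validates the credentials in LDAP and,
        /// when LDAP returns a profile, creates and activates the Okta user with that password.
        /// </summary>
        /// <param name="username">Login name received from the request.</param>
        /// <param name="password">Password received from the request.</param>
        /// <param name="ldapServiceModel">LDAP connection settings.</param>
        /// <param name="pswMigrationRsp">Response object to fill in.</param>
        private void CreateUserFromLdap(string username, string password,
                                        LdapServiceModel ldapServiceModel, PswMigrationResponse pswMigrationRsp)
        {
            //check user credentials and get profile from LDAP
            CustomUser rspCustomUser = _credAuthentication.IsCreated(username, password, ldapServiceModel);
            if (rspCustomUser == null)
            {
                SetNotCreatedResponse(pswMigrationRsp);
                return;
            }

            rspCustomUser.Profile.Login = username + _userdomain;
            Okta.Core.Models.Password pswd = new Okta.Core.Models.Password();
            pswd.Value = password;
            rspCustomUser.Credentials.Password = pswd;

            //create Okta user with password
            //(rspAddCustomUser is not declared in this method — presumably a controller field; verify)
            rspAddCustomUser = _oktaUserMgmt.AddCustomUser(rspCustomUser);
            if (rspAddCustomUser == null)
            {
                SetNotCreatedResponse(pswMigrationRsp);
                return;
            }

            //the activation link returned by Okta is not used: the password was set at creation
            Uri  rspUri;
            bool rspActivate = _oktaUserMgmt.ActivateUser(rspAddCustomUser, out rspUri);
            if (!rspActivate)
            {
                SetNotCreatedResponse(pswMigrationRsp);
                return;
            }

            //set the flag on the object that is actually sent back to Okta; the LDAP-side
            //object is not what UpdateCustomUserAttributesOnly writes
            rspAddCustomUser.Profile.IsPasswordInOkta = "true";
            bool rspPartialUpdate = _oktaUserMgmt.UpdateCustomUserAttributesOnly(rspAddCustomUser);

            pswMigrationRsp.oktaId           = rspAddCustomUser.Id;
            pswMigrationRsp.login            = rspAddCustomUser.Profile.Login;
            pswMigrationRsp.status           = "Created in Okta";
            //"unknown" when the profile flag could not be written back
            pswMigrationRsp.isPasswordInOkta = rspPartialUpdate ? "true" : "unknown";
        }

        /// <summary>Fills the response for every path on which no Okta user was created.</summary>
        /// <param name="pswMigrationRsp">Response object to fill in.</param>
        private static void SetNotCreatedResponse(PswMigrationResponse pswMigrationRsp)
        {
            pswMigrationRsp.oktaId           = "none";
            pswMigrationRsp.login            = "******";
            pswMigrationRsp.status           = "User NOT Created in Okta";
            pswMigrationRsp.isPasswordInOkta = "false";
        }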
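        /// <summary>
        /// Second step of the branded activation flow. The link in the activation e-mail carries a
        /// one-time recovery token and the Okta user id; the token is compared with the passcode stored
        /// on the user's custom profile (cleared on first read) and checked against the configured
        /// expiry, then the STAGED user is activated and sent on to <c>GetPassword</c>.
        /// </summary>
        /// <param name="recoveryToken">One-time passcode from the e-mail link; falls back to TempData when absent.</param>
        /// <param name="oktaId">Okta user id from the e-mail link.</param>
        /// <returns>
        /// Redirect to <c>GetPassword</c> on success; otherwise redirect to Home/Index with the
        /// user-facing error in <c>TempData["errMessage"]</c>.
        /// </returns>
        public ActionResult VerifyActivate(string recoveryToken, string oktaId)
        {
            logger.Debug("VerifyActivate ");

            if (string.IsNullOrEmpty(recoveryToken) && TempData["recoveryToken"] != null)
            {
                recoveryToken = TempData["recoveryToken"].ToString();
            }

            //set parameters: relayState / stateToken / userName are carried across the redirect chain in TempData
            string relayState = Request["relayState"];

            if (string.IsNullOrEmpty(relayState) && Request.QueryString["RelayState"] != null)
            {
                relayState = Request.QueryString["RelayState"];
            }
            else if (string.IsNullOrEmpty(relayState) && TempData["relayState"] != null)
            {
                relayState = (string)TempData["relayState"];
            }
            //NOTE(review): relayState is caller-supplied and stored unvalidated; whatever later
            //redirects to it (not visible here) must restrict it to known-safe destinations.
            TempData["relayState"] = relayState;
            string stateToken = Request["stateToken"];

            if (string.IsNullOrEmpty(stateToken) && TempData["stateToken"] != null)
            {
                stateToken = TempData["stateToken"].ToString();
            }
            TempData["stateToken"] = stateToken;

            string userName = Request["userName"];

            if (string.IsNullOrEmpty(userName) && TempData["userName"] != null)
            {
                userName = TempData["userName"].ToString();
            }
            TempData["userName"] = userName;

            //TempData["helpLink"] = MvcApplication.helpLink;
            string tokenFailedErrorMessage = "We could not activate your account at this time. Please try clicking the link in your email again " +
                                             "or contact the service center via the information at the bottom of the page.";

            //get UserClient based on Org credentials
            OktaClient  oktaClient  = new OktaClient(MvcApplication.apiToken, MvcApplication.apiUrl);
            UsersClient usersClient = oktaClient.GetUsersClient();

            if (string.IsNullOrEmpty(recoveryToken) || string.IsNullOrEmpty(oktaId))
            {
                //if it doesnt work out return to beginning.
                //the token value is deliberately kept out of the log here: it has not been consumed yet
                return ActivationFailed("Cannot Validate Token: token or locator missing, locator: " + oktaId, tokenFailedErrorMessage);
            }

            //Validate Token from branded email response link:
            //get user profile data and compare with received token
            CustomUser customUser = oktaUserMgmt.GetCustomUser(oktaId);
            if (customUser == null)
            {
                return ActivationFailed("Token validation failed, no user for locator: " + oktaId, tokenFailedErrorMessage);
            }
            if (customUser.Status != "STAGED")
            {
                return ActivationFailed("Token validation is not appropriate for current user state " + customUser.Status, tokenFailedErrorMessage);
            }
            if (string.IsNullOrEmpty(customUser.Profile.activation_passCode) || string.IsNullOrEmpty(customUser.Profile.activation_setDate))
            {
                return ActivationFailed("Token validation information is not available", tokenFailedErrorMessage);
            }

            //this is a one time token, so if profile received reset the data
            //(cleared before the comparison, so a wrong guess burns it as well)
            string activation_passCode = customUser.Profile.activation_passCode;
            string activation_setDate  = customUser.Profile.activation_setDate;
            customUser.Profile.activation_passCode = "";
            customUser.Profile.activation_setDate  = "";

            bool rspSetCustomUserProfile = oktaUserMgmt.UpdateCustomUserAttributesOnly(customUser);
            if (!rspSetCustomUserProfile)
            {
                return ActivationFailed("Unable to Set User Custom Profile to reset activation passCode: " + customUser.Profile.Email, tokenFailedErrorMessage);
            }

            //check received passcode matches what was saved in storage app attribute
            //(string == is an ordinal comparison)
            if (activation_passCode != recoveryToken)
            {
                return ActivationFailed("Cannot Validate Token for locator: " + oktaId, tokenFailedErrorMessage);
            }

            //check for expired activation code: hours elapsed since the passcode was set.
            //NOTE(review): DateTime.Parse and DateTime.Now use the server's current culture and local
            //time zone, so activation_setDate must have been written the same way by the code that set it.
            DateTime setTime    = DateTime.Parse(activation_setDate);
            TimeSpan tokenAge   = DateTime.Now.Subtract(setTime);
            long     authExpiry = Convert.ToInt32(appSettings["custom.ActivationExpire_hours"]);

            //compare the fractional age directly: rounding it to whole hours first made the token
            //expire half an hour early (or late) relative to the configured limit
            if (authExpiry <= tokenAge.TotalHours)
            {
                logger.Debug("Token is correct, but has exceeded time limit " + appSettings["custom.ActivationExpire_hours"] + " hours");
                TempData["errMessage"] = tokenFailedErrorMessage;
                return(RedirectToAction("Index", "Home"));
            }

            //continue to set password
            User oktaUser = new User();
            oktaUser.Id = oktaId;

            try
            {
                //transistion user accout from STAGED to PROVISIONED.
                //the return value is the email activation link for the embedded workflow;
                //this cannot be branded so we are setting password directly and ignore it
                usersClient.Activate(oktaUser, sendEmail: false);
            }
            catch (OktaException ex)
            {
                if (ex.ErrorCode == "E0000001")
                {
                    return ActivationFailed("Api Valiadation Failed: " + userName, tokenFailedErrorMessage);
                }
                // generic failure
                return ActivationFailed(userName + " = " + ex.ErrorCode + ":" + ex.ErrorSummary, tokenFailedErrorMessage);
            }

            logger.Debug("Token Validated Successfully proceed to create password");
            return(RedirectToAction("GetPassword"));
        }

        /// <summary>
        /// Common failure exit for <see cref="VerifyActivate"/>: logs the diagnostic message, stores the
        /// user-facing message in <c>TempData["errMessage"]</c> and redirects to Home/Index.
        /// </summary>
        /// <param name="logMessage">Diagnostic text for the error log (must not contain an unconsumed token).</param>
        /// <param name="userMessage">Text shown to the user on the Home page.</param>
        /// <returns>The redirect result.</returns>
        private ActionResult ActivationFailed(string logMessage, string userMessage)
        {
            logger.Error(logMessage);
            TempData["errMessage"] = userMessage;
            return(RedirectToAction("Index", "Home"));
        }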