LoginUser object

The Privileged Access Service creates a single LoginUser object for each SAML user session. The object is an instance of the LoginUser class, and is a read/write object.

The function LoginUser.Get() retrieves any one of the current user's attributes. It takes as its argument a string that specifies the key of the attribute to retrieve. LoginUser.Get("mail"), for example, returns the user's email address as stored in Active Directory.

When LoginUser.Get() executes, the Privileged Access Service contacts the source directory through the connector for the user's organization and retrieves the attribute. If, for example, an Active Directory user has logged into the Admin Portal as a member of the Acme organization, executing LoginUser.Get() during one of that user's log-on sessions contacts the Acme Active Directory service through the connector set up in Acme's internal network. If a Cloud Directory Service user has logged in, executing LoginUser.Get() instead queries the Cloud Directory Service (CDS).

Note: Not all attributes are common between directory services. If you have users managed by different directory services (for example, AD and LDAP), use the LoginUser.ServiceType or LoginUser.ServiceName properties to determine the user's source directory and then get the appropriate attribute key. Refer to LoginUser object for more information.

Example

if(LoginUser.ServiceType == 'LDAPProxy'){
    UserIdentifier = LoginUser.Get('uid');
} else {
    UserIdentifier = LoginUser.Username;
}

Explanation

The preceding example checks whether the user is managed by LDAP. If the user's service type is LDAPProxy, the script gets the current user's uid attribute; otherwise it uses the LoginUser.Username property.
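The following added example (not Centrify's own code) generalises the check above: it chooses the identifier key by LoginUser.ServiceName first, so that two LDAP proxies can use different keys, then by LoginUser.ServiceType, and falls back to LoginUser.Username whenever the chosen attribute is empty. The LoginUser objects, the service names and the key table are constructed for this example.

```javascript
// Attribute key to use per directory: ServiceName takes precedence over
// ServiceType. The service names and the key each proxy exposes are
// assumptions for this example.
var IDENTIFIER_KEYS = {
  byServiceName: { "acme-openldap": "uid", "partner-ldap": "mail" },
  byServiceType: { LDAPProxy: "uid" }
};

function selectUserIdentifier(user, keys) {
  keys = keys || IDENTIFIER_KEYS;
  var key = keys.byServiceName[user.ServiceName] ||
            keys.byServiceType[user.ServiceType];
  // ADProxy, CDS and FDS users have no per-directory key in the table:
  // use the identity the "Map to User Accounts" setting already produced.
  if (!key) { return user.Username; }
  var value = user.Get(key);
  // An absent or empty attribute would put an empty identifier into the
  // SAML assertion; fall back to Username instead.
  return (value && value.length > 0) ? value : user.Username;
}

// Constructed stand-in for the LoginUser object the service supplies.
function stubUser(serviceType, serviceName, username, attrs) {
  return {
    ServiceType: serviceType, ServiceName: serviceName, Username: username,
    Get: function (k) { return attrs[k]; }
  };
}

// Constructed sample users.
var ldapUser = stubUser("LDAPProxy", "acme-openldap", "jdoe@acme.example",
                        { uid: "jdoe" });
var partnerUser = stubUser("LDAPProxy", "partner-ldap", "asmith@partner.example",
                           { uid: "asmith", mail: "a.smith@partner.example" });
var adUser = stubUser("ADProxy", "acme-ad", "jdoe@acme.example",
                      { sAMAccountName: "jdoe" });
var emptyUidUser = stubUser("LDAPProxy", "acme-openldap", "x@acme.example", {});

// In a real SAML script: UserIdentifier = selectUserIdentifier(LoginUser);
```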

The LoginUser object has the following methods:

Function name / Description

LoginUser.Get(ADkey)

This function returns any one of the current user's Active Directory attributes. It takes as its argument a string that specifies the key of the attribute to retrieve. An example: LoginUser.Get("mail") returns the user's email address as stored in the user's Active Directory account.

LoginUser.GetValues(ADkey)

This function returns an array containing all values of a multi-valued Active Directory attribute for the current user. It takes as its argument a string that specifies the key of the attribute to retrieve. For example, the line

setAttributeArray('proxies', LoginUser.GetValues('proxyAddresses'));

sets an attribute array named proxies that includes all values of the AD attribute proxyAddresses for the logged-in user.

LoginUser.GetGroupAttributeValues(ADkey)

This function returns the values of the specified AD attribute for each of the current user's groups. It takes as its argument a string that specifies the key of the attribute to retrieve. An example: LoginUser.GetGroupAttributeValues("sAMAccountName") returns the sAMAccountName value of each of the user's groups as stored in Active Directory.
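The proxyAddresses values that LoginUser.GetValues returns carry routing prefixes (the primary SMTP address is marked with an uppercase "SMTP:", secondary ones with "smtp:", and X500: or SIP: entries are not mail addresses), so a script usually has to reduce them before passing them on. The following added example (not Centrify's own code) does that reduction; the sample values are constructed, and LoginUser is not called because the block runs offline.

```javascript
// Return the primary SMTP address from a proxyAddresses array, without the
// prefix. Exchange convention: "SMTP:" (upper case) marks the primary
// address, "smtp:" a secondary one. If no primary is marked, prefer the
// value of the mail attribute, then the first secondary address.
function primarySmtpAddress(proxyAddresses, fallbackMail) {
  var secondary = null;
  for (var i = 0; i < proxyAddresses.length; i++) {
    var v = proxyAddresses[i];
    if (v.indexOf("SMTP:") === 0) { return v.substring(5); }
    if (secondary === null && v.toLowerCase().indexOf("smtp:") === 0) {
      secondary = v.substring(5);
    }
  }
  return fallbackMail || secondary || null;
}

// Return every SMTP address (primary and secondary) without prefixes,
// dropping X500:, SIP: and other non-mail entries.
function smtpAddresses(proxyAddresses) {
  var out = [];
  for (var i = 0; i < proxyAddresses.length; i++) {
    var v = proxyAddresses[i];
    if (v.toLowerCase().indexOf("smtp:") === 0) { out.push(v.substring(5)); }
  }
  return out;
}

// Constructed sample values, shaped like a typical AD proxyAddresses set.
var SAMPLE_PROXY_ADDRESSES = [
  "smtp:jdoe@old.acme.example",
  "X500:/o=Acme/ou=Exchange Administrative Group/cn=Recipients/cn=jdoe",
  "SMTP:john.doe@acme.example",
  "SIP:john.doe@acme.example"
];

// In a real SAML script:
//   setAttributeArray('proxies', smtpAddresses(LoginUser.GetValues('proxyAddresses')));
```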

The LoginUser object's properties describe the user as he or she is presented to the web application. The following table describes those properties.

Property name / Description

LoginUser.Username

The user identity presented in the SAML assertion to the web application. The Privileged Access Service determines the user ID for this user session depending on the "Map to User Accounts" setting in the Application Settings tab. (These settings determine the user name, which is the user ID presented in the SAML assertion.)

LoginUser.FirstName

The first name of the user presented in the SAML assertion to the web application. Note the following special cases for parsing this attribute for users in directory services that do not have the FirstName attribute, such as Centrify Directory:

The FirstName attribute is parsed from the first string of DisplayName.

If DisplayName is a single string, the same string is used for the FirstName and LastName attributes.

If DisplayName is null, FirstName and LastName return as null. SAML apps that require non-empty values will fail to launch in this case.

LoginUser.LastName

The last name of the user presented in the SAML assertion to the web application. Note the following special cases for parsing this attribute for users in directory services that do not have the LastName attribute, such as Centrify Directory:

The LastName attribute is parsed from the last string of DisplayName. Any additional strings between the first string and the last string are ignored.

If DisplayName is a single string, the same string is used for the FirstName and LastName attributes.

If DisplayName is null, FirstName and LastName return as null. SAML apps that require non-empty values will fail to launch in this case.
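The following added example (not Centrify's own code) implements the DisplayName parsing rules stated for FirstName and LastName above and adds the check a script can make for the null case, substituting the user name so that an app requiring non-empty values still receives one. The fallback choice and the sample values are assumptions for this example.

```javascript
// Derive FirstName/LastName from DisplayName as documented: first string
// becomes FirstName, last string becomes LastName, anything in between is
// ignored; a single string is used for both; null yields null for both.
function namesFromDisplayName(displayName) {
  if (displayName == null) { return { FirstName: null, LastName: null }; }
  var parts = displayName.trim().split(/\s+/).filter(function (p) {
    return p.length > 0;
  });
  if (parts.length === 0) { return { FirstName: null, LastName: null }; }
  return { FirstName: parts[0], LastName: parts[parts.length - 1] };
}

// Name pair a script can emit for a directory without FirstName/LastName
// attributes. When DisplayName is null the service would present null for
// both, which the page notes breaks apps that require non-empty values;
// this hypothetical fallback uses the user name for both instead.
function nameAttributes(displayName, username) {
  var names = namesFromDisplayName(displayName);
  return {
    FirstName: names.FirstName || username,
    LastName: names.LastName || username
  };
}

// In a real SAML script the inputs would come from the LoginUser object,
// for example nameAttributes(LoginUser.Get("displayName"), LoginUser.Username),
// where "displayName" is an assumed attribute key.
```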

LoginUser.GroupNames

An array of group names for groups in which the user is an effective member (according to the user's Active Directory account). A user is an effective member of a group if the user is either a direct member of the group or a direct member of a group that is in turn a member of the group.

This property returns the same value as LoginUser.EffectiveGroupNames.

LoginUser.GroupNames2

An array of group names for groups in which the user is an effective member (according to the user's Active Directory account), returning only each group's name attribute.

LoginUser.RoleNames

An array of Privileged Access Service role names for roles in which the user is a member.

The following example illustrates how to set an array named "Group" that includes the Centrify roles of which the logged-in user is a member.

setAttributeArray("Group", LoginUser.RoleNames);

LoginUser.EffectiveGroupNames

An array of group names for groups in which the user is an effective member (according to the user's Active Directory account). A user is an effective member of a group if the user is either a direct member of the group or a direct member of a group that is in turn a member of the group.

This property returns the same value as LoginUser.GroupNames.

LoginUser.GroupDNs

An array of distinguished names of groups in which the user is an effective member.

This property returns the same value as LoginUser.EffectiveGroupDNs.

LoginUser.EffectiveGroupDNs

An array of distinguished names of groups in which the user is an effective member.

This property returns the same value as LoginUser.GroupDNs.

LoginUser.ServiceType

The type of directory service managing the user’s user object. Possible values are:

ADProxy

LDAPProxy

CDS (Cloud Directory Service)

FDS (Federated Directory Service)

LoginUser.ServiceName

The name of the directory service managing the user’s user object. These values are set by the network administrator. This property is useful in environments with more than one LDAP proxy.