Class: AWSUDO::IdentityProviders::Okta

Inherits:

AWSUDO::IdentityProvider

• Object
• AWSUDO::IdentityProvider
• AWSUDO::IdentityProviders::Okta

Defined in:

lib/awsudo/identity_providers/okta.rb

Instance Attribute Summary

• #api_endpoint ⇒ Object

  Returns the value of attribute api_endpoint.

Attributes inherited from AWSUDO::IdentityProvider

#idp_login_url, #logger, #password, #saml_provider_name, #username

Class Method Summary

• .new_from_config(config, username, password) ⇒ Object

Instance Method Summary

• #authenticate ⇒ Object
• #initialize(url, name, endpoint, username, password) ⇒ Okta constructor

  A new instance of Okta.

• #saml_request ⇒ Object

Methods inherited from AWSUDO::IdentityProvider

#assume_role, #get_saml_response, sts

Constructor Details

#initialize(url, name, endpoint, username, password) ⇒ Okta

Returns a new instance of Okta.

# File 'lib/awsudo/identity_providers/okta.rb', line 15

def initialize(url, name, endpoint, username, password)
  super(url, name, username, password)
  @api_endpoint = endpoint
  logger.debug "api_endpoint: <#{@api_endpoint}>"
  begin
    URI.parse(@api_endpoint)
  rescue
    raise "`#{@api_endpoint.inspect}' is not a valid API endpoint"
  end
end

Instance Attribute Details

#api_endpoint ⇒ Object

Returns the value of attribute api_endpoint.

# File 'lib/awsudo/identity_providers/okta.rb', line 8

def api_endpoint
  @api_endpoint
end

Class Method Details

.new_from_config(config, username, password) ⇒ Object

# File 'lib/awsudo/identity_providers/okta.rb', line 10

def self.new_from_config(config, username, password)
  new(config['IDP_LOGIN_URL'], config['SAML_PROVIDER_NAME'],
      config['API_ENDPOINT'], username, password)
end

Instance Method Details

#authenticate ⇒ Object

# File 'lib/awsudo/identity_providers/okta.rb', line 26

def authenticate
  payload = { 
    'username' => username,
    'password' => password,
    'options'  => {
      'multiOptionalFactorEnroll' => false,
    'warnBeforePasswordExpired' => false
    }
  }.to_json
  uri = URI.parse(api_endpoint + '/authn')
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER

  req = Net::HTTP::Post.new(uri.request_uri)
  req.content_type = 'application/json'
  req['Accept'] = 'application/json'
  req.body = payload
  logger.debug {"payload: <#{req.body.inspect}>"}
  res = http.request(req)
  logger.debug {"Headers: <#{res.to_hash.inspect}>"}
  logger.debug {"Body: <#{res.body.inspect}>"}
  result = JSON.parse(res.body)

  case result['status']
  when 'SUCCESS'
    return result['sessionToken']
  when 'MFA_REQUIRED'
    raise 'MFA required'
  else
    raise 'Authentication failed'
  end
end

#saml_request ⇒ Object

# File 'lib/awsudo/identity_providers/okta.rb', line 60

def saml_request
  session_token = authenticate
  uri = URI.parse(idp_login_url)
  req = Net::HTTP::Post.new(uri.request_uri)
  req.set_form_data({'onetimetoken' => session_token})
  req
end