Configure single sign-on authentication

About this task

Guidewire provides the following configuration as a basic example. Use it as a starting point for more elaborate authentication features, such as redirecting users to different failure pages depending on the reason the login failed.

Procedure

  1. Create custom Gosu class CustomAuthServlet.gs:
    1. Open Guidewire Studio™ for PolicyCenter.
    2. In the Studio Project window, expand configuration > gsrc.
    3. Right-click gsrc and click New > Package.
    4. Enter a package name of your own, so that the class stays separate from Guidewire code across upgrades.
      For example, enter something such as companyName.auth.
    5. Right-click the newly created package and click New > Gosu Class.
    6. Enter CustomAuthServlet as the name for the class and click OK.
    7. Enter the following class definition:
      package companyName.auth
        
      uses com.guidewire.pl.system.dependency.PLDependencies
      uses com.guidewire.pl.system.service.context.ServiceToken
      uses com.guidewire.pl.system.server.Version
      uses com.guidewire.pl.web.controller.WebServlet
      uses javax.servlet.http.HttpServletResponse
      uses javax.servlet.http.HttpServletRequest
      uses javax.servlet.http.HttpServlet
      uses gw.servlet.ServletUtils
      uses javax.security.auth.login.LoginException
      uses gw.servlet.Servlet
      uses gw.plugin.Plugins
      uses gw.plugin.baseurlbuilder.IBaseURLBuilder
        
      @Servlet( \ path : String ->path.matches( "/ssosaml" ) )
      class CustomAuthServlet extends HttpServlet {
        override function doPost(req: HttpServletRequest, resp: HttpServletResponse) {
          var user:User = ServletUtils.getAuthenticatedUser(req, true);
          if (user != null) {
            redirectToIndex(req, resp);
            return;
          }
            
          // try to login
          try {
            PLDependencies.LoginManager.login(req);
          } catch (e : LoginException) {
            respondUnauthorized(req,resp);
            return;
          }
            
          var serviceToken:ServiceToken = PLDependencies.CommonDependencies.ServiceToken;
          if (serviceToken == null || !serviceToken.AuthenticatedUser) {
            respondUnauthorized(req,resp);
          } else {
            // store token
            req.getSession(false).setAttribute(WebServlet.SERVICE_TOKEN_SESSION_ATTR, serviceToken);
            redirectToIndex(req, resp);
          }
            
          return;
        }
           
        private function respondUnauthorized(req:HttpServletRequest, resp:HttpServletResponse) {
          print("User is unauthorized")
          redirectToError(req, resp);
        }
           
        private function redirectToIndex(req:HttpServletRequest, resp:HttpServletResponse) {
          print("User is authorized. Send to index page.")
          var plugin:IBaseURLBuilder = (IBaseURLBuilder) Plugins.get("BaseURLBuilderPlugin");
          var pcStartupPageEP = "PolicyCenterStartupPageEP"
          resp.sendRedirect(plugin.getApplicationBaseURL(req) + "/" + pcStartupPageEP + ".do");
        }
          
        private function redirectToError(req:HttpServletRequest, resp:HttpServletResponse) {
          print("User is unauthorized. Send to Default Failure page.")
          var plugin:IBaseURLBuilder = (IBaseURLBuilder) Plugins.get("BaseURLBuilderPlugin");
          var defaultFailureEP = "DefaultFailureEP"
          resp.sendRedirect(plugin.getApplicationBaseURL(req) + "/" + defaultFailureEP + ".do");
        }
      }
  2. Add your custom servlet to the list of valid PolicyCenter servlets:
    1. Expand configuration > config > servlets.
    2. Open servlets.xml.
    3. Add the name of your custom servlet to the list.
      For example:
      <servlet class="companyName.auth.CustomAuthServlet"/>
  3. Create custom Gosu class AuthServicePlugin.gs and place the class in your custom authentication package. For example:
    package companyName.auth
    
    uses gw.plugin.security.AuthenticationServicePlugin
    uses gw.plugin.security.AuthenticationServicePluginCallbackHandler
    uses gw.plugin.security.AuthenticationSource
    uses gw.plugin.security.UserNamePasswordAuthenticationSource
    uses java.lang.IllegalArgumentException
    uses javax.security.auth.login.FailedLoginException
    
    class AuthServicePlugin implements AuthenticationServicePlugin {
      var _handler: AuthenticationServicePluginCallbackHandler;
      override function authenticate(p0: AuthenticationSource): String {
        // Reject any source type this plugin does not understand
        if (!(p0 typeis UserNamePasswordAuthenticationSource)) {
          throw new IllegalArgumentException("Authentication source type " + p0.getClass().getName() +
            " is not known to this plugin");
        }
        var uNameSource:UserNamePasswordAuthenticationSource = (UserNamePasswordAuthenticationSource) p0;
        var username = uNameSource.Username;
        // The callback handler resolves the user name to the PublicID of a PolicyCenter user
        var userPublicId = _handler.findUser(username);
        if (userPublicId == null) {
          throw new FailedLoginException("Bad user name " + username);
        }
        return userPublicId;
      }
      
      override function setCallback(p0: AuthenticationServicePluginCallbackHandler) {
        _handler = p0;
      }
    }
  4. Create custom Gosu class AuthSourceCreator.gs and place the class in your custom authentication package. For example:
    package companyName.auth
    
    uses gw.plugin.security.AuthenticationSourceCreatorPlugin
    uses gw.plugin.security.AuthenticationSource
    uses javax.servlet.http.HttpServletRequest
    uses gw.plugin.security.UserNamePasswordAuthenticationSource
    
    class AuthSourceCreator implements AuthenticationSourceCreatorPlugin {
      override function createSourceFromHTTPRequest(p0: HttpServletRequest): AuthenticationSource {
    
        var source:AuthenticationSource;
        var userName:String = p0.getParameter("username");
        var password:String = p0.getParameter("password");

        // Log the user name only; the password must never be written to the log
        print("userName\t" + userName)
        
        source = new UserNamePasswordAuthenticationSource(userName, password);
        
        return source;
      
      }
    }

    In your code, check for errors and throw InvalidAuthenticationSourceData if there are errors.

  5. Associate your custom AuthServicePlugin class with the AuthenticationServicePlugin plugin.
    1. Expand configuration > config > Plugins > registry.
    2. Open AuthenticationServicePlugin.gwp.
    3. Click Remove Plugin to remove the default plugin.
    4. Click Add Plugin and select Add Gosu Plugin.
    5. For Gosu Class, enter the AuthServicePlugin.gs class, including the fully qualified package.
  6. Associate your custom AuthSourceCreator class with the AuthenticationSourceCreatorPlugin plugin.
    1. Open AuthenticationSourceCreatorPlugin.gwp.
    2. Click Remove Plugin to remove the default plugin.
    3. Click Add Plugin and select Add Gosu Plugin.
    4. For Gosu Class, enter the AuthSourceCreator.gs class, including the fully qualified package.
  7. Create an entry point for the PolicyCenter entry page:
    1. Expand configuration > config > Page Configuration > pcf, right-click entrypoints and click New > PCF file.
    2. Enter PolicyCenterStartupPageEP for the file name.
    3. Select Entry Point for the file type and click OK.
    4. Select the entry point.
    5. Set location to PolicyCenterStartupPage().
    6. Set authenticationRequired to false.
  8. Create an entry point for the default failure page.
    1. Right-click entrypoints and click New > PCF file.
    2. Enter DefaultFailureEP for the file name.
    3. Select Entry Point for the file type and click OK.
    4. Select the entry point.
    5. Set location to DefaultFailurePage().
    6. Set authenticationRequired to false.
  9. Create a BaseURLBuilderPlugin plugin implementation:
    1. Right-click configuration > config > Plugins > registry and click New > Plugin.
    2. Enter BaseURLBuilderPlugin for the name.
    3. Enter IBaseURLBuilder for the interface and click OK.
    4. Click Add Plugin and select Add Java Plugin.
    5. Enter com.guidewire.pl.web.render.html.BaseURLBuilderImpl for the Java Class.
  10. Test your work:
    1. Create a test HTML page on your local PolicyCenter server.
    2. Include the following form on the HTML page:
      <form name="input" action="http://localhost:8180/pc/service/ssosaml" method="post">
        Username: <input type="text" name="username">
        Password: <input type="password" name="password">
        <input type="submit" value="Submit">
      </form>
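The note in step 4 asks you to check the request for errors and throw InvalidAuthenticationSourceData. The following AuthSourceCreator is an added example of that check, not Guidewire's own code; it assumes InvalidAuthenticationSourceData lives in gw.plugin.security and accepts a String message, and the length limit is an illustrative value.

```gosu
package companyName.auth

uses gw.plugin.security.AuthenticationSourceCreatorPlugin
uses gw.plugin.security.AuthenticationSource
uses gw.plugin.security.UserNamePasswordAuthenticationSource
// Assumed package and constructor; confirm against your PolicyCenter API documentation
uses gw.plugin.security.InvalidAuthenticationSourceData
uses javax.servlet.http.HttpServletRequest

class AuthSourceCreator implements AuthenticationSourceCreatorPlugin {
  // Illustrative upper bound on credential length to reject oversized input early
  static final var MAX_LENGTH : int = 256

  override function createSourceFromHTTPRequest(p0: HttpServletRequest): AuthenticationSource {
    // Accept credentials only from a POST body, never from the query string,
    // so they do not end up in access logs or browser history
    if (p0.Method != "POST") {
      throw new InvalidAuthenticationSourceData("Credentials must be submitted with POST")
    }

    var userName = p0.getParameter("username")
    var password = p0.getParameter("password")

    // Both fields must be present and non-blank
    if (userName == null or userName.trim().Empty or password == null or password.Empty) {
      throw new InvalidAuthenticationSourceData("Missing username or password")
    }
    if (userName.length() > MAX_LENGTH or password.length() > MAX_LENGTH) {
      throw new InvalidAuthenticationSourceData("Credential exceeds maximum length")
    }

    // Log the user name only; the password is never written to the log
    print("Authentication attempt for user\t" + userName.trim())
    return new UserNamePasswordAuthenticationSource(userName.trim(), password)
  }
}
```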