Affects Version/s: 10.0.1
Fix Version/s: None
Following in the footsteps of OpenIDM, it would be really nice to have a script interface for creating conditions.
The "ScriptableCondition" would take a single parameter - the script to execute. Possibly the target scripting language would be another parameter, but it would be fine to support only a single language to begin with.
Many variables would be exposed to the script. In fact, virtually anything that the other default conditions can do should be possible with the ScriptableCondition. Variables available should include:
- Max Session Time and Idle Session Time
- Module Instance / Module Chain that the user authenticated with
- Authentication Level of the current session
- IP Address and DNS Name of the original login request
- Current session properties
- User attributes
The return value should probably be a string indicating the decision that was made, for example "true" indicating that the target policy does apply to this user. Boolean values could also be handled.
The written script should also be able to return advice, just like the "Authentication Level" condition. This might be facilitated by returning an appropriate string, for example "true:advice:xxxxx".
There should also be an object allowing the script to print messages to the debug logs. java.lang.System.out.println may be sufficient.
If possible, sensitive attributes (such as passwords) should be excluded from the script's scope.
More info on custom policy plugins here:
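Added example, not part of the original request and not OpenAM code: a host-side sketch of the behaviour proposed above, where sensitive attributes are stripped from the script's scope, a logger object is passed in, and the result may be a Boolean, "true"/"false", or a string of the form "true:advice:xxxxx". All function names, the deny-list and the sample data are hypothetical, and the condition script is modelled as a plain function rather than run in a sandboxed engine.

```javascript
// Hypothetical host-side helpers for the proposed ScriptableCondition.
// None of these names are OpenAM APIs; sample data below is constructed.
const SENSITIVE = new Set(["userpassword", "password"]); // assumed deny-list

// Build the read-only scope handed to the script, dropping sensitive attributes.
function buildScope(session, userAttrs) {
  const attrs = {};
  for (const [name, value] of Object.entries(userAttrs)) {
    if (!SENSITIVE.has(name.toLowerCase())) attrs[name] = value;
  }
  return Object.freeze({
    authLevel: session.authLevel,
    clientIp: session.clientIp,
    properties: Object.freeze({ ...session.properties }),
    user: Object.freeze(attrs),
  });
}

// Parse a script result: boolean, "true"/"false", or "<decision>:advice:<text>".
// Anything else throws, so the caller never treats garbage as a decision.
function parseDecision(result) {
  if (typeof result === "boolean") return { applies: result, advice: null };
  if (typeof result !== "string") throw new TypeError("unsupported return type");
  const m = /^(true|false)(?::advice:(.+))?$/s.exec(result.trim());
  if (!m) throw new TypeError("malformed decision: " + result);
  return { applies: m[1] === "true", advice: m[2] ?? null };
}

// Run a condition (modelled as a plain function) and collect its debug output.
function evaluate(condition, scope) {
  const debug = [];
  const logger = { message: (msg) => debug.push(String(msg)) };
  return { ...parseDecision(condition(scope, logger)), debug };
}

// Constructed sample input: a session at auth level 1 and a user entry.
const scope = buildScope(
  { authLevel: 1, clientIp: "192.0.2.10", properties: { realm: "/" } },
  { uid: "demo", mail: "demo@example.com", userPassword: "constructed-secret" }
);
// Constructed condition: requires auth level 2, otherwise returns advice.
const stepUp = (s, log) => {
  log.message("authLevel=" + s.authLevel);
  return s.authLevel >= 2 ? true : "false:advice:AuthLevel=2";
};
console.log(evaluate(stepUp, scope));
```

A deny-list only covers attribute names the host knows about; an allow-list of attributes the script may read is the stricter variant of the same filter.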