New Authentication variables

@Adam could you provide a quick example on using the new variables available in the Authentication.ps1 file in PSU version 2.0.1?

I am trying to implement them and not having the best of luck. Can these variables be accessed from within the ScriptBlock parameter in Set-PSUAuthenticationMethod? Or do they have to be accessed before that?

You should be able to just reference these variables like regular PS variables. They aren't showing up for you?

Hi @adam ,
I can confirm that these variables are indeed working for us (@Kbraley9 is working on this project with us).

Would it be possible to also add these variables into the roles.ps1 file in a future release? Since this file is also part of the authentication flow, and we are logging which roles the authenticating user is part of, I think it would be helpful. I attempted to stick the gathered remote IP into the $session var to use it from the roles.ps1 file, but that didn’t work either. I think allowing access to the $session var from these files, and/or making a randomized session ID var available to these files would prove useful so that we can associate a single login session with logging done during the auth process as well as dashboard functions. Not sure if the cookies var can provide something like this. Worst-case, we can just set a random UUID to the $session var and use that within roles.ps1 and any dashboard that is being accessed.

Here is what our current logging output is looking like (unknown ip due to logging from within roles.ps1 file, and domains are sanitized):

[06/14/21 23:46:16] - User '' successfully authorized to DC '' via ''
[06/14/21 23:46:17] - Enumerated roles in 0.824238 secs
[06/14/21 23:46:17] Unknown IP - User '' is a member of 'PSU Administrator' group
[06/14/21 23:46:19] Unknown IP - User '' is a member of 'Control Panel Internal Admin' group
[06/14/21 23:46:48] - User '' successfully authorized to DC '' via ''
[06/14/21 23:46:49] - Enumerated roles in 0.6581443 secs
[06/14/21 23:46:52] Unknown IP - User '' is a member of 'Control Panel Customer Admin' group

Hmm strange. It must be due to where the roles.ps1 is being evaluated.

As a work around, you could pass special claims from authentication.ps1 to roles.ps1. You could add the missing variables to the claims and they will be available within the $User variable in roles.ps1.
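The claims workaround described above, as an added example (editor's code, not from the thread and not PowerShell Universal's own sample): authentication.ps1 validates the credential, mints one session ID per successful login, and carries the session ID, client IP and group names to roles.ps1 as claims, so both files can write correlatable log lines. Assumptions: the per-request variable holding the client address is named $RemoteIpAddress (the thread only says "remote IP"); New-PSUAuthenticationResult accepts a -Claims script block that emits New-PSUAuthorizationClaim objects, as documented for PSU 2.x; 'corp.example' and the log path are placeholders.

```powershell
# ---- authentication.ps1 (added example) ----
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$LogPath = 'C:\ProgramData\UniversalAutomation\auth.log'   # placeholder path

function Write-AuthLog {
    # Same layout as the thread's log lines: [MM/dd/yy HH:mm:ss] <ip> - <message>
    param([string]$ClientIp, [string]$Message)
    $stamp = Get-Date -Format 'MM/dd/yy HH:mm:ss'
    Add-Content -Path $LogPath -Value ("[{0}] {1} - {2}" -f $stamp, $ClientIp, $Message)
}

Set-PSUAuthenticationMethod -ScriptBlock {
    param([PSCredential]$Credential)

    # $RemoteIpAddress is assumed to be the request-scoped variable PSU exposes here.
    $clientIp = if ($RemoteIpAddress) { "$RemoteIpAddress" } else { 'Unknown IP' }

    # Credential check against the domain via .NET (domain name is a placeholder).
    $ctx   = [System.DirectoryServices.AccountManagement.PrincipalContext]::new('Domain', 'corp.example')
    $valid = $ctx.ValidateCredentials($Credential.UserName, $Credential.GetNetworkCredential().Password)

    if (-not $valid) {
        Write-AuthLog -ClientIp $clientIp -Message ("User '{0}' failed authentication" -f $Credential.UserName)
        return New-PSUAuthenticationResult -ErrorMessage 'Bad username or password'
    }

    # One opaque ID per successful login; every later log line for this session carries it.
    $sessionId = [guid]::NewGuid().ToString()
    Write-AuthLog -ClientIp $clientIp -Message ("User '{0}' successfully authorized, session {1}" -f $Credential.UserName, $sessionId)

    # Resolve group membership once here and ship it as claims so roles.ps1
    # does not need to query the directory again.
    $principal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $Credential.UserName)
    $groups    = @($principal.GetGroups() | ForEach-Object { $_.Name })

    New-PSUAuthenticationResult -Success -UserName $Credential.UserName -Claims {
        New-PSUAuthorizationClaim -Type 'SessionId' -Value $sessionId
        New-PSUAuthorizationClaim -Type 'ClientIp'  -Value $clientIp
        foreach ($g in $groups) { New-PSUAuthorizationClaim -Type 'Group' -Value $g }
    }
}

# ---- roles.ps1 (added example) ----
$LogPath = 'C:\ProgramData\UniversalAutomation\auth.log'   # same placeholder path

function Get-ClaimValue {
    # Returns the first claim of the given type from the ClaimsPrincipal, or $null.
    param([System.Security.Claims.ClaimsPrincipal]$Principal, [string]$Type)
    ($Principal.Claims | Where-Object Type -eq $Type | Select-Object -First 1).Value
}

function Test-RoleMembership {
    # Checks the 'Group' claims set in authentication.ps1 and logs the outcome
    # with the session ID and client IP, so the role line joins the login line.
    param([System.Security.Claims.ClaimsPrincipal]$Principal, [string]$GroupName)
    $sessionId = Get-ClaimValue -Principal $Principal -Type 'SessionId'
    $clientIp  = Get-ClaimValue -Principal $Principal -Type 'ClientIp'
    if (-not $clientIp) { $clientIp = 'Unknown IP' }
    $isMember  = $Principal.HasClaim('Group', $GroupName)
    $stamp     = Get-Date -Format 'MM/dd/yy HH:mm:ss'
    $verb      = if ($isMember) { 'is a member of' } else { 'is not a member of' }
    Add-Content -Path $LogPath -Value ("[{0}] {1} - session {2}: User '{3}' {4} '{5}' group" -f
        $stamp, $clientIp, $sessionId, $Principal.Identity.Name, $verb, $GroupName)
    return $isMember
}

New-PSURole -Name 'PSU Administrator' -Policy {
    param($User)   # System.Security.Claims.ClaimsPrincipal built from the claims above
    Test-RoleMembership -Principal $User -GroupName 'PSU Administrator'
}

New-PSURole -Name 'Control Panel Internal Admin' -Policy {
    param($User)
    Test-RoleMembership -Principal $User -GroupName 'Control Panel Internal Admin'
}
```

Claim values are strings, so anything structured (a timestamp, a list) should be serialized before it is added and parsed again in roles.ps1. Because the session ID and IP are carried on the principal rather than in the $session variable, they survive however roles.ps1 is evaluated, which is the point of the workaround.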

Hi @adam ,
That suggestion worked well. Is there any way you know of also somehow getting access to those claims within a dashboard? It would be great to be able to track a specific session through the logs (by first setting a session ID when the login is successful). I see that the $user var is available in a dashboard but it only contains the username and nothing else. Worst case we can add this to the logs and at least have some idea about who is doing what.

Not at the moment but it should be pretty easy to add. I’ve created an issue here: ClaimsPrincipal in dashboard · Issue #250 · ironmansoftware/issues · GitHub