Forms Authentication
Forms authentication scripts in PowerShell Universal.
Last updated
Forms authentication scripts in PowerShell Universal.
Last updated
The forms authentication script is only called when users login through the login page. If you use any other authentication method, this script is not called. Role policy scripts are called for all authentication types.
By default, the forms authentication script is configured to accept the user Admin and any password. You can configure this authentication policy to interact with whatever system you like. The script will receive a PSCredential
object that contains the user name and password entered by the user at the login page.
Authentication settings are also stored with authentication.ps1
To update forms authentication, you can click Settings Security and then click the Settings button for the forms authentication.
You can update the PowerShell script found in settings to configure how the user is authenticated. You'll need to return a New-PSUAuthenticationResult
from the script to indicate whether the user was successfully authenticated.
You can check the password of the credential by using the GetNetworkCredential()
method of PSCredential
.
During forms authentication, you can set claims that will be available within role policies. This can provide a performance benefit when interacting with remote systems since you can perform a single claim lookup and then evaluate the claims locally rather than having to make additional calls to the remote system.
This example uses Active Directory to look up group membership and assign the as claims that will be available within the roles scripts.
Within your roles.ps1
file, you will be able to use these claims to validate group membership.
This example checks to see if the user is part of the SOC_Admins group.
These are the variables defined within the security scripts.
$Cookies
Cookies provided in the client's HTTP request.
hashtable
$Headers
Headers provided in the client's HTTP request.
hashtable
$LocalIpAddress
The local IP address of the request.
string
$LocalPort
The local port of the request.
string
$RemoteIpAddress
The remote IP address of the request.
string
$RemotePort
The remote port of the request.
string
When calling API endpoints or the PowerShell Management API, you can use Basic authentication to pass in a user name and password. This will invoke the forms authentication and authorization scripts to valid the login. The username and password should be encoded as Base64 in the username:password
format and sent in the Authorization header with a Basic
prefix.
You can also use the built-in -Credential parameter on Invoke-RestMethod to avoid having to encode the basic credentials yourself. The $AdminCredential
below needs to be a PSCredential
.
You can use the live log view on the authentication page to view information about the script execution. The live log view will display PowerShell streams.