HMSREG365 Login

hmsreg365.no is intended to be a common entry point for users across different HMSREG365 sites.
On this site users are verified as the holders of their mobile phones, using their mobile phone number and an SMS token, and are then presented with a list of sites / projects to log into. When one is selected, the user is redirected to that site without having to authenticate again.
This is done via a one-time token, valid for 10 seconds, that is generated by hmsreg365.no and, in the next step, verified through a call from the destination host the user selected back to https://hmsreg365.no.

First part of flow (verifying that the user owns the mobile number, on hmsreg365.no):

Lanes: End User, hmsreg365.no (LoginHandler), Authentication Step.

1. End User navigates to hmsreg365.no. LoginHandler redirects to /login and the Login Page is shown.
2. End User fills in the SMS number on the Login Page. LoginHandler runs step 1 (from Web.config): Hmsreg365_AuthStepSmsNumber, parameter SMSNumberParameter. On Verify it dynamically adds steps 2 and 3.
3. Step 1 is verified and step 2 is triggered: Hmsreg365_AuthStepSmsToken, parameter Token. On trigger it sends an SMS to the user.
4. End User fills in the SMS token on the Login Page. LoginHandler verifies step 2 and moves on to step 3.
5. Step 3 is Hmsreg365_AuthStepHostList, parameter Hmsreg365_AuthHostsParameter. End User selects a host from the list on the Login Page.
6. LoginHandler verifies step 3. On Verify it creates a one-time token (OTT) and redirects to the selected host with that token. The Login Page redirects.

Second part of flow, authenticate on destination:

Lanes: End User, Destination host, Hmsreg365.no.

1. End User is redirected to the destination's /login with query parameters including the token.
2. Destination host Login Handler: the hmsreg365Token parameter selects the alternative Hmsreg365_AuthStep_OneTimeToken.
3. Hmsreg365_AuthStep_OneTimeToken posts smsnumber and token to Hmsreg365.no, where HmsReg365VerifyToken (/api/hmsreg365/verifyToken) validates the token.
4. Success? The first step is verified. Next step: SetCredentials, which impersonates the user.
5. End User lands on the start page of the destination with the project selected.

Requirements and setup on Hmsreg365.no site

Required code modules, modifications to the login Web App and settings on the Hmsreg365.no site.
Web.config: the main step is Hmsreg365_AuthStepSmsNumber, with Pims365Login as an alternative for admin login:

    <authenticationSteps>
      <step name="Hmsreg365_AuthStepSmsNumber">
        <alternative name="Pims365Login" caption="Admin login">
          <step name="Pims365Login" allowRemember="true" rememberCaption="Husk meg" caption="Logg inn">
            <alternative name="nykonto" caption="Ny Konto" allowInQuery="true" autoProcess="true">
              <step name="Pims365SignupTokenIdentity" allowInQuery="true" />
              <step name="Pims365ResetPassword" confirm="false" message="test" />
            </alternative>
            <alternative name="settpassord" allowInQuery="true" autoProcess="true">
              <step name="Pims365ResettTokenIdentity" allowInQuery="true" />
              <step name="Pims365ResetPassword" confirm="false" message="test v2" />
            </alternative>
            <alternative name="ResetPassword">
              <step name="Pims365ResettTokenSender">
                <alternative name="settpassord" allowInQuery="true" autoProcess="true">
                  <step name="Pims365ResettTokenIdentity" allowInQuery="true" />
                  <step name="Pims365ResetPassword" confirm="false" message="test v2" />
                </alternative>
              </step>
            </alternative>
          </step>
        </alternative>
      </step>
    </authenticationSteps>

Code Module: Hmsreg365_AuthStepSmsNumber (Step 1)

Code module that inherits from AuthenticationStep and acts as step 1.
Description: Exposes SMSNumberParameter as an input for the user. When the step is verified (the user has entered a number), it dynamically adds Hmsreg365_AuthStepSmsToken and Hmsreg365_AuthStepHostList as the next steps.
VerifyParameter(s): SMSNumberParameter
Setup: This step should be the main step in the authenticationSteps section of Web.config.

Code Module: Hmsreg365_AuthStepSmsToken (Step 2)

Code module that inherits from TwilioSMSIdentity and, indirectly, ConditionalTriggeredAuthenticationStep. Acts as step 2.
Description: SMSNumberParameter is the TriggerParameter for this step, so as soon as step 1 is verified this step is triggered; it then generates the SMS token and sends it to the user. The UI generates an input for the SMSTokenParameter.
VerifyParameter(s): SMSTokenParameter

Code Module: Hmsreg365_AuthStepHostList (Step 3)

Code module that inherits from AuthenticationStep and implements IAuthenticationStepWithRequirePostback. Acts as step 3.
Description: This step uses the custom parameter Hmsreg365_AuthHostsParameter. This parameter generates and contains the list of hosts/projects that the user can choose to activate.
On Verify: Picks up the parameters and calls astp_Hmsreg_LagEngangskode (with smsnumber), which creates a one-time token (GUID) stored in atbv_Hmsreg_Engangskoder with a validity of 10 seconds. The stored procedure then returns this token.
Next, the GotoUrl is picked up and the query parameters smsnumber and hmsreg365token are appended to it.
Finally it calls RequestContext.Response.Redirect with the generated host URL.
This produces a response with status code 302 and the Location header set to the new URL.
Important! Because this step implements IAuthenticationStepWithRequirePostback, posts from the login page (client side) for this step are form posts instead of Ajax posts. This matters because a 302 redirect does not navigate the browser when the request is made via Ajax; the redirect is followed inside the XHR and the page stays where it is.
VerifyParameter(s): Hmsreg365_AuthHostsParameter

Code Module: Hmsreg365_AuthHostsParameter

Custom parameter that implements IAuthenticationParameterWithGetValueList.
Description: This parameter generates and contains the list of hosts/projects that the user can choose to activate.
Most of the logic resides in GetValueList, which queries atbv_Felles_KunderBaser and then iterates over the result.
For each host it calls personExist, which posts to the URL hostUrl + "/api/pims365/person/" + vMobilnr. Each host is thus called on a route matching the code module api/pims365/person/{mobilnr} and should respond with a list of objects containing the attributes:

  • Prosjekt_ID
  • Prosjekt
  • HostName
  • HostUrl

Based on this, the ValueList is returned as a list of objects with the following attributes:
  • Prosjekt_ID - Project ID
  • Prosjekt - Name of project
  • HostUrl - Host URL (from atbv_Felles_KunderBaser)
  • GotoUrl - Host URL + /login + query parameter ReturnUrl containing the Prosjekt_ID parameter
  • HostName - Name of host (from atbv_Felles_KunderBaser)

Code Module: HmsReg365VerifyToken

Route handler that responds to requests matching "api/hmsreg365/VerifyToken".
Description: Picks up the form fields smsnumber and hmsreg365token from the request.
Passes these to astp_Hmsreg_BekreftEngangskode, which responds with the following columns:

  • success - bit
  • message - error message if token was not acceptable

This output is then written as the response back to the caller (Hmsreg365_AuthStep_OneTimeToken).

Web App: login

The login app is very similar to the one on pims365, with the following changes:

  • In Main HTML, added @Render("SiteScript", FileName:"intlTelInput.min.js") (used for the SMS number input)
  • New Web Script "hmsreg365" that contains the method renderHostList
  • A small section in Main CSS containing styles for the class .Hmsreg365_AuthHosts
  • In Main Script, in the beforeunload listener at the start, the timeout is extended to 20 seconds (to make sure the browser has time to redirect)
  • In Main Script, the method renderField calls renderHostList if parameter.type === "Hmsreg365_AuthHosts"
  • In Main Script, the method renderField renders the input using intlTelInput if parameter.type === "SMSNumber", to properly handle country codes

Requirements and setup on Destination Hosts

Required code modules and settings on hosts that can accept incoming hmsreg365tokens.
Web.config: the new alternative is HMSREG365Token:

    <authenticationSteps>
      <step name="Pims365Login" allowRemember="true" rememberCaption="Husk meg" caption="Logg inn">
        <alternative name="HMSREG365Token" caption="ConfigCaption" allowInQuery="true" autoProcess="true">
          <step name="Hmsreg365_AuthStep_OneTimeToken" allowInQuery="true"/>
          <step name="SetCredentials"/>
        </alternative>
        <alternative name="nykonto" caption="Ny Konto" allowInQuery="true" autoProcess="true">
          <step name="Pims365SignupTokenIdentity" allowInQuery="true"/>
          <step name="Pims365ResetPassword" confirm="false" message="test"/>
        </alternative>
        <alternative name="settpassord" allowInQuery="true" autoProcess="true">
          <step name="Pims365ResettTokenIdentity" allowInQuery="true"/>
          <step name="Pims365ResetPassword" confirm="false" message="test v2"/>
        </alternative>
        <alternative name="ResetPassword">
          <step name="Pims365ResettTokenSender">
            <alternative name="settpassord" allowInQuery="true" autoProcess="true">
              <step name="Pims365ResettTokenIdentity" allowInQuery="true"/>
              <step name="Pims365ResetPassword" confirm="false" message="test v2"/>
            </alternative>
          </step>
        </alternative>
      </step>
    </authenticationSteps>

Code Module: Hmsreg365_AuthStep_OneTimeToken (Step 1 of alternative)

Code module that inherits from ConditionalAuthenticationStep and implements IIdentityprovider.
Description: Authentication step that is activated when the "smsnumber" and "hmsreg365token" query parameters are passed, and then tries to verify the token.
VerifyParameter(s): QuerySMSNumberParameter, VisibleTokenParameter (hmsreg365token)
On Verify: Posts an HTTPS request to https://hmsreg365.no/api/hmsreg365/verifyToken/ (HmsReg365VerifyToken), supplying smsnumber and hmsreg365token as form parameters.
Converts the response into a TokenResponse object that has the attributes success (boolean) and message (string).
If success = true, the step passes as verified and moves on to the next step (SetCredentials).
Setup: This step should be a new alternative in the authenticationSteps section of Web.config, together with the SetCredentials step that impersonates the user.
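The whole handoff described for step 3, HmsReg365VerifyToken and Hmsreg365_AuthStep_OneTimeToken above, as an added Python model that is not part of the HMSREG365 code base: the stored procedures, the atbv_Hmsreg_Engangskoder table and the HTTPS call back to hmsreg365.no are replaced by in-memory functions (all assumed), and the function names borrow the procedure names only for orientation. It shows the properties a verifier should hold the design to: 10-second validity, single use, binding to the smsnumber, and fail-closed handling of the verify response on the destination.

```python
import json
import time
import uuid
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_TTL_SECONDS = 10  # validity stated in the design
_tokens = {}  # in-memory stand-in for atbv_Hmsreg_Engangskoder (assumed columns)

def lag_engangskode(smsnumber, now=None):
    """hmsreg365.no, step 3: issue a GUID token bound to smsnumber, valid 10 seconds."""
    now = time.time() if now is None else now
    token = str(uuid.uuid4())
    _tokens[token] = {"smsnumber": smsnumber, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token

def goto_url(host_url, prosjekt_id, smsnumber, token):
    """Redirect target: HostUrl + /login + ReturnUrl (with Prosjekt_ID) + smsnumber + hmsreg365token."""
    return_url = "/?" + urlencode({"Prosjekt_ID": prosjekt_id})
    query = {"ReturnUrl": return_url, "smsnumber": smsnumber, "hmsreg365token": token}
    return host_url + "/login?" + urlencode(query)

def bekreft_engangskode(smsnumber, token, now=None):
    """hmsreg365.no: verify and consume the token; returns the success/message columns."""
    now = time.time() if now is None else now
    row = _tokens.get(token)
    if row is None or row["used"]:
        return {"success": False, "message": "unknown or already used token"}
    row["used"] = True  # single use: one verification attempt per token, whatever the outcome
    if now > row["expires"]:
        return {"success": False, "message": "token expired"}
    if row["smsnumber"] != smsnumber:
        return {"success": False, "message": "token was not issued for this number"}
    return {"success": True, "message": ""}

def verify_token_endpoint(form):
    """/api/hmsreg365/verifyToken (HmsReg365VerifyToken): form fields in, JSON out."""
    return json.dumps(bekreft_engangskode(form.get("smsnumber", ""), form.get("hmsreg365token", "")))

def destination_login(url, post=verify_token_endpoint):
    """Destination host, Hmsreg365_AuthStep_OneTimeToken; `post` stands in for the HTTPS call back."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if not q.get("smsnumber") or not q.get("hmsreg365token"):
        return False, "HMSREG365Token alternative not selected"
    try:  # anything other than a well-formed {"success": true, ...} fails closed
        resp = json.loads(post({"smsnumber": q["smsnumber"], "hmsreg365token": q["hmsreg365token"]}))
    except ValueError:
        return False, "malformed verify response"
    return resp.get("success") is True, str(resp.get("message", ""))
```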

Code Module: Hmsreg365_AuthQuerySMSNumberParameter

Code module that exposes a class required by Hmsreg365_AuthStep_OneTimeToken.
Description: Inherits from SMSNumberParameter but overrides AllowInQuery to true, since this parameter needs to be picked up from the incoming URL query parameter.

Code Module: "api/pims365/person/{mobilnr}"

Code module that responds to the route "api/pims365/person/{mobilnr}".
Description: Confirms that a mobile number is passed, then looks up the Person ID in atbv_Felles_Personer based on Mobilnr.
Next, it looks up the positions this user has in projects from aviw_Felles_StillingerMedHostname and returns the following columns as a JSON dataset:

  • Prosjekt_ID
  • Prosjekt
  • HostName
  • HostUrl

This response is used and processed in Hmsreg365_AuthHostsParameter.
NOTE! This Code module / route is also in use by the Pims365 mobile app!