...
Info |
For more general information, see Grouper Custom UI |
Requirements
- Set up a group that people can enroll in or unenroll from, to test their MFA with O365
- Only allow people to use this who have a future date on which they will be required to enroll
- Don't allow people who are already required to enroll to unenroll
- Show whether the assignment is provisioned into Azure (i.e., whether MFA is actually enabled)
- Show whether the assignment is provisioned into LDAP by PSPNG (the intermediary destination; from LDAP/AD it then flows into Azure)
- Require that the user is enrolled in MFA, and if not, give a link to enroll
- Require that the user has an O365 mailbox, and if not, notify the user
- Managers (readers and updaters) should be able to look up a user, see why that user's access is not what is expected, and enroll or unenroll them
- Emails should be sent to users when they enroll or unenroll (or when a manager does it for them) so they have the information needed to unenroll or re-enroll later
User variables
Configuration
Code Block |
{ "variableToAssign":"cu_o365twoStepTeam", "userQueryType":"grouper", "groupName":"penn:isc:ait:apps:O365:o365twoStepTeam", "label":"On O365 Two-Step team", "order":110, "forLoggedInUser":true } { "variableToAssign":"cu_o365twoStepEnrolled", "fieldNames":"members", "userQueryType":"grouper", "variableType":"boolean", "groupName":"penn:isc:ait:apps:O365:twoStepProd:o365_two_step_prod", "label":"${textContainer.text['penn_o365twoStep_cu_o365twoStepEnrolled']}", "order":10 } { "variableToAssign":"cu_o365twoStepSelfEnrolled", "fieldNames":"members", "userQueryType":"grouper", "variableType":"boolean", "groupName":"penn:isc:ait:apps:O365:twoStepProd:simpleEnrollUnenroll:o365twoStepSelfEnrolled", "label":"${textContainer.text['penn_o365twoStep_cu_o365twoStepSelfEnrolled']}", "order":20 } { "variableToAssign":"cu_o365twoStepCanEnrollUnenroll", "fieldNames":"optins,optouts", "userQueryType":"grouper", "variableType":"boolean", "groupName":"penn:isc:ait:apps:O365:twoStepProd:simpleEnrollUnenroll:o365twoStepSelfEnrolled", "label":"${textContainer.text['penn_o365twoStep_cu_o365twoStepCanEnrollUnenroll']}", "order":30 } { "variableToAssign":"cu_o365twoStepRequiredToEnroll", "fieldNames":"members", "userQueryType":"grouper", "variableType":"boolean", "groupName":"penn:isc:ait:apps:O365:twoStepProd:o365_two_step_prod_policy", "label":"${textContainer.text['penn_o365twoStep_cu_o365twoStepRequiredToEnroll']}", "order":40 } { "variableToAssign":"cu_o365twoStepRequiredDate", "bindVar0":"${subject.id}", "userQueryType":"sql", "variableType":"string", "configId":"grouper", "bindVar0type":"string", "query":"select min(value_string) from authz_o365_twostep_req_date_v where subject_id = ?", "label":"${textContainer.text['penn_o365twoStep_cu_o365twoStepRequiredDate']}", "order":50 } { "variableToAssign":"cu_o365twoStepInAzure", "userQueryType":"azure", "configId":"pennAzure", "variableToAssignOnError":"cu_o365twoStepInAzureError", 
"groupName":"penn:isc:ait:apps:O365:twoStepProd:o365_two_step_prod", "label":"${textContainer.text['penn_o365twoStep_cu_o365twoStepInAzure']}", "errorLabel":"${textContainer.text['penn_o365twoStep_cu_o365twoStepInAzureError']}", "order":60 } { "variableToAssign":"cu_o365hasMailbox", "userQueryType":"grouper", "groupName":"penn:isc:ait:apps:O365:o365hasMailbox", "label":"${textContainer.text['penn_o365twoStep_cu_o365hasMailbox']}", "order":80 } { "variableToAssign":"cu_twoStepUsers", "fieldNames":"members", "userQueryType":"grouper", "variableType":"boolean", "groupName":"penn:community:authentication:twoStepUsers", "label":"${textContainer.text['penn_o365twoStep_cu_twoStepUsers']}", "order":90 } { "variableToAssign":"cu_o365twoStepInLdap", "userQueryType":"ldap", "variableToAssignOnError":"cu_o365twoStepInLdapError", "groupName":"penn:isc:ait:apps:O365:twoStepProd:o365_two_step_prod", "label":"${textContainer.text['penn_o365twoStep_cu_o365twoStepInLdap']}", "errorLabel":"${textContainer.text['penn_o365twoStep_cu_o365twoStepInLdapError']}", "order":70, "configId":"oneProdAd" } { "variableToAssign":"cu_o365twoStepAllowedToManage", "fieldNames":"updaters,readers", "userQueryType":"grouper", "variableType":"boolean", "groupName":"penn:isc:ait:apps:O365:twoStepProd:simpleEnrollUnenroll:o365twoStepSelfEnrolled", "label":"${textContainer.text['penn_o365twoStep_cu_o365twoStepAllowedToManage']}", "order":100, "forLoggedInUser":true } { "variableToAssign":"default", "ldapSearchDn":"DC=one,DC=upenn,DC=edu", "ldapFilter":"(&(objectclass=user)(employeeID=${subject.getId()})(memberof=CN=${group.getName()},OU=Grouper,OU=365Groups,DC=one,DC=upenn,DC=edu))", "ldapAttributeToRetrieve":"employeeID" } |
Text configuration
Configuration
Code Block |
{ "endIfMatches":true, "customUiTextType":"canAssignVariables", "index":0, "text":"${cu_o365twoStepTeam}" } { "customUiTextType":"emailToUser", "index":0, "text":"true" } { "endIfMatches":true, "customUiTextType":"emailSubject", "index":0, "text":"${cu_grouperEnroll ? textContainer.text['penn_o365twoStep_enroll_emailSubject'] : textContainer.text['penn_o365twoStep_unenroll_emailSubject']}" } { "endIfMatches":true, "customUiTextType":"emailBody", "index":10, "text":"${textContainer.text['penn_o365twoStep_unenroll_emailBody']}", "script":"${!cu_grouperEnroll}" } { "endIfMatches":true, "customUiTextType":"emailBody", "index":0, "text":"${textContainer.text['penn_o365twoStep_enroll_emailBody']}", "script":"${cu_grouperEnroll}" } { "endIfMatches":true, "customUiTextType":"canSeeUserEnvironment", "index":0, "text":"${cu_o365twoStepAllowedToManage}" } { "endIfMatches":true, "customUiTextType":"canSeeScreenState", "index":0, "text":"false" } { "endIfMatches":true, "customUiTextType":"emailBccGroupName", "index":0, "text":"penn:isc:ait:apps:O365:twoStepProd:simpleEnrollUnenroll:o365twoStepAllowedToAdmin" } { "endIfMatches":true, "customUiTextType":"instructions1", "index":60, "text":"${textContainer.text['penn_o365twoStep_instructions_notRequiredCannotEnroll']}", "script":"${!cu_o365twoStepRequiredToEnroll}" } { "endIfMatches":true, "customUiTextType":"unenrollButtonShow", "index":0, "text":"${cu_o365twoStepEnrolled && cu_o365twoStepCanEnrollUnenroll && !cu_o365twoStepRequiredToEnroll}" } { "endIfMatches":true, "customUiTextType":"enrollButtonShow", "index":0, "text":"${!cu_o365twoStepEnrolled && cu_o365twoStepCanEnrollUnenroll && cu_twoStepUsers && cu_o365hasMailbox}" } { "endIfMatches":true, "customUiTextType":"managerInstructions", "index":0, "defaultText":false, "text":"${textContainer.text['penn_o365twoStep_instructions_manager']}", "script":"${cu_o365twoStepAllowedToManage}" } { "endIfMatches":true, "customUiTextType":"unenrollButtonText", "index":0, 
"defaultText":false, "text":"${textContainer.text['penn_o365twoStep_unenrollButtonText']}" } { "endIfMatches":true, "customUiTextType":"enrollButtonText", "index":0, "defaultText":false, "text":"${textContainer.text['penn_o365twoStep_enrollButtonText']}" } { "endIfMatches":true, "customUiTextType":"enrollmentLabel", "index":70, "defaultText":false, "text":"${textContainer.text['penn_o365twoStep_enrollLabel_enrolledPendingNotInLdapButInAzure']}", "script":"${cu_o365twoStepEnrolled && !cu_o365twoStepInAzure}" } { "endIfMatches":true, "customUiTextType":"enrollmentLabel", "index":60, "defaultText":false, "text":"${textContainer.text['penn_o365twoStep_enrollLabel_enrolledPendingInLdapAndAzure']}", "script":"${cu_o365twoStepEnrolled && (cu_o365twoStepInLdapError || !cu_o365twoStepInLdap) && !cu_o365twoStepInAzure}" } { "endIfMatches":true, "customUiTextType":"enrollmentLabel", "index":50, "defaultText":false, "text":"${textContainer.text['penn_o365twoStep_enrollLabel_enrolled']}", "script":"${cu_o365twoStepEnrolled && cu_o365twoStepInAzure}" } { "endIfMatches":true, "customUiTextType":"enrollmentLabel", "index":40, "defaultText":false, "text":"${textContainer.text['penn_o365twoStep_enrollLabel_enrolledErrorInAzure']}", "script":"${cu_o365twoStepEnrolled && cu_o365twoStepInAzureError}" } { "endIfMatches":true, "customUiTextType":"enrollmentLabel", "index":30, "defaultText":false, "text":"${textContainer.text['penn_o365twoStep_enrollLabel_notEnrolledPendingNotInLdapButInAzure']}", "script":"${!cu_o365twoStepEnrolled && cu_o365twoStepInAzure}" } { "endIfMatches":true, "customUiTextType":"enrollmentLabel", "index":20, "defaultText":false, "text":"${textContainer.text['penn_o365twoStep_enrollLabel_notEnrolledPendingInLdapAndAzure']}", "script":"${!cu_o365twoStepEnrolled && (cu_o365twoStepInLdapError || cu_o365twoStepInLdap) && cu_o365twoStepInAzure}" } { "endIfMatches":true, "customUiTextType":"enrollmentLabel", "index":10, "defaultText":false, 
"text":"${textContainer.text['penn_o365twoStep_enrollLabel_notEnrolled']}", "script":"${!cu_o365twoStepEnrolled && !cu_o365twoStepInAzure}" } { "endIfMatches":true, "customUiTextType":"enrollmentLabel", "index":0, "defaultText":false, "text":"${textContainer.text['penn_o365twoStep_enrollLabel_notEnrolledErrorInAzure']}", "script":"${!cu_o365twoStepEnrolled && cu_o365twoStepInAzureError}" } { "endIfMatches":true, "customUiTextType":"instructions1", "index":50, "defaultText":false, "text":"${textContainer.text['penn_o365twoStep_instructions_notEnrolledButCanEnroll']}", "script":"${!cu_o365twoStepRequiredToEnroll && !cu_o365twoStepEnrolled && cu_o365twoStepCanEnrollUnenroll && cu_twoStepUsers && cu_o365hasMailbox}" } { "endIfMatches":true, "customUiTextType":"instructions1", "index":40, "defaultText":false, "text":"${textContainer.text['penn_o365twoStep_instructions_needsO365']}", "script":"${!cu_o365twoStepRequiredToEnroll && !cu_o365twoStepEnrolled && cu_o365twoStepCanEnrollUnenroll && !cu_o365hasMailbox}" } { "endIfMatches":true, "customUiTextType":"instructions1", "index":30, "defaultText":false, "text":"${textContainer.text['penn_o365twoStep_instructions_needsTwoStep']}", "script":"${!cu_o365twoStepRequiredToEnroll && !cu_o365twoStepEnrolled && cu_o365twoStepCanEnrollUnenroll && !cu_twoStepUsers}" } { "endIfMatches":true, "customUiTextType":"instructions1", "index":20, "defaultText":false, "text":"${textContainer.text['penn_o365twoStep_instructions_willBeRequiredToEnroll']}", "script":"${ !cu_o365twoStepRequiredToEnroll && cu_o365twoStepEnrolled && cu_o365hasMailbox && cu_o365twoStepCanEnrollUnenroll}" } { "endIfMatches":true, "customUiTextType":"instructions1", "index":10, "defaultText":false, "text":"${textContainer.text['penn_o365twoStep_instructions_requiredToEnroll']}", "script":"${cu_o365twoStepRequiredToEnroll}" } { "customUiTextType":"helpLink", "defaultText":true, "text":"${textContainer.text['penn_o365twoStep_helplink']}" } { 
"customUiTextType":"header", "defaultText":true, "text":"${textContainer.text['penn_o365twoStep_header']}" } |
...
Code Block |
#################################### ## Custom UI for O365 two step #################################### # header for o365 two step custom ui penn_o365twoStep_header = <h1>PennO365 Two-Step Verification</h1> penn_o365twoStep_helplink = <a href="https://www.isc.upenn.edu/how-to/penno365-office-365-proplus">${textContainer.text['grouper.help'] }</a> # top line for managers penn_o365twoStep_instructions_manager = View status of users in Two-Step Verification with O365. Enroll or unenroll users if applicable.<br /><br />You will see what the user sees below when you pull up a user<br /><br /> # if required to enroll, cannot opt in or opt out penn_o365twoStep_instructions_requiredToEnroll = To improve Penn's data security, you are required to use Two-Step Verification with O365.<br /><br /> # not required, will be required, and in two step and has o365 mailbox penn_o365twoStep_instructions_willBeRequiredToEnroll = To improve Penn's data security, you will be required to enroll in Two-Step Verification for O365 on <b>${cu_o365twoStepRequiredDate}</b>.<br /><br /> # not require, not allowed penn_o365twoStep_instructions_notRequiredCannotEnroll = You are not required to enroll, and you are not allowed to enroll.<br /><br /> # not in two step penn_o365twoStep_instructions_needsTwoStep = You are not enrolled in Two-Step Verification. <a href="https://twostep.apps.upenn.edu/twoFactor/twoFactorUi/app/UiMain.index">Enroll now</a>.<br /><br /> # not in o365 penn_o365twoStep_instructions_needsO365 = You need an O365 account.<br /><br /> # can enroll, not enrolled, not required penn_o365twoStep_instructions_notEnrolledButCanEnroll = To improve Penn's data security, you will be required to enroll in Two-Step Verification for O365 by <b>${cu_o365twoStepRequiredDate}</b>. Enroll now to ensure that you're not locked out of email and other O365 services. 
<br /><br />You must enroll for O365 even if you are already enrolled in Two-Step Verification for Penn WebLogin (PennKey).<br /><br /> # not enrolled, cant check azure penn_o365twoStep_enrollLabel_notEnrolledErrorInAzure = <b>Enrollment status:</b> <b style="color: red; font-size: 120%">Not enrolled in this system but an error occurred checking your enrollment in O365</b> # not enrolled penn_o365twoStep_enrollLabel_notEnrolled = <b>Enrollment status:</b> <b style="color: red; font-size: 120%">Not enrolled</b> # not enrolled but yes in ldap and azure penn_o365twoStep_enrollLabel_notEnrolledPendingInLdapAndAzure = <b>Enrollment status:</b> <b style="color: brown; font-size: 120%">Pending to be unenrolled. Generally takes less than 1 hour.</b> # not enrolled but still in azure penn_o365twoStep_enrollLabel_notEnrolledPendingNotInLdapButInAzure = <b>Enrollment status:</b> <b style=\"color: brown; font-size: 120%\">Pending to be unenrolled. Generally takes less than 15 minutes.</b> # enrolled, cant check azure penn_o365twoStep_enrollLabel_enrolledErrorInAzure = <b>Enrollment status:</b> <b style=\"color: brown; font-size: 120%\">Enrolled in this system but an error occurred checking your enrollment in O365</b> # enrolled penn_o365twoStep_enrollLabel_enrolled = <b>Enrollment status:</b> <b style=\"color: green; font-size: 120%\">Enrolled</b> # enrolled but not in ldap or azure penn_o365twoStep_enrollLabel_enrolledPendingInLdapAndAzure = <b>Enrollment status:</b> <b style=\"color: brown; font-size: 120%\">Pending. Generally takes less than 1 hour.</b> # enrolled but still not in azure penn_o365twoStep_enrollLabel_enrolledPendingNotInLdapButInAzure = <b>Enrollment status:</b> <b style=\"color: brown; font-size: 120%\">Pending. 
Generally takes less than 15 minutes.</b> penn_o365twoStep_enrollButtonText = Enroll penn_o365twoStep_unenrollButtonText = Unenroll penn_o365twoStep_enroll_emailBody = Dear ${subject.getName()},$newline$$newline$Thank you for enrolling in Two-Step Verification for PennO365.$newline$$newline$When you log in to PennO365 using your Microsoft account, you will be routinely prompted for a single-use verification code.$newline$$newline$You can accept push notifications or generate codes on your phone using Duo Mobile. Make sure you also print out single-use verification codes in case you don't have access to that device (on the "Manage settings" page, click "Generate codes")$newline$$newline$Remember to keep your profile updated with backup phone numbers (to which single-use codes can be sent) and friends you can authorize to retrieve a code if all else fails.$newline$$newline$For more information about Two-Step Verification, see: http://upenn.edu/twostep$newline$$newline$The Penn Two-Step Support team$newline$$newline$For technical assistance with Two-Step Verification, contact the IT support staff of your school or center. 
If you are unsure whom to contact, visit the Get IT Help directory: https://www.isc.upenn.edu/get-it-help$newline$$newline$Manage your enrollment: https://grouper.server.school.edu/grouper/grouperUi/app/UiV2Main.indexLite?operation=UiV2GroupLite.liteGroup&groupId=61bcaad67d57438ab1fea11c426c2f64 penn_o365twoStep_enroll_emailSubject = Penn Two-Step Verification - you have enrolled in Two-Step Verification for PennO365 penn_o365twoStep_unenroll_emailBody = Dear ${subject.getName()},$newline$$newline$You have unenrolled from Two-Step Verification for PennO365.$newline$$newline$When you log in to PennO365 using your Microsoft account you will no longer be routinely prompted for a single-use verification code.$newline$$newline$Manage your enrollment: https://grouper.server.school.edu/grouper/grouperUi/app/UiV2Main.indexLite?operation=UiV2GroupLite.liteGroup&groupId=61bcaad67d57438ab1fea11c426c2f64$newline$$newline$For more information about Two-Step Verification, see: http://upenn.edu/twostep$newline$$newline$The Penn Two-Step Support team$newline$$newline$For technical assistance with Two-Step Verification, contact the IT support staff of your school or center. 
If you are unsure whom to contact, visit the Get IT Help directory: https://www.isc.upenn.edu/get-it-help$newline$$newline$Manage your enrollment: https://grouper.server.school.edu/grouper/grouperUi/app/UiV2Main.indexLite?operation=UiV2GroupLite.liteGroup&groupId=61bcaad67d57438ab1fea11c426c2f64 penn_o365twoStep_unenroll_emailSubject = Penn Two-Step Verification - you have unenrolled from Two-Step Verification for PennO365 penn_o365twoStep_cu_o365twoStepAllowedToManage = Manager of PennO365 Two-Step self enrollments penn_o365twoStep_cu_o365twoStepCanEnrollUnenroll = Allowed to enroll or unenroll since has a future deadline penn_o365twoStep_cu_o365twoStepSelfEnrolled = Self-enrolled in PennO365 Two-Step Verification penn_o365twoStep_cu_o365twoStepRequiredToEnroll = Required to enroll because org was required in past penn_o365twoStep_cu_twoStepUsers = Two-Step Verification penn_o365twoStep_cu_o365hasMailbox = O365 mailbox penn_o365twoStep_cu_o365twoStepInLdap = In One AD LDAP (intermediary data flow destination) penn_o365twoStep_cu_o365twoStepInLdapError = Is there an error checking One AD? penn_o365twoStep_cu_o365twoStepInAzure = In O365 Azure (final data flow destination) means Two-Step on for O365 penn_o365twoStep_cu_o365twoStepInAzureError = Is there an error checking Azure O365? penn_o365twoStep_cu_o365twoStepRequiredDate = Date required to enroll penn_o365twoStep_cu_o365twoStepEnrolled = In PennGroup for Two-Step Verification in PennO365 (required or self-enrolled) |
Screen examples
Someone who is allowed to enroll and is not enrolled
...