Revoke session tokens from users on Azure upon termination

Which IIQ version are you inquiring about?

IdentityIQ 8.4p2

Please share any images or screenshots, if relevant.

[Please insert images here, otherwise delete this section]

Please share any other relevant files that may be required (for example, logs).

[Please insert files here, otherwise delete this section]

Share all details about your problem, including any error messages you may have received.

We have a requirement to revoke session from Azure user on termination.

Can anyone please guide on what is the best way to achieve this requirement.

I have tried to call Microsoft-graph API from IIQ rule, however getting error 400. The same API call is working fine from postman.

Pls find the code snippet. I am removing the client id/secret/scope values but they are working fine. I was earlier getting 411 and 415. Had done changes to resolve them, but now continuously getting 400. Can anyone pls assist on what could be the reason ?

<?xml version='1.0' encoding='UTF-8'?> Revoke Azure AD sign-in sessions via Microsoft Graph after a successful disable operation. import java.io.\*; import java.net.\*; import sailpoint.object.\*; import java.util.\*; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory;

private static Log custLog = LogFactory.getLog(“com.sailpoint.ad”);

// --------------------------------------------------------
 // 1. Identify user being disabled
 // --------------------------------------------------------
 String userId = "UPN" // Specified correct UPN value

userId = URLEncoder.encode(userId, “UTF-8”);
/*if (plan != null) {
for (ProvisioningPlan.AccountRequest acctReq : plan.getAccountRequests()) {
if (“Disable”.equalsIgnoreCase(acctReq.getOperation())) {
userId = acctReq.getNativeIdentity(); // typically UPN or ObjectID
break;
}
}
}*/

if (userId == null) {
   custLog.info("No disable request found in provisioning plan. Skipping session revoke.");
   return;
 }



custLog.info("Revoke-AzureAD-Session: Disabling user \[" + userId + "\]");



// --------------------------------------------------------
 // 2. Azure AD App Registration credentials
 //    ?? TODO: store these securely (Application attributes or encrypted settings)
 // --------------------------------------------------------
 String tenantId = "<YOUR_TENANT_ID>";
 String clientId = "<YOUR_CLIENT_ID>";
 String clientSecret = "<YOUR_CLIENT_SECRET>";







String scope = "[https://graph.microsoft.com/.default";](https://graph.microsoft.com/.default%22; "https://graph.microsoft.com/.default%22;")



clientId = URLEncoder.encode(clientId, "UTF-8");
 clientSecret = URLEncoder.encode(clientSecret, "UTF-8");
 scope = URLEncoder.encode(scope, "UTF-8");



// --------------------------------------------------------
 // 3. Request Access Token
 // --------------------------------------------------------
 String tokenEndpoint = "[https://login.microsoftonline.com/"](https://login.microsoftonline.com/%22 "https://login.microsoftonline.com/%22") + tenantId + "/oauth2/v2.0/token";
 String urlParameters =
   "client_id=" + clientId + "&scope=" + scope + "&client_secret=" + clientSecret + "&grant_type=client_credentials";



URL url = new URL(tokenEndpoint);
 HttpURLConnection conn = (HttpURLConnection) url.openConnection();
 conn.setRequestMethod("POST");
 conn.setDoOutput(true);
 conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");



OutputStream os = conn.getOutputStream();
 os.write(urlParameters.getBytes("UTF-8"));
 os.flush();
 os.close();



BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()));
 String inputLine;
 StringBuffer response = new StringBuffer();
 while ((inputLine = in.readLine()) != null) {
     response.append(inputLine);
 }
 in.close();



String jsonResponse = response.toString();
 custLog.info("Access Token Response: " + jsonResponse);



String accessToken = jsonResponse.replaceAll(".\*\\\\\\"access_token\\\\\\":\\\\\\"(\[^\\\\\\"\]+)\\\\\\".\*", "$1");
 //return accessToken;



// --------------------------------------------------------
 // 4. Call Microsoft Graph API to revoke sessions
 // --------------------------------------------------------

String revokeUrl = "https://graph.microsoft.com/v1.0/users/" + userId + “/revokeSignInSessions”;
URL revoke = new URL(revokeUrl);
HttpURLConnection revokeConn = (HttpURLConnection) revoke.openConnection();
revokeConn.setRequestMethod(“POST”);
revokeConn.setRequestProperty(“Authorization”, “Bearer” + accessToken);
revokeConn.setRequestProperty(“Content-Type”, “application/json”);
revokeConn.setRequestProperty(“Content-Length”, “0”);
revokeConn.setDoOutput(true);

// force Java to actually send the header
OutputStream os = revokeConn.getOutputStream();
os.write(new byte[0]);
os.flush();
os.close();

 int status = revokeConn.getResponseCode();




 //return status;
 if (status == 204) {
     custLog.info("Revoke-AzureAD-Session: Successfully revoked session for user " + userId);
     return "Success";
 } else {
     custLog.error("Revoke-AzureAD-Session: Failed to revoke session. HTTP Status: " + status);
     /\*BufferedReader errReader = new BufferedReader(new InputStreamReader(revokeConn.getErrorStream()));
     String errLine;
     StringBuffer errResponse = new StringBuffer();
     while ((errLine = errReader.readLine()) != null) {
         errResponse.append(errLine);
     }
     errReader.close();
     log.error("Error Response: " + errResponse.toString());\*/
     return "Failure";
 }

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.