I have not been able to disable the login, much to my chagrin, but I was able to successfully implement a security requirement I had to check when local/side_door logins occur. Below is code that I run within a notification's advanced condition:

//wait 5 seconds to ensure other events and logs have the ability to queue. We want to make sure that external.authentication.succeeded has time to run

//and that the transaction log for the possible API call has time to be created.

gs.sleep(5000);


var gd = new GlideDateTime();

gd.setValue(event.sys_created_on);

gd.add(-5000);


var date = gd.getLocalDate();

var time = gd.getLocalTime();

time = time.getByFormat('HH:mm:ss');


var gr = new GlideRecord('sysevent');

gr.addEncodedQuery("name=external.authentication.succeeded^parm1STARTSWITH"+event.parm1+"^sys_created_on>=javascript:gs.dateGenerate('"+date+"','"+time+"')");

gr.query();


//if the 'external.authentication.succeeded' record exists then the user logged in with SSO.

if(gr.hasNext()) {

         answer = false;

} else {

         //Also we do not want to keep track of API logins right now.

         gr = new GlideRecord('syslog_transaction');

         gr.addEncodedQuery('urlLIKE/login.do^session='+event.instance);

         gr.query();


         //if there is a transaction with login.do then this is most likely a side_door/local login

         if(gr.hasNext()) {

                   gs.warn("side_door.do login detected. user_name = "+event.parm1);

                   answer = true; //if the event doesn't exist then the user logged in locally which is not allowed

         }

}

The notification is triggered when the "login" event is triggered.

The trick here was to try and distinguish logins. A login event is created for:

- SSO login

- LDAP login

- SOAP/REST API authentications

- side_door.do/login.do login

So in my case we don't allow LDAP logins so I don't have to worry about that.

All SSO logins also have a corresponding "external.authentication.succeeded" event so if that exists then it is an SSO login.

Now with those 2 out of the way we need to distinguish a local login from an API login. To do this you must check the transaction table because API calls will not have a transaction for login.do but all local logins will.

Now with all that logic in place we can figure out if a local login occurred.

Using this logic between the event and transaction tables you should be able to add improved security logs. You could add code to:

- check specific API calls

- check LDAP login if you use that

- basically anything that requires a login can now be a little more properly distinguished

This could all be made much simpler if SN just implemented new events:

- login-SSO

- login-LDAP

- login-API

- login-sidedoor

- login-local

So if anyone working on future releases is reading this, think about implementing these new events please.

Thanks, John