Customizable user-facing pages - PingFederate

Customizable user-facing pages - PingFederate - 12.0

PingFederate Server

bundle

pingfederate-120

ft:publication_title

PingFederate Server

Product_Version_ce

PingFederate 12.0 (Latest)

category

Administrator

Administratorguide

Audience

Capability

ContentType

DeploymentMethod

Guide

Product

Productdocumentation

SingleSignonSSO

Software

SystemAdministrator

pf-120

pingfederate

ContentType_ce

Product documentation

Guide

Guide > Administrator Guide

PingFederate supplies HTML templates, located in the <pf_install>/pingfederate/server/default/conf/template directory, to provide information to the end-users or to request user input when processing their requests.

The PingFederate HTML templates utilize the Velocity template engine, an open-source Apache project. For more information about Velocity, please refer to the Velocity project documentation on the Apache website at https://velocity.apache.org.

You can modify most of these pages in a text editor to suit the particular branding and informational needs of your PingFederate installation. CSS and images for these pages are included in the template/assets subdirectory. Each page contains both Velocity constructs and standard HTML. The Velocity engine interprets the commands embedded in the template page before the HTML is rendered in the user's browser. At runtime, PingFederate supplies values for the Velocity variables used in the template.

Note:

You can develop and deploy your own tools using the Velocity tools framework. For a full list of available tools, see Tools Usage Summary in the Apache Velocity documentation.

Each template contains specific variables that can be used for rendering the associated web page. You can see the variables and usage examples in the comments of each template.

The following table describes variables that are available across all templates.

Variable	Description and Usage
`utils`- utility class	The utility method to display JSON String arrays. `$utils.toJsonArray(Collection<Object>)` - Use this method to convert a collection into a JSON string.
`$escape`	A utility class that can be used to escape String variables inserted into the template, such as `$escape.escape($client.name)` where `$client.name` is one of the variables available in the oauth.approval.page.template.html template file. Use `$escape.forJavaScript($variable)` when passing String variables into a JavaScript code block or an event handler within a template, such as `window.location.replace("$escape.forJavaScript($wreply)")` as seen in the sourceid-wsfed-idp-signout-cleanup-template.html template file. Important: Use the `$escape` variable to escape external data, such as request parameters, to mitigate the risk of potential cross-site scripting (XSS) attacks.
`$HttpServletRequest`	A Java object instance of `javax.servlet.http.HttpServletRequest`. Used to add additional knowledge about the request that is otherwise unavailable in the template, such as the `User-Agent` HTTP header.
`$HttpServletResponse`	A Java object instance of `javax.servlet.http.HttpServletResponse`. Used to modify the response in the template, such as setting additional browser cookies.
`$locale`	A Java object instance of `java.util.Locale` that represents a user's country and language. Used to customize the end-user experience. For example, the locale is used to display content in the user's preferred language.
`$CurrentPingFedBaseURL`	The host name found in the request, provided that it matches either the PingFederate's base URL or one of the configured virtual host names.
`$PingFedBaseURL`	The PingFederate base URL. For most deployments, use the `$CurrentPingFedBaseURL` variable instead of the `$PingFedBaseURL` variable.
`$templateMessages`	Used to localize messages in the template, based on user's Locale, an instance of `com.pingidentity.sdk.locale.LanguagePackMessages`. For more information, see the Javadoc for the `LanguagePackMessages` class in the directory `<pf_install>`/pingfederate/sdk/doc.
`$TrackingId`	The user's session tracking ID.

The following describes variables that are available on some templates.

Variable	Description
`$entityId`	The entity ID (connection ID) of the SP connection used in this SSO transaction.
`$connectionName`	The name of the SP Connection used in this SSO transaction.
`$client_id`	The ID of the OAuth client used in this transaction.
`$spAdapterId`	The SP Adapter ID used in this transaction.
`$baseUrl`	The base URL of PingFederate instance.
`$adapterId`	The IdP Adapter ID used in this transaction.
`$oidcUiLocales`	The value of the OpenID Connect `ui_locales` parameter that conveys the user's preferred languages and scripts for the user interface.
`$extendedProperties`	The extended properties defined on either the connection or OAuth client.
`$userAttributes`	The user's display name, email address, and other user-specific data retrieved from the template type used in this transaction. The $userAttributes variable represents the attributes associated with a user's identity and enables the retrieval of user-specific information across templates. In Local Identity Profile (LIP)-related templates, the attribute names of `$userAttributes` are derived from the data store mapping configured in Authentication > Policies > Local Identity Profiles > Data Store Configuration > Data Store Mapping. For example, `userAttributes.email` is an attribute in this context. In Adapter-related templates, the attribute names of `$userAttributes` are based on the configured contract in the LDAP-type password credential validator (PCV). For non-LDAP PCVs, the attribute names are derived from the implementation of the SDK method, `ResettablePasswordCredential.findUser()`. The following attributes are commonly used: `userAttributes.userName` `userAttributes.givenName` `userAttributes.mail` `userAttributes.phone` `userAttributes.pingid` `userAttributes.mailVerified`
`$grantAttributes`	The attributes of the grant used in this transaction.

Important:

Changing Velocity or JavaScript code is not recommended.

At runtime, the user's browser is directed to the appropriate page, depending on the operation being performed and where the related condition occurs. For example, if a single sign-on (SSO) error occurs during identity provider (IdP)-initiated SSO, the user's browser is directed to the IdP's SSO error-handling page.

Applications can override the PingFederate server-hosted pages provided specifically for SSO and single logout (SLO) errors by specifying a URL value in the relevant application endpoint's InErrorResource parameter. Administrators can override SSO and SLO success pages by specifying default URLs on the SP Default URLs window (Applications > Integration > SP Default URLs) or the IdP Default URL window (Authentication > Integration > IdP Default URL).

The Velocity templates retrieve titles and other text from a message-property file, pingfederate-messages.properties, located in the <pf_install>/pingfederate/server/default/conf/language-packs directory. You can also localize these messages using the PingFederate localization framework.

Note:

If you have a clustered PingFederate environment, copy the customized, and localized, templates to each node.

Strict content security policy for HTML templates

Content security policy (CSP) is a security feature that protects against cross-site scripting (XSS) attacks by controlling what resources a web page can load. When creating customizable user-facing pages, ensure that your HTML templates follow a strict CSP to prevent the execution of any unsafe or unauthorized scripts and resources on the user's browser. For more information, see Content Security Policy (CSP) in the Mozilla developer documentation.

PingFederate enforces a CSP on its HTML templates through the <meta> HTML element. The CSP configured though this element varies depending on the template and the use-cases it supports. You can modify the CSP to work with your template customizations and security requirements. The $CSPNonce Velocity variable is available on all templates, and you can use this variable to allow inline scripts and styles by including the nonce in <script> and <script> HTML tags.