Apache Linux Integration Kit

Session information and user attributes

The PingFederate Apache agent passes session information and user attributes from the adapter to the application.

The Apache agent includes the information in HTTP request headers or Apache environment variables. This information can then be used by the application for authorization decisions or for generation of content specific to the user making the request.

The following session and attribute information is exposed to the application:

Attributes from the OpenToken Adapter contract

The subject (SUBJECT) and any attributes that you add on the Extended Contract tab of the adapter configuration. Only the attributes fulfilled at runtime are exposed to the application. Attributes with a NULL value aren’t included in the OpenToken.

NOT-ON-OR-AFTER

The time until inactivity timeout is reached.

RENEW-UNTIL

The time until overall session timeout is reached.

AUTH_NOT-BEFORE

The time when the session was created.

AUTHNCONTEXT

Information from the SAML assertion that describes how the user was authenticated at the IdP.

For security reasons, each HTTP request header or Apache environment variable is first prepended with a specific prefix. Learn more about configuring the prefix in Configuring the Apache agent. The Apache agent always removes and rewrites the prefixed request headers and environment variables for each request.

If you can’t modify your applications to accept headers with this prefix, you can configure the Apache agent to add a prefix to the HTTP headers or environment variables. In this case, on the Extended Contract tab of the OpenToken Adapter configuration, include an attribute named pf_attribute_list. Map that attribute in your identity provider (IdP) connection as a text field containing a comma-separated list of all the attributes in the adapter contract. This attribute list is sent in the OpenToken and used by the Apache agent to overwrite headers in the request.

Learn more about Configuring target session fulfillment in the PingFederate documentation.
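
The following is an added example, not code from the integration kit: a sketch of how an application behind the agent could read the session information and attributes listed above, trusting only names that carry the configured prefix and failing closed on the two timeouts. The prefix value EXAMPLE_PREFIX_, the ISO 8601 UTC timestamp format, the group attribute, and the function name read_session are assumptions made for illustration.

```python
from datetime import datetime, timezone

PREFIX = "EXAMPLE_PREFIX_"  # assumption: placeholder for the prefix configured in the agent
SESSION_KEYS = ("NOT-ON-OR-AFTER", "RENEW-UNTIL", "AUTH_NOT-BEFORE", "AUTHNCONTEXT")


def _parse(ts):
    # Assumption: timestamps are ISO 8601 in UTC, e.g. 2030-01-01T10:00:00Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def read_session(variables, now, prefix=PREFIX):
    """Return (subject, attributes, session) using prefixed variables only.

    Raises PermissionError if SUBJECT is absent or either timeout has passed.
    """
    # Names without the prefix were not written by the agent, so drop them.
    prefixed = {k[len(prefix):]: v for k, v in variables.items() if k.startswith(prefix)}
    subject = prefixed.pop("SUBJECT", None)
    if not subject:
        raise PermissionError("no prefixed SUBJECT")
    session = {k: prefixed.pop(k) for k in SESSION_KEYS if k in prefixed}
    for key in ("NOT-ON-OR-AFTER", "RENEW-UNTIL"):
        try:
            expired = now >= _parse(session[key])
        except (KeyError, ValueError):
            expired = True  # missing or unparseable timestamp: fail closed
        if expired:
            raise PermissionError(f"{key} missing, malformed or in the past")
    return subject, prefixed, session


# Constructed sample of what the application might receive.
SAMPLE = {
    "SUBJECT": "admin",  # no prefix: not written by the agent, ignored
    "EXAMPLE_PREFIX_SUBJECT": "jdoe",
    "EXAMPLE_PREFIX_group": "staff",  # hypothetical Extended Contract attribute
    "EXAMPLE_PREFIX_NOT-ON-OR-AFTER": "2030-01-01T10:30:00Z",
    "EXAMPLE_PREFIX_RENEW-UNTIL": "2030-01-01T18:00:00Z",
    "EXAMPLE_PREFIX_AUTH_NOT-BEFORE": "2030-01-01T10:00:00Z",
}

if __name__ == "__main__":
    print(read_session(SAMPLE, datetime(2030, 1, 1, 10, 5, tzinfo=timezone.utc)))
```

Because only attributes fulfilled at runtime are exposed, the sketch treats every session field except SUBJECT and the two timeouts as optional.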