.NET Integration Kit

SP single sign-on integration

When PingFederate is configured as an SP, it takes inbound SAML assertions and converts them to some local format (cookie or otherwise) that can be used by an application to create a user’s session. For an OpenToken, the PingFederate adapter takes the attributes and values from the SAML assertion and stores them in an OpenToken cookie or query parameter in the user’s browser. The user is then redirected to the target application, which can then identify the user from the OpenToken, using the Agent API.

As with the IdP, you can use the Agent API to read tokens directly. The Agent API is a .NET class that provides access to functionality for reading an OpenToken from a given HTTP request.

Reading attributes

The ReadToken method inspects the cookie (or query parameters, depending on the agent configuration), decodes the OpenToken, and returns a collection of attributes.

If there is no token, it returns a null result. If an error occurs while reading the token, it returns a null result and a TokenException is thrown.

The following code snippet shows the ReadToken method:

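try {
   // Request is the current HTTP request; agent is the configured Agent instance
   IDictionary userInfo = agent.ReadToken(Request);
   if(userInfo != null) {
      // A token was present and decoded; the subject identifies the user
      String username = (String)userInfo[Agent.TOKEN_SUBJECT];
   }
   // userInfo == null: no token in the request, so no user is identified
}
catch(TokenException e) {
   // Handle exception: the token could not be read, so no user is identified
}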

Receiving multi-value attributes

The Agent Toolkit for .NET supports receiving multi-value attributes from PingFederate. Multi-value attributes are passed using the opentoken.MultiStringDictionary collection.

The following code snippet shows how to process multi-value attributes:

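try {
   // Same as ReadToken, but each attribute maps to a list of values
   MultiStringDictionary userInfo =
      agent.ReadTokenMultiStringDictionary(Request);
   if(userInfo != null) {
      // The subject is the first value of the subject attribute
      String username = userInfo[Agent.TOKEN_SUBJECT][0];
      // "GROUP" is a multi-value attribute carrying all of its values
      List<String> groups = userInfo["GROUP"];
   }
}
catch(TokenException e) {
   // Handle exception: the token could not be read, so no user is identified
}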
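
The following is an added example, not code from the integration kit: it shows a fail-closed access decision over the attributes returned by the multi-value read above. TokenGate, AuthorizedSubject, the "payroll-admins" group and the sample dictionaries are hypothetical; the attributes are assumed to have been copied into a plain dictionary, with null standing for "no token" or a caught TokenException, and the subject key in a real application would be Agent.TOKEN_SUBJECT.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not Ping Identity code. TokenGate and its members are hypothetical names.
public static class TokenGate
{
    // attrs: attributes read from the OpenToken, copied into a plain dictionary
    //        (null when there was no token or reading it threw TokenException).
    // subjectKey: pass Agent.TOKEN_SUBJECT in a real application.
    // Returns the subject when the user may proceed, otherwise null (fail closed).
    public static string AuthorizedSubject(
        IDictionary<string, List<string>> attrs,
        string subjectKey, string groupKey, string requiredGroup)
    {
        if (attrs == null) return null;   // no token or read error

        // Design choice of this example: exactly one non-empty subject value.
        if (!attrs.TryGetValue(subjectKey, out var subjects) ||
            subjects == null || subjects.Count != 1 ||
            string.IsNullOrWhiteSpace(subjects[0]))
            return null;

        // The group attribute may be absent; treat that as "member of no groups".
        if (!attrs.TryGetValue(groupKey, out var groups) || groups == null)
            return null;

        // Ordinal comparison: exact match, no case folding or culture rules.
        return groups.Contains(requiredGroup, StringComparer.Ordinal)
            ? subjects[0] : null;
    }

    public static void Main()
    {
        // Constructed sample attributes; "subject" stands in for Agent.TOKEN_SUBJECT.
        var ok = new Dictionary<string, List<string>> {
            ["subject"] = new List<string> { "jdoe" },
            ["GROUP"]   = new List<string> { "staff", "payroll-admins" } };
        var noGroup = new Dictionary<string, List<string>> {
            ["subject"] = new List<string> { "jdoe" } };

        Console.WriteLine(AuthorizedSubject(ok, "subject", "GROUP", "payroll-admins") ?? "denied");
        Console.WriteLine(AuthorizedSubject(ok, "subject", "GROUP", "Payroll-Admins") ?? "denied");
        Console.WriteLine(AuthorizedSubject(noGroup, "subject", "GROUP", "payroll-admins") ?? "denied");
        Console.WriteLine(AuthorizedSubject(null, "subject", "GROUP", "payroll-admins") ?? "denied");
    }
}
```

Only the first call yields a subject; the differently cased group name, the missing GROUP attribute and the null token are all denied.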