---
title: Collecting session data from PingAM
description: Get session data from a PingAM journey (tree) to use in PingFederate.
component: pingam
page_id: pingam:setup:pf_pingam_ik_collecting_session_data_from_pingam
canonical_url: https://docs.pingidentity.com/integrations/pingam/setup/pf_pingam_ik_collecting_session_data_from_pingam.html
revdate: August 2, 2024
section_ids:
  steps: Steps
---

# Collecting session data from PingAM

Get session data from a PingAM journey (tree) to use in PingFederate.

## Steps

1. Create a script to collect the desired session data from the PingAM journey that you specified in the [adapter settings](pf_pingam_ik_pingam_idp_adapter_settings_reference.html):

   1. In the PingAM administrative console, go to the realm that the journey is in, then go to **Scripts** and click **New Script**.

   2. In the **Name** field, give the script a meaningful name.

   3. In the **Description** field, give the script a meaningful description.

   4. In the **Script Type** list, select **Decision node script for authentication trees**.

   5. In the **Language** section, select **JavaScript**.

   6. In the **Evaluator Version** section, confirm that the value is **Legacy**.

   7. In the **Script** field, enter the following sample code.

      Note: The following script sets the username, email and telephone number attributes that PingAM stores as part of authentication. Use this script as a starting point for the session data that you want to make available to PingFederate.

      ```javascript
      /*
      - Data made available by nodes that have already executed are available in the sharedState variable.
      - The script should set outcome to either "true" or "false".
      - Note: This script is not fault-tolerant. It is simply meant to give an idea of how script nodes may be used.
      */

      var fr = JavaImporter(org.forgerock.openam.auth.node.api.Action);

      var userId = nodeState.get("username").asString();

      // lookup attributes by LDAP attribute name
      var mail = idRepository.getAttribute(userId, "mail").iterator().next();
      var telephoneNumber = idRepository.getAttribute(userId, "telephoneNumber").iterator().next();

      // for each attribute, add the 'putSessionProperty' method
      action = fr.Action.goTo("true")
          .putSessionProperty("am.protected.sessionUsername", userId)
          .putSessionProperty("am.protected.mail", mail)
          .putSessionProperty("am.protected.telephoneNumber", telephoneNumber)
          .build();

      outcome = "true";
      ```

   8. Click **Validate**.

2. Use the script in the authentication journey:

   Note: This procedure assumes that the mail, username, and telephone number attributes are available from a previous node in the journey.

   1. Go to **Authentication > Trees** and open the journey that's being used in the adapter.

   2. Drag the **Scripted Decision** node onto the journey.

   3. Select the **Scripted Decision** node and give the node a meaningful name.

   4. In the **Script** list, select the script that you created in the previous step.

   5. In the **Outcomes** field, enter `true`. Press Enter.

   6. Connect the `True` outcome of the **DataStore Decision** node to the **Scripted Decision** node.

   7. Connect the `True` outcome of the **Scripted Decision** node to the **Success** node.

   8. Click **Save**.

3. Add the properties that the script sets in the session to the allow list:

   1. In the PingAM administrative console, go to **Services**.

   2. Add or edit the **Session Property Whitelist Service**. To add this service:

      1. Click **Add a Service**.

      2. In the **Choose a service type** list, search for `Session Property Whitelist Service` and select it in the list.

   3. On the **Session Property Whitelist Service** page, in the **Allowlisted Session Property Names** field, add the following properties:

      * `am.protected.sessionUsername`

      * `am.protected.mail`

      * `am.protected.telephoneNumber`

   4. Click **Save Changes**.

4. Map the user attributes that you set in the script to their session attribute equivalents:

   1. Go to **Authentication > Settings** and click the **Post Authentication Processing Settings** tab.

   2. In the **User Attribute Mapping to Session Attribute** field, add the following attribute mappings:

      * `mail|mail`

      * `username|sessionUsername`

      * `telephoneNumber|telephoneNumber`

   3. Click **Save Changes**.

5. Test the user journey.
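
Before testing, the session properties that the script sets in step 1 can be compared with the allow list from step 3. The following check is an added example, not part of the Ping Identity documentation: it runs in Node.js outside PingAM, its function names are hypothetical, and its input is the script excerpt and allow list from this page, embedded as constructed strings.

```javascript
// Constructed input: the putSessionProperty chain from step 1 and the allow list from step 3.
var scriptSource = [
  '// for each attribute, add the \'putSessionProperty\' method',
  'action = fr.Action.goTo("true").putSessionProperty("am.protected.sessionUsername", userId)',
  '.putSessionProperty("am.protected.mail", mail)',
  '.putSessionProperty("am.protected.telephoneNumber", telephoneNumber)',
  '.build();'
].join("\n");
var allowlist = [
  "am.protected.sessionUsername",
  "am.protected.mail",
  "am.protected.telephoneNumber"
];

// Hypothetical helper: list the property names passed as string literals to
// putSessionProperty(), ignoring comments. Calls whose name is not a literal
// cannot be resolved statically and are counted so they get a manual review.
function extractSessionProperties(source) {
  var code = source.replace(/\/\*[\s\S]*?\*\/|\/\/.*$/gm, "");
  var literal = /\.putSessionProperty\s*\(\s*(["'])([^"']+)\1\s*,/g;
  var names = [], literalCalls = 0, m;
  while ((m = literal.exec(code)) !== null) {
    literalCalls++;
    if (names.indexOf(m[2]) === -1) names.push(m[2]);
  }
  var allCalls = (code.match(/\.putSessionProperty\s*\(/g) || []).length;
  return { names: names, unresolved: allCalls - literalCalls };
}

// Hypothetical helper: compare what the script sets with what is allowlisted.
//   missing: set by the script but absent from the allow list (step 3 incomplete)
//   unused:  on the allow list but never set by the script (candidate for removal)
function compareWithAllowlist(source, allowed) {
  var found = extractSessionProperties(source);
  return {
    missing: found.names.filter(function (n) { return allowed.indexOf(n) === -1; }),
    unused: allowed.filter(function (n) { return found.names.indexOf(n) === -1; }),
    unresolved: found.unresolved
  };
}

var report = compareWithAllowlist(scriptSource, allowlist);
console.log(JSON.stringify(report, null, 2));
```

All three lists come back empty for the script and allow list on this page. Rerun the check whenever the script gains or loses a `putSessionProperty` call.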
