PingOne

Collecting session data from PingAM

Get session data from a PingAM journey (tree) to use in PingFederate.

Steps

  1. Create a script to collect the desired session data from the PingAM journey that you specified in the adapter settings:

    1. In the PingAM administrative console, go to the realm that the journey is in, then go to Scripts and click New Script.

    2. In the Name field, give the script a meaningful name.

    3. In the Description field, give the script a meaningful description.

    4. In the Script Type list, select Decision node script for authentication trees.

    5. In the Language section, select JavaScript.

    6. In the Evaluator Version section, confirm that the value is Legacy.

    7. In the Script field, enter the following sample code.

      The following script stores the username, email address, and telephone number as session properties that PingAM keeps with the authenticated session. Use this script as a starting point for the session data that you want to make available to PingFederate.

      /*
      - Data made available by nodes that have already executed is available through the nodeState binding (the journey's shared state).
      - The script should set outcome to either "true" or "false".
      - Note: This script is not fault-tolerant. It is simply meant to give an idea of how script nodes may be used.
      */
      
      // Import the Action class so the script can build an Action that carries session properties.
      var fr = JavaImporter(org.forgerock.openam.auth.node.api.Action);
      
      // Username placed in shared state by an earlier node in the journey.
      var userId = nodeState.get("username").asString();
      
      // Look up attributes by LDAP attribute name. next() throws if the user has no value for the attribute.
      var mail = idRepository.getAttribute(userId, "mail").iterator().next();
      var telephoneNumber = idRepository.getAttribute(userId, "telephoneNumber").iterator().next();
      
      // Chain one putSessionProperty call per value that should be stored in the session.
      action = fr.Action.goTo("true").putSessionProperty("am.protected.sessionUsername", userId)
      .putSessionProperty("am.protected.mail", mail)
      .putSessionProperty("am.protected.telephoneNumber", telephoneNumber)
      .build();
      
      outcome = "true";

    8. Click Validate.

  2. Use the script in the authentication journey:

    This procedure assumes that the mail, username, and telephone number attributes are available from a previous node in the journey.

    1. Go to Authentication → Trees and open the journey that’s being used in the adapter.

    2. Drag the Scripted Decision node onto the journey.

    3. Select the Scripted Decision node and give the node a meaningful name.

    4. In the Script list, select the script that you created in the previous step.

    5. In the Outcomes field, enter true. Press Enter.

    6. Connect the True outcome of the Data Store Decision node to the Scripted Decision node.

    7. Connect the True outcome of the Scripted Decision node to the Success node.

    8. Click Save.

  3. Add the properties that the script sets in the session to the allow list:

    1. In the PingAM administrative console, go to Services.

    2. Add or edit the Session Property Whitelist Service. To add this service:

      1. Click Add a Service.

      2. In the Choose a service type list, search for Session Property Whitelist Service and select it in the list.

    3. On the Session Property Whitelist Service page, in the Allowlisted Session Property Names field, add the following properties:

      • am.protected.sessionUsername

      • am.protected.mail

      • am.protected.telephoneNumber

    4. Click Save Changes.

  4. Map the user attributes that you set in the script to their session attribute equivalents:

    1. Go to Authentication → Settings and click the Post Authentication Processing Settings tab.

    2. In the User Attribute Mapping to Session Attribute field, add the following attribute mappings, each in the form user attribute|session attribute:

      • mail|mail

      • username|sessionUsername

      • telephoneNumber|telephoneNumber

    3. Click Save Changes.

  5. Test the user journey.
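The sample script in step 1 is, as its own comment says, not fault-tolerant: iterator().next() throws for a user who has no value for mail or telephoneNumber, and the whole journey fails with an error rather than a decision. The following example, which is added here and is not code from the PingOne documentation or from PingAM, shows the same session-collection logic written defensively and split into plain functions so that it can be exercised offline. The nodeState, idRepository and Action bindings that PingAM supplies to a Scripted Decision node are replaced by constructed stubs (an assumption about their shape, covering only the calls used); SAMPLE_DIRECTORY is constructed data. The legacy evaluator runs Rhino, so when porting the logic into the node script replace const and let with var.

```javascript
// Added example (not from the PingOne docs or PingAM): fault-tolerant
// collection of session properties. `nodeState`, `idRepository` and the
// Action builder are injected, so the real PingAM bindings or the stubs
// below can be passed in.

// LDAP attribute name -> session property name. Every session property name
// must also be on the Session Property Whitelist Service allow list.
const SESSION_PROPERTY_MAP = {
  mail: "am.protected.mail",
  telephoneNumber: "am.protected.telephoneNumber",
};

// First value of a user attribute, or null when the user has none. Checking
// hasNext() first is what the sample script omits.
function firstAttributeValue(idRepository, userId, attributeName) {
  const it = idRepository.getAttribute(userId, attributeName).iterator();
  return it.hasNext() ? String(it.next()) : null;
}

// Collect session properties for the authenticated user. A missing username
// cannot be recovered from, so the outcome is "false"; a missing optional
// attribute is omitted (assumption: PingFederate treats it as optional).
function collectSessionProperties(nodeState, idRepository) {
  const username = nodeState.get("username"); // assumption: null when absent
  if (username === null || username === undefined) {
    return { outcome: "false", properties: {} };
  }
  const userId = username.asString();
  const properties = { "am.protected.sessionUsername": userId };
  for (const ldapName of Object.keys(SESSION_PROPERTY_MAP)) {
    const value = firstAttributeValue(idRepository, userId, ldapName);
    if (value !== null) {
      properties[SESSION_PROPERTY_MAP[ldapName]] = value;
    }
  }
  return { outcome: "true", properties };
}

// Build the Action through the same goTo/putSessionProperty/build chain the
// sample script uses. In PingAM `ActionClass` is fr.Action.
function buildAction(ActionClass, result) {
  let builder = ActionClass.goTo(result.outcome);
  for (const name of Object.keys(result.properties)) {
    builder = builder.putSessionProperty(name, result.properties[name]);
  }
  return builder.build();
}

// ---- Constructed stubs for offline use (not PingAM's real bindings) ----

// Constructed sample directory: alice has both attributes, bob has no phone.
const SAMPLE_DIRECTORY = {
  alice: { mail: ["alice@example.com"], telephoneNumber: ["+1-555-0100"] },
  bob: { mail: ["bob@example.com"] },
};

// Stub nodeState/idRepository over a shared-state map and the directory,
// imitating Java Iterator semantics (hasNext/next).
function makeStubBindings(sharedState, directory) {
  const nodeState = {
    get: (key) => (key in sharedState ? { asString: () => sharedState[key] } : null),
  };
  const idRepository = {
    getAttribute: (userId, attr) => {
      const values = (directory[userId] && directory[userId][attr]) || [];
      return {
        iterator: () => {
          let i = 0;
          return { hasNext: () => i < values.length, next: () => values[i++] };
        },
      };
    },
  };
  return { nodeState, idRepository };
}

// Stub Action builder that records what was put into the session.
const StubAction = {
  goTo: (outcome) => {
    const sessionProperties = {};
    const builder = {
      putSessionProperty: (name, value) => {
        sessionProperties[name] = value;
        return builder;
      },
      build: () => ({ outcome, sessionProperties }),
    };
    return builder;
  },
};

// Run the cases the sample script cannot handle: a complete user, a user
// missing an attribute, and a journey with no username in shared state.
function demo() {
  return ["alice", "bob", null].map((user) => {
    const shared = user === null ? {} : { username: user };
    const { nodeState, idRepository } = makeStubBindings(shared, SAMPLE_DIRECTORY);
    return buildAction(StubAction, collectSessionProperties(nodeState, idRepository));
  });
}
```

Whether a missing attribute should degrade to a session without that property, as here, or fail the journey with outcome "false" depends on whether the PingFederate side requires the attribute; pick one behaviour deliberately so that a user with an incomplete directory entry does not end up with an unexpected error page.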