Collecting session data from PingAM
Get session data from a PingAM journey (tree) to use in PingFederate.
Steps

- Create a script to collect the desired session data from the PingAM journey that you specified in the adapter settings:
  - In the PingAM administrative console, go to the realm that the journey is in, then go to Scripts and click New Script.
  - In the Name field, give the script a meaningful name.
  - In the Description field, give the script a meaningful description.
  - In the Script Type list, select Decision node script for authentication trees.
  - In the Language section, select JavaScript.
  - In the Evaluator Version section, confirm that the value is Legacy.
  - In the Script field, enter the following sample code.

    The following script sets the username, email and telephone number attributes that PingAM stores as part of authentication as session properties. Use this script as a starting point for the session data that you want to make available to PingFederate.

        /*
         * - Data made available by nodes that have already executed can be read
         *   through the nodeState variable.
         * - The script should set outcome to either "true" or "false".
         * - Note: This script is not fault-tolerant. It is simply meant to give an
         *   idea of how script nodes may be used.
         */
        var fr = JavaImporter(org.forgerock.openam.auth.node.api.Action);

        var userId = nodeState.get("username").asString();

        // Look up attributes by LDAP attribute name.
        var mail = idRepository.getAttribute(userId, "mail").iterator().next();
        var telephoneNumber = idRepository.getAttribute(userId, "telephoneNumber").iterator().next();

        // For each attribute, add a 'putSessionProperty' call. Each property name
        // must also be added to the Session Property Whitelist Service allow list.
        action = fr.Action.goTo("true")
            .putSessionProperty("am.protected.sessionUsername", userId)
            .putSessionProperty("am.protected.mail", mail)
            .putSessionProperty("am.protected.telephoneNumber", telephoneNumber)
            .build();

        outcome = "true";

  - Click Validate.

- Use the script in the authentication journey:

  This procedure assumes that the mail, username, and telephone number attributes are available from a previous node in the journey.

  - Go to Authentication > Trees and open the journey that's being used in the adapter.
  - Drag the Scripted Decision node onto the journey.
  - Select the Scripted Decision node and give the node a meaningful name.
  - In the Script list, select the script that you created in the previous step.
  - In the Outcomes field, enter `true` and press Enter.
  - Connect the True outcome of the DataStore Decision node to the Scripted Decision node.
  - Connect the True outcome of the Scripted Decision node to the Success node.
  - Click Save.

- Add the properties that the script sets in the session to the allow list:
  - In the PingAM administrative console, go to Services.
  - Add or edit the Session Property Whitelist Service. To add this service:
    - Click Add a Service.
    - In the Choose a service type list, search for Session Property Whitelist Service and select it in the list.
  - On the Session Property Whitelist Service page, in the Allowlisted Session Property Names field, add the following properties:
    - am.protected.sessionUsername
    - am.protected.mail
    - am.protected.telephoneNumber
  - Click Save Changes.

- Map the user attributes that you set in the script to their session attribute equivalents:
  - Go to Authentication > Settings and click the Post Authentication Processing Settings tab.
  - In the User Attribute Mapping to Session Attribute field, add the following attribute mappings:
    - mail|mail
    - username|sessionUsername
    - telephoneNumber|telephoneNumber
  - Click Save Changes.

- Test the user journey.
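The sample script in the first step is deliberately not fault-tolerant: if username is missing from the shared state, or a user has no mail or telephoneNumber value, the call chain throws and the journey fails. As an added example (not code from the PingFederate or PingAM documentation), the following JavaScript shows a fail-closed version of that decision logic; nodeState, idRepository and fr.Action are replaced by constructed stubs so it runs outside PingAM, and it assumes nodeState.get() returns null for an absent key and idRepository.getAttribute() returns a possibly empty Set.

```javascript
// Added example, not from the PingFederate or PingAM docs: a fault-tolerant
// variant of the page's scripted decision logic. decide() isolates the
// decision so it can run outside PingAM; the stubs below mimic the bindings
// the page's script uses. Assumption: nodeState.get() returns null for an
// absent key and idRepository.getAttribute() returns a (possibly empty) Set.
var SESSION_PROPERTIES = {   // LDAP attribute -> allowlisted session property name
  mail: "am.protected.mail",
  telephoneNumber: "am.protected.telephoneNumber"
};

// Returns { outcome, action }. In PingAM you would assign these to the
// script's `outcome` and `action` variables instead of returning them.
function decide(nodeState, idRepository, Action) {
  var user = nodeState.get("username");
  if (user == null) {                 // no username from an earlier node
    return { outcome: "false", action: Action.goTo("false").build() };
  }
  var userId = user.asString();
  var builder = Action.goTo("true").putSessionProperty("am.protected.sessionUsername", userId);
  for (var attr in SESSION_PROPERTIES) {
    var values = idRepository.getAttribute(userId, attr);
    if (values == null || values.isEmpty()) {   // missing attribute: fail closed
      return { outcome: "false", action: Action.goTo("false").build() };
    }
    builder = builder.putSessionProperty(SESSION_PROPERTIES[attr], values.iterator().next());
  }
  return { outcome: "true", action: builder.build() };
}

// ---- constructed stubs standing in for the PingAM bindings ----
function stubNodeState(map) {
  return { get: function (k) { return (k in map) ? { asString: function () { return map[k]; } } : null; } };
}
function stubIdRepository(directory) {
  return { getAttribute: function (uid, attr) {
    var v = (directory[uid] || {})[attr] || [];
    return { isEmpty: function () { return v.length === 0; },
             iterator: function () { var i = 0; return { next: function () { return v[i++]; } }; } };
  } };
}
var StubAction = { goTo: function (outcome) {
  var props = {};
  return { putSessionProperty: function (k, v) { props[k] = v; return this; },
           build: function () { return { outcome: outcome, sessionProperties: props }; } };
} };

// Constructed sample directory: bob has no telephoneNumber.
var DIRECTORY = {
  alice: { mail: ["alice@example.com"], telephoneNumber: ["+1-555-0100"] },
  bob: { mail: ["bob@example.com"] }
};
```

With the "false" outcome wired to a Failure node, PingFederate never receives a session that is missing one of the allowlisted properties.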