Example OGNL expressions
The following examples show common ways you might want to customize your outgoing SAML assertion.
Example 1: AuthnContextClassRef based on SAML_AUTHN_CTX
To send AuthnContextClassRef based on the SAML_AUTHN_CTX attribute from your PingFederate authentication policy, use the following expression:
#req = #AuthnRequestDocument.getAuthnRequest(),
#newctx = #ChainedAttributes.get("SAML_AUTHN_CTX"),
#newctx && (
    #req.isSetRequestedAuthnContext() && #req.unsetRequestedAuthnContext(),
    #ctx = #req.addNewRequestedAuthnContext(),
    #ctx.addAuthnContextClassRef(#newctx.toString())
)
The #newctx && guard makes the rest of the expression a no-op when the attribute is absent, and any RequestedAuthnContext already present is removed before the new one is added, so only one is sent. In this example, the value of the SAML_AUTHN_CTX attribute is "Password" and the expression sends the following:
<AuthnRequest Version="2.0" ID="gjmkj6OVk9tVhd1kvno63j92pqb" IssueInstant="2021-05-11T21:36:42.953Z" xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:urn="urn:oasis:names:tc:SAML:2.0:assertion">
    <urn:Issuer>localhost:default:entityId</urn:Issuer>
    <urn:Subject>
        <urn:NameID>rsa@demo.com</urn:NameID>
    </urn:Subject>
    <NameIDPolicy AllowCreate="true"/>
    <RequestedAuthnContext>
        <urn:AuthnContextClassRef>Password</urn:AuthnContextClassRef>
    </RequestedAuthnContext>
</AuthnRequest>
Example 2: AuthnContextClassRef based on SP entity ID
To send AuthnContextClassRef based on the service provider (SP) entity ID, use the following expression:
#Salesforce = "salesforceSPConnection",
#req = #AuthnRequestDocument.getAuthnRequest(),
#newctx = #Salesforce == #FedHubSpConnPartnerId ? "urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:PingFed_Lev_Low" : null,
#newctx && (
    #req.isSetRequestedAuthnContext() && #req.unsetRequestedAuthnContext(),
    #ctx = #req.addNewRequestedAuthnContext(),
    #ctx.addAuthnContextClassRef(#newctx.toString())
)
In this example, the SP connection used is Salesforce: #Salesforce holds the entity ID of the target SP, and #FedHubSpConnPartnerId is the SP entity ID of the connection being processed. When they match, the value urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:PingFed_Lev_Low is sent as the AuthnContextClassRef; for any other SP, #newctx is null and the request is left unchanged.
For other variables, see Message types and available variables in the PingFederate documentation.
The expression sends the following:
<AuthnRequest Version="2.0" ID="gjmkj6OVk9tVhd1kvno63j92pqb" IssueInstant="2021-05-11T21:36:42.953Z" xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:urn="urn:oasis:names:tc:SAML:2.0:assertion">
    <urn:Issuer>localhost:default:entityId</urn:Issuer>
    <urn:Subject>
        <urn:NameID>rsa@demo.com</urn:NameID>
    </urn:Subject>
    <NameIDPolicy AllowCreate="true"/>
    <RequestedAuthnContext>
        <urn:AuthnContextClassRef>urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:PingFed_Lev_Low</urn:AuthnContextClassRef>
    </RequestedAuthnContext>
</AuthnRequest>
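The decision logic of both examples and the unset/re-add step they share, as an added Python example for checking the resulting AuthnRequest offline (not code from the PingFederate documentation or product). The sample request, the STEPUP_CTX and SALESFORCE_SP constants and the function names are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("", SAMLP)
ET.register_namespace("urn", SAML)

# Values from Example 2 (assumed constants for this illustration)
STEPUP_CTX = "urn:rsa:names:tc:SAML:2.0:ac:classes:spec:stepup:PingFed_Lev_Low"
SALESFORCE_SP = "salesforceSPConnection"

# Constructed sample: an AuthnRequest that already carries a RequestedAuthnContext,
# so the isSetRequestedAuthnContext()/unsetRequestedAuthnContext() branch is exercised.
SAMPLE_REQUEST = (
    f'<AuthnRequest Version="2.0" ID="_sample" xmlns="{SAMLP}" xmlns:urn="{SAML}">'
    '<urn:Issuer>localhost:default:entityId</urn:Issuer>'
    '<RequestedAuthnContext><urn:AuthnContextClassRef>'
    'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified'
    '</urn:AuthnContextClassRef></RequestedAuthnContext>'
    '</AuthnRequest>'
)

def class_ref_from_attributes(chained_attributes):
    """Example 1: the class ref is the SAML_AUTHN_CTX policy attribute, if present."""
    value = chained_attributes.get("SAML_AUTHN_CTX")
    return str(value) if value else None

def class_ref_for_sp(sp_entity_id):
    """Example 2: only the Salesforce SP connection gets the step-up class ref."""
    return STEPUP_CTX if sp_entity_id == SALESFORCE_SP else None

def set_requested_authn_context(xml_text, new_ctx):
    """Mirror the shared OGNL tail: no-op when new_ctx is empty, otherwise replace
    any existing RequestedAuthnContext with one holding a single AuthnContextClassRef."""
    if not new_ctx:
        return xml_text
    root = ET.fromstring(xml_text)
    for old in root.findall(f"{{{SAMLP}}}RequestedAuthnContext"):
        root.remove(old)
    ctx = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext")
    ET.SubElement(ctx, f"{{{SAML}}}AuthnContextClassRef").text = new_ctx
    return ET.tostring(root, encoding="unicode")

def requested_class_refs(xml_text):
    """Extract every AuthnContextClassRef: the value an SP-side check would verify."""
    root = ET.fromstring(xml_text)
    return [e.text for e in root.iter(f"{{{SAML}}}AuthnContextClassRef")]
```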