Access Management 7.2.2

Customize SAML v2.0 with plugins

AM includes several plugin points that let you extend SAML v2.0 functionality. AM provides some default implementation for the plugins, but you can also configure your own custom implementation per entity provider.

You can implement a custom SAML v2.0 plugin in Java, or for the plugin points described in this section, using a script.

Configure AM to use your custom implementation in the entity provider settings.

Note that if a scripted implementation is configured, it takes precedence over any Java class that is specified. To make sure the Java class is used, clear any Script settings in the entity provider configuration.

For more information about configuration settings, see the Reference section.

The following table provides an overview of the SAML v2.0 plugin points that can be implemented using either Java or script.

Plugin Description

Customize the default IDP attribute mapper to specify which user attributes are included in an assertion.

Customize SAML responses and browser redirects.

Java implementation

The plugin interfaces and default Java implementation can be found in the openam-federation-library.

To view the supported plugin interfaces, see the com.sun.identity.saml2.plugins package.

Scripted implementation

AM provides a scripting engine and template scripts for you to extend SAML v2.0 behavior by running scripts stored as configuration, rather than by updating code. Creating and modifying plugin scripts enables rapid development without the need to change or recompile core AM.

  • To view the contents of the default scripts in the AM admin UI, including the available script properties, go to Realms > Realm Name > Scripts and select the script you want to examine.

  • To view all the sample scripts, see Sample scripts.

SAML v2.0 scripting API

The following properties are common to all SAML v2.0 plugin scripts. See individual plugins for additional properties specific to the script type.

Show script properties
hostedEntityId

The entity ID for the hosted IDP.

logger

The logger instance particular to the script type. For more information, see Debug Logging. The output log files will be prefixed by a static string denoting the script type. Always present.

realm

The name of the realm that the user is authenticating to.