Customize SAML v2.0 with plugins
AM includes several plugin points that let you extend SAML v2.0 functionality. AM provides some default implementation for the plugins, but you can also configure your own custom implementation per entity provider.
You can implement a custom SAML v2.0 plugin in Java, or for the plugin points described in this section, using a script.
Configure AM to use your custom implementation in the entity provider settings.
Note that if a scripted implementation is configured, it takes precedence over any Java
class that is specified. To make sure the Java class is used, clear any Script
settings in the entity provider configuration.
For more information about configuration settings, see the Reference section.
The following table provides an overview of the SAML v2.0 plugin points that can be implemented using either Java or script.
Plugin | Description |
---|---|
Customize the default IDP attribute mapper to specify which user attributes are included in an assertion. |
|
Customize SAML responses and browser redirects. |
Java implementation
The plugin interfaces and default Java implementation can be found in the openam-federation-library
.
To view the supported plugin interfaces, see the
com.sun.identity.saml2.plugins
package.
Scripted implementation
AM provides a scripting engine and template scripts for you to extend SAML v2.0 behavior by running scripts stored as configuration, rather than by updating code. Creating and modifying plugin scripts enables rapid development without the need to change or recompile core AM.
-
To view the contents of the default scripts in the AM admin UI, including the available script properties, go to Realms > Realm Name > Scripts and select the script you want to examine.
-
To view all the sample scripts, see Sample scripts.
SAML v2.0 scripting API
The following properties are common to all SAML v2.0 plugin scripts. See individual plugins for additional properties specific to the script type.
Show script properties
hostedEntityId
-
The entity ID for the hosted IDP.
logger
-
The logger instance particular to the script type. For more information, see Debug Logging. The output log files will be prefixed by a static string denoting the script type. Always present.
realm
-
The name of the realm that the user is authenticating to.