IDP attribute mapper plugin
Use this plugin to map user-configured attributes to SAML attribute objects to insert into the generated SAML assertion.
The default implementation is to retrieve the mapped attribute values from the user profile first. If the attribute values are not present in the user’s profile, then the plugin attempts to retrieve them from the user’s session.
Java implementation
To create a custom IDP attribute mapper in Java, follow these high-level steps:
- Include the openam-federation-library as a dependency in your Maven project.
- Write a Java class that implements the com.sun.identity.saml2.plugins.IDPAttributeMapper interface, or extends the com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper class.
- Override the getAttributes() method to customize the list of attributes returned.
- Package your custom class in a JAR file and copy it to the /WEB-INF/lib folder where you deployed AM.
- Configure AM to use the new Java plugin:
  - In the AM admin UI, go to Realms > Realm Name > Applications > Federation > Entity Providers > Hosted IDP Name > Assertion Processing.
  - In the Attribute Mapper field, type the fully qualified name of your custom class.
  - Save your changes.
- Restart AM or the container in which it runs.
Learn more in How do I create a custom SAML2 IDP attribute mapper in PingAM? in the Knowledge Base.
- Java interface: com.sun.identity.saml2.plugins.IDPAttributeMapper
- Default Java class: com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper
Scripted implementation
To view the default script, including the available script properties, see saml2-idp-attribute-mapper.js.
To view or modify the default script in the AM admin UI, go to Realms > Realm Name > Scripts and select SAML2 IDP Attribute Mapper Script.
Customize the IDP attribute mapper script
Complete the following steps to implement an example IDP attribute mapper script that modifies the SAML attributes that are inserted in the assertion returned by the IDP.
If you prefer to create a new script, reference the new script name when you configure the hosted entity provider.
For more information, see Manage scripts (UI).
This task assumes your environment is already correctly configured for single sign-on using SAML v2.0, where AM is the hosted IDP.
- In the AM admin UI, go to Realms > Realm Name > Scripts, and click SAML2 IDP Attribute Mapper Script to modify the default script. Alternatively, create a new script of type Saml2 IDP Attribute Mapper.
- In the Script field, insert the following lines of example code to return a custom static attribute, around line 150, preceding return attributes;:

    var customSet = new java.util.HashSet();
    customSet.add("test");
    attributes.add(idpAttributeMapperScriptHelper.createSAMLAttribute("customSAMLAttribute", null, customSet));

  For information about the bindings that are available to the script, see IDP attribute mapper scripting API.
- Validate and save your changes.
- Configure AM to use the updated IDP attribute mapper script:
  - Still in the AM admin UI, go to Applications > Federation > Entity Providers > Hosted IDP Name > Assertion Processing.
  - In the Attribute Mapper Script field, select SAML2 IDP Attribute Mapper Script. If you created a new script rather than modifying the default, select your script name.
  - Save your changes.
- Test your changes and verify that the AttributeStatement element in the SAML assertion contains the custom attribute. For example:

    <saml:AttributeStatement>
      <saml:Attribute Name="customSAMLAttribute">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
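As an added example (not the page's snippet, the default script, or PingAM's own code), the following extends the static-attribute step above into a per-SP release policy, so a service provider only receives the attributes it is allowed to see and nothing is emitted for unknown SPs or empty values. It assumes placeholder SP entity IDs, hypothetical session property names, a pipe-separated convention for multi-valued properties, and that the session binding exposes getProperty(name) as the SSOToken interface does.

```javascript
// Added example, not the default saml2-idp-attribute-mapper.js: release extra SAML
// attributes per service provider instead of one static value for every SP. The policy
// is plain JavaScript so it can be tested outside AM; only the last block touches the
// script bindings (attributes, remoteEntityId, session, idpAttributeMapperScriptHelper).

// Constructed allowlist: for each remote SP entity ID (placeholders), the session
// properties it may receive and the SAML attribute name to emit them under.
// The property names are hypothetical; use the ones your sessions actually carry.
var RELEASE_POLICY = {
  "https://sp-hr.example.com/metadata": {
    "costCenter": "CostCenter",
    "employeeType": "EmployeeType"
  },
  "https://sp-wiki.example.com/metadata": {
    "employeeType": "EmployeeType"
  }
};

// Returns [{ name: <SAML attribute name>, values: [<string>, ...] }] for one SP.
// getProperty(propName) supplies the session value (null/undefined when absent).
// Assumed convention: multi-valued properties are stored pipe-separated. SPs not in
// the policy get nothing; absent or blank properties are skipped, so the assertion
// never carries an empty AttributeValue.
function extraAttributesFor(remoteEntityId, getProperty) {
  var mapping = RELEASE_POLICY[remoteEntityId];
  if (!mapping) return [];
  var result = [];
  Object.keys(mapping).forEach(function (prop) {
    var raw = getProperty(prop);
    var values = (raw == null ? "" : String(raw)).split("|")
      .map(function (v) { return v.trim(); })
      .filter(function (v) { return v.length > 0; });
    if (values.length > 0) {
      result.push({ name: mapping[prop], values: values });
    }
  });
  return result;
}

// Glue that runs only inside AM. It mirrors the page's snippet: values go into a
// java.util.HashSet and createSAMLAttribute(name, nameFormat, values) builds the
// attribute. session.getProperty(name) is assumed to follow the SSOToken interface.
if (typeof idpAttributeMapperScriptHelper !== "undefined") {
  extraAttributesFor(String(remoteEntityId), function (p) {
    return session.getProperty(p);
  }).forEach(function (a) {
    var valueSet = new java.util.HashSet();
    a.values.forEach(function (v) { valueSet.add(v); });
    attributes.add(idpAttributeMapperScriptHelper.createSAMLAttribute(a.name, null, valueSet));
  });
}
```

Placed before return attributes; in the script, the policy block adds only the allowed attributes for the requesting SP while the default profile-mapped attributes are left untouched.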
IDP attribute mapper scripting API
The following properties are available to IDP attribute mapper scripts, in addition to the common SAML v2.0 properties.
- idpAttributeMapperScriptHelper: An IdpAttributeMapperScriptHelper instance containing methods used for IDP attribute mapping. See the IdpAttributeMapperScriptHelper interface. Always present.
- remoteEntityId: The remote entity ID.
- session: Contains a representation of the user’s single sign-on session object. See the SSOToken interface for information about SSO token and authentication information, as well as session-related properties.