PingAM

Customize SAML 2.0

AM includes several plugin points that let you extend SAML 2.0 functionality. AM provides default implementations for the plugins, but you can also configure your own custom implementation per entity provider.

You can implement a custom SAML 2.0 plugin in Java or, for the plugin points described in this section, as a script.

Configure AM to use your custom implementation in the entity provider settings. For information about configuration settings, refer to the Reference section.

If configured, a scripted implementation takes precedence over any Java class that is specified. To make sure the Java class is used, clear any Script settings in the entity provider configuration.

The following table provides an overview of the SAML 2.0 plugin points that can be implemented using either Java or script.

Plugin points:

  • Customize the default IdP attribute mapper to specify which user attributes are included in an assertion.

  • Customize SAML responses and browser redirects.

  • Customize configuration in the hosted SP adapter environment.

Java implementation

The plugin interfaces and default Java implementation can be found in the openam-federation-library.

To view the supported plugin interfaces, refer to these packages:

Scripted implementation

AM provides a scripting engine and template scripts for you to extend SAML 2.0 behavior by running scripts stored as configuration, rather than by updating code. Creating and modifying plugin scripts enables rapid development without the need to change or recompile core AM.

  • To explore the default scripts in the AM admin UI, including the available script properties, go to Realms > Realm Name > Scripts and select the script you want to examine.

  • For all available sample scripts, refer to Sample scripts.

SAML 2.0 scripting API

The following properties are common to all SAML 2.0 plugin scripts. Refer to individual plugins for additional properties specific to the script type.

Bindings:

  • hostedEntityId: The entity ID for the hosted IdP.

  • logger: The logger instance particular to the script type. For more information, refer to Debug Logging. The output log files will be prefixed by a static string denoting the script type. Always present.

  • realm: The name of the realm that the user is authenticating to.
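The following is an added example, not a script from PingAM or its sample scripts, showing the shape of a scripted IdP attribute mapper (the first plugin point above) that uses the common bindings hostedEntityId, realm and logger. In AM the script engine injects those bindings; here they are constructed stand-ins so the file runs under plain Node. The attribute-map format, the user-profile shape and the logger's message() method are assumptions for illustration. The security point it demonstrates is that the mapper is an explicit allow-list: only attributes named in the map are released into the assertion, and a small set of sensitive profile attributes is refused even if someone maps them.

```javascript
// Added example (not from the PingAM docs): a minimal SAML 2.0 IdP attribute
// mapper in plain JavaScript. AM injects hostedEntityId, realm and logger into
// plugin scripts; below they are constructed stubs so this runs offline.

// Constructed stand-ins for the common script bindings described on the page.
const hostedEntityId = "https://idp.example.com/am/saml2/idp"; // constructed value
const realm = "/employees";                                    // constructed value
const logger = {
  lines: [],
  // Assumed method name; the real logger API is described under Debug Logging.
  message(msg) { this.lines.push(`SAML2IDPAttributeMapper: ${msg}`); },
};

// Mapping of assertion attribute name -> user profile attribute. This is the
// allow-list: anything not listed here is never released in the assertion.
const ATTRIBUTE_MAP = {
  "urn:oid:0.9.2342.19200300.100.1.3": "mail",
  "givenName": "givenName",
  "sn": "sn",
};

// Profile attributes that must never appear in an assertion, whatever the map says.
const NEVER_RELEASE = new Set(["userPassword", "employeeNumber"]);

// Constructed user profile, shaped like a directory lookup result. It carries
// attributes the mapper must not leak.
const USER_PROFILE = {
  uid: ["bjensen"],
  mail: ["bjensen@example.com"],
  givenName: ["Barbara"],
  sn: ["Jensen"],
  userPassword: ["{SSHA}constructed-hash"],
  employeeNumber: ["12345"],
};

/**
 * Build the attribute statement for an assertion from an allow-list mapping.
 * Returns {samlAttributeName: [values]} containing only mapped attributes that
 * are present on the profile and not in NEVER_RELEASE.
 */
function mapAttributes(attributeMap, profile, log) {
  const result = {};
  for (const [samlName, profileAttr] of Object.entries(attributeMap)) {
    if (NEVER_RELEASE.has(profileAttr)) {
      log.message(`refusing to release ${profileAttr} as ${samlName} ` +
                  `(realm ${realm}, idp ${hostedEntityId})`);
      continue;
    }
    const values = profile[profileAttr];
    if (!Array.isArray(values) || values.length === 0) {
      log.message(`no value for ${profileAttr}; omitting ${samlName}`);
      continue;
    }
    result[samlName] = [...values]; // copy so callers cannot mutate the profile
  }
  log.message(`released ${Object.keys(result).length} attribute(s) for realm ${realm}`);
  return result;
}

// Usage: run the mapper over the constructed profile.
const attributeStatement = mapAttributes(ATTRIBUTE_MAP, USER_PROFILE, logger);

if (typeof module !== "undefined") {
  module.exports = { mapAttributes, ATTRIBUTE_MAP, USER_PROFILE, logger, attributeStatement };
}
```

The map is iterated, not the profile, so adding a new attribute to the directory schema cannot silently widen what the IdP asserts; the NEVER_RELEASE check is a second line of defence against a mistaken mapping in the entity provider configuration.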