--- title: Developing authentication selectors description: This topic describes aspects of authentication selectors within the context of PingFederate, including implementation, context selection, and callbacks. component: pingfederate version: 13.1 page_id: pingfederate:sdk_developers_guide:pf_develop_authen_select canonical_url: https://docs.pingidentity.com/pingfederate/13.1/sdk_developers_guide/pf_develop_authen_select.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: authentication-selector-interface: Authentication selector interface context-selection: Context selection authentication-selector-callback: Authentication selector callback --- # Developing authentication selectors This topic describes aspects of authentication selectors within the context of PingFederate, including implementation, context selection, and callbacks. ## Authentication selector interface Authentication selectors allow PingFederate to choose an appropriate authentication source, an identity provider (IdP) adapter or an IdP connection (for federation hub use cases), based on criteria defined in the authentication selector instance. When creating an authentication selector, use the following primary Java packages: * `org.sourceid.saml20.adapter.gui` * `org.sourceid.saml20.adapter.conf` * `com.pingidentity.sdk` For each authentication selector implementation, in addition to the methods described under [Shared plugin interfaces](pf_share_plugin_interface.html), you must define the following: * Context Selection * Authentication selector callback ## Context selection PingFederate calls the `selectContext()` method to determine which authentication source to select. The `mappedAuthnSourcesNames` contains the list of `AuthenticationSourceKeys` and names that are available for the selector to reference. ``` AuthenticationSelectorContext selectContext(HttpServletRequest req, HttpServletResponse resp, Map mappedAuthnSourcesNames, Map extraParameters, String resumePath) ``` The `HttpServletRequest` can evaluate cookies, parameters, headers, and other request information to determine which authentication source to select. The `HttpServletResponse` also helps determine the appropriate authentication source to select if the authentication selector requires user interaction. If the `resp` object is written to, it is considered a committed response and returned to the user's browser. The `resumePath` is a relative URL used in conjunction with the `resp` object, such that the user's browser is sent to this URL to resume the single sign-on (SSO) work flow. After an authentication source is selected, you can create an `AuthenticationSelectorContext` to denote which authentication source to use. You can reference the selected authentication source by its ID or by its context, which is a name that decouples authentication selectors from the configured IDs. ## Authentication selector callback PingFederate calls the `callback()` method after authenticating against a selected source. The `callback()` method allows authentication selectors to update resulting attributes, set cookies, or perform other custom functions. ``` void callback(HttpServletRequest req, HttpServletResponse resp, Map authnIdentifiers, AuthenticationSourceKey authenticationSourceKey, AuthenticationSelectorContext authnSelectorContext); ``` | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Writing content to the `resp` object in the `callback()` method is not supported, and doing so might result in unexpected behavior. Setting cookies is supported. |