PingFederate Server

Sample customizations

Use OGNL expressions to customize assertions and authentication requests in different ways.

Add SessionNotOnOrAfter to assertions

This expression adds the optional SessionNotOnOrAfter attribute to the <AuthnStatement> element and sets it to 60 minutes after the current time, expressed in UTC.

Message Type: AssertionType

Expression:
#cal = new org.apache.xmlbeans.XmlCalendar(new java.util.Date()),
#cal.setTimeZone(@java.util.TimeZone@getTimeZone("UTC")),
#cal.add(@java.util.Calendar@MINUTE, 60),
#AssertionType.getAuthnStatementArray(0).setSessionNotOnOrAfter(#cal)

Expected assertions
...
<saml:AuthnStatement ... AuthnInstant="2015-03-20T16:27:37.344Z"
 SessionNotOnOrAfter="2015-03-20T17:27:37.398Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>...</saml:AuthnContextClassRef>
    </saml:AuthnContext>
</saml:AuthnStatement>
...

Use well-formed XML as attribute value

The following expression inserts well-formed XML in the <AttributeValue> element if the Attribute Name Format is urn:pingidentity.com:SAML:attrname-format:xml:complex.

Message Type: AssertionType

Expression:
#i = 0,
#AssertionType.getAttributeStatementArray(0).getAttributeArray().{#this.getNameFormat().equals('urn:pingidentity.com:SAML:attrname-format:xml:complex')?
{#AssertionType.getAttributeStatementArray(0).getAttributeArray(#i).removeAttributeValue(1)}:null,
#i = #i+1}

Line breaks are inserted for readability only. Statements calling methods whose arguments are enclosed in quotes must be entered on a single line.

This example uses well-formed XML as the attribute value for attributes whose name format is set to urn:pingidentity.com:SAML:attrname-format:xml:complex in the Attribute Contract window; this custom attribute name format is defined in <pf_install>/pingfederate/server/default/data/config-store/custom-name-formats.xml. You can substitute other application logic here.

Sample inputs (attributes and their values)

Example input 1

Attribute Name: ExtAttr1
Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
Attribute Value: 123

Example input 2

Attribute Name: ExtAttr2
Attribute Name Format: urn:pingidentity.com:SAML:attrname-format:xml:complex
Attribute Value:

<saml:Attribute
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Name="ExtAttr2"
 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:customNs="http://www.sample.tld/customnamespace">
        <customNs:Line>Documentation</customNs:Line>
        <customNs:Line>Ping Identity</customNs:Line>
    </saml:AttributeValue>
</saml:Attribute>

The attribute value is entered as a single well-formed XML document on one line; the line breaks above are for readability only.

Expected results
...
<saml:Attribute Name="ExtAttr1"
 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:string"
     xmlns:xs="http://www.w3.org/2001/XMLSchema"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        123
    </saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="ExtAttr2"
 NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:customNs="http://www.sample.tld/customnamespace">
        <customNs:Line>Documentation</customNs:Line>
        <customNs:Line>Ping Identity</customNs:Line>
    </saml:AttributeValue>
</saml:Attribute>
...
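As an added check that is not part of the PingFederate documentation or product, the following Python script parses an assertion built from the expected output of the two customizations above (the Assertion root element and the namespace declarations are constructed assumptions so the fragment parses) and verifies that SessionNotOnOrAfter sits 60 minutes after AuthnInstant, allowing a few seconds of drift, and that the xml:complex attribute carries element children rather than a string value.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed from the page's expected output; the Assertion root element and
# the namespace declarations are assumptions added so the fragment parses.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:AuthnStatement AuthnInstant="2015-03-20T16:27:37.344Z"
      SessionNotOnOrAfter="2015-03-20T17:27:37.398Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>...</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="ExtAttr1" NameFormat="{UNSPEC}">
      <saml:AttributeValue xsi:type="xs:string">123</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="ExtAttr2" NameFormat="{UNSPEC}">
      <saml:AttributeValue xmlns:customNs="http://www.sample.tld/customnamespace">
        <customNs:Line>Documentation</customNs:Line><customNs:Line>Ping Identity</customNs:Line>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_saml_instant(value):
    """SAML xs:dateTime as emitted by PingFederate: UTC 'Z' suffix, optional fraction."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def session_window(assertion_xml):
    """SessionNotOnOrAfter minus AuthnInstant of the first AuthnStatement; None if absent."""
    stmt = ET.fromstring(assertion_xml).find("saml:AuthnStatement", NS)
    end = stmt.get("SessionNotOnOrAfter")
    if end is None:
        return None
    return parse_saml_instant(end) - parse_saml_instant(stmt.get("AuthnInstant"))

def session_window_ok(assertion_xml, minutes=60, slack_seconds=5):
    """Window is 60 min plus the few ms between stamping AuthnInstant and building #cal."""
    w = session_window(assertion_xml)
    return w is not None and timedelta(minutes=minutes) <= w <= timedelta(minutes=minutes, seconds=slack_seconds)

def attribute_value_kinds(assertion_xml):
    """Map Attribute Name -> 'xml' when AttributeValue has element children, else 'text'."""
    kinds = {}
    for attr in ET.fromstring(assertion_xml).findall(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        kinds[attr.get("Name")] = "xml" if len(value) else "text"
    return kinds
```

Run it against a decoded assertion captured from your own test SP to confirm both customizations are present before enabling them for partners.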

Include extensions in authentication requests

This expression includes the optional Extensions element in authentication requests, taking its value from a query parameter (oid in this example) sent to the /sp/startSSO.ping endpoint to start an SP-initiated SSO request, and falling back to a default value when the parameter is absent.

Message Type: AuthnRequestDocument

Expression:
#element = #XmlHelper.addToSaml2Extensions(#AuthnRequestDocument, '<samplens:orgId name="orgId" xmlns:samplens="urn:org.sample.wms"/>'),
#value = #HttpServletRequest.getParameter('oid') == null ? 'someDefaultValue' : #HttpServletRequest.getParameter('oid'),
#XmlHelper.setAttribute(#element, 'value', #value)

Expected AuthnRequest

A GET request to https://<pf_host>:<pf.https.port>/sp/startSSO.ping?PartnerIdpId=<entityID>&oid=123 would trigger the following Extensions block.

<samlp:AuthnRequest ...>
  <saml:Issuer ...>...</saml:Issuer>
  <samlp:Extensions>
    <samplens:orgId name="orgId" value="123" xmlns:samplens="urn:org.sample.wms"/>
  </samlp:Extensions>
  ...
</samlp:AuthnRequest>

For information about OGNL, see the Apache Commons OGNL Language Guide.