Developing authentication selectors

Authentication selectors allow PingFederate to choose an appropriate authentication source, an identity provider (IdP) adapter or an IdP connection (for federation hub use cases), based on criteria defined in the authentication selector instance.

When creating an authentication selector, use the following primary Java packages:

For each authentication selector implementation, in addition to the methods described under Shared plugin interfaces, you must define the following:

PingFederate calls the selectContext() method to determine which authentication source to select. The mappedAuthnSourcesNames contains the list of AuthenticationSourceKeys and names that are available for the selector to reference.

The HttpServletRequest can evaluate cookies, parameters, headers, and other request information to determine which authentication source to select. The HttpServletResponse also helps determine the appropriate authentication source to select if the authentication selector requires user interaction. If the resp object is written to, it is considered a committed response and returned to the user’s browser. The resumePath is a relative URL used in conjunction with the resp object, such that the user’s browser is sent to this URL to resume the single sign-on (SSO) work flow.

After an authentication source is selected, you can create an AuthenticationSelectorContext to denote which authentication source to use. You can reference the selected authentication source by its ID or by its context, which is a name that decouples authentication selectors from the configured IDs.

PingFederate calls the callback() method after authenticating against a selected source. The callback() method allows authentication selectors to update resulting attributes, set cookies, or perform other custom functions.