PingGateway 2024.11

ScriptableIdentityAssertionPlugin

An out-of-the box implementation of IdentityAssertionPlugin to support use-cases that aren’t provided by a PingGateway plugin.

Use with an IdentityAssertionHandler for local processing, such as authentication. The plugin returns IdentityAssertionClaims to include in the identity assertion JWT PingGateway sends to PingOne Advanced Identity Cloud.

The script does the following:

  1. Validates the identity request JWT.

  2. (Optional) Takes a single String that represents the principal or a principal and a map of additional claims from the IdentityRequestJwtContext.

  3. If a PreProcessingFilter is configured, triggers the filter.

  4. Returns principal and identity claims in the identity assertion JWT.

If script execution fails, the plugin creates an IdentityAssertionPluginException.

Usage

{
    "name": string,
    "type": "ScriptableIdentityAssertionPlugin",
    "config": {
        "preProcessingFilter": Filter reference,
        "type": configuration expression<string>,
        "file": configuration expression<string>, // Use either "file"
        "source": [ string, ... ],                // or "source", but not both
        "args": map,
        "clientHandler": Handler reference
    }
}

Properties

For information about other properties for ScriptableIdentityAssertionPlugin, refer to Scripts.

"preProcessingFilter": _Filter reference, optional

A Filter to perform user defined actions, such as local authentication and/or authorization.

Default: Pass the request without pre-processing.

Example

The following example applies a preProcessingFilter that uses a ScriptableFilter to test whether the user is authenticated. If a Basic Authorization Header isn’t found, a response is generated to trigger a Basic Authentication.

{
  "name": "BasicAuthScriptablePlugin",
  "type": "ScriptableIdentityAssertionPlugin",
  "config": {
    "type": "application/x-groovy",
    "source": [
      "import org.forgerock.openig.handler.assertion.IdentityAssertionClaims",
      "import org.forgerock.openig.handler.assertion.IdentityAssertionException",
      "if (request.headers.authorization != null && request.headers.authorization.values[0] == 'Basic user:password') {",
          return new IdentityAssertionClaims("iguser", Map.of("auth", "basic"))",
      "}",
      "return newExceptionPromise(new IdentityAssertionException('Invalid authentication'))",
    ],
    "preProcessingFilter": {
      "type": "ScriptableFilter",
      "config": {
        "type": "application/x-groovy",
        "source": [
          "if (request.headers.authorization == null) {",
          "    Response response = new Response(Status.UNAUTHORIZED)",
          "    response.headers['WWW-Authenticate'] = \"Basic\"",
          "    return response",
          "}",
          "return next.handle(context, request)",
        ],
      },
    }
  }
}