PingGateway 2024.11

SessionInfoFilter

Calls the AM endpoint for session information, and makes the data available as a new context to downstream PingGateway filters and handlers. Learn more in SessionInfoContext.

When using a SessionInfoFilter with a CrossDomainSingleSignOnFilter (CDSSO filter) or SingleSignOnFilter (SSO filter):

  • Include the SessionInfoFilter after the CDSSO or SSO filter in the chain.

  • Do not use the raw CDSSO or SSO token in the SessionInfoFilter configuration. Use the token the CDSSO or SSO filter adds to the context, such as ${contexts.ssoToken.value}.

WebSocket notifications for sessions

When WebSocket notifications are set up for sessions, PingGateway receives a notification from AM when a user logs out of AM, or when the AM session is modified, closed, or times out. PingGateway then evicts entries that are related to the event from the sessionCache.

For information about setting up WebSocket notifications, using them to clear the session cache, and including them in the server logs, refer to WebSocket notifications.

Usage

{
  "name": string,
  "type": "SessionInfoFilter",
  "config": {
    "amService": AmService reference,
    "ssoToken": runtime expression<string>
  }
}

Properties

"amService": AmService reference, required

The AmService object to use for communication with AM.

The following sessionProperties, are retrieved from AM:

  • When sessionProperties in AmService is configured, listed session properties with a value.

  • When sessionProperties in AmService isn’t configured, all session properties with a value.

  • Properties with a value that are required by PingGateway but not specified by sessionProperties in AmService. For example, when the session cache is enabled, session properties related to the cache are automatically retrieved.

Properties with a value are returned, properties with a null value aren’t returned.

"ssoToken": runtime expression<string>, optional

Location of the AM SSO or CDSSO token.

This property can take the following values:

  • ${contexts.ssoToken.value}, when the SingleSignOnFilter is used for authentication

  • ${contexts.ssoToken.value} or ${contexts.cdsso.token}, when the CrossDomainSingleSignOnFilter is used for authentication

  • ${request.headers['mySsoToken'][0]}, where the SSO or CDSSO token is the first value of the mySsoToken header in the request.

Default: ${request.cookies['AmService-ssoTokenHeader'][0].value}, where AmService-ssoTokenHeader is the name of the header or cookie where the AmService expects to find SSO or CDSSO tokens.

Examples

You can find an example that uses this filter in Retrieve a Username From the sessionInfo Context.

More information

org.forgerock.openig.openam.SessionInfoFilter

org.forgerock.openig.openam.SessionInfoContext

SessionInfoContext

AM’s Authorization guide