TokenTransformationFilter
Transforms a token issued by AM to another token type.
The TokenTransformationFilter makes the result of the token transformation
available to downstream handlers in the sts
context.
Learn more in StsContext.
The current implementation uses REST Security Token Service (STS) APIs to
transform an OpenID Connect ID Token (id_token
) into a SAML 2.0 assertion.
The subject confirmation method is Bearer, as described in
Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0.
The TokenTransformationFilter makes the result of the token transformation
available to downstream handlers in the issuedToken
property of the
${contexts.sts}
context.
The TokenTransformationFilter configuration references a REST STS instance that must be set up in AM before the TokenTransformationFilter can be used. The REST STS instance exposes a preconfigured transformation under a specific REST endpoint.
Errors that occur during the token transformation cause a error response to be returned to the client and an error message to be logged for the PingGateway administrator.
Usage
{
"name": "string",
"type": "TokenTransformationFilter",
"config": {
"amService": AmService reference,
"idToken": runtime expression<string>,
"instance": configuration expression<string>,
"username": configuration expression<string>, //deprecated
"password": configuration expression<string> //deprecated
}
}
Properties
"amService"
: AmService reference, required-
The AmService heap object to use for the following properties:
-
agent
, the credentials of the PingGateway agent in AM, to authenticate PingGateway as an AM REST STS client, and to communicate WebSocket notifications from AM to PingGateway. This credentials are evaluated when the route is initialized -
url
, the URL of an AM service to use for session token validation and authentication. Authentication and REST STS requests are made to this service. -
realm
, the AM realm containing the following information:-
The AM application that can make the REST STS request and whose credentials are the username and password.
-
The STS instance described by the instance field.
-
-
ssoTokenHeader
, the name of the HTTP header that provides the SSO token for the REST STS client subject. -
amHandler
, the handler to use for authentication and STS requests to AM.
-
"idToken"
: runtime expression<string>, required-
The value of the OpenID Connect ID token. The expected value is a string that is the JWT encoded
id_token
. "instance"
: configuration expression<string>, required-
An expression evaluating to the name of the REST STS instance.
This expression is evaluated when the route is initialized, so the expression cannot refer to
request
orcontexts
. "username"
: string, required-
The use of this property is deprecated. Use the AmService property agent
instead.The username to authenticate PingGateway as an AM REST STS client.
"password"
: expression, required-
The use of this property is deprecated. Use the AmService property agent
instead.The password to authenticate PingGateway as an AM REST STS client.
Example
The following example shows a configuration for a TokenTransformationFilter:
{
"type": "TokenTransformationFilter",
"config": {
"amService": "MyAmService",
"idToken": "${attributes.openid.id_token}",
"instance": "openig"
}
}
You can find an example of how to set up and test the TokenTransformationFilter in OIDC ID tokens to SAML assertions.