PingOne Advanced Identity Cloud

IdP adapter

Use an IdP adapter script to alter the processing of the authentication request; for example, redirect the user before single sign-on or before sending a failure response.

The script provides hooks at the following points in assertion processing:

Processing phase Description

preSingleSignOn

Invoked when PingOne Advanced Identity Cloud receives the authentication request. Only applicable to SP-initiated flows.

preAuthentication

Invoked before redirecting the request for authentication. Only applicable to SP-initiated flows.

preSendResponse

Invoked after the user successfully authenticates or makes the request with an existing valid session, and before the response is sent.

preSignResponse

Invoked after PingOne Advanced Identity Cloud prepares the response, but before it signs the response. This lets you customize the content of the SAML response.

preSendFailureResponse

Invoked before PingOne Advanced Identity Cloud returns a SAML error response. Only applicable to SP-initiated flows.

Learn about IdP adapter scripts from the following resources:

Demonstrate an IdP adapter

Before you try the example, configure single sign-on using SAML v2.0 with PingOne Advanced Identity Cloud as the hosted IdP.

The following example determines whether to redirect the authentication journey based policy evaluation:

Configure a policy

  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Authorization > Resource Types and create a new resource type with the following settings:

    Name

    SAML SP Access

    Pattern

    *

    Action

    Assert (Default State: Deny)

  2. Go to Policy Sets and create a new policy set with the following settings:

    Id

    saml

    Name

    saml

    Resource Types

    SAML SP Access

  3. Add a new policy with the following settings:

    Name

    SAML Access Policy

    Resource Types

    SAML SP Access

    Resources

    *

    Actions

    ASSERT:Denied

    Response Attributes

    redirect_uri: https://example.com

    Subjects

    "type": "AuthenticatedUsers"

Create the script

  1. In the Advanced Identity Cloud admin UI, create a script of type SAML2 IDP Adapter.

  2. In the JavaScript field, paste the template saml2-idp-adapter.js script.

  3. Insert the following code in the preSendResponse function. The script causes PingOne Advanced Identity Cloud to redirect or send an error response if the policy for the SP evaluates to false:

    function preSendResponse() {
    
      var frJava = JavaImporter(
        com.sun.identity.saml2.common.SAML2Exception);
    
      try {
        var ents = idpAdapterScriptHelper.getEntitlements(
          "saml", realm, session, authnRequest).iterator();
        while (ents.hasNext()) {
          var entitlement = ents.next();
          var isAllowed = entitlement.getActionValue("Assert");
    
          if (isAllowed != null && isAllowed == true) {
            return false;
          } else {
            var redirectUris = entitlement.getAttributes().get("redirect_uri");
    
            if (redirectUris == null || redirectUris.isEmpty()) {
              logger.error("No redirect_uri");
              response.sendError(403);
            } else {
              var redirectUri = redirectUris.iterator().next();
              response.sendRedirect(redirectUri);
            } return true;
          }
        }
      } catch (error) {
        logger.error("Error in preSend reponse. " + error);
        throw new frJava.SAML2Exception(error);
      }
    }
  4. Save your changes and close the editor.

Configure the IdP

  1. Under Native Consoles > Access Management, go to Applications > Federation > Entity Providers > Hosted IDP Name > Advanced.

  2. In the IDP Adapter Script field, select your script.

  3. Save your changes.

Test the script

  1. Perform an SP-initiated flow.

  2. Verify the user is redirected to the redirect_uri from the policy (https://example.com).