PingOne Advanced Identity Cloud

IdP adapter

Use this script type to alter the processing of the authentication request; for example, redirect the user before single sign-on, or before sending a failure response.

The script provides hooks at the following points in assertion processing:

Processing phase Description

preSingleSignOn

Invoked when PingOne Advanced Identity Cloud receives the authentication request. Only applicable to SP-initiated flows.

preAuthentication

Invoked before redirecting the request for authentication. Only applicable to SP-initiated flows.

preSendResponse

Invoked after the user successfully authenticates or makes the request with an existing valid session, and before the response is sent.

preSignResponse

Invoked after PingOne Advanced Identity Cloud prepares the response, but before it signs the response. This lets you customize the content of the SAML response.

preSendFailureResponse

Invoked before PingOne Advanced Identity Cloud returns a SAML error response. Only applicable to SP-initiated flows.

For a template script, refer to saml2-idp-adapter.js.

Demonstrate an IdP adapter

Before you try the example, configure single sign-on using SAML v2.0 with PingOne Advanced Identity Cloud as the hosted IdP.

The following example determines whether to redirect the authentication journey based on a policy evaluation:

Configure a policy

  1. Under Native Consoles > Access Management, go to Realms > Realm Name > Authorization > Resource Types and create a new resource type with the following settings:

    Name

    SAML SP Access

    Pattern

    *

    Action

    Assert (Default State: Deny)

  2. Go to Policy Sets and create a new policy set with the following settings:

    Id

    saml

    Name

    saml

    Resource Types

    SAML SP Access

  3. Add a new policy with the following settings:

    Name

    SAML Access Policy

    Resource Types

    SAML SP Access

    Resources

    *

    Actions

    ASSERT:Denied

    Response Attributes

    redirect_uri: https://example.com

    Subjects

    "type": "AuthenticatedUsers"

Create the script

  1. In the Advanced Identity Cloud admin UI, create a script of type SAML2 IDP Adapter.

  2. In the JavaScript field, paste the template saml2-idp-adapter.js script.

  3. Insert the following code in the preSendResponse function. The script causes PingOne Advanced Identity Cloud to redirect or send an error response if the policy for the SP evaluates to false:

    function preSendResponse() {

      var frJava = JavaImporter(
        com.sun.identity.saml2.common.SAML2Exception);

      try {
        // Evaluate the "saml" policy set for this user, session and SP request.
        var ents = idpAdapterScriptHelper.getEntitlements(
          "saml", realm, session, authnRequest).iterator();
        while (ents.hasNext()) {
          var entitlement = ents.next();
          var isAllowed = entitlement.getActionValue("Assert");

          if (isAllowed != null && isAllowed == true) {
            // The policy allows the assertion: return false so processing continues.
            return false;
          } else {
            // The policy denies: redirect to the policy's redirect_uri, or send a 403.
            var redirectUris = entitlement.getAttributes().get("redirect_uri");

            if (redirectUris == null || redirectUris.isEmpty()) {
              logger.error("No redirect_uri");
              response.sendError(403);
            } else {
              var redirectUri = redirectUris.iterator().next();
              response.sendRedirect(redirectUri);
            }
            // Return true because the adapter has already sent the response.
            return true;
          }
        }
      } catch (error) {
        logger.error("Error in preSendResponse. " + error);
        throw new frJava.SAML2Exception(error);
      }
    }

  4. Save your changes and close the editor.

Configure the IdP

  1. Under Native Consoles > Access Management, go to Applications > Federation > Entity Providers > Hosted IDP Name > Advanced.

  2. In the IDP Adapter Script field, select your script.

  3. Save your changes.

Test the script

  1. Perform an SP-initiated flow.

  2. Verify the user is redirected to the redirect_uri from the policy (https://example.com).
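The policy decision from the preSendResponse script above, restructured as an added example that is not part of the PingOne documentation or product code: the decision is a pure function, and it denies when the policy set returns no entitlement, a case where the page's loop body never runs and the hook returns nothing. It assumes the injected objects and the idpAdapterScriptHelper.getEntitlements signature exactly as this page gives them; fakeIterator and fakeEntitlement are constructed stand-ins for the Java objects so the logic can run outside Rhino.

```javascript
// Added example, not PingOne's own code: the policy decision from the page's
// preSendResponse script as a pure function, with a fail-closed empty-result branch.
// `ents` exposes hasNext()/next() (a java.util.Iterator in Rhino, or the
// constructed stand-in below); entitlements expose getActionValue(name) and
// getAttributes().get(name) as on the page. The first entitlement decides.
function decideAccess(ents) {
  if (!ents.hasNext()) {
    // The page's loop returns nothing here; deny explicitly instead.
    return { allow: false, redirectUri: null, reason: "no entitlement" };
  }
  var entitlement = ents.next();
  var isAllowed = entitlement.getActionValue("Assert");
  if (isAllowed != null && isAllowed == true) {   // same test as the page
    return { allow: true, redirectUri: null, reason: "Assert allowed" };
  }
  var uris = entitlement.getAttributes().get("redirect_uri");
  if (uris == null || uris.isEmpty()) {
    return { allow: false, redirectUri: null, reason: "denied, no redirect_uri" };
  }
  return { allow: false, redirectUri: String(uris.iterator().next()), reason: "denied" };
}
// Constructed stand-ins with the Java objects' method names, for offline runs.
function fakeIterator(items) {
  var i = 0;
  return { hasNext: function () { return i < items.length; },
           next: function () { return items[i++]; } };
}
function fakeEntitlement(assertValue, redirectUris) {
  var attrs = redirectUris == null ? null : {
    isEmpty: function () { return redirectUris.length === 0; },
    iterator: function () { return fakeIterator(redirectUris); } };
  return { getActionValue: function (n) { return n === "Assert" ? assertValue : null; },
           getAttributes: function () { return { get: function (k) { return k === "redirect_uri" ? attrs : null; } }; } };
}
// Hook body for the adapter script, using the injected objects this page lists.
function preSendResponse() {
  var frJava = JavaImporter(com.sun.identity.saml2.common.SAML2Exception);
  try {
    var ents = idpAdapterScriptHelper.getEntitlements("saml", realm, session, authnRequest).iterator();
    var decision = decideAccess(ents);
    if (decision.allow) { return false; }                       // continue SAML processing
    if (decision.redirectUri) { response.sendRedirect(decision.redirectUri); }
    else { logger.error(decision.reason); response.sendError(403); }
    return true;                                                // response already sent
  } catch (error) {
    logger.error("Error in preSendResponse. " + error);
    throw new frJava.SAML2Exception(error);
  }
}
```

Only decideAccess and preSendResponse need to go into the adapter script; the fake builders exist so the decision can be checked with Node before deploying.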

Available objects

PingOne Advanced Identity Cloud injects the following objects into the execution context of an IdP adapter script:

Binding Information

authnRequest

The original authentication request from the SP. For details, refer to AuthnRequest.

Not available to the preSendFailureResponse function.

faultCode

The fault code in the SAML response.

Only available to the preSendFailureResponse function.

faultDetail

The details of the fault in the SAML response.

Only available to the preSendFailureResponse function.

hostedEntityId

The entity ID for the hosted IdP.

idpAdapterScriptHelper

An object with methods to provide context when customizing the IdP adapter plugin points. For details, refer to IdpAdapterScriptHelper.

logger

Write a message to the PingOne Advanced Identity Cloud am-core log source. The logger identifier takes the form scripts.script-type.script-id. For details, refer to Debug.

realm

The realm the user authenticates to.

relayState

A String representing the relayState in the redirect.

Not available to the preSingleSignOn or preSendFailureResponse functions.

reqId

The identifier to continue processing if the adapter redirects.

Not available to the preSignResponse or preSendFailureResponse functions.

request

The HttpServletRequest object.

res

The SAML response. For details, refer to Response.

Only available to the preSignResponse function.

response

The HttpServletResponse object.

Not available to the preSignResponse function.

session

Represents the user’s single sign-on session object. For details, refer to SSOToken.

Not available to the preSingleSignOn or preSendFailureResponse functions.