IdP attribute mapper
Use this script type to map user-configured attributes to SAML attributes in the generated SAML assertion.
The default implementation retrieves the mapped attribute values from the user profile first. If the attribute values are missing from the user’s profile, then PingOne Advanced Identity Cloud attempts to retrieve them from the user’s session.
For a template script, refer to saml2-idp-attribute-mapper.js.
Demonstrate an IdP attribute mapper
Before you try the example, configure single sign-on using SAML v2.0 with PingOne Advanced Identity Cloud as the hosted IdP.
The following example modifies the SAML attributes in the assertion returned by the IdP:
Create the script
- In the Advanced Identity Cloud admin UI, create a script of type SAML2 IDP Attribute Mapper.
- In the JavaScript field, paste the template saml2-idp-attribute-mapper.js script.
- Insert the following lines just before `return attributes;` (around line 150) to return a custom static attribute:

```javascript
// Build a single-valued set and append it to the attribute list
// as a static SAML attribute named customSAMLAttribute.
var customSet = new java.util.HashSet();
customSet.add("test");
attributes.add(
    idpAttributeMapperScriptHelper.createSAMLAttribute(
        "customSAMLAttribute", // SAML attribute name
        null,                  // name format (none specified)
        customSet));           // attribute values
```

- Save your changes and close the editor.
Configure the IdP
-
Under Native Consoles > Access Management, go to Applications > Federation > Entity Providers > Hosted IDP Name > Assertion Processing.
-
In the Attribute Mapper Script field, select your script.
-
Save your changes.
Test the script
- Perform a SAML v2.0 flow.
- Verify the `AttributeStatement` element in the SAML assertion contains the custom attribute:

```xml
<saml:AttributeStatement>
  <saml:Attribute Name="customSAMLAttribute">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                         xsi:type="xs:string">test</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
```
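The resolution order described above (user profile first, then the session) together with the static customSAMLAttribute step, as an added example that is not part of the PingOne template script: it is plain Node.js that models the mapper with ordinary objects, so the real bindings (idpAttributeMapperScriptHelper, java.util.HashSet, the injected session) are replaced by assumed stand-ins, and the attributeMap, sampleProfile and sampleSession values are constructed. It also shows the property a practitioner should check in any mapper: only attributes listed in the mapping are released, and values that are present in the session but not in the mapping (uid here) never reach the assertion.

```javascript
// Added example, not from the PingOne/ForgeRock template. Models the IdP
// attribute mapper's lookup order in plain JavaScript so it runs under Node.js.
// ASSUMPTIONS: attributeMap, sampleProfile and sampleSession are constructed;
// the real script uses idpAttributeMapperScriptHelper and java.util.HashSet.

// Mapping table: SAML attribute name -> local (profile/session) attribute name.
// Only attributes listed here are ever released.
const attributeMap = {
  mail: "mail",
  givenName: "givenName",
  groups: "memberOf",
};

// Resolve one local attribute: profile first, then session fallback, else none.
function resolveValues(localName, profile, session) {
  const fromProfile = profile[localName];
  if (Array.isArray(fromProfile) && fromProfile.length > 0) {
    return fromProfile;
  }
  const fromSession = session[localName];
  if (Array.isArray(fromSession) && fromSession.length > 0) {
    return fromSession;
  }
  return [];
}

// Build the attribute list the assertion would carry. Each entry mirrors the
// (name, nameFormat, values) triple passed to createSAMLAttribute in the page.
function mapAttributes(profile, session, map = attributeMap) {
  const attributes = [];
  for (const [samlName, localName] of Object.entries(map)) {
    const values = resolveValues(localName, profile, session);
    if (values.length === 0) continue; // absent everywhere: omit the attribute
    // De-duplicate, as a java.util.HashSet would.
    attributes.push({ name: samlName, nameFormat: null, values: [...new Set(values)] });
  }
  // Static attribute, as in the customSAMLAttribute step above.
  attributes.push({ name: "customSAMLAttribute", nameFormat: null, values: ["test"] });
  return attributes;
}

// Render the list as the AttributeStatement fragment shown in the test step.
// Values are XML-escaped so a profile value cannot alter the assertion structure.
function toAttributeStatement(attributes) {
  const escape = (s) =>
    String(s).replace(/[<>&"]/g, (c) => ({ "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;" }[c]));
  const lines = ["<saml:AttributeStatement>"];
  for (const a of attributes) {
    lines.push(`  <saml:Attribute Name="${escape(a.name)}">`);
    for (const v of a.values) {
      lines.push(
        '    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" ' +
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ' +
        `xsi:type="xs:string">${escape(v)}</saml:AttributeValue>`);
    }
    lines.push("  </saml:Attribute>");
  }
  lines.push("</saml:AttributeStatement>");
  return lines.join("\n");
}

// Constructed sample data: givenName is empty in the profile (falls back to the
// session), memberOf exists only in the session, uid is not mapped at all.
const sampleProfile = { mail: ["alice@example.com"], givenName: [] };
const sampleSession = { givenName: ["Alice"], memberOf: ["staff", "staff"], uid: ["alice"] };

console.log(toAttributeStatement(mapAttributes(sampleProfile, sampleSession)));
```

Running the block prints an AttributeStatement with mail, givenName, groups and customSAMLAttribute; uid is absent because it is not in attributeMap, and the duplicated "staff" value collapses to one AttributeValue.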
Available objects
PingOne Advanced Identity Cloud injects the following objects into the execution context of an IdP attribute mapper script:
Binding | Information
---|---
 | The entity ID for the hosted IdP.
`idpAttributeMapperScriptHelper` | An object with methods for IdP attribute mapping. For details, refer to IdpAttributeMapperScriptHelper.
 | Write a message to the PingOne Advanced Identity Cloud
 | The realm the user authenticates to.
 | The remote entity ID.
 | Represents the user's single sign-on session object. For details, refer to SSOToken.