PingOne Advanced Identity Cloud

IdP attribute mapper

Use this script type to map user-configured attributes to SAML attributes into the generated SAML assertion.

The default implementation retrieves the mapped attribute values from the user profile first. If the attribute values are missing from the user’s profile, then PingOne Advanced Identity Cloud attempts to retrieve them from the user’s session.

For a template script, refer to saml2-idp-attribute-mapper.js.

Demonstrate an IdP attribute mapper

Before you try the example, configure single sign-on using SAML v2.0 with PingOne Advanced Identity Cloud as the hosted IdP.

The following example modifies the SAML attributes in the assertion returned by the IdP:

Create the script

  1. In the Advanced Identity Cloud admin UI, create a script of type SAML2 IDP Attribute Mapper.

  2. In the JavaScript field, paste the template saml2-idp-attribute-mapper.js script.

  3. Insert the following lines just before return attributes; around line 150 to return a custom static attribute:

    var customSet = new java.util.HashSet();
    customSet.add("test");
    attributes.add(
      idpAttributeMapperScriptHelper.createSAMLAttribute(
        "customSAMLAttribute", null, customSet));
  4. Save your changes and close the editor.

Configure the IdP

  1. Under Native Consoles > Access Management, go to Applications > Federation > Entity Providers > Hosted IDP Name > Assertion Processing.

  2. In the Attribute Mapper Script field, select your script.

  3. Save your changes.

Test the script

  1. Perform a SAML v2.0 flow.

  2. Verify the AttributeStatement element in the SAML assertion contains the custom attribute:

    <saml:AttributeStatement>
      <saml:Attribute Name="customSAMLAttribute">
        <saml:AttributeValue
          xmlns:xs="http://www.w3.org/2001/XMLSchema"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="xs:string"
        >test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>

Available objects

PingOne Advanced Identity Cloud injects the following objects into the execution context of an IdP attribute mapper script:

Binding Information

hostedEntityId

The entity ID for the hosted IdP.

idpAttributeMapperScriptHelper

An object with methods for IdP attribute mapping. For details, refer to IdpAttributeMapperScriptHelper.

logger

Write a message to the PingOne Advanced Identity Cloud am-core log source. The logger identifier takes the form scripts.script-type.script-id. For details, refer to Debug.

realm

The realm the user authenticates to.

remoteEntityId

The remote entity ID.

session

Represents the user’s single sign-on session object. For details, refer to SSOToken.