SP adapter
Use this script type to make application-specific changes during the processing of the
authentication request on the SP side, such as updating the SPNameQualifier
attribute.
The script provides hooks at the following points:
| Processing phase | Description |
|---|---|
| | Invoked before PingOne Advanced Identity Cloud sends the single sign-on request to the IdP. |
| | Invoked before single sign-on processing begins on the SP side, when PingOne Advanced Identity Cloud receives the response from the IdP. |
| | Invoked when single sign-on processing succeeds. |
| | Invoked when single sign-on processing fails. |
| | Invoked when the processing of a new name identifier succeeds. |
| | Invoked when the association of a name identifier between an SP and IdP is successfully terminated. |
| | Invoked before the single logout process starts on the SP side, while the user session is still valid. |
| | Invoked after the single logout process succeeds, when the user session has been invalidated. |
Demonstrate an SP adapter
This task assumes your environment is already correctly configured for single sign-on using SAML v2.0, where PingOne Advanced Identity Cloud is the hosted SP.
Complete the following steps to implement an example SP adapter script that updates the SPNameQualifier attribute in the authentication request:
Create the script
- In the Advanced Identity Cloud admin UI, create a script of type SAML2 SP Adapter.
- In the JavaScript field, paste the template saml2-sp-adapter.js script.
- Add code to the preSingleSignOnRequest function to change the value of SPNameQualifier in the authentication request. Optionally, add code to redirect a successful login in the postSingleSignOnSuccess function. For example:

```javascript
function preSingleSignOnRequest() {
  logger.error("In preSingleSignOnRequest");
  // Change the SPNameQualifier in the outgoing authentication request.
  authnRequest.getNameIDPolicy().setSPNameQualifier("mySP-Updated");
}

function postSingleSignOnSuccess() {
  logger.error("In postSingleSignOnSuccess");
  // Redirect the successful login; return true because the adapter sent the response.
  response.sendRedirect("https://example.com");
  return true;
}
```

- Save your changes and close the editor.
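As an added example (not from the page or from Ping), the following SP adapter script keeps the SPNameQualifier update from the steps above and hardens the post-login redirect: instead of a fixed URL, it reads the RelayState parameter from the injected request object and only follows it when the host is on an allowlist. The stand-in objects, the RelayState handling via request.getParameter, and the allowlist are assumptions made so the script runs offline.

```javascript
// Added example, not code from the page or from Ping. The hooks read the
// bindings the product injects (authnRequest, request, response, logger);
// the objects below are constructed stand-ins so the script runs offline.
// Delete the stand-ins when pasting the hooks into a SAML2 SP Adapter script.
var relayParams = { RelayState: "https://app.example.com/home" }; // constructed
var redirectedTo = null;
var authnRequest = {
  _policy: {
    _spnq: null,
    getSPNameQualifier: function () { return this._spnq; },
    setSPNameQualifier: function (v) { this._spnq = v; }
  },
  getNameIDPolicy: function () { return this._policy; }
};
var request = { getParameter: function (n) { return relayParams[n] || null; } };
var response = { sendRedirect: function (url) { redirectedTo = url; } };
var logger = { error: function (m) { /* stand-in for the product logger */ } };

// Assumed allowlist of hosts a successful login may be redirected to.
var ALLOWED_REDIRECT_HOSTS = ["app.example.com"];

// Returns url unchanged when it is https and its host is allowlisted,
// otherwise null, so a RelayState chosen by someone else cannot turn the
// success hook into an open redirect.
function safeRedirectTarget(url) {
  if (typeof url !== "string") { return null; }
  var m = /^https:\/\/([^\/?#:]+)(?::\d+)?(?:[\/?#]|$)/i.exec(url);
  if (!m) { return null; }
  return ALLOWED_REDIRECT_HOSTS.indexOf(m[1].toLowerCase()) >= 0 ? url : null;
}

// Hook: runs before the SSO request leaves for the IdP.
function preSingleSignOnRequest() {
  var policy = authnRequest.getNameIDPolicy();
  logger.error("preSingleSignOnRequest: SPNameQualifier was " + policy.getSPNameQualifier());
  policy.setSPNameQualifier("mySP-Updated");
}

// Hook: runs when SSO succeeds. Return true only after redirecting, as the
// page's example does; false leaves the normal SP response untouched.
function postSingleSignOnSuccess() {
  var target = safeRedirectTarget(request.getParameter("RelayState"));
  if (target === null) {
    logger.error("postSingleSignOnSuccess: RelayState host not allowlisted");
    return false;
  }
  response.sendRedirect(target);
  return true;
}
```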
Available objects
PingOne Advanced Identity Cloud injects the following objects into the execution context of an SP adapter script:
| Binding | Information |
|---|---|
| | The original authentication request sent from the SP. Only available to single sign-on functions. Refer to AuthnRequest. |
| | The binding used for the name identifier request: Not available to single sign-on functions. |
| | The failure code associated with the error that has occurred. Possible values Only available to |
| | The entity ID for the hosted IdP. |
| | The identifier of the IdP for which the sign-on request is sent. |
| | The ManageNameIDRequest object for the name identifier request. Only available to |
| | The ManageNameIDResponse object for the name identifier request. Only available to |
| | A boolean that is true when federation is used, otherwise false. Only available to the |
| | Write a message to the PingOne Advanced Identity Cloud |
| | The single logout LogoutRequest. Only available to |
| | The single logout LogoutResponse. Only available to |
| | The PrintWriter for writing to. Only available to |
| | The protocol profile used: Available to |
| | The realm the user authenticates to. |
| | The HttpServletRequest object. Always present. |
| | The HttpServletResponse object. Always present. |
| | Contains a representation of the user's single sign-on session object. Refer to the SSOToken interface for information about the SSO token and authentication information, as well as session-related properties. Only available to |
| | The SpAdapterScriptHelper object contains supporting methods that provide context information when customizing the SP adapter plugin points. Always present. |
| | The SSO response received from the IdP. Available to |
| | The unique universal ID of the user associated with the request. Not available to single sign-on functions. |