Scripting API
PingOne Advanced Identity Cloud provides the following scriptable extension points. Each extension point is associated with a script type, or a context.
Configuration provider scripts
Build a configuration map with custom values and add it to the authentication flow.
An authentication journey calls the script through a Configuration Provider node.
For a sample script, refer to config-provider-node.js.
OAuth 2.0 scripts
Extend authorization server behavior with the OAuth 2.0 scripts.
- Modify the key-value pairs contained within an OAuth 2.0 access token.
- Authorize endpoint data provider: Return additional data from an authorization request.
- Add a may_act claim for delegation or impersonation when performing token exchange.
- Populate claims in a request when issuing an ID token or making a request to the OpenID Connect userinfo endpoint.
- Evaluate and return an OAuth 2.0 access token’s scope information.
- Customize the set of requested scopes for authorize, access token, refresh token, and back channel authorize requests.
SAML 2.0 scripts
Customize your SAML 2.0 single sign-on implementation:
- Alter the processing of the authentication request during a SAML 2.0 journey, such as to redirect the user before single sign-on takes place or before a failure response is sent.
- Map user-configured attributes to SAML 2.0 attribute objects to insert into the generated SAML 2.0 assertion.
- Customize the processing of the authentication request on the SP.
Journey decision node scripts
This extension point lets you write a script to determine the path of an authentication journey. The script provides bindings for accessing data in request headers, shared state, and user session data. This data helps to provide the context for you to decide the possible paths a user could take.
An authentication journey calls the script through a Scripted Decision node.
For more information, refer to the Scripted decision node API.
Library scripts
As part of the next-generation scripting engine, library scripts let you reuse common functionality in Scripted Decision node scripts.
For more information, refer to Library scripts.
Scripted policy conditions
Use this scriptable extension point to tailor the actions that PingOne Advanced Identity Cloud takes as part of policy evaluation. The script lets you access a user’s profile information, use that information in HTTP calls, and make a policy decision based on the outcome.
A PingOne Advanced Identity Cloud policy calls the script as part of an environment condition. For more information, refer to scripted policy conditions.
For a sample script, refer to policy-condition.js.
Social identity provider profile transformation
Adapt the profile from the provider to align with the profile expected by the platform.
An authentication journey calls the script through a Social Provider Handler node.
For a sample script, refer to normalized-profile-to-managed-user.js.