PingOne Advanced Identity Cloud

Query SAML application and authentication request

The samlApplication binding is only present when a journey runs in a SAML 2.0 context and an application journey is configured. You can access the binding object for the duration of the authentication session (determined by the Max duration setting).

Use the samlApplication binding to query the SAML 2.0 authentication request properties and identity provider (IdP) and service provider (SP) configuration attributes.

You can check and debug the configuration values, but changes to properties are confined to the scope of the script and won’t affect the underlying objects.

String getFlowInitiator()

Returns IDP or SP depending on which provider initiates the SAML 2.0 flow.

Map<String, Object> getAuthnRequest()

Returns an object containing the properties of the SAML 2.0 authentication request.

Example authnRequest object

The following example is formatted to display the object structure:

{
  "destination": "https://<tenant-env-fqdn>/am/SSORedirect/metaAlias/idp1",
  "signature": null,
  "subject": null,
  "issueInstant": 1724341924000,
  "consent": "",
  "forceAuthn": false,
  "protocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
  "mutable": false,
  "issuer": {
    "value": "sp1",
    "nameQualifier": "",
    "format": "",
    "mutable": false,
    "spnameQualifier": "",
    "spprovidedID": ""
  },
  "assertionConsumerServiceURL": "https://<tenant-env-sp-fqdn>/am/Consumer/metaAlias/sp1",
  "@class": "com.sun.identity.saml2.protocol.impl.AuthnRequestImpl",
  "extensions": null,
  "passive": false,
  "version": "2.0",
  "requestedAuthnContext": {
    "@class": "com.sun.identity.saml2.protocol.impl.RequestedAuthnContextImpl",
    "elementName": "RequestedAuthnContext",
    "mutable": false,
    "authnContextClassRef": [
      "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    ],
    "authnContextDeclRef": [],
    "comparison": "exact"
  },
  "nameIDPolicy": {
    "@class": "com.sun.identity.saml2.protocol.impl.NameIDPolicyImpl",
    "format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "allowCreate": true,
    "mutable": false,
    "spnameQualifier": "sp1"
  },
  "attributeConsumingServiceIndex": null,
  "conditions": null,
  "scoping": null,
  "signed": false,
  "id": "s2c72252b5b2ce2b43e5150c8ee8aba0401f3ef390",
  "providerName": "",
  "assertionConsumerServiceIndex": null
}
Map<String, List<String>> getIdpAttributes()

Returns a map containing the extended configuration for the hosted IdP.

Example IdP attributes
IdP attribute Example value

assertionEffectiveTime

[ "600" ]

idpAuthncontextClassrefMapping

[ "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|0||default" ]

assertionNotBeforeTimeSkew

[ "600" ]

metaAlias

[ "/idp1" ]

idpECPSessionMapper

[ "com.sun.identity.saml2.plugins.DefaultIDPECPSessionMapper" ]

idpAccountMapper

[ "com.sun.identity.saml2.plugins.DefaultIDPAccountMapper" ]

nameIDFormatMap

[ "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress|mail" ]

idpAttributeMapper

[ "com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper" ]

saeIDPUrl

[ "https://<tenant-env-fqdn>/am/idpsaehandler/metaAlias/idp1" ]

idpAuthncontextMapper

[ "com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper" ]

cotlist

[ "cot1" ]

Map<String, List<String>> getSpAttributes()

Returns a map containing the extended configuration for the remote SP.

Example SP attributes
SP attribute Example value

metaAlias

[ ]

treeName

[ "test" ]

idpProxyCount

[ "0" ]

cotlist

[ "cot1" ]

Example

The following script calls the samlApplication methods to log the authentication request and configuration values:

  • Next-generation

  • Legacy

function logObject(objType, obj) {
  var logMsg = objType + " \n";
    for (attr in obj) {
      logMsg += "\t" + attr + " = " + obj[attr] + "\n";
  }
  logger.info(logMsg);
}

if (typeof (samlApplication) === "undefined") {
  logger.error("Journey is not associated with a SAML application");
  action.goTo("false");
}
else {
    var flowType = samlApplication.getFlowInitiator();
    logger.info("Flow type: " + flowType);

    if (flowType == 'SP') {
      var authnRequest = samlApplication.getAuthnRequest();
      logObject("authnRequest", authnRequest);
    }

    logObject("idpAttributes", samlApplication.getIdpAttributes());
    logObject("spAttributes", samlApplication.getSpAttributes());

    action.goTo("true");
}

Not available in Legacy bindings.