This topic describes aspects of authentication selectors within the context of PingFederate, including implementation, context selection, and callbacks.
Authentication selector interface
Authentication selectors allow PingFederate to choose an appropriate authentication source, an identity provider (IdP) adapter or an IdP connection (for federation hub use cases), based on criteria defined in the authentication selector instance.
When creating an authentication selector, use the following primary Java packages:
-
org.sourceid.saml20.adapter.gui
-
org.sourceid.saml20.adapter.conf
-
com.pingidentity.sdk
For each authentication selector implementation, in addition to the methods described under Shared plugin interfaces, you must define the following:
- Context Selection
- Authentication selector callback
Context selection
selectContext()
method to determine which
authentication source to select. The
mappedAuthnSourcesNames
contains the list of AuthenticationSourceKeys and names that are
available for the selector to reference.
AuthenticationSelectorContext selectContext(HttpServletRequest req,
HttpServletResponse resp,
Map<AuthenticationSourceKey, String> mappedAuthnSourcesNames,
Map<String, Object> extraParameters,
String resumePath)
The
HttpServletRequest
can
evaluate
cookies, parameters, headers, and
other request
information
to determine which authentication source to select. The
HttpServletResponse also helps determine the appropriate
authentication source to select if the authentication selector requires user
interaction.
If
the resp
object
is written to, it is considered a
committed response and returned to the user's browser. The
resumePath is a relative URL used in conjunction with the
resp object, such that the user's browser is sent to this URL to
resume the single sign-on (SSO) work flow.Once an authentication source is selected, you can create an AuthenticationSelectorContext to denote which authentication source to use. You can reference the selected authentication source by its ID or by its context, which is a name that decouples authentication selectors from the configured IDs.
Authentication selector callback
callback()
method after authenticating against a
selected source. The callback()
method allows authentication selectors
to update resulting attributes, set cookies, or perform other custom
functions.void callback(HttpServletRequest req,
HttpServletResponse resp,
Map authnIdentifiers,
AuthenticationSourceKey authenticationSourceKey,
AuthenticationSelectorContext authnSelectorContext);
Writing content to the resp object in the
callback()
method is not supported, and doing so might result
in unexpected behavior.
Setting
cookies is supported.