Use OGNL expressions to customize assertions and authentication requests in different ways.
Add SessionNotOnOrAfter to assertions
This expression adds the optional SessionNotOnOrAfter attribute to the <AuthnStatement> element and sets it to 60 minutes (UTC) after the time the assertion is built.
- Message Type: AssertionType
- Expression (the calendar variable must be referenced as #cal in the final call; a bare cal would be resolved as a property of the root object):
  #cal = new org.apache.xmlbeans.XmlCalendar(new java.util.Date()),
  #cal.setTimeZone(@java.util.TimeZone@getTimeZone("UTC")),
  #cal.add(@java.util.Calendar@MINUTE, 60),
  #AssertionType.getAuthnStatementArray(0).setSessionNotOnOrAfter(#cal)
- Expected assertion:
  ...
  <saml:AuthnStatement ... AuthnInstant="2015-03-20T16:27:37.344Z" SessionNotOnOrAfter="2015-03-20T17:27:37.398Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>...</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  ...
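Adding SessionNotOnOrAfter only helps if the service provider enforces it. The following Python check is an added example, not PingFederate code: it parses the AuthnStatement shown above (embedded as a constructed sample) and decides whether the session is still usable at a given time, with an assumed three-minute clock-skew tolerance.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the AuthnStatement the expression produces, wrapped in a
# minimal Assertion element so the fragment parses on its own.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2015-03-20T16:27:37.344Z"
                       SessionNotOnOrAfter="2015-03-20T17:27:37.398Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_saml_instant(value):
    """Parse a SAML xs:dateTime (UTC, trailing Z, optional fraction) into an aware datetime."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML dateTime: {value!r}")


def authn_statement(assertion_xml):
    stmt = ET.fromstring(assertion_xml).find(f"{{{SAML_NS}}}AuthnStatement")
    if stmt is None:
        raise ValueError("assertion carries no AuthnStatement")
    return stmt


def session_expiry(assertion_xml):
    """SessionNotOnOrAfter of the first AuthnStatement, or None when the IdP omitted it."""
    raw = authn_statement(assertion_xml).get("SessionNotOnOrAfter")
    return parse_saml_instant(raw) if raw else None


def session_length(assertion_xml):
    """Lifetime the IdP granted: SessionNotOnOrAfter minus AuthnInstant (60 min for the sample)."""
    stmt = authn_statement(assertion_xml)
    return session_expiry(assertion_xml) - parse_saml_instant(stmt.get("AuthnInstant"))


def session_is_valid(assertion_xml, now, skew=timedelta(minutes=3)):
    """True if the SP may still use the session at `now` (aware UTC datetime).
    The SP must end the session at SessionNotOnOrAfter; `skew` is an assumed tolerance
    for IdP/SP clock drift, and an assertion without the attribute is rejected."""
    expiry = session_expiry(assertion_xml)
    return expiry is not None and now < expiry + skew
```

session_length is the value to alert on: a session bound far longer than the 60 minutes configured above points at a misconfigured or unexpected issuer.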
Use well-formed XML as attribute value
The following expression inserts well-formed XML in the <AttributeValue> element if the Attribute Name Format is urn:pingidentity.com:SAML:attrname-format:xml:complex.
- Message Type: AssertionType
- Expression (the parsed statement must be referenced as #ast; a bare ast would be resolved as a property of the root object):
  #i = 0,
  #AssertionType.getAttributeStatementArray(0).getAttributeArray().{
    #this.getNameFormat().equals('urn:pingidentity.com:SAML:attrname-format:xml:complex') ? {
      #xml = #this.getAttributeValueArray(0).getStringValue(),
      #ast = @org.sourceid.saml20.xmlbinding.assertion.AttributeStatementType$Factory@parse(#xml),
      #AssertionType.getAttributeStatementArray(0).setAttributeArray(#i, #ast.getAttributeArray(0))
    } : null,
    #i = #i + 1
  }
  Note: Line breaks are inserted for readability only. Statements calling methods whose arguments are enclosed in quotes must be entered on a single line.
This example uses well-formed XML as the attribute value for attributes that are configured as urn:pingidentity.com:SAML:attrname-format:xml:complex (a custom attribute name format added to <pf_install>/pingfederate/server/default/data/config-store/custom-name-formats.xml) in the Attribute Contract window. The expression parses the attribute value as XML and splices the resulting <Attribute> into the assertion as-is, so apply it only to attribute sources you control. You can use other application logic here.
- Sample inputs (attributes and their values):
  - Attribute Name: ExtAttr1
    Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
    Attribute Value: 123
  - Attribute Name: ExtAttr2
    Attribute Name Format: urn:pingidentity.com:SAML:attrname-format:xml:complex
    Attribute Value: <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="ExtAttr2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:customNs="http://www.sample.tld/customnamespace"> <customNs:Line>Documentation</customNs:Line> <customNs:Line>Ping Identity</customNs:Line> </saml:AttributeValue> </saml:Attribute>
    Note: This is a well-formed XML document on one line.
- Expected results:
  ...
  <saml:Attribute Name="ExtAttr1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      123
    </saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="ExtAttr2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:customNs="http://www.sample.tld/customnamespace">
      <customNs:Line>Documentation</customNs:Line>
      <customNs:Line>Ping Identity</customNs:Line>
    </saml:AttributeValue>
  </saml:Attribute>
  ...
Include extensions in authentication requests
This expression includes the optional Extensions element in the authentication request if a certain query parameter (oid in this example) is sent to the /sp/startSSO.ping endpoint to start an SP-initiated SSO request.
- Message Type: AuthnRequestDocument
- Expression:
  #element = #XmlHelper.addToSaml2Extensions(#AuthnRequestDocument, '<samplens:orgId name="orgId" xmlns:samplens="urn:org.sample.wms"/>'),
  #value = #HttpServletRequest.getParameter('oid') == null ? 'someDefaultValue' : #HttpServletRequest.getParameter('oid'),
  #XmlHelper.setAttribute(#element, 'value', #value)
- Expected AuthnRequest: a GET request to https://<pf_host>:<pf.https.port>/sp/startSSO.ping?PartnerIdpId=<entityID>&oid=123 would trigger the following Extensions block.
  <samlp:AuthnRequest ...>
    <saml:Issuer ...>...</saml:Issuer>
    <samlp:Extensions>
      <samplens:orgId name="orgId" value="123" xmlns:samplens="urn:org.sample.wms"/>
    </samlp:Extensions>
    ...
  </samlp:AuthnRequest>