The PingFederate Apache Agent passes session information and user attributes from the adapter to the application.
The Apache Agent includes the information in HTTP request headers or Apache environment variables. This information can then be used by the application for authorization decisions or for generation of content specific to the user making the request.
Attributes from the OpenToken Adapter contract
- The subject (SUBJECT) and any attributes that you add on the Extended Contract tab of the adapter configuration. Only the attributes fulfilled at runtime are exposed to the application; attributes with a NULL value are not included in the OpenToken.
NOT-ON-OR-AFTER
- The time until inactivity timeout is reached.
RENEW-UNTIL
- The time until overall session timeout is reached.
AUTH_NOT-BEFORE
- The time when the session was created.
AUTHNCONTEXT
- Information from the SAML assertion that describes how the user was authenticated at the IdP.
For security reasons, each HTTP request header or Apache environment variable is first prepended with a specific prefix. For help configuring the prefix, see Configuring the Apache Agent. The Apache Agent always removes and rewrites these prefixed request headers and/or environment variables for each request.
If you can't modify your applications to accept headers with this prefix, you can configure the Apache Agent to add a prefix to the HTTP headers or environment variables. In this case, on the Extended Contract tab of the OpenToken Adapter configuration, include an attribute named pf_attribute_list. Map that attribute in your identity provider (IdP) connection as a text field containing a comma-separated list of all the attributes in the adapter contract. This attribute list is sent in the OpenToken and used by the Apache Agent to overwrite headers in the request.
For more information, see Configuring target session fulfillment in the PingFederate documentation.
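
The following is an added example, not Ping Identity code, of an application consuming the prefixed headers described above: it reads only prefixed names, so a client-sent unprefixed SUBJECT is ignored, and it fails closed on the session times. The prefix `EXAMPLE_PF_`, the function names, the sample values, and the ISO 8601 UTC timestamp format are assumptions; use the prefix and formats from your own agent configuration.

```python
from datetime import datetime, timezone

# Assumed placeholder: replace with the prefix configured for the Apache Agent.
PREFIX = "EXAMPLE_PF_"
# Session fields from the page that bound the session lifetime.
EXPIRY_FIELDS = ("NOT-ON-OR-AFTER", "RENEW-UNTIL")


def parse_ts(value):
    # Assumption: timestamps arrive as ISO 8601 UTC, e.g. 2024-01-01T12:30:00Z.
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def identity_from_headers(headers, now, prefix=PREFIX):
    """Return the agent-supplied attributes, or None if there is no valid session."""
    attrs = {}
    for name, value in headers.items():
        upper = name.upper()
        # Only prefixed names are rewritten by the agent on every request;
        # anything else may have been sent by the client and is ignored.
        if upper.startswith(prefix.upper()):
            attrs[upper[len(prefix):]] = value

    if not attrs.get("SUBJECT"):
        return None

    # Fail closed: a missing, malformed or elapsed time means no session.
    for field in EXPIRY_FIELDS:
        try:
            if now >= parse_ts(attrs[field]):
                return None
        except (KeyError, ValueError):
            return None
    return attrs


# Constructed sample request: one spoofed unprefixed header plus agent headers.
SAMPLE_HEADERS = {
    "SUBJECT": "admin",  # client-supplied, must not be trusted
    "EXAMPLE_PF_SUBJECT": "alice",
    "EXAMPLE_PF_NOT-ON-OR-AFTER": "2024-01-01T12:30:00Z",
    "EXAMPLE_PF_RENEW-UNTIL": "2024-01-01T20:00:00Z",
    "EXAMPLE_PF_AUTHNCONTEXT": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
}
```
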