The PingFederate Apache Agent passes session information and user attributes from the adapter to the application.

The Apache Agent includes the information in HTTP request headers or Apache environment variables. This information can then be used by the application for authorization decisions or for generation of content specific to the user making the request.

The following session and attribute information is exposed to the application:
Attributes from the OpenToken Adapter contract
The subject (SUBJECT) and any attributes that you add on the Extended Contract tab of the adapter configuration. Only the attributes fulfilled at runtime are exposed to the application; attributes with a NULL value are not included in the OpenToken.
The time until inactivity timeout is reached.
The time until overall session timeout is reached.
The time when the session was created.
Information from the SAML assertion that describes how the user was authenticated at the IdP.

For security reasons, each HTTP request header or Apache environment variable is first pre-pended with a specific prefix. For help configuring the prefix, see Configuring the Apache Agent. The Apache Agent always removes and rewrites these prefixed request headers and/or environment variables for each request.

If you can't modify your applications to accept headers with this prefix, you can configure the Apache Agent to add a prefix to the HTTP headers or environment variables. In this case, on the Extended Contract tab of the OpenToken Adapter configuration, include an attribute named pf_attribute_list. Map that attribute in your identity provider (IdP) connection as a text field containing a comma-separated list of all the attributes in the adapter contract. This attribute list is sent in the OpenToken and used by the Apache Agent to overwrite headers in the request.

For more information, see Configuring target session fulfillment in the PingFederate documentation.