This allows the application to use the information to support various features, such as making authorization decisions or providing personalized content.

The application has access to the following session and attribute information:

  • Attributes from the OpenToken Adapter contract
    • These include, by default, the subject (SUBJECT) and attributes specified on the Extended Contract screen of the adapter instance configuration. Only the attributes fulfilled at runtime are available to the application. Attributes with a NULL value are not included in the OpenToken.
  • NOT-ON-OR-AFTER
    • The time that the token expires.
  • RENEW-UNTIL
    • The time that the session expires. Tokens cannot be renewed past this time.
  • AUTH_NOT-BEFORE
    • The time that the session began.
  • AUTHNCONTEXT
    • Information from the SAML assertion that describes how the user was authenticated by the identity provider (IdP). For a complete description, see "Authentication context" in Terminology in the PingFederate documentation.

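For security reasons, the name of each HTTP request header that the agent sets is first prepended with a specific (configurable) prefix. The OpenToken IIS Agent always removes and rewrites these prefixed request headers for each request, so a value that a client sends under one of these names does not reach the application.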

If applications protected by the OpenToken IIS Agent cannot be modified to accept headers with this prefix, you can configure the OpenToken IIS Agent to omit the HTTP header prefix.
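One way a protected application can consume these headers defensively is sketched below. It is an added example, not code from the PingFederate documentation or the agent. It assumes the prefix has not been omitted, that each header name is the prefix followed by the attribute name, a placeholder prefix `EXAMPLE_PREFIX_`, and ISO 8601 UTC timestamps; the function and exception names are hypothetical.

```python
from datetime import datetime, timezone

# Assumption: placeholder for the prefix configured on the agent instance.
HEADER_PREFIX = "EXAMPLE_PREFIX_"
# Assumption: timestamps arrive as ISO 8601 UTC, e.g. 2030-01-01T12:05:00Z.
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


class SessionRejected(Exception):
    """Raised when the agent-supplied session data is missing or stale."""


def _parse_time(value):
    return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)


def session_from_headers(headers, now=None):
    """Build the session attributes from prefixed headers only; fail closed."""
    now = now or datetime.now(timezone.utc)
    # Keep only names carrying the agent prefix. An unprefixed "SUBJECT"
    # header is ignored: only the prefixed names are removed and rewritten
    # by the agent on every request.
    attrs = {}
    for name, value in headers.items():
        upper = name.upper()
        if upper.startswith(HEADER_PREFIX):
            attrs[upper[len(HEADER_PREFIX):]] = value

    if not attrs.get("SUBJECT"):
        raise SessionRejected("no agent-supplied SUBJECT")
    try:
        token_expiry = _parse_time(attrs["NOT-ON-OR-AFTER"])
        session_expiry = _parse_time(attrs["RENEW-UNTIL"])
    except (KeyError, ValueError):
        raise SessionRejected("missing or malformed expiry header") from None

    # Defense in depth: re-check both lifetimes before trusting the subject.
    if now >= token_expiry:
        raise SessionRejected("token expired")
    if now >= session_expiry:
        raise SessionRejected("session expired")
    return attrs


# Constructed sample request: one client-supplied unprefixed header
# alongside the prefixed headers written by the agent.
SAMPLE_HEADERS = {
    "SUBJECT": "admin",
    "EXAMPLE_PREFIX_SUBJECT": "jdoe",
    "EXAMPLE_PREFIX_NOT-ON-OR-AFTER": "2030-01-01T12:05:00Z",
    "EXAMPLE_PREFIX_RENEW-UNTIL": "2030-01-01T20:00:00Z",
    "EXAMPLE_PREFIX_AUTHNCONTEXT": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
}
```

If the agent is configured to omit the prefix, this filter no longer applies and the application depends entirely on the agent's header rewriting.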