Access Management 7.3.1

Customize SAML v2.0

AM includes several plugin points that let you extend SAML v2.0 functionality. AM provides some default implementation for the plugins, but you can also configure your own custom implementation per entity provider.

You can implement a custom SAML v2.0 plugin in Java, or for the plugin points described in this section, using a script.

Configure AM to use your custom implementation in the entity provider settings. For information about configuration settings, refer to the Reference section.

If configured, a scripted implementation takes precedence over any Java class that is specified. To make sure the Java class is used, clear any Script settings in the entity provider configuration.

The following table provides an overview of the SAML v2.0 plugin points that can be implemented using either Java or script.

Plugin Description

Customize the default IDP attribute mapper to specify which user attributes are included in an assertion.

Customize SAML responses and browser redirects.

Customize configuration in the hosted SP adapter environment.

Java implementation

The plugin interfaces and default Java implementation can be found in the openam-federation-library.

To view the supported plugin interfaces, refer to these packages:

Scripted implementation

AM provides a scripting engine and template scripts for you to extend SAML v2.0 behavior by running scripts stored as configuration, rather than by updating code. Creating and modifying plugin scripts enables rapid development without the need to change or recompile core AM.

  • To explore the default scripts in the AM admin UI, including the available script properties, go to Realms > Realm Name > Scripts and select the script you want to examine.

  • For all available sample scripts, refer to Sample scripts.

SAML v2.0 scripting API

The following properties are common to all SAML v2.0 plugin scripts. Refer to individual plugins for additional properties specific to the script type.

Binding Description

hostedEntityId

The entity ID for the hosted IDP.

logger

The logger instance particular to the script type. For more information, refer to Debug Logging. The output log files will be prefixed by a static string denoting the script type. Always present.

realm

The name of the realm that the user is authenticating to.

Copyright © 2010-2024 ForgeRock, all rights reserved.