IDP adapter

Use this plugin to alter the processing of the authentication request at a particular point in the SAML journey, such as to redirect the user before single sign-on takes place, or before a failure response is sent.

The plugin provides hooks at the following points in assertion processing:

Plugin point	Description
preSingleSignOn	Invoked when the authentication request is first received. Only applicable to SP-initiated flows.
preAuthentication	Invoked before the request is redirected for authentication. Only applicable to SP-initiated flows.
preSendResponse	Invoked after the user has successfully authenticated or for an existing valid session, before the response is sent.
preSignResponse	Invoked after the response has been constructed, but before the response is signed, to let you customize the content of the SAML response.
preSendFailureResponse	Invoked before a SAML error response is returned. Only applicable to SP-initiated flows.

Plugin point

Description

preSingleSignOn

Invoked when the authentication request is first received. Only applicable to SP-initiated flows.

preAuthentication

Invoked before the request is redirected for authentication. Only applicable to SP-initiated flows.

preSendResponse

Invoked after the user has successfully authenticated or for an existing valid session, before the response is sent.

preSignResponse

Invoked after the response has been constructed, but before the response is signed, to let you customize the content of the SAML response.

preSendFailureResponse

Invoked before a SAML error response is returned. Only applicable to SP-initiated flows.

Java implementation

To create a custom IDP adapter in Java, follow these high-level steps:

Include the openam-federation-library as a dependency in your Maven project.
Write a Java class that implements the org.forgerock.openam.saml2.plugins.IDPAdapter interface, or extends the com.sun.identity.saml2.plugins.DefaultIDPAdapter class.
Override one of the methods described in the plugin points table to customize the authentication journey.
Package your custom class in a JAR file and copy to the /WEB-INF/lib folder where you deployed AM.
Configure AM to use the new Java plugin.
1. In the AM admin UI, go to Realms > Realm Name > Applications > Federation > Entity Providers > Hosted IDP Name > Advanced.
2. In the IDP Adapter Class field, type the fully qualified name of your custom class.
3. Save your changes.
Restart AM or the container in which it runs.
Test your changes using an appropriate mode of single-sign on.

For example, note that some plugin points are only invoked during SP-initiated flows.

Scripted implementation

To explore the default script, including the available script properties, refer to saml2-idp-adapter.js.

To view or modify the default script in the AM admin UI, go to Realms > Realm Name > Scripts and select SAML2 IDP Adapter Script.

Customize the IDP adapter script

Complete the following steps to implement an example IDP adapter script that determines whether the authentication journey should be redirected, based on the evaluation of a policy.

If you prefer to create a new script, reference the new script name when you configure the hosted entity provider.

For more information, refer to Manage scripts (UI).

This task assumes your environment is already correctly configured for single sign-on using SAML v2.0, where AM is the hosted IDP.

For this example, configure a policy that belongs to a policy set named saml:
1. In the AM admin UI, go to Realms > Realm Name > Authorization > Resource Types to create a new resource type with the following values:
  - Name: SAML SP Access
  - Pattern: *
  - Action: Assert (Default State: Deny)
2. Go to Policy Sets to create a new policy set:
  - Id: saml
  - Name: saml
  - Resource Types: SAML SP Access
3. Add a new policy:
  - Name: SAML Access Policy
  - Resource Types: SAML SP Access
  - Resources: *
  - Actions: ASSERT:Denied
  - Response Attributes: redirect_uri: https://example.com
  - Subjects: "type": "AuthenticatedUsers"

To modify the default script, go to Scripts, and click SAML2 IDP Adapter Script. Alternatively, create a new script of type Saml2 IDP Adapter.

In the Script field, add code to the preSendResponse function to redirect or send an error response if the policy for the SP evaluates to false. For example:

function preSendResponse () {

  var frJava = JavaImporter(
    com.sun.identity.saml2.common.SAML2Exception);

  try {
    var ents = idpAdapterScriptHelper.getEntitlements(
        "saml", realm, session, authnRequest).iterator();
    while(ents.hasNext()){
      var entitlement = ents.next();
      var isAllowed = entitlement.getActionValue("Assert");

      if(isAllowed != null && isAllowed == true){
        return false;
      } else{
        var redirectUris = entitlement.getAttributes().get("redirect_uri");

        if (redirectUris == null || redirectUris.isEmpty()){
          logger.error("No redirect_uri");
          response.sendError(403);
        } else{
          var redirectUri = redirectUris.iterator().next();
          response.sendRedirect(redirectUri);
        } return true;
      }
    }
  } catch(error) {
    logger.error("Error in preSend reponse. " + error);
    throw new frJava.SAML2Exception(error);
  }
}

Validate and save your changes.

Configure AM to use the updated IDP adapter script.
1. Still in the AM admin UI, go to Applications > Federation > Entity Providers > Hosted IDP Name > Advanced.
2. In the IDP Adapter Script field, select SAML2 IDP Adapter Script. If you created a new script rather than modifying the default, select your script name.
3. Save your changes.
Test your changes using an SP-initiated flow and verify that the user is redirected to the redirect_uri (in this example, https://example.com).

IDP adapter scripting API

The following properties are available to IDP adapter scripts, in addition to the common SAML v2.0 properties.

Binding Description

Binding	Description
`authnRequest`	The original authentication request sent from the SP. Not available to the `preSendFailureResponse` function. Refer to AuthnRequest.
`faultCode`	The fault code returned in the SAML response. Only available to the `preSendFailureResponse` function.
`faultDetail`	Contains the details of the fault returned in the SAML response. Only available to the `preSendFailureResponse` function.
`idpAdapterScriptHelper`	The idpAdapterScriptHelper instance contains supporting methods that provide context information when customizing the IDP adapter plugin points. Always present.
`relayState`	A String representing the relayState used in the redirect. Not available to the `preSingleSignOn` or `preSendFailureResponse` functions.
`reqId`	The id to use for continuation of processing if the adapter redirects. Not available to the `preSignResponse` or `preSendFailureResponse` functions.
`request`	The `HttpServletRequest` object. Always present.
`res`	The SAML response. For information, refer to Response. Only available to the `preSignResponse` function.
`response`	The `HttpServletResponse` object. Not available to the `preSignResponse` function.
`session`	Contains a representation of the user’s single sign-on session object. Refer to the SSOToken interface for information about SSO token and authentication information, as well as session-related properties. Not available to the `preSingleSignOn` or `preSendFailureResponse` functions.

authnRequest

The original authentication request sent from the SP. Not available to the preSendFailureResponse function. Refer to AuthnRequest.

faultCode

The fault code returned in the SAML response.

Only available to the preSendFailureResponse function.

faultDetail

Contains the details of the fault returned in the SAML response.

Only available to the preSendFailureResponse function.

idpAdapterScriptHelper

The idpAdapterScriptHelper instance contains supporting methods that provide context information when customizing the IDP adapter plugin points.

Always present.

relayState

A String representing the relayState used in the redirect.

Not available to the preSingleSignOn or preSendFailureResponse functions.

reqId

The id to use for continuation of processing if the adapter redirects.

Not available to the preSignResponse or preSendFailureResponse functions.

request

The HttpServletRequest object. Always present.

res

The SAML response. For information, refer to Response.

Only available to the preSignResponse function.

response

The HttpServletResponse object.

Not available to the preSignResponse function.

session

Contains a representation of the user’s single sign-on session object. Refer to the SSOToken interface for information about SSO token and authentication information, as well as session-related properties.