SP adapter

Use this script type to make application-specific changes during the processing of the authentication request on the SP side, such as updating the SPNameQualifier attribute.

The script provides hooks at the following points:

Processing phase Description

Processing phase	Description
`preSingleSignOnRequest`	Invoked before PingOne Advanced Identity Cloud sends the single sign-on request to the IDP.
`preSingleSignOnProcess`	Invoked before single sign-on processing begins on the SP side, when PingOne Advanced Identity Cloud receives the response from the IDP.
`postSingleSignOnSuccess`	Invoked when single sign-on processing succeeds.
`postSingleSignOnFailure`	Invoked when single sign-on processing fails.
`postNewNameIDSuccess`	Invoked when the processing of a new name identifier succeeds.
`postTerminateNameIDSuccess`	Invoked when the association of a name identifier between an SP and IDP is successfully terminated.
`preSingleLogoutProcess`	Invoked before the single logout process starts on the SP side, while the user session is still valid.
`postSingleLogoutProcess`	Invoked after the single logout process succeeds, when the user session has been invalidated.

preSingleSignOnRequest

Invoked before PingOne Advanced Identity Cloud sends the single sign-on request to the IDP.

preSingleSignOnProcess

Invoked before single sign-on processing begins on the SP side, when PingOne Advanced Identity Cloud receives the response from the IDP.

postSingleSignOnSuccess

Invoked when single sign-on processing succeeds.

postSingleSignOnFailure

Invoked when single sign-on processing fails.

postNewNameIDSuccess

Invoked when the processing of a new name identifier succeeds.

postTerminateNameIDSuccess

Invoked when the association of a name identifier between an SP and IDP is successfully terminated.

preSingleLogoutProcess

Invoked before the single logout process starts on the SP side, while the user session is still valid.

postSingleLogoutProcess

Invoked after the single logout process succeeds, when the user session has been invalidated.

Learn about SP adapter scripts from the following resources:

For a template script, refer to saml2-sp-adapter.js.
To view the available bindings, refer to the SP adapter scripting API.

Demonstrate an SP adapter

This task assumes your environment is already correctly configured for single sign-on using SAML v2.0, where PingOne Advanced Identity Cloud is the hosted SP.

Complete the following steps to implement an example SP adapter script that updates the SPNameQualifier attribute in the authentication request:

Create the script
Configure the SP
Test the script

Create the script

In the Advanced Identity Cloud admin UI, create a script of type SAML2 SP Adapter.
In the JavaScript field, paste the template saml2-sp-adapter.js script.
Copy the saml2-sp-adapter.js script and paste in the Script field.

Add code to the preSingleSignOnRequest function to change the value of SPNameQualifier in the authentication request. Optionally, add code to redirect a successful login in the postSingleSignOnSuccess function.

For example:

function preSingleSignOnRequest() {
  logger.error("In preSingleSignOnRequest");
  authnRequest.getNameIDPolicy().setSPNameQualifier("mySP-Updated");
}

function postSingleSignOnSuccess() {
    logger.error("In postSingleSignOnSuccess");
    response.sendRedirect("https://example.com");
    return true;
}

Save your changes and close the editor.

Configure the SP

Under Native Consoles > Access Management, go to Realms > Realm Name > Applications > Federation > Entity Providers > Hosted SP Name > Assertion Processing.
In the Adapter Script field, select the script you created.
Save your changes.

Test the script

Test your changes using an SP-initiated flow.
Verify that the SAML2.0 request contains the updated value (SPNameQualifier="mySP-Updated") and that the user is redirected to https://example.com on successful login.