Use IDP adapter to alter authentication request process
Use this script type to alter the processing of the authentication request; for example, redirect the user before single sign-on, or before sending a failure response.
The script provides hooks at the following points in assertion processing:
Processing phase | Description |
---|---|
 | Invoked when Identity Cloud receives the authentication request. Only applicable to SP-initiated flows. |
 | Invoked before redirecting the request for authentication. Only applicable to SP-initiated flows. |
preSendResponse | Invoked after the user successfully authenticates or makes the request with an existing valid session, and before the response is sent. |
 | Invoked after Identity Cloud prepares the response, but before it signs the response. This lets you customize the content of the SAML response. |
 | Invoked before Identity Cloud returns a SAML error response. Only applicable to SP-initiated flows. |
For a template script, refer to saml2-idp-adapter.js.
Demonstrate an IDP adapter
Before you try the example, configure single sign-on using SAML v2.0 with Identity Cloud as the hosted IDP.
The following example determines, based on a policy evaluation for the requesting SP, whether to let single sign-on continue or to redirect the user elsewhere:
Configure a policy
- In the AM admin UI, go to Realms > Realm Name > Authorization > Resource Types and create a new resource type with the following settings:
  - Name: SAML SP Access
  - Pattern: *
  - Action: Assert (Default State: Deny)
- Go to Policy Sets and create a new policy set with the following settings:
  - Id: saml
  - Name: saml
  - Resource Types: SAML SP Access
  The policy set Id, saml, is the name the adapter script passes to getEntitlements, so the two must match.
- Add a new policy with the following settings:
  - Name: SAML Access Policy
  - Resource Types: SAML SP Access
  - Resources: *
  - Actions: ASSERT:Denied
  - Response Attributes: redirect_uri: https://example.com
  - Subjects: "type": "AuthenticatedUsers"
  This policy denies the Assert action for every authenticated user and returns redirect_uri as a response attribute; the script below reads that attribute to decide where to send the user instead of completing single sign-on.
Create the script
- In the AM admin UI, go to Realms > Realm Name > Scripts, click + New Script, add these settings, and click Create:
  - Name: A unique name for your script
  - Script Type: Scroll down to select Saml2 IDP Adapter
- In the Script text field for the new script, paste the template saml2-idp-adapter.js script.
- Insert the following code in the preSendResponse function. When the policy grants the Assert action for the SP, the function returns false and single sign-on continues. When it does not, the function redirects the user to the policy's redirect_uri (or sends a 403 error response if the policy returned no redirect_uri) and returns true so that Identity Cloud stops processing:

```javascript
function preSendResponse() {
    var frJava = JavaImporter(
        com.sun.identity.saml2.common.SAML2Exception);
    try {
        // Evaluate the "saml" policy set for this user, realm and SP request.
        var ents = idpAdapterScriptHelper.getEntitlements(
            "saml", realm, session, authnRequest).iterator();
        while (ents.hasNext()) {
            var entitlement = ents.next();
            var isAllowed = entitlement.getActionValue("Assert");
            if (isAllowed != null && isAllowed == true) {
                // Assert granted: let single sign-on continue.
                return false;
            } else {
                // Assert denied: redirect to the policy's redirect_uri,
                // or fail with 403 when the policy did not supply one.
                var redirectUris = entitlement.getAttributes().get("redirect_uri");
                if (redirectUris == null || redirectUris.isEmpty()) {
                    logger.error("No redirect_uri");
                    response.sendError(403);
                } else {
                    var redirectUri = redirectUris.iterator().next();
                    response.sendRedirect(redirectUri);
                }
                // A response has been written; stop Identity Cloud's own processing.
                return true;
            }
        }
    } catch (error) {
        logger.error("Error in preSendResponse. " + error);
        throw new frJava.SAML2Exception(error);
    }
}
```

  The decision is taken on the first entitlement returned. If getEntitlements returns no entitlements at all, the loop body never runs and neither branch is reached; the policy above matches every resource for all authenticated users, so this does not happen with the example configuration, but a policy with a narrower resource pattern should be paired with an explicit deny after the loop.
- Click Validate, make any necessary corrections, and click Save Changes.
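The following is an added, stand-alone version of the policy decision above, not code from the page or from the saml2-idp-adapter.js template. It runs under Node.js, so the Identity Cloud bindings are replaced with hypothetical in-memory stand-ins: arrays stand in for the Java iterator returned by getEntitlements, makeEntitlement mimics the getActionValue and getAttributes methods, and makeResponse records what sendError or sendRedirect would send. It goes beyond the page's script in two ways a practitioner would want: a missing entitlement or a missing Assert=true is treated as a deny (fail closed), and the redirect_uri taken from the policy response attribute is checked against an assumed operator-maintained allow-list before it is used, since that value becomes a user-facing redirect.

```javascript
// Added example (not the page's script): fail-closed preSendResponse logic
// with the Identity Cloud bindings replaced by in-memory stand-ins.

// Assumption: hosts that an SP policy may redirect users to. The page does
// not define such a list; an operator would maintain it.
const ALLOWED_REDIRECT_HOSTS = new Set(["example.com"]);

// Accept a redirect target only if it is https, carries no credentials in
// the authority part, and points at an allow-listed host.
function isSafeRedirect(uri) {
  let url;
  try {
    url = new URL(uri);
  } catch (e) {
    return false; // unparseable value from the policy response attribute
  }
  return (
    url.protocol === "https:" &&
    url.username === "" &&
    url.password === "" &&
    ALLOWED_REDIRECT_HOSTS.has(url.hostname)
  );
}

// Stand-in for an entitlement object:
//   getActionValue(name)        -> true/false, or null when the action is absent
//   getAttributes().get(name)   -> Set of values, or null when absent
function makeEntitlement(actionValues, attributes) {
  return {
    getActionValue: (name) => (name in actionValues ? actionValues[name] : null),
    getAttributes: () => ({
      get: (name) => (name in attributes ? new Set(attributes[name]) : null),
    }),
  };
}

// Stand-in for the servlet response binding; records what would be sent.
function makeResponse() {
  const record = { status: null, location: null };
  return {
    sendError: (code) => { record.status = code; },
    sendRedirect: (location) => { record.status = 302; record.location = location; },
    record,
  };
}

// Same return contract as the adapter hook: false lets single sign-on
// continue, true means this function has already written a response.
// Only the first entitlement is examined, as in the page's script.
function decideSsoResponse(entitlements, response, logger) {
  let entitlement = null;
  for (const e of entitlements) { entitlement = e; break; }

  if (entitlement !== null && entitlement.getActionValue("Assert") === true) {
    return false; // policy grants Assert: continue single sign-on
  }

  // Deny path. No entitlement at all is also a deny (fail closed).
  const uris = entitlement === null
    ? null
    : entitlement.getAttributes().get("redirect_uri");
  const redirectUri = uris && uris.size > 0 ? uris.values().next().value : null;

  if (redirectUri === null) {
    logger.error("Assert denied and policy returned no redirect_uri");
    response.sendError(403);
  } else if (!isSafeRedirect(redirectUri)) {
    logger.error("Refusing redirect_uri that fails the allow-list check: " + redirectUri);
    response.sendError(403);
  } else {
    response.sendRedirect(redirectUri);
  }
  return true;
}
```

When porting the check into the adapter script itself, replace the WHATWG URL class (a Node.js API) with whatever URL parsing the Identity Cloud script engine exposes; the decision structure and the fail-closed default carry over unchanged.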
Available objects
Identity Cloud injects the following objects into the execution context of an IDP adapter script:
Binding | Information |
---|---|
authnRequest | The original authentication request from the SP. For details, refer to AuthnRequest. Not available to the |
 | The fault code in the SAML response. Only available to the |
 | The details of the fault in the SAML response. Only available to the |
 | The entity ID for the hosted IDP. |
idpAdapterScriptHelper | An object with methods to provide context when customizing the IDP adapter plugin points. For details, refer to IdpAdapterScriptHelper. |
logger | Write a message to the Identity Cloud |
realm | The realm the user authenticates to. |
 | A String representing the Not available to the |
 | The identifier to continue processing if the adapter redirects. Not available to the |
 | The |
 | The SAML response. For details, refer to Response. Only available to the |
 | The Not available to the |
session | Represents the user’s single sign-on session object. For details, refer to SSOToken. Not available to the |