Customizing SAML2 plugins in AM

This book provides information on customizing the SAML2 plugins in AM. These plugins include account mappers, attribute mappers and adapters for both the IdP and SP.


How do I customize SAML2 plugins in AM (All versions)?

The purpose of this article is to provide information on customizing the default SAML2 plugins in AM. These plugins include account mappers, attribute mappers and adapters for both the IdP and SP.

Overview

If you want to customize the default account mappers, attribute mappers or adapters, you need to implement corresponding interfaces or extend an abstract class. Most of those interfaces or abstract classes have an implementation that we recommend extending when you need a custom plugin. Extending an implementation allows you to delegate the bulk of the work to the default method implementation and only perform small changes according to business requirements.

The following table shows the classes to extend and the corresponding interfaces and abstract classes:

Plugin to customize Implementation class to extend Corresponding Interface or abstract class 
IDP Account Mapper DefaultIDPAccountMapper IDPAccountMapper
SP Account Mapper DefaultLibrarySPAccountMapper SPAccountMapper
IDP Attribute Mapper DefaultLibraryIDPAttributeMapper IDPAttributeMapper
SP Attribute Mapper DefaultSPAttributeMapper SPAttributeMapper
IDP Adapter DefaultIDPAdapter SAML2IdentityProviderAdapter
SP Adapter N/A SAML2ServiceProviderAdapter (Abstract class)

These classes are available from the am-external Git repository hosted on our BitBucket® Server.

The interfaces are part of the Public API: API Javadoc › Package com.sun.identity.saml2.plugins.

Caution

Disclaimer for the following code, please review before implementing these changes. This code is just a sample; it does not include best practice for Java® code (such as error handling) and will need customizing to fit your use case. Customizing SAML2 plugins is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.  

Customizing a default plugin

See the following articles for specific details on customizing the different SAML2 plugins for different use cases:

The basic process is:

  1. Git clone the AM external repository.
  2. Check out the relevant branch.
  3. Create a new Java project in your IDE.
  4. Add a Maven dependency to your project for the openam-federation-library.
  5. Create a new custom class that extends the default implementation class.
  6. Override the method you want to modify and insert your business logic.
  7. Build a .jar file containing the custom class.
  8. Copy the .jar file to the WEB-INF/lib/ folder where AM is deployed.
  9. Update the configuration for the relevant hosted entity provider by replacing the default class with your new custom class.
  10. Restart the web application container in which AM runs.
  11. Test your changes.

See Also

Customizing SAML2 plugins in AM

SAML Federation in AM

SAML v2.0 Guide › Assertion Processing (IdP)

SAML v2.0 Guide › Assertion Processing (SP)

SAML v2.0 Guide › Advanced Settings (IdP)

API Javadoc › Package com.sun.identity.saml2.plugins

Related Training

N/A

Related Issue Tracker IDs

OPENAM-11474 (Custom IDP Attribute mappers may cause failures after upgrade)


Account Mappers


How do I create a custom SAML2 IdP account mapper in AM (All versions)?

The purpose of this article is to provide information on creating a custom SAML2 account mapper for the hosted IdP in AM. This is achieved by extending the DefaultIDPAccountMapper class that implements the IDPAccountMapper interface, which requires cloning the am-external repository. A common customization is to modify the NameID value included in a SAML2 assertion by adding a static value as prefix and/or suffix.

Overview

If you want to customize the default IdP account mapper, for example, to customize the NameID value returned in the assertion, you can do this by implementing a custom IDPAccountMapper. This is achieved by extending the DefaultIDPAccountMapper Java® class. This class is available from the am-external Git repository hosted on our BitBucket® Server.

Caution

Disclaimer for the following code, please review before implementing these changes. This code is just a sample; it does not include best practice for Java code (such as error handling) and will need customizing to fit your use case. Customizing SAML2 plugins is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.  

Prerequisites 

Creating a custom account mapper requires cloning the am-external repository. Before you begin, please follow the steps below to ensure you have access to the ForgeRock private Maven repository:

  1. Generate a ~/.m2/settings.xml file per How do I access the ForgeRock protected Maven repositories? It is essential that you create a valid settings.xml to access the Maven repositories needed for the build process. Failing to do this will cause your build to fail.
  2. Create an SSH key and add it to your Bitbucket profile to allow you to clone the source code with an SSH URL.

Customizing the NameID value

The NameID value included in the SAML assertion is used by the remote SP to identify the end user via account mapping. See How does AM (All versions) use account mapping to identify the end user from a SAML Assertion? for further information.

There may be a need to modify the NameID value to comply with the business requirement of the remote SP. For example, the SP might want the NameID value to include their domain as a suffix; so if the NameID value is 12345, it would become 12345@sp.example.com when passed in the assertion. This change would only affect the one remote SP; the NameID value for other SPs would remain unchanged.

You can customize the NameID value as follows:

  1. Git clone the AM external repository (this repository is required for reference and building your custom class): $ git clone ssh://git@stash.forgerock.org:7999/openam/am-external.git
  2. Check out the relevant branch. For example, 7.0.0: $ cd am-external $ git checkout releases/7.0.0  $ cd openam-federation
  3. Create a new Java project in your IDE.
  4. Add a Maven dependency to your project for the openam-federation-library. For example:<dependency>  <groupId>org.forgerock.am</groupId>   <artifactId>openam-federation-library</artifactId> </dependency>
Note

You must add openam-federation-library as a dependency. The code for this library is located in the repository you cloned in step 1 (am-external/openam-federation/openam-federation-library). You may need to add more dependencies depending on your specific customization.

  1. Create a new custom class that extends the DefaultIDPAccountMapper class, for example, CustomIDPAccountMapper. You should refer to Interface IDPAccountMapper for further information.
  2. Override the getNameID() method to achieve your desired customization. The resulting class would look similar to this: public class CustomIDPAccountMapper extends DefaultIDPAccountMapper{    @Override     public NameID getNameID(Object session, String hostEntityID, String remoteEntityID, String realm, String nameIDFormat) throws SAML2Exception {         NameID myNameID= super.getNameID(session, hostEntityID, remoteEntityID, realm, nameIDFormat);         if ("http://sp.example.com:38080/openam".equals(remoteEntityID)) {             myNameID.setValue(myNameID.getValue() + "@sp.example.com");         }         return myNameID;     } }
  3. Build a .jar file containing the custom class using the following command:$ mvn clean packageThe project will generate a .jar file containing your custom class in the target directory. For example, am-custom-mapper-7.0.0.jar.
  4. Copy the .jar file to the WEB-INF/lib/ folder where AM is deployed. For example:$ cp am-custom-mapper-7.0.0.jar /path/to/tomcat/webapps/openam/WEB-INF/lib/
  5. Update the configuration for the Hosted IdP with your new custom class:
    • AM 6 and later console: navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers  > [Hosted IdP Name] > Assertion Processing > Account Mapper and replace the default class with the fully qualified name of your custom class.
    • AM 5.x console: navigate to Realms > [Realm Name] > Applications > SAML > Circle of Trust Configuration > Entity Providers > [Hosted IdP Name] > Assertion Processing > Account Mapper and replace the default class with the fully qualified name of your custom class.
  6. Restart the web application container in which AM runs.
  7. Test your changes.

The resulting assertion will show the modified NameID for the applicable SP. If you used the above snippet of code, this would mean you only see changes for http://sp.example.com, but not for other SPs.

See Also

How do I customize SAML2 plugins in AM (All versions)?

SAML Federation in AM

SAML v2.0 Guide › Assertion Processing

API Javadoc › Interface IDPAccountMapper

Related Training

N/A

Related Issue Tracker IDs

N/A


How do I create a custom SAML2 SP account mapper in AM (All versions)?

The purpose of this article is to provide information on creating a custom SAML2 account mapper for the hosted SP in AM. This is achieved by extending the DefaultLibrarySPAccountMapper class that implements the SPAccountMapper interface, which requires cloning the am-external repository.

Overview

If you want to customize the default SP account mapper, for example, to present a Terms and Conditions page to users who are federating for the first time, you can do this by implementing a custom SPAccountMapper. This is achieved by extending the DefaultLibrarySPAccountMapper Java® class. This class is available from the am-external Git repository hosted on our BitBucket® Server.

Caution

Disclaimer for the following code, please review before implementing these changes. This code is just a sample; it does not include best practice for Java code (such as error handling) and will need customizing to fit your use case. Customizing SAML2 plugins is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.  

Prerequisites 

Creating a custom account mapper requires cloning the am-external repository. Before you begin, please follow the steps below to ensure you have access to the ForgeRock private Maven repository:

  1. Generate a ~/.m2/settings.xml file per How do I access the ForgeRock protected Maven repositories? It is essential that you create a valid settings.xml to access the Maven repositories needed for the build process. Failing to do this will cause your build to fail.
  2. Create an SSH key and add it to your Bitbucket profile to allow you to clone the source code with an SSH URL.

Creating a custom SP account mapper

You can create a custom SP account mapper as follows:

  1. Git clone the AM external repository: $ git clone ssh://git@stash.forgerock.org:7999/openam/am-external.git
  2. Check out the relevant branch. For example, 7.0.0: $ cd am-external $ git checkout releases/7.0.0  $ cd openam-federation
  3. Create a new Java project in your IDE.
  4. Add a Maven dependency to your project for the openam-federation-library. For example:<dependency>  <groupId>org.forgerock.am</groupId>   <artifactId>openam-federation-library</artifactId> </dependency>
Note

You must add openam-federation-library as a dependency. The code for this library is located in the repository you cloned in step 1 (am-external/openam-federation/openam-federation-library). You may need to add more dependencies depending on your specific customization.

  1. Create a new custom class that extends the DefaultLibrarySPAccountMapper class, for example, CustomSPAccountMapper. You should refer to Interface SPAccountMapper for further information.
  2. Override the getIdentity() method to achieve your desired customization. The resulting class would look similar to this: public class CustomSPAccountMapper extends DefaultLibrarySPAccountMapper {    /**     * comments to be made here      */     @Override     public String getIdentity (         Assertion assertion,         String hostEntityID,         String realm){              String myIdentity = super.getIdentity(assertion, hostEntityID, realm);              if (myIdentity == null) {             // write custom code. For example, present a Terms and Conditions page for first time federated users.         }         //write custom code here if needed.                   return myIdentity;     } }
  3. Build a .jar file containing the custom class using the following command:$ mvn clean packageThe project will generate a .jar file containing your custom class in the target directory. For example, am-custom-mapper-7.0.0.jar.
  4. Copy the .jar file to the WEB-INF/lib/ folder where AM is deployed. For example:$ cp am-custom-mapper-7.0.0.jar /path/to/tomcat/webapps/openam/WEB-INF/lib/
  5. Update the configuration for the Hosted SP with your new custom class:
    1. AM 6 and later console: navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers > [Hosted SP Name] > Assertion Processing > Account Mapper and replace the default class with the fully qualified name of your custom class.
    2. AM 5.x console: navigate to Realms > [Realm Name] > Applications > SAML > Circle of Trust Configuration > Entity Providers > [Hosted SP Name] > Assertion Processing > Account Mapper and replace the default class with the fully qualified name of your custom class.
  6. Restart the web application container in which AM runs.
  7. Test your changes.

See Also

How do I customize SAML2 plugins in AM (All versions)?

How does AM (All versions) use account mapping to identify the end user from a SAML Assertion?

SAML Federation in AM

SAML v2.0 Guide › Assertion Processing

API Javadoc › Interface SPAccountMapper

Related Training

N/A

Related Issue Tracker IDs

N/A


Attribute Mappers


How do I create a custom SAML2 IdP attribute mapper in AM (All versions)?

The purpose of this article is to provide information on creating a custom SAML2 attribute mapper for the hosted IdP in AM. This is achieved by extending the DefaultLibraryIDPAttributeMapper class that implements the IDPAttributeMapper interface, which requires cloning the am-external repository.

Overview

If you want to customize the default IdP attribute mapper, for example, to map an LDAP attribute name and value to a custom format for a specific SP, you can do this by implementing a custom IDPAttributeMapper. This is achieved by extending the DefaultLibraryIDPAttributeMapper Java® class. This class is available from the am-external Git repository hosted on our BitBucket® Server.

Caution

Disclaimer for the following code, please review before implementing these changes. This code is just a sample; it does not include best practice for Java code (such as error handling) and will need customizing to fit your use case. Customizing SAML2 plugins is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.  

Prerequisites 

Creating a custom attribute mapper requires cloning the am-external repository. Before you begin, please follow the steps below to ensure you have access to the ForgeRock private Maven repository:

  1. Generate a ~/.m2/settings.xml file per How do I access the ForgeRock protected Maven repositories? It is essential that you create a valid settings.xml to access the Maven repositories needed for the build process. Failing to do this will cause your build to fail.
  2. Create an SSH key and add it to your Bitbucket profile to allow you to clone the source code with an SSH URL.

Creating a custom IdP attribute mapper

You can create a custom IdP attribute mapper as follows:

  1. Git clone the AM external repository (this repository is required for reference and building your custom class): $ git clone ssh://git@stash.forgerock.org:7999/openam/am-external.git
  2. Check out the relevant branch. For example, 7.0.0: $ cd am-external $ git checkout releases/7.0.0  $ cd openam-federation
  3. Create a new Java project in your IDE.
  4. Add a Maven dependency to your project for the openam-federation-library. For example:<dependency>  <groupId>org.forgerock.am</groupId>   <artifactId>openam-federation-library</artifactId> </dependency>
Note

You must add openam-federation-library as a dependency. The code for this library is located in the repository you cloned in step 1 (am-external/openam-federation/openam-federation-library). You may need to add more dependencies depending on your specific customization.

  1. Create a new custom class that extends the DefaultLibraryIDPAttributeMapper class, for example, CustomIDPAttributeMapper. You should refer to Interface IDPAttributeMapper for further information.
  2. Override the getAttributes() method to achieve your desired customization. The resulting class would look similar to this: public class CustomIDPAttributeMapper extends DefaultLibraryIDPAttributeMapper {    /**     * comments to be made here      */     @Override     public List getAttributes (         Object session,          String hostEntityID,          String remoteEntityID,          String realm){              List<Attribute> attributes =          super.getAttributes (session, hostEntityID, remoteEntityID, realm);              if ("http://sp.example.com:38080/openam".equals(remoteEntityID)) {             //modify attribute list here         }               return attributes;     } }
  3. Build a .jar file containing the custom class using the following command:$ mvn clean packageThe project will generate a .jar file containing your custom class in the target directory. For example, am-custom-mapper-7.0.0.jar.
  4. Copy the .jar file to the WEB-INF/lib/ folder where AM is deployed. For example:$ cp am-custom-mapper-7.0.0.jar /path/to/tomcat/webapps/openam/WEB-INF/lib/
  5. Update the configuration for the Hosted IdP with your new custom class:
    • AM 6 and later console: navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers > [Hosted IdP Name] > Assertion Processing > Attribute Mapper and replace the default class with the fully qualified name of your custom class.
    • AM 5.x console: navigate to Realms > [Realm Name] > Applications > SAML > Circle of Trust Configuration > Entity Providers > [Hosted IdP Name] > Assertion Processing > Attribute Mapper and replace the default class with the fully qualified name of your custom class.
  6. Restart the web application container in which AM runs.
  7. Test your changes.

See Also

How do I customize SAML2 plugins in AM (All versions)?

SAML Federation in AM

SAML v2.0 Guide › Assertion Processing

API Javadoc › Interface IDPAttributeMapper

Related Training

N/A

Related Issue Tracker IDs

OPENAM-11474 (Custom IDP Attribute mappers may cause failures after upgrade)


How do I create a custom SAML2 SP attribute mapper in AM (All versions)?

The purpose of this article is to provide information on creating a custom SAML2 attribute mapper for the hosted SP in AM. This is achieved by extending the DefaultSPAttributeMapper class that implements the SPAttributeMapper interface, which requires cloning the am-external repository.

Overview

If you want to customize the default SP attribute mapper, for example, to map an LDAP attribute name and value to a custom format, or to add an extra attribute to the local session, you can do this by implementing a custom SPAttributeMapper. This is achieved by extending the DefaultSPAttributeMapper Java® class. This class is available from the am-external Git repository hosted on our BitBucket® Server.

Caution

Disclaimer for the following code, please review before implementing these changes. This code is just a sample; it does not include best practice for Java code (such as error handling) and will need customizing to fit your use case. Customizing SAML2 plugins is outside the scope of ForgeRock support; if you want more tailored advice, consider engaging Deployment Support Services.  

Prerequisites 

Creating a custom attribute mapper requires cloning the am-external repository. Before you begin, please follow the steps below to ensure you have access to the ForgeRock private Maven repository:

  1. Generate a ~/.m2/settings.xml file per How do I access the ForgeRock protected Maven repositories? It is essential that you create a valid settings.xml to access the Maven repositories needed for the build process. Failing to do this will cause your build to fail.
  2. Create an SSH key and add it to your Bitbucket profile to allow you to clone the source code with an SSH URL.

Creating a custom SP attribute mapper

You can create a custom SP attribute mapper as follows:

  1. Git clone the AM external repository (this repository is required for reference and building your custom class): $ git clone ssh://git@stash.forgerock.org:7999/openam/am-external.git
  2. Check out the relevant branch. For example, 7.0.0: $ cd am-external $ git checkout releases/7.0.0  $ cd openam-federation
  3. Create a new Java project in your IDE.
  4. Add a Maven dependency to your project for the openam-federation-library. For example:<dependency>  <groupId>org.forgerock.am</groupId>   <artifactId>openam-federation-library</artifactId> </dependency>
Note

You must add openam-federation-library as a dependency. The code for this library is located in the repository you cloned in step 1 (am-external/openam-federation/openam-federation-library). You may need to add more dependencies depending on your specific customization.

  1. Create a new custom class that extends the DefaultSPAttributeMapper class, for example, CustomSPAttributeMapper. You should refer to Interface SPAttributeMapper for further information.
  2. Override the getAttributes() method to achieve your desired customization. The resulting class would look similar to this: public class CustomSPAttributeMapper extends DefaultSPAttributeMapper {    /**      * Constructor      */     public CustomSPAttributeMapper() {     }     /**     * comments to be made here      */     @Override     public Map<String,Set<String>> getAttributes (         List<Attribute> attributes,          String userID,          String hostEntityID,          String remoteEntityID,          String realm){      Map<String,Set<String>> attributes =          super.getAttributes (attributes, userID, hostEntityID, remoteEntityID, realm);               //insert business logic here such as adding a new attribute               return attributes;     } }
  3. Build a .jar file containing the custom class using the following command:$ mvn clean packageThe project will generate a .jar file containing your custom class in the target directory. For example, am-custom-mapper-7.0.0.jar.
  4. Copy the .jar file to the WEB-INF/lib/ folder where AM is deployed. For example:$ cp am-custom-mapper-7.0.0.jar /path/to/tomcat/webapps/openam/WEB-INF/lib/
  5. Update the configuration for the Hosted SP with your new custom class:
    • AM 6 and later console: navigate to Realms > [Realm Name] > Applications > Federation > Entity Providers > [Hosted SP Name] > Assertion Processing > Attribute Mapper and replace the default class with the fully qualified name of your custom class.
    • AM 5.x console: navigate to Realms > [Realm Name] > Applications > SAML > Circle of Trust Configuration > Entity Providers > [Hosted SP Name] > Assertion Processing > Attribute Mapper and replace the default class with the fully qualified name of your custom class.
  6. Restart the web application container in which AM runs.
  7. Test your changes.

See Also

How do I customize SAML2 plugins in AM (All versions)?

SAML Federation in AM

SAML v2.0 Guide › Assertion Processing

API Javadoc › Interface SPAttributeMapper

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and TrademarksCopyright © 2021 ForgeRock, all rights reserved.

This content has been optimized for printing.

Loading...