PingAM 8.0.0

Metadata annotation

The annotation specifies two required attributes: the outcomeProvider and the configClass. Typically, the configClass attribute is an inner interface in the node implementation class.

You can also specify the following optional attributes: configValidator, extensions, and tags.

For example, the following is the @Node.Metadata annotation for the Data Store Decision node:

@Node.Metadata(outcomeProvider = AbstractDecisionNode.OutcomeProvider.class,
        configClass = DataStoreDecisionNode.Config.class,
        tags = {"basic authn", "basic authentication"})

Outcome provider

The outcomeProvider class defines the possible node outcomes.

The abstract implementations of the node interface, org.forgerock.openam.auth.node.api.SingleOutcomeNode and org.forgerock.openam.auth.node.api.AbstractDecisionNode, define outcome providers you can use for simple use cases. Provide your own implementation for more complex use cases.

To ensure the node is available to the Configuration Provider node, your outcome provider class must implement the StaticOutcomeProvider or the BoundedOutcomeProvider interfaces.

Learn more about these implementations and interfaces in the org.forgerock.openam.auth .node.api package.

For example, the following is the custom outcome provider from the LDAP Decision node, which has True, False, Locked, Cancelled, and Expired exit paths:

    /**
     * Defines the possible outcomes from this Ldap node.
     */
    public static class LdapOutcomeProvider implements StaticOutcomeProvider {
        @Override
        public List<Outcome> getOutcomes(PreferredLocales locales) {
            ResourceBundle bundle = locales.getBundleInPreferredLocale(LdapDecisionNode.BUNDLE,
                    LdapOutcomeProvider.class.getClassLoader());
            return ImmutableList.of(
                    new Outcome(LdapOutcome.TRUE.name(), bundle.getString("trueOutcome")),
                    new Outcome(LdapOutcome.FALSE.name(), bundle.getString("falseOutcome")),
                    new Outcome(LdapOutcome.LOCKED.name(), bundle.getString("lockedOutcome")),
                    new Outcome(LdapOutcome.CANCELLED.name(), bundle.getString("cancelledOutcome")),
                    new Outcome(LdapOutcome.EXPIRED.name(), bundle.getString("expiredOutcome")));
        }
    }

Configuration class

The configClass contains the configuration of any attributes requested by the node when using it as part of a tree.

Learn more in the Config interface.

Configuration validator

The optional configValidator class validates the provided configuration at the class level. This can be useful when you have two attributes that depend on each other for validation. For example, an attribute is only required if another attribute is set to true.

The configValidator class must implement the ServiceConfigValidator interface.

For example, the following is the @Node.Metadata annotation for the Message node:

@Node.Metadata(outcomeProvider = AbstractDecisionNode.OutcomeProvider.class,
        configClass = MessageNode.Config.class,
        configValidator = MessageNode.MessageNodeValidator.class,
        tags = {"utilities"})

Where the MessageNode.MessageNodeValidator.class validates the locales entered:

    /**
     * Validates the message node, ensuring all provided Locales are valid.
     */
    public static class MessageNodeValidator implements ServiceConfigValidator {

        private final Logger logger = LoggerFactory.getLogger(MessageNodeValidator.class);

        private static String getLocaleStringFromMessage(String message) {
            return StringUtils.substringBetween(message, "[", "]");
        }

        @Override
        public void validate(Realm realm, List<String> configPath, Map<String, Set<String>> attributes)
                throws ServiceConfigException, ServiceErrorException {
            for (String messageAttribute : MESSAGE_ATTRIBUTES) {
                validateMessageAttribute(attributes, messageAttribute);
            }
        }

        private void validateMessageAttribute(Map<String, Set<String>> attributes, String messageAttribute)
                throws ServiceConfigException {
            Set<String> attributesSet = attributes.get(messageAttribute);
            Set<Locale> messageLocales = attributesSet.stream()
                    .map(MessageNodeValidator::getLocaleStringFromMessage)
                    .map(com.sun.identity.shared.locale.Locale::getLocale)
                    .collect(Collectors.toSet());
            for (Locale messageLocale : messageLocales) {
                if (!LocaleUtils.isAvailableLocale(messageLocale)) {
                    logger.debug("Invalid messageLocale {} for {} attribute", messageLocale.toString(),
                            messageAttribute);
                    throw new ServiceConfigException("Invalid locale provided");
                }
            }
        }
    }

Extensions

The optional extensions class provides additional metadata information about the node. The Java class is serialized into JSON.

For example, the following is the @Node.Metadata annotation for the Username Collector node with an extensions class added:

@Node.Metadata(outcomeProvider = SingleOutcomeNode.OutcomeProvider.class,
        configClass = UsernameCollectorNode.Config.class,
        extensions = UsernameCollectorNode.ExtraMetadata.class,
        tags = {"basic authn", "basic authentication"})

Where the UsernameCollectorNode.ExtraMetadata.class adds extra metadata:

/**
     * Extra Metadata for the username collector node.
     */
    public static class ExtraMetadata {

        /**
         * The owner of the node.
         */
        public String owner = "Ping Identity";

    }

The getType() response for this node includes this metadata:

"metadata": {
    "owner": "Ping Identity",

Tags

The optional tags attribute contains a list of tags to categorize the node within the tree designer view.

Tags are made up of one or more text strings that let users find the node more easily when designing trees. For example, you could include common pseudonyms for the functionality the node provides, such as mfa for a node that provides multi-factor authentication functionality.

The tree designer view organizes nodes into a number of categories, based on the presence of certain tag values, as described in the table below:

Authentication node tag categories
Category Tag Example nodes

Basic Authentication

"basic authentication"

Data Store Decision node
Username Collector node

MFA

"mfa"

Push Sender node
WebAuthn Authentication node

Risk

"risk"

Account Lockout node
CAPTCHA node

Behavioral

"behavioral"

Increment Login Count node
Login Count Decision node

Contextual

"contextual"

Cookie Presence Decision node
Set Persistent Cookie node

Federation

"federation"

OAuth 2.0 node
OpenID Connect node

Identity Management

"identity management"

Anonymous User Mapping node
Terms and Conditions Decision node

Utilities

"utilities"

Choice Collector node
Scripted Decision node

Nodes that aren’t tagged with one of these tags appear in an Uncategorized section.

For example, the @Node.Metadata annotation for Timer Start node places it in the Utilities section:

@Node.Metadata(outcomeProvider = SingleOutcomeNode.OutcomeProvider.class,
        configClass = TimerStartNode.Config.class,
        tags = {"metrics", "utilities"})

Learn more in the Annotation Interface Node.Metadata.