PingAM 8.0.0

IdP attribute mapper

Use the IdP attribute mapper to map user-configured attributes to SAML attribute objects to insert into the generated SAML assertion.

The default implementation is to retrieve the mapped attribute values from the user profile first. If the attribute values aren’t present in the user’s profile, then the IdP attribute mapper attempts to retrieve them from the authenticated session.

These steps assume your environment is already correctly configured for single sign-on using SAML v2.0, where AM is the hosted IdP.

Java implementation

Java interface

IDPAttributeMapper

Default Java class

com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper

To create a custom IdP attribute mapper in Java, follow these high-level steps:

  1. Include the openam-federation-library as a dependency in your Maven project.

  2. Write a Java class that implements the com.sun.identity.saml2.plugins.IDPAttributeMapper interface, or extends the com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper class.

  3. Override the getAttributes() method to customize the list of attributes returned.

  4. Package your custom class in a JAR file and copy it to the /WEB-INF/lib folder where you deployed AM.

  5. Configure AM to use the new Java plugin.

    1. In the AM admin UI, go to Realms > Realm Name > Applications > Federation > Entity Providers > Hosted IDP Name > Assertion Processing.

    2. In the Attribute Mapper field, type the fully qualified name of your custom class.

    3. Save your changes.

  6. Restart AM or the container in which it runs.

Scripted implementation

Complete the following steps to implement an example IdP attribute mapper script that modifies the SAML attributes that are inserted in the assertion returned by the IdP.


  1. In the AM admin UI, go to Realms > Realm Name > Scripts, and click SAML2 IDP Attribute Mapper Script to modify the default script. Alternatively, create a new script of type Saml2 IDP Attribute Mapper.

  2. In the Script field, insert the following example code around line 150 of the default script, immediately before the return attributes; statement. The example adds a custom static attribute to the list returned by the script:

    var customSet = new java.util.HashSet();
    customSet.add("test");
    attributes.add(idpAttributeMapperScriptHelper.createSAMLAttribute("customSAMLAttribute", null, customSet));

  3. Validate and save your changes.

  4. Configure AM to use the updated IdP attribute mapper script.

    1. Still in the AM admin UI, go to Applications > Federation > Entity Providers > Hosted IDP Name > Assertion Processing.

    2. Under Attribute Mapper, select your customized script from the Attribute Mapper Script drop-down list.

    3. Save your changes.

  5. Test your changes and verify that the AttributeStatement element in the SAML assertion contains the custom attribute.

    For example:

    <saml:AttributeStatement>
      <saml:Attribute Name="customSAMLAttribute">
        <saml:AttributeValue
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:type="xs:string">test</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
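As an added illustration (not PingAM's code, and not runnable inside the AM script engine), the following Node.js model shows the mapping logic described above: profile first, authenticated session as fallback, the static customSAMLAttribute from the script snippet, and the resulting AttributeStatement you would check in step 5. The createSAMLAttribute() function is a local stand-in for idpAttributeMapperScriptHelper.createSAMLAttribute(), and the mappings, profile and session are constructed sample data.

```javascript
// Attribute mappings in the "samlAttribute=localAttribute" form used by the
// hosted IdP configuration (constructed example values, not from PingAM).
const ATTRIBUTE_MAPPINGS = { mail: "mail", cn: "cn", department: "ou" };

// Stand-in for idpAttributeMapperScriptHelper.createSAMLAttribute(name, nameFormat, values).
function createSAMLAttribute(name, nameFormat, values) {
  return { name, nameFormat, values: Array.from(values) };
}

// Default mapper behaviour: look in the user profile first, then in the
// authenticated session; an attribute with no value in either is omitted.
function mapAttributes(mappings, profile, session) {
  const attributes = [];
  for (const [samlName, localName] of Object.entries(mappings)) {
    let values = profile[localName];
    if (!values || values.length === 0) values = session[localName];
    if (!values || values.length === 0) continue; // no source: leave it out
    attributes.push(createSAMLAttribute(samlName, null, new Set(values)));
  }
  // Static custom attribute, as added by the script snippet in step 2.
  attributes.push(createSAMLAttribute("customSAMLAttribute", null, new Set(["test"])));
  return attributes;
}

// Escape text before placing it in XML so a profile value containing
// "<" or "&" cannot alter the structure of the AttributeStatement.
function escapeXml(s) {
  const map = { "<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&apos;" };
  return String(s).replace(/[<>&"']/g, (c) => map[c]);
}

// Render the attribute list as the AttributeStatement element of an assertion.
function toAttributeStatement(attributes) {
  const body = attributes.map((a) =>
    `  <saml:Attribute Name="${escapeXml(a.name)}"` +
    (a.nameFormat ? ` NameFormat="${escapeXml(a.nameFormat)}"` : "") + ">\n" +
    a.values.map((v) => `    <saml:AttributeValue xsi:type="xs:string">${escapeXml(v)}</saml:AttributeValue>\n`).join("") +
    "  </saml:Attribute>\n").join("");
  return `<saml:AttributeStatement>\n${body}</saml:AttributeStatement>`;
}

// Constructed sample data: "ou" is absent from the profile but present in the session.
const SAMPLE_PROFILE = { mail: ["alice@example.com"], cn: ["Alice Example"] };
const SAMPLE_SESSION = { ou: ["Engineering"] };

console.log(toAttributeStatement(mapAttributes(ATTRIBUTE_MAPPINGS, SAMPLE_PROFILE, SAMPLE_SESSION)));
```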