PingOne Advanced Identity Cloud

SP account mapper scripting API

The following bindings are available to SP account mapper scripts.

The SP account mapper script is a next-generation script and therefore has access to all the next-generation common bindings in addition to those described here.
Binding Description

accountMapperHelper

The helper object contains supporting methods that provide context information when customizing account mapping on the SP.

public Map<String, Object> getNameID()

Returns the NameID from the assertion as a map, or null if no NameID is present in the assertion. Check the result for null before reading entries from the returned map.

public boolean isTransientNameId(String nameIDFormat)

Returns true if the NameID format passed in nameIDFormat is the transient format, and false otherwise.

public String getTransientUserForSP()

Returns the transient user ID.

public boolean useNameIDAsSPUserID()

Returns true if the NameID should be used as the SP user ID.

public boolean isAutoFedEnabled()

Returns true if auto-federation is enabled for the entity.

public void validateUserId(String userId)

Validates the user ID.

public String getAutoFedUser(String defaultValue)

Returns the user for the auto-federation attribute, or defaultValue if no matching user is found. Specify the NameID value as the default value when a NameID is present in the assertion.

public String getAutoFedUser()

Returns the user for the auto-federation attribute, or null if no matching user is found. Use this method when no NameID is present in the assertion.

assertion

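The SAML 2.0 assertion as a map of values. In the example below, time values such as issueInstant, notBefore and notOnOrAfter appear as numeric epoch values in milliseconds, and each attribute carries both the raw XML element (attributeValue) and its plain text value (attributeValueString). The NameID and attribute values are supplied by the IdP, so treat them as external input when deriving the local user ID.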

Example assertion map
{
    "version": "2.0",
    "issueInstant": 1758805815000,
    "subject": {
        "subjectConfirmation": [
            {
                "subjectConfirmationData": {
                    "elementName": "SubjectConfirmationData",
                    "mutable": false,
                    "notOnOrAfter": 1758806415000,
                    "inResponseTo": "s29f426899dd94932aec220d3294c7b1ee964b54f7",
                    "content": [
                        ""
                    ],
                    "recipient": "https://sp.example.com:18080/am/Consumer/metaAlias/alpha/sp1",
                    "notBefore": null,
                    "address": null,
                    "contentType": null
                },
                "method": "urn:oasis:names:tc:SAML:2.0:cm:bearer",
                "nameID": null,
                "mutable": false,
                "encryptedID": null,
                "baseID": null
            }
        ],
        "nameID": {
            "@class": "com.sun.identity.saml2.assertion.impl.NameIDImpl",
            "value": "KR0XstW8C97SHPfusdTrTphgbiCo",
            "nameQualifier": "idp1",
            "format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
            "mutable": false,
            "spnameQualifier": "sp1",
            "spprovidedID": ""
        },
        "mutable": false,
        "encryptedID": null,
        "baseID": null
    },
    "advice": null,
    "signature": "<ds:Signature ...</ds:Signature>",
    "conditions": {
        "notOnOrAfter": 1758806415000,
        "conditions": [],
        "audienceRestrictions": [
            {
                "audience": [
                    "sp1"
                ],
                "mutable": false
            }
        ],
        "oneTimeUses": [],
        "proxyRestrictions": [],
        "notBefore": 1758805215000,
        "mutable": false
    },
    "id": "s2637ff7cd391dda376a66738031d7fbd63771debd",
    "statements": [],
    "authnStatements": [
        {
            "authnContext": {
                "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
                "authnContextDecl": null,
                "authnContextDeclRef": null,
                "authenticatingAuthority": null,
                "mutable": false
            },
            "subjectLocality": null,
            "authnInstant": 1758805814000,
            "sessionIndex": "s2be0bc04c82ddb9e91bdf70f21bf5fc7dda59a301",
            "sessionNotOnOrAfter": null,
            "mutable": false
        }
    ],
    "authzDecisionStatements": [],
    "attributeStatements": [
        {
            "mutable": false,
            "encryptedAttribute": null,
            "attribute": [
                {
                    "name": "mail",
                    "nameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
                    "friendlyName": null,
                    "mutable": false,
                    "attributeValue": [
                        "<saml:AttributeValue ...xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\">bjensen@example.com</saml:AttributeValue>"
                    ],
                    "anyAttribute": null,
                    "attributeValueString": [
                        "bjensen@example.com"
                    ]
                }
            ]
        }
    ],
    "issuer": {
        "value": "idp1",
        "nameQualifier": "",
        "format": "",
        "mutable": false,
        "spnameQualifier": "",
        "spprovidedID": ""
    },
    "signed": true,
    "mutable": false,
    "timeValid": true
}

hostedEntityId

The entity ID for the hosted SP.