IdP adapter
Use an IdP adapter script to alter the processing of the authentication request; for example, redirect the user before single sign-on or before sending a failure response.
The script provides hooks at the following points in assertion processing:
| Processing phase | Description |
|---|---|
| | Invoked when Advanced Identity Cloud receives the authentication request. Only applicable to SP-initiated flows. |
| | Invoked before redirecting the request for authentication. Only applicable to SP-initiated flows. |
| | Invoked after the user successfully authenticates or makes the request with an existing valid session, and before the response is sent. |
| | Invoked after Advanced Identity Cloud prepares the response, but before it signs the response. This lets you customize the content of the SAML response. |
| | Invoked before Advanced Identity Cloud returns a SAML error response. Only applicable to SP-initiated flows. |
Learn about IdP adapter scripts from the following resources:
Demonstrate an IdP adapter
Before you try the example, configure single sign-on using SAML v2.0 with Advanced Identity Cloud as the hosted IdP.
The following example determines whether to redirect the authentication journey based on the result of a policy evaluation:
Configure a policy

1. Under Native Consoles > Access Management, go to Realms > Realm Name > Authorization > Resource Types and create a new resource type with the following settings:
   - Name: SAML SP Access
   - Pattern: *
   - Action: Assert (Default State: Deny)
2. Go to Policy Sets and create a new policy set with the following settings:
   - Id: saml
   - Name: saml
   - Resource Types: SAML SP Access
3. Add a new policy with the following settings:
   - Name: SAML Access Policy
   - Resource Types: SAML SP Access
   - Resources: *
   - Actions: ASSERT:Denied
   - Response Attributes: redirect_uri: https://example.com
   - Subjects: "type": "AuthenticatedUsers"
Create the script

1. In the Advanced Identity Cloud admin console, create a script of type SAML2 IDP Adapter.
2. In the JavaScript field, paste the template saml2-idp-adapter.js script.
3. Insert the following code in the preSendResponse function. The script causes Advanced Identity Cloud to redirect or send an error response if the policy for the SP evaluates to false:

   ```javascript
   function preSendResponse() {
       var frJava = JavaImporter(com.sun.identity.saml2.common.SAML2Exception);
       try {
           // Evaluate the "saml" policy set for this session and the SP's authentication request
           var ents = idpAdapterScriptHelper.getEntitlements("saml", realm, session, authnRequest).iterator();
           while (ents.hasNext()) {
               var entitlement = ents.next();
               var isAllowed = entitlement.getActionValue("Assert");
               if (isAllowed != null && isAllowed == true) {
                   // Policy allows the assertion: let normal response processing continue
                   return false;
               } else {
                   // Policy denies: redirect to the configured redirect_uri, or send 403 if none is set
                   var redirectUris = entitlement.getAttributes().get("redirect_uri");
                   if (redirectUris == null || redirectUris.isEmpty()) {
                       logger.error("No redirect_uri");
                       response.sendError(403);
                   } else {
                       var redirectUri = redirectUris.iterator().next();
                       response.sendRedirect(redirectUri);
                   }
                   // Returning true tells the IdP the response has already been handled
                   return true;
               }
           }
       } catch (error) {
           logger.error("Error in preSendResponse. " + error);
           throw new frJava.SAML2Exception(error);
       }
   }
   ```

4. Save your changes and close the editor.
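To check the decision logic of that hook before deploying it, the following added example (not part of this page or of the saml2-idp-adapter.js template) reimplements it in plain Node.js. The Java Entitlement objects and the servlet response are replaced with constructed stand-ins: the `actionValues` and `attributes` fields, `makeResponseRecorder` and `handlePreSendResponse` are assumptions made for this example. It also handles the case the page's script leaves implicit: when the helper returns no entitlement at all, this version denies with 403 instead of falling through to normal response processing.

```javascript
// Added example: the preSendResponse decision logic, factored out so it runs
// and can be tested outside the IdP. Entitlements are plain objects standing
// in for the Java Entitlement objects returned by getEntitlements().

function makeResponseRecorder() {
  // Constructed stand-in for the servlet response used by the adapter script:
  // records what the script would have sent instead of sending it.
  const calls = [];
  return {
    calls,
    sendError(status) { calls.push({ type: "error", status }); },
    sendRedirect(location) { calls.push({ type: "redirect", location }); },
  };
}

// Returns false when the IdP should go on to send the SAML response, true when
// the response has been handled here (redirect or error), mirroring the hook.
// Deliberate difference from the page's script: no entitlement => deny (403).
function handlePreSendResponse(entitlements, response, log = []) {
  if (entitlements.length === 0) {
    log.push("No entitlement returned for this SP; denying");
    response.sendError(403);
    return true;
  }
  for (const ent of entitlements) {
    const isAllowed = ent.actionValues ? ent.actionValues.Assert : undefined;
    if (isAllowed === true) {
      return false; // policy allows: let the IdP send the assertion
    }
    const uris = (ent.attributes && ent.attributes.redirect_uri) || [];
    if (uris.length === 0) {
      log.push("No redirect_uri");
      response.sendError(403);
    } else {
      response.sendRedirect(uris[0]); // first configured redirect_uri, as in the script
    }
    return true; // response already handled
  }
}

// Constructed sample entitlements shaped like the walkthrough's policy results
const allowed = [{ actionValues: { Assert: true }, attributes: {} }];
const deniedWithRedirect = [{
  actionValues: { Assert: false },
  attributes: { redirect_uri: ["https://example.com"] },
}];
const deniedNoRedirect = [{ actionValues: { Assert: false }, attributes: {} }];

// Runs one scenario and returns what the hook decided and what it would send
function runScenario(entitlements) {
  const response = makeResponseRecorder();
  const log = [];
  const handled = handlePreSendResponse(entitlements, response, log);
  return { handled, calls: response.calls, log };
}

for (const [name, ents] of [
  ["allowed", allowed],
  ["deniedWithRedirect", deniedWithRedirect],
  ["deniedNoRedirect", deniedNoRedirect],
  ["noEntitlement", []],
]) {
  console.log(name, JSON.stringify(runScenario(ents)));
}
```

The redirect target comes from the policy's response attribute, which an administrator configures, so the only values the script will ever redirect to are those set in the policy; a missing attribute results in a 403 rather than a redirect to an empty location.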