public interface SpAuthenticationAdapter extends ConfigurableAuthnAdapter

See ConfigurableAuthnAdapter for methods that need to be implemented to facilitate communication of configuration information with the PingFederate server.

See also: LocalIdPasswordLookup
Modifier and Type | Field and Description |
---|---|
static String | REQUEST_ATTR_KEY_CREATE_AUTHN_COMPLETE: A request attribute key to indicate to the server that the adapter is done processing the create authn step even though the response has been committed. |
Modifier and Type | Method and Description |
---|---|
Serializable | createAuthN(SsoContext ssoContext, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String resumePath): This is the method that the PingFederate server will invoke during processing of a single sign-on to create a security context for a user at the external application. |
boolean | logoutAuthN(Serializable authnBean, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String resumePath): This is the method that the PingFederate server will invoke during processing of a single logout to terminate a security context for a user at the external application. |
String | lookupLocalUserId(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String partnerIdpEntityId, String resumePath): When the PingFederate server is configured to do account linking, it stores the association between the user identifier provided by the IdP and the local user identifier. |
Methods inherited from interface ConfigurableAuthnAdapter: configure, getAdapterDescriptor
static final String REQUEST_ATTR_KEY_CREATE_AUTHN_COMPLETE
Serializable createAuthN(SsoContext ssoContext, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String resumePath) throws AuthnAdapterException, IOException
If your implementation of this method needs to operate asynchronously, it just needs to write to the
HttpServletResponse as appropriate and commit it. Right after invoking this method the PingFederate server
checks to see if the response has been committed. If the response has been committed, PingFederate saves
the state it needs and discontinues processing for the current transaction. Processing of the transaction is
continued when the user agent returns to the resumePath at the PingFederate server, at which
point the server invokes this method again. This series of events will be repeated until this method
returns without committing the response. When that happens (which could be the first invocation) PingFederate
will complete the protocol transaction processing with the return result of this method.
Note that if the response is committed, then PingFederate ignores the return value. Only the return value of an invocation that does not commit the response will be used.
There may be implementations where your adapter implementation needs to commit the response
(e.g., render an HTML 'auto-post' page that submits to the target resource) but completes the act of
creating the authenticated session in doing so and therefore does not require any asynchronous behavior.
In such a situation PingFederate should store the return value of this method to facilitate logout
at a later time but refrain from sending a 302 redirect to the user agent as normal (because the
adapter has already committed the response). This behavior can be achieved by setting the following
attribute on the HttpServletRequest:
req.setAttribute(REQUEST_ATTR_KEY_CREATE_AUTHN_COMPLETE, true);
and then writing to and committing the HttpServletResponse as appropriate.
Parameters:
ssoContext - an object containing information about the single sign-on (including user identifying attributes).
req - the HttpServletRequest can be used to read cookies, parameters, headers, etc. It can also be used to find out more about the request, such as the full URL the request was made to. Accessing the HttpSession from the request is not recommended and doing so is deprecated. Use SessionStateSupport as an alternative.
resp - the HttpServletResponse. The response can be used to facilitate an asynchronous interaction. Sending a client-side redirect or writing (and flushing) custom content to the response are two ways that an invocation of this method allows the adapter to take control of the user agent. Note that if control of the user agent is taken in this way, then the agent must eventually be returned to the resumePath endpoint at the PingFederate server to complete the protocol transaction.
resumePath - the relative URL that the user agent needs to return to, if the implementation of this method invocation needs to operate asynchronously. If this method operates synchronously, this parameter can be ignored. The resumePath is the full path portion of the URL - everything after hostname and port. If the hostname, port, or protocol are needed, they can be derived using the HttpServletRequest.
Returns:
the opaque (to the PingFederate server) Serializable that will be passed to the logoutAuthN(java.io.Serializable, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.lang.String) method. This is the value that the adapter implementation can use to identify individual user security contexts. Many implementations will find using a String such as a session id sufficient for this value.
Throws:
AuthnAdapterException - for any unexpected runtime problem that the implementation cannot handle.
IOException - for any problem with I/O (typically any operation that writes to the HttpServletResponse will throw an IOException).

String lookupLocalUserId(javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String partnerIdpEntityId, String resumePath) throws AuthnAdapterException, IOException
If your implementation of this method needs to operate asynchronously, it just needs to write to the
HttpServletResponse as appropriate and commit it. Right after invoking this method the PingFederate server
checks to see if the response has been committed. If the response has been committed, PingFederate saves
the state it needs and discontinues processing for the current transaction. Processing of the transaction is
continued when the user agent returns to the resumePath at the PingFederate server, at which
point the server invokes this method again. This series of events will be repeated until this method
returns without committing the response. When that happens (which could be the first invocation) PingFederate
will complete the protocol transaction processing with the return result of this method.
Parameters:
req - the HttpServletRequest can be used to read cookies, parameters, headers, etc. It can also be used to find out more about the request, such as the full URL the request was made to. Accessing the HttpSession from the request is not recommended and doing so is deprecated. Use SessionStateSupport as an alternative.
resp - the HttpServletResponse. The response can be used to facilitate an asynchronous interaction. Sending a client-side redirect or writing (and flushing) custom content to the response are two ways that an invocation of this method allows the adapter to take control of the user agent. Note that if control of the user agent is taken in this way, then the agent must eventually be returned to the resumePath endpoint at the PingFederate server to complete the protocol transaction.
partnerIdpEntityId - the entity id of the IdP from whom the single sign-on was received.
resumePath - the relative URL that the user agent needs to return to, if the implementation of this method invocation needs to operate asynchronously. If this method operates synchronously, this parameter can be ignored. The resumePath is the full path portion of the URL - everything after hostname and port. If the hostname, port, or protocol are needed, they can be derived using the HttpServletRequest.
Throws:
AuthnAdapterException - for any unexpected runtime problem that the implementation cannot handle.
IOException - for any problem with I/O (typically any operation that writes to the HttpServletResponse will throw an IOException).

boolean logoutAuthN(Serializable authnBean, javax.servlet.http.HttpServletRequest req, javax.servlet.http.HttpServletResponse resp, String resumePath) throws AuthnAdapterException, IOException
If your implementation of this method needs to operate asynchronously, it just needs to write to the
HttpServletResponse as appropriate and commit it. Right after invoking this method the PingFederate server
checks to see if the response has been committed. If the response has been committed, PingFederate saves
the state it needs and discontinues processing for the current transaction. Processing of the transaction is
continued when the user agent returns to the resumePath at the PingFederate server, at which
point the server invokes this method again. This series of events will be repeated until this method
returns without committing the response. When that happens (which could be the first invocation) PingFederate
will complete the protocol transaction processing with the return result of this method.
Note that if the response is committed, then PingFederate ignores the return value. Only the return value of an invocation that does not commit the response will be used.
Note on SOAP logout: If this logout is being invoked as the result of a back channel protocol request, the request, response and resumePath parameters will all be null as they have no meaning in such a context where the user agent is inaccessible.
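The two contracts described above, the "committed but complete" createAuthN case signalled with REQUEST_ATTR_KEY_CREATE_AUTHN_COMPLETE and the null-parameter back-channel logout, as an added Java sketch that is not Ping Identity's code. It assumes the packages of SpAuthenticationAdapter and AuthnAdapterException (this page only gives the package of SsoContext), a constructed cookie name and landing path, and a hypothetical subclass method localUserIdFor, since the page lists no SsoContext accessors; lookupLocalUserId, configure and getAdapterDescriptor are left to the concrete subclass.

```java
import java.io.IOException;
import java.io.Serializable;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.sourceid.saml20.adapter.AuthnAdapterException;           // package assumed
import org.sourceid.saml20.adapter.sp.authn.SpAuthenticationAdapter; // package assumed
import org.sourceid.saml20.adapter.sp.authn.SsoContext;

public abstract class AutoPostSpAdapter implements SpAuthenticationAdapter {
    private static final String COOKIE = "APPSESSION"; // constructed cookie name
    private final ConcurrentHashMap<String, String> sessions = new ConcurrentHashMap<>(); // sid -> user
    private final SecureRandom random = new SecureRandom();
    // Hypothetical: the page lists no SsoContext accessors, so a subclass maps the subject to a local id.
    protected abstract String localUserIdFor(SsoContext ctx) throws AuthnAdapterException;

    @Override
    public Serializable createAuthN(SsoContext ssoContext, HttpServletRequest req,
            HttpServletResponse resp, String resumePath) throws AuthnAdapterException, IOException {
        String userId = localUserIdFor(ssoContext);
        // The authnBean later handed to logoutAuthN: an unguessable session id, never the user id.
        String sid = new BigInteger(256, random).toString(32);
        sessions.put(sid, userId);
        Cookie c = new Cookie(COOKIE, sid);
        c.setHttpOnly(true); c.setSecure(true); c.setPath("/");
        resp.addCookie(c);
        // Session already exists: tell PingFederate to keep the return value and skip its 302,
        // then commit the auto-post page ourselves (the "committed but complete" case above).
        req.setAttribute(REQUEST_ATTR_KEY_CREATE_AUTHN_COMPLETE, true);
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().write("<html><body onload=\"document.forms[0].submit()\">"
                + "<form method=\"post\" action=\"/app/landing\"></form></body></html>"); // path constructed
        resp.flushBuffer(); // commits the response
        return sid;
    }

    @Override
    public boolean logoutAuthN(Serializable authnBean, HttpServletRequest req,
            HttpServletResponse resp, String resumePath) throws AuthnAdapterException, IOException {
        boolean removed = authnBean instanceof String && sessions.remove(authnBean) != null;
        if (resp != null) { // null for back-channel (SOAP) logout: there is no user agent to clear
            Cookie gone = new Cookie(COOKIE, ""); gone.setMaxAge(0); gone.setPath("/");
            resp.addCookie(gone);
        }
        return removed; // the boolean's meaning is not on this page; assumed "session terminated"
    }
}
```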
Parameters:
authnBean - the opaque (to the PingFederate server) Serializable that was returned by the createAuthN(org.sourceid.saml20.adapter.sp.authn.SsoContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, java.lang.String) method. This is the value that the adapter implementation can use to identify individual user security contexts. Many implementations will find using a String such as a session id sufficient for this value.
req - the HttpServletRequest can be used to read cookies, parameters, headers, etc. It can also be used to find out more about the request, such as the full URL the request was made to. Accessing the HttpSession from the request is not recommended and doing so is deprecated. Use SessionStateSupport as an alternative.
resp - the HttpServletResponse. The response can be used to facilitate an asynchronous interaction. Sending a client-side redirect or writing (and flushing) custom content to the response are two ways that an invocation of this method allows the adapter to take control of the user agent. Note that if control of the user agent is taken in this way, then the agent must eventually be returned to the resumePath endpoint at the PingFederate server to complete the protocol transaction.
resumePath - the relative URL that the user agent needs to return to, if the implementation of this method invocation needs to operate asynchronously. If this method operates synchronously, this parameter can be ignored. The resumePath is the full path portion of the URL - everything after hostname and port. If the hostname, port, or protocol are needed, they can be derived using the HttpServletRequest.
Throws:
AuthnAdapterException - for any unexpected runtime problem that the implementation cannot handle.
IOException - for any problem with I/O (typically any operation that writes to the HttpServletResponse will throw an IOException).

Copyright 2019 Ping Identity Corp. All rights reserved.