PingFederate Server SDK 9.3

The PingFederate SDK provides the classes and interfaces necessary to integrate external applications and services with the PingFederate server as well as the ability to customize some behaviors of the system.

Note: Before you upgrade a production implementation of PingFederate customized with the SDK, test your customizations in a lower, upgraded environment first. Once you verify that your customizations work as expected, make a backup of your original PingFederate implementation before removing it from the server.

Core Packages 
Package Description
com.pingidentity.access
Provides access to various objects contained within the main PingFederate application and engine.
com.pingidentity.adapter.htmlform  
com.pingidentity.adapter.support  
com.pingidentity.sdk
Top level package for the PingFederate SDK.
com.pingidentity.sdk.accessgrant
Provides the ability to create a custom Access Grant storage mechanism.
com.pingidentity.sdk.accessgrant.exception
Exception classes related to the custom Access Grants storage mechanisms.
com.pingidentity.sdk.account  
com.pingidentity.sdk.key
Provides classes used to manage PingFederate's master key set.
com.pingidentity.sdk.locale
Provides interfaces and helper classes to extend PingFederate's localization support.
com.pingidentity.sdk.notification
A plugin interface, with associated classes, for creating custom notification publishers.
com.pingidentity.sdk.oauth20
A plugin interface, with associated classes, for issuing and validating access tokens.
com.pingidentity.sdk.oauth20.registration
A plugin interface, with associated classes, for creating custom OAuth 2.0 client registration policies.
com.pingidentity.sdk.oobauth
A plugin interface, with associated classes, for orchestrating out-of-band authentication/authorization.
com.pingidentity.sdk.password
A plugin interface for validating usernames and passwords.
com.pingidentity.sdk.provision
The root package for the Identity Store Provisioner interfaces.
com.pingidentity.sdk.provision.exception
Exception classes related to Identity Store Provisioner plugins.
com.pingidentity.sdk.provision.groups.request
Request contexts related to Identity Store Provisioner group operations.
com.pingidentity.sdk.provision.groups.response
Response contexts related to Identity Store Provisioner group operations.
com.pingidentity.sdk.provision.users.request
Request contexts related to Identity Store Provisioner user operations.
com.pingidentity.sdk.provision.users.response
Response contexts related to Identity Store Provisioner user operations.
com.pingidentity.sdk.template
Provides classes used to render user-facing screens (e.g.
com.pingidentity.sdk.xml
Provides classes used for XML handling.
com.pingidentity.sources
Driver classes and interfaces not limited to any protocol.
com.pingidentity.sources.gui
Contains protocol independent dynamic UI classes and interfaces.
org.sourceid.saml20.adapter
Adapter classes and interfaces that are common across SAML2 roles (both IdP and SP).
org.sourceid.saml20.adapter.attribute
Class representation for single and multi-value attribute values.
org.sourceid.saml20.adapter.conf
Provides classes that are containers for configuration values entered by the user/administrator via the PingFederate GUI administration console.
org.sourceid.saml20.adapter.gui
Provides classes that enable an adapter to describe to PingFederate the way its GUI configuration screen should look.
org.sourceid.saml20.adapter.gui.event
Provides methods that can be implemented to support custom actions that occur based upon UI events while managing adapter instances.
org.sourceid.saml20.adapter.gui.validation
Provides interfaces that can be implemented to provide custom validation of data entered by administrators/users via the GUI.
org.sourceid.saml20.adapter.gui.validation.impl
Provides implementations of some commonly needed field level validation.
org.sourceid.saml20.adapter.idp
Identity Provider (IdP) role specific interfaces, classes, and sub-packages.
org.sourceid.saml20.adapter.idp.authn
Identity Provider (IdP) role specific interfaces and classes for authentication adapters.
org.sourceid.saml20.adapter.sp
Service Provider (SP) role specific interfaces, classes, and sub-packages.
org.sourceid.saml20.adapter.sp.authn
Service Provider (SP) role specific interfaces and classes for authentication adapters.
org.sourceid.saml20.adapter.state
HTTP Session like state functionality.
org.sourceid.saml20.authncontext
Authentication context class references.
org.sourceid.util.log
Provides access to the AttributeMap
org.sourceid.wstrust.plugin
Interfaces, classes, and exceptions for token processors and generators.
org.sourceid.wstrust.plugin.generate
Interfaces and classes for token generators.
org.sourceid.wstrust.plugin.process
Interfaces, classes, and exceptions for token processors.
Authentication API Packages 
Package Description
com.pingidentity.sdk.api.authn
Contains the interface that must be implemented by plugins that support the Authentication API.
com.pingidentity.sdk.api.authn.common
Contains "spec" classes for states, actions, and errors that are shared across multiple API-capable plugins.
com.pingidentity.sdk.api.authn.exception
Contains exceptions that are used by the Authentication API SDK classes.
com.pingidentity.sdk.api.authn.model
Contains the core set of models for the Authentication API.
com.pingidentity.sdk.api.authn.model.action
Contains the models for various shared Authentication API actions.
com.pingidentity.sdk.api.authn.model.state
Contains the models for various shared Authentication API states.
com.pingidentity.sdk.api.authn.spec
Defines various "spec" classes for the Authentication API.
com.pingidentity.sdk.api.authn.util
Defines various utility classes for handling Authentication API requests and generating responses.
XML Bean Packages 
Package Description
org.oasisOpen.docs.wss.x2004.x01.oasis200401WssWssecuritySecext10  
org.oasisOpen.docs.wss.x2004.x01.oasis200401WssWssecurityUtility10  
org.sourceid.protocol.dsig10.xml  
org.sourceid.protocol.saml11.xml  
org.sourceid.protocol.samlp11.xml  
org.sourceid.protocol.xmlenc10.xml  
org.sourceid.saml20.xmlbinding.assertion  
org.sourceid.saml20.xmlbinding.protocol  
org.w3.xml.x1998.namespace  
org.xmlsoap.schemas.ws.x2004.x08.addressing  
org.xmlsoap.schemas.ws.x2004.x09.policy  
org.xmlsoap.schemas.ws.x2005.x02.trust  

Authentication Adapters

The primary integration point for PingFederate is communicating authentication and security context information between the server and an external application or service. This is accomplished via the authentication adapters. The authentication adapter interfaces to implement, along with numerous supporting classes, can be found in the org.sourceid.saml20.adapter.** packages. Which adapter interface(s) need to be implemented depends on the SAML role in which the PingFederate server will be functioning.

PingFederate as a Service Provider
Operating PingFederate in the role of a SAML Service Provider (SP) requires that you have at least one implementation of an SpAuthenticationAdapter deployed on the server.

PingFederate as an Identity Provider
Operating PingFederate in the role of a SAML Identity Provider (IdP) requires that you have at least one implementation of an IdpAuthenticationAdapter deployed on the server.

Authentication Selectors

Authentication Selectors can be used to aid in the decision of which IdP Authentication Adapter or IdP Connection should be used. The decision can be based on the information made available via the parameters passed to the selectContext(...) method. An Authentication Selector can return a result value which is mapped to an IdP Authentication Adapter or IdP Connection. Alternatively, an Authentication Selector may return the desired IdP Authentication Source's ID. An Authentication Selector implementation uses the AuthenticationSelector interface.

Authentication API

The PingFederate Authentication API allows a client to retrieve the status of an authentication flow and invoke authentication actions through an API endpoint. The Authentication API SDK packages allow developers to create IdP adapters and selectors that are compatible with this API. The starting point for creating an API-capable plugin is to implement the AuthnApiPlugin interface. Implementing this interface allows PingFederate to retrieve a description of the plugin's API, which is used to generate documentation.

A plugin's API description consists of the various authentication states the plugin supports, and the actions that are available in each state. AuthnStateSpec instances are used to define states in the plugin's API description. AuthnActionSpec instances are used to define actions.

When processing an API GET request, a plugin uses AuthnApiSupport to return the AuthnState instance for the current state. For an API POST request, a plugin uses the same support class to determine the action that has been requested, deserialize the model for the action, and return the AuthnState instance for the next state.

STS Token Translators

There are two integration points for the PingFederate STS. IdP Token Processors validate incoming security tokens. SP Token Generators issue security tokens for use in the local domain. The token translator interfaces to implement, along with numerous supporting classes, can be found in the org.sourceid.wstrust.plugin.** packages. Which translator interface(s) need to be implemented depends on the STS role in which the PingFederate STS server will be functioning.

PingFederate IdP Token Processor
Operating PingFederate in the role of an STS Identity Provider (IdP) requires that you have at least one implementation of a TokenProcessor deployed on the server.

PingFederate SP Token Generator
Operating PingFederate in the role of an STS Service Provider (SP) requires that you have at least one implementation of a TokenGenerator deployed on the server.

Password Credential Validators

Password Credential Validators are used to verify a given username and password in various contexts throughout the system. For example, credential validators are used to configure OAuth Resource Owner authorization grants and the HTML Form IdP Adapter. The password credential validator interfaces allow developers to define custom credential validators.

A Password Credential Validator implementation uses the PasswordCredentialValidator interface. Other related interfaces are found in the com.pingidentity.sdk.password package.

Identity Store Provisioners

Identity Store Provisioners provide a mechanism for provisioning and deprovisioning users to external user stores. For example, a custom Identity Store Provisioner could be configured within an Inbound Provisioning IdP Connection to provision users using the SCIM protocol.

An Identity Store Provisioner implementation uses the IdentityStoreProvisioner interface. Other related interfaces are found in the com.pingidentity.sdk.provision package.

OAuth 2.0 Interfaces

The OAuth 2.0 interfaces enable customization of several areas, including access token processing, dynamic client registration, storage of clients, and storage of persistent grants. The interfaces can be found in the com.pingidentity.sdk.oauth20, com.pingidentity.sdk.oauth20.registration and com.pingidentity.sdk.accessgrant packages.

Notification Publisher Interfaces

The Notification Publisher interface enables customization of notification delivery methods. The interface can be found in the com.pingidentity.sdk.notification package.

OOB Auth Interfaces

The OOB Auth interface enables customization of ... methods. The interface can be found in the com.pingidentity.sdk.ciba package.

XML Bean Packages

The XML bean packages for the SAML 1.x, 2.0, and WS-Federation protocols are included to allow an administrator to customize Browser SSO protocol messages through OGNL expressions.

Copyright 2019 Ping Identity Corp. All rights reserved.