Interface AuthenticationSelector

  • All Superinterfaces:
    ConfigurablePlugin, DescribablePlugin, Plugin

    public interface AuthenticationSelector
    extends Plugin
    This interface defines the methods that the PingFederate server calls when performing IdP Authentication Selection.

    See ConfigurablePlugin for methods that need to be implemented to facilitate communication of configuration information with the PingFederate server.

    If your implementation of selectContext needs to operate asynchronously, it only needs to write to the HttpServletResponse as appropriate and commit it. Immediately after invoking the method, the PingFederate server checks whether the response has been committed. If it has, PingFederate saves the state it needs and discontinues processing for the current transaction. Processing of the transaction continues when the user agent returns to the resumePath at the PingFederate server, at which point the server invokes the method again. This series of events is repeated until the method returns without committing the response. When that happens (which could be on the first invocation), PingFederate completes the protocol transaction processing with the return result of the method.

    Since:
    7.3
    • Field Detail

      • AUTHN_REQ_DOC_PARAM_NAME

        static final String AUTHN_REQ_DOC_PARAM_NAME
        Use this value as a key in the map extraParameters to access the AuthnRequestDocument of the SP-initiated SSO request.
        See Also:
        Constant Field Values
      • EXTRA_PARAMETER_NAME_INSTANCE_ID

        static final String EXTRA_PARAMETER_NAME_INSTANCE_ID
        The input parameter name for authentication selector instance id in extraParameters map. The value is a String.
        See Also:
        Constant Field Values
      • EXTRA_PARAMETER_NAME_ENTITY_ID

        static final String EXTRA_PARAMETER_NAME_ENTITY_ID
        The parameter name in the extraParameters map for the entity id of the SP connection, if applicable.
        See Also:
        Constant Field Values
      • EXTRA_PARAMETER_NAME_SP_ADAPTER_ID

        static final String EXTRA_PARAMETER_NAME_SP_ADAPTER_ID
        The parameter name in the extraParameters map for the id of the SP Adapter, if applicable.
        See Also:
        Constant Field Values
      • EXTRA_PARAM_NAME_SCOPE

        static final String EXTRA_PARAM_NAME_SCOPE
        The parameter name in the extraParameters map for the OAuth scope.
        See Also:
        Constant Field Values
      • EXTRA_PARAM_NAME_AUTHORIZATION_DETAILS

        static final String EXTRA_PARAM_NAME_AUTHORIZATION_DETAILS
        The parameter name in the extraParameters map for the OAuth authorization_details.
        See Also:
        Constant Field Values
      • EXTRA_PARAM_NAME_CLIENT_ID

        static final String EXTRA_PARAM_NAME_CLIENT_ID
        The parameter name in the extraParameters map for the OAuth client id.
        See Also:
        Constant Field Values
      • EXTRA_PARAMETER_NAME_SIGNED_REQUEST_CLAIMS

        static final String EXTRA_PARAMETER_NAME_SIGNED_REQUEST_CLAIMS
        The parameter name in the extraParameters map to retrieve all of the received claims within an OAuth/OpenID Connect Request Object or the parameters of a pushed authorization request. The value is a Map<String, Object>.
        See Also:
        Constant Field Values
      • EXTRA_PARAM_NAME_CHAINED_ATTRIBUTES

        static final String EXTRA_PARAM_NAME_CHAINED_ATTRIBUTES
        When chaining authentication sources together, either by authentication policies or composite adapters, the merged attribute map of the previous authentication sources' attributes is passed in to this selector via this "parameter". The attribute map is of type Map<String, Object> with entry key being the previous authentication source's attribute name and the entry value of type AttributeValue.
        Since:
        8.1
        See Also:
        Constant Field Values
      • EXTRA_PARAM_NAME_TRACKED_HTTP_REQUEST_PARAMS

        static final String EXTRA_PARAM_NAME_TRACKED_HTTP_REQUEST_PARAMS
        The parameter name in the extraParameters map for the tracked HTTP request parameters.

        This is the key in extraParameters to retrieve the Map of tracked HTTP request parameters that were included in the initial HTTP request of the current transaction. Parameters in the request that have not been configured as a tracked parameter are not stored in this Map. These values will not change throughout the authentication. The value is an unmodifiable Map<String, Collection<String>>.

        Since:
        9.2
        See Also:
        Constant Field Values
    • Method Detail

      • selectContext

        AuthenticationSelectorContext selectContext(javax.servlet.http.HttpServletRequest req,
                                                    javax.servlet.http.HttpServletResponse resp,
                                                    Map<AuthenticationSourceKey,String> mappedAuthnSourcesNames,
                                                    Map<String,Object> extraParameters,
                                                    String resumePath)
        This is the method that the PingFederate server will invoke during Authentication Selection.
        Parameters:
        req - the HttpServletRequest can be used to read cookies, parameters, headers, etc. It can also be used to find out more about the request like the full URL the request was made to. Accessing the HttpSession from the request is not recommended and doing so is deprecated. Use SessionStateSupport as an alternative.
        resp - the HttpServletResponse.
        mappedAuthnSourcesNames - the map of name value pairs containing the mapped authentication source information for the respective connection.
        extraParameters - the map of extra object data used for facilitating specific authentication selection implementations. The values in this map are stored under the keys AUTHN_REQ_DOC_PARAM_NAME and the AuthenticationSelector.EXTRA_PARAMETER_* and AuthenticationSelector.EXTRA_PARAM_NAME_* constants.
        resumePath - the relative URL that the user agent needs to return to, if the implementation of this method invocation needs to operate asynchronously. If this method operates synchronously, this parameter can be ignored. The resumePath is the full path portion of the URL - everything after hostname and port. If the hostname, port, or protocol are needed, they can be derived using the HttpServletRequest.
        Returns:
        AuthenticationSelectorContext - the resulting context of the Authentication Selection process. The result type must be set to AuthenticationSelectorContext.ResultType.CONTEXT, AuthenticationSelectorContext.ResultType.ADAPTER_ID or AuthenticationSelectorContext.ResultType.IDP_CONN_ID, depending on the desired behavior of the Authentication Selector. If AuthenticationSelectorContext.ResultType.CONTEXT is returned, the respective mapping will be evaluated to arrive at the authentication source to be invoked. If AuthenticationSelectorContext.ResultType.ADAPTER_ID is returned, the respective adapter instance will be invoked. If AuthenticationSelectorContext.ResultType.IDP_CONN_ID is returned, the respective IdP connection will be invoked. AuthenticationSelectorDescriptor.canSelectAuthnSourceResultType() should return true if the result type is AuthenticationSelectorContext.ResultType.ADAPTER_ID or AuthenticationSelectorContext.ResultType.IDP_CONN_ID.
      • callback

        void callback(javax.servlet.http.HttpServletRequest req,
                      javax.servlet.http.HttpServletResponse resp,
                      Map authnIdentifiers,
                      AuthenticationSourceKey authenticationSourceKey,
                      AuthenticationSelectorContext authnSelectorContext)
        This is the method that the PingFederate server will invoke after the selected authentication source completes its authentication (for adapters this is after the lookupAuthN(...) method). The callback method can be used to update resulting attributes from adapter invocation, set cookies, etc. Writing content to the HttpServletResponse is not supported; doing so will result in unexpected behavior.
        Parameters:
        req - the HttpServletRequest can be used to read cookies, parameters, headers, etc. Accessing the HttpSession from the request is not recommended and doing so is deprecated. Use SessionStateSupport as an alternative.
        resp - the HttpServletResponse can be used to set cookies before continuing the SSO request.
        authnIdentifiers - the map of attribute values resulting from the authentication of the authentication source.
        authenticationSourceKey - the selected authentication source
        authnSelectorContext - the resulting context of the Authentication Selector's selectContext(...) method.
        See Also:
        IdpAuthenticationAdapterV2, IdpAuthenticationAdapter
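
The asynchronous selectContext flow described in the interface summary, as an added example that is not code from the PingFederate SDK or its documentation: the first invocation writes a prompt and commits the response, and the invocation that follows the user agent's return to resumePath leaves the response uncommitted and returns the result. The com.pingidentity.sdk package names, the AuthenticationSelectorContext setters (setResultType, setResult), the no-argument constructor, the form field name and the two result values are assumptions not shown on this page; the class is abstract so that callback and the ConfigurablePlugin/DescribablePlugin methods are left to a subclass.

```java
import com.pingidentity.sdk.AuthenticationSelector;        // package name is an assumption
import com.pingidentity.sdk.AuthenticationSelectorContext;
import com.pingidentity.sdk.AuthenticationSourceKey;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Abstract on purpose: callback(...) and the plugin configuration methods are left to a subclass.
public abstract class PromptingSelector implements AuthenticationSelector {
    // Hypothetical result values; each needs a matching result mapping configured for the selector.
    private static final List<String> ALLOWED = Arrays.asList("password", "certificate");
    private static final String FIELD = "method"; // hypothetical form field name

    @Override
    public AuthenticationSelectorContext selectContext(HttpServletRequest req, HttpServletResponse resp,
            Map<AuthenticationSourceKey, String> mappedAuthnSourcesNames,
            Map<String, Object> extraParameters, String resumePath) {
        String choice = req.getParameter(FIELD);
        if (choice == null || !ALLOWED.contains(choice)) {
            // No acceptable answer yet: write the prompt and commit it, so the server suspends
            // the transaction and invokes this method again when the browser posts to resumePath.
            String action = resumePath.replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;");
            try {
                resp.setContentType("text/html;charset=UTF-8");
                resp.setHeader("Cache-Control", "no-store");
                resp.getWriter().write("<form method=\"post\" action=\"" + action + "\">"
                        + "<button name=\"" + FIELD + "\" value=\"password\">Password</button>"
                        + "<button name=\"" + FIELD + "\" value=\"certificate\">Certificate</button></form>");
                resp.flushBuffer(); // commits the response
            } catch (IOException e) {
                throw new IllegalStateException("could not render selection prompt", e);
            }
            return null; // assumption: the result of a committed invocation is not used
        }
        // Response left uncommitted: this return value completes the selection.
        AuthenticationSelectorContext ctx = new AuthenticationSelectorContext();
        ctx.setResultType(AuthenticationSelectorContext.ResultType.CONTEXT);
        ctx.setResult(choice); // only allow-listed values ever reach the result mapping
        return ctx;
    }
}
```

Because the posted value is request-controlled, it is checked against the fixed list before it becomes the selector result; anything else re-renders the prompt instead of being passed to the mapping.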