PingFederate Server SDK 12.3
Authentication Adapters
The primary integration point for PingFederate is communicating authentication and security context information
between the server and an external application or service. This is accomplished via the authentication adapters.
Authentication adapter interfaces to be realized as well as numerous supporting classes can be found under the
org.sourceid.saml20.adapter package. The adapter interface(s) that need to be implemented are dependent on
the SAML role that the PingFederate server will be functioning in.
PingFederate as a Service Provider
Operating PingFederate in the role of a SAML Service Provider (SP) requires that you have at least one
implementation of an SpAuthenticationAdapter deployed on the server.
PingFederate as an Identity Provider
Operating PingFederate in the role of a SAML Identity Provider (IdP) requires that you have at least one
implementation of an IdpAuthenticationAdapter deployed on the server.
Authentication Selectors
Authentication Selectors can be used to aid in the decision of which IdP Authentication Adapter or IdP Connection should be used. The decision
can be based on the information made available via the parameters passed to the selectContext(...) method. An
Authentication Selector can return a result value which is mapped to an IdP Authentication Adapter or IdP Connection. Alternatively, an Authentication
Selector may return the desired IdP Authentication Source's ID. An Authentication Selector implementation uses the
AuthenticationSelector interface.
Authentication API
The PingFederate Authentication API allows a client to retrieve the status of an authentication flow and
invoke authentication actions through an API endpoint. The Authentication API SDK packages allow developers to create IdP
adapters and selectors that are compatible with this API. The starting point for creating an API-capable plugin
is to implement the AuthnApiPlugin interface. Implementing this interface
allows PingFederate to retrieve a description of the plugin's API, which is used to generate documentation.
A plugin's API description consists of the various authentication states the plugin supports, and the actions that are available
in each state. AuthnStateSpec instances are used to define states in the
plugin's API description. AuthnActionSpec instances are used to define
actions.
When processing an API GET request, a plugin uses AuthnApiSupport to
return the AuthnState instance for the current state.
For an API POST request, a plugin uses the same support class to determine the action that has been requested,
deserialize the model for the action, and return the AuthnState instance
for the next state.
STS Token Translators
There are two integration points for the PingFederate STS. IdP Token Processors validate incoming security tokens. SP Token Generators issue security tokens for use in the local domain. Token translator interfaces to be realized as well as numerous supporting classes can be found in the org.sourceid.wstrust.plugin.** packages. The translator interface(s) that need to be implemented are dependent on the STS role that the PingFederate STS server will be functioning in.
PingFederate IdP Token Processor
Operating PingFederate in the role of an STS Identity Provider (IdP) requires that you have at least one
implementation of a TokenProcessor deployed on the server.
PingFederate SP Token Generator
Operating PingFederate in the role of an STS Service Provider (SP) requires that you have at least one
implementation of a TokenGenerator deployed on the server.
Password Credential Validators
Password Credential Validators are used to verify a given username and password in various contexts throughout the system. For example, credential validators are used to configure OAuth Resource Owner authorization grants and the HTML Form IdP Adapter. The password credential validator interfaces allow developers to define custom credential validators.
A Password Credential Validator implementation uses the PasswordCredentialValidator interface.
Other related interfaces are found in the com.pingidentity.sdk.password package.
Identity Store Provisioners
Identity Store Provisioners provide a mechanism for provisioning and deprovisioning users to external user stores. For example, a custom Identity Store Provisioner could be configured within an Inbound Provisioning IdP Connection to provision users using the SCIM protocol.
An Identity Store Provisioner implementation uses the IdentityStoreProvisioner interface.
Other related interfaces are found in the com.pingidentity.sdk.provision package.
OAuth 2.0 Interfaces
The OAuth 2.0 interfaces enable customizations of several areas, including: access token processing, dynamic client registration, storage of clients, storage of persistent grants and authorization detail processing.
Interfaces can be found in the com.pingidentity.sdk.oauth20, com.pingidentity.sdk.oauth20.registration, com.pingidentity.sdk.accessgrant and com.pingidentity.sdk.authorizationdetails packages.
Notification Publisher Interfaces
The Notification Publisher interface enables customization of notification delivery methods. The interface can be found in the com.pingidentity.sdk.notification package.
OOB Auth Interface
This interface defines the methods that the PingFederate server calls to orchestrate out-of-band (OOB) authentication/authorization.
Currently this interface is used solely for OAuth CIBA use cases. It can be found in the com.pingidentity.sdk.oobauth package.
Persistent Session Storage
Custom storage of persistent sessions is possible by implementing the SessionStorageManager interface.
XML Bean Packages
The XML bean packages for the SAML 1.x, 2.0, WS-Trust and WS-Federation protocols are included to allow an administrator to customize protocol messages through OGNL expressions.
Secret Managers
Secret Managers provide a mechanism for retrieving secrets from external secret storage services. For example, secret managers are used to configure passwords in JDBC, LDAP, and REST API data sources. The secret manager interfaces allow developers to define custom secret managers.
A Secret Manager implementation uses the SecretManager interface.
Other related interfaces are found in the com.pingidentity.sdk.secretmanager package.
CAPTCHA and Risk Providers
CAPTCHA and Risk Providers provide a mechanism for completing risk checks using external risk services. The CAPTCHA provider interface allows developers to define custom CAPTCHA and Risk providers.
A CAPTCHA and Risk Provider implementation uses the CaptchaProvider interface.
| Package | Description |
|---|---|
| com.pingidentity.access | Provides access to various objects contained within the main PingFederate application and engine. |
| com.pingidentity.adapter.support | Provides support classes for the adapter SDK. |
| com.pingidentity.sdk | Top level package for the PingFederate SDK. |
| com.pingidentity.sdk.accessgrant | Provides the ability to create a custom Access Grant storage mechanism. |
| com.pingidentity.sdk.accessgrant.exception | Exception classes related to the custom Access Grants storage mechanisms. |
| com.pingidentity.sdk.account | Provides the ability to manage accounts. |
| com.pingidentity.sdk.api.authn | Contains the interface that must be implemented by plugins that support the Authentication API. |
| com.pingidentity.sdk.api.authn.common | Contains "spec" classes for states, actions, and errors that are shared across multiple API-capable plugins. |
| com.pingidentity.sdk.api.authn.exception | Contains exceptions that are used by the Authentication API SDK classes. |
| com.pingidentity.sdk.api.authn.model | Contains the core set of models for the Authentication API. |
| com.pingidentity.sdk.api.authn.model.action | Contains the models for various shared Authentication API actions. |
| com.pingidentity.sdk.api.authn.model.action.interfaces | |
| com.pingidentity.sdk.api.authn.model.state | Contains the models for various shared Authentication API states. |
| com.pingidentity.sdk.api.authn.model.state.interfaces | |
| com.pingidentity.sdk.api.authn.spec | Defines various "spec" classes for the Authentication API. |
| com.pingidentity.sdk.api.authn.util | Defines various utility classes for handling Authentication API requests and generating responses. |
| com.pingidentity.sdk.authorizationdetails | Provides the ability to create an authorization detail processor to process custom authorization detail types. |
| com.pingidentity.sdk.captchaprovider | A plugin interface, with associated classes, for creating custom CAPTCHA/Risk providers. |
| com.pingidentity.sdk.internal.interfaces | |
| com.pingidentity.sdk.internal.services | |
| com.pingidentity.sdk.key | Provides classes used to manage PingFederate's master key set. |
| com.pingidentity.sdk.locale | Provides interfaces and helper classes to extend PingFederate's localization support. |
| com.pingidentity.sdk.logging | |
| com.pingidentity.sdk.notification | A plugin interface, with associated classes, for creating custom notification publishers. |
| com.pingidentity.sdk.oauth20 | A plugin interface, with associated classes, for issuing and validating access tokens. |
| com.pingidentity.sdk.oauth20.registration | A plugin interface, with associated classes, for creating custom OAuth 2.0 client registration policies. |
| com.pingidentity.sdk.oobauth | A plugin interface, with associated classes, for orchestrating out-of-band authentication/authorization. |
| com.pingidentity.sdk.password | A plugin interface for validating usernames and passwords. |
| com.pingidentity.sdk.provision | The root package for the Identity Store Provisioner interfaces. |
| com.pingidentity.sdk.provision.exception | Exception classes related to Identity Store Provisioner plugins. |
| com.pingidentity.sdk.provision.groups.request | Request contexts related to Identity Store Provisioner group operations. |
| com.pingidentity.sdk.provision.groups.response | Response contexts related to Identity Store Provisioner group operations. |
| com.pingidentity.sdk.provision.users.request | Request contexts related to Identity Store Provisioner user operations. |
| com.pingidentity.sdk.provision.users.response | Response contexts related to Identity Store Provisioner user operations. |
| com.pingidentity.sdk.secretmanager | A plugin interface, with associated classes, for creating custom secret managers. |
| com.pingidentity.sdk.session | Provides interfaces and helper classes to interact with PingFederate's session management functionality. |
| com.pingidentity.sdk.template | Provides classes used to render user-facing screens (e.g. |
| com.pingidentity.sdk.util | Provides utility classes used by the SDK. |
| com.pingidentity.sdk.xml | Provides classes used for XML handling. |
| com.pingidentity.sources | Driver classes and interfaces not limited to any protocol. |
| com.pingidentity.sources.gui | Contains protocol independent dynamic UI classes and interfaces. |
| org.oasisOpen.docs.wss.x2004.x01.oasis200401WssWssecuritySecext10 | |
| org.oasisOpen.docs.wss.x2004.x01.oasis200401WssWssecurityUtility10 | |
| org.oasisOpen.docs.wsSx.wsTrust.x200512 | |
| org.sourceid.protocol.dsig10.xml | |
| org.sourceid.protocol.saml11.xml | |
| org.sourceid.protocol.samlp11.xml | |
| org.sourceid.protocol.xmlenc10.xml | |
| org.sourceid.saml20.adapter | Adapter classes and interfaces that are common across SAML2 roles (both IdP and SP). |
| org.sourceid.saml20.adapter.attribute | Class representation for single and multi-value attribute values. |
| org.sourceid.saml20.adapter.conf | Provides classes that are containers for configuration values entered by the user/administrator via the PingFederate GUI administration console. |
| org.sourceid.saml20.adapter.gui | Provides classes that enable an adapter to describe to PingFederate the way its GUI configuration screen should look. |
| org.sourceid.saml20.adapter.gui.event | Provides methods that can be implemented to support custom actions that occur based upon UI events while managing adapter instances. |
| org.sourceid.saml20.adapter.gui.kerberos | Provides classes that enable an adapter to describe to PingFederate the way Kerberos Realm selector GUI configuration screen should look. |
| org.sourceid.saml20.adapter.gui.validation | Provides interfaces that can be implemented to provide custom validation of data entered by administrators/users via the GUI. |
| org.sourceid.saml20.adapter.gui.validation.impl | Provides implementations of some commonly needed field level validation. |
| org.sourceid.saml20.adapter.idp | Identity Provider (IdP) role specific interfaces, classes, and sub-packages. |
| org.sourceid.saml20.adapter.idp.authn | Identity Provider (IdP) role specific interfaces and classes for authentication adapters. |
| org.sourceid.saml20.adapter.sp | Service Provider (SP) role specific interfaces, classes, and sub-packages. |
| org.sourceid.saml20.adapter.sp.authn | Service Provider (SP) role specific interfaces and classes for authentication adapters. |
| org.sourceid.saml20.adapter.state | HTTP Session like state functionality. |
| org.sourceid.saml20.authncontext | Authentication context class references. |
| org.sourceid.saml20.domain.datasource.info | Provides wrappers to data source specific information. |
| org.sourceid.saml20.service.session.data | Provides classes and interfaces related to persistent storage of authentication sessions. |
| org.sourceid.saml20.xmlbinding.assertion | |
| org.sourceid.saml20.xmlbinding.protocol | |
| org.sourceid.util.log | |
| org.sourceid.wstrust.plugin | Interfaces, classes, and exceptions for token processors and generators. |
| org.sourceid.wstrust.plugin.generate | Interfaces and classes for token generators. |
| org.sourceid.wstrust.plugin.process | Interfaces, classes, and exceptions for token processors. |
| org.w3.xml.x1998.namespace | |
| org.xmlsoap.schemas.ws.x2004.x08.addressing | |
| org.xmlsoap.schemas.ws.x2004.x09.policy | |
| org.xmlsoap.schemas.ws.x2005.x02.trust | |