11 - Advanced SSO Then Lab
Uploaded by

Ujjwal Joshi

PINGIDENTITY.COM
ADVANCED SSO

Copyright © 2015 Ping Identity Corp. All rights reserved.


QUICK TERMINOLOGY (JUST IN CASE)
§ Attribute contract:
– Attributes the IdP will send in the assertion
– Remains the same for all users
› But the values of the attributes can change



ATTRIBUTE MAPPING
• adapter to assertion (IdP side)

• assertion to adapter (SP side)

• from data stores (either side)



EXPRESSIONS
• Used when you need to hard-code or change the value
• Types of expressions
  – Simple
  – OGNL



SIMPLE EXPRESSIONS
• Hard-coded text strings
• Referencing variables in the adapter or assertion contract
  – ${attribute-name}
  – attribute name is case-sensitive
• Concatenation of attribute values
  – e.g. “Bob Saml”
OGNL
§ Object-Graph Navigation Language (OGNL)
  • Based on Java
  • http://commons.apache.org/ognl/
§ Disabled by default
§ To enable, edit:
  <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.common.ExpressionManager.xml
§ Note: an OGNL expression can call arbitrary Java methods (see the examples that follow), so once enabled, anyone who can edit attribute mappings can run code on the server; limit that permission to trusted administrators



EXAMPLES
• Attribute named calc is set to the current timestamp (milliseconds since the epoch):

  calc=new java.util.Date().getTime()

• Force the resulting value to upper case:

  #this.get("attribute name").toString().toUpperCase()

• Retrieve the attribute 'mail' and strip off everything after the '@' symbol. For example, '[email protected]' becomes just 'jsaml':

  #this.get("mail").toString().substring(0, #this.get("mail").toString().indexOf("@"))



IDENTITY ATTRIBUTE AGGREGATION
§ Connect to multiple directories and databases
§ Fulfill complex attribute requirements
SUMMARY: MULTIPLE SOURCES



ISSUANCE CRITERIA
§ Conditionally allowing or disallowing the issuance of security tokens
§ Can evaluate attributes and other run-time variables





LAB: ADVANCED SSO
§ MySQL database
  – Map mail, department, and name attributes from the database to the assertion
§ Issuance criteria:
  – Only users in the IT department can access the application
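As an added example (not from the Ping Identity deck), here is a small Python model of the lab's pipeline: a source record standing in for the MySQL rows, the simple-expression mapping into an attribute contract, the three OGNL transforms from the examples slide rewritten as plain Python, and the issuance criterion that only IT users get a token. The sample users, the attribute names, and the extra `realm` and `uid` contract entries are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample rows standing in for the lab's MySQL user table (not real data).
USERS = {
    "jsaml": {"mail": "jsaml@example.com", "department": "IT", "givenName": "Bob", "sn": "Saml"},
    "apike": {"mail": "apike@example.com", "department": "Sales", "givenName": "Alice", "sn": "Pike"},
}

# Attribute contract: one simple expression per attribute the IdP sends.
# ${name} references are case-sensitive; plain text is a hard-coded string.
CONTRACT = {
    "mail": "${mail}",
    "department": "${department}",
    "name": "${givenName} ${sn}",   # concatenation -> "Bob Saml"
    "realm": "employees",           # hard-coded text string (assumed attribute)
}

_REF = re.compile(r"\$\{([^}]+)\}")

def simple_expr(template, source):
    """Resolve ${attr} references (case-sensitive) and concatenate; unknown names are an error."""
    def sub(m):
        name = m.group(1)
        if name not in source:
            raise KeyError(f"attribute {name!r} not in source (names are case-sensitive)")
        return str(source[name])
    return _REF.sub(sub, template)

def local_part(mail):
    """Python equivalent of substring(0, indexOf("@")); a value with no '@' is returned unchanged."""
    at = mail.find("@")
    return mail if at < 0 else mail[:at]

def build_assertion_attrs(row):
    """Apply the contract, then the OGNL-style transforms from the examples slide."""
    attrs = {k: simple_expr(v, row) for k, v in CONTRACT.items()}
    attrs["department"] = attrs["department"].upper()          # toString().toUpperCase()
    attrs["uid"] = local_part(attrs["mail"])                    # assumed attribute: mail local part
    attrs["calc"] = int(datetime.now(timezone.utc).timestamp() * 1000)  # new java.util.Date().getTime()
    return attrs

def issuance_allowed(attrs):
    """Issuance criteria from the lab: IT department only; a missing attribute denies issuance."""
    return attrs.get("department") == "IT"

def sso(username):
    """Return the assertion attributes if a token would be issued for this user, else None."""
    row = USERS.get(username)
    if row is None:
        return None
    attrs = build_assertion_attrs(row)
    return attrs if issuance_allowed(attrs) else None
```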
