Reputation: 391
I have done end-to-end configuration for IdP and SP in PingFederate. The SAML Response is generated at the IdP and the same is received at the SP. But I want the response to be at my local server in order to use the user's attributes for my logic. Could anyone tell me how it shall be achieved?
I just get an OpenToken at the target resource I configure in PingFederate.
Thanks, Aswini J
Upvotes: 0
Views: 2186
Reputation: 356
In PingFederate terminology, what you are trying to accomplish is last-mile integration after the SAML assertion is processed by the PingFederate server operating in the SP role. There are two approaches that work best for providing subject & attribute information via last-mile integration, mainly the Agentless Reference ID Integration Kit or the OpenToken Integration Kit. If your application is Java, .NET, or PHP, there are examples of the integration available from Ping.
The simplest configuration is to read attributes from the SAML assertion into the OpenToken and then use the OpenToken Integration Kit (PHP, Java, or .NET), which is an agent library in your application. The documentation for the OpenToken Integration Kit shows the code to write to read the OpenToken within your application. The configuration in the PingFederate SP server will need an SP Adapter and IdP Connection where the SAML assertion values are mapped into the OpenToken, which is also in the OpenToken documentation.
Upvotes: 2
Reputation: 4255
In short, you can't. Also, you don't want the actual response, because your application would then need to know what kind of protocol message it is receiving from your partner (SAML 1.1, 2.0, WS-Fed, OIDC) and handle it correctly. To make life simpler for developers integrating their applications with PF, Ping provides a variety of Integration Kits to abstract that protocol data from your application. PF handles the complexity of the standards-based messaging, and your application only needs to decrypt and pull the authenticated user information (attribute/value pairs) out of the OTK that you're currently using within PF. You can configure the SP Adapter in your IdP Connection to include all kinds of identity information that is included in the SAMLResponse received. I would refer to the OpenToken Integration Kit as a starting point.
Upvotes: 2
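The last-mile step both answers describe, as an added example that is not from the question, the answers, or Ping's integration kits: a simplified stand-in for what the OpenToken agent library does inside your application before handing you the attribute map. The real OpenToken is an encrypted, compressed token whose layout is defined by the OpenToken specification and should be read with Ping's agent; this block only mirrors the pattern (integrity check before any parsing, attribute decoding, validity-window enforcement) using an HMAC-SHA256 envelope from the Python standard library. The secret, the attribute names and values, and the clock are constructed for the demo.

```python
"""Simplified stand-in for the last-mile OpenToken read inside an SP application.

Constructed example: the envelope here (HMAC-SHA256 over a zlib-compressed
key=value payload) is NOT the real OpenToken layout. It mirrors only the steps
an agent library performs before the attribute map reaches application logic:
verify integrity first, then decode, then enforce the validity window.
"""
import base64
import hashlib
import hmac
import zlib
from datetime import datetime, timedelta, timezone

# Constructed shared secret. A real deployment takes this from the agent
# configuration produced by the PingFederate SP Adapter, never from source code.
SHARED_SECRET = b"constructed-demo-agent-secret"
_MAC_LEN = 32  # SHA-256 digest size in bytes

DEMO_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock


def _fmt(ts: datetime) -> str:
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def issue_token(attrs: dict, now: datetime, lifetime_s: int = 300) -> str:
    """Build a token the way the SP side would (demo stand-in for the SP Adapter)."""
    body = dict(attrs)
    body["not-before"] = _fmt(now)
    body["not-on-or-after"] = _fmt(now + timedelta(seconds=lifetime_s))
    payload = zlib.compress("\n".join(f"{k}={v}" for k, v in body.items()).encode())
    mac = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac + payload).decode()


def read_token(token: str, now: datetime) -> dict:
    """Verify integrity, then decode attributes and enforce the validity window."""
    raw = base64.urlsafe_b64decode(token)
    mac, payload = raw[:_MAC_LEN], raw[_MAC_LEN:]
    expected = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    # Constant-time compare; reject before decompressing or parsing anything.
    if not hmac.compare_digest(mac, expected):
        raise ValueError("token integrity check failed")
    attrs = {}
    for line in zlib.decompress(payload).decode().splitlines():
        key, _, value = line.partition("=")
        attrs[key] = value
    if "subject" not in attrs:
        raise ValueError("token carries no subject")
    if now < _parse_ts(attrs["not-before"]) or now >= _parse_ts(attrs["not-on-or-after"]):
        raise ValueError("token outside its validity window")
    return attrs


def tampered(token: str) -> str:
    """Flip one payload byte so the integrity check, not the parser, rejects it."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[-1] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


def demo() -> dict:
    """Happy path plus the two rejection paths, all on constructed input."""
    # Constructed attribute set, standing in for SAML values mapped by the SP Adapter.
    token = issue_token({"subject": "aswini@example.com",
                         "mail": "aswini@example.com",
                         "groups": "app-users"}, DEMO_NOW)
    result = {"attrs": read_token(token, DEMO_NOW + timedelta(seconds=10))}
    for name, bad_token, at in (("tampered", tampered(token), DEMO_NOW),
                                ("expired", token, DEMO_NOW + timedelta(seconds=600))):
        try:
            read_token(bad_token, at)
            result[name] = "accepted"
        except ValueError as exc:
            result[name] = str(exc)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of checks is the point: the MAC is verified over the raw bytes before decompression or parsing, so a tampered token never reaches the attribute parser, and the time window is enforced on the decoded attributes before the map is returned to application code. With the real integration kit the agent performs the equivalent steps (decryption included) and your code starts from the returned attribute map.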