Using OGNL expressions to call a custom Java class to extend PingFederate -

Object-Graph Navigation Language (OGNL) is based on the Java Programming language and is part of the Apache Commons library. It has been integrated in to PingFederate and is extremely useful for evaluating and manipulating attribute values as part of attribute contract fulfillment within a SAML or WS-Federation connection or used as part of Issuance Criteria. The real power comes when extending OGNL with a java class for implementing complex business requirements that are more advanced than what OGNL can handle. This blog covers the process to extend OGNL expressions by writing a custom java method that can be invoked as an OGNL method within PingFederate.

The use case that we run into most commonly is when an attribute returned from a data source (e.g. Active Directory, LDAP, or JDBC) needs further processing as part of attribute contract fulfillment. For example, parsing the Active Directory attribute memberOf. By default, the attribute returned from active directory will contain the distinguished names for every security group, however, you may only want the common names to be returned in the assertion. This is accomplished through the following steps:

Create a Java project defining a specific class and associated methods
Create a jar of the project
Place the jar file in the library directory for PingFederate:/server/default/lib
Restart the PingFederate server so that the Java class is loaded
Define an OGNL expression that will utilize the custom java class and methods

The following is a simple method for parsing the CN value for all the security groups returned by the Active Directory memberOf attribute.

package com.pegright.ping;
public class UtilParseMemberOf {
    public String parseGroups(String groupString) {
        StringBuilder outStr = new StringBuilder();
        outStr.append("[");
        boolean first = true;
        String[] items = groupString.split("CN=");
        for(String s : items){
            if(s.indexOf(",") >0) {
                String group = s.substring(0,s.indexOf(","));
                if(first) {
                    first = false;
                } else {
                    outStr.append(", ");
                }
                outStr.append("""+group+""");
            }
        }
        outStr.append("]");
        return outStr.toString();
    }
}

This OGNL expression can be used to fulfill an SP Connection attribute, whether the connection is for SAML or WS-Federation. Within the attribute contract fulfillment, the source type of Expression allows for OGNL expressions to be used for complex mapping capabilities. The following is a sample expression that utilizes the Java library:

#ptp = new com.pegright.ping.UtilParseMemberOf(),
#result = ptp.parseGroups(#this.get("ds.memberOf"))

The use of OGNL by PingFederate is a great way to implement complex mapping requirements to fulfill attribute contracts. The ability to extend OGNL by writing your own custom Java class for unique requirements further shows the flexibility of PingFederate. It’s one of the key capabilities that makes PingFederate the market leader in meeting complex federation use cases. Contact us if you have questions on the use of OGNL or if you need help making the most of your Ping Identity investment.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
LS_CSRF_TOKEN	session	Cloudflare sets this cookie to track users’ activities across multiple websites. It expires once the browser is closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_47704508_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
_zcsr_tmp	session	No description available.
663a60c55d	session	No description available.
ac09458e72	session	No description
AnalyticsSyncHistory	1 month	No description
CookieLawInfoConsent	1 year	No description
fd6b13af5c	session	No description available.
li_gc	2 years	No description
proofidltd-_zldp	2 years	No description
proofidltd-_zldt	1 day	No description
visitorId	1 year	No description
zc_consent	1 year	No description available.
zc_cu	1 year	No description available.
zc_cu_exp	1 year	No description available.
zc_loc	session	No description available.
zc_show	1 year	No description available.
ZCAMPAIGN_CSRF_TOKEN	session	No description available.

Using OGNL expressions to call a custom Java class to extend PingFederate

Using OGNL expressions to call a custom Java class to extend PingFederate

About the Author: ProofID

Share

TOPICS

Be the first to hear about news, product updates, and innovation from proofid

Using OGNL expressions to call a custom Java class to extend PingFederate

Using OGNL expressions to call a custom Java class to extend PingFederate

About the Author: ProofID

Share

TOPICS

Kerberos authentication troubleshooting with PingFederate

Configuring Qualys with PingFederate

Advanced user registration with PingFederate

PingFederate & PingAccess Configuration Made Easy with ProofID ConfigMigrator

Be the first to hear about news, product updates, and innovation from proofid