SAML 2.0 protocol context example for access policy

You can specify an access policy that makes access decisions based on context obtained from the protocol.

For SAML 2.0, the protocol context includes federation information, partner information, and the authentication request. The following policy makes an access decision based on the protocol context.


// Snapshot of the SAML 2.0 protocol context as a plain JSON-style object.
// Every getter result is coerced to a JS string with "" + ... so the values
// can be logged or serialized; a null getter result becomes the string "null".
// Keys are evaluated in source order, so the getters run in the same order
// as the original field-by-field assignments.
var protocolContextJSON = (function() {
       var pc = context.getProtocolContext();
       return {
              "request": "" + pc.getAuthnRequest(),
              "FederationId": "" + pc.getFederationId(),
              "PartnerId": "" + pc.getPartnerId(),
              "FederationName": "" + pc.getFederationName(),
              "PartnerName": "" + pc.getPartnerName()
       };
})();

The following example uses the SAML 2.0 protocol context to allow or deny access based on the partner name.


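importClass(Packages.com.ibm.security.access.policy.decision.Decision);
importClass(Packages.com.ibm.security.access.policy.decision.HtmlPageDenyDecisionHandler);

// Allow every partner except "SP Company"; that partner is denied and shown an
// HTML deny page whose @MESSAGE@ macro names the partner.
var protocolContext = context.getProtocolContext();
// Read the partner name once so the comparison and the message use the same value.
var partnerName = protocolContext.getPartnerName();

// Loose (!=) comparison is kept on purpose: getPartnerName() presumably returns a
// Java string (note the "" + coercion used elsewhere on this page), which only
// compares equal to a JS string literal through coercion, not with ===.
if (partnerName != "SP Company") {
       context.setDecision(Decision.allow());
}
else {
       var handler = new HtmlPageDenyDecisionHandler();
       // Build the message with + across lines: a raw line break inside a quoted
       // string literal is a syntax error, so the original two-line literal would
       // not parse. partnerName comes from the configured partner entry rather than
       // from the request, so the macro does not carry request-controlled content.
       handler.setMacro("@MESSAGE@", "Sorry " + partnerName +
              " is not allowed to run a successful Single Sign on flow");
       context.setDecision(Decision.deny(handler));
}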