Adding SessionNotOnOrAfter to SAML Assertion

Some SAML 2 Service Providers require the Identity Provider to include the optional AuthnStatement attribute SessionNotOnOrAfter in the SAML Response. PingAM can add this attribute through a custom IDP Adapter, and since version 7.2 the IDP Adapter can be provided as a scripted implementation rather than a compiled Java class. Because the scripted version is the easiest to implement, the following sample script adds the SessionNotOnOrAfter attribute in the preSignResponse() function of the IDP Adapter script, i.e. after the assertion has been built but before the response is signed, so the added attribute is covered by the signature.

function preSignResponse() {
  try {
    // res is the SAML Response object that PingAM binds for preSignResponse();
    // take the first (and normally only) assertion it carries.
    var assertion = res.getAssertion().get(0);

    // Build the SessionNotOnOrAfter value: now plus a fixed number of seconds.
    // Use the same value as Assertion > Not-Before Time Skew (default 600).
    var sessionNotOnOrAfter = new Date();
    sessionNotOnOrAfter.setSeconds(sessionNotOnOrAfter.getSeconds() + 600);

    // Set the attribute on the first AuthnStatement of the assertion.
    var authnstatement = assertion.getAuthnStatements().get(0);
    authnstatement.setSessionNotOnOrAfter(sessionNotOnOrAfter);

    // Trace the resulting statement so the attribute can be verified in the log.
    logger.error("authnstatement {}", authnstatement.toXMLString());
  } catch (e) {
    logger.error("Error: " + e.message);
  }
}
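To confirm that the script above produces what a Service Provider expects, it helps to check the issued response the way an SP would. The following Python snippet is an added example, not part of the original post or of PingAM: it parses a constructed sample SAML Response, extracts SessionNotOnOrAfter from the AuthnStatement, and validates the timestamp against the current time with a clock-skew tolerance. The sample XML, the identifiers in it, and the 60-second skew are assumptions made up for the example.

```python
"""Validate the SessionNotOnOrAfter attribute of a SAML 2.0 assertion.

Added example (not PingAM code). The response below is a constructed sample;
IDs, issuer and timestamps are illustrative placeholders.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response (no signature; the check here is about the
# AuthnStatement attribute, not signature validation).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/am</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:50:00Z"
        NotOnOrAfter="2024-01-01T12:10:00Z"/>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionIndex="s1"
        SessionNotOnOrAfter="2024-01-01T12:10:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_instant(value):
    """Parse a SAML xs:dateTime in UTC ('Z', optional fractional seconds)."""
    if not value.endswith("Z"):
        raise ValueError("timestamp must be UTC with trailing 'Z': %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_session_not_on_or_after(response_xml, now, skew=timedelta(seconds=60)):
    """Return (ok, detail) for the SessionNotOnOrAfter of the first AuthnStatement.

    Failure modes handled: missing Assertion/AuthnStatement, missing or
    malformed attribute, a session end that precedes AuthnInstant, and a
    session that has already expired (allowing `skew` of clock difference).
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element in response"
    stmt = assertion.find("saml:AuthnStatement", NS)
    if stmt is None:
        return False, "no AuthnStatement element in assertion"
    raw = stmt.get("SessionNotOnOrAfter")
    if raw is None:
        return False, "AuthnStatement lacks SessionNotOnOrAfter"
    try:
        session_end = parse_saml_instant(raw)
        authn_instant = parse_saml_instant(stmt.get("AuthnInstant", "") or "")
    except ValueError as exc:
        return False, "malformed timestamp: %s" % exc
    if session_end <= authn_instant:
        return False, "SessionNotOnOrAfter %s is not after AuthnInstant" % raw
    if now >= session_end + skew:
        return False, "session already expired at %s" % raw
    return True, "session valid until %s" % raw


if __name__ == "__main__":
    at = datetime(2024, 1, 1, 12, 5, tzinfo=timezone.utc)
    print(check_session_not_on_or_after(SAMPLE_RESPONSE, at))
```

The check is deliberately strict about the attribute being present, because that is exactly the condition the Service Providers mentioned above enforce; running it against a real response captured from the IDP (for instance the XML the script logs from toXMLString()) shows immediately whether the adapter script took effect and whether the chosen 600-second window is what the SP will see.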