public class TokenTransformationFilter extends Object implements org.forgerock.http.Filter

TokenTransformationFilter is responsible for transforming a token issued by OpenAM into a token of another type.

```json
{
  "type": "TokenTransformationFilter",
  "config": {
    "openamUri": "https://openam.example.com/openam/",
    "realm": "/my-realm",
    "username": "${attributes.username}",
    "password": "${attributes.password}",
    "idToken": "${attributes.id_token}",
    "from": "OPENIDCONNECT",
    "to": "SAML2",
    "instance": "oidc-to-saml",
    "amHandler": "#Handler",
    "cache-size": "${32000}",
    "cache-ttl": "${0}"
  }
}
```
The openamUri attribute is the OpenAM base URI against which authentication and STS requests will be issued.
The realm attribute is the OpenAM realm that contains both the subject (described through username and password attributes) and the STS instance (described with instance).
The idToken attribute is an Expression specifying where to get the JWT id_token. Note that the referenced value has to be a String (the JWT encoded value).

The instance attribute is the name of an STS instance: a pre-configured transformation available under a specific REST endpoint.

The amHandler attribute is a reference to a Handler heap object. That handler is used for all REST calls to OpenAM (as opposed to the next Handler passed to the filter method, which is dedicated to continuing the execution flow through the chain).

After transformation, the returned issued_token (at the moment a String containing the XML of the generated SAML assertions) is made available in the StsContext for downstream handlers.

The cache-size attribute is an Expression specifying the cache size; the default value is 32000.

The cache-ttl attribute is an Expression specifying the cache TTL in milliseconds; the default value is 0 ms (cache disabled).

If errors occur during the token transformation, the error response is returned as-is to the caller, and informative messages are logged for the administrator.
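The behaviour described above (read the id_token through an expression, call the STS through amHandler, cache the issued token keyed by the input token with a TTL where 0 disables the cache, pass STS error responses back unchanged, and publish issued_token for downstream handlers) can be traced end to end in a small simulation. The following Python is an added example and not OpenIG code: the request/response dicts, the `TtlCache`, the STS endpoint URI, the translate request body layout and the handling of a missing id_token are all constructed assumptions standing in for the real `Handler`, `Expression<String>`, `Cache` and `StsContext` types.

```python
import time
import logging

log = logging.getLogger("TokenTransformationFilter")


class TtlCache:
    """Bounded cache keyed by the input id_token. ttl_ms follows the page's
    cache-ttl semantics: 0 disables caching, so every request reaches the STS."""

    def __init__(self, size=32000, ttl_ms=0, clock=time.monotonic):
        self.size, self.ttl_ms, self.clock = size, ttl_ms, clock  # clock is injectable for tests
        self.entries = {}  # id_token -> (issued_token, expires_at)

    def get(self, key):
        if self.ttl_ms <= 0:
            return None
        hit = self.entries.get(key)
        if hit is None:
            return None
        value, expires_at = hit
        if self.clock() >= expires_at:          # expired entries are dropped on lookup
            del self.entries[key]
            return None
        return value

    def put(self, key, value):
        if self.ttl_ms <= 0:
            return
        if len(self.entries) >= self.size:     # dict keeps insertion order: evict the oldest
            del self.entries[next(iter(self.entries))]
        self.entries[key] = (value, self.clock() + self.ttl_ms / 1000.0)


class TokenTransformationFilter:
    """Simulation of the filter flow; stand-in types, not the OpenIG classes."""

    def __init__(self, am_handler, endpoint, id_token_expr, from_type, to_type, cache):
        self.am_handler = am_handler        # handler used for all OpenAM REST calls (amHandler)
        self.endpoint = endpoint            # STS instance URI including _action=translate
        self.id_token_expr = id_token_expr  # callable(context) -> str, stands in for Expression<String>
        self.from_type, self.to_type, self.cache = from_type, to_type, cache

    def filter(self, context, request, next_handler):
        id_token = self.id_token_expr(context)
        if not isinstance(id_token, str) or not id_token:
            # ASSUMPTION: the page does not say how a missing/non-String id_token is handled;
            # this simulation refuses the request instead of calling the STS.
            log.error("idToken expression did not yield a String")
            return {"status": 500, "body": "token transformation failed"}
        issued = self.cache.get(id_token)
        if issued is None:
            # ASSUMPTION: the translate request body layout below is illustrative only.
            sts_request = {"method": "POST", "uri": self.endpoint, "body": {
                "input_token_state": {"token_type": self.from_type, "oidc_id_token": id_token},
                "output_token_state": {"token_type": self.to_type}}}
            response = self.am_handler(sts_request)
            if response["status"] != 200:
                # Page behaviour: the STS error response goes back to the caller as-is;
                # the detail is logged for the administrator.
                log.warning("STS translate failed: status=%s uri=%s", response["status"], self.endpoint)
                return response
            issued = response["body"]["issued_token"]
            self.cache.put(id_token, issued)
        context["sts"] = {"issued_token": issued}   # stands in for StsContext
        return next_handler(context, request)


def make_fake_sts(fail_status=None):
    """Constructed amHandler stand-in: counts calls and returns either a SAML body or an error."""
    calls = {"count": 0}

    def handler(sts_request):
        calls["count"] += 1
        if fail_status is not None:
            return {"status": fail_status, "body": "invalid input token"}
        token = sts_request["body"]["input_token_state"]["oidc_id_token"]
        return {"status": 200, "body": {"issued_token": '<saml:Assertion ID="for-%s"/>' % token}}

    handler.calls = calls
    return handler


def downstream(context, request):
    """Constructed next handler: returns what it found in the context."""
    return {"status": 200, "body": context["sts"]["issued_token"]}


def run(ttl_ms, fail_status=None, repeats=2):
    """Send the same id_token `repeats` times; returns (last_response, number_of_sts_calls)."""
    sts = make_fake_sts(fail_status)
    flt = TokenTransformationFilter(
        am_handler=sts,
        endpoint="https://openam.example.com/openam/rest-sts/oidc-to-saml?_action=translate",  # constructed
        id_token_expr=lambda ctx: ctx["attributes"].get("id_token"),
        from_type="OPENIDCONNECT", to_type="SAML2",
        cache=TtlCache(size=32000, ttl_ms=ttl_ms))
    context = {"attributes": {"id_token": "eyJhbGciOiJSUzI1NiJ9.constructed.sig"}}  # constructed JWT-like value
    response = None
    for _ in range(repeats):
        response = flt.filter(context, {"method": "GET"}, downstream)
    return response, sts.calls["count"]


if __name__ == "__main__":
    print(run(ttl_ms=0))                         # cache disabled: the STS is called twice
    print(run(ttl_ms=60000))                     # cache hit: the STS is called once
    print(run(ttl_ms=60000, fail_status=401))    # error passed through unchanged
```

Running `run` with the default `cache-ttl` of 0 shows every request hitting the STS, which is the safe default when the id_token lifetime is shorter than any TTL you might pick; a positive TTL trades STS round trips for the possibility of serving an assertion after the input token has been revoked or expired, so size the TTL against the id_token's own lifetime.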
Modifier and Type | Class and Description
---|---
static class | TokenTransformationFilter.Heaplet: Creates and initializes a token transformation filter in a heap environment.
Constructor and Description
---
TokenTransformationFilter(org.forgerock.http.Handler handler, URI endpoint, Expression<String> idToken, String from, String to, com.google.common.cache.Cache<String,String> cache): Constructs a new TokenTransformationFilter transforming the OpenID Connect id_token from idToken into a SAML 2.0 Assertions structure (into target).
Modifier and Type | Method and Description
---|---
org.forgerock.util.promise.Promise<org.forgerock.http.protocol.Response,org.forgerock.util.promise.NeverThrowsException> | filter(org.forgerock.services.context.Context context, org.forgerock.http.protocol.Request request, org.forgerock.http.Handler next)
public TokenTransformationFilter(org.forgerock.http.Handler handler, URI endpoint, Expression<String> idToken, String from, String to, com.google.common.cache.Cache<String,String> cache)

Constructs a new TokenTransformationFilter transforming the OpenID Connect id_token from idToken into a SAML 2.0 Assertions structure (into target).

Parameters:
- handler - pipeline used to send the STS transformation request
- endpoint - fully qualified URI of the STS instance (including the _action=translate query string)
- idToken - Expression for reading the OpenID Connect id_token (expects a String)

public org.forgerock.util.promise.Promise<org.forgerock.http.protocol.Response,org.forgerock.util.promise.NeverThrowsException> filter(org.forgerock.services.context.Context context, org.forgerock.http.protocol.Request request, org.forgerock.http.Handler next)

Specified by: filter in interface org.forgerock.http.Filter
Copyright © 2025 Open Identity Platform Community. All rights reserved.