...

Attribute      Description
Group          Group to which the policy item is linked.
Site           Top-level site of the policy item group.
Scope          Scope of the policy item.
               If set, the specified scope value (or at least one of the values, when several are given) must be present in the authentication request for the policy item to be evaluated. This applies only to OpenID Connect, OAuth 2.0 and Mobile Connect applications: other application integration protocols don't support attribute scopes, so for them a policy item with any non-empty scope is never evaluated.
               An empty value means that the policy item is evaluated regardless of scope.
               Multiple values can be separated by a space.
Name           Name of the authorization attribute.
Value          Attribute value. See the syntax below.
Name Format    SAML attribute name format, used in the SAML message. Usually not needed.
Friendly Name  SAML attribute friendly name, used in the SAML message. Usually not needed.
Update         Update the edited fields.
Add            Add a new group – authorization association to this authorization policy.
Remove         Remove the selected group – authorization association(s).


Note

The following claims cannot be overwritten with an authorization policy for OpenID Connect and OAuth2 applications.

active, aud, client_id, expires_in, iat, scope and token_type


The syntax of the attribute value is as follows:

  • text:<string>
    → the value is the literal <string>.
  • user:<name>
    → the value is evaluated by reading the attribute <name> from the user's directory object. For example, user:uid returns the value of the uid attribute.
  • user:<name>;binary
    → LDAP binary option mechanism (RFC 2251, http://www.rfc-editor.org/rfc/rfc2251.txt; see also Authentication and authorization process - SSO, and Management customization - SSO → Disabling Context Menu items). The attribute <name> is returned to web applications as a Base64-encoded string. For example, user:objectGuid;binary returns a value such as sFy0xj0cXU6QpjsQRCzG5Q== .
  • method:<name>
    → the value is evaluated by reading the attribute <name> assigned by the authentication method component. Which method attributes are available depends on the authentication method implementation.
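The following Python model is an added example written for this page; it is not the SSO product's own code. It ties together the three rules above: the Scope column (a scoped item is evaluated only when one of its space-separated values appears in the request, and only for OpenID Connect, OAuth 2.0 and Mobile Connect), the protected claims that a policy cannot overwrite for OIDC/OAuth2 applications, and the text:/user:/user:;binary/method: value syntax. The protocol labels, the directory attributes, the method attribute name and the handling of protected claims (items are dropped) are assumptions; the objectGuid octets are rebuilt from the page's own example string so the resolver reproduces it.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Protocols for which the Scope column is honoured (page: OpenID Connect,
# OAuth 2.0 and Mobile Connect). The short labels are assumptions of this example.
SCOPE_AWARE_PROTOCOLS = {"oidc", "oauth2", "mobile-connect"}

# Claims the page lists as not overwritable by a policy for OIDC/OAuth2 applications.
PROTECTED_CLAIMS = {"active", "aud", "client_id", "expires_in", "iat", "scope", "token_type"}


@dataclass
class PolicyItem:
    name: str           # "Name" column: authorization attribute name
    value: str          # "Value" column: text:/user:/method: expression
    scope: str = ""     # "Scope" column: space-separated values, empty = always evaluated


def scope_matches(item: PolicyItem, protocol: str, requested_scopes: List[str]) -> bool:
    """Return True if this policy item is evaluated for the authentication request."""
    wanted = set(item.scope.split())
    if not wanted:
        return True                          # empty scope: evaluated regardless of scope
    if protocol not in SCOPE_AWARE_PROTOCOLS:
        return False                         # other protocols: scoped items are never evaluated
    return bool(wanted & set(requested_scopes))


def resolve_value(expr: str, user: Dict[str, Union[str, bytes]],
                  method_attrs: Dict[str, str]) -> Optional[str]:
    """Resolve one Value expression against a user object and the method attributes."""
    if expr.startswith("text:"):
        return expr[len("text:"):]
    if expr.startswith("user:"):
        spec = expr[len("user:"):]
        binary = spec.endswith(";binary")
        attr = spec[:-len(";binary")] if binary else spec
        raw = user.get(attr)
        if raw is None:
            return None                      # attribute absent from the directory object
        if binary:
            # ;binary: the raw octets are handed to the application Base64-encoded
            data = raw if isinstance(raw, bytes) else raw.encode("utf-8")
            return base64.b64encode(data).decode("ascii")
        return raw.decode("utf-8") if isinstance(raw, bytes) else raw
    if expr.startswith("method:"):
        return method_attrs.get(expr[len("method:"):])
    raise ValueError(f"unsupported value expression: {expr!r}")


def evaluate_policy(items: List[PolicyItem], protocol: str, requested_scopes: List[str],
                    user: Dict[str, Union[str, bytes]],
                    method_attrs: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Apply every matching item. Returns (claims, skipped); skipped lists the item
    names dropped because they would overwrite a protected claim (assumed behaviour)."""
    claims: Dict[str, str] = {}
    skipped: List[str] = []
    for item in items:
        if not scope_matches(item, protocol, requested_scopes):
            continue
        if protocol in {"oidc", "oauth2"} and item.name in PROTECTED_CLAIMS:
            skipped.append(item.name)
            continue
        value = resolve_value(item.value, user, method_attrs)
        if value is not None:
            claims[item.name] = value
    return claims, skipped


# Constructed sample data. The objectGuid octets are decoded from the page's own
# example so that user:objectGuid;binary yields exactly that string again.
SAMPLE_USER: Dict[str, Union[str, bytes]] = {
    "uid": "jdoe",
    "mail": "jdoe@example.com",
    "objectGuid": base64.b64decode("sFy0xj0cXU6QpjsQRCzG5Q=="),
}
SAMPLE_METHOD_ATTRS = {"authnContext": "password.1"}   # assumed method attribute name
SAMPLE_ITEMS = [
    PolicyItem("role", "text:manager"),
    PolicyItem("login", "user:uid"),
    PolicyItem("guid", "user:objectGuid;binary"),
    PolicyItem("email", "user:mail", scope="email profile"),
    PolicyItem("amr", "method:authnContext"),
    PolicyItem("aud", "text:other-audience"),          # protected claim: must be dropped
]

if __name__ == "__main__":
    claims, skipped = evaluate_policy(SAMPLE_ITEMS, "oidc", ["openid", "profile"],
                                      SAMPLE_USER, SAMPLE_METHOD_ATTRS)
    for name, value in claims.items():
        print(f"{name} = {value}")
    print("dropped (protected claims):", skipped)
```

Running the module evaluates the sample policy for an OIDC request with scopes "openid profile": the scoped email item is applied, the "aud" item is dropped, and the guid item reproduces the page's Base64 value. Evaluating the same items for a SAML application shows the other side of the scope rule: the scoped email item is never applied, whatever the request carries.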

...

For more information, refer to Expression language API - SSO.


Note

In the image above, the expression sets the attribute name to "role", so no attribute named "Update NameID and add role 'manager'" is defined. Instead, the name of the policy item group serves only as a human-readable description.

...