...
| Attribute | Description |
|---|---|
| Group | Group to which the policy item is linked. |
| Site | Top-level site of the policy item group. |
| Scope | Scope of the policy item. If set, the specified scope value (or, with multiple values, at least one of them) must be present in the authentication request for the policy item to be evaluated. Note that this can only be used with OpenID Connect, OAuth 2.0 and Mobile Connect applications. Other application integration protocols don't support attribute scopes, so for them policy items with any scope other than the empty value will not be evaluated. An empty value means that the policy item is evaluated regardless of scope. Multiple values are separated by a space. |
| Name | Name of the authorization attribute. |
| Value | Attribute value. See the syntax below. |
| Name Format | SAML attribute name format, used in the SAML message. Usually not needed. |
| Friendly Name | SAML attribute friendly name, used in the SAML message. Usually not needed. |
| Update | Update the edited fields. |
| Add | Add a new group – authorization association to this authorization policy. |
| Remove | Remove the selected group – authorization association(s). |
| Note |
|---|
| The following claims cannot be overwritten with an authorization policy for OpenID Connect and OAuth2 applications. |
The syntax of the attribute value is as follows:

- `text:<string>` → the value is `<string>`.
- `user:<name>` → the value is evaluated by reading the attribute `<name>` from the user's directory object. For example, `user:uid` would return the value of the uid attribute.
- `user:<name>;binary` → LDAP binary option mechanism (http://www.rfc-editor.org/rfc/rfc2251.txt, Authentication and authorization process - SSO and Management customization - SSO → Disabling Context Menu items). The attribute `<name>` is returned to web applications as a Base64-encoded string. For example, `user:objectGuid;binary` would return a value such as `sFy0xj0cXU6QpjsQRCzG5Q==`.
- `method:<name>` → the value is evaluated by reading the attribute `<name>` assigned by the authentication method component. The availability of method attributes depends on the authentication method implementation.
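To make the value syntax and the Scope rule above concrete, here is an added example (not code from the SSO product itself) that resolves a policy item's value against a constructed directory object and constructed method attributes, and applies the space-separated scope check. The hypothetical `objectGuid` bytes are chosen so that the Base64 form is the page's example value; the `authn_method` attribute is an assumed name.

```python
import base64

# Constructed sample data (not from the page): a user's directory object,
# attributes assigned by the authentication method, and request scopes.
SAMPLE_USER = {
    "uid": "jdoe",
    # Hypothetical GUID bytes; their Base64 form is the page's example value.
    "objectGuid": bytes.fromhex("b05cb4c63d1c5d4e90a63b10442cc6e5"),
}
SAMPLE_METHOD = {"authn_method": "password.1"}  # assumed attribute name


def scope_applies(item_scope, request_scopes):
    """Return True if a policy item with the given Scope field is evaluated.

    An empty scope means always; otherwise at least one of the
    space-separated scope values must be present in the request.
    """
    wanted = set(item_scope.split())
    return not wanted or bool(wanted & set(request_scopes))


def evaluate_value(value, user, method):
    """Resolve one attribute value written in the text:/user:/method: syntax.

    Returns the resolved string, or None if the referenced attribute is absent.
    """
    if value.startswith("text:"):
        return value[len("text:"):]
    if value.startswith("user:"):
        name = value[len("user:"):]
        if name.endswith(";binary"):
            # LDAP binary option: raw bytes are returned Base64-encoded.
            raw = user.get(name[:-len(";binary")])
            return None if raw is None else base64.b64encode(raw).decode("ascii")
        return user.get(name)
    if value.startswith("method:"):
        return method.get(value[len("method:"):])
    raise ValueError("unsupported attribute value syntax: %r" % value)


def evaluate_item(item, user, method, request_scopes):
    """Evaluate one policy item {'scope', 'name', 'value'}.

    Returns (name, resolved value), or None when the scope rule excludes it.
    """
    if not scope_applies(item["scope"], request_scopes):
        return None
    return item["name"], evaluate_value(item["value"], user, method)
```

A missing directory or method attribute resolves to `None` rather than raising, which mirrors the page's caveat that method attribute availability depends on the authentication method implementation.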
...
For more information, refer to Expression language API - SSO.
| Note |
|---|
| In the image above, the expression sets the attribute's name to "role", so an attribute named "Update NameID and add role 'manager'" would not be defined. Instead, the name of the policy item group is used here as a human-readable description. |
...