Comment: Published by Scroll Versions from space IDS and version 8.2.0

...

Variable | Description
user [Bean] | Contents depend on the type of the user directory.
  • LDAP: Contains all the attributes of the user's entry in the directory. For example, user.cn or user['cn'] resolves to the cn attribute of the user in an LDAP user directory.
  • SQL: Contains all the attributes defined by the UbiloginAuthorizer view.
method [Bean] | Contains all the attributes defined by the authentication method, after attribute mapping (see section 2.3) is applied.
  • Additionally, if the Authorization Policy is registered to an OAuth2 application, the method bean exposes the following built-in attributes:
    • grant_type
      The grant_type of the authentication request that was used for obtaining the token.
    • refresh_token_iat
      If grant_type is refresh_token, this contains the creation time of the refresh_token.
prefix [Bean] | Contains the collection of all authorizer implementations registered in Ubisecure SSO, with their prefixes as keys.
username [Bean] | Contains the properties of the user in the user directory. Changes to the nameID variable are not reflected in this variable.
  • value [String]
  • handle [String]
  • format [String]
  • nameQualifier [String]
  • spNameQualifier [String]
  • spProvidedID [String]
sso [Bean] | Contains the following properties.
  • id [String] – SSO session ID. This should never be sent to an application as plain text. Instead, a SHA1 digest should be used to create a transient session ID, like ${sha1.text(sso.id).uuid}
  • locale [String] – Value of the current UI locale.
  • template [String] – Name of the current UI template.

Examples of use:

Get the user's CN attribute from the user directory and concatenate it with the string '@example.com'. Both expressions are equivalent.

...

  • attribute [AttributeBuilder]
    The attribute in the current authorization policy context, which will be sent to the application.

    Variable | Description
    name(String s) [AttributeBuilder] | Set the name of the attribute. Note that this overrides the setting in the authorization policy itself.
    values(String s) [AttributeBuilder] | Add a value for the attribute.
    nameFormat(String s) [AttributeBuilder] | Set the nameFormat of the attribute. Valid values are:
    • UNSPECIFIED
      urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
    • URI
      urn:oasis:names:tc:SAML:2.0:attrname-format:uri
    • BASIC
      urn:oasis:names:tc:SAML:2.0:attrname-format:basic
    friendlyName(String s) [AttributeBuilder] | Set the friendlyName of the attribute.


Examples of use:

Set the value "manager" on the attribute "role".

...

  • ${eidm['roles'].contains('Users/OrganizationMainUser') ? 'true' : 'false'}

Returns “true” if the user status in Ubisecure CustomerID is 'Enabled' (='1'). Otherwise a null value is returned. This is useful if you also add the specified attribute to the list of required attributes. Then only enabled users can get access to the service.

  • ${eidm['user.status'].contains('1') ? 'true' : null}

Returns “useradmin” if the user has the absolute CustomerID role Users/OrganizationMainUser. Otherwise “normaluser” is returned.

...

  • sha1 [DigestBuilder]
    Helper for building a SHA1 digest.

    Variable | Description
    text(String input) [DigestBuilder] | Append input string to digest builder.
    bytes(byte[] input) [DigestBuilder] | Append input byte array to digest builder.
    guid [UUID] | Convert digest to GUID.
    uuid [UUID] | Convert digest to UUID.


  • sha256 [DigestBuilder]
    Helper for building a SHA256 digest.

    Variable | Description
    text(String input) [DigestBuilder] | Append input string to digest builder.
    bytes(byte[] input) [DigestBuilder] | Append input byte array to digest builder.
    guid [UUID] | Convert digest to GUID.
    uuid [UUID] | Convert digest to UUID.

     

Examples of use:

Create SHA256 digest of SSO Session ID and convert the digest to UUID.

...
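
An added illustration (not Ubisecure's code) of why a digest-derived UUID such as ${sha1.text(sso.id).uuid}, or its SHA256 counterpart, can be handed to an application where sso.id cannot. The Python DigestBuilder below is a hypothetical model of the sha1/sha256 helpers; UTF-8 input encoding, truncation to the first 16 digest bytes and the guid byte order are assumptions, and the session IDs are constructed.

```python
import hashlib
import uuid as uuidlib


class DigestBuilder:
    """Hypothetical model of the sha1 / sha256 helpers (not Ubisecure code)."""

    def __init__(self, algorithm):
        self._h = hashlib.new(algorithm)

    def text(self, s):
        # Assumption: strings are appended as their UTF-8 bytes.
        self._h.update(s.encode("utf-8"))
        return self

    def bytes(self, b):
        self._h.update(b)
        return self

    @property
    def uuid(self):
        # Assumption: first 16 digest bytes, big-endian field order.
        return uuidlib.UUID(bytes=self._h.digest()[:16])

    @property
    def guid(self):
        # Assumption: same 16 bytes in Microsoft mixed-endian field order.
        return uuidlib.UUID(bytes_le=self._h.digest()[:16])


def transient_session_id(sso_id, algorithm="sha256"):
    """Model of ${sha256.text(sso.id).uuid}: one-way, stable per session."""
    return str(DigestBuilder(algorithm).text(sso_id).uuid)


if __name__ == "__main__":
    # Constructed session IDs, not real Ubisecure SSO values.
    session_a = "_9b1f0c6e7a2d4f58a3c1e0d9b7f64a21"
    session_b = "_9b1f0c6e7a2d4f58a3c1e0d9b7f64a22"
    tid = transient_session_id(session_a)
    print("sent to application:", tid)
    # Stable within a session, so the application can correlate requests.
    print("stable:", tid == transient_session_id(session_a))
    # A one-character change in sso.id gives an unrelated identifier.
    print("other session:", transient_session_id(session_b))
    # The application never sees the value that identifies the SSO session.
    print("leaks sso.id:", session_a.strip("_") in tid.replace("-", ""))
```

The derivation is one-way in practice only because sso.id is long and random; a digest of a guessable input can be reversed by enumeration.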

Function | Description
xss:html(String input) [String] | Encode input string for HTML.
xss:url(String input) [String] | Encode input string for URL.
xss:js(String input) [String] | Encode input string for JavaScript.
xss:json(String input) [String] | Encode input string for JSON.
c14n:text(String input) [String] | Encode input string for Text Node in Canonical XML.
c14n:attr(String name, String input) [String] | Encode input string for Attribute Node name in Canonical XML.
base64:encode(byte[] input) [String] | Base64 encode input byte array.
md5:encode(byte[] input) [String] | MD5 encode input byte array. (Requires SSO 6.9 or newer)
guid:encode(byte[] input) [String] | UUID/GUID encode byte array. The array's length must be 16 bytes.
utf8:bytes(string input) [byte[]] | UTF8 encode input string and convert to byte array.
digest:sha1(byte[] input) [byte[]] | SHA1 digest of input byte array.
digest:sha256(byte[] input) [byte[]] | SHA256 digest of input byte array.
re:replace(String input, String regex, String replacement) [String] | Replaces the first substring of input string that matches the given regular expression with the given replacement.

Examples of use:

${base64:encode(utf8:bytes(user.uid))}
or
${base64:encode(utf8:bytes(user['uid'][0]))}

...